Bug 607138: Don't send the Strict-Transport-Security header for the

Bugzilla/CGI.pm

@@ -275,9 +275,13 @@ sub header {
 
     # Add Strict-Transport-Security (STS) header if this response
     # is over SSL and the strict_transport_security param is turned on.
-    if ($self->https && Bugzilla->params->{'strict_transport_security'} ne 'off') {
+    if ($self->https && !$self->url_is_attachment_base
+        && Bugzilla->params->{'strict_transport_security'} ne 'off') 
+    {
         my $sts_opts = 'max-age=' . MAX_STS_AGE;
-        if (Bugzilla->params->{'strict_transport_security'} eq 'include_subdomains') {
+        if (Bugzilla->params->{'strict_transport_security'} 
+            eq 'include_subdomains')
+        {
             $sts_opts .= '; includeSubDomains';
         }
         unshift(@_, '-strict_transport_security' => $sts_opts);