Closes#11724.
Option is enabled by default for users using qBittorrent's built-in HTTPS capabilities. This flag will never be set if qBittorrent is using plain HTTP.
Users using HTTPS reverse proxies, like "qbt <-> (http) <-> proxy <-> (https) <-> user" should override the flag in the proxy in order to set it, if they wish to do so.
Since it is possible alternative WebUI could be coded in languages other than English,
WebUI must be able to load user-provided webui_en.qm.
At least one translated string must exist in order to generate an usable .qm file.
The majority of the CSP is tuned for built-in WebUI, it may not be
suitable for alternative UI.
Also add QLatin1String to strings. This code path is called repeatedly,
it is worth adding QLatin1String to squeeze out the last bit of
performance.
This is because Qt translator returns empty string when the translation
is not provided, now we fallback to the original string from source code.
Closes#9868.
Tune the caching time to be shorter, in case there is a program
update.
Change the cacheability to private, as WebUI resources are not intended
to be cached at proxy.
For uncacheable responses, send out "no-store" explicitly to halt
browser caching.
This option restricts all form submissions to the WebUI's origin.
qBittorrent only ever submits forms to the origin, so this is intended as a security measure.
This option automatically upgrades all http connections to https.
It ensures http urls cannot be accessed when in https mode, and is intended as a security measure.
CSP was erroneously disabled in bad4d94f778a1ceba8a0e16d1836e649d767cca8
when clickjacking protection is off, now it is back.
Also added CSP 'frame-ancestors' directive when clickjacking
protection is enabled.
Some users are using WebUI with simple port-forwarding from their router,
providing an option to control the protection will save them from setting up an
non-trival web proxy.
Closes#7274.