1 files changed, 20 insertions, 15 deletions

diff --git a/src/capi.c b/src/capi.c
index 5e2928e3..bcec07bf 100644
--- a/src/capi.c
+++ b/src/capi.c
@@ -300,17 +300,26 @@ static char *Capi_dpi_build_cmd(DilloWeb *web, char *server)
    if (strcmp(server, "proto.https") == 0) {
       /* Let's be kind and make the HTTP query string for the dpi */
       char *proxy_connect = a_Http_make_connect_str(web->url);
-      Dstr *http_query = a_Http_make_query_str(web->url, FALSE);
+      Dstr *http_query = a_Http_make_query_str(web->url, web->requester,FALSE);
       /* BUG: embedded NULLs in query data will truncate message */
+
+      /* BUG: WORKAROUND: request to only check the root URL's certificate.
+       *  This avoids the dialog bombing that stems from loading multiple
+       * https images/resources in a single page. A proper fix would take
+       * either to implement the https-dpi as a server (with state),
+       * or to move back https handling into dillo. */
       if (proxy_connect) {
          const char *proxy_urlstr = a_Http_get_proxy_urlstr();
          cmd = a_Dpip_build_cmd("cmd=%s proxy_url=%s proxy_connect=%s "
-                                "url=%s query=%s", "open_url", proxy_urlstr,
+                                "url=%s query=%s check_cert=%s",
+                                "open_url", proxy_urlstr,
                                 proxy_connect, URL_STR(web->url),
-                                http_query->str);
+                                http_query->str,
+                                (web->flags & WEB_RootUrl) ? "true" : "false");
       } else {
-         cmd = a_Dpip_build_cmd("cmd=%s url=%s query=%s",
-                                "open_url", URL_STR(web->url),http_query->str);
+         cmd = a_Dpip_build_cmd("cmd=%s url=%s query=%s check_cert=%s",
+                                "open_url", URL_STR(web->url),http_query->str,
+                                (web->flags & WEB_RootUrl) ? "true" : "false");
       }
       dFree(proxy_connect);
       dStr_free(http_query, 1);
@@ -376,9 +385,7 @@ static bool_t Capi_filters_test(const DilloUrl *wanted,
          case PREFS_FILTER_SAME_DOMAIN:
          {
             const char *req_host = URL_HOST(requester),
-                       *want_host = URL_HOST(wanted),
-                       *req_suffix,
-                       *want_suffix;
+                       *want_host = URL_HOST(wanted);
             if (want_host[0] == '\0') {
                ret = (req_host[0] == '\0' ||
                       !dStrcasecmp(URL_SCHEME(wanted), "data")) ? TRUE : FALSE;
@@ -386,14 +393,12 @@ static bool_t Capi_filters_test(const DilloUrl *wanted,
                /* This will regard "www.dillo.org" and "www.dillo.org." as
                 * different, but it doesn't seem worth caring about.
                 */
-               req_suffix = a_Url_host_find_public_suffix(req_host);
-               want_suffix = a_Url_host_find_public_suffix(want_host);
-
-               ret = dStrcasecmp(req_suffix, want_suffix) == 0;
+               ret = a_Url_same_organization(wanted, requester);
+            }
+            if (ret == FALSE) {
+               MSG("Capi_filters_test: deny from '%s' to '%s'\n", req_host,
+                   want_host);
             }
-
-            MSG("Capi_filters_test: %s from '%s' to '%s'\n",
-                ret ? "ALLOW" : "DENY", req_host, want_host);
             break;
          }
          case PREFS_FILTER_ALLOW_ALL: