+ var attachment bool
+ credentialsOK := h.Config.TrustAllContent
+
+ if r.Host != "" && r.Host == h.Config.AttachmentOnlyHost {
+ credentialsOK = true
+ attachment = true
+ } else if r.FormValue("disposition") == "attachment" {
+ attachment = true
+ }
+
+ if targetID = parseCollectionIDFromDNSName(r.Host); targetID != "" {
+ // http://ID.collections.example/PATH...
+ credentialsOK = true
+ } else if r.URL.Path == "/status.json" {
+ h.serveStatus(w, r)
+ return
+ } else if len(pathParts) >= 1 && strings.HasPrefix(pathParts[0], "c=") {
+ // /c=ID[/PATH...]
+ targetID = parseCollectionIDFromURL(pathParts[0][2:])
+ stripParts = 1
+ } else if len(pathParts) >= 2 && pathParts[0] == "collections" {
+ if len(pathParts) >= 4 && pathParts[1] == "download" {
+ // /collections/download/ID/TOKEN/PATH...
+ targetID = parseCollectionIDFromURL(pathParts[2])
+ tokens = []string{pathParts[3]}
+ stripParts = 4
+ pathToken = true
+ } else {
+ // /collections/ID/PATH...
+ targetID = parseCollectionIDFromURL(pathParts[1])
+ tokens = h.Config.AnonymousTokens
+ stripParts = 2
+ }
+ }
+
+ if targetID == "" {
+ statusCode = http.StatusNotFound
+ return
+ }
+
+ formToken := r.FormValue("api_token")
+ if formToken != "" && r.Header.Get("Origin") != "" && attachment && r.URL.Query().Get("api_token") == "" {
+ // The client provided an explicit token in the POST
+ // body. The Origin header indicates this *might* be
+ // an AJAX request, in which case redirect-with-cookie
+ // won't work: we should just serve the content in the
+ // POST response. This is safe because:
+ //
+ // * We're supplying an attachment, not inline
+ // content, so we don't need to convert the POST to
+ // a GET and avoid the "really resubmit form?"
+ // problem.
+ //
+ // * The token isn't embedded in the URL, so we don't
+ // need to worry about bookmarks and copy/paste.
+ tokens = append(tokens, formToken)
+ } else if formToken != "" {
+ // The client provided an explicit token in the query
+ // string, or a form in POST body. We must put the
+ // token in an HttpOnly cookie, and redirect to the
+ // same URL with the query param redacted and method =
+ // GET.
+ h.seeOtherWithCookie(w, r, "", credentialsOK)
+ return
+ }
+
+ targetPath := pathParts[stripParts:]
+ if tokens == nil && len(targetPath) > 0 && strings.HasPrefix(targetPath[0], "t=") {
+ // http://ID.example/t=TOKEN/PATH...
+ // /c=ID/t=TOKEN/PATH...
+ //
+ // This form must only be used to pass scoped tokens
+ // that give permission for a single collection. See
+ // FormValue case above.
+ tokens = []string{targetPath[0][2:]}