DeforaNetworks/corteza
3
0
Fork 0
Code Activity

Add CSP to attachments to prevent XSS

Browse Source
This commit is contained in:
Tomaž Jerman
2021-06-22 09:40:05 +02:00
parent ee850124f6
commit 744bb70548
2 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
compose/rest/attachment.go
View File

@@ -3,11 +3,12 @@ package rest
import (
"context"
"fmt"
"github.com/cortezaproject/corteza-server/pkg/api"
"io"
"net/http"
"net/url"
"github.com/cortezaproject/corteza-server/pkg/api"
"github.com/cortezaproject/corteza-server/compose/rest/request"
"github.com/cortezaproject/corteza-server/compose/service"
"github.com/cortezaproject/corteza-server/compose/types"
@@ -142,6 +143,7 @@ func (ctrl Attachment) serve(ctx context.Context, namespaceID, attachmentID uint
w.Header().Add("Content-Disposition", "attachment; filename="+name)
} else {
w.Header().Add("Content-Disposition", "inline; filename="+name)
w.Header().Add("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
}
http.ServeContent(w, req, name, att.CreatedAt, fh)

1
system/rest/attachment.go
View File

@@ -129,6 +129,7 @@ func (ctrl Attachment) serve(ctx context.Context, attachmentID uint64, preview,
w.Header().Add("Content-Disposition", "attachment; filename="+name)
} else {
w.Header().Add("Content-Disposition", "inline; filename="+name)
w.Header().Add("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
}
http.ServeContent(w, req, name, att.CreatedAt, fh)