From d4e464ad4ef0cbbf61751e70f77865de325dd6cf Mon Sep 17 00:00:00 2001
From: "nicolas.dorier"
Date: Thu, 26 Jan 2023 18:51:08 +0900
Subject: [PATCH] Fix XSS on uploaded files to the file storage

---
 BTCPayServer/Storage/StorageExtensions.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/BTCPayServer/Storage/StorageExtensions.cs b/BTCPayServer/Storage/StorageExtensions.cs
index bfc8b14360..cb91b93c2d 100644
--- a/BTCPayServer/Storage/StorageExtensions.cs
+++ b/BTCPayServer/Storage/StorageExtensions.cs
@@ -75,6 +75,7 @@ private static Action HandleStaticFileResponse()
 {
 context.Context.Response.Headers["Content-Disposition"] = "attachment";
 }
+context.Context.Response.Headers["Content-Security-Policy"] = "script-src 'self'";
 };
 }
 }
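Review bot: The added `script-src 'self'` only blocks inline and cross-origin script; `'self'` still allows script fetched from the same origin, and the file storage this handler serves is itself same-origin, so an uploaded HTML document that references another uploaded file as a script would still be permitted under this policy. Since these responses are user-uploaded static files that never legitimately need to run script or load subresources, a deny-all policy is the safer default, e.g. `context.Context.Response.Headers["Content-Security-Policy"] = "default-src 'none'; sandbox";`, and pairing it with `context.Context.Response.Headers["X-Content-Type-Options"] = "nosniff";` prevents the browser from upgrading a non-HTML upload to an active document. A short comment on the added line stating why the header is set on every storage response (`// Uploads are untrusted: forbid script/subresource loading even when the file is rendered inline`) would help the next maintainer keep the header in place. The enclosing lambda and HandleStaticFileResponse start outside the hunk, so it is not visible here whether the inline (non-attachment) branch has any other mitigation.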