Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Add CSP to attachments to prevent XSS
  • Loading branch information
tjerman committed Jun 22, 2021
1 parent 83afe8e commit af0563c
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 1 deletion.
4 changes: 3 additions & 1 deletion compose/rest/attachment.go
Expand Up @@ -3,11 +3,12 @@ package rest
import (
"context"
"fmt"
"github.com/cortezaproject/corteza-server/pkg/api"
"io"
"net/http"
"net/url"

"github.com/cortezaproject/corteza-server/pkg/api"

"github.com/cortezaproject/corteza-server/compose/rest/request"
"github.com/cortezaproject/corteza-server/compose/service"
"github.com/cortezaproject/corteza-server/compose/types"
Expand Down Expand Up @@ -142,6 +143,7 @@ func (ctrl Attachment) serve(ctx context.Context, namespaceID, attachmentID uint
w.Header().Add("Content-Disposition", "attachment; filename="+name)
} else {
w.Header().Add("Content-Disposition", "inline; filename="+name)
w.Header().Add("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
}

http.ServeContent(w, req, name, att.CreatedAt, fh)
Expand Down
1 change: 1 addition & 0 deletions system/rest/attachment.go
Expand Up @@ -129,6 +129,7 @@ func (ctrl Attachment) serve(ctx context.Context, attachmentID uint64, preview,
w.Header().Add("Content-Disposition", "attachment; filename="+name)
} else {
w.Header().Add("Content-Disposition", "inline; filename="+name)
w.Header().Add("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
}

http.ServeContent(w, req, name, att.CreatedAt, fh)
Expand Down

0 comments on commit af0563c

Please sign in to comment.