Do not allow HTML media to contain iframes

fisharebest · Oct 19, 2021 · 8340714 · 8340714
1 parent 69d5bee
commit 8340714
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/app/Factories/ImageFactory.php b/app/Factories/ImageFactory.php
@@ -343,10 +343,10 @@ protected function imageResponse(string $data, string $mime_type, string $filena
                 ->withHeader('X-Image-Exception', 'SVG image blocked due to XSS.');
         }
 
-        // HTML files may contain javascript, so use content-security-policy to disable it.
+        // HTML files may contain javascript and iframes, so use content-security-policy to disable them.
         $response = response($data)
             ->withHeader('content-type', $mime_type)
-            ->withHeader('content-security-policy', 'script-src none');
+            ->withHeader('content-security-policy', 'script-src none;frame-src none');
 
         if ($filename === '') {
             return $response;