From 8340714c9369b59664643bdb46b2c7483610b23d Mon Sep 17 00:00:00 2001
From: Greg Roach
Date: Tue, 19 Oct 2021 17:48:24 +0100
Subject: [PATCH] Do not allow HTML media to contain iframes

---
 app/Factories/ImageFactory.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/Factories/ImageFactory.php b/app/Factories/ImageFactory.php
index 51689de852e..21ad02f04fe 100644
--- a/app/Factories/ImageFactory.php
+++ b/app/Factories/ImageFactory.php
@@ -343,10 +343,10 @@ protected function imageResponse(string $data, string $mime_type, string $filena
 ->withHeader('X-Image-Exception', 'SVG image blocked due to XSS.');
 }
 
- // HTML files may contain javascript, so use content-security-policy to disable it.
+ // HTML files may contain javascript and iframes, so use content-security-policy to disable them.
 $response = response($data)
 ->withHeader('content-type', $mime_type)
- ->withHeader('content-security-policy', 'script-src none');
+ ->withHeader('content-security-policy', 'script-src none;frame-src none');
 
 if ($filename === '') {
 return $response;
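Review bot: The CSP keyword on the rewritten `content-security-policy` line is unquoted: in the CSP grammar a bare `none` is parsed as a host-source for a host literally named "none" rather than the `'none'` keyword, browsers log a console warning about it, and scripts and frames are blocked here only as a side effect of no listed source matching the page origin. The header should read `->withHeader('content-security-policy', "script-src 'none'; frame-src 'none'");`, which also corrects the pre-existing `script-src` value this hunk carries forward. `frame-src` governs nested browsing contexts (`iframe`/`frame`) but not `object`/`embed`, so adding `object-src 'none'` on the same line is worth considering if plugin content in uploaded HTML should be blocked as well. imageResponse() starts before and continues past this hunk.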