Skip to content
Permalink
Browse files
Add CSP to attachments to prevent XSS
  • Loading branch information
tjerman committed Jun 22, 2021
1 parent 83afe8e commit af0563c0528b0f71025cbb6d87ddb315345757bd
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 1 deletion.
@@ -3,11 +3,12 @@ package rest
import (
"context"
"fmt"
"github.com/cortezaproject/corteza-server/pkg/api"
"io"
"net/http"
"net/url"

"github.com/cortezaproject/corteza-server/pkg/api"

"github.com/cortezaproject/corteza-server/compose/rest/request"
"github.com/cortezaproject/corteza-server/compose/service"
"github.com/cortezaproject/corteza-server/compose/types"
@@ -142,6 +143,7 @@ func (ctrl Attachment) serve(ctx context.Context, namespaceID, attachmentID uint
w.Header().Add("Content-Disposition", "attachment; filename="+name)
} else {
w.Header().Add("Content-Disposition", "inline; filename="+name)
w.Header().Add("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
}

http.ServeContent(w, req, name, att.CreatedAt, fh)
@@ -129,6 +129,7 @@ func (ctrl Attachment) serve(ctx context.Context, attachmentID uint64, preview,
w.Header().Add("Content-Disposition", "attachment; filename="+name)
} else {
w.Header().Add("Content-Disposition", "inline; filename="+name)
w.Header().Add("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
}

http.ServeContent(w, req, name, att.CreatedAt, fh)

0 comments on commit af0563c

Please sign in to comment.