fix: xss vulnerability in /api/raw (#2570) (#2572)

filebrowser · Jul 27, 2023 · b508ac3 · b508ac3
1 parent ff4375c
commit b508ac3
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/http/raw.go b/http/raw.go
@@ -207,7 +207,7 @@ func rawFileHandler(w http.ResponseWriter, r *http.Request, file *files.FileInfo
 	defer fd.Close()
 
 	setContentDisposition(w, r, file)
-
+	w.Header().Add("Content-Security-Policy", `script-src 'none';`)
 	w.Header().Set("Cache-Control", "private")
 	http.ServeContent(w, r, file.Name, file.ModTime, fd)
 	return 0, nil