From b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30 Mon Sep 17 00:00:00 2001
From: Anchit Bajaj
Date: Thu, 27 Jul 2023 15:12:27 +0530
Subject: [PATCH] fix: xss vulnerability in /api/raw (#2570) (#2572)
---
 http/raw.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/http/raw.go b/http/raw.go
index 1312510b87..9bf982e98e 100644
--- a/http/raw.go
+++ b/http/raw.go
@@ -207,7 +207,7 @@ func rawFileHandler(w http.ResponseWriter, r *http.Request, file *files.FileInfo
 defer fd.Close()
 setContentDisposition(w, r, file)
-
+ w.Header().Add("Content-Security-Policy", `script-src 'none';`)
 w.Header().Set("Cache-Control", "private")
 http.ServeContent(w, r, file.Name, file.ModTime, fd)
 return 0, nil
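Review bot: The policy added after `setContentDisposition(w, r, file)` restricts script execution only, so a user-supplied HTML or SVG file that the browser renders inline is still displayed as a document in the application's origin, with forms, styles and base URLs unaffected. Consider a tighter policy for raw file responses, for example `w.Header().Add("Content-Security-Policy", "script-src 'none'; object-src 'none'; base-uri 'none'; form-action 'none'")`, together with `w.Header().Set("X-Content-Type-Options", "nosniff")` so the browser keeps the type chosen by `http.ServeContent`. A `sandbox` directive would isolate the document further, but it may interfere with built-in viewers and needs testing against inline previews. A one-line comment saying the header exists to neutralise scripts in uploaded files would also help the next reader. `rawFileHandler` starts above the hunk, so whether the response is sent inline or as an attachment is not visible here.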