Skip to content


Do not allow HTML media to contain iframes
Browse files Browse the repository at this point in the history
  • Loading branch information
fisharebest committed Oct 19, 2021
1 parent 69d5bee commit 8340714
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions app/Factories/ImageFactory.php
Expand Up @@ -343,10 +343,10 @@ protected function imageResponse(string $data, string $mime_type, string $filena
->withHeader('X-Image-Exception', 'SVG image blocked due to XSS.');

// HTML files may contain javascript, so use content-security-policy to disable it.
// HTML files may contain javascript and iframes, so use content-security-policy to disable them.
$response = response($data)
->withHeader('content-type', $mime_type)
->withHeader('content-security-policy', 'script-src none');
->withHeader('content-security-policy', 'script-src none;frame-src none');

if ($filename === '') {
return $response;
Expand Down

0 comments on commit 8340714

Please sign in to comment.