mirror of
https://github.com/element-hq/synapse.git
synced 2024-12-15 17:51:10 +00:00
Mitigate media repo XSSs on IE11. (#10468)
IE11 doesn't support Content-Security-Policy but it has support for a non-standard X-Content-Security-Policy header, which only supports the sandbox directive. This prevents script execution, so it at least offers some protection against media repo-based attacks.

Signed-off-by: Denis Kasak <dkasak@termina.org.uk>
parent
b3a757eb3b
commit
2476d5373c
2 changed files with 3 additions and 0 deletions
1
changelog.d/10468.misc
Normal file
|
@ -0,0 +1 @@
|
|||
Mitigate media repo XSS attacks on IE11 via the non-standard X-Content-Security-Policy header.
|
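Review bot: The changelog line does not say that the mitigation is limited to the sandbox directive, and it is filed as `.misc`, where an operator scanning release notes for security-relevant changes is less likely to see it. Consider wording such as "via the non-standard X-Content-Security-Policy header (sandbox directive only)" and check whether a more visible changelog category fits a change described as an XSS mitigation.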
|
@ -49,6 +49,8 @@ class DownloadResource(DirectServeJsonResource):
|
|||
b" media-src 'self';"
|
||||
b" object-src 'self';",
|
||||
)
|
||||
# Limited non-standard form of CSP for IE11
|
||||
request.setHeader(b"X-Content-Security-Policy", b"sandbox;")
|
||||
request.setHeader(
|
||||
b"Referrer-Policy",
|
||||
b"no-referrer",
|
||||
|
|
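Review bot: The comment above `request.setHeader(b"X-Content-Security-Policy", b"sandbox;")` does not record that the value is deliberately a bare `sandbox` with no allow flags, which is what the commit message relies on to block script execution. Please expand the comment to say so, so that a later edit does not relax the value without noticing it undoes the mitigation. The commit also touches only the changelog and this file, so nothing pins the header in a test; an assertion on the response headers of a download request would catch an accidental removal.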