Mitigate media repo XSSs on IE11. (#10468)

IE11 doesn't support Content-Security-Policy but it has support for
a non-standard X-Content-Security-Policy header, which only supports the
sandbox directive. This prevents script execution, so it at least offers
some protection against media repo-based attacks.

Signed-off-by: Denis Kasak <dkasak@termina.org.uk>
This commit is contained in:
Denis Kasak 2021-07-27 11:45:10 +00:00 committed by GitHub
parent b3a757eb3b
commit 2476d5373c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 0 deletions

1
changelog.d/10468.misc Normal file
View file

@ -0,0 +1 @@
Mitigate media repo XSS attacks on IE11 via the non-standard X-Content-Security-Policy header.

View file

@ -49,6 +49,8 @@ class DownloadResource(DirectServeJsonResource):
b" media-src 'self';"
b" object-src 'self';",
)
# Limited non-standard form of CSP for IE11
request.setHeader(b"X-Content-Security-Policy", b"sandbox;")
request.setHeader(
b"Referrer-Policy",
b"no-referrer",