Mitigate media repo XSSs on IE11. (#10468)
IE11 doesn't support Content-Security-Policy but it has support for a non-standard X-Content-Security-Policy header, which only supports the sandbox directive. This prevents script execution, so it at least offers some protection against media repo-based attacks. Signed-off-by: Denis Kasak <dkasak@termina.org.uk>
parent
b3a757eb3b
commit
2476d5373c
2 changed files with 3 additions and 0 deletions
1
changelog.d/10468.misc
|
@ -0,0 +1 @@
|
||||||
|
Mitigate media repo XSS attacks on IE11 via the non-standard X-Content-Security-Policy header.
|
|
@ -49,6 +49,8 @@ class DownloadResource(DirectServeJsonResource):
|
||||||
b" media-src 'self';"
|
b" media-src 'self';"
|
||||||
b" object-src 'self';",
|
b" object-src 'self';",
|
||||||
)
|
)
|
||||||
|
# Limited non-standard form of CSP for IE11
|
||||||
|
request.setHeader(b"X-Content-Security-Policy", b"sandbox;")
|
||||||
request.setHeader(
|
request.setHeader(
|
||||||
b"Referrer-Policy",
|
b"Referrer-Policy",
|
||||||
b"no-referrer",
|
b"no-referrer",
|
||||||
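Review bot: The new `X-Content-Security-Policy` header is only emitted from DownloadResource, so any other resource that serves user-uploaded media with the same standard CSP block seen in the hunk's context (`media-src`/`object-src`) presumably still lacks the IE11 fallback; if that CSP string is shared with a thumbnail or similar endpoint, the fallback header should be applied there too. The diffstat shows no test change: a request to the download endpoint should assert `X-Content-Security-Policy: sandbox;` alongside the existing `Content-Security-Policy` so the mitigation cannot be dropped silently later. The added comment could record why the value is a bare `sandbox;`, e.g. `# IE11 ignores Content-Security-Policy but honours the non-standard X-Content-Security-Policy header, of which it only supports the sandbox directive; sending it unqualified blocks script execution for inline-rendered media.` The enclosing method of DownloadResource starts and ends outside the hunk.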
|
|