Add Cross-Origin-Resource-Policy header to thumbnail and download media endpoints (#12944)

author: Robert Long <robert@robertlong.me> 2022-06-27 06:44:05 -0700
committer: GitHub <noreply@github.com> 2022-06-27 14:44:05 +0100
commit: 9b683ea80f94de4249264cbf375523b987900c89 (patch)
tree: b96da6baec0589be6fabda401ad2fdf7219adc81 /synapse/rest/media/v1/download_resource.py
parent: Refactor the Dockerfile-workers configuration script to use Jinja2 templates ... (diff)
download: synapse-9b683ea80f94de4249264cbf375523b987900c89.tar.xz
1 files changed, 6 insertions, 1 deletions
diff --git a/synapse/rest/media/v1/download_resource.py b/synapse/rest/media/v1/download_resource.py
index 6180fa575e..048a042692 100644
--- a/synapse/rest/media/v1/download_resource.py
+++ b/synapse/rest/media/v1/download_resource.py
@@ -15,7 +15,11 @@
 import logging
 from typing import TYPE_CHECKING
 
-from synapse.http.server import DirectServeJsonResource, set_cors_headers
+from synapse.http.server import (
+    DirectServeJsonResource,
+    set_corp_headers,
+    set_cors_headers,
+)
 from synapse.http.servlet import parse_boolean
 from synapse.http.site import SynapseRequest
 
@@ -38,6 +42,7 @@ class DownloadResource(DirectServeJsonResource):
 
     async def _async_render_GET(self, request: SynapseRequest) -> None:
         set_cors_headers(request)
+        set_corp_headers(request)
         request.setHeader(
             b"Content-Security-Policy",
             b"sandbox;"
author	Robert Long <robert@robertlong.me>	2022-06-27 06:44:05 -0700
committer	GitHub <noreply@github.com>	2022-06-27 14:44:05 +0100
commit	9b683ea80f94de4249264cbf375523b987900c89 (patch)
tree	b96da6baec0589be6fabda401ad2fdf7219adc81 /synapse/rest/media/v1/download_resource.py
parent	Refactor the Dockerfile-workers configuration script to use Jinja2 templates ... (diff)
download	synapse-9b683ea80f94de4249264cbf375523b987900c89.tar.xz