Mitigate media repo XSSs on IE11. (#10468)

IE11 doesn't support Content-Security-Policy but it has support for a non-standard X-Content-Security-Policy header, which only supports the sandbox directive. This prevents script execution, so it at least offers some protection against media repo-based attacks. Signed-off-by: Denis Kasak <dkasak@termina.org.uk>
author: Denis Kasak <dkasak@termina.org.uk> 2021-07-27 11:45:10 +0000
committer: GitHub <noreply@github.com> 2021-07-27 13:45:10 +0200
commit: 2476d5373cde3a881b6f8f3ccc5d19707e9f600d (patch)
tree: 2d92e51c4b345325c9a0ef6d08ada7578a17fef0 /changelog.d
parent: Support MSC2033: Device ID on whoami (#9918) (diff)
download: synapse-2476d5373cde3a881b6f8f3ccc5d19707e9f600d.tar.xz
1 files changed, 1 insertions, 0 deletions
diff --git a/changelog.d/10468.misc b/changelog.d/10468.misc
new file mode 100644
index 0000000000..b9854bb4c1
--- /dev/null
+++ b/changelog.d/10468.misc
@@ -0,0 +1 @@
+Mitigate media repo XSS attacks on IE11 via the non-standard X-Content-Security-Policy header.
author	Denis Kasak <dkasak@termina.org.uk>	2021-07-27 11:45:10 +0000
committer	GitHub <noreply@github.com>	2021-07-27 13:45:10 +0200
commit	2476d5373cde3a881b6f8f3ccc5d19707e9f600d (patch)
tree	2d92e51c4b345325c9a0ef6d08ada7578a17fef0 /changelog.d
parent	Support MSC2033: Device ID on whoami (#9918) (diff)
download	synapse-2476d5373cde3a881b6f8f3ccc5d19707e9f600d.tar.xz