summary refs log tree commit diff
path: root/synapse/rest/media/v1/download_resource.py
diff options
context:
space:
mode:
authorErik Johnston <erik@matrix.org>2016-08-17 16:27:39 +0100
committerErik Johnston <erik@matrix.org>2016-08-17 16:27:39 +0100
commit0af9e1a637f8e278775e0e2b366b381d32753e81 (patch)
tree7548d527686d2cfe10d537cd7072aaff08b234f4 /synapse/rest/media/v1/download_resource.py
parentAdd None check to _iterate_over_text (diff)
downloadsynapse-0af9e1a637f8e278775e0e2b366b381d32753e81.tar.xz
Set `Content-Security-Policy` on media repo
This is to inform browsers that they should sandbox the returned
media. This is particularly cruical for javascript/HTML files.
Diffstat (limited to 'synapse/rest/media/v1/download_resource.py')
-rw-r--r--synapse/rest/media/v1/download_resource.py1
1 files changed, 1 insertions, 0 deletions
diff --git a/synapse/rest/media/v1/download_resource.py b/synapse/rest/media/v1/download_resource.py
index 9f69620772..9f0625a822 100644
--- a/synapse/rest/media/v1/download_resource.py
+++ b/synapse/rest/media/v1/download_resource.py
@@ -45,6 +45,7 @@ class DownloadResource(Resource):
     @request_handler()
     @defer.inlineCallbacks
     def _async_render_GET(self, request):
+        request.setHeader("Content-Security-Policy", "sandbox")
         server_name, media_id, name = parse_media_id(request)
         if server_name == self.server_name:
             yield self._respond_local_file(request, media_id, name)