diff options
author | Denis Kasak <dkasak@termina.org.uk> | 2021-07-27 11:45:10 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-27 13:45:10 +0200 |
commit | 2476d5373cde3a881b6f8f3ccc5d19707e9f600d (patch) | |
tree | 2d92e51c4b345325c9a0ef6d08ada7578a17fef0 /synapse/rest/media | |
parent | Support MSC2033: Device ID on whoami (#9918) (diff) | |
download | synapse-2476d5373cde3a881b6f8f3ccc5d19707e9f600d.tar.xz |
Mitigate media repo XSSs on IE11. (#10468)
IE11 doesn't support Content-Security-Policy but it has support for a non-standard X-Content-Security-Policy header, which only supports the sandbox directive. This prevents script execution, so it at least offers some protection against media repo-based attacks. Signed-off-by: Denis Kasak <dkasak@termina.org.uk>
Diffstat (limited to 'synapse/rest/media')
-rw-r--r-- | synapse/rest/media/v1/download_resource.py | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/synapse/rest/media/v1/download_resource.py b/synapse/rest/media/v1/download_resource.py index cd2468f9c5..d6d938953e 100644 --- a/synapse/rest/media/v1/download_resource.py +++ b/synapse/rest/media/v1/download_resource.py @@ -49,6 +49,8 @@ class DownloadResource(DirectServeJsonResource): b" media-src 'self';" b" object-src 'self';", ) + # Limited non-standard form of CSP for IE11 + request.setHeader(b"X-Content-Security-Policy", b"sandbox;") request.setHeader( b"Referrer-Policy", b"no-referrer", |