diff options
| author | Erik Johnston <erik@matrix.org> | 2016-08-17 16:27:39 +0100 |
|---|---|---|
| committer | Erik Johnston <erik@matrix.org> | 2016-08-17 16:27:39 +0100 |
| commit | 0af9e1a637f8e278775e0e2b366b381d32753e81 (patch) | |
| tree | 7548d527686d2cfe10d537cd7072aaff08b234f4 /synapse/rest | |
| parent | Add None check to _iterate_over_text (diff) | |
| download | synapse-0af9e1a637f8e278775e0e2b366b381d32753e81.tar.xz | |
Set `Content-Security-Policy` on media repo
This is to inform browsers that they should sandbox the returned media. This is particularly cruical for javascript/HTML files.
Diffstat (limited to 'synapse/rest')
| -rw-r--r-- | synapse/rest/media/v1/download_resource.py | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/synapse/rest/media/v1/download_resource.py b/synapse/rest/media/v1/download_resource.py index 9f69620772..9f0625a822 100644 --- a/synapse/rest/media/v1/download_resource.py +++ b/synapse/rest/media/v1/download_resource.py @@ -45,6 +45,7 @@ class DownloadResource(Resource): @request_handler() @defer.inlineCallbacks def _async_render_GET(self, request): + request.setHeader("Content-Security-Policy", "sandbox") server_name, media_id, name = parse_media_id(request) if server_name == self.server_name: yield self._respond_local_file(request, media_id, name) |