summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--changelog.d/10468.misc1
-rw-r--r--synapse/rest/media/v1/download_resource.py2
2 files changed, 3 insertions, 0 deletions
diff --git a/changelog.d/10468.misc b/changelog.d/10468.misc
new file mode 100644
index 0000000000..b9854bb4c1
--- /dev/null
+++ b/changelog.d/10468.misc
@@ -0,0 +1 @@
+Mitigate media repo XSS attacks on IE11 via the non-standard X-Content-Security-Policy header.
diff --git a/synapse/rest/media/v1/download_resource.py b/synapse/rest/media/v1/download_resource.py
index cd2468f9c5..d6d938953e 100644
--- a/synapse/rest/media/v1/download_resource.py
+++ b/synapse/rest/media/v1/download_resource.py
@@ -49,6 +49,8 @@ class DownloadResource(DirectServeJsonResource):
             b" media-src 'self';"
             b" object-src 'self';",
         )
+        # Limited non-standard form of CSP for IE11
+        request.setHeader(b"X-Content-Security-Policy", b"sandbox;")
         request.setHeader(
             b"Referrer-Policy",
             b"no-referrer",