Set Content-Security-Policy on media repo

This is to inform browsers that they should sandbox the returned media. This is particularly cruical for javascript/HTML files.
2024-12-14 07:33:47 +01:00 · 2016-08-17 16:27:39 +01:00 · 2016-08-17 16:27:39 +01:00 · 0af9e1a637
commit 0af9e1a637
parent f90b3d83a3
1 changed files with 1 additions and 0 deletions
--- a/synapse/rest/media/v1/download_resource.py
+++ b/synapse/rest/media/v1/download_resource.py
@ -45,6 +45,7 @@ class DownloadResource(Resource):
    @request_handler()
    @defer.inlineCallbacks
    def _async_render_GET(self, request):
+        request.setHeader("Content-Security-Policy", "sandbox")
        server_name, media_id, name = parse_media_id(request)
        if server_name == self.server_name:
            yield self._respond_local_file(request, media_id, name)