From 0af9e1a637f8e278775e0e2b366b381d32753e81 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Wed, 17 Aug 2016 16:27:39 +0100 Subject: [PATCH] Set `Content-Security-Policy` on media repo This is to inform browsers that they should sandbox the returned media. This is particularly cruical for javascript/HTML files. --- synapse/rest/media/v1/download_resource.py | 1 + 1 file changed, 1 insertion(+) diff --git a/synapse/rest/media/v1/download_resource.py b/synapse/rest/media/v1/download_resource.py index 9f6962077..9f0625a82 100644 --- a/synapse/rest/media/v1/download_resource.py +++ b/synapse/rest/media/v1/download_resource.py @@ -45,6 +45,7 @@ class DownloadResource(Resource): @request_handler() @defer.inlineCallbacks def _async_render_GET(self, request): + request.setHeader("Content-Security-Policy", "sandbox") server_name, media_id, name = parse_media_id(request) if server_name == self.server_name: yield self._respond_local_file(request, media_id, name)