Set a strict CSP policy for downloaded attachments, thumbnails, and raw repository files(#38417).

Patch by Holger Just. git-svn-id: https://svn.redmine.org/redmine/trunk@22295 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-31 11:37:14 +00:00 · 2023-09-18 02:16:36 +00:00 · 2023-09-18 02:16:36 +00:00 · 4973c9014b
commit 4973c9014b
parent 3de9413917
2 changed files with 10 additions and 0 deletions
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@ -321,4 +321,9 @@ class AttachmentsController < ApplicationController
      request.raw_post
    end
  end
+
+  def send_file(path, options={})
+    headers['content-security-policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
+    super
+  end
 end
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@ -431,6 +431,11 @@ class RepositoriesController < ApplicationController
    end
  end

+  def send_file(path, options={})
+    headers['content-security-policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
+    super
+  end
+
  def valid_name?(rev)
    return true if rev.nil?
    return true if REV_PARAM_RE.match?(rev)