Set a strict CSP policy for downloaded attachments, thumbnails, and raw repository...

author Go MAEDA <maeda@farend.jp>

Mon, 18 Sep 2023 02:16:36 +0000 (02:16 +0000)

committer Go MAEDA <maeda@farend.jp>

Mon, 18 Sep 2023 02:16:36 +0000 (02:16 +0000)
author Go MAEDA <maeda@farend.jp>
Mon, 18 Sep 2023 02:16:36 +0000 (02:16 +0000)
committer Go MAEDA <maeda@farend.jp>
Mon, 18 Sep 2023 02:16:36 +0000 (02:16 +0000)
diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb

index 06a236c2c0d7e6c00e81048587bfc05dbe6dfec2..414ecfde0c697bdd1c87d22a382ed18adefbde5a 100644 (file)
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -321,4 +321,9 @@ class AttachmentsController < ApplicationController
        request.raw_post
      end
    end
+
+  def send_file(path, options={})
+    headers['content-security-policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
+    super
+  end
  end
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb

index 8ecb0022ffe79e2ef54ecce359017f6f2a34efd0..3fb69e8b2060ec99d9895c01f1e0671fcd202799 100644 (file)
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -431,6 +431,11 @@ class RepositoriesController < ApplicationController
      end
    end
  
+  def send_file(path, options={})
+    headers['content-security-policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
+    super
+  end
+
    def valid_name?(rev)
      return true if rev.nil?
      return true if REV_PARAM_RE.match?(rev)
author	Go MAEDA <maeda@farend.jp>
	Mon, 18 Sep 2023 02:16:36 +0000 (02:16 +0000)
committer	Go MAEDA <maeda@farend.jp>
	Mon, 18 Sep 2023 02:16:36 +0000 (02:16 +0000)
app/controllers/attachments_controller.rb		patch \| blob \| history
app/controllers/repositories_controller.rb		patch \| blob \| history