authorGo MAEDA <maeda@farend.jp>2023-09-18 02:35:27 +0000
committerGo MAEDA <maeda@farend.jp>2023-09-18 02:35:27 +0000
commit4567650f1e76e851a9efb03cd52f6b81e9e8904f (patch)
tree5f96d687d87494b7e3158f79e61484f2e2911853
parent84af85d56a3d5c9f718bd3291b528e4c4cc7c171 (diff)
downloadredmine-4567650f1e76e851a9efb03cd52f6b81e9e8904f.tar.gz
redmine-4567650f1e76e851a9efb03cd52f6b81e9e8904f.zip
Merged r22294 and r22295 from trunk to 4.2-stable (#38417).
git-svn-id: https://svn.redmine.org/redmine/branches/4.2-stable@22297 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/controllers/attachments_controller.rb7
-rw-r--r--app/controllers/repositories_controller.rb5
2 files changed, 11 insertions, 1 deletions
diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb
index d956ac17e..35c8aa5f9 100644
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -89,7 +89,7 @@ class AttachmentsController < ApplicationController
tbnail,
:filename => filename_for_content_disposition(@attachment.filename),
:type => detect_content_type(@attachment, true),
- :disposition => 'inline')
+ :disposition => 'attachment')
end
else
# No thumbnail for the attachment or thumbnail could not be created
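Review bot: The switch to `:disposition => 'attachment'` for the thumbnail response carries no comment, and the diffstat lists only the two controllers, so nothing in this commit pins the new behaviour. A one-line comment above the call, such as `# Sent as an attachment so the file is never rendered as a top-level document`, would keep the value from being flipped back to `'inline'` later; the rationale is inferred from the change, so the wording should be confirmed. A functional test asserting the `Content-Disposition` header of the thumbnail response would guard it as well. The call and its enclosing method start outside the hunk.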
@@ -330,4 +330,9 @@ class AttachmentsController < ApplicationController
request.raw_post
end
end
+
+ def send_file(path, options={})
+ headers['content-security-policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
+ super
+ end
end
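Review bot: The visibility of the new `send_file` override cannot be determined from this hunk, because it is appended at the end of the class and any `private` marker sits outside the visible lines. If it ends up in the public section, a helper that Rails keeps non-public becomes a public controller method and is counted among the controller's action methods; placing it under `private` avoids that. The method would also benefit from a short comment stating its intent, e.g. `# Restrictive CSP plus sandbox so served files cannot run script in the application's origin`. The same override is added to RepositoriesController in the next file, where the same check applies.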
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb
index 60b27e2f2..59f65b3e9 100644
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -432,6 +432,11 @@ class RepositoriesController < ApplicationController
end
end
+ def send_file(path, options={})
+ headers['content-security-policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
+ super
+ end
+
def valid_name?(rev)
return true if rev.nil?
return true if REV_PARAM_RE.match?(rev)
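Review bot: The policy string in this `send_file` override is a byte-for-byte copy of the one added to AttachmentsController, so the two can drift apart when only one is edited. Holding it in a single frozen constant, or in a small shared concern that defines the override, would keep both controllers on the same policy. Only `send_file` is intercepted; if this controller also returns repository content through `send_data`, which is not visible in the hunk, those responses would not carry the header. The enclosing class continues outside the hunk.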