From 0cd83f0322f832eecf6d31492bb672385527b875 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Sat, 20 Jun 2026 23:02:55 +0200
Subject: [PATCH] Set strict CSP policies when serving files from the attachment endpoints

---
 src/Controller/AttachmentFileController.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/Controller/AttachmentFileController.php b/src/Controller/AttachmentFileController.php
index 01aeab11..c3f581cc 100644
--- a/src/Controller/AttachmentFileController.php
+++ b/src/Controller/AttachmentFileController.php
@@ -93,6 +93,8 @@ class AttachmentFileController extends AbstractController
         //Set header content disposition, so that the file will be downloaded
         $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_ATTACHMENT, $attachment->getFilename());
+        $this->setAttachmentCSPHeaders($response);
+
         return $response;
     }
@@ -112,6 +114,16 @@ class AttachmentFileController extends AbstractController
         //Set header content disposition, so that the file will be downloaded
         $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_INLINE, $attachment->getFilename());
+        $this->setAttachmentCSPHeaders($response);
+
+        return $response;
+    }
+
+    private function setAttachmentCSPHeaders(Response $response): Response
+    {
+        //Set an CSP that disallow to run any scripts, styles or images from the attachment render page, as it is not used anywhere else for now and can be a security risk if used without proper precautions, so it should be opt-in
+        $response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; sandbox;");
+
         return $response;
     }
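Review bot: The inline branch still lets the browser content-sniff the attachment body, and the new CSP does nothing about that: a Content-Security-Policy only governs a document the browser has already decided to render, so a file stored with a missing or wrong MIME type can still be promoted to HTML or SVG before the policy is consulted. Pair the policy with `$response->headers->set('X-Content-Type-Options', 'nosniff');` inside `setAttachmentCSPHeaders`, which is harmless on the download branch and closes the gap on the inline one; whether the stored MIME type is validated elsewhere is not visible in these hunks. Two smaller points: a bare `sandbox` directive already blocks script execution, so `script-src 'none'` next to `default-src 'none'` is redundant, and the `'self'` allowances for styles and images presumably exist to keep uploaded HTML/SVG previews usable, which the comment should state instead of the current wording, e.g. `// Uploads may be rendered inline by the browser: deny scripts, sandbox the document, but keep self-hosted images and inline styles so SVG/HTML previews still display`. The helper also mutates `$response` in place, so returning it is unnecessary and the two call sites ignore the return value; `void` would describe the contract more honestly. Both calling methods begin outside these hunks; the helper itself is complete.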