Allow to load external images and styles in the HTML sandbox

This should not cause many security issues, as users can already do the same via attachment creation and markdown images
Jan Böhmer 2026-02-24 23:05:09 +01:00
parent dcafc8a1a1
commit 419b46e806


@ -69,7 +69,7 @@ class AttachmentFileController extends AbstractController
//Set an CSP that allows to run inline scripts, styles and images from external ressources, but does not allow any connections or others.
//Also set the sandbox CSP directive with only "allow-script" to run basic scripts
$response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; img-src data:; sandbox allow-scripts allow-downloads allow-modals;");
$response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline' *; img-src data: *; sandbox allow-scripts allow-downloads allow-modals;");
//Forbid to embed the attachment render page in an iframe to prevent clickjacking, as it is not used anywhere else for now
$response->headers->set('X-Frame-Options', 'DENY');
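Review bot: The comment on the first context line still says the policy `does not allow any connections`, but with the new `style-src 'unsafe-inline' *` and `img-src data: *` a viewed attachment can trigger requests to arbitrary hosts, and because inline scripts remain allowed those request URLs are under the attachment author's control; the comment should be reworded to say that image and stylesheet loads from any origin are now permitted while connect-src, frames and the rest stay blocked. The practical exposure is that whoever authored the attachment learns the viewer's IP address, user agent and viewing time; the sandbox without `allow-same-origin` keeps session cookies and the parent page out of reach, so this looks acceptable if that tracking risk is accepted, as the commit message argues. Consider limiting the wildcards to `https:` so this page never makes plaintext fetches, `style-src 'unsafe-inline' https:; img-src data: https:`, and adding `$response->headers->set('Referrer-Policy', 'no-referrer');` next to the X-Frame-Options header so the attachment URL is not sent to those third-party hosts. The enclosing controller method starts and ends outside the hunk.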