From 419b46e806774f3ac2d60f31b20f259cb6d68bb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Tue, 24 Feb 2026 23:05:09 +0100
Subject: [PATCH] Allow to load external images and styles in the HTML sandbox

That should not cause much security issues, as this is what users can do anyway via attachment creation, and markdown images
---
 src/Controller/AttachmentFileController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Controller/AttachmentFileController.php b/src/Controller/AttachmentFileController.php
index bc16b7dc..01aeab11 100644
--- a/src/Controller/AttachmentFileController.php
+++ b/src/Controller/AttachmentFileController.php
@@ -69,7 +69,7 @@ class AttachmentFileController extends AbstractController
 //Set an CSP that allows to run inline scripts, styles and images from external ressources, but does not allow any connections or others.
 //Also set the sandbox CSP directive with only "allow-script" to run basic scripts
- $response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; img-src data:; sandbox allow-scripts allow-downloads allow-modals;");
+ $response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline' *; img-src data: *; sandbox allow-scripts allow-downloads allow-modals;");
 //Forbid to embed the attachment render page in an iframe to prevent clickjacking, as it is not used anywhere else for now
 $response->headers->set('X-Frame-Options', 'DENY');
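Review bot: The added `*` source in `style-src` and `img-src` reopens outbound requests from the sandboxed document, while the unchanged comment two lines above still says the policy "does not allow any connections"; with `allow-scripts` and `script-src 'unsafe-inline'` left in place, inline script in an uploaded HTML attachment can now trigger image or stylesheet fetches to arbitrary origins, so the viewer's IP address and viewing time become observable to whoever uploaded it. Whether that is equivalent to what markdown images already allow, as the commit message argues, cannot be checked from this hunk. If the wider policy is intended, prefer `https:` over `*` so plaintext `http:` loads are not matched, i.e. `style-src 'unsafe-inline' https:; img-src data: https:;`, and update the comment to something like `//Set a CSP that allows inline scripts and styles plus external images/styles (an outbound-request channel), but no other connections`. The enclosing method starts outside the hunk.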