From 831f6f1d956742887ffd0e63c2f376f2449ebab0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Tue, 24 Feb 2026 23:05:09 +0100
Subject: [PATCH] Allow to load external images and styles in the HTML sandbox

That should not cause much security issues, as this is what users can do anyway via attachment creation, and markdown images
---
 src/Controller/AttachmentFileController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Controller/AttachmentFileController.php b/src/Controller/AttachmentFileController.php
index bc16b7dc..01aeab11 100644
--- a/src/Controller/AttachmentFileController.php
+++ b/src/Controller/AttachmentFileController.php
@@ -69,7 +69,7 @@ class AttachmentFileController extends AbstractController
 //Set an CSP that allows to run inline scripts, styles and images from external ressources, but does not allow any connections or others.
 //Also set the sandbox CSP directive with only "allow-script" to run basic scripts
- $response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; img-src data:; sandbox allow-scripts allow-downloads allow-modals;");
+ $response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline' *; img-src data: *; sandbox allow-scripts allow-downloads allow-modals;");
 //Forbid to embed the attachment render page in an iframe to prevent clickjacking, as it is not used anywhere else for now
 $response->headers->set('X-Frame-Options', 'DENY');
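Review bot: The new `img-src data: *` together with the existing `script-src 'unsafe-inline'` turns the sandboxed attachment into an outbound channel: an inline script can encode whatever it can observe (at minimum the viewer's IP, user agent and time of viewing, since the sandbox directive without allow-same-origin leaves the document with an opaque origin and no access to cookies or the parent page) into an image or stylesheet URL on any host, so the comment's "does not allow any connections" no longer describes the policy. The commit message's argument that users can already do this via markdown images is fair for tracking pixels, but markdown images do not come with an inline script that builds the URL dynamically, so the exposure is somewhat larger than stated; that tradeoff should be written down next to the header rather than left implicit. Consider also limiting the wildcard to TLS origins so the viewer's browser is not coaxed into plaintext loads, e.g. `style-src 'unsafe-inline' https:; img-src data: https:;`, and update the preceding comment to something like `//External images/styles are allowed (same exposure as markdown images: a viewer's IP/UA can leak to the attachment author); connect/fetch/frames remain blocked.` The enclosing method begins and ends outside this hunk.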