groove/Part-DB-server
1
0
Fork 0
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2026-06-23 19:11:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Set CSP policy for static assets for security hardeninng

Browse source
This commit is contained in:
Jan Böhmer 2026-06-20 23:42:01 +02:00
parent 0cd83f0322
commit b62f47ba05
6 changed files with 29 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/Controller/AttachmentFileController.php
View file

@ -122,7 +122,7 @@ class AttachmentFileController extends AbstractController
private function setAttachmentCSPHeaders(Response $response): Response
{
//Set an CSP that disallow to run any scripts, styles or images from the attachment render page, as it is not used anywhere else for now and can be a security risk if used without proper precautions, so it should be opt-in
$response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; sandbox;");
$response->headers->set('Content-Security-Policy', "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; sandbox;");
return $response;
}