groove/Part-DB-server
1
0
Fork 0
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2026-02-25 19:09:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Allow file downloads and modals in HTML sandbox

Browse source
This commit is contained in:
Jan Böhmer 2026-02-24 22:57:48 +01:00
parent 628f794b37
commit dcafc8a1a1
2 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/Controller/AttachmentFileController.php
View file

@ -69,7 +69,7 @@ class AttachmentFileController extends AbstractController
//Set an CSP that allows to run inline scripts, styles and images from external ressources, but does not allow any connections or others.
//Also set the sandbox CSP directive with only "allow-script" to run basic scripts
$response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; img-src data:; sandbox allow-scripts;");
$response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; img-src data:; sandbox allow-scripts allow-downloads allow-modals;");
//Forbid to embed the attachment render page in an iframe to prevent clickjacking, as it is not used anywhere else for now
$response->headers->set('X-Frame-Options', 'DENY');

2
templates/attachments/html_sandbox.html.twig
View file

@ -65,7 +65,7 @@
<iframe referrerpolicy="no-referrer" class="content-frame"
{# When changing this sandbox, also change the sandbox CSP in the controller #}
sandbox="allow-scripts"
sandbox="allow-scripts allow-downloads allow-modals"
srcdoc="{{ content|e('html_attr') }}"
></iframe>