From 72d9912a2e4dfc1bd7489d11548cf1ca43647987 Mon Sep 17 00:00:00 2001
From: Denis Kasak <dkasak@termina.org.uk>
Date: Tue, 28 Sep 2021 12:35:58 +0200
Subject: [PATCH]  Mitigate media repo XSS attacks on IE11 via the non-standard
 X-Content-Security-Policy header.

---
 api/webserver/route_handler.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/api/webserver/route_handler.go b/api/webserver/route_handler.go
index 950e70f9..f3227348 100644
--- a/api/webserver/route_handler.go
+++ b/api/webserver/route_handler.go
@@ -79,6 +79,7 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
 	w.Header().Set("Access-Control-Allow-Origin", "*")
 	w.Header().Set("Content-Security-Policy", "sandbox; default-src 'none'; script-src 'none'; plugin-types application/pdf; style-src 'unsafe-inline'; media-src 'self'; object-src 'self';")
+	w.Header().Set("X-Content-Security-Policy", "sandbox;")
 	w.Header().Set("X-Robots-Tag", "noindex, nofollow, noarchive, noimageindex")
 	w.Header().Set("Server", "matrix-media-repo")
 
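Review bot: The added `X-Content-Security-Policy` line 19 gives no reason for carrying only the `sandbox` directive while the standard header above it carries a full policy, so a later maintainer is likely to either "complete" it or remove it as redundant. A comment naming the audience would settle that, e.g. `// Legacy prefixed header for IE10/11, which as far as I know honour only the sandbox directive and ignore the standard header.` Because the second hunk clears both headers again for the HTML branch, the two values have to be kept in step; hoisting the policy strings into package-level constants used at both call sites would make that explicit. The enclosing ServeHTTP starts before this hunk and continues past it.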
@@ -245,6 +246,7 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Cache-Control", "private, max-age=259200") // 3 days
 		w.Header().Set("Content-Type", "text/html; charset=UTF-8")
 		w.Header().Set("Content-Security-Policy", "") // We're serving HTML, so take away the CSP
+		w.Header().Set("X-Content-Security-Policy", "") // We're serving HTML, so take away the CSP
 		io.Copy(w, bytes.NewBuffer([]byte(result.HTML)))
 		return
 	default:
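Review bot: `w.Header().Set("X-Content-Security-Policy", "")` on line 27 does not remove the header; as far as I can tell net/http still writes `X-Content-Security-Policy:` with an empty value, and the same holds for the existing Content-Security-Policy line it mirrors. If the intent is that no policy reaches the client, `w.Header().Del("Content-Security-Policy")` and `w.Header().Del("X-Content-Security-Policy")` state that directly instead of relying on every client treating an empty policy as absent. The comment copied from the line above could be folded into one comment covering both headers. The enclosing ServeHTTP begins before this hunk and continues past it.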
-- 
GitLab