Implement CSP for direct file downloads

With this header we tell the browser to ignore javascript, frames and
objects which decreases the exploitability of simple html pastes if
viewed raw ("<domain>/<id>", without a tailing slash) quite a lot.

You can still upload arbitrary files containing javascript code, but the
browser will refuse to execute it.

References: https://wiki.mozilla.org/Security/CSP/Specification

Signed-off-by: Florian Pritz <bluewind@xinu.at>

1 files changed, 3 insertions, 0 deletions

diff --git a/application/models/file_mod.php b/application/models/file_mod.php
index 05b4ef08c..32c3f29d0 100644
--- a/application/models/file_mod.php
+++ b/application/models/file_mod.php
@@ -262,6 +262,9 @@ class File_mod extends CI_Model {
 		$filesize_too_big = filesize($file) > $this->config->item('upload_max_text_size');
 
 		if (!$can_highlight || $filesize_too_big || !$mode) {
+			foreach (array("X-WebKit-CSP", "X-Content-Security-Policy") as $header_name) {
+				header("$header_name: allow 'none'; img-src *; media-src *; font-src *; style-src *; script-src 'none'; object-src 'none'; frame-src 'none'; ");
+			}
 			rangeDownload($file, $filedata["filename"], $type);
 			exit();
 		}