summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFlorian Pritz <bluewind@xinu.at>2012-02-19 12:10:09 +0100
committerFlorian Pritz <bluewind@xinu.at>2012-02-19 12:10:09 +0100
commitccb038f92a2d4fdc4510151e549d83121522ecae (patch)
treef38aeafcf45651ae3d31044bfb072326055b041f
parent28290de0665bdba2129fde7901b28b6299566e56 (diff)
Implement CSP for direct file downloads
With this header we tell the browser to ignore javascript, frames and objects which decreases the exploitability of simple html pastes if viewed raw ("<domain>/<id>", without a tailing slash) quite a lot. You can still upload arbitrary files containing javascript code, but the browser will refuse to execute it. References: https://wiki.mozilla.org/Security/CSP/Specification Signed-off-by: Florian Pritz <bluewind@xinu.at>
-rw-r--r--application/models/file_mod.php3
1 files changed, 3 insertions, 0 deletions
diff --git a/application/models/file_mod.php b/application/models/file_mod.php
index 05b4ef08c..32c3f29d0 100644
--- a/application/models/file_mod.php
+++ b/application/models/file_mod.php
@@ -262,6 +262,9 @@ class File_mod extends CI_Model {
$filesize_too_big = filesize($file) > $this->config->item('upload_max_text_size');
if (!$can_highlight || $filesize_too_big || !$mode) {
+ foreach (array("X-WebKit-CSP", "X-Content-Security-Policy") as $header_name) {
+ header("$header_name: allow 'none'; img-src *; media-src *; font-src *; style-src *; script-src 'none'; object-src 'none'; frame-src 'none'; ");
+ }
rangeDownload($file, $filedata["filename"], $type);
exit();
}