diff options
author | Florian Pritz <bluewind@xinu.at> | 2012-02-19 12:10:09 +0100 |
---|---|---|
committer | Florian Pritz <bluewind@xinu.at> | 2012-02-19 12:10:09 +0100 |
commit | ccb038f92a2d4fdc4510151e549d83121522ecae (patch) | |
tree | f38aeafcf45651ae3d31044bfb072326055b041f /application/controllers/file.php | |
parent | 28290de0665bdba2129fde7901b28b6299566e56 (diff) |
Implement CSP for direct file downloads
With this header we tell the browser to ignore javascript, frames and
objects which decreases the exploitability of simple html pastes if
viewed raw ("<domain>/<id>", without a tailing slash) quite a lot.
You can still upload arbitrary files containing javascript code, but the
browser will refuse to execute it.
References: https://wiki.mozilla.org/Security/CSP/Specification
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Diffstat (limited to 'application/controllers/file.php')
0 files changed, 0 insertions, 0 deletions