summaryrefslogtreecommitdiffstats
path: root/application/controllers
diff options
context:
space:
mode:
authorFlorian Pritz <bluewind@xinu.at>2012-02-19 12:10:09 +0100
committerFlorian Pritz <bluewind@xinu.at>2012-02-19 12:10:09 +0100
commitccb038f92a2d4fdc4510151e549d83121522ecae (patch)
treef38aeafcf45651ae3d31044bfb072326055b041f /application/controllers
parent28290de0665bdba2129fde7901b28b6299566e56 (diff)
Implement CSP for direct file downloads
With this header we tell the browser to ignore javascript, frames and objects which decreases the exploitability of simple html pastes if viewed raw ("<domain>/<id>", without a tailing slash) quite a lot. You can still upload arbitrary files containing javascript code, but the browser will refuse to execute it. References: https://wiki.mozilla.org/Security/CSP/Specification Signed-off-by: Florian Pritz <bluewind@xinu.at>
Diffstat (limited to 'application/controllers')
0 files changed, 0 insertions, 0 deletions