diff options
| author | Florian Pritz <bluewind@xinu.at> | 2012-02-19 12:10:09 +0100 |
|---|---|---|
| committer | Florian Pritz <bluewind@xinu.at> | 2012-02-19 12:10:09 +0100 |
| commit | ccb038f92a2d4fdc4510151e549d83121522ecae (patch) | |
| tree | f38aeafcf45651ae3d31044bfb072326055b041f /application | |
| parent | 28290de0665bdba2129fde7901b28b6299566e56 (diff) | |
Implement CSP for direct file downloads
With this header we tell the browser to ignore javascript, frames and
objects which decreases the exploitability of simple html pastes if
viewed raw ("<domain>/<id>", without a tailing slash) quite a lot.
You can still upload arbitrary files containing javascript code, but the
browser will refuse to execute it.
References: https://wiki.mozilla.org/Security/CSP/Specification
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Diffstat (limited to 'application')
| -rw-r--r-- | application/models/file_mod.php | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/application/models/file_mod.php b/application/models/file_mod.php index 05b4ef08c..32c3f29d0 100644 --- a/application/models/file_mod.php +++ b/application/models/file_mod.php @@ -262,6 +262,9 @@ class File_mod extends CI_Model { $filesize_too_big = filesize($file) > $this->config->item('upload_max_text_size'); if (!$can_highlight || $filesize_too_big || !$mode) { + foreach (array("X-WebKit-CSP", "X-Content-Security-Policy") as $header_name) { + header("$header_name: allow 'none'; img-src *; media-src *; font-src *; style-src *; script-src 'none'; object-src 'none'; frame-src 'none'; "); + } rangeDownload($file, $filedata["filename"], $type); exit(); } |