From ccb038f92a2d4fdc4510151e549d83121522ecae Mon Sep 17 00:00:00 2001
From: Florian Pritz
Date: Sun, 19 Feb 2012 12:10:09 +0100
Subject: Implement CSP for direct file downloads
With this header we tell the browser to ignore javascript, frames and objects which decreases the exploitability of simple html pastes if viewed raw ("/", without a tailing slash) quite a lot. You can still upload arbitrary files containing javascript code, but the browser will refuse to execute it.
References: https://wiki.mozilla.org/Security/CSP/Specification
Signed-off-by: Florian Pritz
---
 application/models/file_mod.php | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'application/models')
diff --git a/application/models/file_mod.php b/application/models/file_mod.php
index 05b4ef08c..32c3f29d0 100644
--- a/application/models/file_mod.php
+++ b/application/models/file_mod.php
@@ -262,6 +262,9 @@ class File_mod extends CI_Model {
 $filesize_too_big = filesize($file) > $this->config->item('upload_max_text_size');
 if (!$can_highlight || $filesize_too_big || !$mode) {
+foreach (array("X-WebKit-CSP", "X-Content-Security-Policy") as $header_name) {
+header("$header_name: allow 'none'; img-src *; media-src *; font-src *; style-src *; script-src 'none'; object-src 'none'; frame-src 'none'; ");
+}
 rangeDownload($file, $filedata["filename"], $type);
 exit();
 }
-- 
cgit v1.2.3-24-g4f1b
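Review bot: The two headers set in the new foreach are only honoured by browsers that implement one of the vendor-prefixed names, so the commit message's claim that "the browser will refuse to execute" uploaded script holds only for those clients; any other browser still renders a raw HTML paste with its scripts, so this is defence in depth rather than a fix for serving untrusted HTML from the site's own origin. A third `header()` call sending the unprefixed `Content-Security-Policy` name would extend coverage to browsers following the W3C draft, but note its syntax uses `default-src 'none'` rather than `allow 'none'`, so it cannot simply be appended to the loop's array. Independently of CSP, `header("X-Content-Type-Options: nosniff");` beside it would stop content sniffing from promoting a non-HTML `$type` into an HTML document. The enclosing method starts and ends outside the hunk, and whether `rangeDownload()` emits its own headers or output before these take effect is not visible here.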