Set `Content-Security-Policy` on media repo
This is to inform browsers that they should sandbox the returned media. This is particularly cruical for javascript/HTML files.pull/1021/head
parent
f90b3d83a3
commit
0af9e1a637
|
@ -45,6 +45,7 @@ class DownloadResource(Resource):
|
||||||
@request_handler()
|
@request_handler()
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def _async_render_GET(self, request):
|
def _async_render_GET(self, request):
|
||||||
|
request.setHeader("Content-Security-Policy", "sandbox")
|
||||||
server_name, media_id, name = parse_media_id(request)
|
server_name, media_id, name = parse_media_id(request)
|
||||||
if server_name == self.server_name:
|
if server_name == self.server_name:
|
||||||
yield self._respond_local_file(request, media_id, name)
|
yield self._respond_local_file(request, media_id, name)
|
||||||
|
|
Loading…
Reference in New Issue