Mitigate media repo XSSs on IE11. (#10468)

IE11 doesn't support Content-Security-Policy but it has support for a non-standard X-Content-Security-Policy header, which only supports the sandbox directive. This prevents script execution, so it at least offers some protection against media repo-based attacks. Signed-off-by: Denis Kasak <dkasak@termina.org.uk>
2021-07-27 11:45:10 +00:00 · 2021-07-27 11:45:10 +00:00 · 2476d5373c
parent b3a757eb3b
commit 2476d5373c
2 changed files with 3 additions and 0 deletions
--- a/changelog.d/10468.misc
+++ b/changelog.d/10468.misc
@ -0,0 +1 @@
+Mitigate media repo XSS attacks on IE11 via the non-standard X-Content-Security-Policy header.
--- a/synapse/rest/media/v1/download_resource.py
+++ b/synapse/rest/media/v1/download_resource.py
@ -49,6 +49,8 @@ class DownloadResource(DirectServeJsonResource):
            b" media-src 'self';"
            b" object-src 'self';",
        )
+        # Limited non-standard form of CSP for IE11
+        request.setHeader(b"X-Content-Security-Policy", b"sandbox;")
        request.setHeader(
            b"Referrer-Policy",
            b"no-referrer",
				`@ -0,0 +1 @@`
				`Mitigate media repo XSS attacks on IE11 via the non-standard X-Content-Security-Policy header.`