Mitigate media repo XSSs on IE11. (#10468)

IE11 doesn't support Content-Security-Policy but it has support for a non-standard X-Content-Security-Policy header, which only supports the sandbox directive. This prevents script execution, so it at least offers some protection against media repo-based attacks. Signed-off-by: Denis Kasak <[email protected]>
matrix-org · Jul 27, 2021 · 2476d53 · 2476d53
1 parent b3a757e
commit 2476d53
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/changelog.d/10468.misc b/changelog.d/10468.misc
@@ -0,0 +1 @@
+Mitigate media repo XSS attacks on IE11 via the non-standard X-Content-Security-Policy header.
diff --git a/synapse/rest/media/v1/download_resource.py b/synapse/rest/media/v1/download_resource.py
@@ -49,6 +49,8 @@ async def _async_render_GET(self, request: Request) -> None:
             b" media-src 'self';"
             b" object-src 'self';",
         )
+        # Limited non-standard form of CSP for IE11
+        request.setHeader(b"X-Content-Security-Policy", b"sandbox;")
         request.setHeader(
             b"Referrer-Policy",
             b"no-referrer",
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Mitigate media repo XSS attacks on IE11 via the non-standard X-Content-Security-Policy header.