fix(security): use a more restrictive CSP for untrusted content

2025-08-11 17:51:01 +00:00 · 2025-03-29 19:43:06 -07:00 · 2025-03-29 19:43:06 -07:00 · cb695e653a
commit cb695e653a
parent f57949c9a2
4 changed files with 18 additions and 4 deletions
--- a/internal/ui/proxy.go
+++ b/internal/ui/proxy.go
@ -144,7 +144,7 @@ func (h *handler) mediaProxy(w http.ResponseWriter, r *http.Request) {

 	response.New(w, r).WithCaching(etag, 72*time.Hour, func(b *response.Builder) {
 		b.WithStatus(resp.StatusCode)
-		b.WithHeader("Content-Security-Policy", `sandbox`)
+		b.WithHeader("Content-Security-Policy", response.ContentSecurityPolicyForUntrustedContent)
 		b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))

 		if filename := path.Base(parsedMediaURL.Path); filename != "" {