Uploads: Sandbox them in the CSP. (!2389) · Merge requests · Pleroma / pleroma · GitLab

lain requested to merge uploads-csp-changes into develop Apr 15, 2020

The currently applied CSP is meant to make it possible to run our frontends, but nothing should ever run from the uploaded media. This CSP sandboxes (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox) all uploads, preventing attacks.