
Uploads: Sandbox them in the CSP.

lain requested to merge uploads-csp-changes into develop

The currently applied CSP is meant to make it possible to run our frontends, but nothing should ever run from the uploaded media. This CSP sandboxes (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox) all uploads, preventing attacks.
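
One way to check that a response serving an uploaded file carries an effective `sandbox` directive (an added example, not code from this merge request). The function names and the header values in the test are constructed for illustration.

```python
# Added example: audit the Content-Security-Policy value returned for an upload.
# Not the project's code; function names are hypothetical.

# Sandbox flags that give back what an upload should never have:
# script execution, and the serving site's own origin.
RISKY_FLAGS = {"allow-scripts", "allow-same-origin"}


def parse_csp(header_value):
    """Parse a CSP header value into a list of {directive: [tokens]} policies.

    Policies are comma-separated and directives semicolon-separated.
    Directive names are case-insensitive, and only the first occurrence
    of a name within a policy counts (later duplicates are ignored).
    """
    policies = []
    for raw_policy in header_value.split(","):
        directives = {}
        for raw_directive in raw_policy.split(";"):
            tokens = raw_directive.split()
            if tokens:
                directives.setdefault(tokens[0].lower(), tokens[1:])
        if directives:
            policies.append(directives)
    return policies


def audit_upload_csp(header_value):
    """Return (sandboxed, risky_flags_granted) for one upload response."""
    if not header_value:
        return False, set()
    sandboxes = [
        {flag.lower() for flag in policy["sandbox"]}
        for policy in parse_csp(header_value)
        if "sandbox" in policy
    ]
    if not sandboxes:
        return False, set()
    # Every policy is enforced, so restrictions add up: a flag is only
    # in effect when each sandboxing policy grants it.
    granted = set.intersection(*sandboxes)
    return True, granted & RISKY_FLAGS
```

A bare `sandbox` with no flags is the strictest form; any flag reported in the second return value is worth reviewing before the policy ships.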
