From e71f748bd57bfa86630d7a3e0aca8526a56cd15d Mon Sep 17 00:00:00 2001
From: Fai
Date: Tue, 5 Nov 2024 09:34:25 -0500
Subject: [PATCH] [17.0][FIX] fs_attachment: Add CSP header for fs stream

---
 fs_attachment/fs_stream.py | 14 +++++++++++++-
 fs_attachment/tests/test_stream.py | 13 +++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/fs_attachment/fs_stream.py b/fs_attachment/fs_stream.py
index f04b6c47a5..7bf50e4325 100644
--- a/fs_attachment/fs_stream.py
+++ b/fs_attachment/fs_stream.py
@@ -38,7 +38,13 @@ def read(self):
             return f.read()
         return super().read()
 
-    def get_response(self, as_attachment=None, immutable=None, **send_file_kwargs):
+    def get_response(
+        self,
+        as_attachment=None,
+        immutable=None,
+        content_security_policy="default-src 'none'",
+        **send_file_kwargs,
+    ):
         if self.type != "fs":
             return super().get_response(
                 as_attachment=as_attachment, immutable=immutable, **send_file_kwargs
@@ -79,6 +85,12 @@ def get_response(self, as_attachment=None, immutable=None, **send_file_kwargs):
         if immutable and res.cache_control:
             res.cache_control["immutable"] = None
+
+        res.headers["X-Content-Type-Options"] = "nosniff"
+
+        if content_security_policy:
+            res.headers["Content-Security-Policy"] = content_security_policy
+
         return res
 
     @classmethod
diff --git a/fs_attachment/tests/test_stream.py b/fs_attachment/tests/test_stream.py
index 9d19df60b4..e9ceb918bc 100644
--- a/fs_attachment/tests/test_stream.py
+++ b/fs_attachment/tests/test_stream.py
@@ -150,3 +150,16 @@ def test_image_url_with_size(self):
             },
         )
         self.assertEqual(Image.open(io.BytesIO(res.content)).size, (64, 64))
+
+    def test_response_csp_header(self):
+        self.authenticate("admin", "admin")
+        url = f"/web/content/{self.attachment_binary.id}"
+        self.assertDownload(
+            url,
+            headers={},
+            assert_status_code=200,
+            assert_headers={
+                "X-Content-Type-Options": "nosniff",
+                "Content-Security-Policy": "default-src 'none'",
+            },
+        )
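Review bot: The new `content_security_policy` argument is silently dropped on the non-fs path: the early `return super().get_response(as_attachment=as_attachment, immutable=immutable, **send_file_kwargs)` directly below the new signature does not forward it, so a caller that passes a stricter policy for a non-fs stream gets whatever the parent emits, while the `nosniff` and `Content-Security-Policy` headers added in the second hunk (`@@ -79,6 +85,12 @@`) are only applied to fs-backed streams. If the parent `get_response` accepts this keyword (not visible here), forward it as `content_security_policy=content_security_policy,`; otherwise the docstring should state that the parameter only affects fs streams. The parameter is also undocumented, and because the header is guarded by `if content_security_policy:`, an empty string or `None` disables it, so a docstring line such as `content_security_policy: value of the Content-Security-Policy header sent with fs streams; a falsy value suppresses the header.` would make that opt-out explicit. The body of `get_response` continues between the two hunks, outside this view.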
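Review bot: `test_response_csp_header` only pins the default policy on the `/web/content` route; neither a custom `content_security_policy` value nor the falsy opt-out that suppresses the header is exercised, so a regression in the `if content_security_policy:` guard would go unnoticed. If the test fixtures give access to the stream object, a second test calling `get_response(content_security_policy="")` on an fs stream and asserting `"Content-Security-Policy" not in res.headers` (plus one with a custom value) would cover both branches. The enclosing test class and the `assertDownload` helper are defined outside the hunk.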