Whitelist for preview files from the backend (#1651)

This PR adds a whitelist of safe files to download with
`Content-Disposition: inline;` from the backend; all other files will be
force-downloaded via `Content-Disposition: attachment;`. Existing svg files
will still be rendered in a secure way via the html `image` tag.

reference: https://digi.ninja/blog/svg_xss.php

Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
This commit is contained in:
Lenin Alevski
2022-03-02 12:18:43 -08:00
committed by GitHub
parent 20ba19affc
commit 26d5972ab5
3 changed files with 47 additions and 4 deletions


@@ -254,7 +254,7 @@ func serveProxy(responseWriter http.ResponseWriter, req *http.Request) {
}
// Allow iframes
responseWriter.Header().Set("X-Frame-Options", "SAMEORIGIN")
responseWriter.Header().Set("X-XSS-Protection", "1")
responseWriter.Header().Set("X-XSS-Protection", "1; mode=block")
io.Copy(responseWriter, resp.Body)
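Review bot: the `X-XSS-Protection` header that this hunk changes from `1` to `1; mode=block` is a legacy, non-standard header that current browsers ignore (Chromium removed its XSS Auditor in version 78 and Firefox never implemented it), so the edit adds no real protection against the SVG XSS the commit message targets and should not be counted as a mitigation; the effective controls are the `Content-Disposition: attachment` fallback described in the message (not visible in this hunk) and a `Content-Security-Policy` header set next to `X-Frame-Options`, for example `default-src 'none'; frame-ancestors 'self'` on proxied object responses. The `// Allow iframes` comment is also misleading for `X-Frame-Options: SAMEORIGIN`, which permits framing only from the same origin; `// Allow same-origin framing only` would describe the line accurately.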