inline attachment header change

2026-06-28 06:56:05 +00:00 · 2026-03-23 23:55:01 +02:00
parent 8a8f8453f8
commit 310dcdaf24
3 changed files with 3 additions and 3 deletions
--- a/application/Espo/EntryPoints/Attachment.php
+++ b/application/Espo/EntryPoints/Attachment.php
@@ -95,7 +95,7 @@ class Attachment implements EntryPoint
        $response
            ->setHeader('Content-Length', (string) $size)
            ->setHeader('Cache-Control', 'private, max-age=864000, immutable')
-            ->setHeader('Content-Security-Policy', "default-src 'self'")
+            ->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'none'; object-src 'none';")
            ->setBody($stream);
    }

--- a/application/Espo/EntryPoints/Download.php
+++ b/application/Espo/EntryPoints/Download.php
@@ -87,7 +87,7 @@ class Download implements EntryPoint
        if (in_array($type, $inlineMimeTypeList)) {
            $disposition = 'inline';

-            $response->setHeader('Content-Security-Policy', "default-src 'self'");
+            $response->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'none'; object-src 'none';");
        }

        $response->setHeader('Content-Description', 'File Transfer');
--- a/application/Espo/EntryPoints/Image.php
+++ b/application/Espo/EntryPoints/Image.php
@@ -153,7 +153,7 @@ class Image implements EntryPoint
        $response
            ->setHeader('Content-Disposition', 'inline;filename="' . $fileName . '"')
            ->setHeader('Content-Length', (string) $fileSize)
-            ->setHeader('Content-Security-Policy', "default-src 'self'");
+            ->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'none'; object-src 'none';");

        if (!$noCacheHeaders) {
            $response->setHeader('Cache-Control', 'private, max-age=864000, immutable');