diff --git a/application/Espo/EntryPoints/Attachment.php b/application/Espo/EntryPoints/Attachment.php
index b085136224..0e1c6fafa5 100644
--- a/application/Espo/EntryPoints/Attachment.php
+++ b/application/Espo/EntryPoints/Attachment.php
@@ -95,7 +95,7 @@ class Attachment implements EntryPoint
         $response
             ->setHeader('Content-Length', (string) $size)
             ->setHeader('Cache-Control', 'private, max-age=864000, immutable')
-            ->setHeader('Content-Security-Policy', "default-src 'self'")
+            ->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'none'; object-src 'none';")
             ->setBody($stream);
     }
 
diff --git a/application/Espo/EntryPoints/Download.php b/application/Espo/EntryPoints/Download.php
index 726a063086..672dc26d83 100644
--- a/application/Espo/EntryPoints/Download.php
+++ b/application/Espo/EntryPoints/Download.php
@@ -87,7 +87,7 @@ class Download implements EntryPoint
         if (in_array($type, $inlineMimeTypeList)) {
             $disposition = 'inline';
 
-            $response->setHeader('Content-Security-Policy', "default-src 'self'");
+            $response->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'none'; object-src 'none';");
         }
 
         $response->setHeader('Content-Description', 'File Transfer');
diff --git a/application/Espo/EntryPoints/Image.php b/application/Espo/EntryPoints/Image.php
index 614a66bdd9..e86c66c63b 100644
--- a/application/Espo/EntryPoints/Image.php
+++ b/application/Espo/EntryPoints/Image.php
@@ -153,7 +153,7 @@ class Image implements EntryPoint
         $response
             ->setHeader('Content-Disposition', 'inline;filename="' . $fileName . '"')
             ->setHeader('Content-Length', (string) $fileSize)
-            ->setHeader('Content-Security-Policy', "default-src 'self'")
+            ->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'none'; object-src 'none';");
 
         if (!$noCacheHeaders) {
             $response->setHeader('Cache-Control', 'private, max-age=864000, immutable');
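Review bot: The new Content-Security-Policy on the added `->setHeader('Content-Security-Policy', ...)` line in the Attachment hunk blocks scripts and plugins, but a user-uploaded file served inline is still rendered in the application's own origin, so an HTML-like document can still submit forms to same-origin endpoints, navigate the top frame, or load same-origin resources under `default-src 'self'`. Adding the `sandbox` directive gives the response an opaque origin and shuts all of that down in one token, which is the usual hardening for inline-served user content; a minimal change is `->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'none'; object-src 'none'; sandbox")`. The trailing `;` after `object-src 'none'` is tolerated by browsers but is not conventional and can be dropped. Whether `X-Content-Type-Options: nosniff` is also set on this response is outside the hunk and worth confirming, since CSP does nothing if the browser sniffs a non-HTML type as HTML. The method this chain belongs to starts before the hunk.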
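Review bot: The identical policy string `"default-src 'self'; script-src 'none'; object-src 'none';"` is now hand-copied into Attachment, Download and Image, so the next hardening (or a typo fix) has to be made three times and the three entry points can silently drift apart; in the Download hunk's added `$response->setHeader('Content-Security-Policy', ...)` line, and likewise in the other two, read it from one shared constant instead, e.g. `private const INLINE_CSP = "default-src 'self'; script-src 'none'; object-src 'none'";` on a common base or a small helper used by all three. The gate on the line above, `if (in_array($type, $inlineMimeTypeList))`, is a loose comparison; since it decides whether the file is displayed inline rather than downloaded, `in_array($type, $inlineMimeTypeList, true)` removes any type-juggling surprise. The enclosing method of this hunk starts and ends outside the hunk.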