From c349ad7670d3b2c8ab595d1dfa454ac680905bd6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sascha=20I=C3=9Fbr=C3=BCcker?=
Date: Sat, 13 Dec 2025 10:32:06 +0100
Subject: [PATCH] Use sandbox CSP for viewing assets (#1245)

---
bookmarks/tests/test_bookmark_asset_view.py | 6 ++++--
bookmarks/views/assets.py | 1 +
2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/bookmarks/tests/test_bookmark_asset_view.py b/bookmarks/tests/test_bookmark_asset_view.py
index f192305..ccdaeb9 100644
--- a/bookmarks/tests/test_bookmark_asset_view.py
+++ b/bookmarks/tests/test_bookmark_asset_view.py
@@ -141,7 +141,7 @@ class BookmarkAssetViewTestCase(TestCase, BookmarkFactoryMixin):
def test_reader_view_access_guest_user(self):
self.view_access_guest_user_test("linkding:assets.read")

- def test_snapshot_download_name(self):
+ def test_snapshot_download_headers(self):
bookmark = self.setup_bookmark()
asset = self.setup_asset_with_file(bookmark)
response = self.client.get(reverse("linkding:assets.view", args=[asset.id]))
@@ -151,8 +151,9 @@ class BookmarkAssetViewTestCase(TestCase, BookmarkFactoryMixin):
response["Content-Disposition"],
f'inline; filename="{asset.display_name}.html"',
)
+ self.assertEqual(response["Content-Security-Policy"], "sandbox")

- def test_uploaded_file_download_name(self):
+ def test_uploaded_file_download_headers(self):
bookmark = self.setup_bookmark()
asset = self.setup_asset_with_uploaded_file(bookmark)
response = self.client.get(reverse("linkding:assets.view", args=[asset.id]))
@@ -162,3 +163,4 @@ class BookmarkAssetViewTestCase(TestCase, BookmarkFactoryMixin):
response["Content-Disposition"],
f'inline; filename="{asset.display_name}"',
)
+ self.assertEqual(response["Content-Security-Policy"], "sandbox")
diff --git a/bookmarks/views/assets.py b/bookmarks/views/assets.py
index ae6f8b0..65eef97 100644
--- a/bookmarks/views/assets.py
+++ b/bookmarks/views/assets.py
@@ -33,6 +33,7 @@ def view(request, asset_id: int):
response = HttpResponse(content, content_type=asset.content_type)
response["Content-Disposition"] = f'inline; filename="{asset.download_name}"'
+ response["Content-Security-Policy"] = "sandbox"
return response
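Review bot: The added `Content-Security-Policy` line in `view` has no comment stating what it defends against, and a bare `sandbox` directive restricts only the document's origin and capabilities, not what it may fetch, so a served snapshot can still load remote images, styles or beacons from the archived site. The directive does put the user-supplied HTML in an opaque origin with script execution and form submission disabled, which is what keeps a malicious stored page away from the linkding session cookie and DOM, and that intent is worth recording inline: `# Serve stored HTML in a sandboxed, opaque origin with scripts disabled so a malicious snapshot cannot reach the app's cookies or DOM`. If archived pages are expected to render without contacting the origin site, a tighter value such as `"sandbox; default-src 'none'; img-src data:; style-src 'unsafe-inline' data:; font-src data:"` would also close that, but whether the snapshot format inlines everything as data: URIs is not visible here and should be checked before tightening. `asset.content_type` is forwarded unchanged on the line above; if it is user-controlled for uploads, make sure `X-Content-Type-Options: nosniff` is also present on this response (Django's SecurityMiddleware adds it when enabled), since the sandbox only helps once the browser has decided to treat the body as a document. `view` begins before this hunk.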