Use sandbox CSP for viewing assets (#1245)

This commit is contained in:
Sascha Ißbrücker
2025-12-13 10:32:06 +01:00
committed by GitHub
parent 1c17e16655
commit c349ad7670
2 changed files with 5 additions and 2 deletions


@@ -141,7 +141,7 @@ class BookmarkAssetViewTestCase(TestCase, BookmarkFactoryMixin):
def test_reader_view_access_guest_user(self):
self.view_access_guest_user_test("linkding:assets.read")
def test_snapshot_download_name(self):
def test_snapshot_download_headers(self):
bookmark = self.setup_bookmark()
asset = self.setup_asset_with_file(bookmark)
response = self.client.get(reverse("linkding:assets.view", args=[asset.id]))
@@ -151,8 +151,9 @@ class BookmarkAssetViewTestCase(TestCase, BookmarkFactoryMixin):
response["Content-Disposition"],
f'inline; filename="{asset.display_name}.html"',
)
self.assertEqual(response["Content-Security-Policy"], "sandbox")
def test_uploaded_file_download_name(self):
def test_uploaded_file_download_headers(self):
bookmark = self.setup_bookmark()
asset = self.setup_asset_with_uploaded_file(bookmark)
response = self.client.get(reverse("linkding:assets.view", args=[asset.id]))
@@ -162,3 +163,4 @@ class BookmarkAssetViewTestCase(TestCase, BookmarkFactoryMixin):
response["Content-Disposition"],
f'inline; filename="{asset.display_name}"',
)
self.assertEqual(response["Content-Security-Policy"], "sandbox")


@@ -33,6 +33,7 @@ def view(request, asset_id: int):
response = HttpResponse(content, content_type=asset.content_type)
response["Content-Disposition"] = f'inline; filename="{asset.download_name}"'
response["Content-Security-Policy"] = "sandbox"
return response
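Review bot: The new `Content-Security-Policy: sandbox` header on the line before `return response` stops a stored HTML asset from running script in linkding's origin, but the response is still served `inline` with the asset's own `content_type`, so pairing it with `response["X-Content-Type-Options"] = "nosniff"` would keep browsers from sniffing a non-HTML asset into an HTML document in the first place. I believe not every browser honors the CSP `sandbox` directive (Safari in particular, worth confirming against current compat tables), so it is a strong mitigation rather than a complete one; the conventional fallback is serving user-supplied assets from a separate origin. A short comment above the header such as `# Sandbox (opaque origin, no script/forms) so archived or uploaded HTML cannot reach linkding's session` would record why the header is unconditional. The enclosing `view` function begins outside the hunk, so whether other return paths there set the same headers is not visible here.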