From a9968e8f87a5d0abad4e370e84f5aad92be9ea0f Mon Sep 17 00:00:00 2001
From: Uncled1023
Date: Fri, 14 Apr 2017 10:19:41 -0700
Subject: [PATCH] Added content security policy for uploads

---
 Teknik/Areas/Upload/Controllers/UploadController.cs | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/Teknik/Areas/Upload/Controllers/UploadController.cs b/Teknik/Areas/Upload/Controllers/UploadController.cs
index d4a832c..7c932a2 100644
--- a/Teknik/Areas/Upload/Controllers/UploadController.cs
+++ b/Teknik/Areas/Upload/Controllers/UploadController.cs
@@ -172,8 +172,8 @@ namespace Teknik.Areas.Upload.Controllers
                 {
                     // Are they downloading it by range?
                     bool byRange = !string.IsNullOrEmpty(Request.ServerVariables["HTTP_RANGE"]); // We do not support ranges
-                    // Check to see if they have a cache
-                    bool isCached = !string.IsNullOrEmpty(Request.Headers["If-Modified-Since"]);
+
+                    bool isCached = !string.IsNullOrEmpty(Request.Headers["If-Modified-Since"]); // Check to see if they have a cache
 
                     if (isCached)
                     {
@@ -272,11 +272,8 @@ namespace Teknik.Areas.Upload.Controllers
 
                     Response.AddHeader("Content-Disposition", cd.ToString());
 
-                    // We need to prevent html (make cleaner later)
-                    if (contentType == "text/html")
-                    {
-                        contentType = "text/plain";
-                    }
+                    // Apply content security policy for downloads
+                    Response.AddHeader("Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; form-action 'none';");
 
                     // Read in the file
                     FileStream fs = new FileStream(filePath, FileMode.Open, FileAccess.Read, FileShare.Read);
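Review bot: The `Content-Security-Policy` added in the second hunk is not a substitute for the `text/html` → `text/plain` downgrade it removes: with `script-src 'self'` and user uploads served from this same origin, an uploaded HTML document is now rendered as HTML and the policy still permits it to load any other same-origin upload as a script, so stored active content is only partly contained. For an endpoint that serves user files rather than a first-party page, nothing here needs `'self'`; a tighter policy is `Response.AddHeader("Content-Security-Policy", "default-src 'none'; sandbox; form-action 'none';");` together with `Response.AddHeader("X-Content-Type-Options", "nosniff");` so browsers honour the declared type instead of sniffing. Keeping the removed content-type downgrade as defence in depth is also worth considering, since not every client honours CSP. Where `contentType` is ultimately assigned to the response is presumably further down and not visible in this hunk; the enclosing method begins and ends outside both hunks.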