From b821ac0a9e2bb152fc3f572e6d502c3266e99ea5 Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Tue, 16 Aug 2022 22:28:53 -0600
Subject: [PATCH] Add CORP headers

---
 CHANGELOG.md                   | 4 ++++
 api/webserver/route_handler.go | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 24daf86a..afebc7f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased]
 
+### Added
+
+* Added the `Cross-Origin-Resource-Policy: cross-origin` header to all downloads, as per [MSC3828](https://github.com/matrix-org/matrix-spec-proposals/pull/3828).
+
 ### Changed
 
 * Swap out the HEIF library for better support towards [ARM64 Docker Images](https://github.com/turt2live/matrix-media-repo/issues/365).
diff --git a/api/webserver/route_handler.go b/api/webserver/route_handler.go
index 3d04714b..b67cf515 100644
--- a/api/webserver/route_handler.go
+++ b/api/webserver/route_handler.go
@@ -6,7 +6,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/getsentry/sentry-go"
 	"io"
 	"io/ioutil"
 	"math"
@@ -17,6 +16,8 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/getsentry/sentry-go"
+
 	"github.com/alioygur/is"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/sebest/xff"
@@ -81,6 +82,7 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
 	w.Header().Set("Access-Control-Allow-Origin", "*")
 	w.Header().Set("Content-Security-Policy", "sandbox; default-src 'none'; script-src 'none'; plugin-types application/pdf; style-src 'unsafe-inline'; media-src 'self'; object-src 'self';")
+	w.Header().Set("Cross-Origin-Resource-Policy", "cross-origin")
 	w.Header().Set("X-Content-Security-Policy", "sandbox;")
 	w.Header().Set("X-Robots-Tag", "noindex, nofollow, noarchive, noimageindex")
 	w.Header().Set("Server", "matrix-media-repo")
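Review bot: The new `Cross-Origin-Resource-Policy` line in `ServeHTTP` is set unconditionally alongside the blanket CORS and CSP headers, so it applies to every response this handler emits, not only to downloads as the changelog entry says; either the changelog wording should match, or the header should be set where the download routes are served. The value `cross-origin` is the most permissive CORP setting and deliberately disables the isolation CORP would otherwise give, which is consistent with the `Access-Control-Allow-Origin: *` on the line above and with the MSC3828 goal of letting pages that opt into `Cross-Origin-Embedder-Policy: require-corp` embed media from this server, but nothing in the code records that intent. A one-line comment would keep a later maintainer from "tightening" it and breaking embedding, e.g. `// MSC3828: media must remain embeddable by cross-origin pages that set COEP: require-corp.` placed above the new `w.Header().Set(...)` call. The body of `ServeHTTP` continues outside the hunk, so whether any route later overrides this header cannot be checked from here.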