From cb35b73048b91ca32ee89d5b05a09552db8e5faf Mon Sep 17 00:00:00 2001
From: Joe Chen
Date: Tue, 3 May 2022 17:51:28 +0800
Subject: [PATCH] attachment: set CSP header in the serving endpoint (#6926)
---
 internal/cmd/web.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/internal/cmd/web.go b/internal/cmd/web.go
index 097ad23a8..80c8ce48d 100644
--- a/internal/cmd/web.go
+++ b/internal/cmd/web.go
@@ -318,6 +318,7 @@ func runWeb(c *cli.Context) error {
 }
 defer fr.Close()
+ c.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
 c.Header().Set("Cache-Control", "public,max-age=86400")
 c.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, attach.Name))
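Review bot: The added Content-Security-Policy line protects only in browsers that enforce CSP `sandbox`, and the response is still sent `inline` from the application's own origin. None of the visible header lines sets `X-Content-Type-Options`, so unless that happens elsewhere (not visible in this hunk) I would add `c.Header().Set("X-Content-Type-Options", "nosniff")` next to it. The new line also deserves a short comment, for example `// Attachments are user-uploaded: no scripts, opaque origin, inline styles only.`, so the policy is not loosened later without review. Separately, the context line that builds Content-Disposition interpolates `attach.Name` with `%s` inside a quoted string, so a name containing `"` would break the filename parameter; assuming the name comes from the uploader, `mime.FormatMediaType("inline", map[string]string{"filename": attach.Name})` would quote it correctly (it needs the `mime` import, which this hunk does not show). The handler inside runWeb starts and ends outside this hunk.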