    Forbid scripting for wiki files · 1cda245c
    Sean McGivern authored
    Wiki files (not pages - files in the repo) are just sent to the browser
    with whatever content-type the mime_types gem assigns to them based on
    their extension. As this is from the same domain as the GitLab
    application, this is an XSS vulnerability.
    
    Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these
    files.
wikis_controller.rb 3.26 KB
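As an added illustration (not code from this commit or from GitLab), the pattern the message describes: the Content-Type of a raw wiki file is still chosen from its extension, but the response carries a Content-Security-Policy that leaves nothing active to execute. The extension map is a constructed stand-in for the mime_types gem, and the function names are assumptions.

```ruby
# Constructed stand-in for the mime_types gem: extension -> content type.
# Active types such as text/html and image/svg+xml are the problem cases,
# since the file is served from the same origin as the application.
CONTENT_TYPES = {
  ".html" => "text/html",
  ".svg"  => "image/svg+xml",
  ".png"  => "image/png",
  ".txt"  => "text/plain",
}.freeze

# Policy that forbids every source for scripts, styles, XHR/fetch, frames,
# objects and so on. default-src 'none' already covers the fetch
# directives; base-uri and form-action are listed explicitly because they
# do not fall back to default-src.
WIKI_FILE_CSP = [
  "default-src 'none'",
  "script-src 'none'",
  "style-src 'none'",
  "connect-src 'none'",
  "object-src 'none'",
  "frame-src 'none'",
  "base-uri 'none'",
  "form-action 'none'",
].join("; ").freeze

# Content type derived from the extension alone, as the commit describes.
def content_type_for(filename)
  CONTENT_TYPES.fetch(File.extname(filename).downcase, "application/octet-stream")
end

# Headers a controller action would set for a raw wiki file response
# (hypothetical helper). The CSP is attached regardless of content type,
# so an uploaded .html or .svg file cannot run script even when rendered.
def wiki_file_headers(filename)
  {
    "Content-Type" => content_type_for(filename),
    "Content-Security-Policy" => WIKI_FILE_CSP,
  }
end

# Check used by the example below: true only if the policy explicitly sets
# both default-src and script-src to 'none'.
def csp_forbids_scripting?(headers)
  directives = headers["Content-Security-Policy"].to_s.split(";").map(&:strip)
  %w[default-src script-src].all? { |d| directives.include?("#{d} 'none'") }
end

if __FILE__ == $PROGRAM_NAME
  p wiki_file_headers("page.html")              # text/html, but inert under the CSP
  p csp_forbids_scripting?("Content-Type" => "text/html")  # false: no policy at all
end
```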