Sandbox box sand

2023-11-02 12:05:01 +01:00 · 2023-11-02 12:05:01 +01:00 · 625ab5171d
parent b1c84f2b4c
commit 625ab5171d
2 changed files with 2 additions and 1 deletions
--- a/infrastructure/web/views/layout.twig
+++ b/infrastructure/web/views/layout.twig
@ -4,6 +4,7 @@
    <title>{{ title }}</title>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, minimal-ui">
+    <meta http-equiv="Content-Security-Policy" content="script-src 'none'">
    <meta name="darkreader" content="stfu">

    <meta name="description" content="Dont give shady companies your real email. Use 48hr.email to protect your privacy!">
--- a/infrastructure/web/views/mail.twig
+++ b/infrastructure/web/views/mail.twig
@ -26,7 +26,7 @@
            srcdoc='html' seems like a very, very unsafe method to me, unfortunately I havent found a better solution.
        #}

-		<iframe srcdoc='{{ mail.html|replace({'<html>': '<html style="color: white"'}) }}'></iframe>
+		<iframe sandbox="allow-popups allow-popups-to-escape-sandbox" csp="script-src 'none'" srcdoc='{{ mail.html|replace({'<html>': '<html style="color: white"'}) }}'></iframe>
 	</div>
    {% elseif mail.textAsHtml %}
        <div class="mail_body">