fix(messages): sandbox rendered email HTML as extra XSS defence

The app-wide CSP already blocks inline script execution, but the HTML
preview iframe for a stored email was same-origin and un-sandboxed, and
the html_raw response had no per-action hardening. Add a sandbox on the
iframe and tighten the CSP on html_raw to script-src 'none' with
nosniff and no-referrer so the preview has defence in depth against a
future CSP bypass or regression.

Relates to GHSA-f6g9-8555-cw28.

app/controllers/messages_controller.rb

@@ -89,6 +89,18 @@ class MessagesController < ApplicationController
   end
 
   def html_raw
+    override_content_security_policy_directives(
+      default_src: %w('none'),
+      script_src: %w('none'),
+      style_src: %w('unsafe-inline'),
+      img_src: %w(* data:),
+      font_src: %w(*),
+      frame_ancestors: %w('self'),
+      form_action: %w('none'),
+      base_uri: %w('none')
+    )
+    response.headers["X-Content-Type-Options"] = "nosniff"
+    response.headers["Referrer-Policy"] = "no-referrer"
     render html: @message.html_body_without_tracking_image.html_safe
   end
 

app/views/messages/html.html.haml

@@ -14,4 +14,4 @@
         This means that we no longer store the raw data for this e-mail
         or the e-mail didn't include a HTML part.
 - else
-  %iframe{:width => "100%", :height => "100%", :src => html_raw_organization_server_message_path(organization, @server, @message.id)}
+  %iframe{:width => "100%", :height => "100%", :sandbox => "allow-popups allow-popups-to-escape-sandbox", :referrerpolicy => "no-referrer", :src => html_raw_organization_server_message_path(organization, @server, @message.id)}