Mirror of https://github.com/postalserver/postal.git, synced 2026-05-31 04:35:42 +00:00
Commit graph

3 commits

Author SHA1 Message Date
Adam Cooke
cad2aa6808 fix(messages): sandbox rendered email HTML as extra XSS defence
The app-wide CSP already blocks inline script execution, but the HTML
preview iframe for a stored email was same-origin and un-sandboxed, and
the html_raw response had no per-action hardening. Add a sandbox on the
iframe and tighten the CSP on html_raw to script-src 'none' with
nosniff and no-referrer so the preview has defence in depth against a
future CSP bypass or regression.

Relates to GHSA-f6g9-8555-cw28.
2026-04-24 22:12:27 +01:00
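The hardening described in the commit message above, as an added Ruby example that is not Postal's own code: it builds the response headers for a raw-HTML action, parses the Content-Security-Policy value to check that script-src is effectively 'none' (falling back to default-src the way browsers do), verifies the nosniff and no-referrer headers, and renders a sandboxed iframe that refuses the allow-scripts plus allow-same-origin combination, which would let framed content strip its own sandbox. Everything beyond script-src 'none', nosniff and no-referrer (the other CSP directives, the function names, the path /messages/1/html_raw) is an assumption for illustration.

```ruby
require "erb"

# Assumed policy for serving a stored email as raw HTML. Only script-src 'none'
# comes from the commit message; the other directives are illustrative choices
# (no scripts, images from https/data, inline styles so the mail still renders).
RAW_HTML_CSP = "default-src 'none'; script-src 'none'; img-src https: data:; style-src 'unsafe-inline'".freeze

# Response headers an html_raw-style action would set (hypothetical helper).
def raw_html_headers
  {
    "Content-Type" => "text/html; charset=utf-8",
    "Content-Security-Policy" => RAW_HTML_CSP,
    "X-Content-Type-Options" => "nosniff",   # stop browsers sniffing the body into another type
    "Referrer-Policy" => "no-referrer",      # don't leak the preview URL to images/links in the mail
  }
end

# Parse a CSP header value into { "directive" => ["source", ...] }.
def parse_csp(value)
  value.split(";").each_with_object({}) do |directive, policy|
    name, *sources = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    policy[name.downcase] = sources
  end
end

# script-src applies if present, otherwise default-src; nil means unrestricted.
def effective_script_src(policy)
  policy["script-src"] || policy["default-src"]
end

# True only when the policy forbids all script execution.
def blocks_scripts?(headers)
  csp = headers["Content-Security-Policy"]
  return false unless csp
  sources = effective_script_src(parse_csp(csp))
  !sources.nil? && sources.map(&:downcase) == ["'none'"]
end

# The per-action check a reviewer would want: CSP, nosniff and no-referrer all present.
def hardened_raw_response?(headers)
  blocks_scripts?(headers) &&
    headers["X-Content-Type-Options"].to_s.downcase == "nosniff" &&
    headers["Referrer-Policy"].to_s.downcase == "no-referrer"
end

# Granting both of these lets the framed document remove its own sandbox attribute.
UNSAFE_SANDBOX_COMBO = %w[allow-scripts allow-same-origin].freeze

# Render the preview iframe. An empty sandbox attribute applies every restriction:
# no scripts, no forms, and an opaque origin even though the src is same-site.
def sandboxed_iframe(src, allow: [])
  allow = allow.map(&:to_s)
  if (UNSAFE_SANDBOX_COMBO - allow).empty?
    raise ArgumentError, "allow-scripts with allow-same-origin defeats the sandbox"
  end
  %(<iframe sandbox="#{allow.join(' ')}" src="#{ERB::Util.html_escape(src)}"></iframe>)
end

if $PROGRAM_NAME == __FILE__
  puts hardened_raw_response?(raw_html_headers)          # expected: true
  puts sandboxed_iframe("/messages/1/html_raw")            # assumed preview path
end
```

The parser is deliberately strict: a policy whose script-src is 'self', or one that only sets default-src 'self', fails the check, because the preview origin itself serves the attacker-controlled email body. The iframe helper escapes the src so a message identifier cannot break out of the attribute.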
Adam Cooke
f6784238d3 a sad sad day in postal-land, no more puns. 2017-05-02 13:33:17 +01:00
Adam Cooke
2fdba0ceb5 initial commit from appmail 2017-04-19 13:07:25 +01:00