Mirror of
https://github.com/postalserver/postal.git
Synced 2026-05-31 04:35:42 +00:00
The app-wide CSP already blocks inline script execution, but the HTML preview iframe for a stored email was same-origin and un-sandboxed, and the html_raw response had no per-action hardening. Add a sandbox on the iframe and tighten the CSP on html_raw to script-src 'none' with nosniff and no-referrer so the preview has defence in depth against a future CSP bypass or regression. Relates to GHSA-f6g9-8555-cw28.
18 lines
865 B
Plaintext
- page_title << @server.name
- page_title << "Messages"
- page_title << "Message ##{@message.id}"
- page_title << "HTML"
= render 'servers/sidebar', :active_server => @server
= render 'servers/header', :active_nav => :messages
= render 'header', :active_nav => @message.scope.to_sym
= render 'message_header', :active_nav => :html
- if @message.html_body.blank?
  .pageContent.pageContent--compact
    .noData.noData--clean
      %h2.noData__title There's no HTML body for this message.
      %p.noData__text
        This means that we no longer store the raw data for this e-mail
        or the e-mail didn't include a HTML part.
- else
  %iframe{:width => "100%", :height => "100%", :sandbox => "allow-popups allow-popups-to-escape-sandbox", :referrerpolicy => "no-referrer", :src => html_raw_organization_server_message_path(organization, @server, @message.id)}
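The commit message describes two layers of hardening for the stored-email preview: the iframe above gets a `sandbox` without `allow-scripts` or `allow-same-origin` plus `referrerpolicy="no-referrer"`, and the `html_raw` action is meant to answer with `Content-Security-Policy: script-src 'none'`, `X-Content-Type-Options: nosniff` and `Referrer-Policy: no-referrer`. The following is an added example, not Postal's own controller code, showing a Rack-style `html_raw` response carrying those headers together with the checks a test suite or reviewer could run to confirm both layers are present. The exact CSP beyond `script-src 'none'`, the `/html_raw` path in the sample iframe tag, and all function names are assumptions made for the example.

```ruby
# Added example (not Postal's code): per-action headers for an untrusted
# HTML preview, and checks that verify the two defence-in-depth layers the
# commit describes (response headers on html_raw, sandbox on the iframe).

# Assumed CSP for the preview. Only "script-src 'none'" is taken from the
# commit message; the other directives are an assumption for the example.
PREVIEW_CSP = "default-src 'none'; script-src 'none'; img-src https: data:; style-src 'unsafe-inline'".freeze

# Rack-style triple for the html_raw action: the stored HTML is served as-is,
# but with headers that forbid script execution, MIME sniffing and referrer
# leakage even if the app-wide CSP were ever bypassed or regressed.
def html_raw_response(html)
  headers = {
    'Content-Type' => 'text/html; charset=utf-8',
    'Content-Security-Policy' => PREVIEW_CSP,
    'X-Content-Type-Options' => 'nosniff',
    'Referrer-Policy' => 'no-referrer',
  }
  [200, headers, [html]]
end

# Parse a CSP header into { directive => [source expressions] }.
def parse_csp(csp)
  csp.to_s.split(';').each_with_object({}) do |directive, out|
    name, *values = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    out[name.downcase] = values
  end
end

# True only if all three per-action protections are present on the response.
def preview_headers_hardened?(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  csp = parse_csp(h['content-security-policy'])
  csp['script-src'] == ["'none'"] &&
    h['x-content-type-options'].to_s.downcase == 'nosniff' &&
    h['referrer-policy'].to_s.downcase == 'no-referrer'
end

# Extract the sandbox token list from a rendered <iframe> tag.
# Returns nil when there is no sandbox attribute at all (un-sandboxed frame),
# [] for a bare `sandbox` attribute (fully restricted).
def sandbox_tokens(iframe_tag)
  m = iframe_tag.match(/\ssandbox(?:\s*=\s*"([^"]*)")?/i)
  return nil unless m
  m[1].to_s.downcase.split(/\s+/)
end

# The frame must be sandboxed, and must not grant allow-scripts or
# allow-same-origin: together those two let framed content remove its own
# sandbox, and either one alone weakens the isolation of an untrusted email body.
def iframe_sandboxed?(iframe_tag)
  tokens = sandbox_tokens(iframe_tag)
  return false if tokens.nil?
  !tokens.include?('allow-scripts') && !tokens.include?('allow-same-origin')
end

# Sandbox plus no-referrer policy, matching the attributes in the HAML above.
def iframe_hardened?(iframe_tag)
  iframe_sandboxed?(iframe_tag) &&
    iframe_tag.match?(/\sreferrerpolicy\s*=\s*"no-referrer"/i)
end

# Constructed sample: what the %iframe line in the view renders to.
# The src path is a placeholder, not Postal's real route.
PREVIEW_IFRAME = '<iframe width="100%" height="100%" ' \
                 'sandbox="allow-popups allow-popups-to-escape-sandbox" ' \
                 'referrerpolicy="no-referrer" src="/example/html_raw"></iframe>'.freeze

if __FILE__ == $PROGRAM_NAME
  _status, headers, _body = html_raw_response('<p>constructed sample body</p>')
  puts "html_raw headers hardened: #{preview_headers_hardened?(headers)}"
  puts "preview iframe hardened:   #{iframe_hardened?(PREVIEW_IFRAME)}"
end
```

The checks are deliberately strict about `script-src 'none'` rather than merely "some CSP present": the whole point of the per-action header is that it holds even when the app-wide policy is loosened or bypassed, so a test that accepts any policy would not catch the regression the commit is guarding against.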