-
Forbid scripting for wiki files · 1cda245cSean McGivern authored
Wiki files (not pages - files in the repo) are just sent to the browser with whatever content-type the mime_types gem assigns to them based on their extension. As this is from the same domain as the GitLab application, this is an XSS vulnerability. Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these files.
1cda245c
×