Skip to content

Fix attachment Content-Security-Policy#37455

Merged
silverwind merged 6 commits into
go-gitea:mainfrom
wxiaoguang:fix-attachment-csp
Apr 28, 2026
Merged

Fix attachment Content-Security-Policy#37455
silverwind merged 6 commits into
go-gitea:mainfrom
wxiaoguang:fix-attachment-csp

Conversation

@wxiaoguang

@wxiaoguang wxiaoguang commented Apr 27, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

See the comments. Others are not changed, only added a new rule for medias: serveHeaderCspMedia

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Apr 27, 2026
@wxiaoguang wxiaoguang force-pushed the fix-attachment-csp branch 3 times, most recently from 8d8c704 to 0e1d8f2 Compare April 27, 2026 15:02
@wxiaoguang wxiaoguang requested a review from Copilot April 27, 2026 15:03
@wxiaoguang wxiaoguang added the backport/v1.26 This PR should be backported to Gitea 1.26 label Apr 27, 2026
@wxiaoguang wxiaoguang added this to the 1.27.0 milestone Apr 27, 2026
Copilot AI reviewed Apr 27, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates how attachment-serving responses set Content-Security-Policy based on the served Content-Type, and adds tests to verify the new CSP selection behavior.

Changes:

  • Refactors header-setting logic into a helper that sets Content-Type-related headers and a CSP policy.
  • Introduces CSP variants for default, PDF, and audio/video content types.
  • Adds a unit test to validate CSP selection for several content types.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
modules/httplib/serve.go Introduces CSP constants and factors Content-Type/CSP header setting into a helper used by ServeSetHeaders.
modules/httplib/serve_test.go Adds a table-driven test for CSP selection and imports typesniffer for SVG MIME coverage.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread modules/httplib/serve.go Outdated
Comment thread modules/httplib/serve.go Outdated
Comment thread modules/httplib/serve.go Outdated
Comment thread modules/httplib/serve_test.go Outdated
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Apr 27, 2026
@wxiaoguang wxiaoguang requested a review from Copilot April 27, 2026 15:13
Copilot AI reviewed Apr 27, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@silverwind

silverwind commented Apr 27, 2026

Copy link
Copy Markdown
Member

Two minor nits, neither blocking:

  1. The new comment // "style-src" is for SVG inline styles (maybe) — the (maybe) understates it. style-src 'unsafe-inline' is a known requirement for SVG inline <style> rendering in this project, not speculation. Worth firming up the wording.

  2. TestServeSetHeaderContentRelated only asserts the CSP header. Since serveSetHeaderContentRelated also sets Content-Type (with the application/octet-stream default when empty) and X-Content-Type-Options: nosniff, it'd be good to assert those too — they're part of the helper's contract.

Reviewed by Claude Opus 4.7.

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Apr 27, 2026
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Apr 28, 2026
@silverwind silverwind enabled auto-merge (squash) April 28, 2026 01:08
@silverwind silverwind merged commit 15b23f0 into go-gitea:main Apr 28, 2026
26 checks passed
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Apr 28, 2026
@GiteaBot GiteaBot mentioned this pull request Apr 28, 2026
Merged
@GiteaBot GiteaBot added the backport/done All backports for this PR have been created label Apr 28, 2026
@wxiaoguang wxiaoguang deleted the fix-attachment-csp branch April 28, 2026 03:57
wxiaoguang added a commit that referenced this pull request Apr 28, 2026
@GiteaBot @wxiaoguang
Fix attachment Content-Security-Policy (#37455) (#37464)
7889983 
Backport #37455 by wxiaoguang

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
zjjhot added a commit to zjjhot/gitea that referenced this pull request Apr 29, 2026
@zjjhot
Merge branch 'main' into mainzjj
277bb5d 
* main:
  Add DEFAULT_TITLE_SOURCE setting for pull request title default behavior (go-gitea#37465)
  Fix compare dropdown for branches without common history (go-gitea#37470)
  FIX: URL sanitization to handle schemeless credentials (go-gitea#37440)
  Refactor pull request view (4) (go-gitea#37451)
  Fix scheduled action panic with null event payload (go-gitea#37459)
  Fix attachment Content-Security-Policy (go-gitea#37455)
  [skip ci] Updated translations via Crowdin
  Rename CurrentRefPath to CurrentRefSubURL (go-gitea#37453)
  Clean up org pages layout (go-gitea#37445)
  Fix script error alert (go-gitea#37458)
  Fix inconsistent disabled styling on logged-out repo header buttons (go-gitea#37406)
  Add API endpoint to reply to pull request review comments (go-gitea#36683)
  Add CurrentURL template variable back (go-gitea#37444)
AlexMikhalev added a commit to terraphim/gitea that referenced this pull request May 15, 2026
@AlexMikhalev
[ferrox] feat(security): centralise CSP for served content, exempt au…
abaf36e 
…dio/video

Adapt upstream commit 15b23f0 (go-gitea#37455) for the fork. The upstream commit
modifies modules/httplib/serve.go around upstream-only symbols
(`ContentDispositionType`, `encodeContentDisposition`,
`typesniffer.FromContentType`) that the fork has not absorbed; this is what
produced the Phase 3 cherry-pick cascade documented in
`.docs/blocker-12-pick7-cascade.md`.

This is a manual application (not `git cherry-pick`) that captures the
security intent without touching the `ContentDispositionType` refactor:

- Add three CSP constants: default sandbox, PDF (no sandbox), audio/video
  (empty -> header removed).
- Extract a `serveSetContentSecurityHeaders` helper that switches on the
  resolved Content-Type prefix.
- Call it from `ServeSetHeaders` so CSP applies to attachment-served content
  too, not only file-served content. This is a deliberate broadening that
  matches the upstream commit's intent.
- Exempt `audio/*` and `video/*` from the default `default-src 'none'; sandbox`
  policy. The upstream security fix: those types must not carry that policy
  because it breaks playback in some browsers, and audio/video bytes carry no
  executable surface.
- Drop the duplicate inline SVG/PDF CSP block from `setServeHeadersByFile`;
  CSP is now set downstream by `ServeSetHeaders` from the same resolved
  `opts.ContentType` that this function has just produced.

Tests:

- New `TestServeSetContentSecurityHeaders`: 10 table-driven cases covering
  empty/unknown content-type (default), SVG (default sandbox), HTML (default
  sandbox), `application/pdf` with and without charset (no sandbox),
  `audio/*` and `video/*` with and without codec parameters (header
  removed). Also asserts `serveHeaderCspDefault` still contains
  `"; sandbox"` to catch any silent weakening of the SVG sandbox.
- Existing `TestServeContentByReader` and `TestServeContentByReadSeeker`
  extended with a regression assertion: every served fixture now carries
  the default CSP header (the previous file-only path is gone).

Verification:

- `go test ./modules/httplib/...` -- green (all old tests + new
  TestServeSetContentSecurityHeaders pass).
- `go vet ./modules/httplib/...` -- green.
- `make lint-go` not run: local toolchain has go1.25.9 but golangci-lint
  v2.9.0 configuration targets go 1.26; this is an environment mismatch
  unrelated to this change. CI will run the lint with the correct toolchain.

Refs terraphim/gitea#17
Refs terraphim/gitea#12
Adapted-from: 15b23f0 (go-gitea#37455)
AlexMikhalev pushed a commit to terraphim/gitea that referenced this pull request May 15, 2026
[ferrox] fix(security): apply upstream attachment CSP fix 15b23f0
3a3e708 
Manual application of upstream commit 15b23f0 (go-gitea#37455).

The security content of this commit (CSP for served attachments with
audio/video exemption) was already applied in pick7 (abaf36e) but
cherry-pick failed due to missing prerequisite symbols
(ContentDispositionType, encodeContentDisposition) from upstream commit
bc5c554.

Changes:
- Align serveSetContentSecurityHeaders with upstream structure (if-else
  instead of switch)
- Update comments to mark as 'applied' instead of 'adapted'
- Add typesniffer.MimeTypeImageSvg test case (upstream coverage)

Refs terraphim/gitea#32
Adapted-from: 15b23f0 (go-gitea#37455)
eleboucher pushed a commit to eleboucher/apoci that referenced this pull request May 20, 2026
@eleboucher
fix(deps): update module code.gitea.io/gitea (v1.26.1 → v1.26.2) (#47)
ce5a949 
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [code.gitea.io/gitea](https://github.com/go-gitea/gitea) | `v1.26.1` → `v1.26.2` | ![age](https://developer.mend.io/api/mc/badges/age/go/code.gitea.io%2fgitea/v1.26.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/code.gitea.io%2fgitea/v1.26.1/v1.26.2?slim=true) |

---

### Release Notes

<details>
<summary>go-gitea/gitea (code.gitea.io/gitea)</summary>

### [`v1.26.2`](https://github.com/go-gitea/gitea/releases/tag/v1.26.2)

[Compare Source](go-gitea/gitea@v1.26.1...v1.26.2)

- SECURITY
  - fix(permissions): Fix reading permission ([#&#8203;37769](go-gitea/gitea#37769))
  - fix(actions): make artifact signature payloads unambiguous ([#&#8203;37707](go-gitea/gitea#37707))
  - fix: Unify public-only token filtering in API queries and repo access checks ([#&#8203;37118](go-gitea/gitea#37118))
  - fix: Add missed token scope checking ([#&#8203;37735](go-gitea/gitea#37735))
  - fix(oauth): bind token exchanges to the original client request ([#&#8203;37704](go-gitea/gitea#37704))
  - fix(oauth): strengthen PKCE validation and refresh token replay protection ([#&#8203;37706](go-gitea/gitea#37706))
  - fix(web): enforce token scopes on raw, media, and attachment downloads ([#&#8203;37698](go-gitea/gitea#37698))
  - fix(security): enforce wiki git writes and LFS token access at request time ([#&#8203;37695](go-gitea/gitea#37695))
  - feat(api): encrypt AWS creds ([#&#8203;37679](go-gitea/gitea#37679))
  - fix(deps): update dependency mermaid to v11.15.0 \[security], add e2e test
  - fix(packages): Add label for private and internal package and fix composor package source permission check ([#&#8203;37610](go-gitea/gitea#37610))
  - fix(git): Fix smart http request scope bug ([#&#8203;37583](go-gitea/gitea#37583))
  - Fix basic auth bug ([#&#8203;37503](go-gitea/gitea#37503))
  - Fix allow maintainer edit permission check ([#&#8203;37479](go-gitea/gitea#37479)) ([#&#8203;37484](go-gitea/gitea#37484))
  - Fix URL sanitization to handle schemeless credentials ([#&#8203;37440](go-gitea/gitea#37440)) ([#&#8203;37471](go-gitea/gitea#37471))
  - Fix attachment Content-Security-Policy ([#&#8203;37455](go-gitea/gitea#37455)) ([#&#8203;37464](go-gitea/gitea#37464))
  - chore(deps): bump go-git/go-git/v5 to 5.19.0 ([#&#8203;37608](go-gitea/gitea#37608))

- BUGFIXES
  - fix(pull): handle empty pull request files view to allow reviews ([#&#8203;37783](go-gitea/gitea#37783))
  - fix(markup): make RenderString never fail ([#&#8203;37779](go-gitea/gitea#37779))
  - fix: add natural sort to sortTreeViewNodes ([#&#8203;37772](go-gitea/gitea#37772))
  - fix: package creation unique conflict ([#&#8203;37774](go-gitea/gitea#37774))
  - fix!: add DEFAULT\_TITLE\_SOURCE setting for pull request title default behavior ([#&#8203;37465](go-gitea/gitea#37465))
  - fix: Allow direct commits for unprotected files with push restrictions ([#&#8203;37657](go-gitea/gitea#37657))
  - fix(actions): wrong assumption that run id always >= job id ([#&#8203;37737](go-gitea/gitea#37737))
  - fix(auth): set User-Agent on avatar fetch and sync avatar on link-account register ([#&#8203;37564](go-gitea/gitea#37564)) ([#&#8203;37588](go-gitea/gitea#37588))
  - fix(actions): deadlock between PrepareRunAndInsert and UpdateTaskByState ([#&#8203;37692](go-gitea/gitea#37692))
  - fix(repo): /generate must sync the branch table for the new repo ([#&#8203;37693](go-gitea/gitea#37693))
  - build: Fix snap build (1.26)
  - fix(actions): run TransferLogs on UpdateLog{Rows:\[], NoMore:true} ([#&#8203;37631](go-gitea/gitea#37631))
  - fix show correct mergebase
  - fix: make clone URL respect public URL detection setting ([#&#8203;37615](go-gitea/gitea#37615))
  - fix: "run as root" check ([#&#8203;37622](go-gitea/gitea#37622))
  - chore(deps): update dependency go to v1.26.3 ([#&#8203;37601](go-gitea/gitea#37601))
  - Compare dropdown fails when selecting branch with no common merge-base ([#&#8203;37470](go-gitea/gitea#37470))
  - fix: treat email addresses case-insensitively ([#&#8203;37600](go-gitea/gitea#37600))
  - fix(actions): fix blank lines after ::endgroup:: ([#&#8203;37597](go-gitea/gitea#37597))
  - fix(actions): report individual step status in workflow job API response ([#&#8203;37592](go-gitea/gitea#37592))
  - fix: Invalid UTF-8 commit messages in JSON API responses ([#&#8203;37542](go-gitea/gitea#37542))
  - fix: use consistent GetUser family functions ([#&#8203;37553](go-gitea/gitea#37553))
  - fix(api): return 409 message instead of empty JSON for wrong commit id ([#&#8203;37572](go-gitea/gitea#37572))
  - fix(actions): prevent panic when workflow contains null jobs ([#&#8203;37570](go-gitea/gitea#37570))
  - Make ServeSetHeaders default to download attachment if filename exists ([#&#8203;37552](go-gitea/gitea#37552)) ([#&#8203;37555](go-gitea/gitea#37555))
  - Fix(actions): validate workflow param to prevent 500 error ([#&#8203;37546](go-gitea/gitea#37546)) ([#&#8203;37554](go-gitea/gitea#37554))
  - Don't unblock run-level-concurrency-blocked runs in the resolver ([#&#8203;37461](go-gitea/gitea#37461)) ([#&#8203;37538](go-gitea/gitea#37538))
  - Fix(packages): use file names for generic web downloads ([#&#8203;37514](go-gitea/gitea#37514)) ([#&#8203;37520](go-gitea/gitea#37520))
  - Fix merge autodetect can't close other PRs but only the last one when multiple PRs are pushed at once ([#&#8203;37512](go-gitea/gitea#37512)) ([#&#8203;37516](go-gitea/gitea#37516))
  - Fix update branch protection order ([#&#8203;37508](go-gitea/gitea#37508)) ([#&#8203;37513](go-gitea/gitea#37513))
  - Fix mCaptcha broken after Vite migration ([#&#8203;37492](go-gitea/gitea#37492)) ([#&#8203;37509](go-gitea/gitea#37509))
  - Fix review submission from single-commit PR view ([#&#8203;37475](go-gitea/gitea#37475)) ([#&#8203;37485](go-gitea/gitea#37485))
  - Fix scheduled action panic with null event payload ([#&#8203;37459](go-gitea/gitea#37459)) ([#&#8203;37466](go-gitea/gitea#37466))
  - Make GetPossibleUserByID can handle deleted user ([#&#8203;37430](go-gitea/gitea#37430)) ([#&#8203;37431](go-gitea/gitea#37431))
  - Remove excessive quote from terraform instructions ([#&#8203;37424](go-gitea/gitea#37424)) ([#&#8203;37426](go-gitea/gitea#37426))
  - Fix color regressions, add `priority` color ([#&#8203;37417](go-gitea/gitea#37417)) ([#&#8203;37421](go-gitea/gitea#37421))

- MISC
  - Add CurrentURL template variable back ([#&#8203;37444](go-gitea/gitea#37444)) ([#&#8203;37449](go-gitea/gitea#37449))

Instances on **[Gitea Cloud](https://cloud.gitea.com)** will be automatically upgraded to this version during the specified maintenance window.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjEwMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJ0eXBlL3BhdGNoIl19-->

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/apoci/pulls/47
This was referenced Jun 8, 2026
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@silverwind silverwind silverwind approved these changes

@bircni bircni bircni approved these changes

Assignees

No one assigned

Labels

backport/done All backports for this PR have been created backport/v1.26 This PR should be backported to Gitea 1.26 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore.

Projects

None yet

Milestone

1.27.0

Development

Successfully merging this pull request may close these issues.

6 participants

@wxiaoguang @silverwind @bircni @lunny @GiteaBot