From a5639bf5f6261b2834e27b60159caad522703a06 Mon Sep 17 00:00:00 2001
From: Denis Kasak
Date: Fri, 23 Jul 2021 15:40:09 +0200
Subject: [PATCH 1/2] Mitigate media repo XSSs on IE11.

IE11 doesn't support Content-Security-Policy but it has support for a non-standard X-Content-Security-Policy header, which only supports the sandbox directive. This prevents script execution, so it at least offers some protection against media repo-based attacks.

Signed-off-by: Denis Kasak
---
 synapse/rest/media/v1/download_resource.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/synapse/rest/media/v1/download_resource.py b/synapse/rest/media/v1/download_resource.py
index cd2468f9c59a..d6d938953e44 100644
--- a/synapse/rest/media/v1/download_resource.py
+++ b/synapse/rest/media/v1/download_resource.py
@@ -49,6 +49,8 @@ async def _async_render_GET(self, request: Request) -> None:
 b" media-src 'self';"
 b" object-src 'self';",
 )
+ # Limited non-standard form of CSP for IE11
+ request.setHeader(b"X-Content-Security-Policy", b"sandbox;")
 request.setHeader(
 b"Referrer-Policy",
 b"no-referrer",

From c7a1ae22fd7b0822297c67c91d7806d9a8c44066 Mon Sep 17 00:00:00 2001
From: Denis Kasak
Date: Fri, 23 Jul 2021 16:16:44 +0200
Subject: [PATCH 2/2] Add changelog entry.

---
 changelog.d/10468.misc | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/10468.misc

diff --git a/changelog.d/10468.misc b/changelog.d/10468.misc
new file mode 100644
index 000000000000..b9854bb4c16c
--- /dev/null
+++ b/changelog.d/10468.misc
@@ -0,0 +1 @@
+Mitigate media repo XSS attacks on IE11 via the non-standard X-Content-Security-Policy header.
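Review bot: The comment above the new `X-Content-Security-Policy` line says only "Limited non-standard form of CSP for IE11", which does not record why the value is a bare `sandbox;` rather than a copy of the full policy set in the `Content-Security-Policy` header just above it, so a later maintainer may "fix" it by mirroring that policy, which IE10/11 would silently ignore. Suggest expanding it to `# IE10/11 ignore Content-Security-Policy but honour the non-standard X-Content-Security-Policy header, and only its 'sandbox' directive: it blocks script execution and treats the response as a unique origin. It does not restrict sub-resource fetches, so the standard CSP above remains the primary control.` Because the header is set only in this GET handler, it is worth checking whether other media-serving paths (thumbnails, or any shared header helper) should emit it as well; that cannot be judged from this hunk. A test asserting the header is present on a media download response would pin the behaviour so it is not lost in a later refactor of the header block. `_async_render_GET` begins and ends outside the hunk.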