
Fixes #22480: Revert forced handling of image attachments as downloads (#22493)

Jeremy Stretch 2 settimane fa
parent
commit
e92367b3f6
2 ha cambiato i file con 6 aggiunte e 6 eliminazioni
  1. 4 4
      netbox/netbox/tests/test_views.py
  2. 2 2
      netbox/netbox/views/misc.py

+ 4 - 4
netbox/netbox/tests/test_views.py

@@ -124,8 +124,8 @@ class MediaViewTestCase(TestCase):
         with patch('netbox.views.misc.serve', return_value=HttpResponse(status=200)):
             response = self.client.get(url)
         self.assertHttpStatus(response, 200)
-        self.assertEqual(response['Content-Disposition'], 'attachment')
-        self.assertEqual(response['X-Content-Type-Options'], 'nosniff')
+        self.assertEqual(response['Content-Security-Policy'], "sandbox; default-src 'none'")
+        self.assertEqual(response['X-Content-Type-Options'], "nosniff")
 
     def test_image_attachment_without_permission(self):
         url = reverse('media', kwargs={'path': self.image_attachment.image.name})
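Review bot: The updated assertions here, and the identical pair in the next hunk (at -145), check the new headers but never pin the behaviour this commit restores: that the response is no longer forced to download. Because `serve` is patched to return a bare `HttpResponse`, any `Content-Disposition` header can only come from the view, so adding `self.assertNotIn('Content-Disposition', response)` after the CSP assertion would fail if the attachment header were reintroduced. The change from `'nosniff'` to `"nosniff"` is unrelated quote churn; the single-quoted form matches the surrounding lines. The test method these assertions belong to starts above the hunk.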
@@ -145,8 +145,8 @@ class MediaViewTestCase(TestCase):
         with patch('netbox.views.misc.serve', return_value=HttpResponse(status=200)):
             response = self.client.get(url)
         self.assertHttpStatus(response, 200)
-        self.assertEqual(response['Content-Disposition'], 'attachment')
-        self.assertEqual(response['X-Content-Type-Options'], 'nosniff')
+        self.assertEqual(response['Content-Security-Policy'], "sandbox; default-src 'none'")
+        self.assertEqual(response['X-Content-Type-Options'], "nosniff")
 
     def test_device_type_without_permission(self):
         url = reverse('media', kwargs={'path': self.device_type.front_image.name})

+ 2 - 2
netbox/netbox/views/misc.py

@@ -159,6 +159,6 @@ class MediaView(TokenConditionalLoginRequiredMixin, View):
                 raise Http404
 
         response = serve(request, path, document_root=settings.MEDIA_ROOT)
-        response['Content-Disposition'] = 'attachment'
-        response['X-Content-Type-Options'] = 'nosniff'
+        response['Content-Security-Policy'] = "sandbox; default-src 'none'"
+        response['X-Content-Type-Options'] = "nosniff"
         return response
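Review bot: Missing comment: the `Content-Security-Policy` line now carries the whole reason it is safe to render uploaded media inline, and nothing next to it says so. I would add above it `# Render inline but sandboxed: no script execution, opaque origin, no subresource loads`, so that a later edit does not relax the policy without realising it replaced `Content-Disposition: attachment`. Unlike the old header, this protection depends on the browser enforcing CSP. If paths under `MEDIA_ROOT` can hold content other than raster images (not visible in this hunk), that trade-off is worth confirming. The method body starts above the hunk.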