[5.x] Add CSP header to svg route (#14325)

jasonvarga · web-flow · commit 3eaa80c92962 · 2026-03-23T17:57:32.000-04:00
diff --git a/src/Http/Controllers/CP/Assets/SvgController.php b/src/Http/Controllers/CP/Assets/SvgController.php
@@ -21,7 +21,9 @@ public function show($asset)
 
         $this->authorize('view', $asset);
 
-        return response($contents)->header('Content-Type', 'image/svg+xml');
+        return response($contents)
+            ->header('Content-Type', 'image/svg+xml')
+            ->header('Content-Security-Policy', "script-src 'none'");
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,9 @@ public function show($asset)`
`21`	`21`
`22`	`22`	`$this->authorize('view', $asset);`
`23`	`23`
`24`		`- return response($contents)->header('Content-Type', 'image/svg+xml');`
	`24`	`+ return response($contents)`
	`25`	`+ ->header('Content-Type', 'image/svg+xml')`
	`26`	`+ ->header('Content-Security-Policy', "script-src 'none'");`
`25`	`27`	`}`
`26`	`28`
`27`	`29`	`/**`