From 3d576cd06b7e1947017ee7a88c4617c10f3b86fe Mon Sep 17 00:00:00 2001
From: Nicolas Dorier
Date: Thu, 26 Jan 2023 19:12:06 +0900
Subject: [PATCH] Fix XSS on uploaded files to the file storage (#4567)

---
 BTCPayServer/Storage/StorageExtensions.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/BTCPayServer/Storage/StorageExtensions.cs b/BTCPayServer/Storage/StorageExtensions.cs
index bfc8b1436..cb91b93c2 100644
--- a/BTCPayServer/Storage/StorageExtensions.cs
+++ b/BTCPayServer/Storage/StorageExtensions.cs
@@ -75,6 +75,7 @@ namespace BTCPayServer.Storage
 {
 context.Context.Response.Headers["Content-Disposition"] = "attachment";
 }
+context.Context.Response.Headers["Content-Security-Policy"] = "script-src 'self'";
 };
 }
 }
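Review bot: The added `script-src 'self'` policy still permits scripts loaded from the same origin, so if user-uploaded files are served from the application's own origin (which the hunk does not show either way), an uploaded HTML file can still load an uploaded `.js` file next to it and the XSS the commit title names is only narrowed, not closed. A policy that does not depend on origin is more robust for an untrusted-upload endpoint, e.g. `context.Context.Response.Headers["Content-Security-Policy"] = "default-src 'none'; sandbox";`, which also blocks forms, frames and plugins in addition to script execution. A short comment on the new line explaining why the header is set on every file response, including those already forced to `attachment` by the `if` above, would help the next maintainer, since the header is currently applied unconditionally. The enclosing `OnPrepareResponse`-style lambda and its condition begin outside the hunk, so whether the `attachment` branch covers HTML content types cannot be confirmed from here.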