matrix-org / matrix-hookshot

A bridge between Matrix and multiple project management services, such as GitHub, GitLab and JIRA.
https://matrix-org.github.io/matrix-hookshot/
Apache License 2.0
Apply CSPs to generic hook responses. #926

Closed Half-Shot closed 2 months ago

Half-Shot commented 2 months ago

A generic hook could potentially return a valid HTML document provided both enableHttpGet and JS functions are enabled. This isn't bad in itself but being able to execute JS is not really a useful feature.
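An added example, not part of the original issue and not matrix-hookshot's own code: one way to attach a restrictive Content-Security-Policy to a hook response, plus a check that reports whether a set of response headers would still let a browser run script. The policy string and the names `HOOK_RESPONSE_CSP`, `hardenHookResponse`, `parseCsp` and `canExecuteScript` are assumptions made for illustration.

```typescript
// Added example, not matrix-hookshot code. The policy string is an assumption
// chosen for illustration; header and directive names are standard CSP.
type HeaderMap = Record<string, string>;

const HOOK_RESPONSE_CSP = "default-src 'none'; sandbox; frame-ancestors 'none'";

// Return a copy of the response headers with the restrictive policy applied.
function hardenHookResponse(headers: HeaderMap): HeaderMap {
  return {
    ...headers,
    "Content-Security-Policy": HOOK_RESPONSE_CSP,
    "X-Content-Type-Options": "nosniff",
  };
}

// Parse a CSP header value into directive name -> source list.
function parseCsp(value: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter((t) => t !== "");
    if (name === undefined) continue;
    // A repeated directive is ignored: the first occurrence wins.
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// True if a browser rendering the body as HTML could run script under these
// headers. Simplified: one CSP header, no script-src-elem/attr handling.
function canExecuteScript(headers: HeaderMap): boolean {
  const name = Object.keys(headers).find((k) => k.toLowerCase() === "content-security-policy");
  if (name === undefined) return true; // no policy at all
  const csp = parseCsp(headers[name] ?? "");
  const sandbox = csp.get("sandbox");
  if (sandbox && !sandbox.some((t) => t.toLowerCase() === "allow-scripts")) return false;
  const sources = csp.get("script-src") ?? csp.get("default-src");
  if (sources === undefined) return true; // script loading is unrestricted
  // An empty list or 'none' matches nothing, so no script may load.
  return !sources.every((s) => s.toLowerCase() === "'none'");
}
```

The same check can be run in a test suite against the headers a hook endpoint actually returns, so a regression that drops the policy fails the build.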