From 0a881b7edb0ed535680cc9c98ed72a392f23a788 Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Mon, 10 Dec 2018 16:24:32 +0000
Subject: [PATCH 1/2] Add 'sandbox' to the CSP for media repo

---
 synapse/rest/media/v1/download_resource.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/synapse/rest/media/v1/download_resource.py b/synapse/rest/media/v1/download_resource.py
index f911b120b154..bdc5daecc1d5 100644
--- a/synapse/rest/media/v1/download_resource.py
+++ b/synapse/rest/media/v1/download_resource.py
@@ -48,7 +48,8 @@ def _async_render_GET(self, request):
         set_cors_headers(request)
         request.setHeader(
             b"Content-Security-Policy",
-            b"default-src 'none';"
+            b"sandbox;"
+            b" default-src 'none';"
             b" script-src 'none';"
             b" plugin-types application/pdf;"
             b" style-src 'unsafe-inline';"

From 4239bd20482ca67d6522b3882c269f372640e15f Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Mon, 10 Dec 2018 16:26:34 +0000
Subject: [PATCH 2/2] Changelog

---
 changelog.d/4284.bugfix | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/4284.bugfix

diff --git a/changelog.d/4284.bugfix b/changelog.d/4284.bugfix
new file mode 100644
index 000000000000..4a9478fa2818
--- /dev/null
+++ b/changelog.d/4284.bugfix
@@ -0,0 +1 @@
+Add 'sandbox' to CSP for media reprository