Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion app/d/[slug]/CommentsShell.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -803,7 +803,7 @@ export default function CommentsShell(props: Props) {
ref={iframeRef}
title={title}
src={rawSrc}
sandbox="allow-scripts"
sandbox="allow-scripts allow-downloads"
referrerPolicy="no-referrer"
style={{ border: "none", width: "100%", height: "100%", display: "block", background: "var(--jh-stage-bg, #fff)" }}
/>
Expand Down
9 changes: 5 additions & 4 deletions app/d/[slug]/raw/route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -15,9 +15,10 @@ type Ctx = { params: Promise<{ slug: string }> };
// can never execute same-origin with our auth/session surface (birthday.md "The
// one security decision that matters").
//
// Content-Security-Policy: sandbox allow-scripts → the response is treated as
// a unique opaque origin; scripts run but cannot read our cookies / tokens or
// reach our origin's storage.
// Content-Security-Policy: sandbox allow-scripts allow-downloads → the response
// is treated as a unique opaque origin; scripts run and user-initiated file
// downloads work, but the document cannot read our cookies / tokens or reach
// our origin's storage.
// X-Content-Type-Options: nosniff → no MIME sniffing.
//
// Directly linkable for zero-chrome viewing; same token rules as /d/:slug.
Expand Down Expand Up @@ -97,7 +98,7 @@ export async function GET(req: Request, ctx: Ctx): Promise<Response> {
status: 200,
headers: {
"Content-Type": "text/html; charset=utf-8",
"Content-Security-Policy": "sandbox allow-scripts",
"Content-Security-Policy": "sandbox allow-scripts allow-downloads",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Downloads blocked in Firefox

Medium Severity

Firefox still does not honor allow-downloads on the CSP sandbox directive (open Bugzilla 1653678). Hosted docs are constrained by both the iframe sandbox and the /raw CSP, and those flag sets combine as a union, so the CSP layer can keep downloads blocked in Firefox even though the iframe token is present. Chromium/WebKit are fine; the shell viewer path is the one that breaks for Firefox users.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 7e68914. Configure here.

"X-Content-Type-Options": "nosniff",
// Never cache private content at shared caches; tokens are capability URLs.
"Cache-Control": "private, no-store",
Expand Down
Loading