Provide different CSP policy for private files

Created on 4 August 2020, almost 4 years ago
Updated 19 January 2024, 5 months ago

Problem/Motivation

The generated policy for page responses is likely too lenient for private files.

e.g. SVGs should likely be restricted from loading any external resources by default.

Proposed resolution

Send a different header value either on BinaryFileResponse instances or on responses to the system.private_file_download route.

User interface changes

a) Provide an option (enabled by default) to add a hard-coded policy to all file responses. Values could be set for different mime-types in settings.php
b) Provide a single text field (or two, for report-only and enforced) to set a policy
c) Provide the same, full configuration interface as page responses (without values for CSS and JS from libraries)
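As an added example (not code from the csp module or this issue), a Drupal event subscriber implementing the proposed resolution with option (a): on BinaryFileResponse instances and on the system.private_file_download route it replaces the page policy with a hard-coded, per-MIME-type policy that a site can override from settings.php. The module name csp_file_policy, the setting key csp_file_policies, the policy values and the subscriber priority are assumptions; the class must be registered in the module's *.services.yml with the event_subscriber tag.

```php
<?php

namespace Drupal\csp_file_policy\EventSubscriber;

use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\Core\Site\Settings;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class PrivateFileCspSubscriber implements EventSubscriberInterface {

  // Per-MIME-type fallback policies (constructed values). A site may override
  // them with $settings['csp_file_policies'] in settings.php, as in option (a).
  const DEFAULT_POLICIES = [
    // SVG can embed scripts and fetch remote images or fonts: forbid all
    // fetches, keep only the inline styles most SVGs need, sandbox the document.
    'image/svg+xml' => "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    // Any other private file gets a deny-everything policy.
    '*' => "default-src 'none'; sandbox",
  ];

  public function __construct(protected RouteMatchInterface $routeMatch) {}

  public static function getSubscribedEvents(): array {
    // Negative priority (assumed) so this runs after the csp module's own
    // response subscriber and the file-specific header wins.
    return [KernelEvents::RESPONSE => ['onResponse', -10]];
  }

  public function onResponse(ResponseEvent $event): void {
    $response = $event->getResponse();
    // Only file downloads: a BinaryFileResponse, or the core private file route.
    $isFile = $response instanceof BinaryFileResponse
      || $this->routeMatch->getRouteName() === 'system.private_file_download';
    if (!$event->isMainRequest() || !$isFile) {
      return;
    }
    $policies = Settings::get('csp_file_policies', []) + self::DEFAULT_POLICIES;
    // Normalise "image/svg+xml; charset=utf-8" to the bare MIME type.
    $mime = strtolower(trim(explode(';', (string) $response->headers->get('Content-Type'))[0]));
    // Replace rather than merge: the page policy's library sources do not apply here.
    $response->headers->set('Content-Security-Policy', $policies[$mime] ?? $policies['*']);
    $response->headers->remove('Content-Security-Policy-Report-Only');
  }

}
```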

✨ Feature request
Status

Active

Version

2.0

Component

Code

Created by

🇨🇦 Canada gapple

