M ui-blob.c → ui-blob.c

@@ -166,6 +166,9 @@ ctx.page.mimetype = "application/octet-stream";
 	else
 		ctx.page.mimetype = "text/plain";
 	ctx.page.filename = path;
+
+	html("X-Content-Type-Options: nosniff\n");
+	html("Content-Security-Policy: default-src 'none'\n");
 	cgit_print_http_headers();
 	html_raw(buf, size);
 	free(buf);