internal: add CSP header to files in /media (cherry-pick #12092)

[gcp-cherry-pick-bot]

Cherry-picked internal: add CSP header to files in /media (#12092)

add CSP header to files in /media

This fixes a security issue of stored cross-site scripting via embedding
JavaScript in SVG files by a malicious user with can_save_media
capability.

This can be exploited if:

• the uploaded file is served from the same origin as authentik, and
• the user opens the uploaded file directly in their browser

Co-authored-by: Jens L. jens@goauthentik.io

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	6be59a7
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-docs/deploys/673eec51a1380a0007d0d739
😎 Deploy Preview	https://deploy-preview-12108--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.67%. Comparing base (f8015fc) to head (6be59a7).
Report is 1 commits behind head on version-2024.10.

✅ All tests successful. No failed tests found.

Additional details and impacted files

@@                 Coverage Diff                 @@
##           version-2024.10   #12108      +/-   ##
===================================================
+ Coverage            92.66%   92.67%   +0.01%     
===================================================
  Files                  761      761              
  Lines                37863    37863              
===================================================
+ Hits                 35085    35090       +5     
+ Misses                2778     2773       -5     

Flag	Coverage Δ
e2e	49.28% <ø> (+0.01%)	⬆️
integration	24.89% <ø> (ø)
unit	90.17% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

---

🚨 Try these New Features:

• JS Bundle Analysis - Avoid shipping oversized bundles

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-6be59a78dd9174a7dc8aa9bbc8b3929cec5142ea
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-6be59a78dd9174a7dc8aa9bbc8b3929cec5142ea-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-6be59a78dd9174a7dc8aa9bbc8b3929cec5142ea

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-6be59a78dd9174a7dc8aa9bbc8b3929cec5142ea-arm64

Afterwards, run the upgrade commands from the latest release notes.