Function of com.glide.csp.self_script_src_svg
10-11-2024 04:34 AM
What is the function of the com.glide.csp.self_script_src_svg property, and how can we accurately verify whether the property is working fine?
Additionally, what are the implications of enabling/disabling this property?
10-11-2024 07:06 AM
When I said loading I was referring to external SVG images that you load into the instance, not the OOB ones. The vulnerability that was fixed was part of loading an external SVG image.
10-13-2024 10:32 PM - edited 10-13-2024 10:47 PM
I have tried loading an external SVG image into the images table as well, both when the property was true and when it was false; in both cases I am able to load the images into the ServiceNow instance. Please let me know how I can accurately validate this property, as this method is not working in my PDI.
10-14-2024 12:45 AM
Hi @VibhaSastry
The vulnerability referred to a way of crafting JavaScript inside the SVG image that would be executed when the image is rendered in ServiceNow; therefore loading a normal SVG image would work irrespective of the property value. I cannot disclose the full vulnerability.
10-14-2024 04:08 AM
If I enable the property, how can I unit test?
10-17-2024 01:03 AM
I cannot tell you how to unit test since I cannot disclose the full vulnerability as I mentioned before.
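Since the thread never settles how to check the property, here is one way to verify a CSP-related property without knowing the undisclosed payload: capture the Content-Security-Policy header the instance returns for an SVG with the property true, capture it again with the property false, and compare the effective script-src. This is an added example, not code from the thread or from ServiceNow. It assumes, from the property's name only, that com.glide.csp.self_script_src_svg changes the script-src directive of the CSP header sent with SVG content; the thread does not confirm that. The two sample headers are constructed for illustration and are not captured from an instance; fetchCspHeader, its cookie parameter, and the URL you would pass it are hypothetical.

```javascript
// Added example: compare the Content-Security-Policy an instance sends before
// and after toggling a property such as com.glide.csp.self_script_src_svg.
// Assumption (not confirmed by the thread): the property changes the script-src
// directive on the CSP header returned with SVG content. The sample headers
// below are constructed for illustration; they are not captured from ServiceNow.

// Constructed sample headers standing in for "property on" / "property off".
const SAMPLE_PERMISSIVE = "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'";
const SAMPLE_RESTRICTIVE = "default-src 'self'; img-src 'self' data:; script-src 'none'";

// Parse a CSP header value into a Map of directive name -> array of source expressions.
// A duplicated directive is ignored after its first occurrence, as browsers do.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of String(header || '').split(';')) {
    const part = raw.trim();
    if (!part) continue;
    const [name, ...sources] = part.split(/\s+/);
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// The source list that governs scripts: script-src, else default-src, else null
// (meaning the header places no restriction on script execution at all).
function effectiveScriptSrc(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Summarise what a header allows for scripts. 'unsafe-inline' is ignored by
// CSP3-aware browsers when a nonce or hash source is also present, so inline
// is only reported as allowed when no nonce/hash is listed.
function summarizeScriptPolicy(header) {
  const sources = effectiveScriptSrc(parseCsp(header));
  if (sources === null) {
    return { restricted: false, allowsSelf: true, allowsInline: true, sources: [] };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
  return {
    restricted: true,
    allowsSelf: lower.includes("'self'"),
    allowsInline: lower.includes("'unsafe-inline'") && !hasNonceOrHash,
    sources,
  };
}

// Diff the effective script-src between two captured headers: what the
// property toggle added to, and removed from, the script source list.
function compareScriptSrc(beforeHeader, afterHeader) {
  const before = effectiveScriptSrc(parseCsp(beforeHeader)) || [];
  const after = effectiveScriptSrc(parseCsp(afterHeader)) || [];
  return {
    added: after.filter((s) => !before.includes(s)),
    removed: before.filter((s) => !after.includes(s)),
  };
}

// Live capture (Node 18+ global fetch). Hypothetical usage: pass the URL of an
// SVG served by the instance and an authenticated session cookie; run once with
// the property true and once with it false, then feed both values to
// compareScriptSrc. Not executed here because it needs a real instance.
async function fetchCspHeader(url, cookie) {
  const res = await fetch(url, { headers: cookie ? { cookie } : {}, redirect: 'manual' });
  return res.headers.get('content-security-policy');
}

console.log(summarizeScriptPolicy(SAMPLE_PERMISSIVE));
console.log(summarizeScriptPolicy(SAMPLE_RESTRICTIVE));
console.log(compareScriptSrc(SAMPLE_PERMISSIVE, SAMPLE_RESTRICTIVE));
```

The check only tells you whether the header changed and in what direction; it does not prove the original issue is fixed, which is why the responder above declines to give a unit test. If the two captures are identical, either the property does not affect the header on the response you fetched (try the raw SVG URL rather than a page that embeds it) or the instance is caching the response.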