Restrict Downloadable MIME types [Updated in Security Center 1.3]

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 1 minute to read
The glide.ui.attachment.download_mime_types property forces the specified list of dangerous file types to be downloaded to the client rather than viewed inline in the browser.

If a file's MIME type is present in the glide.ui.attachment.download_mime_types list, a download is forced. For example, listing text/html forces an HTML attachment to be downloaded to the client as a file rather than rendered inline in the browser, which prevents the attachment's script content from executing in the instance's origin (an XSS attack).
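The decision described above, as an added illustrative example in plain JavaScript; this is not ServiceNow platform code. The function names, the assumption that list entries are matched case-insensitively against the media type with any parameters (such as charset) stripped, and the response headers chosen are all assumptions made for the illustration. The recommended property value is the one documented for this property. A small audit function at the end reports which recommended types an instance's configured value omits.

```javascript
// Added example (not ServiceNow platform code): a plain-JavaScript model of
// how a "force download" MIME list such as
// glide.ui.attachment.download_mime_types decides whether an attachment is
// served inline or as a download. Parsing rules, function names and header
// choices below are assumptions for illustration, not the platform's code.

// Recommended value taken from the property documentation.
const RECOMMENDED_DOWNLOAD_MIME_TYPES =
  "text/html,image/svg,image/svg+xml,application/xml";

// Parse the comma-separated property value into a normalised Set.
// Whitespace around entries and letter case are ignored (assumption).
function parseMimeList(propertyValue) {
  return new Set(
    String(propertyValue || "")
      .split(",")
      .map((entry) => entry.trim().toLowerCase())
      .filter((entry) => entry.length > 0)
  );
}

// Reduce a Content-Type value to its media type, dropping parameters:
// "text/html; charset=utf-8" -> "text/html". Without this step a
// parameter appended to the type would defeat a plain string comparison.
function baseMimeType(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// True when the attachment must be downloaded rather than rendered inline.
function shouldForceDownload(propertyValue, contentType) {
  return parseMimeList(propertyValue).has(baseMimeType(contentType));
}

// Build response headers for serving an attachment. Forced types get
// Content-Disposition: attachment so the browser never renders them in the
// instance's origin; nosniff stops the browser second-guessing the type.
function attachmentHeaders(propertyValue, contentType, fileName) {
  const forced = shouldForceDownload(propertyValue, contentType);
  // Replace characters that could break out of the quoted filename.
  const safeName = String(fileName).replace(/["\\\r\n]/g, "_");
  return {
    "Content-Type": contentType,
    "Content-Disposition":
      (forced ? "attachment" : "inline") + '; filename="' + safeName + '"',
    "X-Content-Type-Options": "nosniff",
  };
}

// Configuration audit: which recommended types are absent from a configured
// property value? An empty array means the value is at least as strict as
// the recommendation.
function missingRecommendedTypes(propertyValue) {
  const configured = parseMimeList(propertyValue);
  return [...parseMimeList(RECOMMENDED_DOWNLOAD_MIME_TYPES)].filter(
    (type) => !configured.has(type)
  );
}

// Constructed sample attachments (not real instance data).
const SAMPLE_ATTACHMENTS = [
  { name: "report.html", type: "text/html; charset=utf-8" },
  { name: "logo.svg", type: "image/svg+xml" },
  { name: "photo.png", type: "image/png" },
  { name: "invoice.pdf", type: "application/pdf" },
];

for (const att of SAMPLE_ATTACHMENTS) {
  const h = attachmentHeaders(RECOMMENDED_DOWNLOAD_MIME_TYPES, att.type, att.name);
  console.log(att.name.padEnd(14), "->", h["Content-Disposition"]);
}

// A weakened configuration: SVG and XML attachments would render inline again.
console.log("missing from 'text/html':", missingRecommendedTypes("text/html"));
```

With the recommended value, report.html and logo.svg are served with `Content-Disposition: attachment`, while photo.png and invoice.pdf stay inline. Run the audit function against the value exported from /sys_properties_list.do to confirm nothing from the recommended list has been dropped.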

To view a listing of existing MIME types, type /sys_attachment_icon_rule_list.do. You can enable any of these MIME types to meet the security compliance requirements within the ServiceNow AI Platform.

Note: The security_admin role is required to edit the property.

More information

| Attribute | Description |
| --- | --- |
| Property name | glide.ui.attachment.download_mime_types |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Validation, sanitization, and encoding |
| Purpose | Properly maintaining the list of dangerous file types that cannot be viewed in the browser prevents cross-site scripting (XSS) attacks. |
| Recommended value | List of applicable MIME types or the recommended value: text/html,image/svg,image/svg+xml,application/xml |
| Default value | List of applicable MIME types for the default value: text/html,image/svg,image/svg+xml,application/xml |
| Configuration type | String: any comma-separated list of application MIME types. |
| Functional impact | This remediation enforces validation checks before an action is performed when you click an attachment in a ServiceNow AI Platform application. There is no functional impact, but the user experience is altered: listed file types are downloaded instead of opening inline. |
| Security risk (Moderate) | Attackers can abuse MIME types to place unintended script content in an attachment that executes on the victim's side and captures sensitive information. XSS can lead to easily attained privilege escalation to higher roles, such as admin, from which further lateral movement is possible. |
| Security risk rating | 6.3 |
| Related properties | glide.ui.attachment.force_download_all_mime_types; glide.ui.attachment.tables_ignore_force_download |
| References | Force download MIME types |

To remediate, populate the property with a comma-separated list of attachment MIME types that should not render inline in the browser.