Define restricted downloadable MIME types [Updated in Security Center 1.3, 1.5, and 2.0]

  • Release version: Yokohama
  • Updated July 2, 2025
    Use the glide.ui.attachment.force_download_all_mime_types property to force every attachment to be downloaded rather than rendered inline in the browser, regardless of its MIME type.

    The glide.ui.attachment.download_mime_types system property is a comma-separated list of attachment MIME types that are never rendered inline in the browser. For example, including text/html forces HTML files to be downloaded to the client as attachments rather than viewed inline in the browser.

    If this list doesn't include dangerous MIME types such as text/html, image/svg, image/svg+xml, and application/xml, attachments of those types could be rendered inline in the browser, where any script they carry runs in the context of the instance. This can lead to cross-site scripting (XSS) attacks. This check is only relevant when glide.ui.attachment.force_download_all_mime_types is set to false; when that property is true, every attachment is downloaded and the list is not consulted.

    If glide.ui.attachment.force_download_all_mime_types is set to false, verify that the glide.ui.attachment.download_mime_types system property includes the dangerous MIME types text/html,image/svg,image/svg+xml,application/xml.
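    The following Node.js script is an added example, not ServiceNow's own code: it models the check described above over a set of system property values, and goes one step beyond the text by also classifying an individual attachment's Content-Type header against the configured properties, so the effect of a missing entry is visible. The property names and the recommended list are taken from this page; the normalization rules (trimming, case-insensitive comparison, ignoring media-type parameters such as charset) and the sample configurations are assumptions made for the illustration, not a description of how the platform parses these properties.

```javascript
// Added example (not ServiceNow platform code): models the Security Center
// check "Define restricted downloadable MIME types" over system property values.
// Trimming, case folding and parameter stripping are assumptions for illustration.

const FORCE_ALL_PROP = "glide.ui.attachment.force_download_all_mime_types";
const LIST_PROP = "glide.ui.attachment.download_mime_types";

// MIME types the check expects to find in the list (from the page).
const DANGEROUS_MIME_TYPES = ["text/html", "image/svg", "image/svg+xml", "application/xml"];

// Parse a comma-separated property value into a Set of normalized types.
// An absent property (undefined/null) or an empty string yields an empty Set.
function parseMimeList(value) {
  if (value === undefined || value === null) return new Set();
  return new Set(
    String(value)
      .split(",")
      .map((t) => t.trim().toLowerCase())
      .filter((t) => t.length > 0)
  );
}

// Reduce a Content-Type header to its bare media type, e.g.
// "Image/SVG+XML; charset=utf-8" -> "image/svg+xml" (assumed comparison rule).
function normalizeContentType(contentType) {
  return String(contentType).split(";")[0].trim().toLowerCase();
}

// True when force_download_all_mime_types is "true" (case-insensitive).
// An absent property is treated as false, matching the check's prerequisite.
function forceDownloadAll(props) {
  const raw = props[FORCE_ALL_PROP];
  return raw !== undefined && raw !== null && String(raw).trim().toLowerCase() === "true";
}

// Evaluate the hardening check: pass when every dangerous type is in the list,
// or when all attachments are forced to download anyway.
// Returns { compliant: boolean, missing: string[] }.
function evaluateMimeTypeCheck(props) {
  if (forceDownloadAll(props)) {
    return { compliant: true, missing: [] };
  }
  const list = parseMimeList(props[LIST_PROP]);
  const missing = DANGEROUS_MIME_TYPES.filter((type) => !list.has(type));
  return { compliant: missing.length === 0, missing };
}

// How one attachment with the given Content-Type would be served under these
// properties: "download" (served as an attachment) or "inline" (rendered).
function attachmentDisposition(props, contentType) {
  if (forceDownloadAll(props)) return "download";
  const list = parseMimeList(props[LIST_PROP]);
  return list.has(normalizeContentType(contentType)) ? "download" : "inline";
}

// Constructed sample configurations (not taken from a real instance).
const SAMPLE_CONFIGS = {
  hardened: {
    [FORCE_ALL_PROP]: "false",
    [LIST_PROP]: "text/html,image/svg,image/svg+xml,application/xml",
  },
  // The SVG types were removed so that inline SVG previews work again.
  weakened: {
    [FORCE_ALL_PROP]: "false",
    [LIST_PROP]: "text/html, application/xml",
  },
  // download_mime_types was deleted from sys_properties entirely.
  missing: {
    [FORCE_ALL_PROP]: "false",
  },
  // The list is irrelevant because everything is forced to download.
  forceAll: {
    [FORCE_ALL_PROP]: "true",
  },
};

// Run the check against each sample and report how an SVG attachment would be served.
function auditSamples(configs) {
  const report = {};
  for (const [name, props] of Object.entries(configs)) {
    const result = evaluateMimeTypeCheck(props);
    report[name] = {
      compliant: result.compliant,
      missing: result.missing,
      svgDisposition: attachmentDisposition(props, "image/svg+xml; charset=utf-8"),
    };
  }
  return report;
}

console.log(JSON.stringify(auditSamples(SAMPLE_CONFIGS), null, 2));
```

    In the "weakened" sample the check fails and an SVG attachment is reported as served inline, which is the condition the check exists to catch; in the "forceAll" sample the list does not matter. On an instance, the same functions can be fed values read with gs.getProperty() in a background script; note that a media type present only as text/html in the list does not cover application/xml or the two SVG types, which is why the recommended value lists all four.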

    More information

    Attribute                       Description
    Configuration name              glide.ui.attachment.download_mime_types
    Configuration type              System Properties (/sys_properties_list.do)
    Data type                       String (comma-separated list of MIME types)
    Recommended value               text/html,image/svg,image/svg+xml,application/xml
    Default value                   text/html,image/svg,image/svg+xml,application/xml
    Fallback value                  text/html,image/svg,image/svg+xml,application/xml
    Category                        Validation, sanitization, and encoding
    Security risk                   • CVSS score: 6.3
                                    • Severity: Medium
                                    • Security risk: Maintaining this list properly prevents cross-site scripting (XSS) attacks.
    Dependencies and prerequisites  This check is only relevant when glide.ui.attachment.force_download_all_mime_types is set to false or doesn't exist in the System Properties [sys_properties] table.