Set safe content security policy for svg files [New in Security Center 1.3]

  • Release version: Yokohama
  • Updated January 30, 2025
  • 1 minute to read
    The com.glide.csp.self_script_src_svg property adds the `script-src 'none'` directive to the HTTP Content-Security-Policy header when Scalable Vector Graphics (SVGs) are accessed through the Translation Memory Index (IIX) file extension.

    The com.glide.csp.self_script_src_svg property prevents malicious file attachments that store cross-site scripting (XSS) attacks from running in an instance. Without this policy, a bad actor could cause a user to run arbitrary JavaScript code in their web browser, which could lead to security vulnerabilities such as data exfiltration and session takeover.
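    The mechanism the property relies on, shown as an added example (not ServiceNow's code or the property's implementation): a response-side helper that appends `script-src 'none'` to the CSP header for SVG responses, a parser an auditor can use to confirm an SVG response actually carries that directive, and a defensive scan that lists the constructs in an uploaded SVG that the directive stops from executing. The function names, the header-building logic, and the two sample SVG documents are all constructed for illustration and are not taken from the page.

```python
"""Added example (not ServiceNow's code) for the com.glide.csp.self_script_src_svg
property: build, verify, and motivate the script-src 'none' directive on SVG responses.

Everything below (helper names, header logic, sample documents) is constructed here.
"""
import re
import xml.etree.ElementTree as ET


def csp_for_svg(base_policy: str, self_script_src_svg: bool) -> str:
    """Return the Content-Security-Policy value to send with an SVG response.

    With the property enabled, a `script-src 'none'` directive is added so the
    browser refuses to execute any script embedded in, or referenced from, the
    SVG document, even when the file is opened directly as a top-level page.
    Any pre-existing script-src directive is dropped so the stricter one wins.
    """
    directives = [d.strip() for d in base_policy.split(";") if d.strip()]
    if self_script_src_svg:
        directives = [d for d in directives if not d.startswith("script-src")]
        directives.append("script-src 'none'")
    return "; ".join(directives)


def parse_csp(header_value: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def svg_response_blocks_scripts(headers: dict) -> bool:
    """Audit check for an SVG response: is script execution disabled by CSP?

    Header names are matched case-insensitively; returns False when no CSP
    header is present or when script-src is anything other than 'none'.
    """
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            return parse_csp(value).get("script-src") == ["'none'"]
    return False


_EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)


def svg_script_indicators(svg_bytes: bytes) -> list:
    """Defensive scan of an uploaded SVG attachment.

    Reports the constructs that would run script if the file were rendered
    without the CSP restriction: <script> elements, on* event-handler
    attributes, and javascript: URLs. This is a triage aid for reviewing
    attachments; the CSP header is the actual control.
    """
    findings = []
    root = ET.fromstring(svg_bytes)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # strip the XML namespace prefix
        if tag.lower() == "script":
            findings.append("<script> element")
        for attr, value in elem.attrib.items():
            local = attr.split("}")[-1]
            if _EVENT_ATTR.match(local):
                findings.append(f"event handler attribute {local} on <{tag}>")
            if local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


# Constructed sample documents (not from the page).
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10"/></svg>'
)
SCRIPTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>console.log("embedded script")</script>
  <rect width="10" height="10" onload="console.log('handler')"/>
  <a xlink:href="javascript:void(0)"><text>link</text></a>
</svg>"""

if __name__ == "__main__":
    base = "default-src 'self'; img-src 'self' data:"
    print("property off:", csp_for_svg(base, False))
    print("property on: ", csp_for_svg(base, True))
    print("clean svg:   ", svg_script_indicators(CLEAN_SVG))
    print("scripted svg:", svg_script_indicators(SCRIPTED_SVG))
```

    Running the block prints the header value with and without the directive and the indicator list for each sample: the clean SVG produces none, the scripted one produces three. The scan is intentionally independent of the header check, because the two answer different questions: whether a given file would execute script if unrestricted, and whether the instance's response headers actually forbid it.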

    More information

    Attribute                       Description
    Configuration name              com.glide.csp.self_script_src_svg
    Configuration type              System Properties (/sys_properties_list.do)
    Data type                       boolean
    Recommended value               true
    Default value                   true
    Category                        Validation, sanitization, and encoding
    Security risk                   • Severity score: 7.1
                                    • CVSS score: High
                                    • Security risk details: Not setting this property to the recommended value of true could cause a user to run arbitrary JavaScript code from a bad actor.
    Dependencies and prerequisites  None
    Functional impact               This property prevents scalable vector graphics (SVG) files from accessing external scripts.