Set safe content security policy for svg files [New in Security Center 1.3]

  • Release version: Australia
  • Updated: 12 March 2026
  • Time required: 2 minutes
  • The com.glide.csp.self_script_src_svg property adds the script-src 'none' directive to the HTTP Content-Security-Policy header when Scalable Vector Graphics (SVG) files are accessed through the instance's .iix file extension.

    The com.glide.csp.self_script_src_svg property prevents malicious file attachments that carry cross-site scripting (XSS) payloads, such as an SVG with an embedded <script> element or an event-handler attribute, from running in an instance. Without this policy, a bad actor could cause a user who opens the attachment to run arbitrary JavaScript in their browser, with consequences such as data exfiltration and session takeover.

    More information

    Attribute                        Description
    Configuration name               com.glide.csp.self_script_src_svg
    Configuration type               System Properties (/sys_properties_list.do)
    Data type                        Boolean
    Recommended value                true
    Default value                    true
    Category                         Validation, sanitization, and encoding
    Security risk                    • CVSS score: 7.1
                                     • Severity: High
                                     • Security risk details: Leaving this property at a value other than the recommended true allows a bad actor to get arbitrary JavaScript executed in the browser of any user who opens a crafted SVG attachment.
    Dependencies and prerequisites   None
    Functional impact                Script in SVG files served through the .iix extension, whether an inline <script> element, an event-handler attribute, or a referenced external script, is not executed by the browser. An SVG that depends on scripting for its behaviour renders as a static image.