Set safe content security policy for svg files [New in Security Center 1.3]

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 2 minutes
  • The com.glide.csp.self_script_src_svg property adds the `script-src 'none'` directive to the HTTP Content-Security-Policy header when Scalable Vector Graphics (SVG) files are accessed through the Translation Memory Index (IIX) file extension.

    The com.glide.csp.self_script_src_svg property prevents malicious file attachments that store cross-site scripting (XSS) payloads from running in an instance. Without this policy, a bad actor could cause a user to run arbitrary JavaScript code in their web browser, which could lead to security vulnerabilities such as data exfiltration and session takeover.
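    Because the control is only effective if the header actually reaches the browser, a practitioner will want to verify the policy on SVG responses rather than trust the property value alone. The following checker is an added example and is not ServiceNow code; the sample headers are constructed and do not come from a real instance. It parses a Content-Security-Policy header the way a browser does (first occurrence of a directive wins, `script-src` falls back to `default-src`) and reports whether script execution inside an SVG document would be blocked.

```python
def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header into {directive: [sources]}.

    Per the CSP specification, when a directive appears more than once
    only the first occurrence is honoured, so later duplicates are ignored.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in policy:
            policy[name] = sources
    return policy


def svg_scripts_blocked(header: str) -> bool:
    """Return True if the policy forbids all script execution in an SVG.

    Scripts are governed by script-src, or by default-src when script-src is
    absent. The hardening described on this page is only in place when the
    effective source list is exactly 'none' (an empty list is equivalent).
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # no directive governs scripts at all
    normalized = [s.lower() for s in sources]
    return normalized in ([], ["'none'"])


# Constructed sample headers (hypothetical, not captured from an instance).
SAMPLE_SVG_RESPONSES = {
    "hardened": "default-src 'self'; script-src 'none'; img-src 'self' data:",
    "property_disabled": "default-src 'self'; img-src 'self' data:",
    "duplicate_directive": "script-src 'none'; script-src 'self'",
    "allows_self": "script-src 'self'",
}


def audit(responses: dict) -> dict:
    """Map each sample response name to whether SVG scripts are blocked."""
    return {name: svg_scripts_blocked(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, blocked in audit(SAMPLE_SVG_RESPONSES).items():
        print(f"{name}: {'blocked' if blocked else 'NOT blocked'}")
```

    In the "property_disabled" case the browser falls back to `default-src 'self'`, which still permits same-origin scripts, so an SVG attachment served from the instance itself would not be protected.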

    More information

    Attribute: Description
    Configuration name: com.glide.csp.self_script_src_svg
    Configuration type: System Properties (/sys_properties_list.do)
    Data type: Boolean
    Recommended value: true
    Default value: true
    Category: Validation, sanitization, and encoding
    Security risk:
    • Severity score: 7.1
    • CVSS score: High
    • Security risk details: Not setting this property to the recommended value of true could cause a user to run arbitrary JavaScript code from a bad actor.
    Dependencies and prerequisites: None
    Functional impact: This property prevents Scalable Vector Graphics (SVG) files from accessing external scripts.