Downloadable MIME types (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 1 minute to read

    Use the glide.ui.attachment.download_mime_types property to specify a comma-separated list of attachment MIME types that should be downloaded rather than rendered inline in the browser.

    To view a list of existing MIME types, open /sys_attachment_icon_rule_list.do. You can enable any of these MIME types to meet the security compliance requirements of the ServiceNow AI Platform.

    Note:
    If you set the Force Download MIME Types property to true, it overrides the Downloadable MIME types property (a comma-delimited list of downloadable MIME types). To learn more, see Force download MIME types.

    More information

    Property name: glide.ui.attachment.download_mime_types
    Configuration type: System Properties (/sys_properties_list.do)
    Configure in Instance Security Center: Yes
    Purpose: Restrict the listed file types from being rendered in the browser, to avoid hidden malicious script execution.
    Recommended value: Some defined file types, for example text/html,text/csv.
    Functional impact: This remediation enforces validation checks before an action is performed when you click an attachment in a ServiceNow AI Platform application. There is no potential impact, but the user experience is altered.
    Security risk (Medium): Client-side scripting attack vectors come in different flavors, and MIME type attachment abuse is no exception.

    Attackers can abuse MIME types by placing unintended script content in an attachment; when the browser renders it inline, the script runs on the victim's side and can capture sensitive information. In the current context, populate the property with a comma-separated list of attachment MIME types that should not render inline in the browser.

    Example: text/html

    To learn more about adding or creating a system property, see Add a system property.
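The following Python model is an added example; it is not ServiceNow's documentation or platform code. It shows how a comma-separated MIME list such as this property's value is applied when an attachment response is built: list entries are trimmed and lower-cased, an attachment's type is compared ignoring case and parameters such as charset, and the Force Download MIME Types override wins whenever it is set. The function names, the sample attachments and the exact Content-Disposition values are assumptions for illustration; the platform's real implementation is not shown on this page.

```python
# Added example (not ServiceNow's code): models how a property like
# glide.ui.attachment.download_mime_types decides whether an attachment is
# served as a download or allowed to render inline, including the override
# by the Force Download MIME Types property described on the page.


def parse_mime_list(value: str) -> set:
    """Parse a comma-separated property value into normalized MIME types.

    Whitespace around entries is ignored, types are lower-cased, and any
    parameters (e.g. '; charset=utf-8') are dropped so that comparison
    is by type/subtype only. Empty entries such as a trailing comma are skipped.
    """
    types = set()
    for entry in value.split(","):
        entry = entry.strip().lower()
        if not entry:
            continue
        types.add(entry.split(";", 1)[0].strip())
    return types


def normalize_mime(content_type: str) -> str:
    """Reduce 'Text/HTML; charset=UTF-8' to 'text/html' for comparison."""
    return content_type.split(";", 1)[0].strip().lower()


def content_disposition(content_type: str, filename: str,
                        download_mime_types: str,
                        force_download_all: bool = False) -> str:
    """Return the Content-Disposition header value for an attachment.

    force_download_all models the Force Download MIME Types property set to
    true: every attachment is downloaded and the list is ignored. Otherwise
    an attachment whose type is in download_mime_types is served as a
    download; anything else may render inline (the default behaviour assumed here).
    """
    # Drop quotes and non-printable characters so the filename cannot
    # break out of the header value.
    safe_name = "".join(ch for ch in filename if ch.isprintable() and ch != '"')
    listed = normalize_mime(content_type) in parse_mime_list(download_mime_types)
    if force_download_all or listed:
        return f'attachment; filename="{safe_name}"'
    return f'inline; filename="{safe_name}"'


# Constructed sample attachments (name, Content-Type); not real records.
SAMPLE_ATTACHMENTS = [
    ("report.html", "text/html; charset=UTF-8"),
    ("export.csv", "text/csv"),
    ("logo.png", "image/png"),
]


def dispositions(download_mime_types: str, force_download_all: bool = False) -> dict:
    """Map each sample attachment name to the header it would be served with."""
    return {
        name: content_disposition(ctype, name, download_mime_types, force_download_all)
        for name, ctype in SAMPLE_ATTACHMENTS
    }


if __name__ == "__main__":
    # Weak setting: empty list, so HTML renders inline in the browser.
    print("empty list:      ", dispositions(""))
    # Recommended setting from the page: listed types are downloaded instead.
    print("text/html,text/csv:", dispositions("text/html,text/csv"))
    # Force Download MIME Types = true overrides the list entirely.
    print("force download:  ", dispositions("text/html,text/csv", force_download_all=True))
```

Running the block prints the three configurations side by side: with an empty list the HTML attachment is served inline, with the page's recommended value text/html and text/csv become downloads while the PNG still renders inline, and with the force-download override every attachment is a download regardless of the list.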