Opened 6 months ago

Last modified 6 months ago

#320 new enhancement

Additional XSS protection for the usage of SVG files?

Reported by: TC Haddad Owned by: Jeff McKenna
Priority: critical Milestone: 4.1.0 release
Component: MS4W - Apache Version: 4.0.5
Keywords: Cc:
Blocked By: Blocking:


This config modification was suggested in a Joomla security notice, and I wondered if you think it worth including in MS4W:

"This rule will protect users of svg files from potential Cross-Site-Scripting (XSS) vulnerabilities."

<FilesMatch "\.svg$">
  <IfModule mod_headers.c>
    Header always set Content-Security-Policy "script-src 'none'"

Change History (1)

comment:1 by Jeff McKenna, 6 months ago

Component: MS4W - BaseMS4W - Apache
Priority: enhancementcritical

Great idea. I think this is very important, absolutely will add to next MS4W release. thanks!

Note: See TracTickets for help on using tickets.