Opened 3 years ago

Last modified 2 years ago

#320 new enhancement

Additional XSS protection for the usage of SVG files?

Reported by: TC Haddad Owned by: Jeff McKenna
Priority: critical Milestone: 5.0.0 release
Component: MS4W - Apache Version: 4.0.5
Keywords: Cc:
Blocked By: Blocking:


This config modification was suggested in a Joomla security notice, and I wondered if you think it worth including in MS4W:

"This rule will protect users of svg files from potential Cross-Site-Scripting (XSS) vulnerabilities."

<FilesMatch "\.svg$">
  <IfModule mod_headers.c>
    Header always set Content-Security-Policy "script-src 'none'"

Change History (2)

comment:1 by Jeff McKenna, 3 years ago

Component: MS4W - BaseMS4W - Apache
Priority: enhancementcritical

Great idea. I think this is very important, absolutely will add to next MS4W release. thanks!

comment:2 by Jeff McKenna, 2 years ago

Milestone: 4.1.0 release5.0.0 release

Milestone renamed

Note: See TracTickets for help on using tickets.