Opened 5 years ago

Last modified 5 months ago

#320 new enhancement

Additional XSS protection for the usage of SVG files?

Reported by: TC Haddad Owned by: Jeff McKenna
Priority: critical Milestone: 5.2.0 release
Component: MS4W - Apache Version: 4.0.5
Keywords: Cc:
Blocked By: Blocking:

Description

This config modification was suggested in a Joomla security notice, and I wondered if you think it worth including in MS4W:

"This rule will protect users of svg files from potential Cross-Site-Scripting (XSS) vulnerabilities."

<FilesMatch "\.svg$">
  <IfModule mod_headers.c>
    Header always set Content-Security-Policy "script-src 'none'"
  </IfModule>
</FilesMatch>

Change History (4)

comment:1 by Jeff McKenna, 5 years ago

Component: MS4W - BaseMS4W - Apache
Priority: enhancementcritical

Great idea. I think this is very important, absolutely will add to next MS4W release. thanks!

comment:2 by Jeff McKenna, 4 years ago

Milestone: 4.1.0 release5.0.0 release

Milestone renamed

comment:3 by Jeff McKenna, 13 months ago

Milestone: 5.0.0 release5.0.1 release

comment:4 by Jeff McKenna, 5 months ago

Milestone: 5.0.1 release5.2.0 release

Milestone renamed

Note: See TracTickets for help on using tickets.