Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn more

View all

Sign in to view all badges

SOLVED

Issues that might arise due to having content disposition inline on images

aemAmateur
Level 2
Level 2

I have already asked the same question before on the forum, sorry for posting again. l asked the following question.

 

"I am trying to display images (png, jpeg, gif, svg) directly on browser instead of letting the users downloading it. I've read from so many places that having content disposition header as inline might cause some security issues, and it is better to have it as attachment. Can anyone provide me a scenario where this might be a problem?"

 

From the answers from my previous post, I could see mostly the security issue are caused when a malicious attacker injects a script along with the image. Can we tackle this problem by adding a Content-Security-Policy script-src 'none'? my use case for this question only requires the displaying of the image on browser window, and nothing else.

1 Accepted Solution
raj_mandalapu
Correct answer by
Community Advisor
Community Advisor

@aemAmateur the file which contains executable code is recommended to be downloaded, for example XML, SVG, txt, etc. let us take a simple use case, usually, we use a .svg file to render the images, but at the same time, you can also execute javascript within the SVG file. The problem with this is if you open the SVG within the browser then there is a chance that the attackers can run malicious code in the browser. 

In this case, you need to set the correct mime type that is image/svg+xml and also use  Content-Security-Policy: script-src ‘none’ to disable the javascript execution while loading the SVG file in the browser.

It is good that create and upload .svg file only from the developers. if you give it to the end-user or content authors then you need to set up proper governance and everything should be reviewed and approved.

 

 

 

View solution in original post

4 Replies
kunal23
Level 10
Level 10

You can add img-src attribute in CSP header to reliably load images from trusted domains only. 

 

For more details, please see this - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP 

 

aemAmateur
Level 2
Level 2
thanks for the reply kunal. The images I am uploading to clients are already coming from my domain only. but what if one of many authors that are uploading assets to my site, uploads a malicious image. In that time img-src 'self' wouldn't stop the malicious code to be executed on client, right?
kunal29
Level 1
Level 1
If your concern is regarding authors uploading something bad then you should implement workflow and governance process on publishing images. An author can also put some unwanted text on the page as well. So you should always have a review and approval process in place before anything is published.
raj_mandalapu
Correct answer by
Community Advisor
Community Advisor

@aemAmateur the file which contains executable code is recommended to be downloaded, for example XML, SVG, txt, etc. let us take a simple use case, usually, we use a .svg file to render the images, but at the same time, you can also execute javascript within the SVG file. The problem with this is if you open the SVG within the browser then there is a chance that the attackers can run malicious code in the browser. 

In this case, you need to set the correct mime type that is image/svg+xml and also use  Content-Security-Policy: script-src ‘none’ to disable the javascript execution while loading the SVG file in the browser.

It is good that create and upload .svg file only from the developers. if you give it to the end-user or content authors then you need to set up proper governance and everything should be reviewed and approved.

 

 

 

View solution in original post