topic Re: Block mimetype for all but 1 site? in Alfresco Archive

Block mimetype for all but 1 site?

avatar47 — Tue, 08 Apr 2014 11:50:48 GMT

Hello,I'm looking to ask if anyone would know if it's possible to block a mimetype on a site-by-site basis. Recently there was an update which blocks .svg mimetypes from opening natively (ie. View in browser), because of XSS concerns, requiring employees to save locally instead, which is undesired.

Re: Block mimetype for all but 1 site?

mrogers — Wed, 09 Apr 2014 10:37:58 GMT

You could have a policy that throws an exception on addition of the banned mimetype. Not elegant - but it will work.

Re: Block mimetype for all but 1 site?

avatar47 — Wed, 09 Apr 2014 12:26:07 GMT

I'll discuss your proposed solution with our infrastructure team, thanks mrogers!

Re: Block mimetype for all but 1 site?

anton_udintsev — Wed, 09 Apr 2014 13:34:00 GMT

Hi mrojers,

I represent the infrastructure team Alex was referring to.

First, I'd like to provide you some context. Alex was referring to ticket MNT-8453: "View in browser" function in Share was disabled for SVG files in Alfresco Enterprise 4.1.5. Alex asks if it is possible to re-enable this function per-site basis.

Now, if I got your idea correct, you suggest to disable <em>adding</em> SVG documents (depending on how we implement this, this can be done per-site basis). But that's not what we would like to achieve. We still want that users are able to upload SVG files, and we want that "View in browser" function in Share is still disabled for SVG files by default - but if some Share site manager insists, this function can be re-enabled for this specific site.

Please correct me if I got your idea wrong.

Huge thanks and warm regards,
Anton

For reference: I am conducting a conversation on this topic on support ticket 00153174 with Jay Sinha.

Re: Block mimetype for all but 1 site?

mrogers — Wed, 09 Apr 2014 15:26:42 GMT

I'll leave it to you and Jay to discuss.

I don't think its appropriate to enable .svg for one site only since that could be vulnerable to XSS. Perhaps the .svg could be filtered or transformed? I think that's the way to go.

Re: Block mimetype for all but 1 site?

avatar47 — Wed, 09 Apr 2014 16:01:20 GMT

Apologies for poking my nose in here again, but could you elaborate on the 'filtered' option? Transforming .svgs would mean losing a considerable amount of native functionality, it is not really an option for us. If by filtering you mean that they are pre-scanned for suspicious activity, that could be an option.

Secondly, I was informed that XSS attacks are, for larger companies, somewhat rare (or even impossible), as usually there are numerous hardware/software combinations which block XSS activity from occuring at all in any given intranet. For example, F5 Networks sells a 'Application Management Systems' (AMS) which scans at Layer 7 for XSS activity, and then blocks it. I was hoping our company was already in possession of such equipment perhaps (I assure you I am not a salesman for F5, but for anyone's interest perhaps -> https://f5.com/glossary/cross-site-scripting ).

Thirdly, if .svg 'view in browser' were enabled for only 1 site, and that site were fully audited and controlled tightly, then *surely* that must significantly be a lower risk, no?

Regards,
Alex