Block mimetype for all but 1 site?

avatar47
Champ in-the-making
Hello,

I'm looking to ask if anyone would know if it's possible to block a mimetype on a site-by-site basis. Recently there was an update which blocks .svg mimetypes from opening natively (i.e. View in browser), because of XSS concerns, requiring employees to save locally instead, which is undesired. I would like to know if it is possible for my company to block this mimetype for all but ONE Document site. Is this possible to configure?


Regards,
Alex

mrogers
Star Contributor
You could have a policy that throws an exception on addition of the banned mimetype. Not elegant - but it will work.

avatar47
Champ in-the-making
I'll discuss your proposed solution with our infrastructure team, thanks mrogers!

Hi mrogers,

I represent the infrastructure team Alex was referring to.

First, I'd like to provide you some context. Alex was referring to ticket MNT-8453: "View in browser" function in Share was disabled for SVG files in Alfresco Enterprise 4.1.5. Alex asks if it is possible to re-enable this function on a per-site basis.

Now, if I got your idea correct, you suggest disabling *adding* SVG documents (depending on how we implement this, this can be done on a per-site basis). But that's not what we would like to achieve. We still want users to be able to upload SVG files, and we want the "View in browser" function in Share to remain disabled for SVG files by default - but if some Share site manager insists, this function can be re-enabled for this specific site.

Please correct me if I got your idea wrong.

Huge thanks and warm regards,
Anton

For reference: I am conducting a conversation on this topic on support ticket 00153174 with Jay Sinha.

mrogers
Star Contributor
I'll leave it to you and Jay to discuss.

I don't think it's appropriate to enable .svg for one site only since that could be vulnerable to XSS. Perhaps the .svg could be filtered or transformed? I think that's the way to go.

avatar47
Champ in-the-making
Apologies for poking my nose in here again, but could you elaborate on the 'filtered' option? Transforming .svgs would mean losing a considerable amount of native functionality, so it is not really an option for us. If by filtering you mean that they are pre-scanned for suspicious activity, that could be an option.

Secondly, I was informed that XSS attacks are, for larger companies, somewhat rare (or even impossible), as usually there are numerous hardware/software combinations which block XSS activity from occurring at all in any given intranet. For example, F5 Networks sells an 'Application Management Systems' (AMS) which scans at Layer 7 for XSS activity, and then blocks it. I was hoping our company was already in possession of such equipment perhaps (I assure you I am not a salesman for F5, but for anyone's interest perhaps -> https://f5.com/glossary/cross-site-scripting ).

Thirdly, if .svg 'view in browser' were enabled for only 1 site, and that site were fully audited and controlled tightly, then *surely* that must be a significantly lower risk, no?


Regards,
Alex
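The 'filtered' / pre-scan option raised by mrogers and queried by Alex, as an added example that is neither part of this thread nor Alfresco's own code: a stand-alone Python allowlist filter that reports (or, with strip=True, removes) script elements, inline event-handler attributes and non-fragment, non-http(s) URLs in an uploaded SVG before it is served for in-browser viewing. The function names and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production
SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
BLOCKED_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRIBUTES = {"href", "src"}
SAFE_URL_PREFIXES = ("#", "http://", "https://")  # same-document or plain http(s) only
# Constructed sample (added example, not Alfresco code): one benign shape plus three script vectors.
SAMPLE_SVG = (
    '<svg xmlns="%s" xmlns:xlink="%s" onload="alert(1)"><script>alert(1)</script>'
    '<a xlink:href="javascript:alert(1)"><circle r="5"/></a>'
    '<a href="#logo"><rect width="4" height="4"/></a></svg>' % (SVG_NS, XLINK_NS))

def _local(qname: str) -> str:  # '{namespace}name' -> 'name', lower-cased so xmlns/case cannot hide a match
    return qname.rsplit("}", 1)[-1].lower()

def _unsafe_attr_reason(name: str, value: str):
    local, v = _local(name), value.strip().lower()
    if local.startswith("on"):  # onload, onclick, ...: inline event handlers
        return f"event handler {local}"
    if local in URL_ATTRIBUTES and not v.startswith(SAFE_URL_PREFIXES):
        return f"{local} with disallowed scheme {value[:30]!r}"  # javascript:, data:, ...
    return None

def filter_svg(svg_text: str, strip: bool = False):
    """Return (svg_text, findings). strip=False only reports (pre-scan);
    strip=True also removes blocked elements and unsafe attributes."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        return svg_text, ["root element is not <svg>"]
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in list(root.iter()):  # snapshot: removals below must not disturb iteration
        tag = _local(elem.tag)
        if tag in BLOCKED_ELEMENTS:
            findings.append(f"blocked element <{tag}>")
            if strip:
                parent_of[elem].remove(elem)  # root is <svg>, never blocked, so a parent always exists
            continue
        for name, value in list(elem.attrib.items()):
            reason = _unsafe_attr_reason(name, value)
            if reason:
                findings.append(f"<{tag}> has {reason}")
                if strip:
                    del elem.attrib[name]
    if strip:
        ET.register_namespace("", SVG_NS)
        ET.register_namespace("xlink", XLINK_NS)
        return ET.tostring(root, encoding="unicode"), findings
    return svg_text, findings
```

The sketch covers element and attribute vectors only; a production filter would also need to handle CSS (`<style>`, `style=`) and animation elements that can rewrite `href`, and to reject rather than rewrite documents where fidelity matters.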