Security mechanisms for preventing cross-site scripting vulnerabilities.
To prevent cross-site scripting (XSS) attacks and reduce system vulnerabilities, additional security mechanisms are available that provide further protection when you download and upload files in XSS scenarios. Without sufficient security measures to verify the data you access, XSS scenarios could be vulnerable to attacks where script code has been maliciously injected into a Web page of another Website so that the script is executed by your browser as soon as you open the corrupted Web page. In the worst case, the maliciously injected script could be used to steal, corrupt or manipulate the content of the infected Web page when you access it. The attack can affect text, images, and cookies and can also invoke actions by submitting requests on your behalf. The security mechanisms explained here prevent such attacks on your computer by verifying the content you want to download or upload.
Two security mechanisms are used for media read access:
Save to disk: When you trigger a read request, a Save to disk dialog appears that enables you to save and open the file from an alternative location without risk of a potential cross-site scripting attack because the file is not opened with the browser.
In the HTTP header, the following option is added: content-disposition=attachment;filename=<filename>
No sniff option: The nosniff option is set in the HTTP header (x-content-type-options=nosniff), which instructs the browser not to sniff the content of the file to be downloaded. This prevents your computer from inadvertently executing any script that might have been inserted maliciously.
For example, if you access an HTML page with MIME type text/plain and the nosniff option in the HTTP header, the content of the HTML page is opened as a plain text file as opposed to displaying the original HTML page in your browser.
<html> <body bgcolor="#AA0000"> <h1>This page renders as HTML source code (text).</h1> </body> </html>
By displaying the content in plain text, you can prevent any potential cross-site scripting attack.
To provide additional security for uploaded content, you can define which MIME types you want to be allowed for file uploads. Consequently, only the MIME types you define in your whitelist can be uploaded. Should an attempt be made to upload a file that is not of a permitted MIME type, the content is blocked and the message rule violation "MIME type text/html blocked" is displayed for example.
This feature is part of SAP Virus Scan Interface (VSI) 2.00 and is supported for the following two products. For more information, see SAP Note 1494278 (NW-VSI: Summary of Virus Scan Adapter's for SAP Integration).
You must also define your list of permitted MIME types. For more information, see SAP Note 1640285 (Determine MIME type with Virus Scan Interface).