SVG XSS Protection
The Shopware Security Update 10/2021 refers to a possible cross-site scripting (XSS) vulnerability based on SVG graphics. SVG files are XML documents and can carry embedded script; if SVG graphics from third-party providers are loaded into your own online store, a manipulated SVG file can cause malicious code to be executed in the visitor's browser.
When using the creoline CDN, SVG graphics are automatically delivered with the necessary 'Content-Security-Policy' header so that cross-site scripting (XSS) within the SVG graphic is prevented.
CDN Example Request:
GET https://assets.cstatic.io/img/creoline-logo.svg

Response:
Content-Type: image/svg+xml
Content-Length: 3087
Server: creoline
Cache-Control: max-age=31536000, public
[..]
Content-Security-Policy: script-src 'none'
X-Creoline-Information: https://go.creoline.de/svg-xss
[..]
x-edge-pop: FRANKFURT
x-cache: HIT
All responses with the content type image/svg or image/svg+xml are automatically supplemented with the Content-Security-Policy header, so your online store is protected without any further configuration.
Additional measures
If you deliver SVG graphics independently of the creoline CDN on your website, the 'Content-Security-Policy' header should also be set for all SVG files.
Apache web server
# .htaccess
# Requires mod_headers; the FilesMatch pattern matches ".svg" in any letter case.
<IfModule mod_headers.c>
    <FilesMatch "\.(?i:svg)$">
        Header set Content-Security-Policy "script-src 'none'"
    </FilesMatch>
</IfModule>
nginx web server
# nginx.conf (/etc/nginx/conf.d/*.conf)
# "~*" makes the location match case-insensitive. Note that add_header inside a
# location block replaces all add_header directives inherited from the server or
# http level, so any headers set there must be repeated in this block.
location ~* ^.+\.svg$ {
    add_header Content-Security-Policy "script-src 'none'";
}
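To check that SVG responses actually carry a script-blocking policy, for example after applying one of the configurations above, the following added example (not creoline's code) parses the Content-Security-Policy header and reports, per response, whether scripts are effectively blocked. The response headers are constructed samples modelled on the CDN response shown above; a real check would feed in headers fetched from your own server.

```python
# Constructed sample responses (hypothetical, not captured from a live server),
# modelled on the CDN response above. Header names are matched case-insensitively.
SAMPLE_RESPONSES = {
    "cdn-svg": {"Content-Type": "image/svg+xml",
                "Content-Security-Policy": "script-src 'none'"},
    "self-hosted-no-csp": {"Content-Type": "image/svg+xml; charset=utf-8"},
    "default-src-only": {"Content-Type": "image/svg",
                         "Content-Security-Policy": "default-src 'none'; img-src 'self'"},
    "weak-csp": {"Content-Type": "image/svg+xml",
                 "Content-Security-Policy": "script-src 'self' 'unsafe-inline'"},
    "png": {"Content-Type": "image/png"},
}

def is_svg(content_type):
    """True for the two media types the CDN treats as SVG; parameters are ignored."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in ("image/svg", "image/svg+xml")

def parse_csp(value):
    """Split a CSP header into {directive: [source, ...]}. Directives are
    ';'-separated; the first occurrence of a name wins, as in browsers."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def svg_scripts_blocked(headers):
    """None if the response is not an SVG; otherwise True only when the
    effective script-src is exactly 'none' (default-src is the fallback)."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if not is_svg(lowered.get("content-type", "")):
        return None
    csp = lowered.get("content-security-policy")
    if csp is None:
        return False
    directives = parse_csp(csp)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    return [s.lower() for s in sources] == ["'none'"]

def audit(responses):
    """Map each named response to its verdict: True, False or None (not an SVG)."""
    return {name: svg_scripts_blocked(h) for name, h in responses.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name}: {verdict}")
```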