This would prevent scripts from being executed when opening an SVG file:
Yes, user-uploaded SVG files can include JavaScript. These execute if you load that image directly (top-level navigation). Someone could be sent a link to check out a funny meme on your website, and unwittingly be running scripts in your website's context in the background
[...]
To safely host SVG images, you need to [...] have a Content-Security-Policy (CSP) response header set on SVG images which denies running those scripts
On defaulting this: I'm not aware of any usecase where we would have static assets in which we would want scripts running. Still, there could be possible scenarios - maybe we want to be able to override this like new AssetsFrom(...)->allow(['script-src' => ...])?
Add this to
web.frontend.AssetsFrom:This would prevent scripts from being executed when opening an SVG file:
Source: https://stackoverflow.com/questions/10557137/are-user-uploaded-svgs-a-xss-risk-how-can-you-sterilize-an-svg
On defaulting this: I'm not aware of any usecase where we would have static assets in which we would want scripts running. Still, there could be possible scenarios - maybe we want to be able to override this like
new AssetsFrom(...)->allow(['script-src' => ...])?