How To Restrict Rendering of XNAT Resources
Resource Rendering controls were added to the XNAT Admin UI in version 1.8.4. Older versions of XNAT can enable or disable all resource rendering (but cannot white-list MIME types as described below) via the Site-wide Configuration API, using Swagger.
The XNAT web application delivers HTML pages to your browser that include JavaScript, images and possibly other web-related resources. XNAT plugins may alter existing pages or create new pages that deliver similar content. As an XNAT administrator, you are relying on the core XNAT software and any installed plugins to behave in a responsible manner.
XNAT allows users to upload resources (i.e., files) and attach them to various items within the XNAT data hierarchy (subject, experiment, scan). The XNAT application supports these uploads through the web user interface or through the RESTful API.
See: Adding or Removing Resource Files
There are no restrictions on the types of files that can be uploaded (e.g., XML, HTML, JPEG, PDF) nor on the content of those files. The upload feature provides a simple model for a site to extend its XNAT instance to collect data beyond the types managed by core XNAT code (e.g., DICOM files). Arbitrary resources uploaded by XNAT users may therefore create a security risk for other users who render those resources in their web browser.
Restricting Resource Rendering
The XNAT administration panel provides two levels of control for the rendering of resources that are stored as files in the XNAT system, located in Administer > Site Administration > Security.
Firstly, the Resource Rendering flag lets the administrator enable or disable rendering across the entire instance. If it is disabled, clicking on a resource in the Web UI downloads the resource instead of rendering it. The user still has access to the downloaded file, and it is up to that user how they choose to use it. If Resource Rendering is enabled, the resource can be rendered directly in the user's web browser.
The second level of control applies only when Resource Rendering is enabled. The administrator can enter a comma-separated list of MIME types in Resource Rendering Whitelist; XNAT will render a resource of one of these types when a user clicks on it. This whitelist is consulted only when resources are rendered. As mentioned above, it does not restrict what kinds of resource files can be uploaded.
XNAT can only render a fixed set of supported MIME types. For fine-grained control, enter values from the list below; values are case-insensitive. As a shortcut, you can enable all of the supported MIME types by entering a single * character in the list (no quotes).
Please note that the XNAT snapshot and thumbnail images available at the scan level are stored as GIF files. These will render properly within the scan preview regardless of the values of the settings above. However, if you want users to be able to click on the snapshots in Manage Files and preview them in their browsers, you need to whitelist that MIME type as well.
Supported MIME-Types for Resource Rendering in XNAT
| Image Formats (Security Risk: Low) | Plaintext Formats (Security Risk: Medium) | Document / Rich Text Formats (Security Risk: High) |
|---|---|---|
| | | |
There are several MIME types that browsers can commonly render but that are not included in this list. Any resource file of such a type will be downloaded rather than rendered, even if it is added to the whitelist.
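The following is an added example, not code from XNAT, that models the render-or-download decision described in the two levels of control above and in the caveat about unsupported types: the global flag is checked first, types outside the supported set are always downloaded, and the whitelist is compared case-insensitively with * meaning all supported types. The supported set and the whitespace trimming of whitelist entries are assumptions made for illustration; the real supported list is the table on this page. An administrator can use a model like this to review a proposed whitelist against the kinds of files a project actually uploads.

```python
from dataclasses import dataclass

# Constructed placeholder set. XNAT's real supported list is the table above;
# these values are assumptions used only to exercise the decision logic.
SUPPORTED_RENDER_TYPES = frozenset({"image/png", "image/gif", "text/plain"})


@dataclass(frozen=True)
class RenderingSettings:
    rendering_enabled: bool  # the "Resource Rendering" flag
    whitelist: str           # "Resource Rendering Whitelist", comma-separated


def parse_whitelist(raw: str) -> set[str]:
    """Split the comma-separated setting into lower-cased MIME types.

    Trimming whitespace around each entry is an assumption about the UI;
    the page only states that the list is comma-separated and case-insensitive.
    """
    return {entry.strip().lower() for entry in raw.split(",") if entry.strip()}


def rendering_decision(settings: RenderingSettings, mime_type: str) -> str:
    """Return 'render' or 'download' for a resource of the given MIME type."""
    # Level one: the site-wide flag. Disabled means everything is downloaded.
    if not settings.rendering_enabled:
        return "download"

    mime = mime_type.lower()

    # Types XNAT cannot render are downloaded even if an admin lists them.
    if mime not in SUPPORTED_RENDER_TYPES:
        return "download"

    # Level two: the whitelist, with "*" standing for all supported types.
    allowed = parse_whitelist(settings.whitelist)
    if "*" in allowed or mime in allowed:
        return "render"
    return "download"


def audit(settings: RenderingSettings, resources) -> dict[str, str]:
    """Map each (name, mime_type) pair to the action XNAT would take.

    Useful for checking a proposed whitelist against a sample of the files a
    project uploads before changing the setting in Site Administration.
    """
    return {name: rendering_decision(settings, mime) for name, mime in resources}


if __name__ == "__main__":
    # Constructed sample of uploaded resources for a dry run.
    sample = [
        ("snapshot.gif", "image/gif"),
        ("notes.txt", "text/plain"),
        ("report.html", "text/html"),
    ]
    proposed = RenderingSettings(rendering_enabled=True, whitelist="IMAGE/GIF, text/plain")
    for name, action in audit(proposed, sample).items():
        print(f"{name}: {action}")
```

Note that text/html in the sample is downloaded in every configuration here because it is outside the (assumed) supported set, which is the behaviour the caveat above describes for types XNAT does not support, independent of what the whitelist contains.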