Hosting Static HTML in the JCR

Thank you for posting your solution.

In case you are hosting the HTML files in DAM, you can disable it by changing an OSGI Config:

Dam Safe Binary Filter (com.day.cq.dam.core.impl.servlet.DamContentDispositionFilter), remove text/html from Blacklisted Mime Types

http://stackoverflow.com/a/35031277

I have the same issue.  I have a package containing static HTML files.

I import this into AEM 6.1 and it is rendered to the browser.

Importing the exact same package into AEM 6.2 results in the files being downloaded instead of served into the browser.

I attempted to add /content/path and also /content/path/somefile.html to the Apache Sling Content Disposition Filter as suggested without seeing any difference in behavior.

I'm curious if you had made any other changes to get this working. 

Thanks.

Rob,

I don't recall having to change anything else. Did you try checking the "Enable content disposition for all paths" checkbox on that Service?

Root cause:-

This is an intended change made by engineering in AEM 6.2. Even for 6.1, we released a hotfix for it NPR-9381. 

GRANITE-9550 - Extend content disposition filter protection to author

NPR-9381 - HF for GRANITE-9550 - Extend content disposition filter protection to author

This was introduced as part of Sling Security Fix 

https://issues.apache.org/jira/browse/SLING-4883 - Extend content disposition filter protection to jcr:data

https://issues.apache.org/jira/browse/SLING-4973 - Add Content Disposition Excluded Paths

Other customers reported this as a security issue. 

1) They identified that malicius files can potentially be uploaded by using the functionality

2) Access the uploaded file via above URL, verify that the file gets executed

Therefore, engineering fixed the issue and implemented this change and now by default the file instead of opening up in the browser gets download instead.

This is coming through OSGI configuration - 

http://host:port/system/console/configMgr/org.apache.sling.security.impl.ContentDispositionFilter

The checked box - Enable Content Disposition for all paths is causing this change in behavior which is intended.

To revert to old behavior:

If you are OK to bear this security issue, you can uncheck the checkbox and the file would directly open in the browser instead of getting downloaded. Thereby, meeting your requirements.

Thanks very much for this helpful response.  I have confirmed this re-enables this functionality on my environment.

In my particular case I want to serve these files as an interim step in a migration effort so I am not concerned about the security concerns.  I will recheck the box once completed.

Cheers.

smacdonald2008, vmehrotr Have same requirement, is there a way to enable this for all the HTML files added under a specific location. Like if I need to show all the HTML files under content/mySite/htmlFiles.

I tried with content/mySite/htmlFiles(/.*), but it does not work.

Client does not want to check the box due to mentioned security concerns.

Please suggest......Thanks

Hi,

We would also like to host static HTML files (+ accompanying JS, CSS, etc. in subfolders) on AEM. Besides the workaround mentioned above (Apache Sling Content Disposition Filter), which apparently is not recommended due to security concerns, are there any other ways of hosting such static HTML files on AEM? Specifically, we would be interested in a solution for AEM 6.4. 

Essentially, we want to use AEM just as a standard webserver for these files, and then includes them as an iFrame on our regular AEM pages.

Any help would be appreciated!

Per my knowledge, you could host it under /content path or /content/dam as nt:file or /etc/.. or /apps/.. using proxy accessible using/etc.clientlibs/..

Try it and revert if you get any issues.