Apache Sling Content Disposition Filter

aemanonymous
Level 4

In AEM 6.2, we have the following configuration: Apache Sling Content Disposition Filter (org.apache.sling.security.impl.ContentDispositionFilter). Are there any side effects of unchecking the option "Enable Content Disposition for all paths"?

I have unchecked it to prevent DAM assets like PDFs from being downloaded automatically. Is it possible to restrict this only for PDF files, irrespective of paths?

1 Accepted Solution
smacdonald2008
Correct answer by
Level 10

Response from team:

The filter does not allow for mime-type specific configuration. The purpose of the filter is to instruct a client that the file is a download rather than something to render, as a security feature. As an example, if a user with access (or an attacker) was to upload an HTML or JS file into the DAM which could execute first party in the domain, they could circumvent JS browser protections like ORIGIN headers. So AEM inserts a Content-Disposition header to tell the browser it's a download rather than to render the file, thus increasing security.

It can be disabled if the customer truly wants to have static files rendered from the repository for HTML etc. I have one customer that required this for their use cases, where HTML is rendered by another system for technical documentation.

It is a security feature though, so disabling it should be documented and intentional.

However, I do think the filter applies for text/* mimetypes, and PDFs should be rendered as expected in the browser, so I would encourage more testing for the person posting this.

smacdonald2008
Level 10

I will check internally for this question... There are no docs, so it is hard to really know.

You can also post to the Sling board: http://apache-sling.73963.n3.nabble.com/Sling-Dev-f73966.html

aemanonymous
Level 4

Thanks Scott.

For requests via Apache, this is happening correctly for PDF files. The problem happens only when the AEM instance is invoked directly.

Paul

KrishnaGunturu
Level 1

I disabled the Content Disposition filter for all paths. It worked fine for all the images other than .svg images; they are still getting downloaded. Any thoughts on it?

suhass86991778
Level 3

Hey team, there's a typo in this doc, Adobe Experience Manager Help | Content Disposition Filter: it says PFD instead of PDF. Please have this updated.

So, from 6.4 all assets including PDFs get downloaded, unless the filter is disabled or exceptions are added.

suhass86991778
Level 3

KrishnaGunturu, you will have to remove the 'image/svg+xml' entry from the DAM Safe Binary filter in the Felix Console.

victor_toledo_3
Level 3

Hi here, I'm using this configuration

[screenshot: Screen Shot 2019-08-27 at 14.05.25.png]

and it seems to work. I mean, I've deactivated the filter for all paths, but I have added a rule to validate everything in content except PDFs.

What do you think? Should I add more paths in Included Resource Paths, for example /etc, /libs, /apps, etc.?
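To reason about a configuration like the one above before it goes onto an instance, here is an added example (not Sling's or AEM's code) that models the decision the thread describes: which responses get a forced download and which still render inline. It assumes path prefixes are matched segment-wise, that an included path can exempt specific mime types (the "except PDFs" rule), that an excluded path never gets the header, and that the DAM Safe Binary filter forces download for its listed mime types regardless of path; the config and sample responses are constructed, so confirm the real behaviour against your instance.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class DispositionConfig:
    all_paths: bool = False
    # included path prefix -> mime types exempted from forced download
    included: Dict[str, Set[str]] = field(default_factory=dict)
    excluded: Set[str] = field(default_factory=set)
    # mime types forced to download regardless of path: models the DAM Safe
    # Binary filter mentioned in the thread (SVG is the example given there)
    unsafe_binaries: Set[str] = field(default_factory=lambda: {"image/svg+xml"})

def _under(path: str, prefix: str) -> bool:
    # assumed matching rule: exact path or a child of the prefix
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def forces_download(cfg: DispositionConfig, path: str, mime: str) -> bool:
    """True when the response for `path` with `mime` gets an attachment header."""
    if mime in cfg.unsafe_binaries:
        return True
    if any(_under(path, p) for p in cfg.excluded):
        return False
    if cfg.all_paths:
        return True
    for prefix, exempt in cfg.included.items():
        if _under(path, prefix):
            return mime not in exempt
    return False

def audit(cfg: DispositionConfig, samples: List[Tuple[str, str]]) -> List[str]:
    """List the (path, mime) pairs that would still render inline; each one
    should be justified, since inline HTML/JS from the repository is the risk."""
    return [f"{path} [{mime}]" for path, mime in samples
            if not forces_download(cfg, path, mime)]

# Constructed config mirroring the last post: off for all paths, /content
# included with PDFs exempted. Sample responses are constructed too.
THREAD_CONFIG = DispositionConfig(included={"/content": {"application/pdf"}})
SAMPLES = [
    ("/content/dam/docs/guide.pdf", "application/pdf"),
    ("/content/dam/uploads/page.html", "text/html"),
    ("/content/dam/logo.svg", "image/svg+xml"),
    ("/apps/site/static/app.js", "application/javascript"),
]

if __name__ == "__main__":
    for line in audit(THREAD_CONFIG, SAMPLES):
        print("renders inline:", line)
```

Running the audit on this config shows that anything outside /content (such as /apps) is not covered at all, which is exactly the question of whether more Included Resource Paths are needed.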