Adobe Experience Manager Sites & More

aemanonymous · 1/30/17

In AEM 6.2, we have the following configuration Apache Sling Content Disposition Filter (org.apache.sling.security.impl.ContentDispositionFilter). Is there any side effects of unchecking the option "Enable Content Disposition for all paths".

I have unchecked it to prevent the dam assets like PDF from being downloaded automatically. Is it possible to restrict this only for PDF files irrespective of paths.

smacdonald2008 · 1/31/17

Response from team:

The filter does not allow for mime-type specific configuration. The purpose of the filter is to instruct a client that the file is a download rather than something to render as a security feature. As an example if a user with access (or attacker) was to upload an HTML or JS file into the DAM which could execute first party in the domain, they could circumvent JS browser protections like ORIGIN headers. So AEM inserts a content disposition header to tell the browser it's a download rather than to render the files this increasing security.

It can be disabled if the customer truly wants to have static files rendered from the repository for HTML etc. I have one customer that required this for their use cases where HTML is rendered by another system for technical documentation.

It is a security feature though so disabling should be documented and intentional.

However, I do think the filter applies for text/* mimetypes and PDFs should be rendered as expected in the browser so I would encourage more testing for the person posting this.

View solution in original post

smacdonald2008 · 1/31/17

I will check internally for this question... There are no docs so hard to really know.

You can also post to the Sling board too: http://apache-sling.73963.n3.nabble.com/Sling-Dev-f73966.html

smacdonald2008 · 1/31/17

Response from team:

The filter does not allow for mime-type specific configuration. The purpose of the filter is to instruct a client that the file is a download rather than something to render as a security feature. As an example if a user with access (or attacker) was to upload an HTML or JS file into the DAM which could execute first party in the domain, they could circumvent JS browser protections like ORIGIN headers. So AEM inserts a content disposition header to tell the browser it's a download rather than to render the files this increasing security.

It can be disabled if the customer truly wants to have static files rendered from the repository for HTML etc. I have one customer that required this for their use cases where HTML is rendered by another system for technical documentation.

It is a security feature though so disabling should be documented and intentional.

However, I do think the filter applies for text/* mimetypes and PDFs should be rendered as expected in the browser so I would encourage more testing for the person posting this.

aemanonymous · 1/31/17

Thanks Scott.

For requests via apache, this is happening correctly for PDF files. The problem happens only while being invoked directly from AEM instance.

Paul

KrishnaGunturu · 12/24/18

I disabled Content Disposition filter for all paths. It worked fine for all the image other than .svg images. They are still getting downloaded. Any thoughts on it?

Mounikasri · 12/29/21

Hi @KrishnaGunturu

I am also facing same issue with videos , all format of images and pdfs.Could you please tell me how you resolved this issue .Please share the configuration settings screenshots.

I have unchecked "Enable For All Resource Paths" but no use .Please help me with this issue.

suhass86991778 · 8/5/19

Hey team, there's a typo in this doc Adobe Experience Manager Help | Content Disposition Filter - it says PFD instead of PDF - please have this updated.

So, from 6.4 all assets including PDF gets downloaded, unless otherwise the filter is disabled or exceptions are added.

suhass86991778 · 8/5/19

KrishnaGunturu you will have to remove 'image/svg+xml' entry from DAM Safe Binary filter in Felix Console.

VictorToledo_ · 8/27/19

Hi here, i'm using this configuration

and it seems to work, i mean, I've deactivated the filter for all paths, but I have added a rule to validate everything in content except pdfs

what do you think? should i add more paths on Included Resource Paths, as for example, /etc, /libs, /apps etc

Adobe Experience Manager Sites & More

Apache Sling Content Disposition Filter

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe