Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

Apache Sling Content Disposition Filter

Avatar

Level 4

In AEM 6.2, we have the following configuration Apache Sling Content Disposition Filter (org.apache.sling.security.impl.ContentDispositionFilter). Is there any side effects of unchecking the option "Enable Content Disposition for all paths".

I have unchecked it to prevent the dam assets like PDF from being downloaded automatically. Is it possible to restrict this only for PDF files irrespective of paths.

1 Accepted Solution

Avatar

Correct answer by
Level 10

Response from team:   

The filter does not allow for mime-type specific configuration.  The purpose of the filter is to instruct a client that the file is a download rather than something to render as a security feature.  As an example if a user with access (or attacker) was to upload an HTML or JS file into the DAM which could execute first party in the domain, they could circumvent JS browser protections like ORIGIN headers.  So AEM inserts a content disposition header to tell the browser it's a download rather than to render the files this increasing security.  
 
It can be disabled if the customer truly wants to have static files rendered from the repository for HTML etc.  I have one customer that required this for their use cases where HTML is rendered by another system for technical documentation.
 
It is a security feature though so disabling should be documented and intentional.
 
However, I do think the filter applies for text/* mimetypes and PDFs should be rendered as expected in the browser so I would encourage more testing for the person posting this.

View solution in original post

8 Replies

Avatar

Level 10

I will check internally for this question... There are no docs so hard to really know. 

You can also post to the Sling board too: http://apache-sling.73963.n3.nabble.com/Sling-Dev-f73966.html

Avatar

Correct answer by
Level 10

Response from team:   

The filter does not allow for mime-type specific configuration.  The purpose of the filter is to instruct a client that the file is a download rather than something to render as a security feature.  As an example if a user with access (or attacker) was to upload an HTML or JS file into the DAM which could execute first party in the domain, they could circumvent JS browser protections like ORIGIN headers.  So AEM inserts a content disposition header to tell the browser it's a download rather than to render the files this increasing security.  
 
It can be disabled if the customer truly wants to have static files rendered from the repository for HTML etc.  I have one customer that required this for their use cases where HTML is rendered by another system for technical documentation.
 
It is a security feature though so disabling should be documented and intentional.
 
However, I do think the filter applies for text/* mimetypes and PDFs should be rendered as expected in the browser so I would encourage more testing for the person posting this.

Avatar

Level 4

Thanks Scott.

For requests via apache, this is happening correctly for PDF files. The problem happens only while being invoked directly from AEM instance.

 

Paul

Avatar

Level 1

I disabled Content Disposition filter for all paths. It worked fine for all the image other than .svg images. They are still getting downloaded. Any thoughts on it?

Avatar

Level 2

Hi @KrishnaGunturu 

 

I am also facing same issue with videos , all format of images and pdfs.Could you please tell me how you resolved this issue .Please share the configuration settings screenshots.

I have unchecked "Enable For All Resource Paths" but no use .Please help me with this issue.

Mounikasri_0-1640847602869.png

 

Avatar

Level 3

Hey team, there's a typo in this doc Adobe Experience Manager Help | Content Disposition Filter - it says PFD instead of PDF - please have this updated.

So, from 6.4 all assets including PDF gets downloaded, unless otherwise the filter is disabled or exceptions are added.

Avatar

Level 3

KrishnaGunturu​ you will have to remove 'image/svg+xml' entry from DAM Safe Binary filter in Felix Console.

Avatar

Level 4

Hi here, i'm using this configuration

Screen Shot 2019-08-27 at 14.05.25.png

and it seems to work, i mean, I've deactivated the filter for all paths, but I have added a rule to validate everything in content except pdfs

what do you think? should i add more paths on Included Resource Paths, as for example, /etc, /libs, /apps etc