Apache Sling Content Disposition Filter

aemanonymous
Level 2

30-01-2017

In AEM 6.2, we have the following configuration: Apache Sling Content Disposition Filter (org.apache.sling.security.impl.ContentDispositionFilter). Are there any side effects of unchecking the option "Enable Content Disposition for all paths"?

I have unchecked it to prevent DAM assets like PDFs from being downloaded automatically. Is it possible to restrict this only for PDF files, irrespective of paths?

Accepted Solutions (1)

smacdonald2008
Level 10

31-01-2017

Response from team:

The filter does not allow for mime-type specific configuration. The purpose of the filter is to instruct a client that the file is a download rather than something to render, as a security feature. As an example, if a user with access (or an attacker) were to upload an HTML or JS file into the DAM, which could execute first party in the domain, they could circumvent JS browser protections like ORIGIN headers. So AEM inserts a Content-Disposition header to tell the browser it's a download rather than to render the files, thus increasing security.

It can be disabled if the customer truly wants to have static files rendered from the repository for HTML etc. I have one customer that required this for their use cases where HTML is rendered by another system for technical documentation.

It is a security feature though, so disabling it should be documented and intentional.

However, I do think the filter applies for text/* mimetypes and PDFs should be rendered as expected in the browser, so I would encourage more testing for the person posting this.

Answers (6)

suhass86991778
Level 2

05-08-2019

KrishnaGunturu, you will have to remove the 'image/svg+xml' entry from the DAM Safe Binary filter in the Felix Console.

victor_toledo_3
Level 2

27-08-2019

Hi here, I'm using this configuration

(screenshot: Screen Shot 2019-08-27 at 14.05.25.png)

and it seems to work. I mean, I've deactivated the filter for all paths, but I have added a rule to validate everything in content except PDFs.

What do you think? Should I add more paths to Included Resource Paths, for example /etc, /libs, /apps, etc.?
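The accepted answer explains what the filter is for (forcing uploaded HTML/JS to be treated as a download instead of rendering first-party in the AEM origin), and the configuration above relies on the interplay between the "all paths" switch, the included resource paths with a per-path PDF exemption, and any excluded paths. The following is an added example, not code from this thread or from the Sling project: a small Python model of how those three settings are expected to combine, run over a few constructed requests, plus a header check to verify the outcome against a real instance after the configuration has been changed. The `path:mime,mime` entry syntax for per-path mime exemptions and the names `DispositionConfig`, `disposition_for` and `served_as_download` are assumptions of this example, not the filter's own API.

```python
"""Decision model for a Content-Disposition filter with the three knobs
discussed in the thread: the "all paths" switch, included resource paths
(optionally exempting mime types per path) and excluded paths.

Constructed example: this is not the Sling ContentDispositionFilter
source, only a model of how those settings are expected to combine.
The 'path:mime,mime' entry syntax for per-path mime exemptions is an
assumption about the configuration format."""

from dataclasses import dataclass, field

ATTACHMENT = "attachment"


@dataclass(frozen=True)
class DispositionConfig:
    all_paths: bool = False                       # "Enable Content Disposition for all paths"
    included: dict = field(default_factory=dict)  # path prefix -> set of exempted mime types
    excluded: tuple = ()                          # path prefixes that never get the header


def parse_included(entries):
    """Turn entries like '/content' or '/content:application/pdf,image/jpeg'
    into {prefix: {exempted mime types}} (assumed syntax, see module doc)."""
    out = {}
    for entry in entries:
        prefix, _, mimes = entry.partition(":")
        out[prefix] = {m.strip().lower() for m in mimes.split(",") if m.strip()}
    return out


def _under(path, prefix):
    """True when path equals prefix or lies beneath it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def disposition_for(cfg, path, content_type):
    """Return 'attachment' when the filter should add the header, else None
    (the browser then decides on its own whether to render inline)."""
    if any(_under(path, p) for p in cfg.excluded):
        return None
    mime = content_type.split(";", 1)[0].strip().lower()  # drop charset etc.
    if cfg.all_paths:
        return ATTACHMENT
    for prefix, exempt in cfg.included.items():
        if _under(path, prefix):
            return None if mime in exempt else ATTACHMENT
    return None


def served_as_download(headers):
    """Post-change check on captured response headers (e.g. from `curl -I`):
    does the response carry Content-Disposition: attachment? Header names
    are matched case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "content-disposition":
            return value.split(";", 1)[0].strip().lower() == ATTACHMENT
    return False


# Three configurations from the thread (constructed sample values).
DEFAULT = DispositionConfig(all_paths=True)   # switch checked: every asset downloads
ALL_OFF = DispositionConfig(all_paths=False)  # switch unchecked and nothing else added
SELECTIVE = DispositionConfig(                # victor_toledo_3's approach: /content except PDFs
    all_paths=False,
    included=parse_included(["/content:application/pdf"]),
)


def scenarios():
    """Walk constructed sample requests through each configuration."""
    requests = [
        ("/content/dam/brochure.pdf", "application/pdf"),
        ("/content/dam/uploaded.html", "text/html; charset=utf-8"),
        ("/content/dam/logo.svg", "image/svg+xml"),
        ("/apps/site/page.html", "text/html"),
    ]
    return {
        name: {path: disposition_for(cfg, path, ctype) for path, ctype in requests}
        for name, cfg in (("default", DEFAULT), ("all_off", ALL_OFF), ("selective", SELECTIVE))
    }


if __name__ == "__main__":
    for name, results in scenarios().items():
        print(name)
        for path, decision in results.items():
            print(f"  {path:32} -> {decision or 'no header (browser decides)'}")
```

Under this model the "all_off" configuration is the risky one: with the switch unchecked and no included paths, an uploaded `text/html` asset under /content/dam gets no header at all and renders in the AEM origin. The "selective" configuration keeps PDFs inline while still marking HTML and SVG under /content as downloads, but anything outside the included prefixes (here /apps) is again left without the header, which is exactly why the question about adding /etc, /libs and /apps matters.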

suhass86991778
Level 2

05-08-2019

Hey team, there's a typo in this doc (Adobe Experience Manager Help | Content Disposition Filter): it says PFD instead of PDF. Please have this updated.

So, from 6.4 all assets including PDFs get downloaded unless the filter is disabled or exceptions are added.

KrishnaGunturu
Level 1

24-12-2018

I disabled the Content Disposition filter for all paths. It worked fine for all the images other than .svg images; they are still getting downloaded. Any thoughts on it?

aemanonymous
Level 2

31-01-2017

Thanks Scott.

For requests via Apache, this is happening correctly for PDF files. The problem happens only when the AEM instance is invoked directly.

Paul

smacdonald2008
Level 10

31-01-2017

I will check internally for this question... There are no docs, so it is hard to really know.

You can also post to the Sling board too: http://apache-sling.73963.n3.nabble.com/Sling-Dev-f73966.html