Apache Sling Content Disposition Filter | Community
January 31, 2017
Solved

Apache Sling Content Disposition Filter

  • January 31, 2017
  • 7 replies
  • 14420 views

In AEM 6.2, we have the following configuration: Apache Sling Content Disposition Filter (org.apache.sling.security.impl.ContentDispositionFilter). Are there any side effects of unchecking the option "Enable Content Disposition for all paths"?

I have unchecked it to prevent DAM assets like PDFs from being downloaded automatically. Is it possible to restrict this only for PDF files, irrespective of paths?


7 replies

smacdonald2008
February 1, 2017

I will check internally for this question... There are no docs so hard to really know. 

You can also post to the Sling board too: http://apache-sling.73963.n3.nabble.com/Sling-Dev-f73966.html

smacdonald2008 (Accepted solution)
February 1, 2017

Response from team:

The filter does not allow for mime-type specific configuration. The purpose of the filter is to instruct a client that the file is a download rather than something to render, as a security feature. As an example, if a user with access (or an attacker) were to upload an HTML or JS file into the DAM, which could execute first-party in the domain, they could circumvent JS browser protections like ORIGIN headers. So AEM inserts a content disposition header to tell the browser it's a download rather than to render the files, thus increasing security.

It can be disabled if the customer truly wants to have static files rendered from the repository for HTML etc. I have one customer that required this for their use cases, where HTML is rendered by another system for technical documentation.

It is a security feature though, so disabling it should be documented and intentional.

However, I do think the filter applies for text/* mimetypes, and PDFs should be rendered as expected in the browser, so I would encourage more testing for the person posting this.
February 1, 2017

Thanks Scott.

For requests via Apache, this is happening correctly for PDF files. The problem happens only while being invoked directly from the AEM instance.

Paul
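As an added check (not code from this thread, from Apache Sling or from AEM), the script below decides for each captured response head whether an asset was served with the download header the accepted answer describes, so that heads taken directly from AEM can be compared with heads taken through Apache as Paul's follow-up suggests. The table of media types that must be attachments is an assumed policy, and the sample response heads and paths are constructed.

```python
# Assumed policy for this check (not a Sling/AEM setting): active content that a
# browser would execute in the site's origin must be delivered as a download;
# PDFs, which the poster wants viewable, may be served inline.
MUST_BE_ATTACHMENT = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/javascript", "application/javascript", "application/xml", "text/xml",
}
MAY_BE_INLINE = {"application/pdf"}


def parse_headers(raw: str) -> dict:
    """Turn a `curl -I`-style response head into a lower-cased header dict."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def verdict(headers: dict) -> str:
    """'missing': active content served inline; 'unexpected': PDF forced to download."""
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    disposition = headers.get("content-disposition", "").split(";", 1)[0].strip().lower()
    attachment = disposition == "attachment"
    if media_type in MUST_BE_ATTACHMENT and not attachment:
        return "missing"
    if media_type in MAY_BE_INLINE and attachment:
        return "unexpected"
    return "ok"


def audit(responses: dict) -> dict:
    """Map each asset path to its verdict; `responses` maps path -> raw response head."""
    return {path: verdict(parse_headers(raw)) for path, raw in responses.items()}


# Constructed sample response heads (not captured from a real AEM instance).
SAMPLE = {
    "/content/dam/docs/guide.pdf":
        "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
        "Content-Disposition: attachment; filename=\"guide.pdf\"\r\n",
    "/content/dam/logos/brand.svg":
        "HTTP/1.1 200 OK\r\nContent-Type: image/svg+xml\r\n",
    "/content/dam/upload/page.html":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=utf-8\r\n"
        "Content-Disposition: attachment\r\n",
    "/content/dam/photos/hero.jpg":
        "HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n",
}
```

Feed `audit` two dicts built from heads captured via the two routes and diff the verdicts; a `missing` on the direct-AEM route for an SVG or HTML asset is the gap to close.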

December 25, 2018

I disabled the Content Disposition filter for all paths. It worked fine for all the images other than .svg images. They are still getting downloaded. Any thoughts on it?

December 30, 2021

Hi @krishnagunturu

I am also facing the same issue with videos, all formats of images and PDFs. Could you please tell me how you resolved this issue? Please share the configuration settings screenshots.

I have unchecked "Enable For All Resource Paths" but no use. Please help me with this issue.

August 5, 2019

Hey team, there's a typo in this doc, Adobe Experience Manager Help | Content Disposition Filter: it says PFD instead of PDF. Please have this updated.

So, from 6.4 all assets including PDFs get downloaded, unless the filter is disabled or exceptions are added.

August 5, 2019

KrishnaGunturu, you will have to remove the 'image/svg+xml' entry from the DAM Safe Binary filter in the Felix Console.

VictorToledo_
August 27, 2019

Hi here, I'm using this configuration

and it seems to work. I mean, I've deactivated the filter for all paths, but I have added a rule to validate everything in content except PDFs.

What do you think? Should I add more paths on Included Resource Paths, as for example /etc, /libs, /apps, etc.?