Recently we had our security tests on the platform, where one finding raised as critical was the request sent to /content/dam/.permissions.json?privileges=jcr%3AmodifyAccessControl, under cross-site scripting: tampering with the request to execute a script.
Now the question: will there be any impact on author if I block .permissions.json/* requests in dispatcher? Does it affect any functionalities?
When you click on the "Create Folder" button in the Touch UI Assets browser, you won't see the checkbox option that says "private". It simply won't be there, because AEM could not retrieve the request's value, and due to this it won't be shown.
Please note, I have used AEM 6.4 SP2 to get this info.