Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

Force application/json content-type

Avatar

Level 1

Hello,

 

We have an apple-app-site-association file located in /.well-known/apple-app-site-association which is being downloaded when requested thru a browser.  We would like the file to be displayed as json output instead.  Examining the headers shows the following:

 

Content-Disposition: attachment; filename="apple-app-site-association"

Content-Type: application/octet-stream

 

I assume that the Content-Type needs to be application/json or something other than octed-stream to prevent the file from downloading.  Is it possible to configure this somehow?  I have already tried setting a format in CRX as well as adding an exclusion to the Content Disposition Filter with no success.  Any help would be appreciated.

 

Thank you

1 Accepted Solution

Avatar

Correct answer by
Employee

What's the extension of your apple-app-site-association file?

 

I created a sample json file, uploaded it under Assets in AEM. I tried to render it, but it was getting downloaded.

 

So, I unchecked Enable For All Resource Paths in /system/console/org.apache.sling.security.impl.ContentDispositionFilter and saved it.

ContentDispositionFilter.JPG

 

Then, I tried to render the same file, and now, it got rendered correctly.

JSONDisplayedInBrowser.JPG

 

I tried that in Incognito Window in Mozilla Firefox, with Disable Cache checkbox checked under Developer Tools' Network tab.

DisableCache_NetworkTab.JPG

 

 

Octect Stream is blacklisted in DAM Safe Binary Filter(/system/console/com.day.cq.dam.core.impl.servlet.DamContentDispositionFilter).

OctetStream.JPG

 

Try removing it from there, save it, and verify whether you are able to render the octet-stream file in the browser. However, it was blacklisted due to security reasons[1]. You can either remove this from the DAM Safe Binary Filter, or change your file extension to .json(and a valid json), whichever works for you.

 

Hope it works. 

 

[1] Content disposition filter is a security feature against XSS attacks on SVG files. https://helpx.adobe.com/experience-manager/6-4/sites/administering/using/content-disposition-filter....

 

View solution in original post

5 Replies

Avatar

Correct answer by
Employee

What's the extension of your apple-app-site-association file?

 

I created a sample json file, uploaded it under Assets in AEM. I tried to render it, but it was getting downloaded.

 

So, I unchecked Enable For All Resource Paths in /system/console/org.apache.sling.security.impl.ContentDispositionFilter and saved it.

ContentDispositionFilter.JPG

 

Then, I tried to render the same file, and now, it got rendered correctly.

JSONDisplayedInBrowser.JPG

 

I tried that in Incognito Window in Mozilla Firefox, with Disable Cache checkbox checked under Developer Tools' Network tab.

DisableCache_NetworkTab.JPG

 

 

Octect Stream is blacklisted in DAM Safe Binary Filter(/system/console/com.day.cq.dam.core.impl.servlet.DamContentDispositionFilter).

OctetStream.JPG

 

Try removing it from there, save it, and verify whether you are able to render the octet-stream file in the browser. However, it was blacklisted due to security reasons[1]. You can either remove this from the DAM Safe Binary Filter, or change your file extension to .json(and a valid json), whichever works for you.

 

Hope it works. 

 

[1] Content disposition filter is a security feature against XSS attacks on SVG files. https://helpx.adobe.com/experience-manager/6-4/sites/administering/using/content-disposition-filter....

 

Avatar

Level 1

Thank you so much for the reply!  The file does not have an extension. The file does render correctly when I completely disable the filter. Do you happen to know how to configure the filter for one specific path? I have tried numerous different configurations with exclude and include and the only thing that seems to work is unchecking the box to completely disable.

Avatar

Employee
@thomasf35641124 You will have to keep Enable For All Resource Paths unchecked and then you can specify some paths in Included Resource Path and Content Types on which you would like to not apply this filter. The following doc may be helpful: https://docs.adobe.com/content/help/en/experience-manager-64/administering/security/content-disposit...

Avatar

Employee
Depending on the AEM version, you might also be hitting a product issue where response headers are reset on serving of asset files. To address that, you can apply the latest service pack - test locally to confirm.

Avatar

Community Advisor

Hi @thomasf35641124 ,

 

We have a similar requirement. We are on first stage of it.

We have a apple-app-site-association file and need to place in AEM Server which is accessible at https://<fully qualified domain>/.well-known/apple-app-site-association.

Do you know where we can place this file in AEM?