SOLVED

Force application/json content-type

thomasf35641124
Level 1

Hello,

 

We have an apple-app-site-association file located in /.well-known/apple-app-site-association which is being downloaded when requested thru a browser.  We would like the file to be displayed as json output instead.  Examining the headers shows the following:

 

Content-Disposition: attachment; filename="apple-app-site-association"

Content-Type: application/octet-stream

 

I assume that the Content-Type needs to be application/json or something other than octet-stream to prevent the file from downloading.  Is it possible to configure this somehow?  I have already tried setting a format in CRX as well as adding an exclusion to the Content Disposition Filter with no success.  Any help would be appreciated.

 

Thank you

1 Accepted Solution
sunjot16
Correct answer by
Employee

What's the extension of your apple-app-site-association file?

 

I created a sample json file, uploaded it under Assets in AEM. I tried to render it, but it was getting downloaded.

 

So, I unchecked Enable For All Resource Paths in /system/console/org.apache.sling.security.impl.ContentDispositionFilter and saved it.

Then, I tried to render the same file, and now, it got rendered correctly.

I tried that in Incognito Window in Mozilla Firefox, with Disable Cache checkbox checked under Developer Tools' Network tab.

Octet Stream is blacklisted in DAM Safe Binary Filter (/system/console/com.day.cq.dam.core.impl.servlet.DamContentDispositionFilter).

Try removing it from there, save it, and verify whether you are able to render the octet-stream file in the browser. However, it was blacklisted due to security reasons [1]. You can either remove this from the DAM Safe Binary Filter, or change your file extension to .json (and a valid JSON), whichever works for you.

 

Hope it works. 😊

 

[1] Content disposition filter is a security feature against XSS attacks on SVG files. https://helpx.adobe.com/experience-manager/6-4/sites/administering/using/content-disposition-filter....

4 Replies
thomasf35641124
Level 1

Thank you so much for the reply!  The file does not have an extension. The file does render correctly when I completely disable the filter. Do you happen to know how to configure the filter for one specific path? I have tried numerous different configurations with exclude and include and the only thing that seems to work is unchecking the box to completely disable.

sunjot16
Employee
@thomasf35641124 You will have to keep Enable For All Resource Paths unchecked and then you can specify some paths in Included Resource Path and Content Types on which you would like to not apply this filter. The following doc may be helpful: https://docs.adobe.com/content/help/en/experience-manager-64/administering/security/content-disposit... 🙂
Andrew_Khoury
Employee
Depending on the AEM version, you might also be hitting a product issue where response headers are reset on serving of asset files. To address that, you can apply the latest service pack - test locally to confirm.
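
A regression check for the change discussed in this thread, as an added example that is not part of any poster's reply or of Adobe's code: it audits response headers so that the one path meant to render inline does, while SVG and HTML assets still carry `Content-Disposition: attachment`. The asset path, the header sets for the "filter off" and "scoped" states, and the function names are constructed for illustration.

```python
from email.message import Message

# Media types a browser treats as active content when rendered inline.
ACTIVE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml"}

def parse(headers):
    """Return (media_type, disposition) from a dict of response headers."""
    msg = Message()
    for name, value in headers.items():
        msg[name] = value
    ctype = msg.get_content_type() if "Content-Type" in msg else None
    return ctype, msg.get_content_disposition()  # 'attachment', 'inline' or None

def audit(responses, inline_allowed):
    """responses: {path: headers}. inline_allowed: {path: expected media type}."""
    findings = []
    for path, headers in responses.items():
        ctype, disposition = parse(headers)
        downloads = disposition == "attachment"
        if path in inline_allowed:
            if downloads:
                findings.append((path, "still forced to download"))
            elif ctype != inline_allowed[path]:
                findings.append((path, f"inline but served as {ctype}"))
        elif not downloads and ctype in ACTIVE_TYPES:
            findings.append((path, f"{ctype} rendered inline"))
    return findings

AASA = "/.well-known/apple-app-site-association"
SVG = "/content/dam/example/logo.svg"  # hypothetical asset path
ALLOWED = {AASA: "application/json"}
ATTACH = {"Content-Disposition": "attachment"}

# Constructed header sets for three filter states (not captured from a server).
ORIGINAL = {
    AASA: {"Content-Type": "application/octet-stream",
           "Content-Disposition": 'attachment; filename="apple-app-site-association"'},
    SVG: {"Content-Type": "image/svg+xml", **ATTACH},
}
FILTER_OFF = {AASA: {"Content-Type": "application/json"},
              SVG: {"Content-Type": "image/svg+xml"}}
SCOPED = {AASA: {"Content-Type": "application/json"},
          SVG: {"Content-Type": "image/svg+xml", **ATTACH}}

if __name__ == "__main__":
    for label, state in [("original", ORIGINAL), ("filter off", FILTER_OFF), ("scoped", SCOPED)]:
        print(label, audit(state, ALLOWED))
```

In practice the header dictionaries would come from real responses collected for the association file and a sample of DAM assets after each configuration change.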