Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn More

View all

Sign in to view all badges

Hosting Static HTML in the JCR

Avatar

Avatar
Validate 1
Level 2
SmashTheGoat
Level 2

Likes

9 likes

Total Posts

4 posts

Correct Reply

1 solution
Top badges earned
Validate 1
Boost 5
Boost 3
Boost 1
Affirm 1
View profile

Avatar
Validate 1
Level 2
SmashTheGoat
Level 2

Likes

9 likes

Total Posts

4 posts

Correct Reply

1 solution
Top badges earned
Validate 1
Boost 5
Boost 3
Boost 1
Affirm 1
View profile
SmashTheGoat
Level 2

23-08-2016

Hi, 

I've got a use case where I need to store and serve static html, js, css, images, flash videos, and etc from the JCR. 

The only suggestions I could find on how to do this come from this article. http://blogs.adobe.com/dekesmith/2012/05/22/place-simple-html-and-image-files-online-with-crx-and-cq...

I've tried all methods of uploading my static content as described in the article and have been able to consistently upload my static content to the JCR. However, the problem that I'm facing is actually trying to render the content. 

In AEM 6.2, when I attempt to hit the static content, such as: /content/some-site/some-static-page.html, it is treated like a binary download. It does the same for all the other filetypes that I've uploaded. Instead of trying to render them, it simply downloads them to my computer.

I noticed that the article was written in 2012, so I tried this on an older version of AEM, specifically 5.6.1, and I was successfully able to render the content within the browser.

I think it has something to do with the one of the rendering servlets, but I'm not sure. Any help is greatly appreciated. 

View Entire Topic

Avatar

Avatar
Boost 5
Employee
vmehrotr
Employee

Likes

19 likes

Total Posts

43 posts

Correct Reply

5 solutions
Top badges earned
Boost 5
Boost 3
Boost 10
Boost 1
Applaud 5
View profile

Avatar
Boost 5
Employee
vmehrotr
Employee

Likes

19 likes

Total Posts

43 posts

Correct Reply

5 solutions
Top badges earned
Boost 5
Boost 3
Boost 10
Boost 1
Applaud 5
View profile
vmehrotr
Employee

29-09-2016

Root cause:-

This is an intended change made by engineering in AEM 6.2. Even for 6.1, we released a hotfix for it NPR-9381. 

GRANITE-9550 - Extend content disposition filter protection to author

NPR-9381 - HF for GRANITE-9550 - Extend content disposition filter protection to author

This was introduced as part of Sling Security Fix 

https://issues.apache.org/jira/browse/SLING-4883 - Extend content disposition filter protection to jcr:data

https://issues.apache.org/jira/browse/SLING-4973 - Add Content Disposition Excluded Paths

Other customers reported this as a security issue. 

1) They identified that malicius files can potentially be uploaded by using the functionality

2) Access the uploaded file via above URL, verify that the file gets executed

Therefore, engineering fixed the issue and implemented this change and now by default the file instead of opening up in the browser gets download instead.

This is coming through OSGI configuration - 

http://host:port/system/console/configMgr/org.apache.sling.security.impl.ContentDispositionFilter

The checked box - Enable Content Disposition for all paths is causing this change in behavior which is intended.

To revert to old behavior:

If you are OK to bear this security issue, you can uncheck the checkbox and the file would directly open in the browser instead of getting downloaded. Thereby, meeting your requirements.