Expand my Community achievements bar.

SOLVED

Issues that might arise due to having content disposition: inline on images

Avatar

Level 2
Level 2
2/17/21 8:42:07 PM

I am trying to display images (png, jpeg, gif, svg) directly on browser instead of letting the users downloading it. I've read from so many places that having content disposition header as inline might cause some security issues, and it is better to have it as attachment. Can anyone provide me a scenario where this might be a problem?

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

6.5

Views

1.0K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 4
Level 4
2/17/21 10:10:01 PM

Hi @aemAmateur ,

 

yes, the OSGi config "org.apache.sling.security.impl.ContentDispositionFilter" provides the way to disable it but it could lead to security issues and that's why it is enabled by default in the product.

 

Here are a few security issues can cause: 

 

1. SVG images are vulnerable to XSS  attacks

https://research.securitum.com/do-you-allow-to-load-svg-files-you-have-xss/

 

2. if a user with access (or attacker) was to upload an HTML or JS file into the DAM which could execute first party in the domain, they could circumvent JS browser protections like ORIGIN headers.

 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/apache-sling-content-dispo...

 

3. Also, check XSS Attack 4: Capture the keystrokes by injecting a keylogger

https://pentest-tools.com/blog/xss-attacks-practical-scenarios/

 

So, explore all the options in the above OSGI config like "Content Disposition Paths" & "Excluded Resource Paths" before disabling it for all files.

 

Hope it will help you.

 

Thanks

View solution in original post

Views

1.0K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Correct answer by
Level 4
Level 4
2/17/21 10:10:01 PM

Hi @aemAmateur ,

 

yes, the OSGi config "org.apache.sling.security.impl.ContentDispositionFilter" provides the way to disable it but it could lead to security issues and that's why it is enabled by default in the product.

 

Here are a few security issues can cause: 

 

1. SVG images are vulnerable to XSS  attacks

https://research.securitum.com/do-you-allow-to-load-svg-files-you-have-xss/

 

2. if a user with access (or attacker) was to upload an HTML or JS file into the DAM which could execute first party in the domain, they could circumvent JS browser protections like ORIGIN headers.

 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/apache-sling-content-dispo...

 

3. Also, check XSS Attack 4: Capture the keystrokes by injecting a keylogger

https://pentest-tools.com/blog/xss-attacks-practical-scenarios/

 

So, explore all the options in the above OSGI config like "Content Disposition Paths" & "Excluded Resource Paths" before disabling it for all files.

 

Hope it will help you.

 

Thanks

Views

1.0K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 2
Level 2
2/18/21 10:47:41 PM
In response to Sanket_Kumbharkhane
Sanket, thanks for the reply. I specifically want to display some pictures that are stored under 'content/dam/*: images/png'. can i add a 'Content-Security-Policy': 'script-src none' header to those urls to stop script execution?

Views

983

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Passing parameters to Sling Model methods Solved

Views

131

Likes

0

Replies

2
Issue with OSGi Bundle in Installed State After Adding Apache PDFBox to bnd-baseline-maven-plugin

Views

45

Likes

0

Replies

2
Need to show featured image alone in list component

Views

28

Likes

0

Replies

1
Content quality checks

Views

89

Likes

0

Replies

6
The dynamic table previews correctly in HTML, but when converted to PDF, the page is cut off.

Views

109

Likes

0

Replies

4