Friday, 17 July 2020

Content disposition configuration in AEM

What is Content-Disposition?
According to developer guide from Mozilla : "In a regular HTTP response, the Content-Disposition response header is a header indicating if the content is expected to be displayed inline in the browser, that is, as a Web page or as part of a Web page, or as an attachment, that is downloaded and saved locally.

Content disposition filter is a security feature against XSS attacks on SVG files.



Different values for the Content-Disposition headers
  • inline (This is the default value - indicating it can be displayed inside the Web page, or as the Web page)
  • attachment (which indicates it should be downloaded).
In AEM how the content disposition supports?
Usually people might have complained in AEM websites, the pdf or an image which is supposed to be downloaded are getting open in new tab(usually on dispatcher URL).

In AEM there is a configuration in OSGI console - 'org.apache.sling.security.impl.ContentDispositionFilter'

In AEM we can configure Content Disposition Filter in multiple ways

Content Disposition Paths
This option helps us to configure a list of paths where the content disposition filter will be applied followed by a list of mime-types to exclude on that path.

Some examples given below: 
  • /content/*:image/png This will apply the filter to every node in /content except png/content
  • /*:image/png,image/svg+xml - This will apply the filter to every node in /content except svg images
  • /content/*:audio/mpeg - For the audio of type mpeg
  • /content/*:application/pdf - For pdf files to download instead of opening in other tab
  • /content/dam/project/doc/*:image/png,image/svg+xml,image/jpeg,image/jpg
Ensure the path must be an absolute path and can contain a wildcard ('*') at the end, to match every resource path with the given path prefix.

Excluded Resource Paths
We can exclude a set of paths to be excluded, each resource path must be given as absolute and fully qualified path. In ths case prefix matching/wildcards are not supported.

Enable For All Resource Paths


This feature flag controls enablement of the filter for all paths, except for the excluded paths defined by Excluded Resource Paths.
If we set this to true, we are ignoring all content disposition paths (resource paths which has a property named 'jcr:data' or 'jcr:content jcr:data').


The Content Disposition details can be found in url

No comments:

Post a comment