March 29, 2020

AEM : PDF is getting Downloaded Instead of opening in new Tab

While working on an AEM website, I ran into an issue where clicking any PDF link downloaded the PDF instead of opening it in a new tab.

Client Expectation:
This client wanted information presented to users upfront.
It is annoying when a user clicks a PDF link, the file is downloaded, and the user then has to go to the downloads folder to open it.

But how does the browser decide whether to download the file or open it in a new tab?

Basically, this happens because the website tells the browser to do it. Sometimes the site developer deliberately wants this behaviour, as is common on file-sharing sites. Other times it is the default of whatever software the site runs on.
Sometimes the site developer simply does not know the header is being sent.

Content-Disposition:
Usually it is because the site sends a Content-Disposition header in the response. The header carries one of two disposition types: inline or attachment.

inline: the default when no Content-Disposition header is sent at all. The browser opens the file within the browser window if it has a handler for the content type (for example the built-in viewer for application/pdf); otherwise it still has to download it.

attachment: always download the file, never attempt to open it inside the browser. An optional filename parameter suggests the name to save it under.

Fig 1: Content-Disposition attachment in response headers
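The decision described above, modelled in code. This is an added example, not code from the original post: it parses a Content-Disposition value the way RFC 6266 specifies (disposition type plus parameters, including the RFC 5987 filename* form) and reports whether the browser opens the response in the tab or saves it. The SAMPLE_RESPONSES are constructed for illustration.

```python
"""Model of how a browser reads Content-Disposition to decide between rendering
a response in the tab and saving it to disk.

Added example, not code from the original post. The header parsing follows
RFC 6266 (disposition type plus parameters, with RFC 5987 filename*); the
SAMPLE_RESPONSES below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# RFC 7230 "token" characters: used for the disposition type and parameter names.
_TOKEN_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
# One ";name=value" parameter whose value is a quoted-string or a bare token.
_PARAM_RE = re.compile(
    r"\s*;\s*(?P<name>[!#$%&'*+.^_`|~0-9A-Za-z-]+)\s*=\s*"
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^;\s]*))'
)


def parse_content_disposition(value):
    """Return (disposition_type, params) for a Content-Disposition header value.

    A missing or empty header means inline, which is the browser default.
    The type and parameter names are lower-cased; a filename* parameter is
    decoded from its charset''percent-encoded form into a plain string.
    """
    if value is None or not value.strip():
        return "inline", {}
    value = value.strip()
    head = _TOKEN_RE.match(value)
    if head is None:
        raise ValueError("malformed Content-Disposition value: %r" % value)
    dtype = head.group(0).lower()
    params = {}
    pos = head.end()
    while pos < len(value):
        if value[pos:].strip(" ;") == "":
            break  # tolerate a trailing ';' that some servers emit
        param = _PARAM_RE.match(value, pos)
        if param is None:
            raise ValueError("malformed parameter near %r" % value[pos:])
        pos = param.end()
        if param.group("quoted") is not None:
            raw = re.sub(r"\\(.)", r"\1", param.group("quoted"))  # undo quoted-pair escapes
        else:
            raw = param.group("bare")
        params[param.group("name").lower()] = raw
    if "filename*" in params:
        parts = params["filename*"].split("'", 2)  # charset'language'percent-encoded
        if len(parts) == 3 and parts[0]:
            params["filename*"] = unquote(parts[2], encoding=parts[0])
    return dtype, params


def decide(headers):
    """Return what the browser does with a response: {'action', 'filename'}.

    'open' means the tab renders the body (provided the browser can display
    the Content-Type, e.g. application/pdf with the built-in viewer); 'download'
    means it is saved to disk. RFC 6266 says to treat any type other than
    inline (unknown ones included) like attachment, so only inline opens.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    dtype, params = parse_content_disposition(lookup.get("content-disposition"))
    filename = params.get("filename*") or params.get("filename")
    return {"action": "open" if dtype == "inline" else "download", "filename": filename}


# Constructed sample responses, one per situation described in the post.
SAMPLE_RESPONSES = {
    "pdf_attachment": {"Content-Type": "application/pdf",
                       "Content-Disposition": 'attachment; filename="brochure.pdf"'},
    "pdf_inline": {"Content-Type": "application/pdf",
                   "Content-Disposition": "inline"},
    "pdf_no_header": {"Content-Type": "application/pdf"},
    "pdf_rfc5987": {"Content-Type": "application/pdf",
                    "Content-Disposition": "attachment; filename=\"fallback.pdf\"; "
                                           "filename*=UTF-8''r%C3%A9sum%C3%A9.pdf"},
}


if __name__ == "__main__":
    for name, response in SAMPLE_RESPONSES.items():
        print(name, decide(response))
```

The practical check on a live site is the same thing by hand: request the PDF URL with curl -I and look for a Content-Disposition line; no header or inline means the browser will try its viewer, attachment means a download regardless of the content type.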

But I had not set Content-Disposition to attachment anywhere in AEM, so where was it coming from, and how could I make it inline?

There is an OSGi configuration in the Felix console named "Apache Sling Content Disposition Filter" which controls the Content-Disposition header for different MIME types based on the resource path.

Fig 2: Apache Sling Content Disposition Filter

Note: the Content Disposition Filter is a security feature. Forcing repository files such as SVG to download stops script embedded in an uploaded SVG from being rendered in the site's own origin, which is a stored XSS vector.

The Content Disposition Filter options provide the following functionality:

Content Disposition Paths: a list of paths where the filter will be applied, each optionally followed by a colon and a list of MIME types to exclude on that path. The path must be an absolute path and may contain a wildcard ('*') at the end, to match every resource path with the given path prefix.

For example: /content/*:image/jpeg,image/svg+xml will apply the filter to every node under /content except JPEG and SVG images.

Excluded Resource Paths: a list of excluded resources, each resource path must be given as absolute and fully qualified path. Prefix matching/wildcards are not supported.

Enable For All Resource Paths: this flag controls whether to enable this filter for all paths, except for the excluded paths defined by Excluded Resource Paths. Setting this to 'true' leads to ignoring Content Disposition Paths. Independent of the configuration, only resources are covered which contain a property named 'jcr:data' or 'jcr:content/jcr:data'.

Solution: As stated in the problem statement, the website has hundreds of PDFs to render, so I could not add every PDF URL to Excluded Resource Paths. Instead I unchecked the "Enable For All Resource Paths" checkbox. With that flag off the filter no longer adds Content-Disposition: attachment to every binary in the repository; the header is simply absent from the response, and the browser treats the absence as inline.

If you still want certain paths to be downloadable, add an entry for them to Content Disposition Paths.

Because the website serves SVG images, and SVG can carry XSS payloads, I added "/content/*:image/svg+xml" to the "Included Resource Paths and Content Types" field. Note that, by the definition of Content Disposition Paths given above, the MIME types after the colon are the types excluded from the filter, so this entry applies the attachment header to everything under /content except SVG, the reverse of what is intended. Confirm what is actually sent by requesting one SVG URL and one PDF URL with curl -I before and after the change.
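The filter's three options, as described in this post, turned into a small decision model so the effect of a configuration can be checked before it is deployed. This is an added example, not Sling's own code: it implements the rules exactly as the option descriptions above state them (prefix match with a trailing '*', MIME types after the colon excluded, exact-match excluded paths, the all-paths flag overriding the path list, and the jcr:data requirement). The dictionary keys are assumed to be the OSGi property names of org.apache.sling.security.impl.ContentDispositionFilter, and the configurations and resources are constructed for illustration.

```python
"""Model of how the Apache Sling Content Disposition Filter decides whether to
add "Content-Disposition: attachment", written from the three option
descriptions quoted in the post: Content Disposition Paths (prefix with a
trailing '*', MIME types after the colon are EXCLUDED), Excluded Resource Paths
(exact match only), Enable For All Resource Paths (ignores the path list) and
the jcr:data requirement.

Added example, not Sling's own code. The dictionary keys are assumed to be the
OSGi property names of org.apache.sling.security.impl.ContentDispositionFilter;
the sample configurations and resources below are constructed for illustration.
"""

PATHS = "sling.content.disposition.paths"
EXCLUDED_PATHS = "sling.content.disposition.excluded.paths"
ALL_PATHS = "sling.content.disposition.all.paths"


def parse_path_rules(entries):
    """Turn 'path[:mime,mime]' entries into (prefix, is_wildcard, excluded_types)."""
    rules = []
    for entry in entries:
        path, _, types = entry.partition(":")
        is_wildcard = path.endswith("*")
        if is_wildcard:
            path = path[:-1]  # '/content/*' matches every path starting with '/content/'
        excluded = {t.strip().lower() for t in types.split(",") if t.strip()}
        rules.append((path, is_wildcard, excluded))
    return rules


def filter_applies(config, resource):
    """True when the filter would set Content-Disposition: attachment on the response.

    resource = {"path": ..., "mime": ..., "has_jcr_data": bool}; has_jcr_data
    stands for the post's condition that the node carries 'jcr:data' or
    'jcr:content/jcr:data'.
    """
    if not resource["has_jcr_data"]:
        return False  # page nodes and other non-binary resources are never touched
    path = resource["path"]
    mime = resource["mime"].lower()
    if path in set(config.get(EXCLUDED_PATHS, [])):
        return False  # exact-match exclusion; no prefix matching here
    if config.get(ALL_PATHS, False):
        return True  # the path list is ignored in this mode
    for prefix, is_wildcard, excluded_types in parse_path_rules(config.get(PATHS, [])):
        matched = path.startswith(prefix) if is_wildcard else path == prefix
        if matched:
            return mime not in excluded_types  # listed types are the ones left alone
    return False


def summarize(config, resources):
    """Map each resource path to 'attachment' or None (no header added)."""
    return {r["path"]: ("attachment" if filter_applies(config, r) else None)
            for r in resources}


# Constructed configurations: the all-paths setting the post started from, the
# post's final setting, and the example quoted from the option help text.
ALL_PATHS_ON = {ALL_PATHS: True, EXCLUDED_PATHS: [], PATHS: []}
POST_FINAL = {ALL_PATHS: False, EXCLUDED_PATHS: [], PATHS: ["/content/*:image/svg+xml"]}
HELP_TEXT_EXAMPLE = {ALL_PATHS: False, EXCLUDED_PATHS: [],
                     PATHS: ["/content/*:image/jpeg,image/svg+xml"]}

# Constructed resources; the first three are binaries, the last is a page node.
PDF = {"path": "/content/dam/site/brochure.pdf", "mime": "application/pdf", "has_jcr_data": True}
SVG = {"path": "/content/dam/site/logo.svg", "mime": "image/svg+xml", "has_jcr_data": True}
JPG = {"path": "/content/dam/site/hero.jpg", "mime": "image/jpeg", "has_jcr_data": True}
PAGE = {"path": "/content/site/en", "mime": "text/html", "has_jcr_data": False}


if __name__ == "__main__":
    for label, cfg in [("all paths on", ALL_PATHS_ON), ("post's final config", POST_FINAL),
                       ("help-text example", HELP_TEXT_EXAMPLE)]:
        print(label, summarize(cfg, [PDF, SVG, JPG, PAGE]))
```

Running it shows the catch in the final entry: the types after the colon are the ones the filter skips, so "/content/*:image/svg+xml" leaves SVG without the header and applies attachment to everything else under /content, PDFs included. Under these rules, keeping the SVG protection while letting PDFs open in the tab means listing the types you want inline after the colon (for example /content/*:application/pdf); images referenced from <img> tags are rendered regardless of the header, since browsers only honour attachment when navigating to the resource, which is exactly the case the SVG protection is for. Whatever values you settle on, confirm them with curl -I against one PDF and one SVG URL.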


By aem4beginner
