According to the developer guide from Mozilla: "In a regular HTTP response, the Content-Disposition response header is a header indicating if the content is expected to be displayed inline in the browser, that is, as a Web page or as part of a Web page, or as an attachment, that is downloaded and saved locally."
In AEM, the Content-Disposition filter is a hardening feature against stored XSS through uploaded files such as SVG: an SVG can carry script, so serving it inline from the site's own origin lets that script run as the site. The filter makes the browser download such files instead of rendering them.
Values for the Content-Disposition header
inline (the default: the content may be displayed inside the Web page, or as the Web page)
attachment (the content should be downloaded and saved locally)
How does AEM support Content-Disposition?
A common complaint on AEM websites is that a PDF or an image that is supposed to be downloaded opens in a new tab instead (usually when requested through the dispatcher URL).
In AEM the filter is configured in the OSGi console under the PID 'org.apache.sling.security.impl.ContentDispositionFilter' (the Apache Sling Content Disposition Filter).
The Content-Disposition filter can be configured in several ways:
Content-Disposition Paths
This option configures the list of paths on which the filter is applied. Each path may be followed by a colon and a comma-separated list of MIME types to exclude on that path; resources of an excluded type keep being served inline.
Some examples given below:
/content/*:image/png - Applies the filter to every resource under /content except PNG images.
/*:image/png,image/svg+xml - Applies the filter to every resource in the repository except PNG and SVG images.
/content/*:audio/mpeg - Applies the filter under /content except for MPEG audio.
/content/*:application/pdf - Applies the filter under /content except for PDF files. Note the direction: a MIME type listed after the colon is exempted from the filter, so to force PDFs to download instead of opening in another tab, do not list application/pdf as an exclusion.
/content/dam/project/doc/*:image/png,image/svg+xml,image/jpeg,image/jpg - Applies the filter under /content/dam/project/doc/ except for PNG, SVG and JPEG images.
Each path must be an absolute path and may end with a wildcard ('*') to match every resource path with the given prefix. A wildcard anywhere else is not supported.
Excluded Resource Paths
A set of resource paths on which the filter is never applied. Each path must be given as an absolute, fully qualified path; prefix matching and wildcards are not supported here.
Enable For All Resource Paths
This feature flag enables the filter for all resource paths, except for the paths listed under Excluded Resource Paths.
When set to true, the Content-Disposition Paths list (including its MIME-type exclusions) is ignored, and the header is added for every resource that carries a 'jcr:data' property or a 'jcr:content/jcr:data' property.
Further details on the Content-Disposition filter can be found in the URL.
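To see how the three settings above (Content-Disposition Paths, Excluded Resource Paths, Enable For All Resource Paths) combine for a given request, here is an added example that models the filter's decision offline. It is not code from this page or from the Apache Sling project; the property keys in the comments are the ones the OSGi PID exposes, while the evaluation order (exact exclusions first, then the all-paths flag, then the first matching path entry) and the MIME normalisation are my reading of the documented behaviour and should be treated as assumptions. The sample paths and content types are constructed.

```python
"""Model of the Sling ContentDispositionFilter configuration (added example,
not the project's own code). Evaluation order is an assumption."""
from dataclasses import dataclass, field


@dataclass
class ContentDispositionConfig:
    # sling.content.disposition.paths: "/abs/path[*][:mime,mime,...]"
    paths: list = field(default_factory=list)
    # sling.content.disposition.excluded.paths: exact absolute paths only
    excluded_paths: list = field(default_factory=list)
    # sling.content.disposition.all.paths: ignore `paths`, cover everything
    all_paths: bool = False


def parse_path_entry(entry: str):
    """'/content/*:image/png,image/svg+xml' ->
    ('/content/', True, {'image/png', 'image/svg+xml'})

    Rejects relative paths and wildcards that are not at the very end,
    matching the constraints the configuration documents."""
    path, _, mimes = entry.partition(":")
    if not path.startswith("/"):
        raise ValueError(f"path must be absolute: {entry!r}")
    if "*" in path[:-1]:
        raise ValueError(f"wildcard only allowed at the end: {entry!r}")
    excluded = {m.strip().lower() for m in mimes.split(",") if m.strip()}
    if path.endswith("*"):
        return path[:-1], True, excluded   # prefix match
    return path, False, excluded           # exact match


def normalise_mime(content_type: str) -> str:
    """Drop parameters such as '; charset=utf-8' before comparing."""
    return content_type.split(";", 1)[0].strip().lower()


def should_attach(cfg: ContentDispositionConfig, resource_path: str,
                  content_type: str, has_binary: bool) -> bool:
    """True if the filter would add 'Content-Disposition: attachment'."""
    # The filter only acts on resources that carry jcr:data or
    # jcr:content/jcr:data; page nodes without binary content are untouched.
    if not has_binary:
        return False
    # Excluded Resource Paths win over everything (exact match, no wildcard).
    if resource_path in cfg.excluded_paths:
        return False
    # Enable For All Resource Paths: the paths list and its MIME
    # exclusions are ignored entirely.
    if cfg.all_paths:
        return True
    mime = normalise_mime(content_type)
    for entry in cfg.paths:
        prefix, wildcard, excluded_mimes = parse_path_entry(entry)
        matched = resource_path.startswith(prefix) if wildcard \
            else resource_path == prefix
        if matched:
            # First matching entry decides (assumption about ordering).
            return mime not in excluded_mimes
    return False


def audit(cfg: ContentDispositionConfig, samples):
    """Return {path: decision} for a list of (path, content_type, has_binary)."""
    return {p: should_attach(cfg, p, ct, b) for p, ct, b in samples}


if __name__ == "__main__":
    # Constructed sample configuration and requests.
    cfg = ContentDispositionConfig(
        paths=["/content/*:image/png,image/svg+xml"],
        excluded_paths=["/content/dam/public/brochure.pdf"],
    )
    samples = [
        ("/content/dam/upload.html", "text/html; charset=utf-8", True),
        ("/content/dam/upload.svg", "image/svg+xml", True),
        ("/content/dam/public/brochure.pdf", "application/pdf", True),
        ("/etc/designs/site/guide.pdf", "application/pdf", True),
        ("/content/site/en", "text/html", False),
    ]
    for path, attach in audit(cfg, samples).items():
        print(f"{'attachment' if attach else 'inline    '}  {path}")
```

Note what the sample configuration does: the uploaded HTML file is forced to download, but the uploaded SVG is served inline because image/svg+xml is listed as an exclusion. That is exactly the case the filter exists to prevent, so exclude image/svg+xml only for paths where uploads are controlled, or turn on Enable For All Resource Paths and whitelist individual trusted assets through Excluded Resource Paths instead.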