
Tuesday, October 15, 2019

AEM: PDF is getting Downloaded Instead of opening in a new Tab

Hello Everyone,

While working on an AEM website, I faced an issue in which, when we click on any PDF link,
the PDF gets downloaded instead of opening in a new tab.

Client Expectation:
This particular client wanted to present information to the users upfront.
It is annoying when a user clicks on a PDF and it gets downloaded, and then the user has to go to
Downloads to open the PDF.

But the question is: how does the browser decide whether to download the file or
open it in a new tab?

Basically, this happens because the website tells the browser to do it. Occasionally, it's
because the website developer decided they want this behaviour, which is common on file-sharing sites.
Other times, it's because it's a default option for whatever software they're using.
Sometimes it's because the site dev has no idea what they're doing.

Content-Disposition:

That's usually because the site sends a Content-Disposition header in the response. Specifically, it can send either inline or attachment.

Inline: inline is the default if not otherwise specified, and means the browser will
open the file within the browser window if it is able to.

Attachment: means to always download the file, never attempt to open it
inside the browser.

Fig 1: Content-Disposition attachment in response headers
But I have not set Content-Disposition to attachment anywhere in AEM, so where is it
coming from, and how do I make it inline?

There is an OSGi configuration in the Felix console named "Apache Sling Content
Disposition Filter" which controls the Content-Disposition header for different MIME types based on the path.

Fig 2: Apache Sling Content Disposition Filter

Note: the Content Disposition Filter is a security feature against XSS attacks delivered through SVG files.

The Content Disposition Filter options provide the following functionality:
  • Content Disposition Paths: a list of paths where the filter will be applied, each followed by a list of MIME types to exclude on that path. The path must be an absolute path and may contain a wildcard ('*') at the end to match every resource path with the given prefix. For example, "/content/*:image/jpeg,image/svg+xml" will apply the filter to every node in /content except JPEG and SVG images.
  • Excluded Resource Paths: a list of excluded resources; each resource path must be given as an absolute and fully qualified path. Prefix matching/wildcards are not supported.
  • Enable For All Resource Paths: this flag controls whether to enable the filter for all paths, except for the excluded paths defined by Excluded Resource Paths. Setting this to 'true' causes Content Disposition Paths to be ignored. Independent of the configuration, only resource paths that contain a property named 'jcr:data' or 'jcr:content/jcr:data' are covered.

Solution: As stated in the problem statement, the website has hundreds of
PDFs to render, so I cannot add every PDF URL to Excluded Resource Paths. So
I unchecked the "Enable For All Resource Paths" checkbox, which stops the filter from
forcing Content-Disposition: attachment and leaves the PDF response as inline.

If you want to make certain paths downloadable, you can add an entry to the included resource paths.
Here, because the website has SVG images, and SVG images are vulnerable to XSS
attacks, I added "/content/*:image/svg+xml" in "Included Resource Paths and Content Types".
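To make the path:MIME-type rule from the option list above concrete, here is a small Python model of how the filter decides whether to add the Content-Disposition header. It is an added illustration written for this post, not the Sling filter's own code, and it simplifies the real filter: it assumes that a matching resource with binary data gets `Content-Disposition: attachment` and that every other resource gets no header at all (which browsers treat as inline). The config class, function names and sample resource paths are invented for the example.

```python
"""Simplified model of the Apache Sling Content Disposition Filter decision.

Added illustration for this post, not the filter's own code. It models only the
three options described above for a resource that carries binary data
(jcr:data). Assumption: a matching resource gets "Content-Disposition:
attachment" and every other resource gets no header at all, which browsers
treat as inline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ContentDispositionConfig:
    # Content Disposition Paths: "path[:mime1,mime2]" entries; the MIME types
    # after the colon are EXCLUDED from the filter on that path
    paths: List[str] = field(default_factory=list)
    # Excluded Resource Paths: exact absolute paths, no wildcards
    excluded_paths: List[str] = field(default_factory=list)
    # Enable For All Resource Paths: when True, `paths` is ignored
    enable_for_all: bool = False


def parse_path_entry(entry: str) -> Tuple[str, bool, Set[str]]:
    """Split '/content/*:image/jpeg,image/svg+xml' into
    (path prefix, wildcard flag, excluded MIME types)."""
    path, _, mimes = entry.partition(":")
    excluded = {m.strip() for m in mimes.split(",") if m.strip()}
    if path.endswith("*"):
        return path[:-1], True, excluded
    return path, False, excluded


def disposition_for(config: ContentDispositionConfig, resource_path: str,
                    mime_type: str, has_binary: bool = True) -> Optional[str]:
    """Return 'attachment' if the filter would force a download, else None."""
    if not has_binary:
        return None  # the filter only covers resources with jcr:data
    if resource_path in config.excluded_paths:
        return None  # exact match only, no prefix matching
    if config.enable_for_all:
        return "attachment"  # Content Disposition Paths are ignored
    for entry in config.paths:
        prefix, wildcard, excluded_mimes = parse_path_entry(entry)
        matched = resource_path.startswith(prefix) if wildcard else resource_path == prefix
        if matched:
            return None if mime_type in excluded_mimes else "attachment"
    return None


def response_headers(config: ContentDispositionConfig, resource_path: str,
                     mime_type: str) -> Dict[str, str]:
    """Headers the modelled filter would add to the response for a binary resource."""
    headers = {"Content-Type": mime_type}
    disposition = disposition_for(config, resource_path, mime_type)
    if disposition:
        headers["Content-Disposition"] = disposition
    return headers


def demo() -> None:
    # Constructed sample resources; these paths do not exist on any real site.
    pdf = ("/content/dam/site/report.pdf", "application/pdf")
    svg = ("/content/dam/site/logo.svg", "image/svg+xml")
    scenarios = {
        "default (Enable For All = true)": ContentDispositionConfig(enable_for_all=True),
        "checkbox unchecked, no paths": ContentDispositionConfig(),
        "unchecked + /content/*:image/svg+xml": ContentDispositionConfig(paths=["/content/*:image/svg+xml"]),
        "unchecked + /content/*:application/pdf": ContentDispositionConfig(paths=["/content/*:application/pdf"]),
    }
    for name, cfg in scenarios.items():
        print(name)
        for path, mime in (pdf, svg):
            print("  %-32s %s" % (path, response_headers(cfg, path, mime)))


if __name__ == "__main__":
    demo()
```

The scenarios in `demo()` cover the default configuration, the unchecked checkbox, the "/content/*:image/svg+xml" entry used above, and the PDF-excluding form raised in the comment below. Running the block prints the header each configuration would emit for a PDF and for an SVG, so you can compare the model against what the browser's network panel shows for the same paths on your instance.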

Hope it will help you guys!!
Thanks and Happy Learning.

1 comment:

  1. Hey, thanks for your post.
    I think your last comment should be changed. We should exclude the PDF mimetype instead of image/svg+xml from /content/* to make an inline response header for PDF, right?

    Thanks.
