
Tuesday, October 15, 2019

AEM: PDF is getting Downloaded Instead of Opening in a New Tab

Hello Everyone,

While working on an AEM website, I faced an issue where clicking on any PDF link
downloads the PDF instead of opening it in a new tab.

Client Expectation:
This particular client wanted to provide information to users upfront.
It is annoying when a user clicks on a PDF, it gets downloaded, and the user then needs to go to
Downloads to open the PDF.

But the question is: how does the browser decide whether to download the file or
open it in a new tab?

Basically, this happens because the website tells the browser to do it. Occasionally, it's
because the website developer decides they want this behavior, e.g. common on file sharing sites.
Other times, it's because it's a default option for whatever software they're using.
Sometimes it's because the site dev has no idea what they're doing.

Content-Disposition:

That's usually because the site sends a Content-Disposition header in the response. Specifically, it can send either inline or attachment.

inline: this is the default if not otherwise specified, and means the browser will
open the file within the browser window if it is able to.

attachment: means to always download the file and never attempt to open it
inside the browser.

Fig 1: Content-Disposition attachment in response headers

But I have not set Content-Disposition to attachment anywhere in AEM, so where is it
coming from, and how can it be made inline?

There is an OSGi configuration in the Felix console named "Apache Sling Content
Disposition Filter", which controls Content-Disposition for different MIME types based on the path.

Fig 2: Apache Sling Content Disposition Filter

Note: The Content Disposition Filter is a security feature against XSS attacks on SVG files.

The Content Disposition Filter options provide the following functionality:
  • Content Disposition Paths: a list of paths where the filter will be applied, each followed by a list of MIME types to exclude on that path. The path must be an absolute path and may contain a wildcard ('*') at the end, to match every resource path with the given path prefix. For example, "/content/*:image/jpeg,image/svg+xml" will apply the filter to every node in /content except jpg and svg images.
  • Excluded Resource Paths: a list of excluded resources; each resource path must be given as an absolute and fully qualified path. Prefix matching/wildcards are not supported.
  • Enable For All Resource Paths: this flag controls whether to enable this filter for all paths, except for the excluded paths defined by Excluded Resource Paths. Setting this to 'true' leads to ignoring Content Disposition Paths. Independent of the configuration, only resource paths are covered which contain a property named 'jcr:data' or 'jcr:content/jcr:data'.
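
The option semantics listed above can be modelled in a few lines to check a planned configuration before changing it in the Felix console. This is an added example, not code from the original post or from Apache Sling; the class and function names, the sample paths and the first-match rule for overlapping entries are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class FilterConfig:
    """Illustrative model of the three options above (field names are assumptions)."""
    disposition_paths: list = field(default_factory=list)  # "path[*]:mime,mime"
    excluded_paths: set = field(default_factory=set)       # exact paths, no wildcards
    all_paths: bool = False                                 # Enable For All Resource Paths

def parse_entry(entry):
    """'/content/*:image/jpeg,image/svg+xml' -> (path or prefix, is_prefix, excluded MIME types)."""
    path, _, mimes = entry.partition(":")
    path = path.strip()
    if not path.startswith("/"):
        raise ValueError(f"path must be absolute: {entry!r}")
    is_prefix = path.endswith("*")
    if is_prefix:
        path = path[:-1]
    return path, is_prefix, {m.strip().lower() for m in mimes.split(",") if m.strip()}

def forces_attachment(cfg, resource_path, content_type, has_jcr_data=True):
    """True when the modelled filter would answer with Content-Disposition: attachment."""
    if not has_jcr_data:            # only resources carrying jcr:data are covered
        return False
    if cfg.all_paths:               # Content Disposition Paths is ignored in this mode
        return resource_path not in cfg.excluded_paths
    mime = content_type.split(";")[0].strip().lower()
    for entry in cfg.disposition_paths:
        path, is_prefix, excluded = parse_entry(entry)
        hit = resource_path.startswith(path) if is_prefix else resource_path == path
        if hit:                     # assumption: the first matching entry decides
            return mime not in excluded
    return False

# Constructed sample resources (path, content type); not taken from a real site.
PDF = ("/content/dam/mysite/pdfs/guide.pdf", "application/pdf")
SVG = ("/content/dam/mysite/icons/logo.svg", "image/svg+xml")

def audit(cfg):
    """Report which of the two sample resources would be forced to download."""
    return {"pdf": forces_attachment(cfg, *PDF), "svg": forces_attachment(cfg, *SVG)}

if __name__ == "__main__":
    print("all paths on      ", audit(FilterConfig(all_paths=True)))
    print("PDF excluded only ", audit(FilterConfig(disposition_paths=["/content/*:application/pdf"])))
    print("list's own example", audit(FilterConfig(disposition_paths=["/content/*:image/jpeg,image/svg+xml"])))
```

In this model, excluding only application/pdf on the path leaves SVG responses forced to attachment, while a configuration with the flag off and no path entries serves both types inline.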

Solution: As stated in the problem statement, the website has hundreds of
PDFs to render, so I cannot add every PDF URL to Excluded Resource Paths. So
I unchecked the "Enable For All Resource Paths" checkbox, which makes
the Content-Disposition response header inline.

If you want to make certain paths downloadable, you can make an entry in included resourceTypes.
Here, because the website has SVG images and SVG images are vulnerable to XSS
attacks, I added "/content/*:image/svg+xml" in the "Included Resource Paths and Content Types".

Hope it will help you guys !!
Thanks and Happy Learning.

11 comments:

  1. Hey, Thanks for your post.
    I think your last comment should be changed. We should exclude the PDF mimetype instead of the image/svg+xml from the /content/* to make an inline response header for PDF, right?

    Thanks.

  2. Hi, can you please provide some regular expression to open PDFs from a specific site in a new tab?
    Below is the regular expression to open all PDFs in a new tab, but I want to restrict it to a specific site.


    ForceType application/pdf
    Header set Content-Disposition inline

  3. The above regular expression "\.(?i:pdf)$" is for opening all PDFs from content dam, but I want to open PDFs in a new tab from a specific site dam "/content/dam/mysite/pdfs/".

  4. Finally we are able to make a specific folder's PDFs open in the tab itself; below is the site configuration at the dispatcher level.



    Header set Content-Disposition "inline"
    Header set Cache-Control "max-age=86400, public"
    Require all granted

    1. Finally we are able to make a specific folder's PDFs open in the tab itself; below is the site configuration at the dispatcher level.


      <Directory "/usr/local/pmc/var/www/html/content/dam/site/specificfolder/">
        <FilesMatch "\.(pdf)$">
          Header set Content-Disposition "inline"
          Header set Cache-Control "max-age=86400, public"
          Require all granted
        </FilesMatch>
      </Directory>

    2. In the above comment, please use less-than and greater-than symbols to close the Directory and FilesMatch tags. Thank you.
