HTML file stored in CRX does not open in the browser and is downloaded instead | AEM

Issue

An HTML file stored directly in the Oak repository does not open in the browser. Instead, it is downloaded. This applies to 6.1 SP2 and later versions.

Environment

AEM 6.x

Cause

This is an intended change in AEM 6.2. For 6.1, the same change applies to Service Pack 2 and later patches.

It was introduced as part of a Sling security fix:

https://issues.apache.org/jira/browse/SLING-4883 - Extend content disposition filter protection to jcr:data

https://issues.apache.org/jira/browse/SLING-4973 - Add Content Disposition Excluded Paths

 

Other customers reported the previous behavior as a security issue:

  1. They identified that malicious files can potentially be uploaded by using this functionality.
  2. When the uploaded file is accessed through its URL, the file gets executed.

Resolution

The engineering team fixed the issue by implementing this change: by default, the file is downloaded instead of opening in the browser.

The behavior is controlled by the following OSGi configuration:

http://host:port/system/console/configMgr/org.apache.sling.security.impl.ContentDispositionFilter

The selected check box, Enable Content Disposition for all paths, causes this change in behavior, which is intended.
 

To revert to the old behavior:

If you are willing to accept this security issue, clear the check box. The file then opens directly in the browser instead of being downloaded.
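Before or after changing the check box, it helps to confirm which stored files would actually render in the browser. The following is an added example, not Adobe's or Sling's code: it classifies responses by their `Content-Disposition` and `Content-Type` headers. The sample paths, the list of active media types and the function names are assumptions made for illustration.

```python
from email.message import Message

# Assumption (not from the page): media types a browser treats as active,
# script-capable content when the response is rendered inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}


def classify(headers):
    """Classify one response: 'download', 'inline-active' or 'inline-passive'."""
    msg = Message()
    for name, value in headers.items():
        msg[name] = value                      # header lookup is case-insensitive
    if msg.get_content_disposition() == "attachment":
        return "download"                      # browser saves the file
    if "Content-Type" not in msg:
        # No declared type: the browser may sniff HTML unless told not to.
        nosniff = (msg.get("X-Content-Type-Options") or "").strip().lower() == "nosniff"
        return "inline-passive" if nosniff else "inline-active"
    return "inline-active" if msg.get_content_type() in ACTIVE_TYPES else "inline-passive"


def audit(responses):
    """Return the paths whose response would render active content inline."""
    return [path for path, headers in responses if classify(headers) == "inline-active"]


# Constructed sample responses (hypothetical paths), as (path, headers) pairs.
SAMPLES = [
    ("/content/example/upload.html",
     {"Content-Type": "text/html; charset=UTF-8", "Content-Disposition": "attachment"}),
    ("/content/example/legacy.html", {"content-type": "text/html"}),
    ("/content/example/logo.svg",
     {"Content-Type": "image/svg+xml", "Content-Disposition": "inline"}),
    ("/content/example/photo.png", {"Content-Type": "image/png"}),
    ("/content/example/blob", {"X-Content-Type-Options": "nosniff"}),
]

if __name__ == "__main__":
    for path in audit(SAMPLES):
        print("renders inline:", path)
```

Feed it the headers captured from your own instance for the repository paths that accept uploads; any path it reports is one where the filter is not forcing a download.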
