HTML file stored in CRX doesn’t open in browser, gets downloaded instead

A HTML file stored directly in the Oak repository does not open in the browser. Instead it is downloaded in 6.1 SP2 and later versions.

Description description

Environment

Adobe Experience Manager 6.x (AEM 6.x)

Issue/Symptoms

A HTML file stored directly in the Oak repository does not open in the browser. Instead it is downloaded in 6.1 SP2 and later versions.

Cause

It is an intended change in AEM 6.2.

Even for 6.1, the same change applies to Service Pack 2 and later patches.

It was introduced as a part of Sling Security Fix.

https://issues.apache.org/jira/browse/SLING-4883 - Extend content disposition filter protection to jcr: data

https://issues.apache.org/jira/browse/SLING-4973 - Add Content Disposition Excluded Paths

This issue was sometimes reported as a security issue.

  1. It was identified that malicious files can potentially be uploaded by using the functionality.
  2. Access the uploaded file through the URL mentioned above and verify that the file gets executed.

Resolution resolution

Engineering team fixed the issue and implemented this change and by default the file gets downloaded instead of opening up in the browser.

It comes through the following OSGI configuration:

http://host:port/system/console/configMgr/org.apache.sling.security.impl.ContentDispositionFilter

The checked box - Enable Content Disposition for all paths is causing this change in behavior, which is intended.

To revert to old behavior:

If one is OK to bear this security issue, one can clear the check box and the file gets directly opened in the browser instead of getting downloaded. Hence, meeting your requirements.

recommendation-more-help
3d58f420-19b5-47a0-a122-5c9dab55ec7f