This issue has been created
There is 1 update, 2 comments.
 
 
XWiki Platform / XWIKI-23620 Open

Add the pdf mimetype in the default list of file types to serve as inline when attached to a wiki page


Issue created

 
Anca Luca created this issue on 21/Oct/25 19:33

Summary: Add the pdf mimetype in the default list of file types to serve as inline when attached to a wiki page
Issue Type: Improvement
Affects Versions: 16.10.9, 5.2
Assignee: Unassigned
Components: Configuration
Created: 21/Oct/25 19:33
Priority: Major
Reporter: Anca Luca
Description:

The content disposition of the attachments of XWiki is controlled by a couple of configurations that determine whether the file is sent as inline content, leaving the browser to handle it (open or download, depending on what it knows how to do), or as attachment content, forcing the browser to download it.

These are configured in https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Attachments#HSecurity.

The pdf mimetype is not in the default list of whitelisted attachment types, which results in pdf files always being proposed for download in the absence of a custom configuration. There is fundamentally no good reason for this protection by default; the browser should ensure the security of the pdf files it handles.

We should add the pdf mimetype in the default list of whitelisted attachment types.
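
A simplified model of the inline-versus-download decision described above, added here as an illustration (it is not XWiki's code). The `DEFAULT_INLINE_TYPES` set is a constructed subset rather than XWiki's actual default list, and the function names are hypothetical.

```python
from urllib.parse import quote

# Constructed subset of an inline allowlist, for illustration only;
# this is NOT XWiki's actual default list.
DEFAULT_INLINE_TYPES = frozenset({"image/png", "image/jpeg", "text/plain", "video/webm"})


def normalize_mime(content_type):
    """Drop parameters such as '; charset=utf-8' and lower-case the media type."""
    return content_type.split(";", 1)[0].strip().lower()


def attachment_headers(filename, content_type, inline_types=DEFAULT_INLINE_TYPES):
    """Build the disposition-related response headers for a stored attachment.

    Types on the allowlist are sent 'inline' (the browser renders them in the
    wiki's origin); everything else is sent as 'attachment' (forced download).
    """
    mime = normalize_mime(content_type)
    disposition = "inline" if mime in inline_types else "attachment"
    # RFC 5987 percent-encoding keeps quotes, CR/LF and non-ASCII characters
    # of an uploader-chosen file name out of the raw header value.
    encoded = quote(filename, safe="")
    return {
        "Content-Disposition": f"{disposition}; filename*=UTF-8''{encoded}",
        # Stop the browser from sniffing a type other than the one checked above.
        "X-Content-Type-Options": "nosniff",
    }


def disposition_of(headers):
    """Return just 'inline' or 'attachment' from the built headers."""
    return headers["Content-Disposition"].split(";", 1)[0]


if __name__ == "__main__":
    # The change proposed in this issue, modelled as one extra allowlist entry.
    with_pdf = DEFAULT_INLINE_TYPES | {"application/pdf"}
    samples = [("report.pdf", "application/pdf"),
               ("page.html", "text/html; charset=utf-8"),
               ("logo.png", "IMAGE/PNG")]
    for name, ctype in samples:
        before = disposition_of(attachment_headers(name, ctype))
        after = disposition_of(attachment_headers(name, ctype, with_pdf))
        print(f"{name}: {before} -> {after}")
```

In this model, adding `application/pdf` changes only the PDF case; `text/html` is still sent as a download because it is not on the list.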

 
 

1 update

 
Changes by Anca Luca on 21/Oct/25 19:37
 
Description: The content disposition of the attachments of XWiki is controlled by a couple of configurations that determine whether the file is sent as inline content, leaving the browser to handle it (open or download, depending on what it knows how to do), or as attachment content, forcing the browser to download it.

These are configured in https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Attachments#HSecurity.

The pdf mimetype is not in the default list of whitelisted attachment types, which results in pdf files always being proposed for download in the absence of a custom configuration. There is fundamentally no good reason for this protection by default; the browser should ensure the security of the pdf files it [handles → opens].

We should add the pdf mimetype in the default list of whitelisted attachment types.
 
 

2 comments

 
Anca Luca on 21/Oct/25 19:35
 

Thanks Michael Hamann, Ludovic Dubost (Test simple user) and Clément Aubin for helping confirm that there should be no security issue with pdf files.

 
Anca Luca on 21/Oct/25 19:35
 
Thanks [~MichaelHamann], [~ ldubost ludovic ] and [~caubin] for helping confirm that there should be no security issue with pdf files.