File UI Security

The Aras Innovator user interface has a security mechanism to prevent loading of files directly in the browser and will force the file to download to local disk first instead.

The Vault Server vault.config file contains the Content Security Policy (CSP) that prevents the loading and executing of files in the user interface.

The policy has 2 possible settings:

1. attachment – This will force a file to be downloaded in the UI

   <mimeType value="application/zip">

   <headers>

   <add name="Content-Disposition” value="attachment” />

   </headers>

   </mimeType>

2. inline – This will force a file to load in the browser but will limit the execution of scripts in the file when loading in the browser.

   <mimeType value="text/xml">

   <headers>

   <add name="Content-Disposition” value="inline” />

   <add name="Content-Security-Policy” value="sandbox” />

   </headers>

   </mimeType>

When loading as “inline” the Content-Security-Policy header enables a sandbox for the requested resource. This restricts page actions including the prevention of pop-ups and the execution of plugins and scripts. More about Content-Security-Policy is here: https://content-security-policy.com/.