SharePoint, being a Content Management System, has some built-in security features that prevent certain files from opening in the browser. This restriction is enforced through HTTP response headers: SharePoint adds ‘X-Download-Options: noopen’ to the response, which prevents the file from opening in the browser. Instead, the file is downloaded to the local file system, where it can be opened with a client application. However, we can work around this using a couple of methods, which we will explore in this article.
As shown below, if PDF is not set to open up in the browser, it will be downloaded to the disk.
We can overcome this issue using two methods:
Method 1 (Not the recommended way)
In order to open the PDF in the browser, we can update the settings at two levels:
- Library
- Central Administration
Let’s enable the browser opening capability at the library level. Go to the library settings.
Select Advanced Settings.
Select the radio button ‘Open in the browser’.
Now, we have to update the settings at the Web Application level. Select Manage Web Applications.
Click on General Settings.
From the General Settings page, change the browser file handling option from ‘Strict’ to ‘Permissive’.
Setting the Permissive option enables PDF files to open in the browser. Though this can be achieved out of the box, changing Browser File Handling from Strict to Permissive is not recommended, as it opens up a huge security hole in the SharePoint environment. Setting the option to ‘Strict’ adds ‘X-Download-Options: noopen’ to the response header for any document whose MIME (Multipurpose Internet Mail Extensions) type is not present in the web application’s allowed list. This prevents the file from opening in the browser.
Method 2 (Recommended)
As an alternative, we can add PDF (it is added by default) to the web application’s trusted MIME type list. If the MIME type is in the trusted list, the file will open in the browser even when Browser File Handling is set to ‘Strict’. We can get the list of trusted MIME types by reading the ‘SPWebApplication.AllowedInlineDownloadedMimeTypes’ property.
# Run in the SharePoint Management Shell (or load the snap-in first: Add-PSSnapin Microsoft.SharePoint.PowerShell)
$webApplication = Get-SPWebApplication -Identity "http://vm03-sp2016:51000/"
# List the MIME types that are allowed to open inline in the browser
$webApplication.AllowedInlineDownloadedMimeTypes
If application/pdf is not present in the list, PDF has not been added to the trusted MIME types of the web application. Let’s add application/pdf to the trusted MIME type list by running the below command.
$webApplication = Get-SPWebApplication -Identity "http://vm03-sp2016:51000/"
# Add application/pdf only if it is not already in the list, then persist the change
if ($webApplication.AllowedInlineDownloadedMimeTypes -notcontains "application/pdf") {
    $webApplication.AllowedInlineDownloadedMimeTypes.Add("application/pdf")
    $webApplication.Update()
}
This will add the new MIME type to the end of the list as shown below.
Now, if we click on a PDF file, it will open in the browser.
In this way, we are not opening up any security issues in the environment, and it is the best way to ensure PDF opens in the browser.
We can also remove the added MIME type in the same way we added it, by running the below command.
$webApplication = Get-SPWebApplication -Identity "http://vm03-sp2016:51000/"
$mimeType = "application/pdf"
# Remove() returns $true if the entry was found and removed
$webApplication.AllowedInlineDownloadedMimeTypes.Remove($mimeType)
$webApplication.Update()
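The audit function below is an added example, not part of the original article or of SharePoint itself. It reports, per web application, the Browser File Handling mode from Method 1 and the allowed MIME type list from Method 2, and flags Permissive mode and allowed-list entries that can carry script. The function name, the $ActiveTypes list and the sample objects are assumptions constructed for illustration.

```powershell
# Added example (not from the original article). Works on any object exposing
# Url, BrowserFileHandling and AllowedInlineDownloadedMimeTypes, which
# SPWebApplication objects returned by Get-SPWebApplication do.
function Get-InlineHandlingFinding {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $WebApplication,
        # Illustrative list chosen for this example: types that can carry script
        [string[]]$ActiveTypes = @('text/html', 'application/xhtml+xml', 'image/svg+xml')
    )
    process {
        $allowed = @($WebApplication.AllowedInlineDownloadedMimeTypes)
        $risky   = @($allowed | Where-Object { $ActiveTypes -contains $_ })
        $mode    = [string]$WebApplication.BrowserFileHandling
        $issues  = @()
        if ($mode -eq 'Permissive') { $issues += 'Browser file handling is Permissive' }
        if ($risky.Count -gt 0)     { $issues += 'Script-capable types allowed inline: ' + ($risky -join ', ') }
        [pscustomobject]@{
            Url                 = [string]$WebApplication.Url
            BrowserFileHandling = $mode
            # Web-application level only; the library setting is not inspected here
            PdfAllowedInline    = ($mode -eq 'Permissive') -or ($allowed -contains 'application/pdf')
            Issues              = $issues -join '; '
        }
    }
}

# Constructed sample objects standing in for web applications (hypothetical URLs)
$sample = @(
    [pscustomobject]@{ Url = 'http://intranet.example/'; BrowserFileHandling = 'Strict'
                       AllowedInlineDownloadedMimeTypes = @('application/pdf', 'image/png') }
    [pscustomobject]@{ Url = 'http://legacy.example/';   BrowserFileHandling = 'Permissive'
                       AllowedInlineDownloadedMimeTypes = @('image/png') }
    [pscustomobject]@{ Url = 'http://portal.example/';   BrowserFileHandling = 'Strict'
                       AllowedInlineDownloadedMimeTypes = @('image/png', 'text/html') }
)
$sample | Get-InlineHandlingFinding | Format-Table -AutoSize

# On a farm server, audit the real configuration instead:
# Get-SPWebApplication | Get-InlineHandlingFinding | Format-Table -AutoSize
```

A web application that shows Strict with application/pdf in the list and an empty Issues column matches the configuration the article recommends.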
Summary - Thus, we saw how to allow PDF to open up in the browser by adding PDF to the allowed MIME type list of the Web Application.