Last modified: 2013-12-14 06:33:10 UTC
Original Bug title: Drop "Content-disposition: attachment;" from the response headers if the MIME type can be typically rendered by the browser, including text, png and jpg files.
----
Reasoning: This header forces the browser to open a download-dialog which is not really handy for quickly looking at a screenshot. Downloading is still possible for all who are fans of error-screenshots after removing that header.
----
Possible issue: Bugzilla is abused by spammers for placing their images here.
Possible solution: Only drop the header if user is logged-in.

Possible issue: Injection of malicious content.
Possible solution: Only allow "safe types" (i.e. not .js or only png and jpg images)
----
----
Current response headers for attachments:

HTTP/1.1 200 OK
Date: Fri, 13 Dec 2013 13:56:58 GMT
Server: Apache
X-xss-protection: 1; mode=block
Content-disposition: attachment; filename="commons_revision_missing_not_in_user_language.png"
X-content-type-options: nosniff
Content-length: 287653
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: image/png; name="commons_revision ..."
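
The two mitigations proposed in the report above (inline only for logged-in users, inline only for allowlisted types), combined into one header decision. This is an added example, not part of the original report and not Bugzilla's own code; the function names and the png/jpeg-only allowlist are assumptions.

```python
import re

# Assumption: allowlist taken from the report's "only png and jpg images" option.
INLINE_SAFE_TYPES = frozenset({"image/png", "image/jpeg"})
_TYPE_RE = re.compile(r"[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+")


def media_type(content_type: str) -> str:
    """Bare lowercase type/subtype; parameters such as name="..." are dropped."""
    bare = content_type.split(";", 1)[0].strip().lower()
    # Anything that is not a well-formed type/subtype is served as opaque bytes.
    return bare if _TYPE_RE.fullmatch(bare) else "application/octet-stream"


def safe_filename(name: str) -> str:
    """Replace control characters, quotes and path separators so the name
    cannot end the quoted-string or start a new header line."""
    return re.sub(r'[\x00-\x1f\x7f"\\/]', "_", name) or "attachment"


def attachment_headers(content_type: str, filename: str, logged_in: bool) -> dict:
    mtype = media_type(content_type)
    # Inline only when both conditions from the report hold; everything else
    # keeps the download behaviour of the current response.
    inline = logged_in and mtype in INLINE_SAFE_TYPES
    disposition = "inline" if inline else "attachment"
    return {
        "Content-Type": mtype,
        "Content-Disposition": f'{disposition}; filename="{safe_filename(filename)}"',
        # Kept from the current response so the browser cannot re-guess the type.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample requests: (stored Content-Type, filename, logged in?)
    samples = [
        ('image/png; name="shot.png"', "shot.png", True),
        ('image/png; name="shot.png"', "shot.png", False),
        ("image/svg+xml", "diagram.svg", True),
        ("text/html", "page.html", True),
    ]
    for ctype, fname, user in samples:
        print(user, attachment_headers(ctype, fname, user)["Content-Disposition"])
```

SVG and HTML stay downloads even for logged-in users because both can carry script that would run in the bug tracker's origin when rendered inline.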
Yeah, it's really about time someone fixed this.

*** This bug has been marked as a duplicate of bug 54181 ***