Original Bug title:
Drop "Content-disposition: attachment;" from the response headers if the MIME type can be typically rendered by the browser, including text, png and jpg files.
Reasoning:
This header forces the browser to open a download-dialog which is not really handy for quickly looking at a screenshot. Downloading is still possible for all who are fans of error-screenshots after removing that header.
Possible issue: Bugzilla is abused by spammers for placing their images here.
Possible solution: Only drop the header if user is logged-in.
Possible issue: Injection of malicious content.
Possible solution: Only allow "safe types" (i.e. not .js or only png and jpg images)
Current response headers for attachments:
HTTP/1.1 200 OK
Date: Fri, 13 Dec 2013 13:56:58 GMT
Server: Apache
X-xss-protection: 1; mode=block
Content-disposition: attachment; filename="commons_revision_missing_not_in_user_language.png"
X-content-type-options: nosniff
Content-length: 287653
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: image/png; name="commons_revision ..."
Version: wmf-deployment
Severity: normal