#6132 ticket attachments should have the option to view in browser vs download
Originally created by: nieder
Currently, clicking on any attachment link in a tracker causes a download of the item to disk. For common file types (txt/patch/diff/jpg/png/gif, maybe some others), it would be nice to have the ability to either download the file to disk or to view it in-browser.
An extra feature might be that the uploader sets the type of file upon submission, and if 'text' is chosen, then the attachment is always offered with either text/x-<SOMETHING> or text/plain links.
Image attachments do show in the browser already
Plain text attachments could be shown in the browser though. We might want to have some precautions so that a very very large log file (for example) can't be displayed in the browser since it would be to much for most browsers to handle.
See also [#5772] for showing text & html from the code repository, and security concerns there.
Related
Tickets: #5772
Originally by: nieder
Ahh, was unaware of image attachments were already displayable since I had never run across one in the few projects I've seen. Thanks.
If HTML files are added to the whitelist, a possibility is to set the HTTP Content-Type header to text/plain. Safari and Firefox (as well as Chrome and IE, I believe) display the raw HTML when served with that. This would also work for displaying other 'active web' files (php, css, js, etc) that could otherwise open browser holes. There should not be any security holes when a (reasonable) file is sent as text/plain.