nat
January 2, 2025, 5:04pm
16
Just a quick update -
The ext_mime_db above that we use follows IANA Media Types defined here - https://www.iana.org/assignments/media-types/media-types.xhtml . Unfortunately, this means that mp4 is correctly application/mp4
Though, looking into our S3 uploader implementation further, I do see that we are adding Content-Disposition header "attachment" for pretty much every upload that is not an image, but it feels like it was only intended to be added for svgs. Using "attachment" would result in the content to get downloaded rather than open in a new tab. For videos, it is a mixture of application/video and attachment that is causing this.
We can at least remove this header, I think.
discourse:main ← discourse:use-inline-no-download
opened 05:01PM - 02 Jan 25 UTC
Back then in https://github.com/discourse/discourse/commit/31e31ef44973dc4daaee2… f010d71588ea5873b53, we added the Content-Disposition headers so that SVGs get downloaded instead of get run in the browser. Inadvertently, this also causes other attachments like pdfs and videos to be downloaded instead of heeding the "Open in new tab" option that users choose in the browser.
### Problem video with `Content-Disposition: attachment`:
https://github.com/user-attachments/assets/f05d388f-4454-4615-9d5a-7a0a66fe3b52
When the header is removed, the default value is `"inline"`, this allows the browser to perform as requested. This also applies to other file types like pdfs, allowing users to view them in the browser instead of always downloading them.
Existing tests (https://github.com/discourse/discourse/pull/10205) already do check that SVGs remain downloaded.
2 Likes
