I agree about having the artefact/file/download.php file have forcedownload on by default (and not overridable) - it would be a matter of checking if that causes problems with things that are using that url but should not be.
I notice there is this page talking about how to get around the 'allowscriptaccess' variable: https://soroush.secproject.com/blog/tag/allowscriptaccess-bypass/ so for embedding files it might not be as simple as setting the embed html param allowscriptaccess=never.