Comment 3 for bug 1190788

Robert Lyon (robertl-9) wrote :

I agree about having the artefact/file/download.php file have forcedownload on by default (and not overridable) - it would be a matter of checking if that causes problems with things that are using that URL but should not be.

I notice there is this page talking about how to get around the 'allowscriptaccess' variable:
https://soroush.secproject.com/blog/tag/allowscriptaccess-bypass/ so for embedding files it might not be as simple as setting the embed HTML param allowscriptaccess=never.