Comment 194 for bug 25830

In , Vincent+moz (vincent+moz) wrote:

(In reply to comment #159)
> Security consideration: Gmail appears to use content-disposition: attachment to
> prevent HTML attachments from being used in XSS attacks. We should avoid
> breaking that if we add this feature.

Concerning content-disposition, see bug 185618. But not taking content-disposition into account is the right way, as it is a non-standard header, which should thus be ignored (though a different behavior could also be chosen as an option). If Gmail is based on such a non-standard feature for security consideration, then it is highly broken.