Enhancement: click to view original picture

[ghost]

It would be great to have an option to view the full size/original picture in the gallery. Currently there is A Download button, but that doesn't show the picture in the browser window.

[littleboxis]

Has there been any progress made in that regard?

[ferdiga]

and/or allow download original (if user is entitled)

[skjnldsv]

cc @rullzer can we enable the images to show in the browser from dav and not download?

[ghost]

can we enable the images to show in the browser from dav and not download?

Perhaps both options should be available. Download (the down arrow) and View Original. Currently the following headers are set for for a PNG file that I open in the gallery app.

Cache-control: no-cache, no-store, must-revalidate
content-disposition: attachment; filename*=UTF-8''BH_myAvatar400x400.png; filename="BH_myAvatar400x400.png"
content-length: 120926
content-security-policy: <redacted>
content-type: image/png; charset=utf-8
date: Tue, 10 Sep 2019 17:11:54 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
referrer-policy: no-referrer
server: Apache
status: 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block

I think that it is the content-disposition: attachment or the x-download-options: noopen that prevents the inline view.

[skjnldsv]

I think that it is the content-disposition: attachment or the x-download-options: noopen that prevents the inline view.

yes it is :)

[rullzer]

cc @rullzer can we enable the images to show in the browser from dav and not download?

Not really. The problem is that we then would serve content that could potentially have exploits. This is the reason we only show previews. They have been parsed, and written out.

For example userA uploads an image with an exploit. Shares it to userB and userB views it full screen in their browser. :boom:

Most other software out there solves this by serving it from a differnt subdomain (dropbox... or ever noticed raw.github.com :wink: ).

[skjnldsv]

@rullzer but what about display the preview instead of downloading it? We could at least show the file with maximum preview size? :)

[rullzer]

Sure you could do that. But for that just use the preview endpoint ;) Max preview these days is 4096x4096

Ah but you'd probably need a way to just say 'give me the max preview'

[skjnldsv]

Ah but you'd probably need a way to just say 'give me the max preview'

Can we have that? Does it make sense?

[rullzer]

Sure we can have that ;) That is fine IMO

[rullzer]

Please do open a ticket for that in the server repo. As that is where the preview endpoint lives.

[ghost]

Hm, I guess downloading is a little safer. I'd still would like this option since I am using this I only with my family and our own photo archive. Also running with clamav.

Perhaps an config.php option could enable this? We do have unsafe options already like previews for certain document formats.

Requesting a Max preview might also be slow...