This prevents `<img src=' tags from being used to deep-link
image attachments from HTML outside of the current host and
reduces potential for abuse.
Some browsers (e.g. Firefox) favor content detection and will
display images irrespective of the Content-Type header being
"application/octet-stream", and "Content-Disposition: attachment"
doesn't stop them, either.
Tested with dillo and Firefox.
Reported-by: Leah Neukirchen <leah@vuxu.org>
(cherry picked from commit
46cbc5a7a4ba917bd7154be3b6e6898420ff85d3)