lightbox: Make the "download" link use the new download endpoint.

The "download" attribute on the button only functions for same-origin
requests; thus, the download endpoint must be used in order for the
"Download" button to function for uploaded images which are stored in
S3, and thus served from a different origin.

This is only done for uploaded images; it does not address a similar
problem with Camo, when Camo is hosted on a different hostname.

Fixes: #19238.

static/js/lightbox.js

@@ -217,7 +217,22 @@ function display_image(payload) {
         .prop("data-filename", filename || "N/A");
     $(".image-description .user").text(payload.user).prop("title", payload.user);
 
-    $(".image-actions .open, .image-actions .download").attr("href", payload.source);
+    $(".image-actions .open").attr("href", payload.source);
+
+    const url = new URL(payload.source, window.location.href);
+    const same_origin = url.origin === window.location.origin;
+    if (same_origin && url.pathname.startsWith("/user_uploads/")) {
+        // Switch to the "download" handler, so S3 URLs set their Content-Disposition
+        url.pathname = "/user_uploads/download/" + url.pathname.slice("/user_uploads/".length);
+        $(".image-actions .download").attr("href", url.href);
+    } else if (same_origin) {
+        $(".image-actions .download").attr("href", payload.source);
+    } else {
+        // If it's not same-origin, and we don't know how to tell the remote service to put a
+        // content-disposition on it, the download can't possibly download, just show -- so hide the
+        // element.
+        $(".image-actions .download").hide();
+    }
 }
 
 function display_video(payload) {