View online PDF inside the web browser by default

Originally created by @emmapeel on #7887 (Redmine)

Reported by a user

If we avoid using Evince we can significantly decrease the attack vectors through PDFs.

A PDF opened in Iceweasel must (1) break through pdf.js to execute arbitrary JavaScript, but then (2) break Iceweasel itself to root your computer.

A PDF opened in Evince would have a much easier time breaking through. Evince and libpoppler are subject to significantly less attacks than Iceweasel, so Iceweasel is hardened and security conscious.

Related issues

Related to #7542 (closed)

Edited May 15, 2020 by emmapeel

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information