For security reasons, your organization may want to configure the way some file types are handled during upload and download.
Setup > Security Controls > File Upload and download Security
File Upload and Download Security Page
Don’t allow HTML uploads as attachments or document records: To prevent users from uploading files that may pose a security risk.
Blocks upload of these MIME file types: .html, .htt, .mht, .svg, .swf, .thtml, and .xhtml.
Download (recommended): Download file, regardless of file type.
Execute in Browser: The file, regardless of file type, is displayed and executed automatically when accessed in a browser or through an HTTP request.
Hybrid: The file uses the default browser execution behavior, but downloads Chatter and Salesforce CRM Content files.