Fix note attachments XSS and access control
Replaces the reverted #1528, as proposed in https://gitlab.com/gitlab-org/omnibus-gitlab/issues/434, as discussed with @dzaporozhets and as summarized in #2032.
@marin Could you take a look at the nginx config and apply it to Omnibus once this gets merged?
See merge request !1553
