If you are wondering if the link that sends_data PDF with rails is only a save option in IE11 Changes to the Rails 5.2 release notes https://railsguides.jp/5_2_release_notes.html It was in.
Added secure X-Download-Options and X-Permitted-Cross-Domain-Policies to the default header set. (Commit)
By default, I think that the intention is not to open the vulnerable file in the application suddenly, but while all the browsers I tried are through, only IE11 is in a state of "only saving" Isn't it surprising? (May be misunderstood)
So if you want to open it directly in IE11, for example, like this.
response.headers["X-Download-Options"] = nil (if ...Risk tolerance...)
send_file(file_path,:filename => filename,:type=>content_type,:disposition=>'inline')
If it is applied to the entire site, it may be possible with config. → You gave us an example of how to deal with it in the comments.
cinfig/application.rb
config.action_dispatch.default_headers.delete('X-Download-Options')