In retrospect, this shouldn't have been a whitelist. We should have implemented a blacklist of extensions that typically represented non-downloads, eg
.php, .html, .asp, ... (and common variants of these)
as there are fewer extensions, less subject to change, and web frameworks move towards friendlier URLs.
White list is good, since some sites use custom file extension which would track a lot of fake downloads and slow down their site (since download has a delay of 500ms).