GET request doesn't send Accept header when <a> tag includes download attribute
Reported by plaskota...@gmail.com, Dec 20
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Steps to reproduce the problem:
1. Create a page with <a href="my_resource.file" download> tag
2. Set security mode on your server
3. Click on the link

What is the expected behavior?
Chrome should download file as other browsers do.

What went wrong?
HTTP/1.1 403 Forbidden
Content-Length: 252
Keep-Alive: timeout=1, max=300
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd24/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1545307843168895 965 (- - -)
Stopwatch2: 1545307843168895 965; combined=303, p1=208, p2=65, p3=0, p4=0, p5=30, sr=67, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"

Did this work before? N/A
Does this work in other browsers? Yes

Chrome version: 67.0.3396.87 Channel: n/a
OS Version: Mint 18.3 Cinnamon
Flash Version:
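An added example, not part of the original report: a Python parser for the ModSecurity 2.x `Message:` line quoted above, which tallies blocked requests by rule so that a 403 like this one can be traced to the rule that produced it (here id 960015). The function names and the second sample line are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first entry is the Message line from the report above;
# the second is a made-up, non-blocking entry for a different rule, for contrast.
SAMPLE_LOG = [
    'Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. '
    '[file "/etc/httpd24/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] '
    '[line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] '
    '[severity "NOTICE"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] '
    '[tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] '
    '[tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]',
    'Message: Warning. Pattern match "example" at ARGS:q. [file "/constructed/example.conf"] '
    '[line "1"] [id "999999"] [msg "Constructed example rule"] [severity "WARNING"]',
]

META = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')        # [key "value"] pairs
DENY = re.compile(r'Access denied with code (\d{3}) \(phase (\d)\)')
TARGET = re.compile(r' at ([A-Z_]+(?::[^\s.]+)?)\.')       # variable the operator matched

def parse_message(line):
    """Split one ModSecurity 2.x 'Message:' line into a dict of its fields."""
    if not line.startswith('Message: '):
        raise ValueError('not a ModSecurity Message line')
    rec = {'tags': [], 'blocked': False, 'status': None, 'phase': None, 'target': None}
    for key, value in META.findall(line):
        if key == 'tag':
            rec['tags'].append(value)      # "tag" repeats, so keep every value
        else:
            rec[key] = value
    deny = DENY.search(line)
    if deny:
        rec.update(blocked=True, status=int(deny.group(1)), phase=int(deny.group(2)))
    target = TARGET.search(line)
    if target:
        rec['target'] = target.group(1)
    return rec

def blocked_by_rule(lines):
    """Count blocked requests per (rule id, msg) so noisy rules stand out."""
    hits = Counter()
    for line in lines:
        rec = parse_message(line)
        if rec['blocked']:
            hits[(rec.get('id'), rec.get('msg'))] += 1
    return hits
```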
Reproed on ToT
Comment 1 by dtapu...@chromium.org, Dec 20