Add download_file_types.proto with ascii->binary conversion, as a resource.

chrome/common/safe_browsing/download_file_types.proto

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//

[Jialiu Lin, 2016/04/04 22:05:21]

empty line instead of the last "//"?

[Nathan Parker, 2016/04/05 23:20:31]

Done.

+syntax = "proto2";
+
+option optimize_for = LITE_RUNTIME;
+
+package safe_browsing;
+
+// Next id: 5
+message DownloadFileType {
+  // The file extension, without a dot.
+  // This must be unique within one DownloadFileTypeConfig
+  optional string extension = 1;  // required
+
+  // Must be unique and not reused, and be consistent with
+  // SBClientDownloadExtensions enum in histograms.xml
+  optional int64 uma_value = 2;  // required
+
+  // True if is an archive type.
+  optional bool is_archive = 3;  // required
+
+
+  enum DownloadDangerLevel {
+    // Safe. Or at least not known to be dangerous. Safe to
+    // download and open, even if the download was accidental.
+    NOT_DANGEROUS = 0;
+
+    // Require confirmation before downloading. An additional user
+    // gesture may not be required if the download was from a
+    // familiar site and the download was initiated via a user
+    // action.

[Jialiu Lin, 2016/04/04 22:05:21]

If "user gesture" and "user action" refer to the same thing, maybe just stick
with one of them. Also can you give an example of "familiar site"?

[Nathan Parker, 2016/04/05 23:20:31]

Done.

+    ALLOW_ON_USER_GESTURE = 1;
+
+    // Always require confirmation when downloading.
+    DANGEROUS = 2;
+  }
+
+  enum DownloadAutoOpenHint {
+    // File type can be opened automatically.
+    ALLOW_AUTO_OPEN = 1;
+
+    // The file type should not be allowed to open automatically.

[Jialiu Lin, 2016/04/04 22:05:21]

Remove "The" at the beginning?

[Nathan Parker, 2016/04/05 23:20:31]

Done.

+    //
+    // Criteria for disallowing a file type from opening automatically:
+    //
+    // Includes file types that upon opening may either:

[Jialiu Lin, 2016/04/04 22:05:21]

maybe add indentation or bulleted symbol to indicate this is one of the
criteria?

[Nathan Parker, 2016/04/05 23:20:31]

Done.

+    //   * ... execute arbitrary or harmful code with user privileges.
+    //   * ... change configuration of the system to cause harmful behavior
+    //     immediately or at some time in the future.
+    //
+    // Doesn't include file types that upon opening:

[Jialiu Lin, 2016/04/04 22:05:21]

Similar here.
Also, it might sound confusing to ppl not familiar with download protection
logic. Will it be more understandable if we put all these explanation next to
code instead of in the proto definition?

[Nathan Parker, 2016/04/05 23:20:31]

Yes, from offline conv: I'll put this in a README.md file and strip out much of
the comments here.

+    //   * ... sufficiently warn the user about the fact that:
+    //     - This file was downloaded from the Internet.
+    //     - Opening it can make specified changes to the system.
+    //     (Note that any such warnings need to be displayed prior to
+    //      the harmful logic being executed).
+    //   * ... does nothing particularly dangerous, despite the act
+    //     of downloading itself being dangerous (E.g. .local and
+    //     .manifest files).
+    DISALLOW_AUTO_OPEN = 2;
+  }
+
+  enum PlatformType {
+    ALL = 0;
+    PLATFORM_ANDROID = 1;
+    PLATFORM_CHROME_OS = 2;
+    PLATFORM_LINUX = 3;
+    PLATFORM_MAC = 4;
+    PLATFORM_WINDOWS = 5;
+  }
+
+  enum PingSetting {
+    // Don’t send pings except maybe light-pings.

[Jialiu Lin, 2016/04/04 22:05:21]

some explanation of "light-ping"? Any "verdict" comes with "light-pings"?

[Nathan Parker, 2016/04/05 23:20:31]

This is explained in the design doc. I'll link to it in the README

+    TREAT_AS_UNKNOWN = 0;
+    // Don’t send any pings.
+    NO_PING = 1;
+    // Send full pings and use the verdicts.
+    SEND_FULL_PING = 2;
+    // Send full pings and but ignore the SAFE verdict.
+    SEND_FULL_PING_IGNORE_SAFE = 3;
+  }
+
+  // Next id: 5
+  message PlatformSettings {
+    optional PlatformType platform = 1;
+    optional DownloadDangerLevel danger_level = 2;  // required
+    optional DownloadAutoOpenHint auto_open_hint = 3;  // required
+    optional PingSetting ping_setting = 4;  // required
+  };
+
+  // In the canonical list, this must have at least one entry and it can
+  // have platform=ALL to act as the default for any OS not listed.  In
+  // the files served via gstatic, each _<OS>.pb file will have only its
+  // own single entry, with |platform| not populated.

[Jialiu Lin, 2016/04/04 22:05:21]

Since platform can be ALL, how to handle conflicts between different
PlatformSettings? Or should we assume it would never happen?

[Nathan Parker, 2016/04/05 23:20:31]

I'll document the behavior.  If a platform isn't present, it'll use "ALL."  If
there are duplicates, last entry with that value wins.  

+  repeated PlatformSettings platform_settings = 4; // required >= 1
+};
+
+
+// The file_types.asciipb config file is composed of one of these messages.
+// Next id: 5
+message DownloadFileTypeConfig {
+  // Monotonically increasing version number.  Will be logged to UMA.
+  optional uint32 version_id = 1;
+
+  // For what fraction of extended-reporting users’ downloads
+  // with unknown extensions should we send light-pings?
+  // [0..1]
+  optional float light_ping_probability = 2;
+
+  // List of all known types.
+  repeated DownloadFileType file_type = 3;
+
+  // Settings used if a file is not in the above list.  “Extension” is ignored.
+  optional DownloadFileType default_file_type = 4;
+}
+