| Index: chrome/browser/resources/safe_browsing/README.md
|
| diff --git a/chrome/browser/resources/safe_browsing/README.md b/chrome/browser/resources/safe_browsing/README.md
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..3d7f2e60fe855c0879352dd35e6981f86926f053
|
| --- /dev/null
|
| +++ b/chrome/browser/resources/safe_browsing/README.md
|
| @@ -0,0 +1,96 @@
|
| +# Behavior of Download File Types in Chrome
|
| +
|
| +This describes how to adjust file-type download behavior in
|
| +Chrome including interactions with Safe Browsing. The metadata described
|
| +here, and stored in `download_file_types.asciipb`, will be both baked into
|
| +Chrome released and pushable to Chrome between releases. http://crbug.com/596555
|
| +
|
| +Rendered version of this file: https://chromium.googlesource.com/chromium/src/+/master/chrome/browser/resources/safe_browsing/README.md
|
| +
|
| +
|
| +## Procedure for adding a new type
|
| + * Edit `download_file_types.asciipb`. Update `histograms.xml`
|
| + * Get it reviewed, submit.
|
| + * Push via component update (PROCEDURE TBD)
|
| +
|
| +## Guidelines for a DownloadFileType entry:
|
| +See `download_file_types.proto` for all fields.
|
| +
|
| + * `extension`: Value must be unique within the config. It should be
|
| + lowercase ASCII and not contain a dot. If there _is_ a duplicate,
|
| + first one wins. Only the `default_file_type` should leave this unset.
|
| +
|
| + * `uma_value`: Value must be unique and match one in the
|
| + `SBClientDownloadExtensions` enum in `histograms.xml`.
|
| +
|
| + * `is_archive`: `True` if this filetype is a container for other files.
|
| + Leave it unset for `false`.
|
| +
|
| + * `platform_settings`: (repeated) Must have one entry with an unset
|
| + `platform` field, and optionally additional entries with overrides
|
| + for one or more platforms. An unset `platform` field acts as a
|
| + default for any platforms that don't have an override. There should
|
| + not be two settings with the same `platform`, but if there are,
|
| + first one wins. Keep them sorted by platform.
|
| +
|
| + * `platform_settings.danger_level`: (required)
|
| + * `NOT_DANGEROUS`: Safe to download and open, even if the download
|
| + was accidental.
|
| + * `DANGEROUS`: Always warn the user that this file may harm their
|
| + computer. We let them continue or discard the file. If Safe
|
| + Browsing returns a SAFE verdict, we still warn the user.
|
| + * `ALLOW_ON_USER_GESTURE`: Warn the user normally but skip the warning
|
| + if there was a user gesture or the user visited this site before
|
| + midnight last night (i.e. is a repeat visit). If Safe Browsing
|
| + returns a SAFE verdict for this file, it won't show a warning.
|
| +
|
| + * `platform_settings.auto_open_hint`: Required.
|
| + * `ALLOW_AUTO_OPEN`: File type can be opened automatically if the user
|
| + selected that option from the download tray on a previous download
|
| + of this type.
|
| + * `DISALLOW_AUTO_OPEN`: Never let the file automatically open.
|
| + Files that should be disallowed from auto-opening include those that
|
| + execute arbitrary or harmful code with user privileges, or change
|
| + configuration of the system to cause harmful behavior immediately
|
| + or at some time in the future. We *do* allow auto-open for files
|
| + that upon opening sufficiently warn the user about the fact that it
|
| + was downloaded from the internet and can do damage. **Note**:
|
| + Some file types (e.g.: .local and .manifest) aren't dangerous
|
| + to open. However, their presence on the file system may cause
|
| + potentially dangerous changes in behavior for other programs. We
|
| + allow automatically opening these file types, but always warn when
|
| + they are downloaded.
|
| +
|
| + * `platform_settings.ping_setting`: Required. This controls what sort
|
| + of ping is sent to Safe Browsing and if a verdict is checked before
|
| + the user can access the file.
|
| + * `SAMPLED_PING`: Don't send a full Safe Browsing ping, but
|
| + send a no-PII "light-ping" for a random sample of SBER users.
|
| + This should be the default for unknown types. The verdict won't
|
| + be used.
|
| + * `NO_PING`: Don’t send any pings. This file is whitelisted. All
|
| + NOT_DANGEROUS files should normally use this.
|
| + * `FULL_PING`: Send full pings and use the verdict. All dangerous
|
| + file should use this.
|
| +
|
| + * TODO(nparker): Support this: `platform_settings.unpacker`:
|
| + optional. Specifies which archive unpacker internal to Chrome
|
| + should be used. If potentially dangerous file types are found,
|
| + Chrome will send a full-ping for the entire file. Otherwise, it'll
|
| + follow the ping settings. Can be one of UNPACKER_ZIP or UNPACKER_DMG.
|
| +
|
| +## Guidelines for the top level DownloadFileTypeConfig entry:
|
| + * `version_id`: Must be increased (+1) every time the file is checked in.
|
| + Will be logged to UMA.
|
| +
|
| + * `sampled_ping_probability`: For what fraction of extended-reporting
|
| + users' downloads with unknown extensions (or
|
| + ping_setting=SAMPLED_PING) should we send light-pings? [0.0 .. 1.0]
|
| +
|
| + * `file_type`: The big list of all known file types. Keep them
|
| + sorted by extension.
|
| +
|
| + * `default_file_type`: Settings used if a downloaded file is not in
|
| + the above list. `extension` is ignored, but other settings are used.
|
| + The ping_setting should be SAMPLED_PING for all platforms.
|
| +
|
|
|
Chromium Code Reviews
Issue 1857983002:
Add download_file_types.proto with ascii->binary conversion, as a resource. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master