Index: chrome/browser/resources/safe_browsing/README.md |
diff --git a/chrome/browser/resources/safe_browsing/README.md b/chrome/browser/resources/safe_browsing/README.md |
new file mode 100644 |
index 0000000000000000000000000000000000000000..5f2d018b210d1c5d5407903d13895db04ee9bdf8 |
--- /dev/null |
+++ b/chrome/browser/resources/safe_browsing/README.md |
@@ -0,0 +1,80 @@ |
+# Behavior of Download File Types in Chrome |
+ |
+This describes how to adjust file-type download behavior in Chrome including |
+interactions with Safe Browsing. The metadata in download_file_types.asciipb |
asanka
2016/04/06 02:12:31
Embedded underscores could be interpreted as _emph
Nathan Parker
2016/04/11 20:12:07
yea, hrm. I thought intra-word was disabled. I'l
|
+is both baked into Chrome and pushable to Chrome between releases. |
+ |
+Rendered version of this file: https://chromium.googlesource.com/chromium/src/+/master/chrome/browser/resources/safe_browsing/README.md |
+ |
+ |
+# Procedure for adding a new type |
+ * Edit `download_file_types.asciipb`. Update `histograms.xml` |
+ * Get it reviewed, submit. |
+ * Push via component update (PROCEDURE TBD) |
+ |
+# Guidelines for a DownloadFileType entry: |
+See `download_file_types.proto` for all fields. |
+ * `extension` value must be unique within the config. It should be |
+ lowercase ASCII and not contain a dot. If there _is_ a duplicate, |
+ last one will win. |
+ * `uma_value` value must be unique and match one in the |
+ SBClientDownloadExtensions enum in histograms.xml |
+ * `is_archive`: True if this filetype is a container for other files. |
+ * `platform_settings`: (repeated) Must have one entry with platform=ALL, and |
+ optionally additional entries with overrides for one or more |
+ platforms. platform=ALL acts as a default for any platforms that |
+ don't have an override. There shouldn't be two settings with the |
+ same `platform`, but if there are, last one wins. Keep them sorted |
+ by platform. |
+ * `platform_settings.danger_level`: Required. |
+ * `NOT_DANGEROUS`: Safe to download and open, even if the download |
+ was accidental. |
+ * `DANGEROUS`: Always warn the user that this file may harm their |
+ computer. We let them continue or discard the file. If Safe |
+ Browsing returns a SAFE verdict, we still warn the user. |
+ * `ALLOW_ON_USER_GESTURE`: Warn the user normally but skip the warning |
+ if there was a user gesture or the user visited this site before |
+ midnight last night (i.e. is a repeat visit). If Safe Browsing |
+ returns a SAFE verdict for this file, it won't show a warning. |
+ * `platform_settings.auto_open_hint`: Required. |
+ * `ALLOW_AUTO_OPEN`: File type can be opened automatically if the user |
+ selected that option from the download tray on a previous download |
+ of this type. |
+ * `DISALLOW_AUTO_OPEN`: Never let the file automatically open. |
+ Files that should be disallowed from auto-opening include those that |
+ execute arbitrary or harmful code with user privileges, or change |
+ configuration of the system to cause harmful behavior immediately |
+ or at some time in the future. We *do* allow auto-open for files |
+ that upon opening sufficiently warn the user about the fact that it |
+ was downloaded from the internet and can do damage. (TODO(asanka): |
+ Clarify this sentence: We don't warn for files that... |
+ "do nothing particularly dangerous, despite the act |
+ of downloading itself being dangerous (E.g. .local and .manifest |
+ files)). |
+ * `platform_settings.ping_setting`: Required. This controls what sort |
+ of ping is sent to Safe Browsing and if a verdict is checked before |
+ the user can access the file. |
+ * `SAMPLE_WITH_LIGHT_PING`: Don't send a full Safe Browsing ping, but |
+ send a no-PII "light-ping" for a random sample of SBER users. |
+ This should be the default for unknown types. The verdict won't be |
+ used. |
+ * `NO_PING`: Don’t send any pings. This file is whitelisted. All |
+ NOT_DANGEROUS files should normally use this. |
+ * `FULL_PING`: Send full pings and use the verdict. All dangerous |
+ file should use this. |
+ |
+# Guidelines for the top level DownloadFileTypeConfig entry: |
+ * `version_id`: Must be increased (+1) every time the file is checked in. |
+ Will be logged to UMA. |
+ |
+ * `light_ping_probability`: For what fraction of extended-reporting users' |
+ downloads with unknown extensions (or ping_setting=TREAT_AS_UNKNOWN) |
+ should we send light-pings? [0..1] |
+ |
+ * `file_type`: The big list of all known file types. Keep them |
+ sorted by extension. |
+ |
+ * `default_file_type`: Settings used if a file is not in the above list. |
+ `extension` is ignored, but other settings are used. The ping_setting |
+ should be TREAT_AS_UNKNOWN for all platforms. |
+ |