Add a flag to disable download warnings when Safe Browsing is OFF #28917

Closed
RonnyTNL opened this issue Mar 6, 2023 · 64 comments · Fixed by brave/brave-core#18877

@RonnyTNL

RonnyTNL commented Mar 6, 2023

Description

Downloading .exe files now prompts for every file "This type of file can harm your computer" dialog (keep/discard).
Safe browsing is set to "No protection"

Steps to Reproduce

Download any .exe file from whichever site

  1. download, download will start and dialog "This type of file can harm your computer" will appear.

Actual result:

As safe browsing is set to disabled AND this did not happen in the past something has either changed or is broken.

Expected result:

File should have been downloaded without being interrupted by the Keep/Discard dialog.

Reproduces how often:

100% over multiple machines

Brave version (brave://version info)

1.48.171 Chromium: 110.0.5481.177 (Official Build) (64-bit)

Version/Channel Information:

N/A

  • Can you reproduce this issue with the current release?
    Yes
  • Can you reproduce this issue with the beta channel?
  • Can you reproduce this issue with the nightly channel?

Other Additional Information:

  • Does the issue resolve itself when disabling Brave Shields?
  • Does the issue resolve itself when disabling Brave Rewards?
  • Is the issue reproducible on the latest version of Chrome?
    No, does not reproduce in Chrome.

Miscellaneous Information:

@RonnyTNL
Author

RonnyTNL commented Mar 6, 2023

Interestingly if I ENABLE Safe Browsing the issue disappears.

@RonnyTNL RonnyTNL changed the title Every download (.exe) now prompts for "This type of file can harm your computer" even when Safe browsing is disabled Every download (.exe) now prompts for "This type of file can harm your computer" when Safe browsing is disabled Mar 6, 2023
@bsclifton
Member

bsclifton commented Mar 6, 2023

Hi @RonnyTNL

This should be (need to confirm) expected behavior. Safe browsing is enabled by default and there's a specific download list that is queried for downloads. With safe browsing off, I believe it's falling back on this notice

cc: @fmarier for confirmation

@RonnyTNL
Author

RonnyTNL commented Mar 6, 2023

Has this changed in latest update then? This didn't happen on previous builds.

@fmarier fmarier self-assigned this Mar 6, 2023
@fmarier fmarier added this to Untriaged Backlog in Security & Privacy via automation Mar 6, 2023
@RonnyTNL
Author

RonnyTNL commented Mar 7, 2023

@fmarier Update on repro:

I've verified with Chrome Stable (110.0.5481.178 (Official Build) (32-bit)) and Canary (113.0.5635.0 (Official Build) canary (64-bit)). On a clean VM.

If you set Safe browsing to No Protection the default is to prompt for Keep/Discard.
However if you also switch "Ask where to save each file" this behavior is NOT seen and the download finishes uninterrupted.

That's the reason I noticed the change in behavior as I have both settings non default.

@fmarier fmarier moved this from Untriaged Backlog to P3, P4 Backlog in Security & Privacy Mar 7, 2023
@fmarier fmarier moved this from P3, P4 Backlog to Important backlog (do these first!) in Security & Privacy Mar 7, 2023
@fmarier
Member

fmarier commented Mar 11, 2023

Thanks for the extra details @RonnyTNL . The reason why this started to happen is that we've recently made it so that the same checks are applied to downloads regardless of the "Ask where to save each file" setting: #28079

So while in Chrome, you can suppress this behavior by:

  • disabling Safe Browsing
  • enabling "Ask where to save each file"

in Brave, that's no longer possible because we want to err on the side of protecting from more threats.

It's an unfortunate side-effect that disabling Safe Browsing means every .exe downloaded on Windows will throw up this warning, but since Safe Browsing is enabled by default and the warning can be bypassed by clicking the "Keep" button, I think it's a reasonable trade-off.

@fmarier fmarier closed this as completed Mar 11, 2023
Security & Privacy automation moved this from Important backlog (do these first!) to Completed Mar 11, 2023
@fmarier
Member

fmarier commented Mar 11, 2023

Not sure closed/wontfix is the best label for this, because it's a legit issue, but there's no closed/unfortunate-side-effect.

@fmarier
Member

fmarier commented Mar 11, 2023

@RonnyTNL If you don't mind me asking, would you be willing to share why you disabled Safe Browsing? There are a lot of misconceptions about it and we've tried to improve some of the privacy properties in Brave, but I'd be curious to hear what made you disable it if you're willing to share.

@RonnyTNL
Author

Hi @fmarier

First thing, there is a configuration option to disable something, then I expect that it does what it claims.

Setting it to "No protection" means "From now on I'm responsible" in my idea, so it kind of defeats the purpose to keep prompting from my point of view. And I get that from a use case of an average user downloads an occasional binary.
But if you chose to ignore that from a design perspective I guess you could remove the "No protection" setting completely.

I research security related stuff, might want to run into an exploit, as we design anti-exploit protection, access stuff that Safe browsing prohibits, and download dozens of binaries a day, so in that case having to click on "Keep" gets rather annoying within a matter of minutes and frustrates my work, so I would really welcome some form of solution here (doesn't need to be UI, flag is fine) as long as I can disable this nag.

So it has nothing to do with not trusting the Safe browsing, I have a completely different use-case.

On a side-note, it seems there is still some part of the code that doesn't touch this "protection"
I have one way/link download that gets saved without a prompt being an .exe file, but I guess it would be better not to post that in public.

@fmarier
Member

fmarier commented Mar 14, 2023

I see. Thanks for the details on your use-case. I agree that it's pretty annoying for those who have legitimate reasons for disabling this protection.

Now that I think more about it, I suspect that the warning might go away once #17616 is fixed. That's the component that determines whether or not a file is (very loosely) "executable" and many of the checks and warnings are tied to that.

> On a side-note, it seems there is still some part of the code that doesn't touch this "protection" I have one way/link download that gets saved without a prompt being an .exe file, but I guess it would be better not to post that in public.

You can email that to security@brave.com if you'd like.

@RonnyTNL
Author

RonnyTNL commented Apr 6, 2023

Update, on latest release this now has a nasty effect, the download bar on the bottom is gone, which leaves you without any visible clue as to that the download was not finished. (There is no keep/discard notification drawing attention) as the download now seems to use the download bubble, which leaves you with a fully downloaded file only in the tmp format (Unconfirmed 123456.crdownload).

@fmarier
Member

fmarier commented Apr 21, 2023

Thanks for the update @RonnyTNL . I also noticed others reporting this:

I think it's showing up enough in the wild that we need to address it.

@fmarier fmarier reopened this Apr 21, 2023
Security & Privacy automation moved this from Completed to Untriaged Backlog Apr 21, 2023
@fmarier
Member

fmarier commented Apr 21, 2023

Some screenshots to illustrate the problem.

This is Brave with Safe Browsing turned off treating all .exe downloads as dangerous (including the Brave browser itself):
Screenshot from 2023-04-21 15-10-07

While this behavior can be worked-around in Chrome via the Ask where to save each file setting, if you disable Safe Browsing in Chrome, all .exe are treated as dangerous just like in Brave:
Screenshot from 2023-04-21 15-09-09
Screenshot from 2023-04-21 15-09-41

As @RonnyTNL said, now that the download notification bar is gone in Brave, this is even less obvious and it just looks like the download is not working.

In both Chrome and Brave, the downloads can be manually allowed by going into chrome://downloads and clicking Keep:
Screenshot from 2023-04-21 15-15-31
Screenshot from 2023-04-21 15-15-53

@fmarier fmarier moved this from Untriaged Backlog to Important backlog (do these first!) in Security & Privacy Apr 24, 2023
@fmarier fmarier moved this from Important backlog (do these first!) to P3, P4 Backlog in Security & Privacy May 2, 2023
@Upgrad3

Upgrad3 commented May 9, 2023

> Hi @fmarier
>
> First thing, there is a configuration option to disable something, then I expect that it does what it claims.
>
> Setting it to "No protection" means "From now on I'm responsible" in my idea, so it kind of defeats the purpose to keep prompting from my point of view. And I get that from a use case of an average user downloads an occasional binary. But if you chose to ignore that from a design perspective I guess you could remove the "No protection" setting completely.
>
> I research security related stuff, might want to run into an exploit, as we design anti-exploit protection, access stuff that Safe browsing prohibits, and download dozens of binaries a day, so in that case having to click on "Keep" gets rather annoying within a matter of minutes and frustrates my work, so I would really welcome some form of solution here (doesn't need to be UI, flag is fine) as long as I can disable this nag.
>
> So it has nothing to do with not trusting the Safe browsing, I have a completely different use-case.
>
> On a side-note, it seems there is still some part of the code that doesn't touch this "protection" I have one way/link download that gets saved without a prompt being an .exe file, but I guess it would be better not to post that in public.

I also research CyberSecurity and am in the same position, I can sometimes download 100+ binaries per day, so in my case to have every download blocked until I click "keep" is ridiculous.

"First thing, there is a configuration option to disable something, then I expect that it does what it claims." - This is also my view.

Will we ever be able to completely disable again as we previously could? Seriously considering changing browser, can't put up with it much longer.

@chuckmckinnon

Chiming in -- I'm setting up a new computer and, my word, on every single download I'm being told it's "dangerous" and have to open the download icon and click Keep.

Notepad++ is dangerous now? VLC? Really? Because those are the prompts I'm getting.

I'm old. I started programming in Apple ][ days and have been using Windows since before antivirus was a thing. I value Brave because it protects my privacy; I disabled Safe Browsing because I don't want or need anyone (even Brave) nannying me and yes, I am perfectly comfortable assuming any "risks" attendant on that decision. I'm not so stupid as to download files from illegitimate sources and if I do, that's my problem.

Seriously, please make this stop. Like Upgrad3 last week, I'm considering finding alternatives to Brave for a daily driver because every. blessed. time. I have to tell it to Keep a file I just told it to download. Please stop trying to anticipate my security needs and let me decide. Thank you.

@guest271314

We have to enable

Ask where to save each file before downloading

for

--disable-features=InsecureDownloadWarnings

to work.

Keep in mind none of these combinations of flags and settings to disable the download warnings is spelled out in Google Chrome or Chromium documentation.

If you think all roads lead back to Google Safe Browsing there are yet other "features" that are in play trying to prevent you from downloading the file you decide to download on the Web page (HTTP:; FILE:; whatever) that you decide to visit.

@root-phantasoft

> @RonnyTNL If you don't mind me asking, would you be willing to share why you disabled Safe Browsing? There are a lot of misconceptions about it and we've tried to improve some of the privacy properties in Brave, but I'd be curious to hear what made you disable it if you're willing to share.

Because it is my computer, not yours. I, the user, make the decisions, and I don't want the software making decisions for me.

sudo rm -rf / means delete all the bloody files on my computer. Don't ask me, don't tell me if I'm sure, don't make choices for me.

All of these "features" really insult the intelligence of a lot of users, especially when they can't be completely disabled. I don't ever want to see a warning, I don't want a confirmation dialog, I don't need my own computer second guessing my actions.

@sorquan

sorquan commented Dec 17, 2023

Chrome is getting worse and worse, the freedom to customize the old chromium is disappearing somewhere. Why can’t we just make at least a flag to disable this useless protection that no one needs?

@fmarier
Member

fmarier commented Dec 17, 2023

> Why can’t we just make at least a flag to disable this useless protection that no one needs?

There is a flag: brave://flags/#brave-override-download-danger-level

@MNLierman

> Chrome is getting worse and worse, the freedom to customize the old chromium is disappearing somewhere. Why can’t we just make at least a flag to disable this useless protection that no one needs?

> There is a flag: brave://flags/#brave-override-download-danger-level

He said Chrome and Chromium, not Brave. I know this issue is in /brave/ but he specifically said Chromium. I think a lot of people are here in this discussion thread because of a Reddit post referencing this stupid Chromium behavior. Stupid Google, come on. Have A/B tests actually shown that crap UI decisions like this stop the spread of malware? By creating extra steps a user will have to click through once they turn off Safe Browsing? Yeah, I don't think so.
@fmarier @sorquan

@Ghrem

Ghrem commented Jan 1, 2024

> Chrome is getting worse and worse, the freedom to customize the old chromium is disappearing somewhere. Why can’t we just make at least a flag to disable this useless protection that no one needs?

> There is a flag: brave://flags/#brave-override-download-danger-level

> He said Chrome and Chromium, not Brave. I know this issue is in /brave/ but he specifically said Chromium. I think a lot of people are here in this discussion thread because of a Reddit post referencing this stupid Chromium behavior. Stupid Google, come on. Have A/B tests actually shown that crap UI decisions like this stop the spread of malware? By creating extra steps a user will have to click through once they turn off Safe Browsing? Yeah, I don't think so. @fmarier @sorquan

I've been arguing with the incredibly useless and ignorant morons that are Google One support over this issue and they know absolutely nothing. Probably take an act of god to get them to truly allow disabling this ridiculous blocking on their end. That flag Brave added should be pushed up into Chromium.

@levicki

levicki commented Jan 19, 2024

@fmarier The flag Override download danger level no longer works in Brave version 1.60.114 Chromium: 119.0.6045.124 (Official Build) (64-bit) — browser is asking whether to keep or discard a .dll file.

@fmarier
Member

fmarier commented Jan 22, 2024

@levicki It seems to work for me. Here's what I did:

  1. Start Brave with a fresh profile.
  2. Set the Safe Browsing setting to No protection in chrome://settings/security.
    Screenshot from 2024-01-22 15-13-45
  3. Set the Override download danger level flag to Enabled in brave://flags/#brave-override-download-danger-level:
    Screenshot from 2024-01-22 14-57-58
  4. Restart the browser.
  5. Go to https://zoom.us/download#client_4meeting and download the Zoom client.

Result

Following the above steps, the download is not blocked:
Screenshot from 2024-01-22 15-11-22

On the other hand, when the Override download danger level flag is set to Default (or Disabled), then I get the warning:
Screenshot from 2024-01-22 14-20-22
Screenshot from 2024-01-22 14-20-30

Versions tested

I tested:

  • Stable channel 1.61.120 Chromium: 120.0.6099.234 on Linux and Windows 10
  • Beta channel 1.63.126 Chromium: 121.0.6167.57 on Linux
  • Nightly channel 1.64.12 Chromium: 121.0.6167.75 on Linux

all with the same results, though of course the file was an .exe for Windows.

@fmarier
Member

fmarier commented Jan 22, 2024

@levicki If you're still seeing something different from me, can you try again with 1.61 and then tell me:

  • the URL of a website / download file where you can reproduce the problem
  • what you have the Safe Browsing setting and the brave://flags/#brave-override-download-danger-level flag set to

@guest271314

@fmarier Nice work in Brave world if you got this far. From Chromium Version 122.0.6251.0 (Developer Build) (64-bit) with Google Safe Browsing turned off. I'll have to try some disabling feature flags, again. This is insane.

Screenshot_2024-01-22_17-39-17

@fmarier
Member

fmarier commented Jan 23, 2024

@guest271314 I'm not aware of a way to opt out of this behavior on Chrome/Chromium.

@guest271314

Interesting.

Somebody baked a "warning" about a .deb file into WICG File System Access API

Screenshot_2024-01-22_21-22-10

but not a Chromium .zip download from https://download-chromium.appspot.com/

Screenshot_2024-01-22_21-26-19

@levicki

levicki commented Jan 23, 2024

@fmarier I updated to latest release just now.

Here is the URL: https://github.com/p0358/Fuck_off_EA_App/releases

Try downloading version.dll file.

What happens for me:

image

image

My settings:

Safe browsing

image

Flags:

image

EDIT

Zoom client you linked also downloads without the warning for me.

It seems that flag related code is only checking for string.EndsWith(".exe")?

If so, then it might need some expansion to cover other "dangerous" filetypes.

@fmarier
Member

fmarier commented Jan 25, 2024

@levicki I found the problem: #35561. It seems like there are only 6 file types that have the "DANGEROUS" danger level and .exe (or any of the ones I had previously tested) is not one of those.

@guest271314 The warnings are platform-specific and are defined in https://source.chromium.org/chromium/chromium/src/+/main:components/safe_browsing/content/resources/download_file_types.asciipb, a file that's downloaded as part of the "File Type Policies" component you can see in chrome://components.

@guest271314

@fmarier Well, something ain't working as written out here https://source.chromium.org/chromium/chromium/src/+/main:components/safe_browsing/content/resources/download_file_types.asciipb;l=3439-3448.

The user gesture is the click on the link (HTML element)

```
file_types {
  extension: "deb"
  uma_value: 141
  ping_setting: FULL_PING
  platform_settings {
    platform: PLATFORM_TYPE_LINUX
    danger_level: ALLOW_ON_USER_GESTURE
    auto_open_hint: DISALLOW_AUTO_OPEN
  }
}
```

Chromium doesn't have anything in chrome://components, no components installed. Just like there are no terms (TOS) in chrome://terms.

"File Type Policies"

That got me to thinking about policies, i.e., chrome://policy, where there is at least one relevant entry https://chromeenterprise.google/policies/?policy=ExemptDomainFileTypePairsFromFileTypeDownloadWarnings

[ { "file_extension": "jnlp", "domains": ["example.com"] }, { "file_extension": "exe", "domains": ["example.com"] }, { "file_extension": "swf", "domains": ["*"] } ]

Note that while the preceding example shows the suppression of file type extension-based download warnings for "swf" files for all domains, applying suppression of such warnings for all domains for any dangerous file type extension is not recommended due to security concerns. It is shown in the example merely to demonstrate the ability to do so.

@fmarier
Member

fmarier commented Jan 25, 2024

> Well, something ain't working as written out here https://source.chromium.org/chromium/chromium/src/+/main:components/safe_browsing/content/resources/download_file_types.asciipb;l=3439-3448.
>
> The user gesture is the click on the link (HTML element)

In Chromium, a danger level of ALLOW_ON_USER_GESTURE triggers the warning in the download manager when Safe Browsing is OFF. That's why you're seeing this (on the Linux platform).

> Chromium doesn't have anything in chrome://components, no components installed.

This fallback code probably applies then.

Keep in mind though, I'm not a Chromium expert. I've only ever tested this in Brave.
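To make the danger-level discussion above concrete, here is an added example (not part of the thread, and not Brave or Chromium code) that parses `file_types` entries in the text-proto layout quoted earlier and reports which downloads would prompt with Safe Browsing off, as the thread describes it. The `sample_dangerous` entry is constructed, the `PLATFORM_TYPE_ANY` fallback is an assumption, and the function names are hypothetical.

```python
import re

# Constructed input in the layout quoted in the thread. The "deb" entry is the
# one posted above; "sample_dangerous" is a made-up extension for illustration.
SAMPLE = '''
file_types {
  extension: "deb"
  uma_value: 141
  ping_setting: FULL_PING
  platform_settings {
    platform: PLATFORM_TYPE_LINUX
    danger_level: ALLOW_ON_USER_GESTURE
    auto_open_hint: DISALLOW_AUTO_OPEN
  }
}
file_types {
  extension: "sample_dangerous"
  platform_settings {
    platform: PLATFORM_TYPE_WINDOWS
    danger_level: DANGEROUS
  }
  platform_settings {
    platform: PLATFORM_TYPE_LINUX
    danger_level: NOT_DANGEROUS
  }
}
'''

_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([{}:])|([A-Za-z_]\w*|-?\d+)|#[^\n]*')

def tokenize(text):
    """Split text-proto into (kind, text) tokens; comments are dropped."""
    tokens, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos == len(text):
            return tokens
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character at offset {pos}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("value", m.group(1)))
        elif m.group(2):
            tokens.append(("punct", m.group(2)))
        elif m.group(3):
            tokens.append(("word", m.group(3)))

def parse_message(tokens, i=0, nested=False):
    """Parse `name: value` and `name { ... }` fields into {name: [values]}."""
    msg = {}
    while i < len(tokens):
        kind, text = tokens[i]
        if (kind, text) == ("punct", "}"):
            if not nested:
                raise ValueError("unbalanced '}'")
            return msg, i + 1
        if kind != "word" or i + 1 >= len(tokens):
            raise ValueError(f"expected a field name at token {i}")
        sep = tokens[i + 1]
        if sep == ("punct", "{"):
            child, i = parse_message(tokens, i + 2, nested=True)
            msg.setdefault(text, []).append(child)
        elif sep == ("punct", ":") and i + 2 < len(tokens) and tokens[i + 2][0] != "punct":
            msg.setdefault(text, []).append(tokens[i + 2][1])
            i += 3
        else:
            raise ValueError(f"malformed field {text!r}")
    if nested:
        raise ValueError("missing '}'")
    return msg, i

def danger_table(text):
    """Return {extension: {platform: danger_level}} for every file_types entry."""
    root, _ = parse_message(tokenize(text))
    table = {}
    for ft in root.get("file_types", []):
        ext = ft["extension"][0].lower()
        for ps in ft.get("platform_settings", []):
            # Assumption: settings without "platform" apply to every platform.
            platform = ps.get("platform", ["PLATFORM_TYPE_ANY"])[0]
            table.setdefault(ext, {})[platform] = ps.get("danger_level", [None])[0]
    return table

def danger_level(table, filename, platform):
    """Look up a file name; None means the table has no entry for it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    per_platform = table.get(ext, {})
    return per_platform.get(platform, per_platform.get("PLATFORM_TYPE_ANY"))

def prompts_with_safe_browsing_off(level):
    # Simplified from the thread: ALLOW_ON_USER_GESTURE warns once Safe
    # Browsing is off, and DANGEROUS types (the .dll report) warn as well.
    return level in ("ALLOW_ON_USER_GESTURE", "DANGEROUS")
```
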

@guest271314

@fmarier

Setting the policy works on Chromium Version 123.0.6262.0 (Developer Build) (64-bit) - with Google Safe Browsing off.

I experimented setting Chromium and Chrome policies previously some time ago chrome Pop-up blocker when to re-check after allowing page. Then I was using Chromium downloaded via PPA using apt, which used the "chromium-browser" folder.

This links to https://github.com/google/ChromeBrowserEnterprise/blob/main/docs/policy_examples/managed_policies.json which I downloaded and modified to

```json
{"ExemptDomainFileTypePairsFromFileTypeDownloadWarnings": [
 {
  "domains": [
   "*"
  ],
  "file_extension": "deb"
 }
]}
```

```sh
sudo mkdir /etc/chromium
sudo mkdir /etc/chromium/policies
sudo mkdir -p /etc/chromium/policies/managed
sudo cp ~/Downloads/managed_policies.json /etc/chromium/policies/managed
```

Verify the policy is loaded in chrome://policy

Screenshot_2024-01-24_21-46-00

Test downloading the .deb file. Observe no file type warning notification.

29f6a8b8-a3f0-4c8d-8dd6-973e59640a5b.webm
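For anyone deploying a policy file like the one above, this added example (not part of the thread or of Chromium) audits the `ExemptDomainFileTypePairsFromFileTypeDownloadWarnings` entries and flags all-domain exemptions, which the Chrome policy text quoted earlier in the thread advises against. The function name and severity labels are assumptions; both sample documents are taken from the thread.

```python
import json

POLICY = "ExemptDomainFileTypePairsFromFileTypeDownloadWarnings"

# The policy file posted in the thread (exempts .deb on every domain).
THREAD_POLICY = '''
{"ExemptDomainFileTypePairsFromFileTypeDownloadWarnings": [
 {"domains": ["*"], "file_extension": "deb"}
]}
'''

# The example value from the Chrome policy page, as quoted in the thread.
DOC_EXAMPLE = json.dumps({POLICY: [
    {"file_extension": "jnlp", "domains": ["example.com"]},
    {"file_extension": "exe", "domains": ["example.com"]},
    {"file_extension": "swf", "domains": ["*"]},
]})

def audit_policy(text):
    """Return (severity, extension, detail) findings for one policy document.

    severity is "error" for entries that cannot be interpreted, "warn" when
    warnings are suppressed for every domain, and "info" for scoped entries.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("error", None, f"not valid JSON: {exc.msg}")]
    if not isinstance(doc, dict) or POLICY not in doc:
        return []  # policy not set, nothing is exempted
    entries = doc[POLICY]
    if not isinstance(entries, list):
        return [("error", None, f"{POLICY} must be a list")]
    findings = []
    for index, entry in enumerate(entries):
        ext = entry.get("file_extension") if isinstance(entry, dict) else None
        domains = entry.get("domains") if isinstance(entry, dict) else None
        well_formed = (
            isinstance(ext, str) and ext
            and isinstance(domains, list) and domains
            and all(isinstance(d, str) for d in domains)
        )
        if not well_formed:
            findings.append(("error", None,
                             f"entry {index} needs file_extension and domains"))
        elif "*" in domains:
            findings.append(("warn", ext.lower(),
                             "warnings suppressed for ALL domains"))
        else:
            findings.append(("info", ext.lower(),
                             "warnings suppressed for " + ", ".join(domains)))
    return findings
```
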

@levicki

levicki commented Jan 25, 2024

@fmarier Thanks for looking into it, glad you could reproduce it.

I think that having ini and cfg listed as dangerous is plain ridiculous.

Moreover, manifest could probably be narrowed down to dll.manifest and exe.manifest so that other files with manifest extension are unaffected.

Is there a chance you could provide at least a rough ETA for the fix to hit the release channel?

@fmarier
Member

fmarier commented Jan 26, 2024

> Is there a chance you could provide at least a rough ETA for the fix to hit the release channel?

I have a PR in review which should land in time for 1.64 (currently scheduled to hit stable on March 19th).

@levicki

levicki commented Jan 26, 2024

> I have a PR in review which should land in time for 1.64 (currently scheduled to hit stable on March 19th).

Good to know.

Out of curiosity, why not change cfg, dll, and ini to be ALLOW_ON_USER_GESTURE level as well? Are they seriously that more dangerous than exe?

As an experienced PC user, software developer, and system administrator I can't understand the rationale behind that rating.

It's totally paranoid, and if we go that route why not mark webp files as DANGEROUS? After all, there was a 0-day exploit back in October 2023 in libwebp and everyone scrambled to patch it because pretty much all software everywhere was affected.

While we are at it, maybe we should also mark png and jpg as DANGEROUS because either current or some future version of Windows Explorer shell preview handler might have a vulnerability which will allow those files to do damage without user interaction (just generating a thumbnail preview while browsing Downloads folder could trigger the malicious payload).

In my opinion, blocking user-initiated downloads amounts to nothing more than a security theater. It's one thing to add a layer of security, and another to turn it into a major nuisance because when people are faced with an impediment 9 times out of 10 they will go out of their way to fully remove it and you will end up with the overall worse security posture than if you dialed the nuisance factor down a couple of notches.

Prime example of this are password policies. Let's say you demand:

  • Minimum 12 characters password
  • At least one uppercase letter
  • At least one digit
  • At least one symbol
  • Change every 90 days

And then you set their work PCs to lock after 5 minutes of being idle.

What do you think will 90% of people do if they have to type those passwords dozens of times in their 8 hour shift?

They will simply use passwords like January2024!, because remembering and typing complex passwords is a chore and nobody likes chores when they are already tasked to (or over the) capacity with their salaried work. Come end of March they will change it to AprilFools24@, and so on. It's a clear example that overly restrictive security policies do not actually improve security.

Sorry for the slight off-topic rant, but these things are like the pet peeve of mine.

@guest271314

> It's one thing to add a layer of security

There really is no such thing as "security" for any signal communications. As of last century certain entities were analyzing 20 TB per second via ThinThread. PRISM, Apple "disclosing" they had an agreement with the U.S. Government to not disclose to users agreements between that concern and the U.S. Government re user data, et al.

@fmarier
Member

fmarier commented Jan 26, 2024

> Out of curiosity, why not change cfg, dll, and ini to be ALLOW_ON_USER_GESTURE level as well?

That list is maintained by the Google Safe Browsing team and we use it without modifications in Brave (proxied of course). It's not currently something we have had the need to fork in Brave yet.

@digitaldreamer7

Thanks for providing one more annoyance that we can't get rid of. I don't need you or google to hold my hand. My av can handle anything that's downloaded. This browser is becoming more and more frustrating for people who don't need YOU to decide what WE want to do on our own personal computers.

@luckman212

Here's why THIS FEATURE FUC*ING SUCKS

Yesterday I was at a customer's office dealing with an emergency Network Down situation. The firewall's flash memory had become corrupt and I had to access it using a console cable in a very difficult to reach location. It was a tense moment but I got it repaired. Our policy is to save copies of the running config for these types of situations. So I clicked the "download config" button, saw the download complete (or so I thought), climbed down from the ladder, packed up my bag and left.

This morning, went to upload the config to our server for safekeeping and saw the file never made it to my disk. It was blocked & canceled because it was "insecure". THANKS GOOGLE.

@guest271314

FWIW This might be the place to lodge your feedback on the record for download warnings Q4 2023 Summary from Chrome Security.

@levicki

levicki commented Jan 28, 2024

@digitaldreamer7 @luckman212 Guys you are barking up the wrong tree here. Being abusive towards Brave devs doesn't really help — you are antagonizing the only people who can actually help us by making a browser which doesn't fully follow Google's (and Chromium's) bullshit policies like this one.

In case you didn't read the full thread and just came to vent your anger here is a short summary:

  1. When you turn off Safe Browsing all Chromium based browsers block downloads that are considered dangerous. What is dangerous is decided by Google Safe Browsing Team, not Brave devs.
  2. Brave users submitted a feature request for the ability to disable download blocking and that was implemented via brave://flags/#brave-override-download-danger-level flag.
  3. However, because of an oversight (which I reported here), that flag doesn't fully disable download blocking for all file types — the fix for that is currently scheduled for release in version 1.64 on March 19.

So, if you are using Brave, you just need to be a bit patient. Thanking Brave devs for honoring a feature request and putting in the extra work to override the default Chromium behavior in order to allow us to disable download blocking wouldn't hurt either.

@luckman212

Sorry - my frustration wasn't towards Brave or the devs who are working towards finding a good solution to this. Yes I was venting a bit—towards Google—because it was being discussed. I meant no disrespect.
