Add a flag to disable download warnings when Safe Browsing is OFF #28917
Comments
Interestingly if I ENABLE Safe Browsing the issue disappears. |
Has this changed in the latest update then? This didn't happen on previous builds. |
@fmarier Update on repro: I've verified with Chrome Stable (110.0.5481.178 (Official Build) (32-bit)) and Canary (113.0.5635.0 (Official Build) canary (64-bit)). On a clean VM. If you set Safe browsing to No Protection the default is to prompt for Keep/Discard. That's the reason I noticed the change in behavior as I have both settings non default. |
Thanks for the extra details @RonnyTNL. The reason why this started to happen is that we've recently made it so that the same checks are applied to downloads regardless of the "Ask where to save each file" setting: #28079 So while in Chrome, you can suppress this behavior by:
in Brave, that's no longer possible because we want to err on the side of protecting from more threats. It's an unfortunate side-effect that disabling Safe Browsing means every |
Not sure |
@RonnyTNL If you don't mind me asking, would you be willing to share why you disabled Safe Browsing? There are a lot of misconceptions about it and we've tried to improve some of the privacy properties in Brave, but I'd be curious to hear what made you disable it if you're willing to share. |
Hi @fmarier First thing, there is a configuration option to disable something, then I expect that it does what it claims. Setting it to "No protection" means "From now on I'm responsible" in my idea, so it kind of defeats the purpose to keep prompting from my point of view. And I get that from a use case of an average user downloads an occasional binary. I research security related stuff, might want to run into an exploit, as we design anti-exploit protection, access stuff that Safe browsing prohibits, and download dozens of binaries a day, so in that case having to click on "Keep" gets rather annoying within a matter of minutes and frustrates my work, so I would really welcome some form of solution here (doesn't need to be UI, flag is fine) as long as I can disable this nag. So it has nothing to do with not trusting the Safe browsing, I have a completely different use-case. On a side-note, it seems there is still some part of the code that doesn't touch this "protection" |
I see. Thanks for the details on your use-case. I agree that it's pretty annoying for those who have legitimate reasons for disabling this protection. Now that I think more about it, I suspect that the warning might go away once #17616 is fixed. That's the component that determines whether or not a file is (very loosely) "executable" and many of the checks and warnings are tied to that.
You can email that to security@brave.com if you'd like. |
Update, on latest release this now has a nasty effect, the download bar on the bottom is gone, which leaves you without any visible clue as to that the download was not finished. (There is no keep/discard notification drawing attention) as the download now seems to use the download bubble, which leaves you with a fully downloaded file only in the tmp format (Unconfirmed 123456.crdownload). |
Thanks for the update @RonnyTNL. I also noticed others reporting this:
I think it's showing up enough in the wild that we need to address it. |
Some screenshots to illustrate the problem. This is Brave with Safe Browsing turned off treating all While this behavior can be worked-around in Chrome via the Ask where to save each file setting, if you disable Safe Browsing in Chrome, all As @RonnyTNL said, now that the download notification bar is gone in Brave, this is even less obvious and it just looks like the download is not working. In both Chrome and Brave, the downloads can be manually allowed by going into |
I also research CyberSecurity and am in the same position, I can sometimes download 100+ binaries per day, so in my case to have every download blocked until I click "keep" is ridiculous. "First thing, there is a configuration option to disable something, then I expect that it does what it claims." - This is also my view. Will we ever be able to completely disable again as we previously could? Seriously considering changing browser, can't put up with it much longer. |
Chiming in -- I'm setting up a new computer and, my word, on every single download I'm being told it's "dangerous" and have to open the download icon and click Keep. Notepad++ is dangerous now? VLC? Really? Because those are the prompts I'm getting. I'm old. I started programming in Apple ][ days and have been using Windows since before antivirus was a thing. I value Brave because it protects my privacy; I disabled Safe Browsing because I don't want or need anyone (even Brave) nannying me and yes, I am perfectly comfortable assuming any "risks" attendant on that decision. I'm not so stupid as to download files from illegitimate sources and if I do, that's my problem. Seriously, please make this stop. Like Upgrad3 last week, I'm considering finding alternatives to Brave for a daily driver because every. blessed. time. I have to tell it to Keep a file I just told it to download. Please stop trying to anticipate my security needs and let me decide. Thank you. |
We have to enable
for
to work. Keep in mind none of these combinations of flags and settings to disable the download warnings is spelled out in Google Chrome or Chromium documentation. If you think all roads lead back to Google Safe Browsing there are yet other "features" that are in play trying to prevent you from downloading the file you decide to download on the Web page (HTTP:; FILE:; whatever) that you decide to visit. |
Because it is my computer, not yours. I, the user, make the decisions, and I don't want the software making decisions for me. sudo rm -rf / means delete all the bloody files on my computer. Don't ask me, don't tell me if I'm sure, don't make choices for me. All of these "features" really insult the intelligence of a lot of users, especially when they can't be completely disabled. I don't ever want to see a warning, I don't want a confirmation dialog, I don't need my own computer second guessing my actions. |
Chrome is getting worse and worse, the freedom to customize the old chromium is disappearing somewhere. Why can’t we just make at least a flag to disable this useless protection that no one needs? |
There is a flag: |
He said Chrome and Chromium, not Brave. I know this issue is in /brave/ but he specifically said Chromium. I think a lot of people are here in this discussion thread because of a Reddit post referencing this stupid Chromium behavior. Stupid Google, come on. Have A/B tests actually shown that crap UI decisions like this stop the spread of malware? By creating extra steps a user will have to click through once they turn off Safe Browsing? Yeah, I don't think so. |
I've been arguing with the incredibly useless and ignorant morons that are Google One support over this issue and they know absolutely nothing. Probably take an act of god to get them to truly allow disabling this ridiculous blocking on their end. That flag Brave added should be pushed up into Chromium. |
@fmarier The flag |
@levicki It seems to work for me. Here's what I did:
Result
Following the above steps, the download is not blocked: On the other hand, when the Override download danger level flag is set to Default (or Disabled), then I get the warning:
Versions tested
I tested:
all with the same results, though of course the file was an |
@levicki If you're still seeing something different from me, can you try again with 1.61 and then tell me:
|
@fmarier Nice work in Brave world if you got this far. From Chromium Version 122.0.6251.0 (Developer Build) (64-bit) with Google Safe Browsing turned off. I'll have to try some disabling feature flags, again. This is insane. |
@guest271314 I'm not aware of a way to opt out of this behavior on Chrome/Chromium. |
Interesting. Somebody baked a "warning" about a but not a Chromium |
@fmarier I updated to latest release just now. Here is the URL: https://github.com/p0358/Fuck_off_EA_App/releases Try downloading What happens for me: My settings: Safe browsing Flags: EDIT Zoom client you linked also downloads without the warning for me. It seems that flag related code is only checking for If so, then it might need some expansion to cover other "dangerous" filetypes. |
@levicki I found the problem: #35561. It seems like there are only 6 file types that have the "DANGEROUS" danger level and @guest271314 The warnings are platform-specific and are defined in https://source.chromium.org/chromium/chromium/src/+/main:components/safe_browsing/content/resources/download_file_types.asciipb, a file that's downloaded as part of the "File Type Policies" component you can see in |
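As an added illustration (not part of the original thread, and not Brave or Chromium code), this is one way to read per-platform danger levels out of a file laid out like the `download_file_types.asciipb` linked above. The sample entries are constructed placeholders, and the lookup rule (a platform-specific entry overrides the platform-less one, and unlisted extensions fall back to `default_file_type`) is an assumption about how the file is consumed.

```python
import re
# Constructed sample in the asciipb text-proto layout; placeholder extensions and levels.
SAMPLE = '''
default_file_type {
  platform_settings { danger_level: ALLOW_ON_USER_GESTURE }
}
file_types {
  extension: "aaa"
  platform_settings { danger_level: NOT_DANGEROUS }
  platform_settings { platform: PLATFORM_TYPE_WINDOWS danger_level: DANGEROUS }
}
file_types {
  extension: "bbb"
  platform_settings { danger_level: ALLOW_ON_USER_GESTURE }
}
'''

TOKEN = re.compile(r'(\w+)\s*\{|(\w+):\s*("[^"]*"|\S+)|(\})')
def parse(text):
    """Minimal text-proto reader: blocks become dicts, every key maps to a list."""
    stack = [{}]
    for line in text.splitlines():
        for m in TOKEN.finditer(line.split('#', 1)[0]):  # drop comments
            if m.group(1):                       # "name {" opens a block
                child = {}
                stack[-1].setdefault(m.group(1), []).append(child)
                stack.append(child)
            elif m.group(2):                     # "key: value"
                stack[-1].setdefault(m.group(2), []).append(m.group(3).strip('"'))
            else:                                # "}" closes the block
                stack.pop()
    return stack[0]

def level_for(settings, platform):
    """Assumed rule: a platform-specific entry beats the platform-less one."""
    fallback = None
    for s in settings:
        p = s.get('platform', ['PLATFORM_TYPE_ANY'])[0]
        if p == platform:
            return s['danger_level'][0]
        if p == 'PLATFORM_TYPE_ANY':
            fallback = s['danger_level'][0]
    return fallback

def danger_level(config, filename, platform):
    """Danger level for a download name; unlisted types use default_file_type."""
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    for ft in config.get('file_types', []):
        if ft['extension'][0] == ext:
            return level_for(ft.get('platform_settings', []), platform)
    return level_for(config['default_file_type'][0]['platform_settings'], platform)
```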
@fmarier Well, something ain't working as written out here https://source.chromium.org/chromium/chromium/src/+/main:components/safe_browsing/content/resources/download_file_types.asciipb;l=3439-3448. The user gesture is the click on the link (HTML element)
Chromium doesn't have anything in
That got me to thinking about policies, i.e.,
|
In Chromium, a danger level of
This fallback code probably applies then. Keep in mind though, I'm not a Chromium expert. I've only ever tested this in Brave. |
Setting the policy works on Chromium Version 123.0.6262.0 (Developer Build) (64-bit) - with Google Safe Browsing off. I experimented setting Chromium and Chrome policies previously some time ago chrome Pop-up blocker when to re-check after allowing page. Then I was using Chromium downloaded via PPA using This links to https://github.com/google/ChromeBrowserEnterprise/blob/main/docs/policy_examples/managed_policies.json which I downloaded and modified to
Verify the policy is loaded in chrome://policy Test downloading the 29f6a8b8-a3f0-4c8d-8dd6-973e59640a5b.webm |
@fmarier Thanks for looking into it, glad you could reproduce it. I think that having Moreover, Is there a chance you could provide at least a rough ETA for the fix to hit the release channel? |
I have a PR in review which should land in time for 1.64 (currently scheduled to hit stable on March 19th). |
Good to know. Out of curiosity, why not change As an experienced PC user, software developer, and system administrator I can't understand the rationale behind that rating. It's totally paranoid, and if we go that route why not mark While we are at it, maybe we should also mark In my opinion, blocking user-initiated downloads amounts to nothing more than a security theater. It's one thing to add a layer of security, and another to turn it into a major nuisance because when people are faced with an impediment 9 times out of 10 they will go out of their way to fully remove it and you will end up with the overall worse security posture than if you dialed the nuisance factor down a couple of notches. Prime example of this are password policies. Let's say you demand:
And then you set their work PCs to lock after 5 minutes of being idle. What do you think will 90% of people do if they have to type those passwords dozens of times in their 8 hour shift? They will simply use passwords like Sorry for the slight off-topic rant, but these things are like the pet peeve of mine. |
There really is no such thing as "security" for any signal communications. As of last century certain entities were analyzing 20 TB per second via ThinThread. PRISM, Apple "disclosing" they had an agreement with the U.S. Government to not disclose to users agreements between that concern and the U.S. Government re user data, et al. |
That list is maintained by the Google Safe Browsing team and we use it without modifications in Brave (proxied of course). It's not currently something we have had the need to fork in Brave yet. |
Thanks for providing one more annoyance that we can't get rid of. I don't need you or google to hold my hand. My av can handle anything that's downloaded. This browser is becoming more and more frustrating for people who don't need YOU to decide what WE want to do on our own personal computers. |
Here's why THIS FEATURE FUC*ING SUCKS Yesterday I was at a customer's office dealing with an emergency Network Down situation. The firewall's flash memory had become corrupt and I had to access it using a console cable in a very difficult to reach location. It was a tense moment but I got it repaired. Our policy is to save copies of the running config for these types of situations. So I clicked the "download config" button, saw the download complete (or so I thought), climbed down from the ladder, packed up my bag and left. This morning, went to upload the config to our server for safekeeping and saw the file never made it to my disk. It was blocked & canceled because it was "insecure". THANKS GOOGLE. |
FWIW This might be the place to lodge your feedback on the record for download warnings Q4 2023 Summary from Chrome Security. |
@digitaldreamer7 @luckman212 Guys you are barking up the wrong tree here. Being abusive towards Brave devs doesn't really help — you are antagonizing the only people who can actually help us by making a browser which doesn't fully follow Google's (and Chromium's) bullshit policies like this one. In case you didn't read the full thread and just came to vent your anger here is a short summary:
So, if you are using Brave, you just need to be a bit patient. Thanking Brave devs for honoring a feature request and putting in the extra work to override the default Chromium behavior in order to allow us to disable download blocking wouldn't hurt either. |
Sorry - my frustration wasn't towards Brave or the devs who are working towards finding a good solution to this. Yes I was venting a bit—towards Google—because it was being discussed. I meant no disrespect. |
Description
Downloading .exe files now prompts for every file "This type of file can harm your computer" dialog (keep/discard).
Safe browsing is set to "No protection"
Steps to Reproduce
Download any .exe file from which ever site
Actual result:
As safe browsing is set to disabled AND this did not happen in the past something has either changed or is broken.
Expected result:
File should have been downloaded without being interrupted by the Keep/Discard dialog.
Reproduces how often:
100% over multiple machines
Brave version (brave://version info)
1.48.171 Chromium: 110.0.5481.177 (Official Build) (64-bit)
Version/Channel Information:
N/A
Yes
Other Additional Information:
No does not produce in Chrome.
Miscellaneous Information: