Why is Google Safe Browsing is still enabled even after explicitly turning it off?

[guest271314]

I'm not sure the individual asking for feedback here https://bugs.chromium.org/p/chromium/issues/detail?id=1490891 understands all the information they are asking for is in OP.

I'm not interested in Google Safe Browsing, at all. I explicitly turned it off. None of it should be on, but some of it is.

[Zhanbang He]

hello, so hard to understand what you were talking about.

On Saturday, October 21, 2023, guest271314 <guest...@gmail.com> wrote:

I'm not sure the individual asking for feedback here https://bugs.chromium.org/p/chromium/issues/detail?id=1490891 understands all the information they are asking for is in OP.

I'm not interested in Google Safe Browsing, at all. I explicitly turned it off. None of it should be on, but some of it is.

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/b8ebc7c9-3d04-44d1-a6c0-ff04e3fc19b3n%40chromium.org.

[guest271314]

Hello. It's very simple. I turned off Google Safe Browsing in chrome://settings. When I checked chrome://safe-browsing parts of Google Safe Browsing are still enabled.

I don't want any parts of Google Safe Browsing enable at all.

That's why I explicitly turned off Google Safe Browsing in settings.

If Google Safe Browsing is enabled when I explicitly turn it off in chrome://settings either that setting is misleading or something is wrong in that Google Safe Browing is still enabled.

On Sat, Oct 21, 2023 at 8:13 PM Zhanbang He <hezha...@gmail.com> wrote:

hello, so hard to understand what you were talking about.

On Saturday, October 21, 2023, guest271314 <guest...@gmail.com> wrote:

I'm not sure the individual asking for feedback here https://bugs.chromium.org/p/chromium/issues/detail?id=1490891 understands all the information they are asking for is in OP.

I'm not interested in Google Safe Browsing, at all. I explicitly turned it off. None of it should be on, but some of it is.

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.

[Daniel Cheng]

I've already replied on the bug, but to reiterate, there are many experiments/prefs that are part of safe browsing. That page reports on *all* of them, whether or not the overall safe browsing feature is enabled or disabled. It's intended as an internal diagnostic page for developers working on Chrome itself or trying to debug issues with the safe browsing feature.

If you've disabled the safe browsing feature in settings *and* you have other evidence that safe browsing is still being used, I would consider that a bug.

Daniel

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CA%2BsyWAPEc16nnbz-dTWW5CWWP_Y8XhKS8Dd_U5xfbf9E-7w_zw%40mail.gmail.com.

[guest271314]

>  there are many experiments/prefs that are part of safe browsing. That page reports on *all* of them, whether or not the overall safe browsing feature is enabled or disabled. 

I disabled Google Safe Browsing deliberately. There shouldn't be any experiments going on at all under the umbrella of Safe Browsing. 

> If you've disabled the safe browsing feature in settings *and* you have other evidence that safe browsing is still being used, I would consider that a bug.

Sure right in the image at OP of the bug https://bugs.chromium.org/p/chromium/issues/attachment?aid=615444&signed_aid=oC9e3LjZVcfZRU27p_bnNA==&inline=1, e.g.,

Enabled: ClientSideDetectionModelIsFlatBuffer
Enabled: ClientSideDetectionTypeForceRequest
...
Enabled: SadeBrowsingExtensionTelemetry
...

I don't want anything associated with Google Safe Browsing enabled, period. That's why I turned the "feature" off, deliberately. 

The "Turn Off Safebrowsing" must be misleading, because the plain language of turn off does not mean to me 

> there are many experiments/prefs that are part of safe browsing. That page reports on *all* of them, whether or not the overall safe browsing feature is enabled or disabled. 

I want *all* of them turned off. That's why I turned off Gogle Safe Browsing. 

[K. Moon]

I think dcheng@ is saying that this is just a page that reports on current experiment settings, like the variations reported on chrome://version. 

That doesn't mean any of those experiments are being used, that's just the configuration that's applied when Safe Browsing is on.

dcheng@ is asking for evidence that the Safe Browsing feature is still on when turned off, which would be something like Chrome contacting backend services at Google related to Safe Browsing, not just an internal configuration report that isn't actually used.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/b10f5686-f70f-43bb-8d72-5341dc846a0an%40chromium.org.

[guest271314]

Compare turning off Motion sensors, Location, pop-ups for all sites in Settings. The plain language of off/disabled doesn;t mean, to me, that that off/disabled setting applies to all sites *except* Google. It means off/disabled, not on/enabled at all for all sites or "experiments" that I am not interested in.

[guest271314]

> That doesn't mean any of those experiments are being used, that's just the configuration that's applied when Safe Browsing is on.

> not just an internal configuration report that isn't actually used.

How am I supposed to know that the "internal" "feature" is not still enabled when the plain language says Enabled?

Then that report needs to reflect that those experiments are disabled, to avoid confusion.

[K. Moon]

I think a visual indicator is a reasonable ask, if only to reduce confusion. The internal Safe Browsing page presumably was meant for debugging only, and probably wasn't designed with user experience in mind.

I think another way to think about this whole issue: Can tell Safe Browsing is on without chrome://safe-browsing? If the page didn't exist, would you have any reason to think a bug existed? There are, after all, lots of variables within a browser that have no external UI surfaced.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/00ae4894-6248-4a7e-9abe-ffc05e2a2cd7n%40chromium.org.

[guest271314]

> The internal Safe Browsing page presumably was meant for debugging only, and probably wasn't designed with user experience in mind.

All chrome://* URL's are for debugging. I'm not talking about a user experience. I'm talking about accurately reporting what is enabled and what is not enabled. 

It is not outside the scope of verifying a browser does what it says it does and does not do what it is not supposed to do to retrieve all possible information about what is being tested, then draw a logical conclusion.

I know that Google Safe Browsing was at one point, and still is used to "scan" files downloaded and files written to the local file system with FileSystemWritableFileStream of File System Access API. 

So it's rational to ask if I deliberately turned that "feature" off, as the setting itself says: "off", if files are still being scanned by Google Safe Browsing anyway, after all, the only indication that I have from the application (Chrom, Chromium) is that some ("internal") "features" are "Enabled". 

> I think another way to think about this whole issue: Can tell Safe Browsing is on without chrome://safe-browsing? If the page didn't exist, would you have any reason to think a bug existed? There are, after all, lots of variables within a browser that have no external UI surfaced.

You raise an interesting question here. 

Who said I wanted Google Safe Browsing enabled by default anyway? 

Yes, I would find another way to try to verify if the "feature" was on/implemented/behind one or more flags, by testing. I would read the source code, read the contents of the extracted Chrome/Chromium .zip folder before, during, after launching the application.

Just like I found out that Chrome's implementation of Web Speech API speechSynthesis.speak() - when Google voices are used - sends the users' text to remote servers, and that server sends back an audio file. Similarly for webkitSpeechRocognition the users' PII, their voice, is recorded and sent to remote servers for processing, then the transcript is sent back to the browser. I don't think those facts are documented anywhere.

What I know for certain is noboy knows what Google does with the users' PII biometric data, their recorded voice, when said recording gets to Google's remote servers. Google doesn't say what it does with those user PII voice recordings.

Why would Chromium developers even consider making a user, content, extension, et al. tracking system unobservable to the user? 

[guest271314]

Some evidence that something in Chrome is scanning files is when I download Chrome-For-Testing using open() the executable bits of chrome and chrome-wrapper, et al. are stripped. That doesn't happen when I fetch the zip file using wget or curl.

[PhistucK]

Unless I misunderstand - would that not be just being a good citizen of the operating system (marking things downloaded from the internet as such)?

Or are you talking about something else?

☆PhistucK

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/bf6bf2ca-e863-41ce-8d0c-b0ad54764892n%40chromium.org.

[Greg Thompson]

On Sun, Oct 22, 2023 at 5:09 PM guest271314 <guest...@gmail.com> wrote:

> The internal Safe Browsing page presumably was meant for debugging only, and probably wasn't designed with user experience in mind.

All chrome://* URL's are for debugging. I'm not talking about a user experience. I'm talking about accurately reporting what is enabled and what is not enabled. 

It is not outside the scope of verifying a browser does what it says it does and does not do what it is not supposed to do to retrieve all possible information about what is being tested, then draw a logical conclusion.

I know that Google Safe Browsing was at one point, and still is used to "scan" files downloaded and files written to the local file system with FileSystemWritableFileStream of File System Access API. 

So it's rational to ask if I deliberately turned that "feature" off, as the setting itself says: "off", if files are still being scanned by Google Safe Browsing anyway, after all, the only indication that I have from the application (Chrom, Chromium) is that some ("internal") "features" are "Enabled". 

> I think another way to think about this whole issue: Can tell Safe Browsing is on without chrome://safe-browsing? If the page didn't exist, would you have any reason to think a bug existed? There are, after all, lots of variables within a browser that have no external UI surfaced.

You raise an interesting question here. 

Who said I wanted Google Safe Browsing enabled by default anyway? 

Yes, I would find another way to try to verify if the "feature" was on/implemented/behind one or more flags, by testing. I would read the source code, read the contents of the extracted Chrome/Chromium .zip folder before, during, after launching the application.

Just like I found out that Chrome's implementation of Web Speech API speechSynthesis.speak() - when Google voices are used - sends the users' text to remote servers, and that server sends back an audio file. Similarly for webkitSpeechRocognition the users' PII, their voice, is recorded and sent to remote servers for processing, then the transcript is sent back to the browser. I don't think those facts are documented anywhere.

https://www.google.com/chrome/privacy/whitepaper.html#speech

 

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/78c5c2a5-f82e-4b09-ac97-ee169d1e6623n%40chromium.org.

[Lei Zhang]

On Sun, Oct 22, 2023 at 8:09 AM guest271314 <guest...@gmail.com> wrote:
>
> > The internal Safe Browsing page presumably was meant for debugging only, and probably wasn't designed with user experience in mind.
>
> All chrome://* URL's are for debugging. I'm not talking about a user experience. I'm talking about accurately reporting what is enabled and what is not enabled.

Not all chrome:// URLs are for debugging. For example, ctrl + h and
ctrl + shift + o opens chrome://history and chrome://bookmarks,
respectively. Those are user facing UIs. In comparison,
chrome://safe-browsing is not user facing. I don't know of any normal
menu / keyboard shortcut that would navigate there.

[guest271314]

> Unless I misunderstand - would that not be just being a good citizen of the operating system (marking things downloaded from the internet as such)?

> Or are you talking about something else?

No. 

I didn't ask for Google or Mozilla to scan and tamper with my files and arbitrarily remove data. 

What this results in is Chrome stripping the file metadata from Chrome when I download in the browser. So Chrome thinks Chrome is a suspect download and preemptively removed the executable bits. 

I can decide what I want to do with my own files I download, thank you.

[guest271314]

> Not all chrome:// URLs are for debugging. For example, ctrl + h and
ctrl + shift + o opens chrome://history and chrome://bookmarks,
respectively. Those are user facing UIs. In comparison,
chrome://safe-browsing is not user facing. I don't know of any normal
menu / keyboard shortcut that would navigate there.

Developers in the field are well aware of chrome://* URL's.

It's trivial to type chrome: in the omnibox and for chrome://chrome-urls to pop up. 

It's hard to fathom why the question of whether or not chrome://* URL's are discoverable in the wild or not by developers is neing raised. That's not the issue. 

The issue is the erroneous Enabled on chrome://safe-browsing IF those notifications are erroneous and Google Safe Browsing if in fact disabled like I set it to be. OR Google Safe Browsing is still on. There's no way to know for sure due to the report page printing Enabled for certain "internal" experiments, etc. - and the ZIP files I download are being stripped of executable bits, including Chrome-For-Testing itself.

[guest271314]

Greg Thompson,

> https://www.google.com/chrome/privacy/whitepaper.html#speech

Thanks!

That's the first time I've seen that in Google documentation for the years I've been experimenting with Web Speech API. That's also why I filed this Release TTS and STT source code and Google voices as FOSS.

[guest271314]

Is are Chromium developers stating here that when I turn off/disable Google Safe Browsing in chrome://settings (probably the first place where chrome://* URL's are discoverable for Chromium and Chrome users who are not developers) is Google Safe Browsing completely off?

Is Google Safe Browsing really turned off for 

- Scanning and altering downloads (files, folders, archives)

- Scanning and altering files, folders written with FileSystemWritableFileStream of File System Access API (Native File System API) (WICG) and File System Standard (WHATWG)?

I'm skeptical because of the multiple Enabled here on chrome-safe-browsing - and the Chrome-For-Testing ZIP file I download gets stripped of executable bits. 

I want Google Safe Browsing COMPLETELY OFF. I can manage my own downloads and file writing locally. I want no parts of Google Safe Browsing. That's why I deliberately turned it off.

Preferences

Enabled: safebrowsing.extended_reporting_opt_in_allowed

Experiments

Enabled: ClientSideDetectionModelIsFlatBuffer
Enabled: ClientSideDetectionTypeForceRequest
Disabled: SafeBrowsingDelayedWarnings
Enabled: DownloadBubble
Enabled: DownloadBubbleV2
Enabled: DownloadTailoredWarnings
Enabled: SafeBrowsingExtensionTelemetryDisableOffstoreExtensions
Enabled: SafeBrowsingExtensionTelemetryFileData
Enabled: SafeBrowsingExtensionTelmetryInterceptRemoteHostsContactedInRenderer
Enabled: SafeBrowsingExtensionTelemetryPotentialPasswordTheft
Enabled: SafeBrowsingExtensionTelemetryReportContactedHosts
Enabled: SafeBrowsingExtensionTelemetryReportHostsContactedViaWebsocket
Enabled: SafeBrowsingExtensionTelemetryTabsApiSignal
Enabled: SafeBrowsingExtensionTelemetryTabsExecuteScriptSignal
Enabled: SafeBrowsingHashPrefixRealTimeLookups
Enabled: SafeBrowsingHashRealTimeOverOhttp
Enabled: ImprovedDownloadBubbleWarnings
Enabled: MmapSafeBrowsingDatabase
Enabled: SafeBrowsingArchiveImprovements
Enabled: SafeBrowsingCsbrrNewDownloadTrigger
Enabled: SafeBrowsingLookupMechanismExperiment
Enabled: SafeBrowsingSkipSubResources
Enabled: SafeBrowsingSkipSubResources2
Enabled: SafeBrowsingSevenZipEvaluationEnabled
Enabled: SafeBrowsingStrictDownloadtimeout
Enabled: SafeBrowsingSuspiciousSiteTriggerQuota
Enabled: TailoredSecurityIntegration

Policies

safebrowsing.safe_browsing_whitelist_domains:
safebrowsing.password_protection_change_password_url:
safebrowsing.password_protection_warning_trigger: 0
safebrowsing.password_protection_login_urls:
safebrowsing.real_time_download_protection_request_allowed_by_policy: true
safebrowsing.csd_phishing_protection_allowed_by_policy: true
safebrowsing.extension_protection_allowed_by_policy: true
safebrowsing.hash_prefix_real_time_checks_allowed_by_policy: true
safebrowsing.surveys_enabled: true

[guest271314]

By the way, why is Google Safe Browsing still using the term "whitelist" here safebrowsing.safe_browsing_whitelist_domains:?

- https://chromium.googlesource.com/chromium/src/+/HEAD/styleguide/inclusive_code.md#racially-neutral-example-changelists

- https://crbug.com/842296

[Daniel Cheng]

(sorry resending this from my chromium.org account, since it bounced from the mailing list)

I'm going to answer what I can inline. However, chromium-dev@ is a list with wide distribution, and there are quite a few topics getting entangled in here. If you have feedback or bugs about Chrome, filing issues at https://crbug.com/new is a better way.

> By the way, why is Google Safe Browsing still using the term "whitelist" here safebrowsing.safe_browsing_whitelist_domains:?

Preferences are persisted to storage. Renaming them is non-trivial and potentially error-prone and requires maintaining migration code for long periods of time.

> Is are Chromium developers stating here that when I turn off/disable Google Safe Browsing in chrome://settings (probably the first place where chrome://* URL's are discoverable for Chromium and Chrome users who are not developers) is Google Safe Browsing completely off?

Yes; if you set "Safe Browsing" to disabled, all safe browsing features are disabled. As I mentioned on the bug, if you discover a case where this does not happen, that is a bug.

> The issue is the erroneous Enabled on chrome://safe-browsing IF those notifications are erroneous and Google Safe Browsing if in fact disabled like I set it to be. OR Google Safe Browsing is still on. There's no way to know for sure due to the report page printing Enabled for certain "internal" experiments, etc. - and the ZIP files I download are being stripped of executable bits, including Chrome-For-Testing itself.

The "enabled" indications on the chrome://safe-browsing page are *not* erroneous. They are a reflection of the internal state, and the target is a developer working on Chrome that needs the page to accurately reflect the internal state. It is not intended to be used as a canonical source for "is safe browsing enabled". That is what chrome://settings is for.

If you set Safe Browsing to disabled in the Settings UI, it is off.

> What this results in is Chrome stripping the file metadata from Chrome when I download in the browser. So Chrome thinks Chrome is a suspect download and preemptively removed the executable bits.

This isn't related to safe browsing or even Chrome specifically. URL requests (and responses) don't encode Posix access permissions. Chrome isn't removing the executable bits, because it never knew about them to begin with. `curl` and other similar utilities do not mark files as executable by default either; that's why many installation scripts (e.g. Rust's) download the installation script with curl but pipe the result into sh.

Daniel

--

--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/e5c5d775-a318-4265-8455-d5462bc6af20n%40chromium.org.

[K. Moon]

I think guest271314@ has mentioned previously that they were banned from the bug tracker, so they just take everything to the mailing list instead. Not really an ideal outcome.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CAF3XrKqWn8oxtpBxXzJsw8WPE-5Ly%3DnjNeSsD%3DcqmYf_M8F%3D2w%40mail.gmail.com.

[guest271314]

Thanks for your reply. 

curl and wget do maek the files as executable on Linux.

On Tue, Oct 24, 2023 at 12:58 AM Daniel Cheng <dch...@google.com> wrote:

I'm going to answer what I can inline. However, chromium-dev@ is a list with wide distribution, and there are quite a few topics getting entangled in here. If you have feedback or bugs about Chrome, filing issues at https://crbug.com/new is a better way.

> By the way, why is Google Safe Browsing still using the term "whitelist" here safebrowsing.safe_browsing_whitelist_domains:?

Preferences are persisted to storage. Renaming them is non-trivial and potentially error-prone and requires maintaining migration code for long periods of time.

> Is are Chromium developers stating here that when I turn off/disable Google Safe Browsing in chrome://settings (probably the first place where chrome://* URL's are discoverable for Chromium and Chrome users who are not developers) is Google Safe Browsing completely off?

Yes; if you set "Safe Browsing" to disabled, all safe browsing features are disabled. As I mentioned on the bug, if you discover a case where this does not happen, that is a bug.

> The issue is the erroneous Enabled on chrome://safe-browsing IF those notifications are erroneous and Google Safe Browsing if in fact disabled like I set it to be. OR Google Safe Browsing is still on. There's no way to know for sure due to the report page printing Enabled for certain "internal" experiments, etc. - and the ZIP files I download are being stripped of executable bits, including Chrome-For-Testing itself.

The "enabled" indications on the chrome://safe-browsing page are *not* erroneous. They are a reflection of the internal state, and the target is a developer working on Chrome that needs the page to accurately reflect the internal state. It is not intended to be used as a canonical source for "is safe browsing enabled". That is what chrome://settings is for.

If you set Safe Browsing to disabled in the Settings UI, it is off.

> What this results in is Chrome stripping the file metadata from Chrome when I download in the browser. So Chrome thinks Chrome is a suspect download and preemptively removed the executable bits.

This isn't related to safe browsing or even Chrome specifically. URL requests (and responses) don't encode Posix access permissions. Chrome isn't removing the executable bits, because it never knew about them to begin with. `curl` and other similar utilities do not mark files as executable by default either; that's why many installation scripts (e.g. Rust's) download the installation script with curl but pipe the result into sh.

Daniel

On Mon, 23 Oct 2023 at 22:56, guest271314 <guest...@gmail.com> wrote:

--

--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/e5c5d775-a318-4265-8455-d5462bc6af20n%40chromium.org.

[Joshua Pawlicki]

Can you clarify, are you expecting to see the executable bit set on the Chrome-for-Testing .zip file itself? Or are you talking about the file permissions for the files within the zip?

If you could post the curl or wget command you're using, I'd be curious to see it. For example, I would expect

curl -Ls https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/120.0.6089.0/linux64/chrome-linux64.zip -o chrome-linux64.zip && stat -f %p chrome-linux64.zip

to output something like 644 or 600, not 755 nor 700.

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+unsubscribe@chromium.org.

[guest271314]

Sure

wget

wget --show-progress --progress=bar --output-document chrome.zip https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/120.0.6084.0/linux64/chrome-linux64.zip && unzip chrome.zip && rm chrome.zip

Deno

var json = await (await fetch(
  "https://googlechromelabs.github.io/chrome-for-testing/last-known-good-versions-with-downloads.json",
)).json();

var {
  url,
} = json.channels.Canary.downloads.chrome.find(({
  platform,
}) => platform === "linux64");
var request = await fetch(
  url,
);
var ab = await request.arrayBuffer();
await Deno.writeFile("chrome-linux64.zip", new Uint8Array(ab));

For Chromium

wget --show-progress --progress=bar --output-document chrome.zip https://download-chromium.appspot.com/dl/Linux_x64?type=snapshots && unzip chrome.zip && rm chrome.zip

Deno

curl --fail --location --progress-bar --output deno.zip https://github.com/denoland/deno/releases/latest/download/deno-x86_64-unknown-linux-gnu.zip && unzip deno.zip && rm deno.zip

QuickJS

curl --fail --location --progress-bar --output quickjs.zip https://bellard.org/quickjs/binary_releases/quickjs-linux-x86_64-2021-03-27.zip

Bun

wget --show-progress --progress=bar --output-document bun.zip https://github.com/oven-sh/bun/releases/latest/download/bun-linux-x64-baseline.zip && unzip bun.zip && rm bun.zip && mv bun-linux-x64-baseline/bun `pwd` && rmdir bun-linux-x64-baseline

gist of what I am doing re Chrome-For-Testing, (which by the way, trying to navigate to Settings on Canary crashes). I am using JSZip to extract the ZIP file, which has its own issues, and File System Access API to reconstructur the folders and files

https://gist.github.com/guest271314/09733eaa2de16bd79f01d41de41ce843

When I fetch the node nightly executable standalone using File System Access API I have to set the node executable before downloading. Prior to the change in Chromium File System Access API always overwrote the permissions of the file, see https://bugs.chromium.org/p/chromium/issues/detail?id=1166751, https://github.com/guest271314/download-node-nightly-executable/blob/main/index.html

touch node

chmod +x node

Why I suspect File System Access API and Goold Safe Browsing might also be involved, https://bugs.chromium.org/p/chromium/issues/detail?id=1168715#c17

> The problem here is indeed that our security team really wants us to perform safe browsing analysis of written files, before the files are available with their normal file name/extension (it is also for this reason that downloads are written to a temporary file, and only renamed once safe browsing checks pass).

The idea is to update Chrome-For-Testing to the latest Canary or Developer buils from and using Chrome-For-Testing. That seems reasonable. 

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.

[guest271314]

>  Or are you talking about the file permissions for the files within the zip? 

The files within the ZIP. The same way that chrome, et. al. 

find `pwd` -executable -type f > executables.txt

xdg-settings
xdg-mime
nacl_irt_x86_64.nexe
nacl_helper_bootstrap
nacl_helper
libvulkan.so.1
libvk_swiftshader.so
libGLESv2.so
libEGL.so
chrome_sandbox
chrome_crashpad_handler
chrome-wrapper
chrome

are executable when I fetch with curl, wget, Deno, and extract with unzip.

[K. Moon]

This discussion group is for discussing Chromium development, not for Google product decisions. If you have feedback about Google Chrome, you should report that feedback directly to the product feedback channels for Google Chrome.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/c222fe56-f756-40b1-8407-81dc928b6a1fn%40chromium.org.

[K. Moon]

(I meant to post this to the other thread, not sure how I ended up posting this here.)

[Greg Thompson]

On Thu, Oct 26, 2023 at 6:46 AM guest271314 <guest...@gmail.com> wrote:

The idea is to update Chrome-For-Testing to the latest Canary or Developer buils from and using Chrome-For-Testing.

Since human language is so imprecise, I just want to make sure that there's no confusion as to what Chrome for Testing is and isn't for. The sentence above makes me wonder if you have the impression that Chrome for Testing exists so that developers can "kick the tires" of Chrome and test Chrome itself. If so, please see my previous message on this topic. If not, feel free to disregard this message.