This site is attempting to download multiple files

Kodak

May 27, 2010, 3:12:20 PM
to Chromium-discuss
We need to make it configurable guys - there are sites used only for
downloading/sharing files like rapidshare.com or similar. What is the
method behind? When this warning is shown?

Nico Weber

May 27, 2010, 4:59:16 PM
to krzyszto...@gmail.com, Chromium-discuss
This is shown if a page starts more than one download without user intervention. It's not configurable. Just click "Allow" on the infobar and all downloads will be stored.

Google "carpet bombing" for why this is necessary.

Nico


--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
   http://groups.google.com/a/chromium.org/group/chromium-discuss

Kodak

May 31, 2010, 2:51:46 AM
to Chromium-discuss
I googled for "carpet bombing" but I think we talk about different
things. If I understand correctly "carpet bombing" was about
downloading executables without user's authority. But here chrome
blocks content by type and some content needs to be confirmed that it
is safe. However I still do not see a reason for the browser to block
downloading a safe content?

On 27 May, 22:59, Nico Weber <tha...@chromium.org> wrote:
> This is shown if a page starts more than one download without user
> intervention. It's not configurable. Just click "Allow" on the infobar and
> all downloads will be stored.
>
> Google "carpet bombing" for why this is necessary.
>
> Nico
>
>
>
> On Thu, May 27, 2010 at 12:12 PM, Kodak <krzysztof.cho...@gmail.com> wrote:
> > We need to make it configurable guys - there are sites used only for
> > downloading/sharing files like rapidshare.com or similar. What is the
> > method behind? When this warning is shown?
>
> > --
> > Chromium Discussion mailing list: chromium-disc...@chromium.org

Simon B.

May 31, 2010, 5:01:53 AM
to Chromium-discuss
On May 31, 8:51 am, Kodak <krzysztof.cho...@gmail.com> wrote:
> If I understand correctly "carpet bombing" was about
> downloading executables without user's authority.
Carpet bombing (without looking it up) to me means downloading more
files than I would want. I've never seen a site that does multiple
downloads, but perhaps a flickr or picasa web album could make use of
a multi-download feature.
It's very unlikely that Chrome would simply remove the limit on
multiple downloads. Also the downloading user experience might not be
that highly prioritized, but users could perhaps make it prioritized.
I guess no good download managers for Chrome exist? And for sites like
rapidshare I guess it is by design they make sure that no download
managers should be usable; instead rapidshare sell prioritized access
and perhaps have some built-in download manager instead?

That being said; I do agree that the download feature of Chrome isn't
impressive in any way. Perhaps an experimental javascript API to hook
in just before the multi-download-warning and before the download bar
gets shown could be an easy path to solve your specific problem at
least temporarily. An experimental API would also allow javascript-
programmers to create mock-ups of how a download manager could look
and behave.

If I could have API access, I would:

- replace the full length download bar (shelf) at the browser bottom
with something simpler that can be extended to a more complete
vertical list view, grouping downloads by site and optionally page
within the site, in case I have several downloads from same site. The
simplest download indicator I can imagine is a spinner animation with
a number showing how many files are still not finished downloading.
The number inside the spinner shows only when there is more than one
download going on. The spinner could perhaps work like the existing
chrome download spinner/indicator.

- replace confirm-buttons with something intelligent:
* For many websites I might want to accept with "Yes, always for
this website"
* The dangerous/executable file warning just shows a cropped
filename, so not much for me to go on in deciding. So I always accept.
This could be replaced with something more intelligent.

- file integrity checking -- some download sites offer md5/sha1 codes
to verify the file. For those it could be OK to download the file
silently (no executable/dangerous warnings), then verify md5/sha1, do
virus checking (perhaps optionally even do this early, looking up the
declared sha/md5 in an online virus DB?). If nothing seems wrong the
file is shown 100% DONE and is made available as usual; but if
something is wrong then a short easy to read message can be shown.


How *you* would like a perfect browser to behave when downloading
files?

Are there some download managers that you like, and what is great
about them? I tried GetRight in the 90:s, but haven't since felt the
need for a download manager. In the old days you would typically need
to restart a download many times over before you would get the
complete file, and maybe modern browsers do exactly this silently and
invisibly.

Krzysztof Chodak

May 31, 2010, 5:59:10 AM
to Simon B., Chromium-discuss
You are right that "carpet bombing" name means something different than described in some googled articles (f.e. http://www.zdnet.com/blog/security/google-chrome-vulnerable-to-carpet-bombing-flaw/1843). I just wanted to know rationale behind this feature - that is why I was googling for it. Personally I have never seen a site trying to dump multiple files on me but maybe I am browsing safely.

My problem is with rapidshare - it is true that paid service has its own download manager but free service does not so there are extensions that automate all waiting/clicking between allowed downloads. Here Chrome's mechanism is a bit awkward: there is no bombing but only single download per about an hour.

The simplest solution would be a whitelist similar to popup blocker's one as You have already proposed. I do not expect anyone to prepare that experimental API for javascript and I am not a chrome developer (at least yet).

Re downloads in general: I think many are waiting for downloads API that is already defined. I am happy with Chrome's current downloads GUI however I wait for this API from possible extensions perspective.

Re security in general: am I right that currently there is no option in javascript to run a file that was downloaded? One thing that comes to my mind is a usage of ActiveX components but quick googling gives me the information that it is not supported by Chrome. So then from a Chrome perspective there is no vulnerability even if user downloads malicious code as there is no (at least official) way to run it afterward, correct? I know that user can always double click and run it but it is always his own decision.



Simon B.

May 31, 2010, 7:50:00 AM
to Krzysztof Chodak, chromium-discuss
> Re security in general: am I right that currently there is no option in javascript to run a file that was downloaded? One thing that comes to my mind is a usage of ActiveX components but quick googling gives me the information that it is not supported by Chrome.

It is surely by design that you can't download and run an executable file automatically (or through any kind of script) -- that would mean an extreme virus risk. If you would find some way it can be done, contact Google via the chromium security page and you might earn some money, as well as helping to keep Chrome users safe.
 
> So then from a Chrome perspective there is no vulnerability even if user downloads malicious code as there is no (at least official) way to run it afterward, correct? I know that user can always double click and run it but it is always his own decision.

One possible problem is if a website (or advertisement) shows a link to a free "image" or "video" download, which is actually an executable. If it's not obvious from the icon in the download shelf, then at least the extra warning about executables might help you realize you received a program instead of the expected media file. But it's quite a long shot; I don't really know who (if anyone) is really helped by the extra confirmation/warning for executable files.

Krzysztof Chodak

May 31, 2010, 8:00:06 AM
to Simon B., chromium-discuss
Mechanism should be more worrisome than simple yes/no question :)

Coming back to main point about downloading many files I still see no real threat there however I agree that "always allow for this site" option would solve it definitely (if it will allow * wildcards).
Another small problem is that Chrome is actually starting that consequent download but then stalls when it is about 1MB with a question to user. My guess is that if the files that site is trying to auto-download/bomb user with are smaller than that 1MB this mechanism will be useless/won't be triggered... :)
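
The rule described earlier in this thread (prompt once a page starts more than one download without user intervention, and store all downloads after "Allow"), combined with the "always allow for this site" wildcard list proposed above, can be modelled as below. This is an added example, not part of the thread and not Chromium's code; the class, method and state names, the per-host bookkeeping and the `*.` wildcard syntax are assumptions.

```javascript
// Simplified model for illustration; not Chromium's implementation.
// All names here are hypothetical.
const Decision = Object.freeze({ ALLOW: "allow", PROMPT: "prompt", BLOCK: "block" });

// "*." matches whole DNS labels only, so "*.example.com" covers
// "cdn.example.com" but not "evilexample.com" or "example.com" itself.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // ".example.com"
    return h.length > suffix.length && h.endsWith(suffix);
  }
  return p === h;
}

class DownloadThrottle {
  constructor(alwaysAllow = []) {
    this.alwaysAllow = alwaysAllow; // "always allow for this site" patterns
    this.sites = new Map();         // host -> { auto, answer }
  }

  entry(host) {
    if (!this.sites.has(host)) this.sites.set(host, { auto: 0, answer: null });
    return this.sites.get(host);
  }

  // Called for each download a page starts. userGesture is true when the
  // download directly follows a click or key press.
  request(host, userGesture) {
    if (this.alwaysAllow.some((p) => hostMatches(p, host))) return Decision.ALLOW;
    const s = this.entry(host);
    if (userGesture) { s.auto = 0; return Decision.ALLOW; }
    if (s.answer) return s.answer;  // remembered infobar answer
    s.auto += 1;
    return s.auto === 1 ? Decision.ALLOW : Decision.PROMPT;
  }

  // Record the user's infobar choice for this host.
  answer(host, allowed) {
    this.entry(host).answer = allowed ? Decision.ALLOW : Decision.BLOCK;
  }
}
```

The label-boundary check in `hostMatches` is what keeps a wildcard exemption from extending to a look-alike host that merely ends in the same characters.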

Kodak

Jun 25, 2010, 2:53:33 AM
to Chromium-discuss
I'm trying to locate this downloads blocking code in chromium source
but with no luck
http://www.google.com/codesearch?hl=pl&lr=&q=%22This+site+is+attempting+to+download+multiple+files%22+package:src.chromium.org/svn/trunk&sbtn=Szukaj
Can somebody help me with that?
I have now a suspicion that this "allow" permission works only till
noon but I want to verify it.

On 31 May, 14:00, Krzysztof Chodak <krzysztof.cho...@gmail.com> wrote:

PhistucK

Jul 4, 2010, 4:16:14 AM
to krzyszto...@gmail.com, Chromium-discuss
Try asking at chromium-dev.

☆PhistucK

