
Issue 614685

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug




PDF files in Chrome for Android still download after clicking cancel on "external program" dialog in incognito mode

Reported by resea...@nightwatchcybersecurity.com, May 25 2016

Issue description

VULNERABILITY DETAILS
When using Chrome in incognito mode, and hitting a PDF file, a warning about an external program comes up. Clicking on "cancel" still downloads the file.

VERSION
Chrome Version: 50.0.2661.89
Operating System: Android 6.0, Patch level January 1, 2016

REPRODUCTION CASE
1. Go into incognito mode.
2. Search for "irs pdf 1040".
3. Click on result.
4. Click on cancel on "external warning" dialog.
5. Observe the file download anyway.




 

Comment 1 by mea...@chromium.org, May 25 2016

Cc: battre@chromium.org
Components: UI>Browser>Incognito Privacy
Labels: OS-Android
Status: WontFix (was: Unconfirmed)
The external program warning is a privacy measure to prevent leaking user's identity to the external app. Downloading the file doesn't have the same privacy implications, so I don't think there is a vulnerability here. Adding Privacy label and CC'ing battre@ in case he has comments, but I'll close this bug otherwise.

Also please note that this dialog is currently being discussed at bug 587306.

Comment 2 by battre@chromium.org, May 27 2016

I agree in the sense that Chrome is very explicit that files downloaded in incognito mode stay on your disk.

However, I tried this out and observed that the download is triggered AFTER the user has pressed cancel. This is indeed surprising.

Our report is specifically about the fact that hitting the cancel button still downloads.

Comment 4 by mea...@chromium.org, May 27 2016

Labels: -Restrict-View-SecurityTeam
Status: Available (was: WontFix)
Happy to reopen the bug, but it seems to me that downloading the file after clicking cancel doesn't have any security or privacy implications, but rather a functional issue.

I'm hesitant to say downloading the file is a bug though. I can imagine users would be confused if they click on a pdf, say "no" to open the pdf in an external dialog and then end up with Chrome doing nothing, assuming they intended to download the pdf in the first place.

Does this only happen with pdf files?
Yes. We tested with other file types and it only happens with PDFs. Maybe some sort of carryover from the desktop browser, which has a built-in PDF viewer while Android does not?

Comment 6 by mea...@chromium.org, May 27 2016

Cc: tedc...@chromium.org
Labels: -Type-Bug-Security Pri-2 Type-Bug
Thanks, I'm not sure about the reason either.

+tedchoc from bug 587306

Comment 7 by mea...@chromium.org, May 27 2016

Summary: PDF files in Chrome for Android still download after clicking cancel on "external program" dialog in incognito mode (was: PDF files in Chrome for Android ignore "external program" dialog in incognito mode)
</bad attempt at renaming the bug>

Comment 9 by battre@chromium.org, May 30 2016

I kind of sympathize with comment 4. If the behavior were changed, there would be no way to download a PDF file in incognito mode, right?
Cc: qin...@chromium.org
Adding qinmin@ for downloads.

I think it is very similar to the bug linked in #6. The dialog is just confusing, but it is specifically about launching external applications.

If you click on a link to maps.google.com, you get warned that you're about to leave Chrome for another application. If you hit cancel, you are still navigated to the webpage. I would argue that that experience is just as odd as the one described here. One is a download action, one is a navigation action. Both do "something" on cancel.
Maybe cancelling the app chooser dialog should be considered as cancelling the navigation?
But then the user has to always choose "chrome" from the app chooser if we really want the navigation to continue.
@#11, that was actually the previous behavior. I like that there is an option to stay in Chrome, but the wording is IMO confusing. If I recall, no one could come up with concise language for the action that would proceed in Chrome, so we stuck with Cancel.

"Continue in Chrome" or "Stay in Chrome" are both quite lengthy. Until there is an outcome on crbug.com/587306, then I think we should hold off on anything.
Cc: ya...@nightwatchcybersecurity.com

Comment 14 by sheriffbot@chromium.org, Apr 13 2018

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: WontFix (was: Untriaged)
Can't reproduce. I don't see an external program warning.
