Yes, dynamic file creation is absolutely a feature of the web platform and has been for many years; it is available across HTML5 browsers. Beyond data URIs, you can use blob URIs to similar effect.

Chrome's SafeBrowsing and Download Protection features operate on all "Downloads", whether they originate from a remote URL or are dynamically generated on the client, as you can see in the attached screenshot.

If you found that Download Protection or SafeBrowsing were /not/ consulted for files generated in that manner, /that/ would be an interesting vulnerability report.

Deleted: Prompt.png 3.5 KB

	Prompt.png 3.5 KB View Download

Incidentally, if you don't want firefox to rename your file to funnygame.bat.txt, simply change "data:text/plain" to "data:application/octet-stream".

Yes, of course Download Protection is there, but it still looks to me a dangerous feature (of HTML5). This gives too much "power" to the client side and allows to trivially bypass any security perimeter solution. How perimeter solutions can fight that if browsers allow dynamic file creation...?? There's no way to stop that as the malware payload can be obtained (in very small pieces) from many side channels and then it can be reassembled in the locally created file... It is scaring. It opens a wide attack surface. I don't think that a feature is more or less secure just because it has been there for years... 
So, I understand from your response that there's no problem if I made this malware creation vector public and openly write about that. Isn't it?

Sure, feel free to talk about this; it's not in any way secret, and is a feature commonly used by popular sites. For instance, see https://en.wikipedia.org/wiki/Mega_(service)#Data_encryption as one service that dynamically generates downloads from JavaScript-built blob URLs.

Yes, it is clear that the feature it is not secret :). I mean the way this feature is exploited in my example for creating malware locally (thus bypassing all the perimeter based security solutions) is scaring. There have been a lot of "features" of javascript, HTML, and the HTTP protocol itself that have been there for years and massively used that at some point have been "hardened" in some way, some times improving RFC's, some times having browser vendors changing the way they implement RFC's, etc. You probably remember many years ago it was possible to do many things from Javascript that are nowadays not allowed (cross domain requests, access to HTTP headers, etc) just because those "features" where exploited many times with bad intentions by attackers to compromise systems. I could post many examples of such kind of "features" I used to exploit at that time that do not work nowadays. And this is good as many of those "features" where a bit bizarre in terms of security. This is how usually specs of technology get improved. It is not a matter of discussing if this is a widely used feature, it is a matter of thinking if this is a safe feature. Do you honestly think it is safe...? I don't think so... ;) Anyway I can understand that you, as browser vendor, can think that "this is not your problem". But this doesn't solves the root problem and my question: is it a safe feature? I absolutely think it is not. The same I used to think XMLHTTP was not safe may years ago and finally changes were made to have it a more secure implementation. Think that we are not talking about Java or Flash, we are talking about Javascript, something that every decent browser will support. Without Javascript the modern Internet is broken so I think it should be as much safe as we can. If browsers don't care about the whole picture (there's security life beyond OS and web browsers...) and forget about perimeter solution vendors then we have a problem... The Internet security is a responsibility and a team work of all of the actors. If we HTML5 allows arbitrary local file creation and browser vendors don't care about that then we can think about the next step of insecurity: directly allowing command execution from browsers... will you still think this is secure also? I know you give an alert from a locally generated file the same as if it was remotely downloaded, but this is not enough, and I'm pretty sure you agree with me. Will you allow local system commands execution protected only with a similar alert? No, for sure. 
So why don't we make some team effort and try to change this behavior? You as leading browser vendor have power to do this. I just can publish a paper with a cook-book of more elaborated exploitation examples that will be used in the wild to spread more malware but the Internet reaction will be very slow (the same happened with XMLHTTP and tons of exploits being published until vendors reacted...). Maybe we can go a step ahead and try to change this now. You can help on this. Let me know your impressions about that topic and sorry for the long post.    

Issue 899742 has been merged into this issue.

This (one year old paper) may help you understand the problem:
http://www.pentest.es/luturbia/chrome_welcomes_malware.pdf