VERSION
Chrome Version: 66.0.3359.139 Stable (64-bit) +  67.0.3396.30 Dev (64-bit)
Operating System: Windows 10 Pro 1803 Build 17134.1

REPRODUCTION CASE
1. Open sample.html
2. Right click on any link and select "Save Link As". Click "Save"
3. Execute the downloaded .py/.bat file, which should download the sample pua.exe from https://testsafebrowsing.appspot.com/s/pua.exe ( Files are embedded as data URLs in the html file )
4. Confirm that "pua.exe" is in your Downloads folder

I am not sure if this is expected behavior for these file types, but since the settings for these files ( seen at https://cs.chromium.org/chromium/src/chrome/browser/resources/safe_browsing/download_file_types.asciipb ) are similar to those for "exe" or "zip" files, for which this doesn't happen, I figured I'd ask. I understand these are text files, and it might annoy developers if they got a prompt every time they downloaded a .py file, but these are also ( conditionally ) executable files, especially python files, which won't trigger the UAC prompt. 

The Download Protection Ping increments, but since these are text files, they can easily be changed and don't require signing, so I wasn't sure if this would be considered dangerous or not.


 

Deleted: sample.html 620 bytes

sample.html 620 bytes View Download