See IsFromTrustedSource in https://cs.chromium.org/chromium/src/chrome/browser/download/trusted_sources_manager_win.cc?l=29&rcl=257f778c824dd36bd8896d120d6c6b006f117f51

(Although that would only explain Windows, not Mac)

Ah, perhaps https://cs.chromium.org/chromium/src/chrome/browser/safe_browsing/client_side_detection_service.h?l=109&rcl=257f778c824dd36bd8896d120d6c6b006f117f51

  // Returns true if the given IP address string falls within a private
  // (unroutable) network block.  Pages which are hosted on these IP addresses
  // are exempt from client-side phishing detection.  This is called by the
  // ClientSideDetectionHost prior to sending the renderer a
  // SafeBrowsingMsg_StartPhishingDetection IPC.
  //
  // ip_address should be a dotted IPv4 address, or an unbracketed IPv6
  // address.

#3 makes this sound like this is working as intended? Can anyone confirm that?

On Windows .sh is not considered dangerous. Pings should still be getting sent, but the file won't be marked as dangerous if the SafeBrowsing service gives a verdict of UNKONWN.

On macOS, I can confirm that the pings do get sent for localhost:{3000,5000}. If SafeBrowsing returns UNKNOWN (i.e. the service doesn't have enough information to say whether this file is bad), then the warning should show up unless you've visited the host frequently[1]. But again, you should be seeing pings in the form of increments at bucket #27 in SBClientDownload.CheckDownloadStats (27 means UNKOWN).


[1]: E.g. If you try downloading test.sh from localhost:<port> where localhost:<port> is a host you haven't visited on your current browser profile, then you should see a warning. I think this may explain the discrepancies in prompting that you are seeing.

Thanks, looks interesting
I've tested this on a freshly installed Chromium and it works(i.e. download is blocked)

Just interesting, what was the reason to implement this behavior?
i.e., same-origin download from trusted host is blocked, while cross-origin download isn't

Status -> WontFix. The current behavior is WAI and this issues doesn't uncover any previously unknown risks.

#6: The behavior is based on the origin of the download and not whether the request that initiated the download was cross origin or not. There's no CORS restriction for downloads.

Chrome has an additional heuristic for some potentially dangerous file types where we suppress the warning if both the following are true:
  a) The download was initiated via a user gesture (e.g. a click)
  b) The user has visited the download's host prior to the date of the download.

This goal of this heuristic is to remove prompting for files that are downloaded frequently from a well known source (e.g. maybe you download ".sh" files from some staging site every day). The file types for which this heuristic applies are those that are marked as ALLOW_ON_USER_GESTURE in download_file_types.asciipb [1] (the format and an explanation of that file is at [2]).

I hope this clarifies what's going on.

[1]: https://chromium.googlesource.com/chromium/src/+/master/chrome/browser/resources/safe_browsing/download_file_types.asciipb

[2]: https://chromium.googlesource.com/chromium/src/+/master/chrome/browser/resources/safe_browsing/README.md

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot