Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Issue 92345 Auto-opened PDFs warn on click
Starred by 8 users Project Member Reported by pkasting@chromium.org, Aug 10 2011 Back to list
Status: Fixed
Owner:
Closed: Aug 2011
Components:
NextAction: ----
OS: ----
Pri: 2
Type: Bug-Regression

Restricted
  • Only users with Commit permission may comment.


Sign in to add a comment
Supposedly bug 65895 has regressed in M13.
 
Status: Started
I believe this could happen if the PDF was hosted on a page the user had not visited before today, or hosted in a way that strips referrers (e.g. link from HTTPS hosting site to different-origin PDF, or PDF link from gmail).

Assuming that's correct, I have a local fix for this.
Status: Fixed
Fixed in r98897.
Project Member Comment 3 by bugdroid1@chromium.org, Aug 31 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=98897

------------------------------------------------------------------------
r98897 | pkasting@chromium.org | Tue Aug 30 16:55:57 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/page_transition_types.h?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/renderer/render_view.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/extensions/user_script_listener_unittest.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/renderer_host/resource_dispatcher_host.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/browser_navigator.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/views/location_bar/location_bar_view.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/renderer_host/resource_dispatcher_host_unittest.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/download/chrome_download_manager_delegate.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/renderer_host/resource_dispatcher_host.h?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/metrics/metrics_service.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/api/extension_api.json?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/download/download_create_info.h?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/renderer_host/resource_dispatcher_host_request_info.h?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/request_extra_data.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/cocoa/location_bar/location_bar_view_mac.mm?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/resource_dispatcher.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/download/download_state_info.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/download/download_resource_handler.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/extensions/docs/experimental.clear.html?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/renderer_host/resource_queue_unittest.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/download/download_state_info.h?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/resource_dispatcher_unittest.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/download/download_item.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/gtk/location_bar_view_gtk.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/request_extra_data.h?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/renderer_host/resource_dispatcher_host_request_info.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/resource_messages.h?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/download/download_create_info.cc?r1=98897&r2=98896&pathrev=98897
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/extensions/extension_webnavigation_api.cc?r1=98897&r2=98896&pathrev=98897

Treat files downloaded from the address bar as "always safe" (including extensions per discussion with asargent and the extensions folks).

This required plumbing the PageTransition::Type from render_view.cc back up through various layers to the download system, as well as adding an extra state qualifier bit on the Type to mark navigations triggered "FROM_ADDRESS_BAR" (since the Type itself sans-qualifier cannot be used to reliably check this).

This also fixes an inconsistency in IsDangerousFile() where "auto-open" lowered our safety checks for Dangerous files but not for AllowOnUserGesture files.

BUG= 87192 , 92345 
TEST=Paste the PDF link from bug 87192 comment 0 into your address bar and hit enter.  The file should download without triggering any warning UI in the download shelf.
Review URL: http://codereview.chromium.org/7624031
------------------------------------------------------------------------
Comment 4 by li...@f-p-i.com, Sep 4 2011
The issue remains in Mac OS X 10.6.8 with Chrome 14.0.835.126 beta. 

Example:
http://org2.democracyinaction.org/dia/track.jsp?v=2&c=qjMHGILadkJocCqGY8s%2FVC3N%2BtHOBBbn

Is there a version coming that will implement this revision? Thanks!
Labels: Merge-Requested
This hasn't been merged to the M14 branch.

I don't know if the release managers will approve such a major change to fix this.  This might not ship until M15.
Comment 6 by li...@f-p-i.com, Sep 12 2011
Thanks for the update Peter!

I can get the latest (I believe) raw patch set at:
http://codereview.chromium.org/7624031
and use Terminal (on the Mac, running OS X 10.6.8) to run patch(1)
But I don’t know which file to apply the patch to! (I went into Chrome’s “Contents” folder and didn’t find any data file that would accept the patch.)

Please forgive my ignorance, but where is the appropriate Chrome data file to apply the patch to, to get a working version of Chrome, with the patch? Or do you not recommend doing so?

Thanks again!!
Comment 7 Deleted
This is a source code patch, not a data patch.  You'd need to build Chrome from source code to use this patch.
Comment 9 Deleted
Comment 10 Deleted
Comment 11 by li...@f-p-i.com, Sep 28 2011
Thanks for all your patience (and efforts!) with this, Peter!

98897 still hasn’t been incorporated. What do you recommend as the best way to find out when it is merged into a release? Could this page be updated as an alert for those of us who have starred it?

The revision log at:
http://build.chromium.org/f/chromium/perf/dashboard/ui/changelog.html?url=%2Fbranches%2F874%2Fsrc&range=102895%3A102155&mode=html
doesn’t have any date stamp, so it is not clear what range to search within.

Thanks so much!!
Labels: -Merge-Requested
You want http://omahaproxy.appspot.com/viewer which shows that this is in Chrome 15, which you can get from the beta channel.
Comment 13 by li...@f-p-i.com, Sep 28 2011
Thanks, Peter!

I’m on the 15.0.874.51 beta (Mac) and had thought that opening a link in a new tab via control-click would have the same result, given that it is the deliberate choice of opening a tab with the chosen link, but it does not. Apparently it only works by manually copying and pasting the link into a new tab. I do not see why the one action would be allowed and the other action would not.

Saving a link to the desktop still generates the warning, which would also have been quite helpful.

Is there no mercy for those of us who actually use a computer for a living and accept responsibility for our actions?  ;-)

Thanks again for all your efforts!
The fix above affects downloading files directly from the address bar, and clicking links to files which you've marked as "auto-open" inside Chrome.  There is no fix and will be no fix that makes ctrl-clicking a link behave like typing it into the address bar as the security implications of those actions are distinct.
Project Member Comment 15 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 16 by bugdroid1@chromium.org, Mar 9 2013
Labels: -Type-Regression -Area-UI -Feature-Downloads Type-Bug-Regression Cr-UI Cr-UI-Browser-Downloads
Sign in to add a comment