Chrome is fixing the file download bug…

I just noticed that Ryan Naraine has written that Google’s fixed the file download bug in Chrome.  This is awesome, but there’s one aspect of the fix that concerns me.

According to the changelog:

This CL adds prompting for dangerous types of files (executable) when they are automatically downloaded.

When I read this, my first thought was: “I wonder how they determine if a file is ‘dangerous’?”

One of the things that we’ve learned over time is that there are relatively few files that aren’t “dangerous”.  Sure there are the obvious files (.exe, .dll, .com, .bat, etc) but there are lots of other file types that can contain executable content.  For instance most word processors and spreadsheets support some form of scripting language, that means that most documents downloaded can contain executable content.

Even if you ignore the files that contain things that are clearly identifiable as “code”, you’ve still got problems.  After all, just about every single file format out there has had readers who have had bugs that would have allowed remote code execution.

It’s unfortunate, but given the history of the past couple of years, I can’t see how ANY content that was downloaded from the internet could be considered “safe”.

IMHO Google’s change is a good start, but I’m worried that that it doesn’t go far enough.