We have a web site that makes several PDFs available for download. The PDFs might be static, or dynamically generated. They are downloaded using one of several mechanisms (static-URL, post back/redirect/meta-refresh/etc.). For certain PDF files, Chrome downloads them without complaint. For others, it warns the user that “This type of file can harm your computer. Are you sure you want to download …” and requires an extra click.
What information is Chrome using to decide whether to show the message? Obviously, it’s not simply the fact that the file is a PDF.
To be clear, I want to do something on the server side (we use IIS/ASP.NET, if it matters) to prevent the message from ever appearing. I’m not interested in a solution that has each user disable the message in their browser (if that’s even possible).
Thank you.
TL;DR: Chrome has a variety of client-side heuristics used to determine a file’s safety. I don’t believe there’s anything you can do to ensure that a file is marked “safe”, but I’ll point at some things that might help.
A good amount of logic goes into determining whether or not that prompt should be shown. Happily, Chromium is open source, so that logic is available for you to peruse. I’m not incredibly familiar with the download code, but the best place to start would almost certainly be ChromeDownloadManagerDelegate::IsDangerousFile. That ends up calling out to download_util::GetFileDangerLevel and download_util::IsExecutableMimeType which seem to be where the checks against mime types and paths live.
Based on a quick read, I’d imagine that the redirects are at least part of the cause, as those aren’t directly related to a user gesture. Clicking directly through to the download is “safer” in this context than clicking on something, and being redirected through a variety of trackers and dispatchers, as the user can’t be expected to follow along.
The heuristic also takes into account whether you’ve been to a particular URL or domain before; that could also have an impact on certain files showing up as “safe” and others not.