I'm confused about why SetInternetZoneIdentifier was removed

[delhi2050]

On Windows, when using Edge or Chrome, after downloading an executable you cannot run it directly. Instead a security warning pops up, and in the file's Properties you can see a line saying "This file came from another computer and might be blocked to help protect this computer."

With Chromium, that security warning does not appear. I noticed that in disable-download-quarantine.patch the part that sets the Zone.Identifier was removed.

When a malicious executable is downloaded without the user explicitly initiating it, there is often a popup in the top-right corner. It's very easy to accidentally click that download entry and thereby run the malicious program directly.

[tomasz1986]

This patch seems to have existed since the very beginning of the browser, but I would also like to ask - why is this necessary? While not exactly bullet-proof, it seems like yet another layer of protection against potentially malicious files when downloaded on Windows. Are there perhaps any privacy-related issues with SetInternetZoneIdentifier? If not, then personally I would definitely prefer not to remove this functionality from my browser. 😟

[delhi2050]

why is this necessary?

Just as the default behavior of other browsers creates an InternetZoneIdentifier while also adhering to the group policy (gpedit.msc) of "Do not preserve zone information in file attachments". I think it is inappropriate for Ungoogled-Chromium to completely remove SetInternetZoneIdentifier.

Imagine this: while you're browsing the web, an executable finishes downloading unexpectedly. You might accidentally click it in a popup, or unintentionally open it while trying to delete the file in File Explorer — either action can cause a potentially malicious program to run.

Are there perhaps any privacy-related issues with SetInternetZoneIdentifier?

I don't think whether this feature is removed is related to privacy. For people who need the feature removed, the extra writes of the :Zone.Identifier ADS (Alternate Data Stream) to disk may cause cross‑platform or other issues.

[elkay]

Holy yikes. This was an INCREDIBLY useful feature to prevent malicious pages from auto-downloading exe files and ever getting them onto disk. Why would it be a good idea to remove this feature? A decision like this has me second-guessing using Ungoogled Chromium now..

[PF4Public]

A decision like this has me second-guessing using Ungoogled Chromium now..

But why? Was there any decision made?

[elkay]

A decision like this has me second-guessing using Ungoogled Chromium now..

But why? Was there any decision made?

There's no way I'm running a browser that allows an exe to be saved in runnable form on the computer without a confirmation. There's good reason that was put in place so that even if you have autosave enabled it doesn't allow exe files to be saved without an additional step.

[teeminus]

@Ahrotahn Do you know why this patch has been introduced? Or is this something we want to address in V141?

[Ahrotahn]

That patch was one of the earliest ones added to the project so I don't know the reasoning for including it. My assumption is it was added to reduce friction since sites have to request permission to auto-download. It's also possible some of the quarantine checks hook into safebrowsing.

I don't find the safety arguments convincing since they could be equally applied to safebrowsing for example. Users that require protection from themselves really shouldn't be using a browser built from these patches.

That having been said I do think it's a good idea to re-evaluate patches occasionally. I'll spend some time this weekend building without the disable-download-quarantine patch to see how that affects things on the linux side. If someone can make a windows build without that patch, do some testing, and report back here then we can see if this is something that can be addressed in time for 141.