package safe_browsing

Get desktop application:
View/edit binary Protocol Buffers messages

Protocol buffer describing the Chrome user population of the user reporting data.

Used in: ClientDownloadRequest, ClientIncidentReport, ClientMalwareRequest, ClientPhishingRequest

• optional ChromeUserPopulation.UserPopulation user_population = 1

Used in: ChromeUserPopulation

• UNKNOWN_USER_POPULATION = 0

• SAFE_BROWSING = 1

• EXTENDED_REPORTING = 2

The following protocol buffer holds the feedback report gathered from the user regarding the download.

• optional ClientDownloadReport.Reason reason = 1

  The type of feedback for this report.

• optional ClientDownloadRequest download_request = 2

  The original download ping

• optional ClientDownloadReport.UserInformation user_information = 3

  Stores the information of the user who provided the feedback.

• optional bytes comment = 4

  Unstructed comments provided by the user.

• optional ClientDownloadResponse download_response = 5

  The original download response sent from the verdict server.

Used in: ClientDownloadReport

• SHARE = 0

• FALSE_POSITIVE = 1

• APPEAL = 2

The information of user who provided the feedback. This is going to be useful for handling appeals.

Used in: ClientDownloadReport

• optional string email = 1

Used in: ClientDownloadReport, ClientIncidentReport.DownloadDetails

• required string url = 1

  The final URL of the download (after all redirects).

• required ClientDownloadRequest.Digests digests = 2

• required int64 length = 3

  This is the length in bytes of the download payload.

• repeated ClientDownloadRequest.Resource resources = 4

  This repeated field will store all the redirects as well as the final URLs for the top-level tab URL (i.e., the URL that triggered the download) as well as for the download URL itself.

• optional ClientDownloadRequest.SignatureInfo signature = 5

  This field will only be set if the binary is signed.

• optional bool user_initiated = 6

  True if the download was user initiated.

• optional string file_basename = 9

  Name of the file where the download would be stored if the download completes. E.g., "bla.exe".

• optional ClientDownloadRequest.DownloadType download_type = 10

• optional string locale = 11

  Locale of the device, eg en, en_US.

• optional ClientDownloadRequest.ImageHeaders image_headers = 18

• repeated ClientDownloadRequest.ArchivedBinary archived_binary = 22

• optional ChromeUserPopulation population = 24

  Population that the reporting user is part of.

• optional bool archive_valid = 26

  True if the .zip or DMG, etc, was 100% successfully unpacked.

• optional bool skipped_url_whitelist = 28

  True if this ClientDownloadRequest is from a whitelisted domain.

• optional bool skipped_certificate_whitelist = 31

  True if this ClientDownloadRequest contains a whitelisted certificate.

• repeated string alternate_extensions = 35

  PPAPI_SAVE_REQUEST type messages may have more than one suggested filetype. Each element in this collection indicates an alternate extension including the leading extension separator.

• repeated ClientDownloadRequest.URLChainEntry url_chain = 36

  URLs transitions from landing referrer to download in reverse chronological order, i.e. download url comes first in this list, and landing referrer comes last.

A binary contained in an archive (e.g., a .zip archive).

Used in: ClientDownloadRequest

• optional string file_basename = 1

• optional DownloadType download_type = 2

• optional Digests digests = 3

• optional int64 length = 4

• optional SignatureInfo signature = 5

• optional ImageHeaders image_headers = 6

A trust chain of certificates. Each chain begins with the signing certificate of the binary, and ends with a self-signed certificate, typically from a trusted root CA. This structure is analogous to CERT_CHAIN_CONTEXT on Windows.

Used in: SignatureInfo

• repeated CertificateChain.Element element = 1

A single link in the chain.

Used in: CertificateChain

• optional bytes certificate = 1

  DER-encoded X.509 representation of the certificate.

  Fields 2 - 7 are only used on the server.

This message contains various binary digests of the download payload.

Used in: ClientDownloadRequest, ArchivedBinary, ClientIncidentReport.IncidentData.BlacklistLoadIncident, ClientIncidentReport.IncidentData.SuspiciousModuleIncident

• optional bytes sha256 = 1

• optional bytes sha1 = 2

• optional bytes md5 = 3

Starting with Chrome M19 we're also sending back pings for Chrome extensions that get downloaded by users.

Used in: ClientDownloadRequest, ArchivedBinary

• WIN_EXECUTABLE = 0

  Currently all .exe, .cab and .msi files.

• CHROME_EXTENSION = 1

  .crx files.

• ANDROID_APK = 2

  .apk files.

• ZIPPED_EXECUTABLE = 3

  .zip files containing one of the other executable types.

• MAC_EXECUTABLE = 4

  .dmg, .pkg, etc.

• ZIPPED_ARCHIVE = 5

  .zip file containing another archive.

• ARCHIVE = 6

  Archive that doesn't have a specific DownloadType.

• INVALID_ZIP = 7

  A .zip that Chrome failed to unpack to the point of finding exe/zips.

• INVALID_MAC_ARCHIVE = 8

  A .dmg, .pkg, etc, that Chrome failed to unpack to the point of finding Mach O's.

• PPAPI_SAVE_REQUEST = 9

  A download request initiated via PPAPI. Typically the requestor is a Flash applet.

• SAMPLED_UNSUPPORTED_FILE = 10

  A file we don't support, but we've decided to sample and send a light-ping.

This is an OS X only message to report extended attribute informations. Extended attributes on OS X are used for various security mechanisms, which makes them interesting to Chrome.

Used in: SignatureInfo

• required string key = 1

  This is the name of the extended attribute.

• optional bytes value = 2

  This is the value of the extended attribute.

Used in: ClientDownloadRequest, ArchivedBinary, ClientIncidentReport.EnvironmentData.Process.Dll, ClientIncidentReport.IncidentData.BinaryIntegrityIncident, ClientIncidentReport.IncidentData.BinaryIntegrityIncident.ContainedFile, ClientIncidentReport.IncidentData.BlacklistLoadIncident, ClientIncidentReport.IncidentData.SuspiciousModuleIncident

• optional PEImageHeaders pe_headers = 1

  Windows Portable Executable image headers.

• repeated MachOHeaders mach_o_headers = 2

  OS X Mach-O image headers.

Used in: ImageHeaders

• required bytes mach_header = 1

  The mach_header or mach_header_64 struct.

• repeated MachOHeaders.LoadCommand load_commands = 2

  All the load commands of the Mach-O file.

Used in: MachOHeaders

• required uint32 command_id = 1

  |command_id| is the first uint32 of |command| as well, but is extracted for easier processing.

• required bytes command = 2

  The entire data stream of the load command.

Used in: ImageHeaders

• optional bytes dos_header = 1

  IMAGE_DOS_HEADER.

• optional bytes file_header = 2

  IMAGE_FILE_HEADER.

• optional bytes optional_headers32 = 3

  IMAGE_OPTIONAL_HEADER32. Present only for 32-bit PE images.

• optional bytes optional_headers64 = 4

  IMAGE_OPTIONAL_HEADER64. Present only for 64-bit PE images.

• repeated bytes section_header = 5

  IMAGE_SECTION_HEADER.

• optional bytes export_section_data = 6

  Contents of the .edata section.

• repeated PEImageHeaders.DebugData debug_data = 7

Used in: PEImageHeaders

• optional bytes directory_entry = 1

  IMAGE_DEBUG_DIRECTORY.

• optional bytes raw_data = 2

Used in: ClientDownloadRequest

• required string url = 1

• required ResourceType type = 2

• optional bytes remote_ip = 3

• optional string referrer = 4

  This will only be set if the referrer is available and if the resource type is either TAB_URL or DOWNLOAD_URL.

Type of the resources stored below.

Used in: Resource

• DOWNLOAD_URL = 0

  The final URL of the download payload. The resource URL should correspond to the URL field above.

• DOWNLOAD_REDIRECT = 1

  A redirect URL that was fetched before hitting the final DOWNLOAD_URL.

• TAB_URL = 2

  The final top-level URL of the tab that triggered the download.

• TAB_REDIRECT = 3

  A redirect URL thas was fetched before hitting the final TAB_URL.

• PPAPI_DOCUMENT = 4

  The document URL for a PPAPI plugin instance that initiated the download. This is the document.url for the container element for the plugin instance.

• PPAPI_PLUGIN = 5

  The plugin URL for a PPAPI plugin instance that initiated the download.

Used in: ClientDownloadRequest, ArchivedBinary, ClientIncidentReport.IncidentData.BinaryIntegrityIncident, ClientIncidentReport.IncidentData.BinaryIntegrityIncident.ContainedFile, ClientIncidentReport.IncidentData.BlacklistLoadIncident, ClientIncidentReport.IncidentData.SuspiciousModuleIncident

• repeated CertificateChain certificate_chain = 1

  All certificate chains for each of the binary's signers. Multiple chains may be present if the binary or any certificate has multiple signers. Absence of certificate chains does not imply that the binary is not signed (in that case, SignedData blobs extracted from the binary may be preset), but does mean that trust has not been verified.

• optional bool trusted = 2

  True if the signature was trusted on the client.

• repeated bytes signed_data = 3

  On Windows, PKCS#7 SignedData blobs extracted from a portable executable image's attribute certificate table. The presence of these does not imply that the signatures were deemed trusted by the client. On Mac, this is the code signature blob referenced by the LC_CODE_SIGNATURE load command.

• repeated ExtendedAttr xattr = 4

  On OS X, code signing data can be contained in the extended attributes of a file. As Gatekeeper respects this signature, we look for it and collect it.

Used in: ClientDownloadRequest

• optional string url = 1

  [required] The url of this Entry.

• optional URLChainEntry.URLType type = 2

  Type of URLs, such as download url, download referrer, etc.

• optional string ip_address = 3

  IP address corresponding to url.

• optional string referrer = 4

  Referrer url of this entry.

• optional string main_frame_referrer = 5

  Main frame URL of referrer.

• optional bool is_retargeting = 6

  If this URL loads in a different tab/frame from previous one.

• optional bool is_user_initiated = 7

  If there is a user gesture attached to this transition.

• optional double timestamp_in_millisec = 8

Used in: URLChainEntry

• DOWNLOAD_URL = 1

• DOWNLOAD_REFERRER = 2

• LANDING_PAGE = 3

• LANDING_REFERRER = 4

• CLIENT_REDIRECT = 5

• SERVER_REDIRECT = 6

Used in: ClientDownloadReport

• optional ClientDownloadResponse.Verdict verdict = 1

• optional ClientDownloadResponse.MoreInfo more_info = 2

• optional bytes token = 3

  An arbitrary token that should be sent along for further server requests.

Used in: ClientDownloadResponse

• optional string description = 1

  A human-readable string describing the nature of the warning. Only if verdict != SAFE. Localized based on request.locale.

• optional string url = 2

  A URL to get more information about this warning, if available.

Used in: ClientDownloadResponse, ClientSafeBrowsingReportRequest

• SAFE = 0

  Download is considered safe.

• DANGEROUS = 1

  Download is considered dangerous. Chrome should show a warning to the user.

• UNCOMMON = 2

  Download is uncommon. Chrome should display a less severe warning.

• POTENTIALLY_UNWANTED = 3

  The download is potentially unwanted.

• DANGEROUS_HOST = 4

  The download is from a dangerous host.

• UNKNOWN = 5

  The backend doesn't have confidence in its verdict of this file. Chrome should show the default warning if configured for this file type.

• repeated ClientIncidentReport.IncidentData incident = 1

• optional ClientIncidentReport.DownloadDetails download = 2

• optional ClientIncidentReport.EnvironmentData environment = 3

• optional ChromeUserPopulation population = 7

  Population that the reporting user is part of.

• optional ClientIncidentReport.ExtensionData extension_data = 8

• optional ClientIncidentReport.NonBinaryDownloadDetails non_binary_download = 9

Used in: ClientIncidentReport, DownloadMetadata

• optional bytes token = 1

• optional ClientDownloadRequest download = 2

• optional int64 download_time_msec = 3

• optional int64 open_time_msec = 4

Used in: ClientIncidentReport

• optional EnvironmentData.OS os = 1

• optional EnvironmentData.Machine machine = 2

• optional EnvironmentData.Process process = 3

Used in: EnvironmentData

• optional string cpu_architecture = 1

• optional string cpu_vendor = 2

• optional uint32 cpuid = 3

Used in: EnvironmentData

• optional string os_name = 1

• optional string os_version = 2

• repeated OS.RegistryKey registry_key = 3

• optional bool is_enrolled_to_domain = 4

Used in: OS

• optional string name = 1

• repeated RegistryValue value = 2

• repeated RegistryKey key = 3

Used in: RegistryKey

• optional string name = 1

• optional uint32 type = 2

• optional bytes data = 3

Used in: EnvironmentData

• optional string version = 1

• repeated string OBSOLETE_dlls = 2

• repeated Process.Patch patches = 3

• repeated Process.NetworkProvider network_providers = 4

• optional Process.Channel chrome_update_channel = 5

• optional int64 uptime_msec = 6

• optional bool metrics_consent = 7

• optional bool extended_consent = 8

• repeated Process.Dll dll = 9

• repeated string blacklisted_dll = 10

• repeated Process.ModuleState module_state = 11

• optional bool field_trial_participant = 12

Used in: Process

• CHANNEL_UNKNOWN = 0

• CHANNEL_CANARY = 1

• CHANNEL_DEV = 2

• CHANNEL_BETA = 3

• CHANNEL_STABLE = 4

Used in: Process

• optional string path = 1

• optional uint64 base_address = 2

• optional uint32 length = 3

• repeated Dll.Feature feature = 4

• optional ClientDownloadRequest.ImageHeaders image_headers = 5

Used in: Dll

• UNKNOWN = 0

• LSP = 1

Used in: Process

• optional string name = 1

• optional ModuleState.ModifiedState modified_state = 2

• repeated string OBSOLETE_modified_export = 3

• repeated ModuleState.Modification modification = 4

Used in: ModuleState

• optional uint32 file_offset = 1

• optional int32 byte_count = 2

• optional bytes modified_bytes = 3

• optional string export_name = 4

Used in: ModuleState

• UNKNOWN = 0

• MODULE_STATE_UNKNOWN = 1

• MODULE_STATE_UNMODIFIED = 2

• MODULE_STATE_MODIFIED = 3

Used in: Process

(message has no fields)

Used in: Process

• optional string function = 1

• optional string target_dll = 2

Used in: ClientIncidentReport

• optional ExtensionData.ExtensionInfo last_installed_extension = 1

Used in: ExtensionData

• optional string id = 1

• optional string version = 2

• optional string name = 3

• optional string description = 4

• optional ExtensionInfo.ExtensionState state = 5

• optional int32 type = 6

• optional string update_url = 7

• optional bool has_signature_validation = 8

• optional bool signature_is_valid = 9

• optional bool installed_by_custodian = 10

• optional bool installed_by_default = 11

• optional bool installed_by_oem = 12

• optional bool from_bookmark = 13

• optional bool from_webstore = 14

• optional bool converted_from_user_script = 15

• optional bool may_be_untrusted = 16

• optional int64 install_time_msec = 17

• optional int32 manifest_location_type = 18

• optional string manifest = 19

Used in: ExtensionInfo

• STATE_UNKNOWN = 0

• STATE_ENABLED = 1

• STATE_DISABLED = 2

• STATE_BLACKLISTED = 3

• STATE_BLOCKED = 4

• STATE_TERMINATED = 5

Used in: ClientIncidentReport

• optional int64 incident_time_msec = 1

• optional IncidentData.TrackedPreferenceIncident tracked_preference = 2

• optional IncidentData.BinaryIntegrityIncident binary_integrity = 3

• optional IncidentData.BlacklistLoadIncident blacklist_load = 4

• optional IncidentData.VariationsSeedSignatureIncident variations_seed_signature = 6

  Note: skip tag 5 because it was previously used.

• optional IncidentData.ResourceRequestIncident resource_request = 7

• optional IncidentData.SuspiciousModuleIncident suspicious_module = 8

Used in: IncidentData

• optional string file_basename = 1

• optional ClientDownloadRequest.SignatureInfo signature = 2

• optional ClientDownloadRequest.ImageHeaders image_headers = 3

• optional int32 sec_error = 4

• repeated BinaryIntegrityIncident.ContainedFile contained_file = 5

Used in: BinaryIntegrityIncident

• optional string relative_path = 1

• optional ClientDownloadRequest.SignatureInfo signature = 2

• optional ClientDownloadRequest.ImageHeaders image_headers = 3

Used in: IncidentData

• optional string path = 1

• optional ClientDownloadRequest.Digests digest = 2

• optional string version = 3

• optional bool blacklist_initialized = 4

• optional ClientDownloadRequest.SignatureInfo signature = 5

• optional ClientDownloadRequest.ImageHeaders image_headers = 6

Used in: IncidentData

• optional bytes digest = 1

• optional string origin = 2

• optional ResourceRequestIncident.Type type = 3

Used in: ResourceRequestIncident

• UNKNOWN = 0

• TYPE_PATTERN = 3

Used in: IncidentData

• optional string path = 1

• optional ClientDownloadRequest.Digests digest = 2

• optional string version = 3

• optional ClientDownloadRequest.SignatureInfo signature = 4

• optional ClientDownloadRequest.ImageHeaders image_headers = 5

Used in: IncidentData

• optional string path = 1

• optional string atomic_value = 2

• repeated string split_key = 3

• optional TrackedPreferenceIncident.ValueState value_state = 4

Used in: TrackedPreferenceIncident

• UNKNOWN = 0

• CLEARED = 1

• WEAK_LEGACY_OBSOLETE = 2

• CHANGED = 3

• UNTRUSTED_UNKNOWN_VALUE = 4

Used in: IncidentData

• optional string variations_seed_signature = 1

Used in: ClientIncidentReport

• optional string file_type = 1

• optional bytes url_spec_sha256 = 2

• optional string host = 3

• optional int64 length = 4

• optional bytes token = 1

• optional bool download_requested = 2

• repeated ClientIncidentResponse.EnvironmentRequest environment_requests = 3

Used in: ClientIncidentResponse

• optional int32 dll_index = 1

• required string url = 1

  URL that the client visited. The CGI parameters are stripped by the client.

• optional string referrer_url = 4

  The referrer URL. This field might not be set, for example, in the case where the referrer uses HTTPS.

• repeated ClientMalwareRequest.UrlInfo bad_ip_url_info = 7

  List of resource urls that match the malware IP list.

• optional ChromeUserPopulation population = 9

  Population that the reporting user is part of.

Used in: ClientMalwareRequest

• required string ip = 1

• required string url = 2

• optional string method = 3

• optional string referrer = 4

• optional int32 resource_type = 5

  Resource type, the int value is a direct cast from the Type enum of ResourceType class defined in //src/webkit/commom/resource_type.h

• required bool blacklist = 1

• optional string bad_ip = 2

  The confirmed blacklisted bad IP and its url, which will be shown in malware warning, if the blacklist verdict is true. This IP string could be either in IPv4 or IPv6 format, which is the same as the ones client sent to server.

• optional string bad_url = 3

• optional string url = 1

  URL that the client visited. The CGI parameters are stripped by the client.

• optional bytes OBSOLETE_hash_prefix = 10

  A 5-byte SHA-256 hash prefix of the URL. Before hashing the URL is canonicalized, converted to a suffix-prefix expression and broadened (www prefix is removed and everything past the last '/' is stripped). Marked OBSOLETE because the URL is sent for all users, making the hash prefix unnecessary.

• required float client_score = 2

  Score that was computed on the client. Value is between 0.0 and 1.0. The larger the value the more likely the url is phishing.

• optional bool is_phishing = 4

  Is true if the features for this URL were classified as phishing. Currently, this will always be true for all client-phishing requests that are sent to the server.

• repeated ClientPhishingRequest.Feature feature_map = 5

  List of features that were extracted. Those are the features that were sent to the scorer and which resulted in client_score being computed.

• optional int32 model_version = 6

  The version number of the model that was used to compute the client-score. Copied from ClientSideModel.version().

• repeated ClientPhishingRequest.Feature non_model_feature_map = 8

  List of features that are extracted in the client but are not used in the machine learning model.

• optional string OBSOLETE_referrer_url = 9

  The referrer URL. This field might not be set, for example, in the case where the referrer uses HTTPs. OBSOLETE: Use feature 'Referrer=<referrer>' instead.

• repeated uint32 shingle_hashes = 12

  List of shingle hashes we extracted.

• optional string model_filename = 13

  The model filename (basename) that was used by the client.

• optional ChromeUserPopulation population = 14

  Population that the reporting user is part of.

Used in: ClientPhishingRequest

• required string name = 1

  Feature name. E.g., 'PageHasForms'.

• required double value = 2

  Feature value is always in the range [0.0, 1.0]. Boolean features have value 1.0.

• required bool phishy = 1

• repeated string OBSOLETE_whitelist_expression = 2

  A list of SafeBrowsing host-suffix / path-prefix expressions that are whitelisted. The client must match the current top-level URL against these whitelisted expressions and only apply a positive phishing verdict above if the URL does not match any expression on this whitelist. The client must not cache these whitelisted expressions. This whitelist will be empty for the vast majority of the responses but might contain up to 100 entries in emergency situations. Marked OBSOLETE because the URL is sent for all users, so the server can do whitelist matching.

A Detailed Safebrowsing Report from clients. Chrome safebrowsing reports are only sent by Chrome users who have opted into extended Safe Browsing. This proto is replacing ClientMalwareReportRequest. Next tag: 16

Note: A lot of the "optional" fields would make sense to be "required" instead. However, having them as optional allows the clients to send "stripped down" versions of the message in the future, if we want to.

• optional ClientSafeBrowsingReportRequest.ReportType type = 10

• optional ClientDownloadResponse.Verdict download_verdict = 11

  Only set if ReportType is DANGEROUS_DOWNLOAD_RECOVERY, DANGEROUS_DOWNLOAD_WARNING or DANGEROUS_DOWNLOAD_BY_API.

• optional string url = 1

  URL of the page in the address bar.

• optional string page_url = 2

• optional string referrer_url = 3

• repeated ClientSafeBrowsingReportRequest.Resource resources = 4

• optional bool complete = 5

  Whether the report is complete.

• repeated string client_asn = 6

  The ASN and country of the client IP. These fields are filled up by csd_frontend

• optional string client_country = 7

• optional bool did_proceed = 8

  Whether user chose to proceed.

• optional bool repeat_visit = 9

  Whether user visited this origin before.

• optional bytes token = 15

  The same token in ClientDownloadResponse. This field is only set if its report type is DANGEROUS_DOWNLOAD_RECOVERY, DANGEROUS_DOWNLOAD_WARNING or DANGEROUS_DOWNLOAD_BY_API.

Used in: HTTPRequest, HTTPResponse

• required bytes name = 1

• optional bytes value = 2

Used in: Resource

• optional HTTPRequest.FirstLine firstline = 1

• repeated HTTPHeader headers = 2

• optional bytes body = 3

• optional bytes bodydigest = 4

  bodydigest and bodylength can be useful if the report does not contain the body itself.

  32-byte hex md5 digest of body.

• optional int32 bodylength = 5

  length of body.

Used in: HTTPRequest

• optional bytes verb = 1

• optional bytes uri = 2

• optional bytes version = 3

Used in: Resource

• optional HTTPResponse.FirstLine firstline = 1

• repeated HTTPHeader headers = 2

• optional bytes body = 3

• optional bytes bodydigest = 4

  32-byte hex md5 digest of body.

• optional int32 bodylength = 5

  length of body.

• optional bytes remote_ip = 6

  IP of the server.

Used in: HTTPResponse

• optional int32 code = 1

• optional bytes reason = 2

• optional bytes version = 3

Used in: ClientSafeBrowsingReportRequest

• UNKNOWN = 0

• URL_PHISHING = 1

• URL_MALWARE = 2

• URL_UNWANTED = 3

• CLIENT_SIDE_PHISHING_URL = 4

• CLIENT_SIDE_MALWARE_URL = 5

• DANGEROUS_DOWNLOAD_RECOVERY = 6

• DANGEROUS_DOWNLOAD_WARNING = 7

• DANGEROUS_DOWNLOAD_BY_API = 10

Used in: ClientSafeBrowsingReportRequest

• required int32 id = 1

• optional string url = 2

• optional HTTPRequest request = 3

• optional HTTPResponse response = 4

• optional int32 parent_id = 5

• repeated int32 child_ids = 6

• optional string tag_name = 7

This is used to send back upload status to the client after upload completion

• optional ClientUploadResponse.UploadStatus status = 1

  Holds the upload status

• optional string permalink = 2

  Holds the permalink where the results of scanning the binary are available

Used in: ClientUploadResponse

• SUCCESS = 0

  The upload was successful and a complete response can be expected

• UPLOAD_FAILURE = 1

  The upload was unsuccessful and the response is incomplete.

• optional uint32 download_id = 1

• optional ClientIncidentReport.DownloadDetails download = 2