We are aware of the issue with the badge emails resending to everyone, we apologise for the inconvenience - learn more here.
Forum Discussion
get_temporary_link with zip files causing Google Chrome warning
Hi
Google Chrome (83, Mac) has started giving me a 'Dangerous File' warning whenever trying to download zip files specifically served by the 'get_temporary_link' API call. I have 'Safe Browsing...
This should be fixed now. Please let us know if you're still seeing any issues like this.
Greg-DB
Dropbox Staff
Dropbox StaffThanks for the report. I just tried this myself and I was able to reproduce this warning in Chrome with a temporary link to a zip file with some junk in it. A txt file worked fine for me though as well.
I also accessed my two temporary links directly, and the only differences seem to be, aside from the file data itself:
- the "Content-Type" header: "application/zip" vs. "text/plain; charset=utf-8"
- the lack of the "Vary: Accept-Encoding" header
- the "x-dropbox-request-id" header value (both randomly generated)
- the "etag" value (though this is opaque anyway)
- the "content-disposition" header "filename" value: reflecting the respective file name and extension for each, ".zip" vs. ".txt"
Of those, I think it's likely the "Content-Type" and/or the "content-disposition" that Chrome is suspicious of (since .zip could potentially hide something more dangerous than .txt would), perhaps combined with different levels of trust of the Dropbox API server host as compared to others like S3.
Unfortunately, it doesn't look like there's anything for us to fix on our side, since the HTTPS response is valid in both cases, and the logic for this warning is controlled by Google of course. Dropbox also doesn't offer ways to configure the specifics, e.g., the headers, of the response (though we don't know what specifically is causing Chrome to decide to show this anyway).
I'll raise this with the team, but I can't promise if this is something we'd be able to resolve. You may wish to raise this as an issue with Google.
Thanks for the reply. If it helps, I've copied the headers below for the same file downloaded through Amazon S3 (which was considered safe by Google), their headers are more 'threadbare'.
But I agree, ultimately this seems down to some internal logic at Google, and while I will report this I wonder if Dropbox could also report this themseleves, considering this is an issue that you've independantly confirmed and one that is likely to affect all dropbox customers using this API call (and potentially other API calls) for delivering zip files?
HTTP/1.1 200 OK x-amz-id-2: 7MxPN6hDhv+Rmb9kvfQN64Z2WnSeGI5jhHvP2s6OGpSo7B4ORWyFQ/A+TnOzkTtqN8AAKnj6He0= x-amz-request-id: A1EA9FD1D0064990 Date: Mon, 29 Jun 2020 08:32:31 GMT Last-Modified: Tue, 02 Jun 2020 11:31:27 GMT ETag: "72b5b016974907dcadc1644b08ff28c6-4" Accept-Ranges: bytes Content-Type: application/zip Content-Length: 60328012 Server: AmazonS3
- Greg-DB
Thanks! Yes, we're also looking into what we may be able to do about it on our side. I'll follow up here with any updates.
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
