[hackerone] always show both file dialogs on windows #28079

Closed
diracdeltas opened this issue Jan 26, 2023 · 8 comments · Fixed by brave/brave-core#16969

@diracdeltas
Member

see https://bravesoftware.slack.com/archives/C7VLGSR55/p1674762134098869?thread_ts=1674760928.540849&cid=C7VLGSR55 for details

original hackerone issue: https://hackerone.com/reports/1848062 (credit ameenbasha)

@diracdeltas added the OS/Desktop, security, priority/P2 (A bad problem. We might uplift this to the next planned release.) and priority/P3 (The next thing for us to work on. It'll ride the trains.) labels and removed the priority/P2 label on Jan 26, 2023
@diracdeltas
Member Author

upstream issue: https://bugs.chromium.org/p/chromium/issues/detail?id=1410578. i'm asking if they would fix it.

@diracdeltas added the Chromium/reported upstream (Issue has been reported upstream and crbug link is in the issue) label on Jan 26, 2023
@mkarolin
Contributor

mkarolin commented Feb 1, 2023

QA Steps:

  1. Download the file attached to the above mentioned Slack thread.
  2. Open the file in Brave
  3. Once the file is loaded you will be prompted to pick download saving location. Click Save.
  4. Download shelf will appear with the download progress.

Expected result:
Once the file finished downloading you should see a warning in the download shelf informing you that the file may be dangerous. You should see 2 buttons: Keep and Discard.

  1. Click on the Discard button.
  2. Verify that the file has not been saved in the location selected in step 3.
  3. Click on Reload tab button.
  4. Repeat steps 3 and 4.
  5. This time click on Keep button. Verify that the file has been saved in the location selected in step 3.
  6. Navigate to brave://settings/downloads and toggle the "Ask where to save..." to off
  7. Repeat steps 2-4 and verify the expected result.
  8. Navigate to brave://settings/downloads and toggle the "Ask where to save..." back to on

Test that extensions can be manually installed without a warning.

  1. Obtain a packed extension file (.crx). For example, in a different instance of Brave or in Chrome install an extension, then navigate to chrome://extensions. Turn on developer mode and then select pack extension. In the presented dialog specify the extension path (e.g. on Windows c:\Users\<yourusername>\AppData\Local\Google\Chrome\User Data\Default\Extensions\<extension_id>\<extension_version>), leave Private Key blank. The packed extension will be saved in the extension path (minus the version) that you specified.
  2. Open Brave and navigate to brave://extensions
  3. Turn on developer mode
  4. Drag the .crx file from step 1 onto the page

Expected result:
There is no download shelf showing a warning about the file being dangerous.

@kjozwiak
Member

@brave/qa-team can find examples/template that can be used via brave/brave-core#16969 (comment).

@kjozwiak
Member

The above requires 1.48.164 or higher for 1.48.x verification 👍

@LaurenWags
Member

LaurenWags commented Feb 16, 2023

@brave/qa-team per discussion via https://bravesoftware.slack.com/archives/C7VLGSR55/p1674760928540849, the plan is to test the OSes as follows:

@MadhaviSeelam

MadhaviSeelam commented Feb 16, 2023

Verification PASSED using

Brave | 1.48.165 Chromium: 110.0.5481.100 (Official Build) (64-bit)
-- | --
Revision | 4be7a36f7cb943af6118e449bbab494b43dcaddd-refs/branch-heads/5481_77@{#14}
OS | Windows 11 Version 21H2 (Build 22000.1574)

Test Case #1 - Brave Default (Ask where to save each file before downloading enabled)

  1. ensured that Ask where to save each file before downloading was enabled via brave://settings/downloads
  2. ensured that the Windows Save As prompt/modal appeared when opening/loading scfExtension.html
  3. ensured that the This type of file can harm your computer. Do you want to keep .... error appeared at the bottom of the window
    • ensured that selecting Keep saved the @aexample.scf into the correct location
    • ensured that selecting Discard removes the file and doesn't save it (removes entry from brave://downloads as well)
    • ensured that clicking on Show all opens brave://downloads and lists the current entry with the warning

Test Case #2 - Brave Custom (Ask where to save each file before downloading disabled)

  1. disable Ask where to save each file before downloading via brave://settings/downloads
  2. ensured that the This type of file can harm your computer. Do you want to keep .... error appeared at the bottom of the window
    • ensured that selecting Keep saved the @aexample.scf into the correct location
    • ensured that selecting Discard removes the file and doesn't save it (removes entry from brave://downloads as well)
    • ensured that clicking on Show all opens brave://downloads and lists the current entry with the warning
  3. ensured the entry within brave://downloads has the option to Discard or Keep the file
    • ensured that selecting Discard removes the file and doesn't save it (removes entry from brave://downloads as well)
    • ensured that selecting Keep displayed a modal confirmation about saving the file locally
      • ensured that selecting Cancel returns the user back to brave://downloads but doesn't remove the file/decision
      • ensured that selecting Keep downloads the @aexample.scf file locally without any issues
    • ensured that the @aexample.scf entry appears within brave://downloads if Keep was selected

Test Case #3 - Installing Packed Extension

Using the STR/Cases outlined via #28079 (comment), packed the 1Password extension and ensured that it installed without any warnings re: the files not being safe as per the following:

  1. launch Chrome browser
  2. visit chrome://extensions and install 1Password extension
  3. turn on developer mode and click Pack Extension
  4. specified the path in dialog C:\Users\mseel\AppData\Local\Google\Chrome\User Data\Default\Extensions\aeblfdkhhhdcdjpifhhbdiojplfjncoa\2.7.0_0
  5. leave `Private Key` blank
  6. click Pack Extension button
  7. return to the File explorer and copy and paste the path C:\Users\mseel\AppData\Local\Google\Chrome\User Data\Default\Extensions\aeblfdkhhhdcdjpifhhbdiojplfjncoa\2.7.0_0
  8. confirmed 2.7.0_0.crx CRX file is created
  9. launch Brave and navigate to brave://extensions
  10. enable Developer mode
  11. drag 2.7.0_0.crx into brave://extensions page in the download shelf.
  12. click Add Extension

Confirmed no warning This type of file can harm your computer. Do you want to keep .... is shown.

(Note: `This extension may have been corrupted` message is expected)

@LaurenWags
Member

LaurenWags commented Feb 16, 2023

Verified with

Brave | 1.48.165 Chromium: 110.0.5481.100 (Official Build) (x86_64)
-- | --
Revision | 4be7a36f7cb943af6118e449bbab494b43dcaddd-refs/branch-heads/5481_77@{#14}
OS | macOS Version 12.6.3 (Build 21G419)

Generally did the following:

  • Using 1.48.165, confirmed Safe Browsing had downloaded (can watch network calls using Fiddler or check profile folder as I did below)
  • Navigate to https://testsafebrowsing.appspot.com/
  • Spot check various links under "Webpage Warnings", "Desktop Download Warnings", and "IOS/OSX Warnings"
@btlechowski

btlechowski commented Feb 17, 2023

Verification passed on

Brave | 1.48.166 Chromium: 110.0.5481.100 (Official Build) (64-bit)
-- | --
Revision | 4be7a36f7cb943af6118e449bbab494b43dcaddd-refs/branch-heads/5481_77@{#14}
OS | Ubuntu 18.04 LTS

Generally did the following:

  • Using 1.48.166, confirmed Safe Browsing had downloaded (can watch network calls using Fiddler or check profile folder as I did below)
  • Navigate to https://testsafebrowsing.appspot.com/
  • Spot check various links under "Webpage Warnings", "Desktop Download Warnings"