Google Git
Sign in
chromium / chromium / src / 918e870ffaf29177b0566e8ee58d40257f72c545 / . / components / safe_browsing / proto / csd.proto
blob: a7216fd7fde829d5316eaa370bfa22949730caf8 [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// This proto file includes:
// (1) Client side phishing and malware detection request and response
// protocol buffers. Those protocol messages should be kept in sync
// with the server implementation.
//
// (2) Safe Browsing reporting protocol buffers.
// A ClientSafeBrowsingReportRequest is sent when a user opts-in to
// sending detailed threat reports from the safe browsing interstitial page.
// It is a list of Resource messages, which may contain the url of a
// resource such as the page in the address bar or any other resource
// that was loaded for this page.
// In addition to the url, a resource can contain HTTP request and response
// headers and bodies.
//
// If you want to change this protocol definition or you have questions
// regarding its format please contact chrome-anti-phishing@googlegroups.com.
syntax = "proto2";
option optimize_for = LITE_RUNTIME;
package safe_browsing;
// Protocol buffer describing the Chrome user population of the user reporting
// data.
message ChromeUserPopulation {
enum UserPopulation {
UNKNOWN_USER_POPULATION = 0;
SAFE_BROWSING = 1;
EXTENDED_REPORTING = 2;
}
optional UserPopulation user_population = 1;
// If user enabled history sync.
optional bool is_history_sync_enabled = 2;
// The finch active groups this user belongs to (if any). Active group is
// defined by finch trial name and group name. Trial name and group name are
// concatenated with separator "|", e.g. "PingOnlyTrial|DefaultGroup".
repeated string finch_active_groups = 4;
// Whether and how the current Chrome profile is being managed.
enum ProfileManagementStatus {
// Value not set.
UNKNOWN = 0;
// Profile management status is unavailable.
UNAVAILABLE = 1;
// The profile is not managed.
NOT_MANAGED = 2;
// Chrome is being managed by enterprise policies.
ENTERPRISE_MANAGED = 3;
}
optional ProfileManagementStatus profile_management_status = 5
[default = UNKNOWN];
// Indicates if user opted in advanced protection program.
optional bool is_under_advanced_protection = 6;
// Indicates if user is in incognito mode.
optional bool is_incognito = 7;
}
message ClientPhishingRequest {
// URL that the client visited. The CGI parameters are stripped by the
// client.
optional string url = 1;
// A 5-byte SHA-256 hash prefix of the URL. Before hashing the URL is
// canonicalized, converted to a suffix-prefix expression and broadened
// (www prefix is removed and everything past the last '/' is stripped).
//
// Marked OBSOLETE because the URL is sent for all users, making the hash
// prefix unnecessary.
optional bytes OBSOLETE_hash_prefix = 10;
// Score that was computed on the client. Value is between 0.0 and 1.0.
// The larger the value the more likely the url is phishing.
required float client_score = 2;
// Note: we're skipping tag 3 because it was previously used.
// Is true if the features for this URL were classified as phishing.
// Currently, this will always be true for all client-phishing requests
// that are sent to the server.
optional bool is_phishing = 4;
message Feature {
// Feature name. E.g., 'PageHasForms'.
required string name = 1;
// Feature value is always in the range [0.0, 1.0]. Boolean features
// have value 1.0.
required double value = 2;
}
// List of features that were extracted. Those are the features that were
// sent to the scorer and which resulted in client_score being computed.
repeated Feature feature_map = 5;
// The version number of the model that was used to compute the client-score.
// Copied from ClientSideModel.version().
optional int32 model_version = 6;
// Field 7 is only used on the server.
// List of features that are extracted in the client but are not used in the
// machine learning model.
repeated Feature non_model_feature_map = 8;
// The referrer URL. This field might not be set, for example, in the case
// where the referrer uses HTTPs.
// OBSOLETE: Use feature 'Referrer=<referrer>' instead.
optional string OBSOLETE_referrer_url = 9;
// Field 11 is only used on the server.
// List of shingle hashes we extracted.
repeated uint32 shingle_hashes = 12 [packed = true];
// The model filename (basename) that was used by the client.
optional string model_filename = 13;
// Population that the reporting user is part of.
optional ChromeUserPopulation population = 14;
}
message ClientPhishingResponse {
required bool phishy = 1;
// A list of SafeBrowsing host-suffix / path-prefix expressions that
// are whitelisted. The client must match the current top-level URL
// against these whitelisted expressions and only apply a positive
// phishing verdict above if the URL does not match any expression
// on this whitelist. The client must not cache these whitelisted
// expressions. This whitelist will be empty for the vast majority
// of the responses but might contain up to 100 entries in emergency
// situations.
//
// Marked OBSOLETE because the URL is sent for all users, so the server
// can do whitelist matching.
repeated string OBSOLETE_whitelist_expression = 2;
}
message ClientMalwareRequest {
// URL that the client visited. The CGI parameters are stripped by the
// client.
required string url = 1;
// Field 2 is deleted and no longer in use.
// Field 3 is only used on the server.
// The referrer URL. This field might not be set, for example, in the case
// where the referrer uses HTTPS.
optional string referrer_url = 4;
// Field 5 and 6 are only used on the server.
message UrlInfo {
required string ip = 1;
required string url = 2;
optional string method = 3;
optional string referrer = 4;
// Resource type, the int value is a direct cast from the Type enum
// of ResourceType class defined in //src/webkit/commom/resource_type.h
optional int32 resource_type = 5;
}
// List of resource urls that match the malware IP list.
repeated UrlInfo bad_ip_url_info = 7;
// Population that the reporting user is part of.
optional ChromeUserPopulation population = 9;
}
// The message is used for client request to determine whether the provided URL
// is safe for the purposes of entering user credentials for logging in.
message LoginReputationClientRequest {
// The top level frame URL of the webpage that hosts the login form.
optional string page_url = 1;
// Type for the request.
// It could be low reputation request or password reuse request.
enum TriggerType {
TRIGGER_TYPE_UNSPECIFIED = 0;
UNFAMILIAR_LOGIN_PAGE = 1;
PASSWORD_REUSE_EVENT = 2;
}
optional TriggerType trigger_type = 2;
// The message contains features which can describe a frame. A frame can be
// a top level web page or an iframe.
message Frame {
// Id of a frame. The frame whose index = 0 is the top level web page.
optional int32 frame_index = 1;
// Id of the parent frame.
optional int32 parent_frame_index = 2;
// Url of the frame. If could be top level url (from web page) or url of
// the iframe.
optional string url = 3;
// Whether the frame contains password field.
optional bool has_password_field = 4;
// If we can find the complete referrer chain, this field will contains URLs
// transitions from landing referrer to event in reverse chronological
// order, i.e. event url comes first in this list, and landing referrer
// comes last.
// For Safe Browsing Extended Reporting or Scout users, if the referrer
// chain is empty or partially missing, we will add/append recent navigation
// events to this list. The type of these entries will be RECENT_NAVIGATION.
repeated ReferrerChainEntry referrer_chain = 5;
// Options and metadata about the above referrer chain.
optional ReferrerChainOptions referrer_chain_options = 7;
// The message contains features of a form.
message Form {
// Action url of the form.
optional string action_url = 1;
// Whether the form contains password field.
optional bool has_password_field = 2;
}
repeated Form forms = 6;
// next available tag number: 8.
}
repeated Frame frames = 3;
// The message contains fields needed for a password reuse event.
// Next tag: 4
message PasswordReuseEvent {
// Domains from the Chrome password manager DB that are associated with
// the same password as the one triggering this event. The field is filled
// in only when TriggerType is PASSWORD_REUSE_EVENT, and only for users
// opted in to extended reporting.
repeated string domains_matching_password = 1;
// The frame that the password reuse is detected.
optional int32 frame_id = 2;
// Whether the reused password is used for Chrome signin.
optional bool is_chrome_signin_password = 3;
// Sync account type. Only set if |is_chrome_signin_password| is true.
enum SyncAccountType {
// Not a sign-in user.
NOT_SIGNED_IN = 0;
// User signed in with @gmail.com, or @googlemail.com account.
GMAIL = 1;
// User signed in with a G Suite account.
GSUITE = 2;
}
optional SyncAccountType sync_account_type = 4;
// Type of password being reused.
enum ReusedPasswordType {
REUSED_PASSWORD_TYPE_UNKNOWN = 0;
// Password saved in Chrome's password manager.
SAVED_PASSWORD = 1;
// Password used in Chrome sign-in.
SIGN_IN_PASSWORD = 2;
// Other Gaia password used in Chrome's content area other than Chrome's
// sign-in password.
OTHER_GAIA_PASSWORD = 3;
// Non-Gaia enterprise password captured from enterprise login page.
ENTERPRISE_PASSWORD = 4;
}
optional ReusedPasswordType reused_password_type = 5
[default = REUSED_PASSWORD_TYPE_UNKNOWN];
}
optional PasswordReuseEvent password_reuse_event = 4;
// The number of verdicts stored on the client.
optional int32 stored_verdict_cnt = 5;
// Chrome user population.
optional ChromeUserPopulation population = 6;
// If user clicked through safe browsing interstitial on this page.
optional bool clicked_through_interstitial = 7;
// The MIME type of the page, e.g. "application/pdf".
optional string content_type = 8;
// Content area height in DIPs. This field should only be filled for extended
// reporting users.
optional int32 content_area_height = 9;
// Content area width in DIPs. This field should only be filled for extended
// reporting users.
optional int32 content_area_width = 10;
// Visual features of the current page. This field should only be filled for
// extended reporting users.
optional VisualFeatures visual_features = 11;
}
// The message is used for client response for login reputation requests.
message LoginReputationClientResponse {
// Type of verdicts issued by the server.
enum VerdictType {
VERDICT_TYPE_UNSPECIFIED = 0;
// No warning will be displayed.
SAFE = 1;
// The site has low reputation or low popularity.
LOW_REPUTATION = 2;
// The url matches with blacklist entries.
PHISHING = 3;
}
optional VerdictType verdict_type = 1;
// TTL of the verdict in seconds.
optional int64 cache_duration_sec = 2;
// A host-suffix/path-prefix expression which defines a collections of pages
// with common ownership from the same domain.
// Generally, the pattern is defined on the granularity of domains.
// For domains managed by multiple parties, especially in the case of large
// hosting sites (e.g., geocities.com), we further divide the domains.
//
// Examples:
// www.google.com/foo/bar?param=val -> google.com
// www.geocities.com/foo/bar.html -> geocities.com/foo
// adwords.blogspot.com/index.html -> adwords.blogspot.com
//
// The pattern will always match the page_url of the request, and will be
// a substring of page_url.
optional string cache_expression = 3;
// Deprecated.
optional bool DEPRECATED_cache_expression_exact_match = 4 [deprecated = true];
// A token unique to each request which correlates response and post-warning
// actions.
optional bytes verdict_token = 5;
}
// This message encapsulates all the visual features of the current page.
message VisualFeatures {
// One bin in a color histogram.
message ColorHistogramBin {
// The average x-coordinate of the pixels in this bin.
optional float centroid_x = 1;
// The average y-coordinate of the pixels in this bin.
optional float centroid_y = 2;
// The quantized R-value for this bin.
optional int32 quantized_r = 3;
// The quantized G-value for this bin.
optional int32 quantized_g = 4;
// The quantized B-value for this bin.
optional int32 quantized_b = 5;
// The normalized weight of this bin.
optional float weight = 6;
}
// Represents the color histogram of a login page.
message ColorHistogram { repeated ColorHistogramBin bins = 1; }
// Color histogram of the current page.
optional ColorHistogram color_histogram = 1;
// Represents the blurred, downsampled image of the login page.
message BlurredImage {
// The width of the image.
optional int32 width = 1;
// The height of the image.
optional int32 height = 2;
// The image data, stored in RGB order. This will have length
// 3*width*height. The bytes are stored in row-major order, starting from
// the top most row.
optional bytes data = 3;
}
// Blurred, downsampled image of the current page.
optional BlurredImage image = 2;
// The final pHash for the current page.
optional bytes phash = 3;
}
message ClientMalwareResponse {
required bool blacklist = 1;
// The confirmed blacklisted bad IP and its url, which will be shown in
// malware warning, if the blacklist verdict is true.
// This IP string could be either in IPv4 or IPv6 format, which is the same
// as the ones client sent to server.
optional string bad_ip = 2;
optional string bad_url = 3;
}
message ClientDownloadRequest {
// The final URL of the download (after all redirects).
required string url = 1;
// This message contains various binary digests of the download payload.
message Digests {
optional bytes sha256 = 1;
optional bytes sha1 = 2;
optional bytes md5 = 3;
}
required Digests digests = 2;
// This is the length in bytes of the download payload.
required int64 length = 3;
// Type of the resources stored below.
enum ResourceType {
// The final URL of the download payload. The resource URL should
// correspond to the URL field above.
DOWNLOAD_URL = 0;
// A redirect URL that was fetched before hitting the final DOWNLOAD_URL.
DOWNLOAD_REDIRECT = 1;
// The final top-level URL of the tab that triggered the download.
TAB_URL = 2;
// A redirect URL thas was fetched before hitting the final TAB_URL.
TAB_REDIRECT = 3;
// The document URL for a PPAPI plugin instance that initiated the download.
// This is the document.url for the container element for the plugin
// instance.
PPAPI_DOCUMENT = 4;
// The plugin URL for a PPAPI plugin instance that initiated the download.
PPAPI_PLUGIN = 5;
}
message Resource {
required string url = 1;
required ResourceType type = 2;
optional bytes remote_ip = 3;
// This will only be set if the referrer is available and if the
// resource type is either TAB_URL or DOWNLOAD_URL.
optional string referrer = 4;
// TODO(noelutz): add the transition type?
}
// This repeated field will store all the redirects as well as the
// final URLs for the top-level tab URL (i.e., the URL that
// triggered the download) as well as for the download URL itself.
repeated Resource resources = 4;
// A trust chain of certificates. Each chain begins with the signing
// certificate of the binary, and ends with a self-signed certificate,
// typically from a trusted root CA. This structure is analogous to
// CERT_CHAIN_CONTEXT on Windows.
message CertificateChain {
// A single link in the chain.
message Element {
// DER-encoded X.509 representation of the certificate.
optional bytes certificate = 1;
// Fields 2 - 7 are only used on the server.
}
repeated Element element = 1;
}
// This is an OS X only message to report extended attribute informations.
// Extended attributes on OS X are used for various security mechanisms,
// which makes them interesting to Chrome.
message ExtendedAttr {
// This is the name of the extended attribute.
required string key = 1;
// This is the value of the extended attribute.
optional bytes value = 2;
}
message SignatureInfo {
// All certificate chains for each of the binary's signers. Multiple chains
// may be present if the binary or any certificate has multiple signers.
// Absence of certificate chains does not imply that the binary is not
// signed (in that case, SignedData blobs extracted from the binary may be
// preset), but does mean that trust has not been verified.
repeated CertificateChain certificate_chain = 1;
// True if the signature was trusted on the client.
optional bool trusted = 2;
// On Windows, PKCS#7 SignedData blobs extracted from a portable executable
// image's attribute certificate table. The presence of these does not imply
// that the signatures were deemed trusted by the client.
// On Mac, this is the code signature blob referenced by the
// LC_CODE_SIGNATURE load command.
repeated bytes signed_data = 3;
// On OS X, code signing data can be contained in the extended attributes of
// a file. As Gatekeeper respects this signature, we look for it and collect
// it.
repeated ExtendedAttr xattr = 4;
}
// This field will only be set if the binary is signed.
optional SignatureInfo signature = 5;
// True if the download was user initiated.
optional bool user_initiated = 6;
// Fields 7 and 8 are only used on the server.
// Name of the file where the download would be stored if the
// download completes. E.g., "bla.exe".
optional string file_basename = 9;
// Starting with Chrome M19 we're also sending back pings for Chrome
// extensions that get downloaded by users.
enum DownloadType {
WIN_EXECUTABLE = 0; // Currently all .exe, .cab and .msi files.
CHROME_EXTENSION = 1; // .crx files.
ANDROID_APK = 2; // .apk files.
// .zip files containing one of the other executable types.
ZIPPED_EXECUTABLE = 3;
MAC_EXECUTABLE = 4; // .dmg, .pkg, etc.
ZIPPED_ARCHIVE = 5; // .zip file containing another archive.
ARCHIVE = 6; // Archive that doesn't have a specific DownloadType.
// A .zip that Chrome failed to unpack to the point of finding exe/zips.
INVALID_ZIP = 7;
// A .dmg, .pkg, etc, that Chrome failed to unpack to the point of finding
// Mach O's.
MAC_ARCHIVE_FAILED_PARSING = 8;
// A download request initiated via PPAPI. Typically the requestor is
// a Flash applet.
PPAPI_SAVE_REQUEST = 9;
// A file we don't support, but we've decided to sample and send
// a light-ping.
SAMPLED_UNSUPPORTED_FILE = 10;
// .rar file containing one of the other executable types.
RAR_COMPRESSED_EXECUTABLE = 11;
// .rar file containing another archive.
RAR_COMPRESSED_ARCHIVE = 12;
// .rar file that Chrome failed to unpack to the point of finding
// executables or archives.
INVALID_RAR = 13;
}
optional DownloadType download_type = 10 [default = WIN_EXECUTABLE];
// Locale of the device, eg en, en_US.
optional string locale = 11;
message PEImageHeaders {
// IMAGE_DOS_HEADER.
optional bytes dos_header = 1;
// IMAGE_FILE_HEADER.
optional bytes file_header = 2;
// IMAGE_OPTIONAL_HEADER32. Present only for 32-bit PE images.
optional bytes optional_headers32 = 3;
// IMAGE_OPTIONAL_HEADER64. Present only for 64-bit PE images.
optional bytes optional_headers64 = 4;
// IMAGE_SECTION_HEADER.
repeated bytes section_header = 5;
// Contents of the .edata section.
optional bytes export_section_data = 6;
message DebugData {
// IMAGE_DEBUG_DIRECTORY.
optional bytes directory_entry = 1;
optional bytes raw_data = 2;
}
repeated DebugData debug_data = 7;
}
message MachOHeaders {
// The mach_header or mach_header_64 struct.
required bytes mach_header = 1;
message LoadCommand {
// |command_id| is the first uint32 of |command| as well, but is
// extracted for easier processing.
required uint32 command_id = 1;
// The entire data stream of the load command.
required bytes command = 2;
}
// All the load commands of the Mach-O file.
repeated LoadCommand load_commands = 2;
}
message ImageHeaders {
// Windows Portable Executable image headers.
optional PEImageHeaders pe_headers = 1;
// OS X Mach-O image headers.
repeated MachOHeaders mach_o_headers = 2;
};
// Fields 12-17 are reserved for server-side use and are never sent by the
// client.
optional ImageHeaders image_headers = 18;
// Fields 19-21 are reserved for server-side use and are never sent by the
// client.
// A binary or archive contained in an archive (e.g., a .exe in a .zip
// archive, or a .zip inside a .zip).
message ArchivedBinary {
optional string file_basename = 1;
optional DownloadType download_type = 2;
optional Digests digests = 3;
optional int64 length = 4;
optional SignatureInfo signature = 5;
optional ImageHeaders image_headers = 6;
// Indicates if the given file is password protected.
optional bool is_encrypted = 7;
}
repeated ArchivedBinary archived_binary = 22;
// Population that the reporting user is part of.
optional ChromeUserPopulation population = 24;
// True if the .zip or DMG, etc, was 100% successfully unpacked.
optional bool archive_valid = 26;
// True if this ClientDownloadRequest is from a whitelisted domain.
optional bool skipped_url_whitelist = 28;
// True if this ClientDownloadRequest contains a whitelisted certificate.
optional bool skipped_certificate_whitelist = 31;
// PPAPI_SAVE_REQUEST type messages may have more than one suggested filetype.
// Each element in this collection indicates an alternate extension including
// the leading extension separator.
repeated string alternate_extensions = 35;
// If we can find the complete referrer chain, this field will contains URLs
// transitions from landing referrer to event in reverse chronological
// order, i.e. event url comes first in this list, and landing referrer
// comes last.
// For Safe Browsing Extended Reporting or Scout users, if the referrer chain
// is empty or partially missing, we will add/append recent navigation events
// to this list. The type of these entries will be RECENT_NAVIGATION.
repeated ReferrerChainEntry referrer_chain = 36;
// Options and metadata about the above referrer chain.
optional ReferrerChainOptions referrer_chain_options = 50;
// Deprecated.
optional bool DEPRECATED_download_attribution_finch_enabled = 39
[deprecated = true];
// The Mac disk image code signature.
// The underlying structure of code signature is defined at
// https://opensource.apple.com/source/xnu/xnu-2782.1.97/bsd/sys/codesign.h
optional bytes udif_code_signature = 40;
// Mac-only. A detached code signature contains the DER-encoded PKCS7 data
// of a codesigned artifact. Detached signatures are used for signing files
// that are not Mach-O and thus cannot have a LC_CODE_SIGNATURE load command.
message DetachedCodeSignature {
required string file_name = 1;
required bytes contents = 2;
}
repeated DetachedCodeSignature detached_code_signature = 59;
// When this is set to true, we expect the server to provide heightened
// protection for Advanced Protection users.
optional bool request_ap_verdicts = 67;
// next available tag number: 68;
}
message ReferrerChainOptions {
// The number of recent navigations we'd like to collect. This number is
// controlled by Finch parameter and its default value is 0.
optional int32 recent_navigations_to_collect = 1 [default = 0];
}
// Please update SafeBrowsingNavigationObserverManager::SanitizeReferrerChain()
// if you're adding more fields to this message.
message ReferrerChainEntry {
enum URLType {
// URL of safe browsing events that are at the end of the referrer chain.
// e.g. URL of a download, URL of a low reputation login page, etc.
EVENT_URL = 1; // e.g.
// Landing page is the page user directly interacts with to trigger the
// above event, e.g. the page where user clicks a download button.
LANDING_PAGE = 2;
// Landing referrer is the one user directly interacts with right before
// navigating to the landing page.
LANDING_REFERRER = 3;
// Client redirect refers to committed navigation between landing page and
// the targeted event, or between landing referrer page and landing page.
// Client redirect is not triggered by user gesture.
CLIENT_REDIRECT = 4;
DEPRECATED_SERVER_REDIRECT = 5; // Deprecated
// For Safe Browsing Extended Reporting or Scout users, if the referrer
// chain is empty or partially missing, we will add/append recent navigation
// events to this list. RECENT_NAVIGATION type is set for these cases.
RECENT_NAVIGATION = 6;
// The REFERRER type is used for entries that recede the LANDING_REFERRER in
// the referrer chain, when more than two gestures are included in the
// referrer chain.
REFERRER = 7;
}
enum NavigationInitiation {
// Convenient default value, should not be used in real ReferrerChainEntry.
UNDEFINED = 0;
// Navigation is initiated by the browser process. e.g. user enters url into
// address bar, or user opens a bookmark. This isn't perfect reliable due to
// some edge cases, such as forward/back navigation and opening a link from
// context menu.
BROWSER_INITIATED = 1;
// Navigation is initiated by the renderer process and there is no user
// gesture associate with this navigation. e.g.
// * redirect via the <meta http-equiv="refresh"> tag
// * change window.location.href
RENDERER_INITIATED_WITHOUT_USER_GESTURE = 2;
// Navigation is initiated by the renderer process and there is a clear user
// gesture associate with this navigation. e.g.
// * <a> link click
// * using window.history.pushState (i.e. back, forward button interaction)
RENDERER_INITIATED_WITH_USER_GESTURE = 3;
}
message ServerRedirect {
// [required] server redirect url
optional string url = 1;
// Additional fields for future expansion.
}
// [required] The url of this Entry.
optional string url = 1;
// Only set if it is different from |url|.
optional string main_frame_url = 9;
// Type of URLs, such as event url, landing page, etc.
optional URLType type = 2 [default = CLIENT_REDIRECT];
// IP addresses corresponding to this host.
repeated string ip_addresses = 3;
// Referrer url of this entry.
optional string referrer_url = 4;
// Main frame URL of referrer.
// Only set if it is different from |referrer_url|.
optional string referrer_main_frame_url = 5;
// If this URL loads in a different tab/frame from previous one.
optional bool is_retargeting = 6;
optional double navigation_time_msec = 7;
// Set only if server redirects happened in navigation.
// The first entry in |server_redirect_chain| should be the original request
// url, and the last entry should be the same as |url|.
repeated ServerRedirect server_redirect_chain = 8;
// How this navigation is initiated.
optional NavigationInitiation navigation_initiation = 10;
// Whether we think this entry may have been launched by an external
// application. This will have no false negatives, but some false positives
// are possible.
optional bool maybe_launched_by_external_application = 11;
// next available tag number: 12.
} // End of ReferrerChainEntry
message ClientDownloadResponse {
enum Verdict {
// Download is considered safe.
SAFE = 0;
// Download is considered dangerous. Chrome should show a warning to the
// user.
DANGEROUS = 1;
// Download is uncommon. Chrome should display a less severe warning.
UNCOMMON = 2;
// The download is potentially unwanted.
POTENTIALLY_UNWANTED = 3;
// The download is from a dangerous host.
DANGEROUS_HOST = 4;
// The backend doesn't have confidence in its verdict of this file.
// Chrome should show the default warning if configured for this file type.
UNKNOWN = 5;
}
optional Verdict verdict = 1 [default = SAFE];
message MoreInfo {
// A human-readable string describing the nature of the warning.
// Only if verdict != SAFE. Localized based on request.locale.
optional string description = 1;
// A URL to get more information about this warning, if available.
optional string url = 2;
}
optional MoreInfo more_info = 2;
// An arbitrary token that should be sent along for further server requests.
optional bytes token = 3;
// Whether the server requests that this binary be uploaded.
optional bool upload = 5;
}
// The following protocol buffer holds the feedback report gathered
// from the user regarding the download.
message ClientDownloadReport {
// The information of user who provided the feedback.
// This is going to be useful for handling appeals.
message UserInformation { optional string email = 1; }
enum Reason {
SHARE = 0;
FALSE_POSITIVE = 1;
APPEAL = 2;
}
// The type of feedback for this report.
optional Reason reason = 1;
// The original download ping
optional ClientDownloadRequest download_request = 2;
// Stores the information of the user who provided the feedback.
optional UserInformation user_information = 3;
// Unstructed comments provided by the user.
optional bytes comment = 4;
// The original download response sent from the verdict server.
optional ClientDownloadResponse download_response = 5;
}
// This is used to send back upload status to the client after upload completion
message ClientUploadResponse {
enum UploadStatus {
// The upload was successful and a complete response can be expected
SUCCESS = 0;
// The upload was unsuccessful and the response is incomplete.
UPLOAD_FAILURE = 1;
}
// Holds the upload status
optional UploadStatus status = 1;
// Holds the permalink where the results of scanning the binary are available
optional string permalink = 2;
}
message ClientIncidentReport {
message IncidentData {
message TrackedPreferenceIncident {
enum ValueState {
UNKNOWN = 0;
CLEARED = 1;
WEAK_LEGACY_OBSOLETE = 2;
CHANGED = 3;
UNTRUSTED_UNKNOWN_VALUE = 4;
BYPASS_CLEARED = 5;
BYPASS_CHANGED = 6;
}
optional string path = 1;
optional string atomic_value = 2;
repeated string split_key = 3;
optional ValueState value_state = 4;
}
message BinaryIntegrityIncident {
optional string file_basename = 1;
optional ClientDownloadRequest.SignatureInfo signature = 2;
optional ClientDownloadRequest.ImageHeaders image_headers = 3;
optional int32 sec_error = 4;
message ContainedFile {
optional string relative_path = 1;
optional ClientDownloadRequest.SignatureInfo signature = 2;
optional ClientDownloadRequest.ImageHeaders image_headers = 3;
}
repeated ContainedFile contained_file = 5;
}
message ResourceRequestIncident {
enum Type {
UNKNOWN = 0;
TYPE_PATTERN = 3;
}
optional bytes digest = 1;
optional string origin = 2;
optional Type type = 3 [default = UNKNOWN];
}
optional int64 incident_time_msec = 1;
optional TrackedPreferenceIncident tracked_preference = 2;
optional BinaryIntegrityIncident binary_integrity = 3;
// Note: skip tag 4,5,6 because they were previously used.
reserved 4 to 6;
optional ResourceRequestIncident resource_request = 7;
// Note: skip tag 8 because it was previously used.
reserved 8;
}
repeated IncidentData incident = 1;
message DownloadDetails {
optional bytes token = 1;
optional ClientDownloadRequest download = 2;
optional int64 download_time_msec = 3;
optional int64 open_time_msec = 4;
}
optional DownloadDetails download = 2;
message EnvironmentData {
message OS {
optional string os_name = 1;
optional string os_version = 2;
message RegistryValue {
optional string name = 1;
optional uint32 type = 2;
optional bytes data = 3;
}
message RegistryKey {
optional string name = 1;
repeated RegistryValue value = 2;
repeated RegistryKey key = 3;
}
repeated RegistryKey registry_key = 3;
optional bool is_enrolled_to_domain = 4;
}
optional OS os = 1;
message Machine {
optional string cpu_architecture = 1;
optional string cpu_vendor = 2;
optional uint32 cpuid = 3;
}
optional Machine machine = 2;
message Process {
optional string version = 1;
repeated string OBSOLETE_dlls = 2;
message Patch {
optional string function = 1;
optional string target_dll = 2;
}
repeated Patch patches = 3;
message NetworkProvider {}
repeated NetworkProvider network_providers = 4;
enum Channel {
CHANNEL_UNKNOWN = 0;
CHANNEL_CANARY = 1;
CHANNEL_DEV = 2;
CHANNEL_BETA = 3;
CHANNEL_STABLE = 4;
}
optional Channel chrome_update_channel = 5;
optional int64 uptime_msec = 6;
optional bool metrics_consent = 7;
// Obsolete: extended consent is now required for incident reporting.
optional bool OBSOLETE_extended_consent = 8;
message Dll {
enum Feature {
UNKNOWN = 0;
LSP = 1;
}
optional string path = 1;
optional uint64 base_address = 2;
optional uint32 length = 3;
repeated Feature feature = 4;
optional ClientDownloadRequest.ImageHeaders image_headers = 5;
}
repeated Dll dll = 9;
repeated string blacklisted_dll = 10;
message ModuleState {
enum ModifiedState {
UNKNOWN = 0;
MODULE_STATE_UNKNOWN = 1;
MODULE_STATE_UNMODIFIED = 2;
MODULE_STATE_MODIFIED = 3;
}
optional string name = 1;
optional ModifiedState modified_state = 2;
repeated string OBSOLETE_modified_export = 3;
message Modification {
optional uint32 file_offset = 1;
optional int32 byte_count = 2;
optional bytes modified_bytes = 3;
optional string export_name = 4;
}
repeated Modification modification = 4;
}
repeated ModuleState module_state = 11;
// Obsolete: field trials no longer enable incident reporting.
optional bool OBSOLETE_field_trial_participant = 12;
}
optional Process process = 3;
}
message ExtensionData {
message ExtensionInfo {
enum ExtensionState {
STATE_UNKNOWN = 0;
STATE_ENABLED = 1;
STATE_DISABLED = 2;
STATE_BLACKLISTED = 3;
STATE_BLOCKED = 4;
STATE_TERMINATED = 5;
}
optional string id = 1;
optional string version = 2;
optional string name = 3;
optional string description = 4;
optional ExtensionState state = 5 [default = STATE_UNKNOWN];
optional int32 type = 6;
optional string update_url = 7;
optional bool has_signature_validation = 8;
optional bool signature_is_valid = 9;
optional bool installed_by_custodian = 10;
optional bool installed_by_default = 11;
optional bool installed_by_oem = 12;
optional bool from_bookmark = 13;
optional bool from_webstore = 14;
optional bool converted_from_user_script = 15;
optional bool may_be_untrusted = 16;
optional int64 install_time_msec = 17;
optional int32 manifest_location_type = 18;
optional string manifest = 19;
}
optional ExtensionInfo last_installed_extension = 1;
}
optional EnvironmentData environment = 3;
// Population that the reporting user is part of.
optional ChromeUserPopulation population = 7;
optional ExtensionData extension_data = 8;
message NonBinaryDownloadDetails {
optional string file_type = 1;
optional bytes url_spec_sha256 = 2;
optional string host = 3;
optional int64 length = 4;
}
optional NonBinaryDownloadDetails non_binary_download = 9;
}
message ClientIncidentResponse {
optional bytes token = 1;
optional bool download_requested = 2;
message EnvironmentRequest { optional int32 dll_index = 1; }
repeated EnvironmentRequest environment_requests = 3;
}
message DownloadMetadata {
optional uint32 download_id = 1;
optional ClientIncidentReport.DownloadDetails download = 2;
}
// A Detailed Safebrowsing Report from clients. Chrome safebrowsing reports are
// only sent by Chrome users who have opted into extended Safe Browsing.
// This proto is replacing ClientMalwareReportRequest.
// Next tag: 26
message ClientSafeBrowsingReportRequest {
// Note: A lot of the "optional" fields would make sense to be
// "required" instead. However, having them as optional allows the
// clients to send "stripped down" versions of the message in the
// future, if we want to.
enum ReportType {
UNKNOWN = 0;
URL_PHISHING = 1;
URL_MALWARE = 2;
URL_UNWANTED = 3;
URL_CLIENT_SIDE_PHISHING = 4;
URL_CLIENT_SIDE_MALWARE = 5;
DANGEROUS_DOWNLOAD_RECOVERY = 6;
DANGEROUS_DOWNLOAD_WARNING = 7;
DANGEROUS_DOWNLOAD_BY_API = 10;
URL_PASSWORD_PROTECTION_PHISHING = 12;
DANGEROUS_DOWNLOAD_OPENED = 13;
AD_SAMPLE = 14;
URL_SUSPICIOUS = 15;
BILLING = 16;
APK_DOWNLOAD = 17;
}
message HTTPHeader {
required bytes name = 1;
optional bytes value = 2;
}
message HTTPRequest {
message FirstLine {
optional bytes verb = 1;
optional bytes uri = 2;
optional bytes version = 3;
}
optional FirstLine firstline = 1;
repeated HTTPHeader headers = 2;
optional bytes body = 3;
// bodydigest and bodylength can be useful if the report does not
// contain the body itself.
optional bytes bodydigest = 4; // 32-byte hex md5 digest of body.
optional int32 bodylength = 5; // length of body.
}
message HTTPResponse {
message FirstLine {
optional int32 code = 1;
optional bytes message = 2;
optional bytes version = 3;
}
optional FirstLine firstline = 1;
repeated HTTPHeader headers = 2;
optional bytes body = 3;
optional bytes bodydigest = 4; // 32-byte hex md5 digest of body.
optional int32 bodylength = 5; // length of body.
optional bytes remote_ip = 6; // IP of the server.
}
message Resource {
required int32 id = 1;
optional string url = 2;
optional HTTPRequest request = 3;
optional HTTPResponse response = 4;
optional int32 parent_id = 5;
repeated int32 child_ids = 6;
optional string tag_name = 7;
}
optional ReportType type = 10;
// Only set if ReportType is DANGEROUS_DOWNLOAD_RECOVERY,
// DANGEROUS_DOWNLOAD_WARNING or DANGEROUS_DOWNLOAD_BY_API.
optional ClientDownloadResponse.Verdict download_verdict = 11;
// URL of the page in the address bar.
optional string url = 1;
// Must be set if the ReportType is not one of DANGEROUS_DOWNLOAD_RECOVERY,
// DANGEROUS_DOWNLOAD_WARNING, DANGEROUS_DOWNLOAD_BY_API,
// DANGEROUS_DOWNLOAD_OPENED, URL_PASSWORD_PROTECTION_PHISHING.
optional string page_url = 2;
optional string referrer_url = 3;
repeated Resource resources = 4;
// Contains the hierarchy of elements on the page (ie: the DOM). Some
// elements can be Resources and will refer to the resources list (above).
repeated HTMLElement dom = 16;
// Whether the report is complete.
optional bool complete = 5;
// The ASN and country of the client IP. These fields are filled up by
// csd_frontend
repeated string client_asn = 6;
optional string client_country = 7;
// Whether user chose to proceed.
optional bool did_proceed = 8;
// Whether user visited this origin before.
optional bool repeat_visit = 9;
// The same token in ClientDownloadResponse or LoginReputationClientResponse.
// This field is only set if its report type is DANGEROUS_DOWNLOAD_RECOVERY,
// DANGEROUS_DOWNLOAD_WARNING, DANGEROUS_DOWNLOAD_BY_API,
// URL_PASSWORD_PROTECTION_PHISHING, or DANGEROUS_DOWNLOAD_OPENED.
optional bytes token = 15;
enum SafeBrowsingUrlApiType {
SAFE_BROWSING_URL_API_TYPE_UNSPECIFIED = 0;
// Native implementation of Safe Browsing API v3 protocol.
PVER3_NATIVE = 1;
// Native implementation of Safe Browsing API v4 protocol.
PVER4_NATIVE = 2;
// Android SafetyNet API.
// https://developer.android.com/training/safetynet/safebrowsing.html
ANDROID_SAFETYNET = 3;
// Flywheel (data compression service).
FLYWHEEL = 4;
}
// The information propagated from the client about various environment
// variables including SDK version, Google Play Services version and so on.
message SafeBrowsingClientProperties {
optional string client_version = 1;
optional int64 google_play_services_version = 2;
optional bool is_instant_apps = 3;
optional SafeBrowsingUrlApiType url_api_type = 4;
}
optional SafeBrowsingClientProperties client_properties = 17;
// Only set if report type is DANGEROUS_DOWNLOAD_EXECUTION.
// True means user opened the folder where this download is in via browser.
// False means user directly executed this download via download shelf or
// other download UIs.
optional bool show_download_in_folder = 18;
// If we can find the complete referrer chain, this field will contains URLs
// transitions from landing referrer to event in reverse chronological
// order, i.e. event url comes first in this list, and landing referrer
// comes last.
repeated ReferrerChainEntry referrer_chain = 23;
message DownloadItemInfo {
// URL of the download payload.
optional string url = 1;
// This message contains various binary digests of the download payload.
message Digests { optional bytes sha256 = 1; }
optional Digests digests = 2;
// This is the length in bytes of the download payload.
optional int64 length = 3;
// Name of the file where the download would be stored if the
// download completes. E.g., "bla.exe".
optional string file_basename = 4;
}
optional DownloadItemInfo download_item_info = 24;
// The SafetyNet ID of the Android device.
optional string safety_net_id = 25;
}
// An HTML Element on the page (eg: iframe, div, script, etc).
message HTMLElement {
// Id of this element.
optional int32 id = 1;
// The tag type of this element (eg: iframe, div, script, etc).
optional string tag = 2;
// IDs of elements that are children of this element.
repeated int32 child_ids = 3;
// If this element represents a Resource then this is the id of the
// Resource, which contains additional data about the Resource. Otherwise
// unset.
optional int32 resource_id = 5;
// An Attribute of the element (eg: id, border, foo etc) and its value.
message Attribute {
optional string name = 1;
optional string value = 2;
}
repeated Attribute attribute = 6;
}
// Protobuf for Chrome extension webstore install request.
message ExtensionWebStoreInstallRequest {
// If we can find the complete referrer chain, this field will contain URL
// transitions from landing referrer to event in reverse chronological
// order, i.e. event url comes first in this list, and landing referrer
// comes last.
// For Safe Browsing Extended Reporting or Scout users, if the referrer
// chain is empty or partially missing, we will add/append recent navigation
// events to this list. The type of these entries will be RECENT_NAVIGATION.
repeated ReferrerChainEntry referrer_chain = 1;
// Options and metadata about the above referrer chain.
optional ReferrerChainOptions referrer_chain_options = 2;
}