### Key Information

- **Title**: Security: Safe Browsing bypass via data URI, no warning if SB fails
- **Type**: Vulnerability
- **Priority**: P1
- **Severity**: S2
- **Status**: Fixed
- **CVE**: 2023-1814

### Vulnerability Details

1. **Safe Browsing API Limitation**: The Safe Browsing API (https://sb-ssl.google.com/safebrowsing/clientreport/download) returns 413 (Payload Too Large) when data URIs exceed approximately 20MB. The `AddEventUrlToReferrerChain` function does not shorten data URIs within URLs, so if a data URI exceeds about 8MB, the download check can be bypassed.
2. **Download Protection Service**: Even if the download type is `DOWNLOAD_DANGER_TYPE_MAYBE_DANGEROUS_CONTENT`, if the Safe Browsing check is not performed or fails, the `DownloadCheckResult` is set to `UNKNOWN`, and the download type is reset to `DOWNLOAD_DANGER_TYPE_NOT_DANGEROUS`. As a result, users will not receive any warning, potentially leading to a false sense of security and inconsistent user experience.

### Report Link

- [Original Report](https://crbug.com/1416794#c8)

### Reference Links

- [download_protection_service.cc](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/safe_browsing/download_protection/download_protection_service.cc;l=72-84;drc=f37b11fe3cfd8d5f8294ef27d5c6c723a4028d89)
- [ppapi_download_request.cc](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/safe_browsing/download_protection/ppapi_download_request.cc;l=197;drc=f37b11fe3cfd8d5f8294ef27d5c6c723a4028d89)
- [check_client_download_request_base.cc](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/safe_browsing/download_protection/check_client_download_request_base.cc;l=478;drc=f37b11fe3cfd8d5f8294ef27d5c6c723a4028d89)
- [chrome_download_manager_delegate.cc](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/download/chrome_download_manager_delegate.cc;l=1298;drc=f37b11fe3cfd8d5f8294ef27d5c6c723a4028d89)
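
The fail-open verdict handling described under Vulnerability Details, next to a fail-closed alternative, as an added example: this is a simplified model written for this page, not Chromium source and not the fix that shipped. The function names, the shortened enum names, and the `DANGEROUS_CONTENT`, `SAFE` and `DANGEROUS` values are assumptions of the model.

```cpp
#include <cstdio>

// Simplified model, not Chromium source. Enum names are shortened from the
// report; DANGEROUS_CONTENT, SAFE and DANGEROUS are assumed for the model.
enum class DangerType { NOT_DANGEROUS, MAYBE_DANGEROUS_CONTENT, DANGEROUS_CONTENT };
enum class CheckResult { UNKNOWN, SAFE, DANGEROUS };

// Server round trip: any non-200 reply (such as the 413 the report describes)
// produces no verdict at all.
CheckResult VerdictFromHttpStatus(int http_status, bool server_says_dangerous) {
  if (http_status != 200) return CheckResult::UNKNOWN;
  return server_says_dangerous ? CheckResult::DANGEROUS : CheckResult::SAFE;
}

// Fail-open mapping as reported: UNKNOWN is handled like SAFE, so the
// provisional MAYBE_DANGEROUS_CONTENT flag is discarded.
DangerType ResolveFailOpen(DangerType /*initial*/, CheckResult result) {
  if (result == CheckResult::DANGEROUS) return DangerType::DANGEROUS_CONTENT;
  return DangerType::NOT_DANGEROUS;
}

// Fail-closed mapping: only an explicit SAFE verdict clears the flag.
DangerType ResolveFailClosed(DangerType initial, CheckResult result) {
  switch (result) {
    case CheckResult::DANGEROUS: return DangerType::DANGEROUS_CONTENT;
    case CheckResult::SAFE:      return DangerType::NOT_DANGEROUS;
    case CheckResult::UNKNOWN:   return initial;  // keep the provisional flag
  }
  return initial;
}

bool ShowsWarning(DangerType t) { return t != DangerType::NOT_DANGEROUS; }

int main() {
  const DangerType initial = DangerType::MAYBE_DANGEROUS_CONTENT;
  const int statuses[] = {200, 413};  // constructed sample statuses
  for (int status : statuses) {
    CheckResult r = VerdictFromHttpStatus(status, /*server_says_dangerous=*/false);
    std::printf("HTTP %d: fail-open warns=%d, fail-closed warns=%d\n", status,
                ShowsWarning(ResolveFailOpen(initial, r)),
                ShowsWarning(ResolveFailClosed(initial, r)));
  }
  return 0;
}
```

With a failed check, only the fail-closed mapping keeps the warning the initial classification asked for.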