cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community
English
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

get_temporary_link with zip files causing Google Chrome warning

Labels:

get_temporary_link with zip files causing Google Chrome warning

theTutor
Explorer | Level 3
‎06-29-2020 05:01 AM
Go to solution

Hi

 

Google Chrome (83, Mac) has started giving me a 'Dangerous File' warning whenever trying to download zip files specifically served by the 'get_temporary_link' API call. I have 'Safe Browsing' enabled (set to 'Standard'). Until recently I have experienced no issues using this API method (using it for over 2 years now).

 

Apart from virus scanning etc, we've performed the following to isolate the cause:

 

1) The exact same files download without problem when accessing via a standard 'shared' dropbox link (i.e. with dl=1 appended to end)

2) The same files download 100% fine when downloaded through Chrome within our Dropbox account.

3) The exact same files download fine when uploaded to other file hosts. For example, Amazon S3.

4) We have created new zip files that contain nothing by a single plain text file and these are still causing the warning, but only when served via the 'get_tempoary_link' method.

5) We've pasted the temporary dropbox link directly into the Chrome address bar to rule out any potential issues with the php script we are normally using to serve the files

 

This only seems to affect zip files (have tested PDF and txt, no problems there). The only constant variable that causes the warning is the use of the 'get_temporary link' call. Unfortunately I don't have any indepth knowledge of the Dropbox API so am not able to test other API methods, nor am I able to see anything obvious that might be causing this.

 

Can anyone think why this might be any issue? I assume it's either the URL structure itself, or the output headers. 

 

The header is

 

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 29 Jun 2020 08:37:18 GMT
Content-Type: application/zip
Content-Length: 60328012
Connection: keep-alive
cache-control: max-age=0
pragma: public
x-dropbox-request-id: 9292cd205582aa9dc8b7b280e644fd75
x-robots-tag: noindex, nofollow, noimageindex
referrer-policy: no-referrer
etag: 1586602502895794n
accept-ranges: bytes
x-content-type-options: nosniff
content-disposition: attachment; filename="somefile.zip"; filename*=UTF-8''somefile.zip";
content-security-policy: sandbox
x-webkit-csp: sandbox
x-content-security-policy: sandbox
Vary: Origin
X-Server-Response-Time: 566
This is the code we are using to generate the temporary file:



$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://api.dropboxapi.com/2/files/get_temporary_link");
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Authorization: Bearer ' . $dropboxKey,
'Content-Type: application/json') );
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "{\"path\":\"/".$record["file"]."\"}");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$data = json_decode(curl_exec($ch), true);

if (curl_errno($ch)) { echo 'Error:' . curl_error($ch); }
curl_close($ch);
$filepath = $data['link'];

 

Any advice appareciated!

Labels:
  • 0 Likes
  • 9 Replies
  • 2,887 Views
0 Likes
1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
‎07-10-2020 11:24 AM
Go to solution

This should be fixed now. Please let us know if you're still seeing any issues like this.

View solution in original post

9 Replies 9

Greg-DB
Dropbox Staff
‎06-29-2020 01:49 PM
Go to solution

Thanks for the report. I just tried this myself and I was able to reproduce this warning in Chrome with a temporary link to a zip file with some junk in it. A txt file worked fine for me though as well.

 

I also accessed my two temporary links directly, and the only differences seem to be, aside from the file data itself:

  • the "Content-Type" header: "application/zip" vs. "text/plain; charset=utf-8"
  • the lack of the "Vary: Accept-Encoding" header
  • the "x-dropbox-request-id" header value (both randomly generated)
  • the "etag" value (though this is opaque anyway) 
  • the "content-disposition" header "filename" value: reflecting the respective file name and extension for each, ".zip" vs. ".txt"

Of those, I think it's likely the "Content-Type" and/or the "content-disposition" that Chrome is suspicious of (since .zip could potentially hide something more dangerous than .txt would), perhaps combined with different levels of trust of the Dropbox API server host as compared to others like S3.

 

Unfortunately, it doesn't look like there's anything for us to fix on our side, since the HTTPS response is valid in both cases, and the logic for this warning is controlled by Google of course. Dropbox also doesn't offer ways to configure the specifics, e.g., the headers, of the response (though we don't know what specifically is causing Chrome to decide to show this anyway).

 

I'll raise this with the team, but I can't promise if this is something we'd be able to resolve. You may wish to raise this as an issue with Google.

0 Likes

theTutor
Explorer | Level 3
‎06-30-2020 12:27 AM
Go to solution

Thanks for the reply. If it helps, I've copied the headers below for the same file downloaded through Amazon S3 (which was considered safe by Google), their headers are more 'threadbare'.

 

But I agree, ultimately this seems down to some internal logic at Google, and while I will report this I wonder if Dropbox could also report this themseleves, considering this is an issue that you've independantly confirmed and one that is likely to affect all dropbox customers using this API call (and potentially other API calls) for delivering zip files?

 

HTTP/1.1 200 OK
x-amz-id-2: 7MxPN6hDhv+Rmb9kvfQN64Z2WnSeGI5jhHvP2s6OGpSo7B4ORWyFQ/A+TnOzkTtqN8AAKnj6He0=
x-amz-request-id: A1EA9FD1D0064990
Date: Mon, 29 Jun 2020 08:32:31 GMT
Last-Modified: Tue, 02 Jun 2020 11:31:27 GMT
ETag: "72b5b016974907dcadc1644b08ff28c6-4"
Accept-Ranges: bytes
Content-Type: application/zip
Content-Length: 60328012
Server: AmazonS3

 

0 Likes

Greg-DB
Dropbox Staff
‎06-30-2020 08:11 AM
Go to solution

Thanks! Yes, we're also looking into what we may be able to do about it on our side. I'll follow up here with any updates.

0 Likes

aciid
New member | Level 2
‎07-08-2020 11:50 PM
Go to solution

any update on this please?

I got a lot of complaints about this.

0 Likes

Greg-DB
Dropbox Staff
‎07-09-2020 08:39 AM
Go to solution

@aciid No, unfortunately I don't have an update on this yet. I'll follow up here once I do.

0 Likes

Greg-DB
Dropbox Staff
‎07-10-2020 11:24 AM
Go to solution

This should be fixed now. Please let us know if you're still seeing any issues like this.

mohammadreza
Helpful | Level 6
‎07-14-2020 02:15 AM
Go to solution

Yes the problem was solved.

0 Likes

aciid
New member | Level 2
‎07-14-2020 02:24 AM
Go to solution

cool :sunglasses:

thank you

0 Likes

theTutor
Explorer | Level 3
‎07-14-2020 02:25 AM
Go to solution
Yes, this seems to be working correctly now. Thanks for getting this fixed!
0 Likes
Need more support?
Who's talking

Top contributors to this post

  • User avatar
    theTutor Explorer | Level 3
  • User avatar
    aciid New member | Level 2
  • User avatar
    mohammadreza Helpful | Level 6
  • User avatar
    Greg-DB Dropbox Staff
What do Dropbox user levels mean?