by drivebyacct2 4742 days ago
Usually I groan when people complain about the malware features in Chrome in relation to privacy, but this is definitely one I'd not heard of. The hash of the whole file is bad enough, but even if it were unique, the full URL could easily contain sensitive information or information about the file contents.

Why wouldn't it be a hash of the download URL only?
Perhaps they are worried about the same URL being used to serve multiple files. E.g.: example.php/download/invoice.pdf might be customer / order specific.
Right, I can see why the hash of the file would be important, but I can't see why they would include the plain text URL instead of a hash.

It would be interesting to have a hash of a file that could identify embedded data but exclude private data. For instance, for a Microsoft Office file it would include hashes of embedded binary assets but exclude the text of the document.
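
A sketch of the idea in the comment above, as an added example that is not part of the original thread and not how Chrome works: OOXML files (.docx, .xlsx, .pptx) are ZIP containers, so the binary parts can be hashed while the XML parts holding the text are skipped. Treating every non-`.xml`/`.rels` part as an "asset" is an assumption of this example, and the helper names and sample documents are constructed.

```python
import hashlib
import io
import zipfile

# Assumption: text and metadata live in XML/relationship parts, binaries elsewhere.
TEXT_SUFFIXES = (".xml", ".rels")

def asset_hashes(ooxml_bytes):
    """Return {part_name: sha256_hex} for the non-XML parts of an OOXML container."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.lower().endswith(TEXT_SUFFIXES):
                continue  # skip document text, styles, relationships
            hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes

def asset_fingerprint(ooxml_bytes):
    """One digest over the sorted asset digests; independent of text and part names."""
    digests = sorted(asset_hashes(ooxml_bytes).values())
    return hashlib.sha256("\n".join(digests).encode()).hexdigest()

def make_docx(text, assets):
    """Build a minimal constructed container (not a complete Word file) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:document><w:t>{text}</w:t></w:document>")
        for name, data in assets.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: same embedded binary, different private text.
MACRO = b"\xd0\xcf\x11\xe0 constructed macro blob"
invoice_a = make_docx("Invoice 1001 for Alice", {"word/vbaProject.bin": MACRO})
invoice_b = make_docx("Invoice 1002 for Bob", {"word/vbaProject.bin": MACRO})
clean = make_docx("Invoice 1001 for Alice", {"word/media/image1.png": b"constructed logo"})

if __name__ == "__main__":
    for label, doc in (("invoice_a", invoice_a), ("invoice_b", invoice_b), ("clean", clean)):
        # whole-file hash differs per customer; asset fingerprint tracks the embedded binary
        print(label, hashlib.sha256(doc).hexdigest()[:16], asset_fingerprint(doc)[:16])
```

Documents with no binary parts all share one fingerprint (the hash of an empty list), and an embedded asset such as a scanned signature can itself be private, so this narrows what the hash reveals without eliminating it.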

No idea; I'm taking the GP at their word. Their phrasing made me think that they work in the browser space and know that as a fact.

I can't say I've inspected Chrome specifically in Wireshark, nor looked at the code, so I will refrain from making any claims; I simply don't know.