[tmzt]

why wouldn't it be a hash of the download URL only?

[pests]

Perhaps they are worried about the same url being used to serve multiple files. Eg: example.php/download/invoice.pdf might be customer / order specific.

[tmzt]

Right, I can see why the hash of the file would be important, but I can't see why they would include the plain text URL instead of a hash.

It would be interesting to have a hash of a file that could identify embedded data but exclude private data. For instance, for a Microsoft Office file it would include hashes of embedded binary assets but exclude the text of the document.

[drivebyacct2]

No idea, I'm taking the GP at their word, their phrasing made me think that they work in the browser space and know that as a fact.

I can't say I've inspected Chrome specifically in Wireshark, nor looked at the code, so I will refrain from making any claims; I simply don't know.