Google Chrome will get protection from drive-by-downloads


Drive-by-downloads are one of the most dangerous things non-tech savvy people can come across on the web. The term is used when the website initiates downloading a file without users consent, or by tricking them. I’m sure almost all of you have seen a random file pop up in your download manager. Apparently, Google Chrome is going to fix that. 

Historically, the most radical (and the only) way to avoid drive-by-downloads, was to block all JavaScript content on all websites to prevent executing scripts. Google Chrome is going to implement a feature which will do just that but in a smarter way. To understand the solution, first, we must dive into the problem.

Drive-by-downloads are mostly initiated by a JavaScript script running in the background, infected advertising or the iframes. They run automatically without the user ever knowing about it. The industry has been trying to fix the problem since 2013, but a practical workaround hasn’t been deployed so far. BleepingComputer reports that according to Chromium’s Yao Xiao, drive-by-downloads will be identified as such and blocked only when:
  • The download is triggered via or navigations. Those are the only types of download that could happen without user gesture.
  • The click or the navigation occurs in a sandboxed iframe unless the tokens contain the “allow-downloads-without-user-activation” keyword.
  • The frame does not have a transient user gesture at the moment of click or navigation.
It should be noted that Chrome will only block the content when all of the conditions are met. Blocking the drive-by-downloads is both a functional and a security feature. While the main goal is to make sure that users don’t get malware on their computers, thus breaching their privacy, I don’t think anyone wants their browsers automatically downloading files with shady names and extensions, as safe as they might be. The feature will reportedly be available on all platforms except iOS. This document goes into the details of the feature. There is currently no expected time of release for the feature, but we’ll make sure to keep you updated.

SOURCE