Drive-by-downloads are one of the most dangerous things non-tech savvy people can come across on the web. The term is used when the website initiates downloading a file without users consent, or by tricking them. I’m sure almost all of you have seen a random file pop up in your download manager. Apparently, Google Chrome is going to fix that.
Historically, the most radical (and the only) way to avoid drive-by-downloads, was to block all JavaScript content on all websites to prevent executing scripts. Google Chrome is going to implement a feature which will do just that but in a smarter way. To understand the solution, first, we must dive into the problem.
Drive-by-downloads are mostly initiated by a JavaScript script running in the background, infected advertising or the iframes. They run automatically without the user ever knowing about it. The industry has been trying to fix the problem since 2013, but a practical workaround hasn’t been deployed so far. BleepingComputer reports that according to Chromium’s Yao Xiao, drive-by-downloads will be identified as such and blocked only when:
- The download is triggered via or navigations. Those are the only types of download that could happen without user gesture.
- The click or the navigation occurs in a sandboxed iframe unless the tokens contain the “allow-downloads-without-user-activation” keyword.
- The frame does not have a transient user gesture at the moment of click or navigation.
SOURCE
0 Komentar