Google declares war on unintended downloads

Jan 28, 2019 09:03 GMT

Google's Chrome browser will soon get a new capability that helps block unintended downloads.

The browser, which according to third-party data runs on more than 65 percent of desktop computers, will be updated with a security feature that blocks drive-by downloads.

Technically, a drive-by download is one that starts without the user specifically requesting it. In most cases malicious actors trigger them from iframes embedded in a web page, which lets them hide malware or other dangerous payloads inside the content of a page that looks legitimate.

Google believes it can curb the problem by making it harder for unintended downloads to start: its filters will block a download initiated from a sandboxed iframe unless certain conditions are met.

The downloads will just fail silently without any warning to users

The restriction applies to sandboxed iframes, that is, frames that carry a sandbox attribute. A download initiated from such a frame is blocked unless one of two things holds. Either the frame has a transient user activation, meaning the user performed a gesture such as a click inside the frame, at the moment the download is triggered by a click or a navigation, or the frame's sandbox attribute list contains the "allow-downloads-without-user-activation" keyword, which lets the embedding page opt a specific frame back into automatic downloads. Frames that are not sandboxed are not affected by this change.
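To check how a given Chrome build handles the cases described above, the following test page (an added example, not code from the article or from the Chromium design document) builds three sandboxed iframes: one that triggers a download from its load handler with no user activation, one that does the same but carries the allow-downloads-without-user-activation keyword, and one that only downloads when a button inside the frame is clicked. The downloaded file is a constructed one-line text blob. The keyword is the one proposed in the quoted document; whether a particular Chrome version honours it (later Chrome releases shipped a differently named allow-downloads keyword) is something to verify in the console rather than assume.

```html
<!DOCTYPE html>
<!-- Added test page, not from the Chromium document: exercises download
     attempts from sandboxed iframes under the three cases the proposed
     policy distinguishes. Open it in Chrome with the DevTools console visible. -->
<meta charset="utf-8">
<title>Sandboxed iframe download test</title>
<h1>Sandboxed iframe download test</h1>
<p>Blocked attempts are reported in the DevTools console, not in the page UI.</p>
<div id="frames"></div>
<script>
// Child document used by every frame. It builds a small constructed payload
// and tries to download it through an <a download> element. In 'auto' mode
// the link is clicked from the load handler, where no transient user
// activation exists; in 'button' mode it waits for a real click in the frame.
function childSource(label, mode) {
  return `<!DOCTYPE html><meta charset="utf-8"><body>
<p>${label}</p>
<button id="go">Download via click</button>
<script>
  function attemptDownload() {
    var blob = new Blob(['constructed sample payload'], { type: 'text/plain' });
    var a = document.createElement('a');
    a.href = URL.createObjectURL(blob);   // blob: URL is usable from the opaque-origin frame
    a.download = 'sample.txt';
    document.body.appendChild(a);
    a.click();   // allowed or blocked depending on sandbox flags and activation
  }
  document.getElementById('go').addEventListener('click', attemptDownload);
  if (${JSON.stringify(mode)} === 'auto') {
    // Fired from the load event: no user gesture has happened in this frame.
    window.addEventListener('load', attemptDownload);
  }
<\/script></body>`;
}

// The three cases and the outcome the proposed policy predicts for each.
var cases = [
  { label: 'A: sandbox="allow-scripts", auto-triggered (expected: blocked, console error)',
    sandbox: 'allow-scripts', mode: 'auto' },
  { label: 'B: sandbox="allow-scripts allow-downloads-without-user-activation", auto-triggered (expected: allowed)',
    sandbox: 'allow-scripts allow-downloads-without-user-activation', mode: 'auto' },
  { label: 'C: sandbox="allow-scripts", triggered by the button click (expected: allowed)',
    sandbox: 'allow-scripts', mode: 'button' }
];

for (var i = 0; i < cases.length; i++) {
  var frame = document.createElement('iframe');
  frame.setAttribute('sandbox', cases[i].sandbox);  // set flags before loading content
  frame.srcdoc = childSource(cases[i].label, cases[i].mode);
  frame.width = 640;
  frame.height = 90;
  document.getElementById('frames').appendChild(frame);
}
</script>
```

Open the file in Chrome with the console showing and note which cases produce a file and which only log an error. Because two frames attempt downloads automatically, Chrome may ask whether to allow multiple downloads from the page; allow it for the duration of the test.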

Chromium engineer Yao Xiao describes the feature in a recently surfaced design document, without giving any specifics as to when it could go live for all users.

“Content providers should be able to restrict whether drive-by-downloads can be initiated for content in iframes. Thus, we plan to prevent downloads in sandboxed iframes that lack a user gesture, and this restriction could be lifted via an ‘allow-downloads-without-user-activation’ keyword, if present in the sandbox attribute list,” he says.

The block will produce no visible change for users; the download simply fails silently. Developers will, however, see an error in the browser console, the document explains.