Google plans to improve Chrome's drive-by-download protection
Google plans to introduce a new protective feature in the company's Chrome web browser that blocks automatic downloads in ad frames.
File downloads are usually initiated by users. Users may click on links to download files, use drag and drop (from the browser to the desktop), or use the right-click context menu to download files.
Google notes that there are not many legitimate use cases for ad initiated downloads.
Download doesn't make much sense with ads. It happens very rarely in practice and is also difficult to reproduce, which implies that a very small number of ads are doing automatic downloads. Blocking downloads in ad frames without user gesture will make the web less abusive and more secure.
Other downloads are initiated by page scripts without the user asking for them.
Tip: it is a good idea to block automatic downloads in Chrome.
Google identified two cases of automatic downloads that it considers problematic when they originate from an ad frame:
- Simulated activation of download links: script calls click() on an anchor element (typically one carrying the download attribute), or dispatches a synthetic click event, so the link behaves as if the user had clicked it.
- Navigation-triggered downloads: the frame navigates to a URL whose response is served as an attachment (Content-Disposition: attachment) or in a type the browser cannot render, so the browser saves the response instead of displaying it.
Google engineers plan to block these automatic types of downloads in future versions of Google Chrome. The feature will land in all versions of Google Chrome except for the iOS version, which is built on Apple's WebKit rather than Chromium's engine and therefore does not share this download and ad-tagging code.
Downloads will be blocked if the automatic download originated from an ad frame. Chromium's ad detection system, AdTagging, identifies ad frames automatically (a frame is tagged as an ad when its URL matches Chrome's ad filter rules or when it was created by script that was itself tagged as an ad), and Chrome will base the blocking decision on that tag.
The change won't disallow all downloads that originate from ad frames though. Downloads are allowed if Chrome recognizes user interaction with the element, i.e. the download happens inside a genuine user activation such as a real click.
Downloads in an ad frame without user gesture account for 0.00001% of page loads according to metrics that Google collected. The company expects that there won't be major breakage due to the low usage and the fact that a sample of top URLs did not use the feature at all.
Automatic downloads that originate from ad frames without user interaction will be blocked silently; users won't receive a notification about it.
The move closes one delivery method for drive-by downloads, in which a page pushes a file onto the user's system without the user asking for it. It does not affect downloads the user actually clicks on in an ad, nor automatic downloads from frames that are not tagged as ads.
Google has not set a date for the inclusion in the Chrome web browser. The tracking bug is protected at the time of writing.