Google always want to keep its user secure. So It is going to take another step. Google is working on the drive-by-downloads protection on Chrome browser.
Google is in the process of adding the support for automatic blocking of drive-by downloads that originate from website iframes. The term is used when the website initiates downloading a file automatically without users consent, or by tricking them. This technique is used by attackers to inject malware payloads on vulnerable machines, with or without user interaction.
This could be done by malvertising, mostly initiated by a JavaScript script running in the background or in iframes, or through a malicious script planted on websites by attackers, without the need of user interaction. The industry has been trying to fix the problem since 2013 but not yet fixed.
Hackers also leave iframes on hacked sites to infect unsuspecting visitors. According to Chrome statistics, around 0.002117 percent of pages loaded in Chrome browser, trigger a drive-by download.
BleepingComputer reports that according to the Chromium’s Yao Xiao, drive-by-downloads will be downloads will be blocked only if ALL of the following conditions will be met:
- The download is triggered via or navigations. Those are the only types of download that could happen without user gesture.
- The click or the navigation occurs in a sandboxed iframe unless the tokens contain the “allow-downloads-without-user-activation” keyword.
- The frame does not have a transient user gesture at the moment of click or navigation.
Yao said “Content providers should be able to restrict whether drive-by-downloads can be initiated for content in iframes. Thus, we plan to prevent downloads in sandboxed iframes that lack a user gesture, and this restriction could be lifted via an ‘allow-downloads-without-user-activation’ keyword if present in the sandbox attribute list.”
Google has not confirmed the release date of this feature. We will soon update you when it will release.