Google Chrome to block automatic downloads initiated from ad slot iframes

Google continues its crusade against "drive-by download" attack vectors.

Google developers plan to add a feature to Chrome that will prevent advertising slots on a website from triggering automatic file downloads in users' browsers.

"We plan to prevent downloads initiated from ad frames that lack a user gesture to prevent unwanted drive-by-downloads," Google developers said in a Chrome browser status page published today.

"Download doesn't make much sense with ads. It happens very rarely in practice and is also difficult to reproduce, which implies that a very small amount of ads are doing automatic downloads," Google said. "Blocking download in ad frames without user gesture will make the web less abusive and more secure."

According to a design document that Google also published today, an "ad frame" is "an iframe marked as ad by the Chromium ad detection infrastructure AdTagging." This basically means any iframe that Google believes to be an ad.

Today's news marks the second security feature that Google has announced this year as part of its efforts to block "drive-by downloads," a term used in the information security (infosec) industry to describe a download that happens without the user's knowledge.

Back in January, Google announced that Chrome would also block automatic file downloads (drive-by downloads) initiated from sandboxed iframes, a type of HTML iframe that is used for showing ads, but also by exploit kits to plant malware on users' computers.

That first feature is scheduled to be included in Google Chrome 73, set for release tomorrow.

Google didn't say when it plans to start blocking automatic file downloads initiated from ad slots, but the feature is expected this year.

This security feature and the protection it provides are only effective as long as users don't interact with the ad frames. File downloads will still be allowed if users click or swipe on an ad, so that ads can show "download" or "get it here" type buttons.

If Chrome blocks an automatic file download, the browser won't show any visible warnings. The browser maker estimates the performance impact of this feature to be negligible once implemented. Google intends to add this feature to all Chrome versions, except the one that ships for iOS, which isn't based on the Chromium engine, but on WebKit (Safari's engine).