Google Chrome will get protection from drive-by-downloads
- The download is triggered via or navigations. Those are the only types of download that could happen without user gesture.
- The click or the navigation occurs in a sandboxed iframe unless the tokens contain the “allow-downloads-without-user-activation” keyword.
- The frame does not have a transient user gesture at the moment of click or navigation.
It should be noted that Chrome will only block the content when all of the conditions are met. Blocking the drive-by-downloads is both a functional and a security feature. While the main goal is to make sure that users don’t get malware on their computers, thus breaching their privacy, I don’t think anyone wants their browsers automatically downloading files with shady names and extensions, as safe as they might be. The feature will reportedly be available on all platforms except iOS. This document goes into the details of the feature. There is currently no expected time of release for the feature, but we’ll make sure to keep you updated.