Google is in the process of adding support for automatic blocking of drive-by downloads originating from website iframes, one of the techniques preferred by attackers to drop malware payloads on vulnerable machines, with or without user interaction.
Drive-by downloads are when the browser downloads a file without a user requesting it, and in some cases without them even realizing. This could be done by malvertising, in the background in iframes, or via malicious scripts planted on websites by attackers, without the need of user interaction.
The download blocking in iframes feature was initially proposed for implementation during 2013 within the Web Hypertext Application Technology Working Group (WHATWG) mailing list by Google’s Mike West and revived in the form of an issue on WHATWG’s GitHub’s repository during late 2017.
It was eventually picked up by Chromium project’s Yao Xiao who has published the feature’s design and core principle considerations details in a public Google Docs document appropriately named “Preventing Drive-By-Downloads in Sandboxed Iframes.”
According to Yao Xiao:
Content providers should be able to restrict whether drive-by-downloads can be initiated for content in iframes. Thus, we plan to prevent downloads in sandboxed iframes that lack a user gesture, and this restriction could be lifted via an ‘allow-downloads-without-user-activation’ keyword, if present in the sandbox attribute list.
Furthermore, the necessity of implementing a method to block automated drive-by downloads originating from iframes is explained in the whatwg/html issue by lubin2010: “the popup inherits the sandbox unless you set allow-popups-to-escape-sandbox. But auto popup would be blocked by popup blockers that most browsers have, while auto download won’t. So popups are guarded by user gestures (interactions), but not downloads.”
As described by Yao Xiao, the feature will target downloads triggered by “navigations and simulated clicks on links” that can take place without user interaction.
To be more specific, downloads will be blocked only if ALL of the following conditions will be met:
The download is triggered via or navigations. Those are the only types of download that could happen without user gesture.
The click or the navigation occurs in a sandboxed iframe, unless the tokens contain the “allow-downloads-without-user-activation” keyword.
The frame does not have a transient user gesture at the moment of click or navigation.
Once the drive-by downloads protection feature is implemented, all downloads that will be blocked will fail silently and the only sign of these events will be displayed in the developer console in the form of an error.
This feature could also help prevent malicious ads that are part of malvertising campaigns from pushing malicious downloads on Internet users.
All in all, the implementation of automatic drive-by downloads in Chrome “is a security win, since downloads are a vector to vulnerabilities in lots of cases. And this doesn’t introduce new security vulnerabilities, as we simply block the code path to download in some conditions.”