Deprecate Drive-By Downloads in Sandboxed Iframes (deprecated)

Chrome will prevent downloads in sandboxed iframes that lack a user gesture, though this restriction could be lifted via an 'allow-downloads-without-user-activation' keyword in the sandbox attribute list. This allows content providers to restrict malicious or abusive downloads. Removal is expected in Chrome 76.


Downloads can bring security vulnerabilities to a system. Even though additional security checks are done in Chrome and the operating system, we feel blocking downloads in sandboxed iframes also fits the general thought behind the sandbox. Apart from security concerns, it would be a more pleasant user experience for a click to trigger a download on the same page, compared with downloads started automatically when landing at a new page, or started non-spontaneously after the click.


Status in Chromium


Deprecated (tracking bug) in:

  • Chrome for desktop release 73
  • Chrome for Android release 73

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No public signals
  • No public signals
  • No public signals
  • No signals


Last updated on 2019-03-15