Deprecate Drive-By Downloads in Sandboxed Iframes (deprecated)
Chrome will prevent downloads in sandboxed iframes that lack a user gesture, though this restriction could be lifted via an 'allow-downloads-without-user-activation' keyword in the sandbox attribute list. This allows content providers to restrict malicious or abusive downloads. Removal is expected in Chrome 76.
Documentation
Status in Chromium
Deprecated (tracking bug) in:
- Chrome for desktop release 73
- Chrome for Android release 73
Consensus & Standardization
After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.
- No public signals
- No public signals
- No public signals
- No signals
Owner
Last updated on 2019-03-15
Comments
Downloads can bring security vulnerabilities to a system. Even though additional security checks are done in Chrome and the operating system, we feel blocking downloads in sandboxed iframes also fits the general thought behind the sandbox. Apart from security concerns, it would be a more pleasant user experience for a click to trigger a download on the same page, compared with downloads started automatically when landing at a new page, or started non-spontaneously after the click.