Deprecate download in ad frames without user gesture

We plan to prevent downloads initiated from ad frames that lack a user gesture ('drive-by downloads'). Removal is expected in Chrome 76.

Downloads don't make sense with ads. It happens very rarely in practice and is also difficult to reproduce, which implies that a very small amount of ads are doing automatic downloads. Blocking downloads in ad frames without user gestures will make the web more secure. Apart from security concerns, it would be a more pleasant user experience for a click to trigger a download on the same page, compared with downloads started automatically when landing at a new page, or started non-spontaneously after the click.

Comments

Ads are identified by Chromium's AdTagging infrastructure: https://cs.chromium.org/chromium/src/docs/ad_tagging.md

Documentation

• Design Doc:
• https://docs.google.com/document/d/1fBa8nwvb9g21KTji_kIDHzd7FjCb72pVf33MSb9jSWY

Status in Chromium

Blink components: UI>Browser>Downloads

In development (tracking bug)

Consensus & Standardization

• Firefox: No public signals
• Edge: No public signals
• Safari: No public signals
• Web Developers: No signals

Owner

• yaoxia@chromium.org

Last updated on 2019-03-15