Deprecate download in ad frames without user gesture

We plan to prevent downloads initiated from ad frames that lack a user gesture ('drive-by downloads'). Removal is expected in Chrome 76.

Downloads don't make sense with ads. It happens very rarely in practice and is also difficult to reproduce, which implies that a very small amount of ads are doing automatic downloads. Blocking downloads in ad frames without user gestures will make the web more secure. Apart from security concerns, it would be a more pleasant user experience for a click to trigger a download on the same page, compared with downloads started automatically when landing at a new page, or started non-spontaneously after the click.

Comments

Ads are identified by Chromium's AdTagging infrastructure: https://cs.chromium.org/chromium/src/docs/ad_tagging.md

Documentation

Status in Chromium

UI>Browser>Downloads


In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No public signals
  • No public signals
  • No public signals
  • No signals

Owner

Last updated on 2019-03-15