Firefox to Introduce Additional Protection Against Drive-By Downloads
Starting in October 2020, with the release of Firefox 82, Mozilla engineers will add a new security feature to their browser designed to combat drive-by downloads. Developers have been fighting malicious drive-by downloads for many years. The challenge is that they cannot completely block legitimate browser functions, even if hackers sometimes exploit them. As a result, browsers are constantly introducing new security mechanisms, and attackers eventually learn to bypass them.
How the New Protection Works
In recent years, developers have been addressing the abuse of so-called “sandboxed iframes,” which are typically used by websites to load ads and embedded widgets (such as videos, music tracks, podcasts, and so on). In practice, websites rarely initiate downloads through sandboxed iframes; most of the time, these are used only for embedding content.
Back in the spring of last year, Google engineers implemented a feature in Chrome version 73 that blocks downloads initiated through sandboxed iframes. In May of this year, with the release of Chrome 83, this functionality was fully enforced.
Now, similar protection will appear in Mozilla’s browser: it is set to be introduced in Firefox 82, scheduled for release in October 2020. Starting with this version, any downloads through sandboxed iframes will be blocked.
Exceptions and Industry Adoption
The only exception will be situations where the website owner or widget provider explicitly sets the `allow-downloads` flag in the iframe's sandbox attribute. However, almost no one does this, because it creates a security risk, and avoiding that risk is precisely why sandboxed iframes are used instead of regular iframes.
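The following is an added example, not code from the article or from Mozilla, that site owners can use to audit their own pages under the policy described above: an iframe without a `sandbox` attribute is not sandboxed and can initiate downloads; a sandboxed iframe has downloads blocked unless its sandbox token list contains `allow-downloads`. The regex-based iframe extraction and the sample HTML are constructed for the example (a real audit would use a DOM parser), and the assumption that sandbox tokens are whitespace-separated and ASCII case-insensitive is the example's own.

```javascript
// Added example: classify <iframe> elements in static HTML by whether a download
// started inside them would be blocked under the Chrome 83 / Firefox 82 rule.

// Assumption: sandbox tokens are whitespace-separated and case-insensitive.
function parseSandboxTokens(value) {
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// sandboxAttr === null means the attribute is absent (iframe not sandboxed).
// An empty string means `sandbox` or sandbox="" (fully restricted).
function downloadPolicy(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) {
    return { sandboxed: false, downloadsBlocked: false, reason: 'iframe is not sandboxed' };
  }
  const tokens = parseSandboxTokens(sandboxAttr);
  if (tokens.has('allow-downloads')) {
    return { sandboxed: true, downloadsBlocked: false, reason: 'sandbox explicitly grants allow-downloads' };
  }
  return { sandboxed: true, downloadsBlocked: true, reason: 'sandboxed iframe without allow-downloads' };
}

// Crude extractor for illustration only: finds <iframe ...> start tags and reads
// their src and sandbox attributes (quoted, single-quoted, unquoted, or bare `sandbox`).
function auditIframes(html) {
  const results = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  const srcRe = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const sandboxRe = /(?:^|\s)sandbox\b(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = attrs.match(srcRe) || [];
    const srcVal = src[1] ?? src[2] ?? src[3] ?? '(no src)';
    const sb = attrs.match(sandboxRe);
    // Bare `sandbox` with no value yields '' (all restrictions apply).
    const sandboxAttr = sb ? (sb[1] ?? sb[2] ?? sb[3] ?? '') : null;
    results.push({ src: srcVal, ...downloadPolicy(sandboxAttr) });
  }
  return results;
}

// Constructed sample page: one ad slot, one embed that opts into downloads,
// one fully restricted widget, and one legacy unsandboxed frame.
const SAMPLE_HTML = `
<iframe src="https://ads.example/slot1" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://player.example/embed" sandbox="allow-scripts allow-downloads"></iframe>
<iframe src="https://widget.example/w" sandbox></iframe>
<iframe src="https://legacy.example/frame"></iframe>
`;

for (const r of auditIframes(SAMPLE_HTML)) {
  const state = r.downloadsBlocked ? 'downloads BLOCKED' : 'downloads allowed';
  console.log(`${r.src}: ${state} (${r.reason})`);
}
```

Frames that report `downloads allowed` are the ones worth a second look: either they are not sandboxed at all, or someone has deliberately granted `allow-downloads`, which is the opt-in the article says almost no one uses.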
It’s worth noting that similar functionality is already being discussed by Safari WebKit developers, but there are currently no concrete plans for its implementation.