Google Chrome v76 is getting a new security feature to fight popup spam.
Google engineers are planning to change how the Escape key works in the Chrome browser, and it’s all being done as part of a security-focused change meant to make it harder for shady sites to open popups.
The feature is expected to ship with Chrome version 76, scheduled for release at the end of July 2019.
The general idea is that starting with Chrome 76, pressing the Escape key on your keyboard will not “activate” a page and prevent it from running JavaScript code — like it did until now.
“Browsers prevent calls to abusable APIs (like popup, fullscreen, vibrate, etc.) unless the user activates the page through direct interactions,” Google said earlier this month.
“Not all interactions trigger user activation. For example, clicking on a link or typing in a textbox does, but swiping fingers on a screen or hovering with the mouse cursor doesn’t.”
Google will now classify pressing the Escape key in the same category as the above-mentioned actions.
“Since users never intend to interact with the page through the ESC key, it should not trigger user activation,” Google said.
ABUSED IN THE WILD
According to Google, there is at least one malware campaign that is abusing Escape key-generated popups to spam users.
This demo page shows how current versions of Chrome will open a new page/popup for the example.com domain. But when opening the same page in Chrome Canary (v76), the browser will block the new page/popup using Chrome’s built-in ad-blocker tool.
Firefox already includes a similar feature.
In the previous months, Google has rolled out similar security-minded features to protect Chrome users from spammers and malicious advertisers.
For example, in Chrome v73, Google added a security feature that would prevent malicious code loaded in iframes from initiating a download on a user’s device.
The company also fixed an “evil cursor” bug abused by tech support scammers and banned extensions using obfuscated code from the Chrome Web Store.