Chrome 86

Chrome 86 has been released, together with the stable release of Chromium, the open-source project on which it is based.

Key changes in Chrome 86:

  • Added protection against insecure form submission: forms on pages loaded over HTTPS that send their data over plain HTTP are now flagged.
  • Blocking of insecure (HTTP) downloads of executable files has been extended to block insecure downloads of archives (zip, iso, etc.) and to show a warning when documents (docx, pdf, etc.) are downloaded insecurely. The next release is expected to block documents and warn for images, text and media files. The blocking was introduced because a file downloaded without encryption can have its content substituted in a MITM attack and then be used for malicious actions.
  • The "Always show full URL" option is now shown in the address-bar context menu by default; previously enabling it required changing a setting on the about:flags page. The full URL can also be seen by double-clicking the address bar. Recall that starting with Chrome 76 the address is shown by default without the protocol and the www subdomain. In Chrome 79 the setting to restore the old behaviour was removed, but after user complaints a new experimental flag was added in Chrome 83 that adds a context-menu item to disable the hiding and show the full URL in all cases.
    For a small percentage of users an experiment has been started that shows only the domain in the address bar by default, without path elements and query parameters: for example, instead of "https://example.com/secure-google-sign-in/" only "example.com" is shown. The mode is expected to be rolled out to all users in one of the next releases. To disable this behaviour, use the "Always show full URL" option; to see the whole URL, click on the address bar. The motivation is to protect users from phishing that manipulates parts of the URL: attackers rely on users' inattention to create the appearance that a different site has been opened and then carry out fraud. While such substitutions are obvious to a technically competent user, inexperienced users do not notice the manipulation.
  • The initiative to remove FTP support has been revived. In Chrome 86, FTP is disabled by default for about 1% of users, and in Chrome 87 the disabling will be extended to 50% of users; support can be restored with the "--enable-ftp" or "--enable-features=FtpProtocol" flag. In Chrome 88, FTP support will be disabled completely.
  • The Android version, like the desktop version, now has a password-manager check of saved logins and passwords against a database of compromised accounts, with a warning if a match is found or a trivial password is in use. The check is performed against a database covering more than 4 billion accounts that appeared in leaked user databases. To preserve privacy, only a hash prefix is compared on the user's side; the passwords themselves and their full hashes are never sent out.
  • The Android version also gains the Safety check button and Enhanced Safe Browsing. The "Safety check" button shows a summary of potential security issues such as compromised passwords, Safe Browsing status, missing updates and detected malicious add-ons. Enhanced Safe Browsing enables additional checks to protect against phishing, malicious activity and other Web threats, and also adds protection for your Google account and Google services (Gmail, Drive, etc.). Whereas in normal Safe Browsing mode the checks are performed locally against a database periodically downloaded to the client's system, in Enhanced Safe Browsing real-time information about pages and downloads is sent to Google for verification, which makes it possible to react to threats as soon as they are discovered, without waiting for the local blocklist to update.
  • Added support for the ".well-known/change-password" indicator file, with which site owners can specify the address of the web form for changing the password. If a user's credentials have been compromised, Chrome will now offer the password-change form based on the information in this file.
  • Implemented a new "Safety Tip" warning, shown when opening a site whose domain is very similar to that of another site and the heuristic indicates a high probability of spoofing (for example, goog0le.com opened instead of google.com).
  • Implemented support for the Back-forward cache, which provides instant navigation when using the "Back" and "Forward" buttons or when moving between previously viewed pages of the current site. The cache is enabled via the chrome://flags/#back-forward-cache setting.
  • Optimized CPU usage by occluded windows. Chrome checks whether the browser window is covered by other windows and avoids drawing pixels in the overlapped areas. This optimization was enabled for a small percentage of users in Chrome 84 and 85 and is now enabled for everyone. Compared with previous releases, an incompatibility with virtualization systems that caused blank white pages to be shown has also been fixed.
  • Improved throttling of background tabs: such tabs can no longer consume more than 1% of CPU time and can wake up no more than once per minute. After five minutes in the background, tabs are frozen, except for tabs that are playing media or recording.
  • Work on unifying the User-Agent HTTP header has resumed. In the new version, support for the User-Agent Client Hints mechanism, developed as a replacement for User-Agent, is enabled for all users. The new mechanism returns data about specific browser and system parameters (version, platform, etc.) selectively and only after the server requests it, and gives users the ability to choose which of this information to provide to site owners. With User-Agent Client Hints, the identifying details are not sent by default without an explicit request, which makes passive identification impossible (only the browser name is provided by default).
  • Changed the indication that an update is available and that the browser must be restarted to install it: instead of a coloured arrow in the account avatar area, the word "Update" is now shown.
  • Work has been done to move the browser to inclusive terminology. In policy names, the words "whitelist" and "blacklist" have been replaced with "allowlist" and "blocklist" (policies already added will continue to work, but a deprecation warning will be shown for them). In the code and file names, references to "blacklist" are replaced by "blocklist". User-visible references to "blacklist" and "whitelist" were replaced back in early 2019.
  • Added an experimental ability to edit saved passwords, activated with the "chrome://flags/#edit-passwords-in-settings" flag.
  • The Native File System API has been moved to stable and is now publicly available; it allows web applications to work with files in the local file system. The new API may be needed, for example, by browser-based IDEs, text editors, image editors and video editors. To directly read and write files, use dialogs to open and save files, or browse the contents of directories, the application asks the user for explicit confirmation.
  • Added the ":focus-visible" CSS selector, which uses the same heuristics the browser uses when deciding whether to show the focus indicator (moving focus to a button with the keyboard shows the indicator, but clicking it with the mouse does not). The previously available ":focus" selector always highlights focus. In addition, a "Quick Focus Highlight" option has been added to the settings; when enabled, an additional focus indicator is shown next to the active element, and it remains visible even if the page disables the visual focus styles via CSS.
  • Several new APIs have been added to the Origin Trials mode (experimental features that require separate activation). Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site.
  • WebHID API for low-level access to HID devices (Human interface devices: keyboards, mice, gamepads, touchpads), which allows the logic for working with a HID device to be implemented in JavaScript, so that rare HID devices can be supported without specific drivers in the system. First of all, the new API is aimed at supporting gamepads.
  • The Screen Information API extends the Window Placement API to support multi-screen configurations. Unlike window.screen, the new API allows a window to be placed anywhere in the combined screen space of multi-monitor systems, without being limited to the current screen.
  • The battery-savings meta tag, with which the site can inform the browser about the need to activate modes to reduce power consumption and optimize the load on the CPU.
  • COOP Reporting API to report potential violations of Cross-Origin-Embedder-Policy (COEP) and Cross-Origin-Opener-Policy (COOP) lockdowns without actually applying restrictions.
  • The Credential Management API offers a new PaymentCredential credential type that provides additional confirmation of the payment transaction being made. A relying party, such as a bank, has the ability to generate a PublicKeyCredential that can be requested by the merchant for additional secure payment confirmation.
  • The PointerEvents API, which reports the tilt of a stylus, added support for the altitude angle (the angle between the stylus and the screen) and the azimuth angle (the angle between the X axis and the projection of the stylus on the screen), in addition to the TiltX and TiltY angles (the angles between the plane through the stylus and one of the axes and the plane through the Y and Z axes). Conversion functions between altitude/azimuth and TiltX/TiltY were also added.
  • Changed encoding of space in URL when it is evaluated in protocol handlers - navigator.registerProtocolHandler() method now replaces spaces with "%20" instead of "+", which unifies behavior with other browsers such as Firefox.
  • Added the "::marker" pseudo-element to CSS for customizing the colour, size, shape and type of the numbers and bullets of list items in <ul> and <ol> blocks.
  • Added support for the Document-Policy HTTP header, which allows you to set document access rules similar to the iframe sandbox isolation mechanism, but more versatile. For example, through the Document-Policy, you can limit the use of low-quality images, disable slow JavaScript APIs, configure rules for loading iframes, images and scripts, limit the total size of the document and traffic, prohibit methods that lead to page redrawing, and disable the Scroll-To-Text function.
  • The <fieldset> element now supports the 'inline-grid', 'grid', 'inline-flex' and 'flex' values of the 'display' CSS property.
  • Added ParentNode.replaceChildren() method to replace all children of a parent node with another DOM node. Previously, you could use a combination of node.removeChild() and node.append() or node.innerHTML and node.append() to replace nodes.
  • Expanded the range of URL schemes allowed to be overridden with registerProtocolHandler(). The list of schemes includes cabal, dat, did, dweb, ethereum, hyper, ipfs, ipns, and ssb decentralized protocols, which allows you to define links to elements regardless of the site or gateway that provides access to the resource.
  • The Asynchronous Clipboard API added support for the text/html format for copying and pasting HTML via the clipboard (writing and reading to the clipboard cleans up dangerous HTML constructs). The change, for example, allows web editors to organize the insertion and copying of formatted text with images and links.
  • WebRTC has added the ability to connect its own data handlers called at the stages of encoding or decoding WebRTC MediaStreamTrack. For example, this capability can be used to add support for end-to-end encryption of data transmitted through intermediate servers.
  • The implementation of Number.prototype.toString is 8% faster in the V8 JavaScript engine. The .name property, with an empty value, has been added to asynchronous classes. The Atomics.wake method, which was earlier renamed to Atomics.notify to comply with the ECMA-262 specification, has been removed. The code of the JS-Fuzzer fuzzing tool has been published.
  • The Liftoff baseline compiler for WebAssembly, enabled in the previous release, can now use SIMD vector instructions to speed up calculations. Judging by the tests, this optimization sped up some benchmarks by 2.8 times. Another optimization significantly sped up calls of imported JavaScript functions from WebAssembly.
  • Expanded tools for web developers: information about the players used to play video on the page has been added to the Media panel, including event data, logs, property values and frame-decoding parameters (for example, the causes of frame drops and of problems interacting with JavaScript can be determined).
  • In the context menu of the Elements panel, the ability to create screenshots of the selected element has been added (for example, you can create a screenshot of the table of contents or a table).
  • In the web console, the problem warning panel has been replaced with a regular message, and issues with third-party cookies are hidden by default in the Issues tab and are enabled by a special checkbox.
  • The "Disable local fonts" button has been added to the Rendering tab, which allows you to simulate the absence of local fonts, and the Sensors tab has the ability to simulate user inactivity (for applications using the Idle Detection API).
  • The Application panel provides detailed information about each iframe, open window, and pop-ups, including data on Cross-Origin isolation using COEP and COOP.
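The compromised-password check described above (hash the password locally, send only a short hash prefix, compare the returned suffixes on the client) can be illustrated with a simplified k-anonymity model. This is an added example, not Chrome's own code or protocol; the prefix length, the SHA-1 choice and the tiny "breach database" are assumptions, and the database entries are constructed, not real leaked data.

```python
import hashlib
from typing import Callable, Dict, Set, Tuple

# Constructed sample "breach database" (not real leaked data): a few
# well-known weak passwords, which the server keeps only as SHA-1 hex digests.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
PREFIX_LEN = 5  # assumed prefix length; the client sends only this many hex chars


def sha1_hex(password: str) -> str:
    """SHA-1 hex digest of a password (assumed hash choice for this model)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server side: index hashes by prefix so that one query reveals only a bucket
# of candidates, never which password the client actually holds.
BREACH_INDEX: Dict[str, Set[str]] = {}
for _pw in BREACHED_PASSWORDS:
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:PREFIX_LEN], set()).add(_h[PREFIX_LEN:])


def server_lookup(prefix: str) -> Set[str]:
    """Server API: return every stored hash suffix whose prefix matches.
    The server cannot tell which (if any) of these the client is looking for."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex chars" % PREFIX_LEN)
    return set(BREACH_INDEX.get(prefix.upper(), set()))


def client_is_compromised(
    password: str, lookup: Callable[[str], Set[str]] = server_lookup
) -> Tuple[bool, str]:
    """Client side: hash locally, send only the prefix, compare suffixes locally.
    Returns (compromised?, the only data that left the client)."""
    full = sha1_hex(password)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    candidates = lookup(prefix)  # only `prefix` crosses the network
    return suffix in candidates, prefix
```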
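For the mixed-form protection listed first above, a site owner wants to find forms on HTTPS pages that would submit over plain HTTP before Chrome starts flagging them. The scanner below is an added example, not Chrome's own heuristic; it assumes the page URL is known, honours a <base href> if present, and treats a missing action as a submit to the page itself. The sample HTML is constructed.

```python
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, method) for every <form>, remembering the first <base href>."""

    def __init__(self) -> None:
        super().__init__()
        self.base: Optional[str] = None
        self.forms: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]
        elif tag == "form":
            # A missing or empty action submits to the document URL itself.
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def find_insecure_forms(page_url: str, html: str) -> List[str]:
    """Return the resolved submission URLs of forms that would send data over
    plain HTTP from a page loaded over HTTPS (the case Chrome 86 now flags).
    Relative and protocol-relative actions are resolved first, so only forms
    that really end up on http:// are reported."""
    if urlsplit(page_url).scheme != "https":
        return []  # only HTTPS pages are subject to the mixed-form check
    parser = _FormCollector()
    parser.feed(html)
    base = urljoin(page_url, parser.base) if parser.base else page_url
    insecure = []
    for action, _method in parser.forms:
        target = urljoin(base, action)
        if urlsplit(target).scheme == "http":
            insecure.append(target)
    return insecure


# Constructed sample page (not from any real site): one relative action, one
# explicit http:// action, one protocol-relative action and one with no action.
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post"></form>
<form action="http://legacy.example.com/submit" method="post"></form>
<form action="//cdn.example.com/track"></form>
<form method="post"></form>
</body></html>
"""
```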

The replacement of Google's own QUIC implementation with the version specified by the IETF has begun.
Besides new features and bug fixes, 35 vulnerabilities have been fixed in the new version. Many of them were found with the automated testing tools AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL. One vulnerability (CVE-2020-15967, a use-after-free in the code for interacting with Google Payments) is rated critical, i.e. it allows bypassing all levels of browser protection and executing code on the system outside the sandbox. Under the vulnerability bounty program for this release, Google has paid out 27 rewards totalling $71500 (one $15000 reward, three $7500, five $5000, two $3000, one $200 and two $500). The amount of 13 rewards has not yet been determined.

Taken from opennet.ru

Source: linux.org.ru