Chrome Release 101

Google has unveiled the release of the Chrome 101 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a system for sending notifications in case of a crash, modules for playing copy-protected video content (DRM), an automatic update system, the constant inclusion of Sandbox isolation, the supply of keys to the Google API and transmission when searching for RLZ- parameters. For those who need more time to update, a separate Extended Stable branch is maintained, followed by 8 weeks, which generates an update for the last release of Chrome 100. The next release of Chrome 102 is scheduled for May 24th.

Key changes in Chrome 101:

• The Side Search function has been added, which makes it possible to view search results in the sidebar at the same time as viewing another page (in one window, you can simultaneously see both the content of the page and the result of accessing the search engine). After visiting a website from a Google search results page, an icon with the letter “G” appears in front of the input field in the address bar, when clicked, a sidebar opens with the results of a previously undertaken search. By default, the function is not enabled on all systems; you can use the “chrome://flags/#side-search” setting to enable it.
• Omnibox's address bar implements prerendering of suggestion content as you type. Previously, to speed up the transition from the address bar, the most likely recommendations were loaded without waiting for the user's click, using the Prefetch call. Now, in addition to loading, they are also rendered in the buffer (including scripts are executed and the DOM tree is formed), which allows for instant display of recommendations after a click. The settings "chrome://flags/#enable-prerender2", "chrome://flags/#omnibox-trigger-for-prerender2" and "chrome://flags/#search-suggestion-for- prerender2".
• The information in the User-Agent HTTP header and JavaScript parameters navigator.userAgent, navigator.appVersion and navigator.platform has been truncated. The header contains only information about the browser name, major version of the browser (the components of the MINOR.BUILD.PATCH version are replaced by 0.0.0), platform and device type (mobile phone, PC, tablet). For additional data, such as exact version and extended platform data, you must use the User Agent Client Hints API. For sites that do not have enough new information and are not yet ready to switch to User Agent Client Hints, until May 2023, the opportunity to return the full User-Agent is provided.
• Changed the behavior of the setTimeout function when passing a null argument that specifies the call delay. Starting with Chrome 101, when specifying "setTimeout(..., 0)", the code will be called immediately, without a delay of 1ms, as required by the specification. Repeated nested setTimeout calls have a delay of 4ms.
• The version for the Android platform implements support for requesting permissions to display notifications (in Android 13, to display notifications, the application must have the “POST_NOTIFICATIONS” permission, without which sending notifications will be blocked). When launching Chrome in an Android 13 environment, the browser will now prompt you for permission to display notifications.
• Removed the ability to use the WebSQL API in third-party scripts. By default, blocking WebSQL in scripts not loaded from the current site was enabled in Chrome 97, but an option was left to disable this behavior. In Chrome 101, this option has been removed. Going forward, we plan to phase out support for WebSQL completely, regardless of the context of use. We recommend using the Web Storage and Indexed Database APIs instead of WebSQL. The WebSQL engine is based on SQLite code and could be used by attackers to exploit vulnerabilities in SQLite.
• Removed enterprise policy names (chrome://policy) containing non-inclusive terms. Starting with Chrome 86, replacements have been proposed for these policies that use inclusive terminology. Cleaned up terms such as "whitelist", "blacklist", "native" and "master". For example, the URLBlacklist policy has been renamed to URLBlocklist, AutoplayWhitelist to AutoplayAllowlist, and NativePrinters to Printers.
• In the Origin Trials mode (experimental features that require separate activation), so far only in builds for the Android platform has begun testing the Federated Credential Management (FedCM) API, which allows you to create federated identity services that ensure privacy and work without cross-site tracking mechanisms, such as handling third-party cookies . Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site.
• The Priority Hints mechanism has been stabilized and offered to everyone, allowing you to set the importance of a particular downloadable resource by specifying an additional attribute "importance" in tags such as iframe, img and link. The attribute can take the values ​​"auto" and "low", and "high", which affect the order in which the browser loads external resources.
• The AudioContext.outputLatency property has been added, through which you can find out information about the predicted delay before audio is output (the delay between the request for audio and the start of processing the received data by the audio output device).
• Added the font-palette CSS property and the @font-palette-values ​​rule to allow you to select a palette from a color font or define your own palette. For example, this capability can be used to make colored character fonts or emoji match the content's design color, or to enable a dark or light mode for a font.
• The hwb() CSS function has been added to provide an alternative method for specifying sRGB colors in the HWB (Hue, Whiteness, Blackness) format, similar to the HSL (Hue, Saturation, Lightness) format, but easier for human perception.
• In the window.open() method, specifying the popup property in the windowFeatures line, without assigning a value (i.e. when popup is simply specified, and not popup=true) is now treated as enabling the opening of a miniature popup window (similar to "popup=true") instead of assigning the default value "false", which was illogical and misleading developers.
• Support for WebRTC streams has been added to the MediaCapabilities API, which provides information about the capabilities of the device and browser for decoding multimedia content (supported codecs, profiles, bitrates and resolutions).
• The third version of the Secure Payment Confirmation API is proposed, which provides tools for additional confirmation of the payment transaction being made. The new version adds support for identifiers that require input, defining an icon to indicate validation failure, and the optional payeeName property.
• The forget() method has been added to the USBDevice API to revoke previously granted user permissions to access a USB device. In addition, USBConfiguration, USBInterface, USBAlternateInterface, and USBEndpoint instances are now equal when strictly compared ("===", point to the same object) if they are returned for the same USBDevice object.
• Improvements have been made to tools for web developers. Provided the ability to import and export in JSON format recorded user actions (example). The calculation and display of private properties has been improved in the web console and code view interface. Added support for working with the HWB color model. Added the ability to view cascading layers defined using the @layer rule in the CSS panel.

In addition to innovations and bug fixes, 30 vulnerabilities have been fixed in the new version. Many of the vulnerabilities were identified as a result of automated testing tools AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL. No critical issues that allow bypassing all browser protection levels and executing code in the system outside the sandbox environment have been identified. As part of the vulnerability bounty program for the current release, Google paid out 25 awards worth $81 (one $10000 award, three $7500 awards, three $7000 awards, one $6000 award, two $5000 awards, four $2000 awards, three $1000 bonuses and one $500 bonus). The amount of 6 rewards has not yet been determined.

Source: opennet.ru