Chrome Release 104

Google has unveiled the release of the Chrome 104 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. Chrome differs from Chromium in its use of Google logos, a system for sending notifications in case of a crash, modules for playing copy-protected video content (DRM), an automatic update system, sandbox isolation that is always enabled, bundled keys to the Google API, and the transmission of RLZ parameters when searching. For those who need more time to update, a separate Extended Stable branch is maintained, with releases supported for 8 weeks. The next release, Chrome 105, is scheduled for August 30.

Key changes in Chrome 104:

  • A cookie lifetime limit has been introduced: all new or updated cookies will be automatically deleted after 400 days, even if the expiration time set through the Expires and Max-Age attributes exceeds 400 days (for such cookies, the lifetime is reduced to 400 days). Cookies created before the restriction was implemented retain their lifetime, even if it exceeds 400 days, but will be limited if updated. The change reflects new requirements in the draft of the new specification.
  • Enabled blocking of iframe URLs referencing the local file system (“filesystem://”).
  • To speed up page loading, a new optimization has been added that ensures that a connection to the target host is established the moment you click on a link, without waiting for you to release the button or remove your finger from the touch screen.
  • Added settings for managing the “Topics & Interest Group” API, promoted as part of the Privacy Sandbox initiative, which allows you to define categories of user interests and use them instead of tracking Cookies to identify groups of users with similar interests without identifying individual users. In addition, informational dialogs that are shown once have been added, explaining to the user the essence of the technology and offering to activate its support in the settings.
  • Increased thresholds to limit nested calls to setTimeout and setInterval timers running with an interval of less than 4ms ("setTimeout(..., <4ms)"). The total limit on such calls has been increased from 5 to 100, which makes it possible not to aggressively cut down individual calls, but at the same time prevent abuse that could affect browser performance.
  • Enabled sending of a CORS (Cross-Origin Resource Sharing) authorization confirmation request to the main site server with the header “Access-Control-Request-Private-Network: true” when a page accesses a subresource on the internal network (192.168.x.x, 10.x.x.x, 172.16-31.x.x) or on localhost (127.x.x.x). To confirm the operation, the server must respond to this request with the “Access-Control-Allow-Private-Network: true” header. In Chrome 104 the confirmation result does not yet affect the processing of the request: if there is no confirmation, a warning is displayed in the web console, but the subresource request itself is not blocked. Blocking in the absence of confirmation is not expected to be enabled until Chrome 107. To enable blocking in earlier releases, turn on the "chrome://flags/#private-network-access-respect-preflight-results" setting.

    Validation by the server was introduced to strengthen protection against attacks that access resources on the local network or on the user's computer (localhost) from scripts loaded when a site is opened. Attackers use such requests to carry out CSRF attacks on routers, access points, printers, corporate web interfaces, and other devices and services that accept requests only from the local network. To protect against such attacks, whenever subresources on the internal network are accessed, the browser will send an explicit request for permission to load these subresources.

  • A Region Capture mechanism has been added that allows you to trim unnecessary content from a video generated based on screen capture. For example, using the getDisplayMedia API, a web application can stream video of the content of a tab, and Region Capture allows you to cut out part of the content that includes video conference controls.
  • Added support for the new media query syntax defined in the Media Queries Level 4 specification, which determines the minimum and maximum size of the visible area (viewport). The new syntax allows you to use common mathematical comparison operators and logical operators such as "not", "or" and "and". For example, instead of “@media (min-width: 400px) { … }” you can now specify “@media (width >= 400px) { … }”.
  • Several new APIs have been added to the Origin Trials mode (experimental features that require separate activation). Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site.
    • Added a CSS property “focusgroup” to improve navigation through elements using the arrow keys on the keyboard.
    • The Secure Payment Confirmation API now lets the user opt out of storing credit card details. To display a dialog that allows the user to refuse to save credit card parameters, the PaymentRequest() constructor provides the “showOptOut: true” flag.
    • Added the Shared Element Transitions API, which allows you to organize a smooth transition between different content views in single-page web applications.
  • Support for Speculation rules has been stabilized, allowing website authors to provide the browser with information about the most likely pages that the user can go to. The browser uses this information to proactively load and render page content.
  • The mechanism for packaging subresources into bundles in the Web Bundle format has been stabilized, which makes loading a large number of accompanying files (CSS styles, JavaScript, images, iframes) more efficient. Compared with packages in the Webpack format, the Web Bundle format has the following advantages: it is not the package itself that is stored in the HTTP cache, but its component parts; compilation and execution of JavaScript begins without waiting for the package to be fully downloaded; and additional resources such as CSS and images may be included, which in webpack would have to be encoded as JavaScript strings.
  • Added the object-view-box CSS property, which allows you to define a part of the image that will be displayed in the area instead of a given element, which can be used, for example, to add a border or shadow.
  • Added the Fullscreen Capability Delegation API, allowing one Window object to delegate to another Window object the right to call requestFullscreen().
  • Added the Fullscreen Companion Window API, allowing fullscreen content and popups to be placed on another screen after receiving confirmation from the user.
  • A visual-box attribute has been added to the overflow-clip-margin CSS property, which determines where to start trimming content that goes beyond the border of the area (it can take the values content-box, padding-box and border-box).
  • The Async Clipboard API has added the ability to define specialized formats for data transferred via the clipboard, other than text, images, and text with markup.
  • WebGL provides support for specifying a color space for the render buffer and transform when importing from a texture.
  • Support for OS X 10.11 and macOS 10.12 platforms has been discontinued.
  • The U2F (Cryptotoken) API, which was previously deprecated and disabled by default, has been discontinued. The U2F API has been replaced by the Web Authentication API.
  • Improvements have been made to tools for web developers. The debugger now has the ability to restart code from the beginning of a function after hitting a breakpoint somewhere in the function body. Added support for developing add-ons for the Recorder panel. Support for visualizing marks set in a web application through calling the performance.measure() method has been added to the performance analysis panel. Improved recommendations for autocompletion of JavaScript object properties. When autocompleting CSS variables, previews of values not related to colors are provided.
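
The 400-day cookie cap from the first item in the list above, as an added example (not Chrome's code): it parses Set-Cookie header values and reports the lifetime a site requested against the lifetime a browser applying the cap would keep. The function names and sample headers are constructed for illustration; Max-Age taking precedence over Expires follows RFC 6265.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;
const CAP_DAYS = 400; // limit stated in the release notes above

// Split one Set-Cookie header value into the cookie name and its attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const attributes = {};
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name, attributes };
}

// Requested vs. effective lifetime in days; null means a session cookie.
function effectiveLifetime(header, now) {
  const { name, attributes } = parseSetCookie(header);
  const maxAge = attributes['max-age'];
  let requestedMs = null;
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) {
    requestedMs = Number(maxAge) * 1000; // Max-Age wins over Expires
  } else if (typeof attributes.expires === 'string') {
    const t = Date.parse(attributes.expires);
    if (!Number.isNaN(t)) requestedMs = t - now.getTime();
  }
  if (requestedMs === null) {
    return { name, requestedDays: null, effectiveDays: null, capped: false };
  }
  const requestedDays = requestedMs / DAY_MS;
  const capped = requestedDays > CAP_DAYS;
  return { name, requestedDays, effectiveDays: capped ? CAP_DAYS : requestedDays, capped };
}

// Constructed sample headers, evaluated at a fixed "now" so results are stable.
const NOW = new Date('2022-08-02T00:00:00Z');
const SAMPLE_HEADERS = [
  'sid=abc123; Max-Age=63072000; Secure; HttpOnly', // two years requested
  'pref=dark; Expires=Wed, 02 Aug 2023 00:00:00 GMT', // one year requested
  'tmp=1; Path=/', // session cookie
];
for (const h of SAMPLE_HEADERS) console.log(effectiveLifetime(h, NOW));
```

Running this over the Set-Cookie headers an application emits shows which cookies will expire earlier than the server assumes, which matters for long-lived "remember me" or consent cookies.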
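
For the private-network confirmation request described in the list above, one way a server receiving that preflight could decide whether to confirm it (an added example, not code from Chrome or from the original article). The allow-lists, origins and function names are constructed assumptions; only the two Private-Network header names come from the text.

```javascript
// Constructed allow-lists: which pages may reach this service, and how.
const ALLOWED_ORIGINS = new Set(['https://intranet.example']);
const ALLOWED_METHODS = new Set(['GET', 'POST']);
const ALLOWED_HEADERS = new Set(['content-type']);

// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Decide the response to a preflight; returns { status, headers }.
function answerPreflight(method, rawHeaders) {
  const h = normalize(rawHeaders);
  const wanted = h['access-control-request-method'];
  if (method !== 'OPTIONS' || !wanted) {
    return { status: 400, headers: {} }; // not a CORS preflight
  }
  const reqHeaders = (h['access-control-request-headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  // Grant nothing to origins, methods or headers outside the allow-lists.
  if (!ALLOWED_ORIGINS.has(h.origin) || !ALLOWED_METHODS.has(wanted) ||
      !reqHeaders.every((x) => ALLOWED_HEADERS.has(x))) {
    return { status: 403, headers: {} };
  }
  const headers = {
    'Access-Control-Allow-Origin': h.origin, // echo the vetted origin, never "*"
    'Access-Control-Allow-Methods': wanted,
    Vary: 'Origin',
  };
  if (reqHeaders.length) headers['Access-Control-Allow-Headers'] = reqHeaders.join(', ');
  // Confirm private-network access only when the browser asked for it.
  if (h['access-control-request-private-network'] === 'true') {
    headers['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers };
}

// Constructed sample preflights: a trusted intranet page and an unknown site.
for (const origin of ['https://intranet.example', 'https://unknown.example']) {
  console.log(origin, answerPreflight('OPTIONS', {
    Origin: origin,
    'Access-Control-Request-Method': 'POST',
    'Access-Control-Request-Private-Network': 'true',
  }));
}
```

A device that returns the confirmation header to every origin gains nothing from the check, so the allow-list is the part that carries the CSRF protection once the browser starts enforcing the result.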

In addition to innovations and bug fixes, the new version eliminates 27 vulnerabilities. Many of the vulnerabilities were identified as a result of automated testing using the AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL tools. No critical problems have been identified that would allow one to bypass all levels of browser protection and execute code on the system outside the sandbox environment. As part of the cash reward program for discovering vulnerabilities for the current release, Google paid 22 awards worth $84 thousand (one $15000 award, one $10000 award, one $8000 award, one $7000 award, four $5000 awards, one $4000 award, three $3000 awards, four $2000 awards, and three $1000 awards). The size of one reward has not yet been determined.

Source: opennet.ru
