Chrome Release 76

Google has presented the release of the Chrome 76 web browser. A stable release of the free Chromium project, which serves as the basis of Chrome, is available at the same time. The Chrome browser differs in its use of Google logos, a system for sending notifications in case of a crash, the ability to download a Flash module on demand, modules for playing protected video content (DRM), an automatic update system, and the transmission of RLZ parameters during searches. The next release of Chrome 77 is scheduled for September 10th.

All changes in Chrome 76:

  • A third-party cookie protection mode is activated by default: when the SameSite attribute is absent from the Set-Cookie header, "SameSite=Lax" is assumed, which restricts the sending of cookies for content embedded from third-party sites (sites can still override the restriction by explicitly specifying SameSite=None when setting a cookie). Until now, the browser sent a cookie with any request to the site for which the cookie was set, even if a different site was originally opened and the request was made indirectly, by loading an image or through an iframe. In 'Lax' mode, cookie transmission is blocked only for cross-site subrequests, such as requesting an image or loading content through an iframe, which are often used to mount CSRF attacks and to track user movements between sites;
  • Stopped playing Flash content by default. Until the release of Chrome 87, expected in December 2020, Flash support can be re-enabled in the settings (Advanced > Privacy and Security > Site Settings), after which playing Flash content must be explicitly confirmed for each site (the confirmation is remembered until the browser is restarted). The complete removal of the Flash support code is synchronized with Adobe's previously announced plan to end support for Flash in 2020;
  • For enterprises, the ability to search for files in Google Drive storage has been added to the address bar;


  • Chrome has started mass blocking of inappropriate ads that interfere with the viewing experience and do not meet the criteria set out by the Coalition for Better Ads;
  • An adaptive mode of switching to a new page has been implemented, in which the current content is cleared and the white background is displayed not immediately, but after a short delay. For pages that load quickly, clearing only causes a flicker and serves no useful purpose in informing the user that a new page has started loading. In the new release, if the page opens quickly and fits within a small delay, the new page is displayed in place, seamlessly replacing the previous one (this is convenient, for example, when switching to other pages of the same site that are similar in design and color scheme). If the page takes some time to become visible to the user, the screen is pre-cleared as before;
  • The criteria for determining user activity on the page have been tightened. Chrome allows pop-up notifications and annoying video/audio content to be played only after the user has interacted with the page. In the new release, pressing Escape, hovering over a link, and touching the screen are no longer treated as page-activating interactions (an explicit click, typing, or scrolling is required);
  • Added the "prefers-color-scheme" media query, which allows sites to detect whether the browser is using a dark theme and automatically enable a dark design for the site being viewed;
  • When the dark theme is enabled in builds for Linux, the address bar is now displayed in a dark color;
  • Blocked the ability to detect that a page is opened in incognito mode through manipulations with the FileSystem API, which was previously used by some publications to impose a paid subscription when pages were opened anonymously without remembering cookies (so that users could not use private mode to bypass the mechanism for providing free trial access). Previously, in incognito mode the browser blocked access to the FileSystem API to prevent data from persisting between sessions, which allowed JavaScript to check whether data could be saved through the FileSystem API and, in case of failure, conclude that incognito mode was active. Now access to the FileSystem API is not blocked, and the content is cleared after the session ends;
  • Added new calls to the Payment Request and Payment Handler APIs. A new changePaymentMethod() method has appeared in the PaymentRequestEvent object, and a new paymentmethodchange event handler has been added to the PaymentRequest object, which allow the site or web application that collects payments to respond when the user changes the payment method. The new release also makes it easier to test applications that use self-signed certificates with the payment-related APIs. A new command line option "--ignore-certificate-errors" has been added to ignore certificate validation errors during development;

  • For web applications running in Desktop Progressive Web Apps (PWA) mode, a shortcut has been added to the address bar, next to the bookmark button, for installing the web application into the system so that it works as a standalone program;

  • For mobile devices, the ability to control the display of the mini-panel with an invitation to add an application to the home screen is provided. For PWA (Progressive Web App) applications, the default mini-panel is shown automatically when the site is first opened. The developer can now decline to display this panel and implement their own installation prompt by setting a beforeinstallprompt event handler and calling preventDefault() in it;

  • Increased the frequency of update checks for PWA (Progressive Web App) applications installed in the Android environment. WebAPK updates are now checked once a day instead of once every three days as before. If such a check detects a change in at least one key property in the manifest, the browser downloads and installs a new WebAPK;
  • The Async Clipboard API now supports programmatically reading and writing images via the clipboard using the navigator.clipboard.read() and navigator.clipboard.write() methods;
  • Implemented support for the Fetch Metadata group of HTTP headers (Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site and Sec-Fetch-User), which send additional metadata about the nature of the request (cross-site request, request via the img tag, etc.) so that the server can take measures to protect against certain types of attacks (for example, a link to a money transfer handler is unlikely to be specified via an img tag, so such requests can be blocked without being passed to the application);
  • Added the form.requestSubmit() function, which initiates a programmatic submission of the form data, similar to clicking the submit button. The function can be used when developing custom form submit buttons, for which calling form.submit() is not sufficient because it does not trigger interactive parameter validation, does not raise the 'submit' event and does not pass the data bound to the submit button;
  • Added the commit() function to IndexedDB, which allows transactions associated with an IDBTransaction object to be committed without waiting for the event handlers of all associated requests to complete. Using commit() increases the throughput of write and read requests to the storage and allows the completion of the transaction to be controlled explicitly;
  • Added the dateStyle and timeStyle options to Intl.DateTimeFormat functions such as formatToParts() and resolveOptions(), which allow locale-specific styles for displaying dates and times to be requested;
  • The BigInt.prototype.toLocaleString() method has been changed to format numbers based on the locale, while the Intl.NumberFormat.prototype.format() method and the formatToParts() function have been adapted to support BigInt input values;
  • The Media Capabilities API is now allowed in all types of Web Workers, where it can be used to select the optimal parameters when creating a MediaStream from a worker;
  • Added the Promise.allSettled() method, which returns only fulfilled or rejected promises, ignoring pending promises;
  • Removed the "--disable-infobars" option, which could previously be used to hide pop-up warnings in the Chrome interface (CommandLineFlagSecurityWarningsEnabled has been proposed to hide security-related warnings);
  • Added text(), arrayBuffer() and stream() methods for reading certain data types to the interface for working with blobs;
  • Added the "white-space: break-spaces" CSS property value, which specifies that any sequence of whitespace that leads to line overflow must be broken;
  • Work has begun on cleaning up flags in chrome://flags. For example, the flag for disabling the "ping" attribute, which allows site owners to track clicks on links from their pages, has been deleted. When a link with the "ping=URL" attribute in the "a href" tag is followed, it is no longer possible to disable in the browser the sending of an additional POST request, with information about the transition, to the URL specified in the attribute. Blocking ping has lost its point because this attribute is defined in the HTML5 specification and there are many workarounds for doing the same thing (for example, forwarding through a transit link or intercepting clicks with JavaScript handlers);
  • Removed the flag for disabling strict site isolation mode, in which pages of different hosts are always located in the memory of different processes, each of which uses its own sandbox;
  • In the V8 engine, the performance of scanning and parsing the JSON format has been significantly increased. For popular web pages, JSON.parse is up to 2.7 times faster. The conversion of Unicode strings has been significantly accelerated: for example, the speed of calls to String#localeCompare and String#normalize, as well as some Intl APIs, has almost doubled. The performance of operations with frozen arrays has also been significantly optimized for operations like frozen.indexOf(v), frozen.includes(v), fn(...frozen), fn(...[...frozen]) and fn.apply(this, [...frozen]).
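
Added example (not part of the original article and not Chrome's code): a simplified JavaScript model of the SameSite change from the first item of the list, showing which requests carry a cookie before and after "Lax" becomes the default. The function names and the request descriptor (crossSite, topLevelNavigation, method) are assumptions made for illustration; a real browser derives them from the registrable domains involved.

```javascript
// Simplified model of cookie attachment with "SameSite=Lax by default".
// parseSameSite/effectiveSameSite/cookieIsSent are illustrative names,
// not browser APIs.

// Extract the SameSite attribute from a Set-Cookie header value.
function parseSameSite(setCookie) {
  for (const part of setCookie.split(';').slice(1)) {
    const [name, value = ''] = part.trim().split('=');
    if (name.toLowerCase() === 'samesite') {
      const v = value.trim().toLowerCase();
      if (v === 'strict' || v === 'lax' || v === 'none') return v;
    }
  }
  return null; // attribute absent or not recognised
}

// Old behaviour: a missing attribute leaves the cookie unrestricted.
// New behaviour: a missing attribute is treated as "lax".
function effectiveSameSite(setCookie, laxByDefault) {
  return parseSameSite(setCookie) || (laxByDefault ? 'lax' : 'none');
}

// request: { crossSite: bool, topLevelNavigation: bool, method: string }
function cookieIsSent(setCookie, request, laxByDefault = true) {
  const mode = effectiveSameSite(setCookie, laxByDefault);
  if (!request.crossSite || mode === 'none') return true;
  if (mode === 'strict') return false;
  // lax: a cross-site request carries the cookie only when it is a
  // top-level navigation with a safe method (a followed link), never
  // for subrequests such as <img> or <iframe> loads.
  const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE']
    .includes(request.method.toUpperCase());
  return request.topLevelNavigation && safe;
}

// Constructed sample cookies and request contexts.
const legacyCookie = 'session=abc123; Path=/; HttpOnly';
const optOutCookie = 'widget=1; Path=/; SameSite=None; Secure';
const imgFromOtherSite = { crossSite: true, topLevelNavigation: false, method: 'GET' };
const linkFromOtherSite = { crossSite: true, topLevelNavigation: true, method: 'GET' };
const postFromOtherSite = { crossSite: true, topLevelNavigation: true, method: 'POST' };

console.log('img, old default:', cookieIsSent(legacyCookie, imgFromOtherSite, false));
console.log('img, lax default:', cookieIsSent(legacyCookie, imgFromOtherSite, true));
```

The model shows why a session cookie set without the attribute stops accompanying cross-site image and form-POST requests, while a followed link still arrives authenticated.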
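
Added example (not part of the original article): a server-side check built on the Fetch Metadata headers from the list above, rejecting cross-site subresource requests, such as an img tag pointing at a money transfer handler, before they reach the application. The names isAllowedByFetchMetadata and fetchMetadataGuard and the middleware shape (req, res, next) are assumptions made for illustration.

```javascript
// Policy check on Fetch Metadata request headers for a Node.js server.
// Header names are lower-case, as Node.js exposes them in req.headers.
function isAllowedByFetchMetadata(method, headers) {
  const site = headers['sec-fetch-site'];
  // Browsers that do not send the headers: rely on other defences.
  if (site === undefined) return true;
  // Requests from the application itself, or typed/bookmarked by the user.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return true;
  }
  // Cross-site: allow only a plain top-level style navigation (GET via a
  // followed link), not subresource loads (<img>, <script>) or plugins.
  const dest = headers['sec-fetch-dest'];
  return method === 'GET' &&
    headers['sec-fetch-mode'] === 'navigate' &&
    dest !== 'object' && dest !== 'embed';
}

// Middleware-style wrapper: call next() for permitted requests,
// answer 403 otherwise so the application code never runs.
function fetchMetadataGuard(req, res, next) {
  if (isAllowedByFetchMetadata(req.method, req.headers)) return next();
  res.statusCode = 403;
  res.end('Forbidden by Fetch Metadata policy\n');
}

// Constructed sample header sets.
const imgRequest = {          // <img src="https://bank.example/transfer?...">
  'sec-fetch-site': 'cross-site',
  'sec-fetch-mode': 'no-cors',
  'sec-fetch-dest': 'image',
};
const linkNavigation = {      // user follows a link from another site
  'sec-fetch-site': 'cross-site',
  'sec-fetch-mode': 'navigate',
  'sec-fetch-dest': 'document',
  'sec-fetch-user': '?1',
};
const ownFormPost = { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'navigate' };

console.log('img to handler allowed?', isAllowedByFetchMetadata('GET', imgRequest));
console.log('followed link allowed?', isAllowedByFetchMetadata('GET', linkNavigation));
```

With Node's built-in http module, the guard can be wired in by calling fetchMetadataGuard(req, res, () => app(req, res)) inside the request listener.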


In addition to innovations and bug fixes, the new version fixes 43 vulnerabilities. Many of the vulnerabilities were identified through automated testing with the AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL tools. No critical issues that would allow bypassing all levels of browser protection and executing code on the system outside the sandbox environment were identified. As part of the vulnerability bounty program for the current release, Google paid 16 bonuses worth $23500 (one $10000 bonus, one $6000 bonus, two $3000 bonuses, and three $500 bonuses). The amount of 9 rewards has not yet been determined.

Source: opennet.ru
