Chrome Release 79

Google has released the Chrome 79 web browser. A stable release of the free Chromium project, which serves as the basis of Chrome, is available at the same time. The Chrome browser differs in its use of Google logos, a system for sending notifications in case of a crash, the ability to download a Flash module on demand, modules for playing protected video content (DRM), an automatic update system, and the transmission of RLZ parameters during searches. The next release, Chrome 80, is scheduled for February 4th.

All changes in Chrome 79:

  • Activated the Password Checkup component, designed to analyze the strength of the passwords used by the user. When the user tries to log in to any site, Password Checkup checks the login and password against a database of compromised accounts and displays a warning if a problem is found (the check is performed on the user's side based on a hash prefix). The database covers more than 4 billion compromised accounts that appeared in leaks of user databases. A warning is also displayed when trying to use trivial passwords such as "abc123". A setting in the "Sync and Google Services" section controls whether Password Checkup is enabled.
  • A new technology for detecting phishing in real time has been introduced. Previously, checks were made against locally downloaded Safe Browsing blacklists, which were updated about once every 30 minutes; this turned out to be insufficient, for example, when attackers switch domains frequently. The new method checks URLs on the fly, first comparing them against whitelists that contain the hashes of thousands of popular trusted sites. If the site being opened is not on the whitelist, the browser checks the URL on the Google server, sending the first 32 bits of the SHA-256 hash of the link, from which possible personal data has been stripped. According to Google, the new approach increases the effectiveness of warnings for new phishing sites by 30%.
  • Added proactive protection against entering Google credentials and any passwords stored in the password manager on phishing pages. If the user tries to enter a saved password on a site where that password is not normally used, a warning about a potentially dangerous action is shown.
  • Connections using TLS 1.0 and 1.1 now show an insecure connection indicator. Support for TLS 1.0 and 1.1 will be fully disabled in Chrome 81, scheduled for March 17, 2020.
  • The ability to freeze inactive tabs has been added: tabs that have been in the background for more than 5 minutes and perform no meaningful actions are automatically unloaded from memory. Whether a particular tab is suitable for freezing is decided by heuristics. The feature is controlled by the "chrome://flags/#proactive-tab-freeze" flag.
  • Blocking of mixed content on pages opened over HTTPS has been introduced, to ensure that pages opened over https:// contain only resources loaded over a secure communication channel. While the most dangerous types of mixed content, such as scripts and iframes, are already blocked by default, images, sound files, and videos could still be loaded over http://. The previously used mixed content indicator for such inserts is considered ineffective and misleading to the user, as it does not give an unambiguous assessment of the page's safety. For example, by spoofing images an attacker can plant cookies to track user actions, try to exploit vulnerabilities in image processors, or commit fraud by replacing the information presented in the image. A setting to disable the blocking of mixed content has been added to the menu that appears when clicking on the lock symbol.
  • Added an experimental ability to share clipboard contents between desktop and mobile versions of Chrome. Instances of Chrome linked to the same account can now access the clipboard contents of another device, including sharing the clipboard between mobile and desktop. The clipboard contents are protected with end-to-end encryption, which prevents access to the text on Google servers. The feature is enabled via the chrome://flags#shared-clipboard-receiver, chrome://flags#shared-clipboard-ui and chrome://flags#sync-clipboard-service options.
  • In the address bar at certain times (for example, when saving a password), when profile synchronization is turned off, in addition to the avatar, the name of the current Google account is displayed so that the user can accurately identify the current active account.
  • Support for "DNS over HTTPS" (DoH) has been activated for 1% of users. The experiment involves only users whose system settings already specify DNS providers that support DoH. For example, if the user has DNS 8.8.8.8 specified in the system settings, Chrome will activate the Google DoH service ("https://dns.google.com/dns-query"); if the DNS is 1.1.1.1, the Cloudflare DoH service ("https://cloudflare-dns.com/dns-query"), and so on. The "chrome://flags/#dns-over-https" setting controls whether DoH is enabled. Three operating modes are supported: "secure", "automatic" and "off". In "secure" mode, hosts are resolved only from previously cached secure values (obtained over a secure connection) and from DoH requests; fallback to regular DNS is not applied. In "automatic" mode, if DoH and the secure cache are not available, data can be retrieved from the insecure cache and through traditional DNS. In "off" mode, the shared cache is checked first and, if there is no data, the request is sent through the system DNS.
  • Added experimental support for caching rendered content when navigating with the forward and back buttons, which can significantly reduce delays in this type of navigation because the entire page is cached and neither re-rendering nor reloading of resources is required. The optimization is especially noticeable in the mobile version, where navigation performance increases by up to 19%. The mode is enabled using the "chrome://flags#back-forward-cache" option.
  • Removed the "chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains" setting, which made it possible to restore the display of the protocol in the address bar (now all links are always shown without https:// and http://, and also without "www.").
  • Windows builds include sandbox isolation of the audio playback service. The AudioSandboxEnabled property controls whether isolation is enabled.
  • Centralized administration tools for enterprises now have the ability to define rules that determine how much memory a browser instance can consume before background tabs begin to unload. The memory released after unloading the tab becomes available for use, and the contents of the tab are loaded again when switching to it.
  • On Linux, a built-in certificate verification handler now replaces the previously used NSS system. The built-in handler continues to use the NSS store during verification, but imposes more stringent requirements when processing incorrectly encoded and separately certified certificates (all certificates must be certified by a certification authority).
  • The version for the Android platform adds the ability to assign adaptive icons to installed web applications running in Progressive Web Apps (PWA) mode. Adaptive icons can adapt to the interface used by the device manufacturer, such as round, square, or rounded-corner shapes.
  • Added the WebXR Device API, which provides access to components for creating virtual and augmented reality. The API allows for a unified experience across a variety of device classes, from stationary VR headsets like the Oculus Rift, HTC Vive, and Windows Mixed Reality to mobile-based solutions like Google Daydream View and Samsung Gear VR. Applications in which the new API can be used include programs for viewing 360° video, systems for visualizing three-dimensional space, virtual cinemas for video presentation, and experiments with 3D interfaces for shops and galleries.

  • Several new APIs are offered in Origin Trials mode (experimental features that require separate activation). An Origin Trial makes it possible to work with the specified API from applications loaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site.
    • The "rendersubtree" attribute is proposed for all HTML elements; it locks the display of a DOM element. Setting the attribute to "invisible" prevents the element's content from being rendered and validated, which allows rendering to be optimized. When set to "activatable", the browser will remove the invisible attribute, render the content, and make it visible.
    • Added a Promise-based version of the Wake Lock API, which provides a more secure way to control disabling of the screen auto-lock and the transition of devices to power-saving modes.
  • Implemented the ability to apply the autofocus attribute to all HTML and SVG elements that can have input focus.
  • For images and videos, the aspect ratio is now calculated from the Width or Height attributes, which allows the image size to be determined with CSS before the image has loaded (this solves the problem of the page being rebuilt after images are loaded).
  • Added the CSS property font-optical-sizing, which automatically sets the size of a variable font in the "opsz" optical coordinates if the font supports them. The mode makes it possible to choose the optimal glyph shape for the specified size, for example, to use more contrasting glyphs for headings.
  • Added the CSS property list-style-type, which allows you to use any characters instead of dots in lists, such as "-", "+", "★" and "▸".
  • If it is impossible to execute Worklet.addModule(), an object with detailed information about the nature of the error is now returned, which allows you to more accurately assess the cause of the error (problems with a network connection, incorrect syntax, etc.).
  • Elements are no longer processed when they are moved between documents. When they are moved between documents, execution of the script-related "error" and "load" events is also disabled.
  • The V8 JavaScript engine has optimized the handling of field representation changes in objects, resulting in 4% faster execution of AngularJS code in the Speedometer test suite.

  • V8 also optimized the processing of getters defined in built-in APIs, such as Node.nodeType and Node.nodeName, in the absence of an IC (inline caching) handler. The change reduced IC runtime by about 12% when running the Backbone and jQuery tests from the Speedometer suite.
  • Caching of the results of the OSR (on-stack replacement) mechanism has been added. OSR substitutes optimized code while a function is executing, which makes it possible to start using optimized code for long-running functions without waiting for them to be restarted. OSR caching makes it possible to reuse the optimization results when the function is run again, without going through re-optimization. In some tests, the change increased peak performance by 5-18%.

  • Changes in tools for web developers:
    • A debug mode has been added for determining why a request was blocked or a cookie was returned.

    • In the block with the Cookie list, the ability to quickly view the value of the selected Cookie by clicking on a certain line has been added.

    • Added the ability to simulate different settings for the prefers-color-scheme and prefers-reduced-motion media queries (for example, to check the behavior of the page with a dark system theme or disabled animated effects).
    • The design of the Coverage tab, which lets you evaluate used and unused code, has been modernized. Added the ability to filter information by type (JavaScript, CSS). Code usage information is also shown when displaying the source text.

    • Added the ability to debug the reasons for requesting a particular network resource after recording network activity (you can view the trace of the call to the JavaScript code that led to the download of the resource).
    • Added setting "Settings > Preferences > Sources > Default Indentation" to determine the type of indentation (2/4/8 spaces or tabs) in the code displayed in the Console and Sources panels.
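
The URL check described in the real-time phishing item above, sketched as an added Python example (not Chrome's code): the local allowlist is consulted first, and only the first 32 bits of the SHA-256 hash of the stripped URL reach the lookup service. The stripping rule (host and path only), the `ToyLookupServer` class, its full-hash response and the sample URLs are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit


def canonical(url: str) -> str:
    """Keep only host and path; drop userinfo, query and fragment (assumed rule)."""
    parts = urlsplit(url)
    return f"{(parts.hostname or '').lower()}{parts.path or '/'}"


def full_hash(url: str) -> bytes:
    """SHA-256 over the stripped URL, so personal data never enters the hash."""
    return hashlib.sha256(canonical(url).encode("utf-8")).digest()


class ToyLookupServer:
    """Constructed stand-in for the remote service; records what it is sent."""

    def __init__(self, phishing_urls):
        self.by_prefix = {}
        for u in phishing_urls:
            h = full_hash(u)
            self.by_prefix.setdefault(h[:4], set()).add(h)
        self.received = []

    def lookup(self, prefix: bytes) -> set:
        self.received.append(prefix)
        # Assumption: the service answers with all full hashes under the prefix.
        return self.by_prefix.get(prefix, set())


def check_url(url: str, allowlist: set, server: ToyLookupServer) -> str:
    h = full_hash(url)
    if h in allowlist:                 # local check first, nothing leaves the client
        return "allowlisted"
    candidates = server.lookup(h[:4])  # only the first 32 bits are sent
    return "phishing" if h in candidates else "no-match"


# Constructed sample data (reserved example domains, not real indicators).
ALLOWLIST = {full_hash("https://example.com/")}
SERVER = ToyLookupServer(["http://login.example.net/verify"])
```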
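
The three DoH modes described above differ in when a lookup may fall back to unencrypted DNS; this added Python example (not Chrome's code) encodes the lookup order of each mode and the provider mapping from the text. The function names, the `doh_query` and `system_query` callables, and modelling the "shared cache" as both caches together are assumptions.

```python
# Provider mapping taken from the two examples in the text.
DOH_UPGRADE = {
    "8.8.8.8": "https://dns.google.com/dns-query",
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
}


def doh_endpoint(system_dns_ip):
    """Return the DoH URL for a recognised system resolver, else None."""
    return DOH_UPGRADE.get(system_dns_ip)


def resolve(host, mode, secure_cache, insecure_cache, doh_query, system_query):
    """Return (address, source) using the lookup order of the given mode.

    doh_query and system_query are hypothetical callables that return an
    address, or None when that transport is unavailable or blocked.
    """
    if mode not in ("secure", "automatic", "off"):
        raise ValueError(f"unknown mode: {mode}")
    if mode == "off":
        # Assumption: the "shared cache" is modelled as both caches together.
        for cache in (secure_cache, insecure_cache):
            if host in cache:
                return cache[host], "cache"
        addr = system_query(host)
        return (addr, "system-dns") if addr else (None, "fail")
    if host in secure_cache:
        return secure_cache[host], "secure-cache"
    addr = doh_query(host)
    if addr:
        secure_cache[host] = addr      # answers obtained securely are reusable
        return addr, "doh"
    if mode == "secure":
        return None, "fail"            # never downgrade to plaintext DNS
    if host in insecure_cache:
        return insecure_cache[host], "insecure-cache"
    addr = system_query(host)
    if addr:
        insecure_cache[host] = addr
        return addr, "system-dns"
    return None, "fail"
```

When DoH is blocked on the network, "secure" fails closed while "automatic" answers from the insecure cache or plaintext DNS, which is the difference to weigh when choosing a mode.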

In addition to innovations and bug fixes, 51 vulnerabilities have been fixed in the new version. Many of the vulnerabilities were identified through automated testing with the AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL tools. Two issues (CVE-2019-13725, access to an already freed memory area in the Bluetooth support code, and CVE-2019-13726, a heap overflow in the password manager) are marked as critical, i.e. they make it possible to bypass all levels of browser protection and execute code on the system outside the sandbox environment. This is the first time that two critical problems have been identified within the same Chrome development cycle. The first vulnerability was found by researchers from Tencent Keen Security Lab and demonstrated at the Tianfu Cup competition, and the second one was found by Sergey Glazunov from Google Project Zero.

As part of the vulnerability bounty program for the current release, Google has paid out 37 awards worth $80000 (one $20000 award, one $10000 award, two $7500 awards, four $5000 awards, one $3000 award, two $2000 awards, two $1000 and eight $500 awards). The amount of 15 rewards has not yet been determined.

Source: opennet.ru
