Chrome Release 80

Google has presented the Chrome 80 web browser release. A stable release of the free Chromium project, which serves as the basis of Chrome, is available at the same time. The Chrome browser differs in its use of Google logos, a system for sending notifications in case of a crash, the ability to download a Flash module on demand, modules for playing protected video content (DRM), an automatic update system, and the transmission of RLZ parameters during searches. The next release, Chrome 81, is scheduled for March 17th.

All changes in Chrome 80:

  • For a small percentage of users, a tab grouping feature has been proposed that allows you to combine several tabs that are similar in purpose into visually separated groups. Each group can have its own color and name. Users who were not included in the first wave of activation can enable grouping support through the "chrome://flags/#tab-groups" option.

  • Added support for the Scroll To Text feature, which allows you to create links to individual words or phrases without explicitly marking anchors in the document with the "a name" tag or the "id" property. The syntax of such links is planned to be approved as a web standard, which is still at the draft stage. The jump mask (in essence, a search with scrolling is performed) is separated from the regular anchor by the ":~:" sign. For example, when opening the link "https://opennet.ru/52312/#:~:text=Chrome", the page will scroll to the first mention of the word "Chrome" and this word will be highlighted.
  • A stricter restriction on the transfer of cookies between sites has been applied: for non-HTTPS requests, the processing of third-party cookies set when accessing sites other than the domain of the current page is prohibited. Such cookies are used to track user movements between sites in the code of advertising networks, social network widgets and web analytics systems. Recall that cookie transmission is controlled by the SameSite attribute specified in the Set-Cookie header, which is now set to "SameSite=Lax" by default, restricting the sending of cookies for cross-site subrequests, such as requesting an image or loading content via an iframe from another site. Sites can override the default SameSite behavior by explicitly setting SameSite=None on the cookie. At the same time, the SameSite=None value can only be set for cookies in Secure mode (valid for connections via HTTPS). The change will start to be applied in stages on February 17, initially for a small percentage of users, with coverage then gradually expanding.
  • Added protection against annoying notifications related to permission confirmation requests. Since activity such as spamming requests to receive push notifications interrupts the user experience and diverts attention to actions in confirmation dialogs, in Chrome 80, instead of a separate dialog, an information tooltip with a warning that the permission request was blocked can now be displayed in the address bar, which then collapses into an indicator showing a crossed-out bell. By clicking on the indicator, you can grant or reject the requested permission at any convenient time. The new mode will be enabled automatically and selectively for users who previously usually blocked such requests, as well as for sites that have a high percentage of request rejections. To enable the new mode for all requests, a special option has been added to the settings (chrome://flags/#quiet-notification-prompts).

  • Displaying pop-up windows (calls to the window.open() method) and sending synchronous XMLHttpRequest requests are now forbidden in page close or hide event handlers (unload, beforeunload, pagehide, and visibilitychange);
  • Added initial protection against loading mixed media content (when resources are loaded on an HTTPS page using the http:// protocol). On pages opened via HTTPS, "http://" links will now be automatically replaced with "https://" in blocks related to the playback of audio and video files. If an audio or video resource is not available via https, its download is blocked (you can manually unblock it through the menu accessible via the padlock symbol in the address bar).

    Images will continue to load unchanged (autocorrect will be applied in Chrome 81), but site developers have been provided with the upgrade-insecure-requests and block-all-mixed-content CSP directives to replace image links with https or to block images. For scripts and iframes, mixed content blocking was already implemented previously.

  • Gradual removal of FTP support. By default, FTP support is retained for now, but an experiment will be carried out in which FTP support is disabled for a certain percentage of users (to bring it back, you will need to launch the browser with the "--enable-ftp" option). Recall that in previous releases, displaying the contents of resources downloaded via the "ftp://" protocol in the browser window was already disabled (for example, the display of HTML documents and README files was stopped), the use of FTP when loading subresources from documents was prohibited, and proxy support for FTP was discontinued. However, it was still possible to download files via direct links and display the contents of directories.
  • Added the ability to use vector SVG images as site icons (favicon).

  • The ability to selectively disable certain types of data transmitted during synchronization between browsers has been added to the settings.
  • Added the BlockExternalExtensions rule for centrally administered corporate users, which allows you to prohibit the installation of external add-ons on the device.
  • Implemented the ability to check an entire chain of properties or calls in JavaScript at once. For example, when accessing "db.user.name.length", it was previously necessary to check step by step that all constituent parts are defined, for example, through "if (db && db.user && db.user.name)". Now, using the "?." operation, you can refer to the value "db?.user?.name?.length" without preliminary checks, and such access will not lead to an error. In case of problems (if some element evaluates to null or undefined), the result will be "undefined".
  • JavaScript introduces a new logical union operator "??", which returns the right operand if the left operand is null or undefined, and vice versa. For example, "const foo = bar ?? 'default string'" will return the string if bar is null, or the value of bar otherwise, including when bar is 0 or '', as opposed to the "||" operator.
  • In Origin Trials mode (experimental features that require separate activation), the Content Indexing API is proposed. An Origin Trial implies the ability to work with the specified API from applications loaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site. The Content Indexing API provides metadata about content that was previously cached by web applications running in Progressive Web Apps (PWA) mode. An application can store various data on the browser side, including images, videos, and articles, and use them when the network connection fails using the Cache Storage and IndexedDB APIs. The Content Indexing API provides the ability to add, find, and remove such resources. In the browser, this API is already used to enumerate the list of pages and media available for offline viewing.

  • The Contact Picker API has been stabilized and is now available outside of Origin Trials. It allows the user to select entries from the address book and pass certain details about them to the site. The request defines a list of properties to be retrieved. These properties are explicitly displayed to the user, who decides whether to pass them or not. The API can be used, for example, in a web-based email client to select recipients for a message, in a web application with a VoIP function to initiate a call to a specific number, or in a social network to search for already registered friends. At the same time, some new Contact Picker properties were proposed as part of Origin Trials: in addition to the previously available full name, email and phone number, the ability to transfer a postal address and image has been added.
  • Web Workers offer a new way to load ECMAScript modules that avoids the importScripts() function, which blocks the worker while processing the imported script and executes it in the global context. The new way involves creating special modules for Web Workers that support standard JavaScript import mechanisms and can be loaded dynamically without blocking the worker's execution. To load modules, the Worker constructor provides a new resource type, 'module':

    const worker = new Worker('worker.js', {
      type: 'module'
    });

  • Implemented a built-in ability to process compressed streams in JavaScript, which does not require the use of external libraries. The CompressionStream and DecompressionStream APIs have been added for compression and decompression. Compression is supported using the gzip and deflate algorithms.

    const compressionReadableStream
    = inputReadableStream.pipeThrough(new CompressionStream('gzip'));

  • Added the CSS property "line-break: anywhere", allowing breaks at the level of any typographic character, including breaks next to punctuation characters, predefined spaces ( ) and in the middle of words. Also added the CSS property "overflow-wrap: anywhere", which allows you to break otherwise unbreakable sequences of characters anywhere if no suitable break position could be found in the line.
  • For media content processed in encrypted form, the MediaCapabilities.decodingInfo() method is now supported. It provides information about the browser's capabilities related to decoding protected content (for example, the method can be used to choose between high-quality and energy-saving decoding methods, taking into account the available bandwidth and screen size).
  • Added the HTMLVideoElement.getVideoPlaybackQuality() method, through which you can get information about video playback performance in order to adjust the bitrate, resolution, and other video parameters.
  • In the Payment Handler API, which simplifies integration with existing payment systems, the ability has been added to delegate the processing of the address and contact information to an external handler of the payment system (the payment system's application may have more accurate information than the browser).
  • Added support for the Sec-Fetch-Dest HTTP header, which allows sending additional metadata about the type of content associated with the request (for example, for a request via the img tag, the type "image" is indicated, for fonts "font", for scripts "script", for styles "style", etc.). Based on the specified type, the server can take measures to protect against some types of attacks (for example, it is unlikely that a link to a money transfer handler would be set via the img tag, so such requests do not need to be processed).
  • In the V8 JavaScript engine, the storage of pointers on the heap has been optimized. Instead of a full 64-bit value, only the unique lower bits of the pointer are stored. This optimization made it possible to reduce heap memory consumption by 40%, at the cost of a performance degradation of 3-8%.

  • Changes in web developer tools:
    • The web console now has the ability to override let and class expressions.

    • Improved WebAssembly debugging tools. Added DWARF support for step-by-step debugging, setting breakpoints, and analyzing stack traces in the source code in which the WebAssembly application is written.

    • Improved the panel for analyzing network activity. Added the ability to view the call chain of scripts associated with initiating a request.

      Added new Path and URL columns that show the absolute path and full URL for each network resource. The selected request is now highlighted in the overview diagram.

    • An option has been added to the Network Conditions tab to change the User-Agent setting.

    • A new interface for setting up the audit panel has been proposed.

    • The Coverage tab now offers a choice between collecting coverage data for each function or for each block of code (more detailed statistics, but requires more resources).

  • The scope of the AppCache manifest (a technology for organizing the work of a web application in offline mode) has been limited to the site's current directory (if the manifest was loaded from www.example.com/foo/bar/, then the URL override option will only work inside /foo/bar/). In Chrome 82, AppCache support is planned to be completely removed. The reason given is the desire to get rid of one of the attack vectors associated with cross-site scripting. The Cache API is recommended instead of AppCache.
  • Support for the legacy WebVR 1.1 API has been discontinued. It can be replaced by the WebXR Device API, which allows you to access components for creating virtual and augmented reality and unifies work with various classes of devices, from stationary virtual reality helmets to solutions based on mobile devices.
  • Protocol handlers connected via the registerProtocolHandler() and unregisterProtocolHandler() methods can now only work in a secure context (when accessed via HTTPS).
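
The SameSite rules from the cookie item in the list above (no attribute means Lax, and SameSite=None is only accepted together with Secure) can be checked against a site's Set-Cookie headers before the staged rollout reaches its users. The following is an added example, not code from the original article or from Chrome; the function names and sample headers are constructed for illustration.

```javascript
'use strict';

// Parse one Set-Cookie header value into the attributes this check needs.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((part) => part.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: eq < 0 ? nameValue : nameValue.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    if (k === 'samesite') cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

// Apply the rules from the text: no SameSite means Lax, and None is only valid with Secure.
function classifyCookie(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === 'none') {
    return c.secure
      ? { name: c.name, effective: 'None', crossSiteSubrequests: true }
      : { name: c.name, effective: 'rejected', crossSiteSubrequests: false };
  }
  if (c.sameSite === 'strict') {
    return { name: c.name, effective: 'Strict', crossSiteSubrequests: false };
  }
  // Explicit Lax, a missing attribute, or (assumption) an unrecognized value: Lax applies.
  return { name: c.name, effective: 'Lax', crossSiteSubrequests: false,
           defaulted: c.sameSite !== 'lax' };
}

// Constructed sample headers, not taken from any real site.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',
  'widget=w1; SameSite=None; Secure',
  'tracker=t9; SameSite=None',
  'prefs=dark; SameSite=Lax; Secure',
];

function auditCookies(headers) {
  return headers.map(classifyCookie);
}

console.log(auditCookies(SAMPLE_HEADERS));
```

Cookies reported as "rejected" or as defaulted to Lax are the ones whose cross-site behavior changes with this release.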
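
The server-side use of Sec-Fetch-Dest described in the list above (refusing, for instance, a money transfer request that arrives as an image load) can be expressed as a per-route allow list. This is an added example, not code from the original article or from Chrome; the route table, paths and function names are hypothetical.

```javascript
'use strict';

// Hypothetical route table: the request destinations each path prefix legitimately serves.
// 'empty' is what fetch()/XMLHttpRequest send; 'document' covers navigations and form posts.
const DEST_POLICY = [
  { prefix: '/transfer', allowed: ['document', 'empty'] },
  { prefix: '/static/img/', allowed: ['image'] },
  { prefix: '/static/js/', allowed: ['script'] },
  { prefix: '/', allowed: ['document', 'iframe', 'empty'] },
];

// Longest matching prefix wins, so specific routes override the catch-all.
function findPolicy(path) {
  return DEST_POLICY
    .filter((rule) => path.startsWith(rule.prefix))
    .sort((a, b) => b.prefix.length - a.prefix.length)[0];
}

// headers: object with lower-cased names, as Node's http module provides.
function checkFetchDest(path, headers) {
  const dest = headers['sec-fetch-dest'];
  if (dest === undefined) {
    // Older browsers and non-browser clients send no header, so this check cannot decide.
    return { allow: true, reason: 'no Sec-Fetch-Dest header' };
  }
  const rule = findPolicy(path);
  if (!rule) {
    return { allow: false, reason: 'no policy for path' };
  }
  if (rule.allowed.includes(dest.toLowerCase())) {
    return { allow: true, reason: `${dest} permitted for ${rule.prefix}` };
  }
  return { allow: false, reason: `${dest} not expected for ${rule.prefix}` };
}

// Constructed sample requests.
const SAMPLE_REQUESTS = [
  { path: '/transfer?to=42&amount=100', headers: { 'sec-fetch-dest': 'image' } },
  { path: '/transfer', headers: { 'sec-fetch-dest': 'empty' } },
  { path: '/static/img/logo.png', headers: { 'sec-fetch-dest': 'image' } },
  { path: '/transfer', headers: {} },
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map((r) => checkFetchDest(r.path, r.headers).allow);
}

console.log(evaluateSamples());
```

Because requests without the header are let through, this check supplements existing CSRF defenses rather than replacing them.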

In addition to innovations and bug fixes, the new version eliminates 56 vulnerabilities. Many of the vulnerabilities were identified with the automated testing tools AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL. No critical issues that allow bypassing all browser protection levels and executing code on the system outside the sandbox environment have been identified. As part of the Vulnerability Bounty program for the current release, Google has paid out 37 awards worth $48 (one $10000 award, three $5000 awards, three $3000 awards, four $2000 awards, three $1000 awards, and six $500 awards). The amount of 17 rewards has not yet been determined.

Source: opennet.ru