Chrome Release 83

Google has released the Chrome 83 web browser. A stable release of the free Chromium project, which serves as the basis of Chrome, is available at the same time. The Chrome browser differs in its use of Google logos, a system for sending notifications in case of a crash, the ability to download a Flash module on demand, modules for playing protected video content (DRM), an automatic update system, and the transmission of RLZ parameters when searching. Because developers moved to working from home amid the SARS-CoV-2 coronavirus pandemic, the Chrome 82 release was skipped. The next release, Chrome 84, is scheduled for July 14th.

All changes in Chrome 83:

  • Mass enabling of DNS over HTTPS (DoH) has begun on user systems whose system settings specify DNS providers that support DoH (the DoH service of the same DNS provider is enabled). For example, if the user has DNS 8.8.8.8 specified in the system settings, Chrome activates Google's DoH service ("https://dns.google.com/dns-query"); if the DNS is 1.1.1.1, it activates Cloudflare's DoH service ("https://cloudflare-dns.com/dns-query"), and so on. To avoid problems with resolving corporate intranet names, DoH is not used when the browser detects that it is running on a centrally managed system. DoH is also disabled when parental control systems are present.
    DoH activation and the choice of DoH provider are controlled through the standard configurator.

  • A new design for web form elements is offered, optimized for use on touch screens and on systems for people with disabilities. The design was optimized by Microsoft as part of the development of the Edge browser and transferred to the main Chromium codebase. Previously, some form elements were designed to match operating system elements, and others followed the most popular styles. As a result, different elements were suited to touch screens, systems for people with disabilities and keyboard control to different degrees. The purpose of the revision was to unify the design of form elements and eliminate style inconsistencies.

  • The design of the "Privacy and Security" settings section has been changed and new security management tools have been added. Settings are now easier to find and easier to understand. Four basic sections are offered, which contain tools for clearing history, managing cookies and site data, security modes, and prohibitions or permissions associated with specific sites. The user can quickly enable third-party cookie blocking for incognito mode or for all sites, or block all cookies for a specific site. The new design is enabled only for some users; the rest can activate it through "chrome://flags/#privacy-settings-redesign".

    Site-specific settings are divided into groups: access to location, camera, microphone, notifications, and background data sending. There is also a section with additional settings for blocking JavaScript, images and redirects on certain sites. The user's most recent action related to a change of permissions is highlighted separately.

  • In incognito mode, blocking of all cookies set by third-party sites, including ad networks and web analytics systems, is now enabled by default. An extended interface for controlling how sites set cookies is also offered. It is controlled by the flags "chrome://flags/#improved-cookie-controls" and "chrome://flags/#improved-cookie-controls-for-third-party-cookie-blocking". After the mode is activated, a new icon appears in the address bar; clicking it shows the number of blocked cookies and offers the option to disable blocking. You can see which cookies are allowed and blocked for the current site in the "Cookies" section of the context menu opened by clicking the padlock symbol in the address bar, or in the settings.

  • Settings now has a "Safety check" button that provides a summary of potential security issues such as compromised passwords, Safe Browsing status, updates that have not been installed, and detected malicious add-ons.

  • The password manager can now check all saved logins and passwords against a database of compromised accounts and warn if problems are found (the check is based on verifying a hash prefix on the user's side; the passwords themselves and their full hashes are not transferred outside). The check is performed against a database covering more than 4 billion compromised accounts that appeared in leaks of user databases. A warning is also displayed when trying to use trivial passwords such as "abc123".

  • An Enhanced Safe Browsing mode is introduced, which activates additional checks to protect against phishing, malicious activity, and other threats on the Web. Additional protection is also applied to your Google account and Google services (Gmail, Drive, etc.). In the normal Safe Browsing mode, checks are performed locally against a database periodically downloaded to the client's system; in Enhanced Safe Browsing, real-time information about pages and downloads is sent to the Google Safe Browsing service for verification on the Google side, which makes it possible to respond to threats immediately after they are detected, without waiting for the local blacklist to be updated.

    To speed things up, a preliminary check against whitelists is supported; these include the hashes of thousands of popular, trustworthy sites. If the site being opened is not on the whitelist, the browser checks the URL against the Google server, passing the first 32 bits of the SHA-256 hash of the link, from which possible personal data has been stripped. According to Google, the new approach allows for a 30% increase in the effectiveness of warnings for new phishing sites.

  • Instead of automatically pinning add-on icons next to the address bar, a new menu is implemented, indicated by a puzzle icon, which lists all available add-ons and their permissions. After installing an add-on, the user must now explicitly enable pinning of its icon to the panel, evaluating the permissions granted to the add-on along the way. So that the add-on does not get lost, an indicator with information about the new add-on is displayed immediately after installation. The new menu is enabled by default for a certain percentage of users; others can enable it using the "chrome://flags/#extensions-toolbar-menu" setting.

  • Added the "chrome://flags/#omnibox-context-menu-show-full-urls" setting. When it is enabled, an "Always show full URL" item appears in the context menu of the address bar, which prevents the URL from being distorted. Recall that in Chrome 76 the address bar was switched by default to display links without "https://", "http://" and "www.". There was a setting to disable this behavior, but in Chrome 79 it was removed and users lost the ability to display the full URL in the address bar.

  • For all users, the tab grouping feature ("chrome://flags/#tab-groups") is enabled, which allows you to combine several tabs that are similar in purpose into visually separated groups. Each group can have its own color and name. Additionally, an experimental ability to collapse and expand groups is proposed, which does not yet work on all systems. For example, several unread articles can be temporarily collapsed, leaving only a label so that they do not take up space when navigating, and put back in place when you return to reading. To enable the mode, the setting "chrome://flags/#tab-groups-collapse" is proposed.

  • Warnings are now enabled by default when an insecure download (without encryption) of executable files is attempted via links from HTTPS pages (in Chrome 84, downloads of executable files will be blocked, and a warning will be issued for archives). It is noted that downloading files without encryption can be used to perform malicious activity through content spoofing during MITM attacks. File downloads initiated from isolated iframes are also prohibited.
  • Added a warning when activating Adobe Flash that support for this technology will be discontinued in December 2020.
  • Trusted Types technology is implemented, which makes it possible to block DOM manipulations that lead to cross-site scripting (DOM XSS), for example when data received from the user is processed incorrectly in eval() blocks or ".innerHTML" assignments, which can lead to the execution of JavaScript code in the context of a specific page. Trusted Types require data to be pre-processed before it is passed to risky functions. For example, when Trusted Types are enabled, executing "anElement.innerHTML = location.href" results in an error, and the assignment requires special TrustedHTML or TrustedScript objects. Trusted Types are enabled using CSP (Content-Security-Policy).
  • Added new HTTP headers Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy to enable a special cross-origin isolation mode for the secure use of privileged operations on the page, such as SharedArrayBuffer, Performance.measureMemory() and profiling APIs, which can be used to carry out side-channel attacks such as Spectre. The cross-origin isolation mode also prevents the document.domain property from being changed.
  • A new implementation of the system for inspecting access to resources over the network is proposed - OOR-CORS (Out-Of-Renderer Cross-Origin Resource Sharing). The old implementation could only inspect the core components of the Blink engine, XHR, and the Fetch API, but did not cover HTTP requests made from some internal modules. The new implementation solves this problem.
  • Several new APIs have been added to the Origin Trials mode (experimental features that require separate activation). Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site.
    • The Native File System API, which allows you to create web applications that interact with files in the local file system. For example, the new API may be required in browser-based IDEs, text editors, image editors, and video editors. To be able to directly write and read files, use dialogs to open and save files, and navigate through the contents of directories, the application asks the user for a special confirmation.
    • Method performance.measureMemory() to estimate memory consumption when processing a web application or web page. It can be used to analyze and optimize memory consumption in web applications, as well as to detect regressive growth in memory consumption.
    • Method Prioritized Scheduler.postTask() for scheduling tasks (JavaScript callbacks) with different priority levels (blocks user work, creates visible changes and background work). You can use the TaskController object to change the priority and cancel tasks.
    • API WebRTC Insertable Streams, which allows applications to create their own data handlers that are used when encoding and decoding WebRTC MediaStreamTrack. For example, the API can be used to organize end-to-end encryption of streams transmitted through a transit server.
  • Added the Barcode Detection API to detect and decode barcodes in a specific image. The API only works on Android devices with Google Play Services installed.
  • Added the color-scheme meta tag, which allows a site to provide full support for the dark theme without the use of CSS transforms.
  • Added the ability to use JavaScript modules in shared workers.
  • In IndexedDB, a new "durability" argument has been added to IDBDatabase.transaction(), which allows you to control the flushing of data to the drive. By passing the value "relaxed" instead of the default "strict" mode, you can sacrifice reliability for the sake of performance (previously, Chrome always flushed data to disk after each transaction was written).

  • A selector() function has been added to @supports to detect support for CSS selectors (for example, you can check whether a selector is available before applying CSS styles that depend on it).

    @supports selector(::before) {
      /* applied only if the browser understands the ::before selector */
      div { background: green; }
    }

  • Added the fractionalSecondDigits property to Intl.DateTimeFormat to set the display format for fractional seconds.
  • The V8 engine now tracks ArrayBuffer objects in the garbage collector faster. WebAssembly modules are allowed to request up to 4 GB of memory.
  • Added new tools for web developers. For example, a mode has appeared that emulates how the page is perceived by people with impaired vision and various forms of color blindness. A locale emulation mode has also been added; changing the locale affects the Intl.* APIs, *.prototype.toLocaleString, navigator.language, Accept-Language, etc.

    A COEP (Cross-Origin Embedder Policy) debugger has been added to the network activity inspection interface, which allows you to evaluate the reasons why the loading of certain resources over the network was blocked. Added the cookie-path keyword to filter requests in which a cookie is bound to a specific path.

    Added developer tools docking mode to the left side of the screen.

    The interface for tracking long-running JavaScript code has been redesigned.

  • Due to COVID-19, some planned changes have been delayed. For example, removal of the code for working with FTP has been postponed indefinitely. Disabling support for the TLS 1.0/1.1 protocols has been postponed until the release of Chrome 84. Initial support for the Client Hints identifier (an alternative to User-Agent) has also been postponed until Chrome 84. Work on User-Agent unification has been carried over to next year.
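
The Trusted Types item in the list above, worked through as an added example (not code from Chrome or from the original article). The policy name "escape-html" and the helper names are assumptions made for this sketch; the fallback branch lets the same code run where the API is absent.

```javascript
// Added example. The policy name "escape-html" is an assumption.

// Value of the Content-Security-Policy response header that turns
// enforcement on and allows only the policy created below.
const CSP_VALUE = "require-trusted-types-for 'script'; trusted-types escape-html";

// The single reviewed function allowed to turn strings into markup.
function escapeHTML(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// tt is window.trustedTypes in browsers that implement the API. Where it is
// absent (older browsers, Node) fall back to an object with the same method,
// so call sites stay identical and the escaping still happens.
function installPolicy(tt) {
  if (tt && typeof tt.createPolicy === "function") {
    return tt.createPolicy("escape-html", { createHTML: escapeHTML });
  }
  return { createHTML: escapeHTML };
}

const htmlPolicy = installPolicy(globalThis.trustedTypes);

// Under enforcement, `el.innerHTML = href` throws a TypeError because href is
// a plain string. The assignment below is accepted because the value comes
// from the policy (a TrustedHTML object in the browser).
function showCurrentUrl(el, href) {
  el.innerHTML = htmlPolicy.createHTML("You are at: " + href);
}
```

In a page, call `showCurrentUrl(anElement, location.href)`; when only text is being displayed, assigning to `textContent` avoids the HTML sink altogether.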
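
For the Cross-Origin-Opener-Policy / Cross-Origin-Embedder-Policy item and the COEP debugger mentioned in the list above, here is an added example (not from the original article or from Chrome) that audits a document's headers and its subresources for what would stop cross-origin isolation. The function names, URLs and sample responses are constructed, and the simplifications are stated in the comments.

```javascript
// Added example: the sample URLs and responses are constructed.
const REQUIRED = {
  "cross-origin-opener-policy": "same-origin",
  "cross-origin-embedder-policy": "require-corp",
};

// Lower-case names and values so comparisons are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value).trim().toLowerCase();
  }
  return out;
}

// Returns the reasons a document would not end up cross-origin isolated.
// Simplifications: header values are compared exactly (no parameters), and
// a CORP value of "same-site" is treated as insufficient because deciding
// "same site" needs the Public Suffix List.
function auditIsolation(docUrl, docHeaders, subresources) {
  const problems = [];
  const doc = normalize(docHeaders);
  for (const [name, want] of Object.entries(REQUIRED)) {
    if (doc[name] !== want) {
      problems.push(`document: ${name} is ${doc[name] || "missing"}, need ${want}`);
    }
  }
  const docOrigin = new URL(docUrl).origin;
  for (const res of subresources) {
    if (new URL(res.url).origin === docOrigin) continue; // same-origin loads
    if (res.cors) continue; // requested in CORS mode and the check passed
    const corp = normalize(res.headers)["cross-origin-resource-policy"];
    if (corp !== "cross-origin") {
      problems.push(`require-corp would block ${res.url} (CORP: ${corp || "missing"})`);
    }
  }
  return problems;
}

// Constructed sample: one third-party image lacks a CORP header.
const sampleReport = auditIsolation(
  "https://app.example.test/",
  { "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Embedder-Policy": "require-corp" },
  [
    { url: "https://app.example.test/main.js", headers: {} },
    { url: "https://cdn.example.test/logo.png", headers: { "Cross-Origin-Resource-Policy": "cross-origin" } },
    { url: "https://ads.example.test/pixel.gif", headers: {} },
    { url: "https://fonts.example.test/a.woff2", headers: {}, cors: true },
  ]
);
console.log(sampleReport);
```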

In addition to innovations and bug fixes, the new version eliminates 38 vulnerabilities. Many of the vulnerabilities were identified with the automated testing tools AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL. No critical issues that would allow bypassing all levels of browser protection and executing code on the system outside the sandbox environment have been identified. As part of the vulnerability bounty program for the current release, Google paid out 28 awards worth $76 (one $20000 award, one $10000 award, two $7500 awards, two $5000 awards, two $3000 awards, two $2000 awards, two $1000 awards and eight $500 awards). The amount of 7 rewards has not yet been determined.

Source: opennet.ru
