Chrome Release 84

Google has released the Chrome 84 web browser. A stable release of the free Chromium project, which serves as the basis of Chrome, is available at the same time. Chrome differs from Chromium in its use of Google logos, a system for sending notifications in case of a crash, the ability to download a Flash module on demand, modules for playing protected video content (DRM), an automatic update system, and the transmission of RLZ parameters when searching. The next release, Chrome 85, is scheduled for August 25th.

All changes in Chrome 84:

  • Disabled support for the TLS 1.0 and TLS 1.1 protocols. To access sites over a secure communication channel, the server must support at least TLS 1.2; otherwise the browser will now display an error. According to Google, about 0.5% of web page loads are currently still carried out using outdated versions of TLS. The shutdown follows the recommendations of the IETF (Internet Engineering Task Force). The reason for dropping TLS 1.0/1.1 is the lack of support for modern ciphers (for example, ECDHE and AEAD) and the requirement to support old ciphers whose reliability is in question at the present stage of development of computing technology (for example, support for TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA is required, and MD5 and SHA-1 are used for integrity checking and authentication). The setting to re-enable TLS 1.0/1.1 will be preserved until January 2021.
  • Insecure (unencrypted) downloads of executable files are now blocked, and warnings have been added for insecure downloads of archives. In the future, it is planned to gradually phase out support for downloading files without encryption. The blocking was implemented because unencrypted file downloads can be used to perform malicious actions by replacing the content during MITM attacks.
  • Added initial support for Client Hints, developed as an alternative to the User-Agent header. The Client Hints mechanism offers a series of "Sec-CH-UA-*" headers as a replacement for the User-Agent, allowing data about specific browser and system parameters (version, platform, etc.) to be returned selectively and only after being requested by the server. The user gets the opportunity to determine which parameters are acceptable to return and to selectively provide such information to site owners. When using Client Hints, the identifier is not passed by default without an explicit request, which makes passive identification impossible (only the browser name is specified by default). Work on unifying the User-Agent has been postponed until next year.
  • Resumed the rollout of stricter restrictions on the transmission of cookies between sites, which had been canceled due to COVID-19. For non-HTTPS requests, the processing of third-party cookies that are set when accessing sites other than the domain of the current page is prohibited. Such cookies are used to track user movements between sites in the code of advertising networks, social network widgets and web analytics systems.

    Recall that Cookie transmission is controlled by the SameSite attribute specified in the Set-Cookie header, which by default will be set to "SameSite=Lax", restricting Cookie sending for cross-site subrequests, such as requesting an image or downloading content via an iframe from another site. Sites can override the default SameSite behavior by explicitly setting the Cookie to SameSite=None. Moreover, the SameSite=None value for Cookies can only be set in Secure mode (valid for connections via HTTPS). The change will be applied in stages, initially for a small percentage of users, and then gradually expanding coverage.

  • Added an experimental blocker of resource-intensive ads, which can be enabled using the "chrome://flags/#enable-heavy-ad-intervention" setting. The blocker automatically disables ad iframes after traffic and CPU load thresholds are exceeded. The block is triggered if the main thread has spent more than 60 seconds of CPU time in total or 15 seconds in a 30-second interval (consuming 50% of the resources for more than 30 seconds), and also when more than 4 MB of data has been downloaded over the network.

    The blocking works only if the user has not interacted with the ad unit before the limit was exceeded (for example, did not click on it), which, taking into account the traffic limit, will block autoplay of large videos in ads unless the user explicitly starts playback. The proposed measures will save users from ads with inefficiently implemented code or deliberate parasitic activity (for example, mining). According to Google statistics, ads that meet the blocking criteria make up only 0.30% of all ad units, but these ad units consume 28% of CPU resources and 27% of traffic from all ads.

  • Work has been done to reduce the consumption of CPU resources when the browser window is not in the user's field of vision. Chrome now checks whether the browser window is overlapped by other windows and avoids drawing pixels in the overlapped areas. The new feature will be enabled gradually: the optimization will be turned on selectively for some users in Chrome 84, and for the rest in Chrome 85.
  • Protection against annoying notifications, such as spam requests to receive push notifications, is enabled by default. Since such requests interrupt the user's work and divert attention to actions in confirmation dialogs, instead of a separate dialog an information tooltip that requires no user action is displayed in the address bar, warning that the permission request was blocked; it automatically collapses into an indicator with a crossed-out bell. By clicking on the indicator, the user can grant or reject the requested permission at any convenient time.

  • The user's choice is remembered when opening handlers of external protocols - the user can select "always allow for this site" for a specific handler and the browser will remember this decision in relation to the current site.
  • Added protection against changing user settings without explicit consent. If an add-on changes the default search engine or the page displayed for a new tab, the browser will now display a dialog prompting the user to confirm the operation or cancel the change.
  • Continued implementation of protection against loading mixed media content (when resources are loaded on an HTTPS page using the http:// protocol). Pages opened via HTTPS will now automatically have "http://" links replaced with "https://" in blocks related to loading images (scripts and iframes were replaced earlier; autocorrection of audio and video resources is expected in the next release). If the image is not available via https, its loading is blocked (the blocking can be overridden manually through the menu accessible via the padlock symbol in the address bar).
  • Added support for the Web OTP API (developed as the SMS Receiver API), which makes it possible to organize the entry of a one-time password on a web page after an SMS message with a confirmation code is delivered to the user's Android smartphone running the browser. SMS confirmation can be used, for example, to verify the phone number provided by the user during registration. Whereas earlier the user had to open the SMS application, copy the code from it to the clipboard, return to the browser and paste the code, the new API makes it possible to automate this process and reduce it to one touch.
  • Extended the Web Animations API for controlling the playback of web animations. The new release adds support for compositing operations that control how effects are combined, and provides new handlers that are called when content replacement events occur. The Web Animations API also now supports Promises for sequencing animations and for better control of how animations interact with other application features.

  • Several new APIs have been added to the Origin Trials mode (experimental features that require separate activation). Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site.
    • Cookie Store API, which gives Service Workers access to HTTP cookies and is an asynchronous alternative to using document.cookie.
    • Idle Detection API for detecting user inactivity, which makes it possible to determine when the user is not interacting with the keyboard or mouse, the screen saver is running, the screen is locked, or work is being done on another monitor. The application is informed about inactivity by a notification sent after the specified inactivity threshold is reached.
    • Origin Isolation mode, which allows the developer to use more complete isolation of content processing in a separate process per origin (origin - domain + port + protocol) rather than per site, at the cost of giving up some legacy features, such as synchronous execution of scripts using document.domain and calling postMessage() to send messages to WebAssembly.Module instances. In other words, Origin Isolation makes it possible to split content into different processes based on the domain of the resource, and not on the site with all the extraneous inclusions on its pages.
    • WebAssembly SIMD API for using vector SIMD instructions in WebAssembly applications. For platform independence, a new 128-bit type is provided that can represent different types of packed data, along with several basic vector operations for processing packed data. SIMD improves performance by parallelizing data processing and will be useful when compiling native code to WebAssembly. To enable SIMD support, use the "chrome://flags/#enable-webassembly-simd" setting.
  • The Content Indexing API has been stabilized and is now available outside of Origin Trials. It provides metadata about content that was previously cached by web applications running in Progressive Web Apps (PWA) mode. Using the Cache Storage and IndexedDB APIs, an application can store various data on the browser side, including images, videos, and articles, and use them when the network connection fails. The Content Indexing API provides the ability to add, find, and remove such resources. In the browser, this API is already used to list the pages and media available for offline viewing.

  • Stabilized the Promise-based variant of the Wake Lock API, which provides a more secure way to control the disabling of screen auto-lock and the switching of devices into power-saving modes.
  • The version for the Android platform adds support for application shortcuts, which provide quick access to popular typical actions in the application. To create shortcuts, it is enough to add elements to the manifest of a web application in the PWA (Progressive Web Apps) format.
  • The Reporting Observer API is now available in Web Workers. It allows defining a handler for generating a report, which is called when obsolete features are accessed. At the user's choice, the generated report can be saved, sent to the server or processed by a JavaScript script.
  • Updated the Resize Observer API, which makes it possible to attach a handler that is notified about changes in the size of the specified elements on the page. Three new properties have been added to ResizeObserverEntry: contentBoxSize, borderBoxSize, and devicePixelContentBoxSize, which return more detailed information as an array of ResizeObserverSize objects.
  • Added the "revert" keyword to reset the style of an element to its default value.
  • The prefix has been removed from the CSS properties "-webkit-appearance" and "-webkit-ruby-position", which are now available as "appearance" and "ruby-position".
  • JavaScript now supports marking methods and properties of a class as private, after which they can be accessed only inside the class (previously only fields could be private). To mark methods and properties as private, put a "#" sign before the name.
  • JavaScript now supports weak references to JavaScript objects, which make it possible to keep a reference to an object without preventing the garbage collector from removing that object. Support for finalizers has also been added, which makes it possible to define a handler to be called after a specified object has been garbage collected.
  • Launching WebAssembly applications has been accelerated thanks to the implementation of atomic instructions and bulk memory operations in the initial (baseline) Liftoff compiler. The tools for debugging WebAssembly have been improved, and debugging performance when using breakpoints is significantly better (previously the interpreter was used when debugging, and now the Liftoff compiler is used).
  • Updated (https://developers.google.com/web/updates/2020/05/devtools) the performance analysis panel in the web developer tools. Added general information about the TBT (Total Blocking Time) metric, which shows how long the page appears to be available but actually is not (i.e. the page has already been rendered, but the main thread is still blocked and data input is not possible). Added a new Experience section for analyzing the CLS (Cumulative Layout Shift) metric, which reflects the visual stability of the content. In the CSS styles inspection panel, a preview of images specified through the "background-image" property is implemented.
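
For the TLS 1.0/1.1 shutdown described in the list above, the following added example (not code from Chrome or from the original article) parses a raw ServerHello record and reports whether the version the server selected meets Chrome 84's TLS 1.2 minimum. The function names are hypothetical and the sample handshakes are constructed in the code, so it runs offline under Node.js.

```javascript
// Added example (Node.js): which TLS version did a server select, and does Chrome 84 accept it?
const TLS_NAMES = { 0x0301: 'TLS 1.0', 0x0302: 'TLS 1.1', 0x0303: 'TLS 1.2', 0x0304: 'TLS 1.3' };

// Parse one TLS record that holds a ServerHello and return the selected version number.
function negotiatedVersion(buf) {
  if (buf.length < 5 || buf[0] !== 0x16) throw new Error('not a TLS handshake record');
  const body = buf.subarray(5, 5 + buf.readUInt16BE(3));
  if (body.length < 42 || body[0] !== 0x02) throw new Error('not a complete ServerHello');
  let off = 4;                                 // skip handshake type (1) + length (3)
  let version = body.readUInt16BE(off);        // legacy_version; final for TLS <= 1.2
  off += 2 + 32;                               // version + random
  off += 1 + body[off];                        // session_id length byte + session_id
  off += 3;                                    // cipher suite (2) + compression method (1)
  if (off + 2 > body.length) return version;   // no extensions block present
  const end = off + 2 + body.readUInt16BE(off);
  if (end > body.length) throw new Error('truncated extensions');
  off += 2;
  while (off + 4 <= end) {
    const type = body.readUInt16BE(off);
    const len = body.readUInt16BE(off + 2);
    // TLS 1.3 reports the real version in supported_versions (extension 0x002b).
    if (type === 0x002b && len === 2) version = body.readUInt16BE(off + 4);
    off += 4 + len;
  }
  return version;
}

// Chrome 84 requires at least TLS 1.2, as stated in the release notes above.
function chrome84Verdict(buf) {
  const v = negotiatedVersion(buf);
  return { protocol: TLS_NAMES[v] || 'unknown', accepted: v >= 0x0303 };
}

// Constructed sample: builds a minimal ServerHello; `selected` adds supported_versions.
function sampleServerHello(legacy, selected) {
  const u16 = (n) => [n >> 8, n & 0xff];
  const ext = selected ? Buffer.from([0x00, 0x2b, 0x00, 0x02, ...u16(selected)]) : Buffer.alloc(0);
  const hello = Buffer.concat([
    Buffer.from(u16(legacy)), Buffer.alloc(32, 0xab),    // version, random
    Buffer.from([0x00, 0x00, 0x2f, 0x00]),               // empty session_id, suite, compression
    Buffer.from(ext.length ? u16(ext.length) : []), ext, // extensions block (TLS 1.3 only)
  ]);
  const hs = Buffer.concat([Buffer.from([0x02, 0x00, ...u16(hello.length)]), hello]);
  return Buffer.concat([Buffer.from([0x16, ...u16(legacy), ...u16(hs.length)]), hs]);
}
```

Feeding it the first server record captured from a handshake gives the same verdict the browser would reach; the cipher suite bytes are not inspected.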
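
The SameSite rules from the cookie item in the list above, as an added example that is not Chrome's code or part of the original article: a simplified model that parses a Set-Cookie value, applies the "Lax by default" and "None requires Secure" rules, and decides whether the cookie accompanies a request. The request shape and function names are hypothetical, and the sample headers are constructed.

```javascript
// Added example: simplified model of the cookie rules described above, not Chrome's code.
// Parse a Set-Cookie header value into the fields this model needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = value;
  }
  return cookie;
}

// Apply the defaults from the text: no SameSite means Lax, None is valid only with Secure.
function effectivePolicy(cookie) {
  if (cookie.sameSite === 'none') {
    return cookie.secure
      ? { accepted: true, mode: 'none' }
      : { accepted: false, reason: 'SameSite=None requires Secure' };
  }
  if (cookie.sameSite === 'strict' || cookie.sameSite === 'lax') {
    return { accepted: true, mode: cookie.sameSite };
  }
  return { accepted: true, mode: 'lax' }; // missing or unrecognized value
}

// request (hypothetical shape): { crossSite, https, topLevelGet }
function wouldSend(setCookieHeader, request) {
  const cookie = parseSetCookie(setCookieHeader);
  const policy = effectivePolicy(cookie);
  if (!policy.accepted) return false;              // the browser rejects the cookie outright
  if (cookie.secure && !request.https) return false;
  if (!request.crossSite || policy.mode === 'none') return true;
  // Lax still allows top-level GET navigations; Strict allows nothing cross-site.
  return policy.mode === 'lax' && request.topLevelGet === true;
}

// Constructed sample headers, checked against a cross-site image/iframe subrequest over HTTPS.
const SUBREQUEST = { crossSite: true, https: true, topLevelGet: false };
const SAMPLES = ['sid=1', 'sid=1; SameSite=None', 'sid=1; SameSite=None; Secure', 'sid=1; SameSite=Strict'];
function demo() {
  return SAMPLES.map((h) => wouldSend(h, SUBREQUEST));
}
```

Only the third sample reaches the cross-site subrequest, which is why third-party widgets that still need their cookies must set both SameSite=None and Secure.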

In addition to new features and bug fixes, the new version fixes 38 vulnerabilities. Many of the vulnerabilities were identified through automated testing with the AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL tools. One issue (CVE-2020-6510, a buffer overflow in the background fetch handler) is marked as critical, i.e. it allows bypassing all levels of browser protection and executing code on the system outside the sandbox environment. As part of the vulnerability bounty program for the current release, Google paid out 26 awards worth $21500 (two $5000 awards, two $3000 awards, one $2000 award, two $1000 awards, and three $500 awards). The amounts of 16 rewards have not yet been determined.

Source: opennet.ru
