Chrome Release 86

Google has presented the release of the Chrome 86 web browser. At the same time, a stable release of the free Chromium project, which forms the basis of Chrome, is available. Chrome differs from Chromium in the use of Google logos, the presence of a system for sending notifications in case of a crash, the ability to download a Flash module on demand, modules for playing protected video content (DRM), an automatic update system, and the transmission of RLZ parameters in search queries. The next release, Chrome 87, is scheduled for November 17th.

All changes in Chrome 86:

  • Added protection against insecure submission of input forms: forms on pages loaded via HTTPS that send their data via HTTP, which creates the risk of interception and data spoofing during MITM attacks. The protection comes down to three changes:
    • Auto-completion is disabled for any mixed input form, similar to how auto-completion of authentication forms has long been disabled on pages opened via HTTP. Previously, whether the page containing the form was opened via HTTPS or HTTP was the only criterion for disabling it; now whether encryption is used when submitting data to the form handler is also taken into account. The password manager is not disabled for mixed authentication forms, because the risk of users choosing weak passwords and reusing passwords across sites exceeds the risk of potential traffic interception.
    • When the user starts typing in a mixed form, a warning informs them that the entered data will be sent over an unencrypted channel.
    • When the user tries to submit a mixed form, a separate page is shown with a notice about the risk of sending data over an unencrypted channel. In past versions, mixed forms were indicated by the lock indicator in the address bar, but that mark was not obvious to users and did not effectively convey the risk involved.
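
A way to find the mixed forms this protection targets, as an added example (not code from the article or from Chrome): it resolves each form's action against the page URL the way a browser does and flags the forms that would post over plain HTTP. The page URL and form list are constructed samples.

```javascript
// Added example (not from the article or from Chrome): flag "mixed" forms, i.e.
// forms on an HTTPS page whose handler is reached over plain HTTP. Actions are
// resolved against the page URL the way a browser resolves them.

// True when submitting `formAction` from the page at `pageUrl` would send the
// form data without encryption.
function isMixedForm(pageUrl, formAction) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return false; // only an HTTPS page can be "mixed"
  let target;
  try {
    target = new URL(formAction || '', page); // empty action submits to the page itself
  } catch (e) {
    return false; // unparseable action: the browser sends nothing
  }
  return target.protocol === 'http:';
}

// Scan a list of forms and report the offending ones, noting whether a password
// field is involved (Chrome keeps the password manager active for those forms).
function findMixedForms(pageUrl, forms) {
  return forms
    .filter((f) => isMixedForm(pageUrl, f.action))
    .map((f) => ({ action: f.action, hasPassword: f.fields.includes('password') }));
}

// Constructed sample: in a real audit the forms come from a crawler or document.forms.
const SAMPLE_PAGE = 'https://shop.example/checkout';
const SAMPLE_FORMS = [
  { action: '/pay', fields: ['card'] },                                      // same origin, HTTPS
  { action: 'http://legacy.example/pay', fields: ['card'] },                // mixed
  { action: '//cdn.example/search', fields: ['q'] },                        // scheme-relative: HTTPS
  { action: '', fields: ['login', 'password'] },                            // submits to the page itself
  { action: 'http://legacy.example/login', fields: ['login', 'password'] }, // mixed, with password
];

console.log(findMixedForms(SAMPLE_PAGE, SAMPLE_FORMS));
```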

  • In addition to blocking insecure downloads (without encryption) of executable files, blocking of insecure downloads of archives (zip, iso, etc.) has been added, along with warnings for insecure downloads of documents (docx, pdf, etc.). The next release is expected to block documents and to warn for images, text and media files. The blocking is implemented because files downloaded without encryption can be used to perform malicious actions by substituting their content during MITM attacks.

  • The context menu now shows the option "Always show URL in full" by default, which previously required changing settings on the about:flags page. The full URL can also be viewed by double-clicking the address bar. Recall that starting from Chrome 76, the address is shown by default without the protocol and the www subdomain. In Chrome 79 the setting to restore the old behavior was removed, but after user dissatisfaction a new experimental flag was added in Chrome 83 that adds a context-menu item to disable the hiding and show the full URL under all conditions.
  • For a small percentage of users, an experiment was launched that by default displays only the domain in the address bar, without path elements and query parameters. For example, instead of "https://example.com/secure-google-sign-in/" it shows "example.com". Rolling the proposed mode out to all users is expected in one of the next releases. To disable this behavior, you can use the "Always show full URL" option, and to view the entire URL, you can click the address bar. The motive for the change is to protect users from phishing that manipulates parts of the URL: attackers exploit user inattention to create the appearance that a different site has been opened and then commit fraudulent actions (such substitutions may be obvious to a technically competent user, but inexperienced users fall for these manipulations).
  • The initiative to remove FTP support has resumed. In Chrome 86, FTP is disabled by default for about 1% of users, and in Chrome 87 the coverage will be increased to 50%, but support can be restored using the "--enable-ftp" or "--enable-features=FtpProtocol" flag. In Chrome 88, FTP support will be disabled completely.
  • In the Android version, by analogy with the desktop version, the password manager checks saved logins and passwords against a database of compromised accounts and warns about problems or attempts to use trivial passwords. The check is performed against a database covering more than 4 billion compromised accounts that appeared in leaks of user databases. To preserve privacy, matching by hash prefix is performed on the user's side, and the passwords themselves and their full hashes are not transmitted outside.
  • The Android version also received the Safety check button and Enhanced Safe Browsing. The "Safety check" button shows a summary of potential security issues such as compromised passwords, Safe Browsing status, uninstalled updates, and detected malicious add-ons. Enhanced Safe Browsing mode activates additional checks to protect against phishing, malicious activity and other threats on the Web, and also adds protection for your Google account and Google services (Gmail, Drive, etc.). Whereas in normal Safe Browsing mode checks are performed locally against a database periodically downloaded to the client's system, in Enhanced Safe Browsing real-time information about pages and downloads is sent to Google for verification, which allows threats to be addressed immediately after they are detected, without waiting for the local blocklist to update.
  • Added support for the ".well-known/change-password" indicator file, with which site owners can specify the address of the web form for changing the password. If a user's credentials have been compromised, Chrome will now offer the user the password change form based on the information in this file.
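
A server-side counterpart to the indicator file, as an added example (not code from the article or from any real site): a Node.js request handler that answers the .well-known/change-password URL with a redirect to an assumed form path /account/password, and answers the probe URL defined by the specification with 404 so that clients can trust the redirect.

```javascript
// Added example, not from the original article or any site's code: a Node.js
// request handler for the .well-known/change-password URL. The password form
// location /account/password is an assumed path. The second well-known path is
// the probe the specification defines so a client can distinguish a genuine
// redirect from a site that returns 200 for every URL.
const CHANGE_PASSWORD_PATH = '/.well-known/change-password';
const PROBE_PATH = '/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200';
const PASSWORD_FORM = '/account/password'; // assumed: where this site's form lives

// Pure routing decision, separated from the socket so it can be checked alone.
function wellKnownRoute(pathname) {
  if (pathname === CHANGE_PASSWORD_PATH) return { status: 302, location: PASSWORD_FORM };
  if (pathname === PROBE_PATH) return { status: 404 }; // must not answer 200
  return null; // not one of the paths handled here
}

// Node http request listener; mount it with http.createServer(handleRequest).
function handleRequest(req, res) {
  // Only the path matters; a base is required because req.url is relative.
  const { pathname } = new URL(req.url, 'http://placeholder.invalid');
  const route = wellKnownRoute(pathname);
  if (!route) { res.writeHead(404); res.end(); return; }
  const headers = route.location ? { Location: route.location } : {};
  res.writeHead(route.status, headers);
  res.end();
}
```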
  • Implemented a new "Safety Tip" warning displayed when opening sites whose domain is very similar to another site and the heuristic shows that there is a high probability of spoofing (for example, goog0le.com is opened instead of google.com).
  • Implemented support for the transition cache (Back-forward cache), which provides an instant transition when using the "Back" and "Forward" buttons or when navigating through previously viewed pages of the current site. The cache is enabled using the chrome://flags/#back-forward-cache setting.
  • Optimized CPU consumption by windows that are hidden from view. Chrome checks whether the browser window is overlapped by other windows and avoids drawing pixels in the overlapped areas. This optimization was enabled for a small percentage of users in Chrome 84 and 85 and is now enabled for everyone. Compared to previous releases, an incompatibility with virtualization systems that caused blank white pages to be displayed has also been fixed.

  • Improved resource throttling for background tabs. Such tabs can no longer consume more than 1% of CPU resources and can wake up no more than once per minute. After five minutes in the background, tabs are frozen, except for tabs that are playing multimedia content or recording.
  • Work on unifying the HTTP User-Agent header has resumed. In the new version, the User Agent Client Hints mechanism, developed as a replacement for User-Agent, is enabled for all users. The new mechanism returns data about specific browser and system parameters (version, platform, etc.) selectively, only after the server requests them, and gives users the opportunity to decide what to provide to site owners. With User-Agent Client Hints, the identifier is not sent by default without an explicit request, which makes passive identification impossible (only the browser name is sent by default).
  • Changed the indication that an update is available and the browser must be restarted to install it. Instead of a colored arrow in the account avatar area, the word "Update" now appears.
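
The hint exchange described above, as an added example (not code from the article or from Chrome): a parser for the Sec-CH-UA header that a Client Hints-capable browser sends by default, a helper that picks the real brand out of it, and the Accept-CH response header a server uses to request further hints. The header values are constructed samples, not captured from Chrome 86.

```javascript
// Added example (not from the article): parse a Sec-CH-UA request header, a
// Structured Fields list of quoted brands with v="..." parameters. Samples are constructed.
// Parse one quoted string starting at s[i] === '"'; only \" and \\ escapes are valid.
function parseSfString(s, i) {
  let out = '';
  for (let j = i + 1; j < s.length; j += 1) {
    const c = s[j];
    if (c === '"') return { value: out, next: j + 1 };
    if (c === '\\') {
      j += 1;
      if (j >= s.length || (s[j] !== '"' && s[j] !== '\\')) throw new Error('bad escape');
      out += s[j];
    } else {
      out += c;
    }
  }
  throw new Error('unterminated string');
}
// Returns [{ brand, version }] in header order; GREASE entries are kept.
function parseSecChUa(header) {
  const brands = [];
  let i = 0;
  while (i < header.length) {
    while (header[i] === ' ' || header[i] === ',') i += 1; // list separators
    if (i >= header.length) break;
    if (header[i] !== '"') throw new Error('expected quoted brand at offset ' + i);
    const b = parseSfString(header, i);
    i = b.next;
    let version = '';
    if (header.startsWith(';v=', i)) { // the v="..." parameter
      const v = parseSfString(header, i + 3);
      version = v.value;
      i = v.next;
    }
    brands.push({ brand: b.value, version });
  }
  return brands;
}

// The brand to treat as the user's browser: skip GREASE entries (anything beyond
// letters, digits and spaces) and the generic "Chromium" entry.
function primaryBrand(brands) {
  return brands.find((b) => /^[A-Za-z0-9 ]+$/.test(b.brand) && b.brand !== 'Chromium') || null;
}
// Response header asking the client to send further hints on later requests.
const ACCEPT_CH = 'Accept-CH: Sec-CH-UA-Full-Version, Sec-CH-UA-Platform, Sec-CH-UA-Mobile';
// Constructed samples; the second one's GREASE brand uses both escape forms.
const SAMPLE_UA = '"Chromium";v="86", "Google Chrome";v="86", ";Not A Brand";v="99"';
const SAMPLE_ESCAPED = '"\\\\Not;A\\"Brand";v="99", "Google Chrome";v="86"';
```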

  • Work has been done to move the browser to inclusive terminology. In policy names, "whitelist" and "blacklist" have been replaced with "allowlist" and "blocklist" (already added policies will continue to work, but a deprecation warning will be displayed for them). In code and filenames, references to "blacklist" have been replaced with "blocklist". User-visible references to "blacklist" and "whitelist" were replaced back in early 2019.

  • Added an experimental ability to edit saved passwords, activated using the "chrome://flags/#edit-passwords-in-settings" flag.
  • The Native File System API, which allows web applications to interact with files in the local file system, has been moved to stable and made public. For example, the new API may be needed in browser-based IDEs, text editors, image editors, and video editors. To directly write and read files, use dialogs to open and save files, or navigate the contents of directories, the application asks the user for explicit confirmation.

  • Added the CSS selector ":focus-visible", which uses the same heuristics the browser uses when deciding whether to show the focus indicator (moving focus to a button with keyboard shortcuts shows the indicator, but clicking with the mouse does not). The previously available ":focus" selector always highlights focus. In addition, the "Quick Focus Highlight" option has been added to the settings; when enabled, an additional focus indicator is shown next to active elements, and it remains visible even if the page's CSS disables the visual focus styling.

  • Several new APIs have been added to the Origin Trials mode (experimental features that require separate activation). Origin Trial allows the specified API to be used from applications loaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site.
    • WebHID API for low-level access to HID devices (Human Interface Devices: keyboards, mice, gamepads, touch panels), which allows the logic of working with a HID device to be implemented in JavaScript, so that rare HID devices can be supported without specific drivers in the system. First of all, the new API is aimed at supporting gamepads.

    • The Screen Information API, which extends the Window Placement API to support multi-screen configurations. Unlike window.screen, the new API allows manipulating the placement of a window in the combined screen space of multi-monitor systems without being limited to the current screen.
    • The battery-savings meta tag, with which a site can inform the browser that it should activate modes that reduce power consumption and CPU load.
    • The COOP Reporting API, for reporting potential violations of the Cross-Origin-Embedder-Policy (COEP) and Cross-Origin-Opener-Policy (COOP) isolation modes without enforcing the actual restrictions.
    • In the Credential Management API, a new credential type, PaymentCredential, is proposed, which provides additional confirmation of the payment being made. A relying party, such as a bank, can generate a PublicKeyCredential that the merchant can request for additional secure payment confirmation.
  • In the PointerEvents API, to determine the tilt of the stylus, support for altitude (the angle between the stylus and the screen) and azimuth (the angle between the X axis and the projection of the stylus onto the screen) angles has been added, instead of the TiltX and TiltY angles (the angles between the plane containing the stylus and one of the axes and the plane formed by the Y and Z axes). Conversion functions between altitude/azimuth and TiltX/TiltY have also been added.
  • Changed encoding of space in URL when it is evaluated in protocol handlers - navigator.registerProtocolHandler() method now replaces spaces with "%20" instead of "+", which unifies behavior with other browsers such as Firefox.
  • Added the CSS pseudo-element "::marker", which allows customizing the color, size, shape and type of the numbers and bullets of list markers in list blocks.
  • Added support for the Document-Policy HTTP header, which allows setting document access rules, similar to iframe sandboxing but more versatile. For example, through Document-Policy you can restrict the use of low-quality images, disable slow JavaScript APIs, configure rules for loading iframes, images and scripts, limit the total size of the document and its traffic, prohibit methods that lead to page re-layout, and disable the Scroll To Text feature.
  • For the element, support was added for the 'inline-grid', 'grid', 'inline-flex' and 'flex' values set via the 'display' CSS property.
  • Added method ParentNode.replaceChildren() to replace all children of the parent node with another DOM node. Previously, you could use a combination of node.removeChild() and node.append() or node.innerHTML and node.append() to replace nodes.
  • Expanded the range of URL schemes allowed to be overridden with registerProtocolHandler(). The list of schemes includes cabal, dat, did, dweb, ethereum, hyper, ipfs, ipns, and ssb decentralized protocols, which allows you to define links to elements regardless of the site or gateway that provides access to the resource.
  • In the Asynchronous Clipboard API, support for the text/html format has been added for copying and pasting HTML via the clipboard (dangerous HTML constructs are sanitized when writing to and reading from the clipboard). The change, for example, allows web editors to support copying and pasting formatted text with images and links.
  • In WebRTC, the ability to attach custom data handlers called at the encoding or decoding stages of a WebRTC MediaStreamTrack has been added. For example, this capability can be used to add end-to-end encryption of data transmitted through intermediate servers.
  • In the V8 JavaScript engine, the implementation of Number.prototype.toString has been sped up by 75%. The .name property, with an empty value, has been added to asynchronous classes. The Atomics.wake method, which was earlier renamed to Atomics.notify to comply with the ECMA-262 specification, has been removed. The js fuzzer fuzz-testing toolkit has been released as open source.
  • Liftoff, the baseline compiler for WebAssembly enabled in the last release, now uses SIMD vector instructions to speed up calculations. Judging by the tests, the optimization sped up some benchmarks by 2.8 times. Another optimization significantly sped up calls to imported JavaScript functions from WebAssembly.
  • Expanded tools for web developers: information about the players used to play video on the page has been added to the Media panel, including event data, logs, property values, and frame decoding options (for example, you can determine the causes of frame drops and of problems when interacting from JavaScript).

    In the context menu of the Elements panel, the ability to take a screenshot of the selected element has been added (for example, a screenshot of a table of contents or a table).

    In the web console, the issue warning bar has been replaced with a regular message, and issues with third-party cookies are hidden by default in the Issues tab and can be enabled with a special checkbox.

    The "Disable local fonts" button has been added to the Rendering tab, which allows simulating the absence of local fonts, and the Sensors tab can simulate user inactivity (for applications using the Idle Detection API).

    The Application panel provides detailed information about each iframe, open window and pop-up, including data on cross-origin isolation using COEP and COOP.

  • Started replacing the implementation of the QUIC protocol with the version developed in the IETF specification instead of Google's variant of QUIC.

In addition to innovations and bug fixes, the new version eliminates 35 vulnerabilities. Many of the vulnerabilities were identified using the automated testing tools AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL. One vulnerability (CVE-2020-15967, use of freed memory in the code for interacting with Google Payments) is marked as critical, i.e. it allows bypassing all levels of browser protection and executing code on the system outside the sandbox environment. As part of the vulnerability bounty program, Google has paid out 27 rewards worth $71500 for the current release (one $15000 reward, three $7500 rewards, five $5000 rewards, two $3000, one $2000, and two $500 rewards). The amount of 13 rewards has not yet been determined.

Source: opennet.ru