Chrome Release 90

Google has unveiled the release of the Chrome 90 web browser. At the same time, a stable release of the free Chromium project, which serves as the basis of Chrome, is available. The Chrome browser differs in its use of Google logos, a system for sending notifications in the event of a crash, modules for playing protected video content (DRM), an automatic update system, and the transmission of RLZ parameters when searching. The next release, Chrome 91, is scheduled for May 25th.

Key changes in Chrome 90:

  • Opening sites via HTTPS by default when hostnames are typed in the address bar is now enabled for all users. For example, entering the host "example.com" will default to https://example.com, and if there are problems opening it, the browser will fall back to http://example.com. The setting "chrome://flags#omnibox-default-typed-navigations-to-https" is provided to control the use of "https://" by default.
  • The ability to assign different labels to windows for their visual separation in the desktop panel has been implemented. Support for changing the window name will simplify the organization of work when using separate browser windows for different tasks, for example, when opening separate windows for work tasks, personal interests, entertainment, delayed materials, etc. The name is changed through the "Add window title" item in the context menu that appears when you right-click on an empty area in the tab bar. After changing the name in the application bar, instead of the name of the site from the active tab, the selected name is displayed, which can be useful when opening the same sites in different windows linked to separate accounts. The binding persists between sessions and upon restart the windows will be restored with the selected names.
  • Added the ability to hide the "Reading List" without having to change the settings in "chrome://flags" ("chrome://flags#read-later"). To hide it, you can now use the "Show Reading List" option at the bottom of the context menu shown when you right-click on the bookmarks bar. Recall that in the last release, for some users, clicking the asterisk in the address bar shows, in addition to the Add Bookmark button, a second Add to Reading List button, and a Reading List menu appears in the right corner of the bookmarks bar, listing all pages previously added to the list. When you open a page from the list, it is marked as read. Pages in the list can also be marked as read and unread manually or removed from the list.
  • Added support for network segmentation to protect against methods of tracking user movements between sites based on storing identifiers in areas not intended for permanent storage of information ("Supercookies"). Because resources in a cache are stored in a common namespace, regardless of the origin domain, one site can determine if a resource is being loaded from another site by checking whether the resource is in the cache. Protection is based on the use of Network Partitioning, the essence of which is to add an additional binding of records to the domain from which the main page is opened to the shared caches, which limits the scope of the cache for movement tracking scripts only to the current site (the script from the iframe will not be able to check whether the resource was loaded from another site). The price of segmentation is a decrease in caching efficiency, resulting in a slight increase in page load time (maximum by 1.32%, but for 80% of sites by 0.09-0.75%).
  • The blacklist of network ports to which the sending of HTTP, HTTPS and FTP requests is blocked has been expanded to protect against the NAT slipstreaming attack, which allows an attacker, when a specially prepared web page is opened in the browser, to establish a network connection from the attacker's server to any UDP or TCP port on the user's system, despite the use of an internal address range (192.168.x.x, 10.x.x.x). Ports 554 (RTSP protocol) and 10080 (used in Amanda backup and VMWare vCenter) have been added to the list of prohibited ports. Ports 69, 137, 161, 554, 1719, 1720, 1723, 5060, 5061 and 6566 have already been blocked.
  • Added initial browser support for PDF documents with XFA forms.
  • For some users, a new settings section “Chrome Settings > Privacy and security > Privacy sandbox” has been activated, which allows you to manage the parameters of the FLoC API, which is aimed at determining the category of user interests without individual identification and without reference to the history of visiting specific sites.
  • Provided a more understandable notification with a list of allowed actions that is shown when a user connects to a profile for which centralized management is enabled.
  • The permission request interface has been made less intrusive. Requests that the user is not likely to approve are now automatically blocked, with a corresponding indicator displayed in the address bar, through which the user can go to the interface for managing permissions for each site.
  • Enabled support for Intel CET (Intel Control-flow Enforcement Technology) extensions for hardware protection against the execution of exploits built using return-oriented programming (ROP, Return-Oriented Programming) techniques.
  • Work continued on the translation of the browser to the use of inclusive terminology. The "master_preferences" file has been renamed to "initial_preferences" so as not to hurt the feelings of users who perceive the word master as a hint of the past slavery of their ancestors. To maintain compatibility, support for "master_preferences" will remain in the browser for a while. Previously, the browser has already got rid of the use of the words "whitelist", "blacklist" and "native".
  • In the Android version, when the "Lite" traffic saving mode is enabled, the bitrate is reduced when downloading video when connected via the networks of mobile operators, which will reduce the costs of users who have traffic-based tariffs enabled. The "Lite" mode also provides compression of images requested from publicly available resources (not requiring authentication) via HTTPS.
  • An AV1 video format encoder has been added, specially optimized for use in video conferences based on the WebRTC protocol. The use of AV1 in videoconferencing can improve the efficiency of compression and provide the ability to broadcast on channels with a bandwidth of 30 kbps.
  • In JavaScript, the at() method is implemented in the Array, String, and TypedArray objects, which allows you to use relative indexing (the relative position is specified as the array index), including specifying negative values relative to the end (for example, "arr.at(-1)" will return the last element of the array).
  • In JavaScript for regular expressions, the ".indices" property has been added, containing an array with the start and end positions of the match groups. The property is populated only when the regular expression is executed with the "/d" flag.
      const re = /(a)(b)/d;
      const m = re.exec('ab');
      console.log(m.indices[0]); // index 0 is the whole match
      // → [0, 2]
      console.log(m.indices[1]); // index 1 is the first capture group
      // → [0, 1]
      console.log(m.indices[2]); // index 2 is the second capture group
      // → [1, 2]
  • Optimized the performance of "super" properties (for example, super.x) that use an inline cache. The performance of using "super" is now close to that of accessing normal properties.
  • Calling WebAssembly functions from JavaScript is greatly accelerated through the use of inlining. This optimization is still experimental and requires running with the "--turbo-inline-js-wasm-calls" flag.
  • Added the WebXR Depth Sensing API, which allows you to determine the distance between objects in the user's environment and the user's device, for example, to create more realistic augmented reality applications. Recall that the WebXR API allows you to unify work with various classes of virtual reality devices, from stationary 3D helmets to solutions based on mobile devices.
  • The WebXR AR Lighting Estimation feature has been stabilized, allowing WebXR AR sessions to determine ambient lighting parameters to give models a more natural look and more harmonious integration with the user's environment.
  • The Origin Trials mode (experimental features that require separate activation) has added several new APIs that are currently limited to the Android platform. Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site.
    • The getCurrentBrowsingContextMedia() method, which makes it possible to organize the capture of a MediaStream video stream reflecting the contents of the current tab. Unlike the similar getDisplayMedia() method, when you call getCurrentBrowsingContextMedia(), a simple dialog is displayed to the user to either confirm or block the video transfer operation with the tab content.
    • The Insertable Streams API, which makes it possible to manipulate raw media streams passed through the MediaStreamTrack API, such as camera and microphone data, screen capture results, or intermediate codec decoding data. WebCodec interfaces are used to represent raw frames, after which a stream is generated similar to what the WebRTC Insertable Streams API generates based on RTCPeerConnections. On the practical side, the new API allows you to implement functionality such as applying machine learning methods to identify or annotate objects in real time, or to add effects such as background clipping before encoding or after decoding by a codec.
    • The ability to pack resources into packages (Web Bundle) to organize more efficient loading of a large number of related files (CSS styles, JavaScript, images, iframes). Among the shortcomings in the existing package support for JavaScript files (webpack) that the Web Bundle is trying to eliminate: the package itself can settle in the HTTP cache, but not its component parts; compilation and execution can only start after the package has been fully downloaded; additional resources such as CSS and images must be encoded as JavaScript strings, resulting in an increase in size and another parsing step.
    • Support for exception handling in WebAssembly.
  • Stabilized the Declarative Shadow DOM API to create new root branches in the Shadow DOM, for example to isolate the styles of an imported third-party element and its associated DOM subtree from the main document. The proposed declarative API lets you create such DOM branches using HTML alone, without having to write JavaScript code.
  • The aspect-ratio CSS property, which allows you to explicitly bind the aspect ratio to any element (to automatically calculate the missing size when you specify only the height or width), can now interpolate values during animation (smooth transition from one aspect ratio to another).
  • Added the ability to reflect the state of custom HTML elements (custom element) in CSS via the ":state()" pseudo-class. The functionality is implemented by analogy with the ability of standard HTML elements to change their state depending on user interaction.
  • The 'appearance' CSS property now supports the 'auto' value, which is set by default for And , and on the Android platform additionally for , , , And .
  • Support for the "clip" value has been added to the "overflow" CSS property; when it is set, content that goes beyond the block is clipped at the border of the block's allowable overflow without the possibility of scrolling. The value that determines how far the content can extend beyond the actual border of the block before clipping is set via the new "overflow-clip-margin" CSS property. Compared to "overflow: hidden", using "overflow: clip" allows for better performance.
  • The Feature-Policy HTTP header has been replaced by a new Permissions-Policy header to control delegation of privileges and enable advanced features, which includes support for structured field values (for example, you can now specify "Permissions-Policy: geolocation=()" instead of "Feature-Policy: geolocation 'none'").
  • Strengthened protection against the use of Protocol Buffers to carry out attacks caused by speculative execution of instructions in processors. Protection is implemented by adding the "application/x-protobuffer" MIME type to the list of never-sniffed MIME types, which is processed through the Cross-Origin-Read-Blocking mechanism. Previously, the MIME type "application/x-protobuf" was already included in such a list, but "application/x-protobuffer" was left out.
  • The File System Access API implements the ability to shift the current position in a file past its end, filling the resulting gap with zeros during subsequent writing via the FileSystemWritableFileStream.write() call. This feature allows you to create sparse files with voids and greatly simplifies the organization of writing streams to a file with out-of-order receipt of data blocks (for example, this is practiced in BitTorrent).
  • The StaticRange constructor has been added with the implementation of lightweight Range types that do not require updating all related objects every time the DOM tree changes.
  • Implemented the ability to specify width and height parameters for elements specified inside the element . This feature allows you to calculate the aspect ratio for elements , by analogy with how it is done for , And .
  • Non-standard support for RTP Data Channels has been removed from WebRTC, and it is recommended to use SCTP-based data channels instead.
  • The navigator.plugins and navigator.mimeTypes properties now always return an empty value (these properties were no longer needed after Flash was discontinued).
  • A large number of small improvements have been made to the web developer tools, and a new flexbox CSS debugging tool has been added.
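
The move from Feature-Policy to Permissions-Policy noted in the list above changes the header syntax, not just its name. The converter below is an added example, not code from the article or from Chrome; the function names and the sample origin are assumptions, and it handles only the 'self', 'none', "*" and explicit-origin forms of a single ";"-separated policy.

```javascript
// Added example: rewrite a legacy Feature-Policy value in Permissions-Policy syntax.
// Constructed sample policy; meet.example is a placeholder origin.
const SAMPLE = "geolocation 'none'; camera 'self' https://meet.example; fullscreen *";

function convertAllowlist(feature, tokens) {
  if (tokens.length === 0) throw new Error(`${feature}: missing allowlist`);
  if (tokens.includes("'none'")) {
    if (tokens.length > 1) throw new Error(`${feature}: 'none' mixed with other sources`);
    return "()"; // empty inner list: feature disabled everywhere
  }
  if (tokens.includes("*")) return "*"; // wildcard subsumes any other entry
  const items = tokens.map((token) => {
    if (token === "'self'") return "self"; // bare token, quotes dropped
    if (token.startsWith("'")) throw new Error(`${feature}: unsupported keyword ${token}`);
    const origin = new URL(token).origin; // throws on anything that is not a URL
    if (origin === "null") throw new Error(`${feature}: ${token} has no usable origin`);
    return JSON.stringify(origin); // origins become double-quoted strings
  });
  return `(${items.join(" ")})`;
}

function featurePolicyToPermissionsPolicy(value) {
  const members = new Map();
  for (const directive of value.split(";")) {
    const [feature, ...tokens] = directive.trim().split(/\s+/).filter(Boolean);
    if (feature === undefined) continue; // tolerate empty segments and a trailing ';'
    if (!/^[a-z][a-z0-9-]*$/.test(feature)) throw new Error(`bad feature name: ${feature}`);
    // Refuse duplicates instead of guessing which declaration should win.
    if (members.has(feature)) throw new Error(`duplicate directive: ${feature}`);
    members.set(feature, convertAllowlist(feature, tokens));
  }
  return [...members].map(([name, list]) => `${name}=${list}`).join(", ");
}

console.log(featurePolicyToPermissionsPolicy(SAMPLE));
```

Anything the converter cannot map unambiguously (unknown keywords, duplicate directives, comma-joined policy lists) raises an error, so a policy is never silently loosened during migration.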

In addition to innovations and bug fixes, 37 vulnerabilities have been fixed in the new version. Many of the vulnerabilities were identified through automated testing with the AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL tools. No critical issues that allow bypassing all browser protection levels and executing code in the system outside the sandbox environment have been identified. As part of the Vulnerability Reward Program for the current release, Google has paid out 19 awards worth $54000 (one $20000 award, one $10000 award, two $5000 awards, three $3000 awards, one $2000 award, one $1000 award, and four $500 awards). The amount of 6 rewards has not yet been determined.

Separately, it can be noted that yesterday, after the corrective release 89.0.4389.128 was built but before the release of Chrome 90, another exploit was published that used a new 0-day vulnerability that was not fixed in Chrome 89.0.4389.128. It is not yet clear whether this problem has been fixed in Chrome 90. As in the first case, the exploit covers only one vulnerability and does not contain code to bypass sandbox isolation Notepad runs on the Windows platform). The vulnerability associated with the new exploit affects WebAssembly technology.

Source: opennet.ru
