Chrome Release 91

Google has unveiled the release of the Chrome 91 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser is distinguished by the use of Google logos, a system for sending notifications in the event of a crash, modules for playing protected video content (DRM), an automatic update system, and the transmission of RLZ parameters when searching. The next release, Chrome 92, is scheduled for July 20th.

Key changes in Chrome 91:

  • Implemented the ability to stop JavaScript execution in a collapsed tab group. Chrome 85 introduced support for grouping tabs into groups, which can be associated with a specific color and label. When a group label is clicked, the tabs associated with it are collapsed and only the label remains (clicking on the label again expands the group). In the new release, to reduce CPU load and save energy, activity in collapsed tabs is suspended. An exception is made only for tabs that play sound, use the Web Locks or IndexedDB API, connect to a USB device, or capture video, sound, or window content. The change will be rolled out gradually, starting with a small percentage of users.
  • Enabled support for a key agreement method resistant to brute force on quantum computers. Quantum computers are radically faster in solving the problem of decomposing a natural number into prime factors, which underlies modern asymmetric encryption algorithms and cannot be effectively solved on classical processors. For use in TLSv1.3, the CECPQ2 (Combined Elliptic-Curve and Post-Quantum 2) extension is provided, which combines the classic X25519 key exchange mechanism with an HRSS scheme based on the NTRU Prime algorithm designed for post-quantum cryptosystems.
  • Support for the TLS 1.0 and TLS 1.1 protocols, which have been deprecated by the IETF (Internet Engineering Task Force), has been completely discontinued. The ability to re-enable TLS 1.0/1.1 by changing the SSLVersionMin policy has also been removed.
  • Builds for the Linux platform now enable the DNS over HTTPS (DoH) mode, which was previously rolled out to users of Windows, macOS, ChromeOS and Android. DNS-over-HTTPS will be automatically enabled for users whose settings include DNS providers that support this technology (DNS-over-HTTPS uses the same provider that was used for DNS). For example, if the user has DNS 8.8.8.8 specified in the system settings, then Google's DNS-over-HTTPS service ("https://dns.google.com/dns-query") will be activated in Chrome; if DNS is 1.1.1.1, then Cloudflare's DNS-over-HTTPS service ("https://cloudflare-dns.com/dns-query"), etc.
  • Added port 10080, which is used by Amanda backup and VMware vCenter, to the list of forbidden network ports. Ports 69, 137, 161, 554, 1719, 1720, 1723, 5060, 5061 and 6566 have already been blocked. For ports on the blacklist, sending HTTP, HTTPS and FTP requests is blocked to protect against the NAT slipstreaming attack, in which opening a web page specially prepared by the attacker in the browser allows a network connection to be established from the attacker's server to any UDP or TCP port on the user's system, despite the use of an internal address range (192.168.x.x, 10.x.x.x).
  • Provided the ability to configure the automatic launch of stand-alone web applications (PWA - Progressive Web Apps) when a user logs in (Windows and macOS). Autostart is configured on the chrome://apps page. The functionality is still being tested on a small percentage of users, and for the rest it requires the activation of the "chrome://flags/#enable-desktop-pwas-run-on-os-login" setting.
  • As part of the work to move the browser to inclusive terminology, the "master_preferences" file has been renamed to "initial_preferences". To maintain compatibility, support for "master_preferences" will remain in the browser for a while. The browser had previously stopped using the words "whitelist", "blacklist" and "native".
  • The Enhanced Safe Browsing mode, which activates additional checks to protect against phishing, malicious activity and other threats on the Web, can now send downloaded files to Google for verification. In addition, Enhanced Safe Browsing takes into account tokens associated with a Google account when detecting phishing attempts, and sends Referrer header values to Google servers to check for redirects from a malicious site.
  • The Android edition has improved the design of web form elements, which have been optimized for use on touchscreens and systems for people with disabilities (for desktop systems, the design was reworked in Chrome 83). The purpose of the revision was to unify the design of form elements and eliminate style inconsistencies: previously, some of the form elements were designed in accordance with the interface elements of operating systems, and some in accordance with the most popular styles. Because of this, different elements were suitable for touch screens and systems for people with disabilities to different degrees.
  • Added a user opinion poll shown when opening the Privacy Sandbox settings (chrome://settings/privacySandbox).
  • When running on large-screen tablets, the Android version of Chrome requests the desktop version of the site, not the mobile edition. You can change the behavior using the "chrome://flags/#request-desktop-site-for-tablets" setting.
  • The code for rendering tables has been redesigned, which made it possible to solve problems with the inconsistency of behavior when displaying tables in Chrome and Firefox / Safari.
  • The processing of server certificates from the Spanish certification center Camerfirma has been stopped due to repeated incidents since 2017 related to violations in the issuance of certificates. Support for client certificates has been retained, blocking is applied only to certificates used on sites for HTTPS.
  • Continued implementation of support for network segmentation to protect against methods of tracking user movements between sites, based on the storage of identifiers in areas not intended for permanent storage of information ("Supercookies"). Because resources in a cache are stored in a common namespace, regardless of the origin domain, one site can determine if a resource is being loaded from another site by checking whether the resource is in the cache. Protection is based on the use of Network Partitioning, the essence of which is to add an additional binding of entries to the domain from which the main page is opened to the shared caches, which limits the scope of the cache for movement tracking scripts only to the current site (the script from the iframe will not be able to check whether the resource was loaded from another site).

    The price of segmentation is a decrease in caching efficiency, resulting in a slight increase in page load time (maximum by 1.32%, but for 80% of sites by 0.09-0.75%). To test the partitioning mode, you can launch the browser with the option "--enable-features=PartitionConnectionsByNetworkIsolationKey,PartitionExpectCTStateByNetworkIsolationKey,PartitionHttpServerPropertiesByNetworkIsolationKey,PartitionNelAndReportingByNetworkIsolationKey,PartitionSSLSessionsByNetworkIsolationKey,SplitHostCacheByNetworkIsolationKey".

  • Added external REST API VersionHistory (https://versionhistory.googleapis.com/v1/chrome), through which you can get information about Chrome versions in relation to platforms and branches, as well as browser update history.
  • In iframes loaded from domains other than the domain of the base page, the output of the alert(), confirm() and prompt() JavaScript dialogs is prohibited, which will protect users from an attempt by a third-party script to display messages under the guise that the notification was displayed by the main site.
  • Stabilized and proposed by default the WebAssembly SIMD API for using vector SIMD instructions in applications in the WebAssembly format. For platform independence, a new 128-bit type is provided that can represent different types of packed data, and several basic vector operations for processing packed data. SIMD allows you to improve performance by parallelizing data processing and will be useful when compiling native code in WebAssembly.
  • Several new APIs have been added to the Origin Trials mode (experimental features that require separate activation). Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site.
    • WebTransport is a protocol and accompanying JavaScript API for sending and receiving data between a browser and a server. The communication channel is organized over HTTP/3 using the QUIC protocol as a transport, which, in turn, is an add-on over the UDP protocol that supports multiplexing of several connections and provides encryption methods equivalent to TLS/SSL.

      WebTransport can be used in place of WebSockets and RTCDataChannel mechanisms, offering additional features such as multistreaming, unidirectional streams, out-of-order delivery, reliable and unreliable delivery modes. In addition, WebTransport can be used instead of the Server Push mechanism that Google has deprecated in Chrome.

    • A declarative interface for defining links to standalone web applications (PWAs), enabled by the capture_links parameter in the web application manifest, and allowing sites to automatically open a new PWA window when an application link is clicked, or switch to single-window mode similar to mobile applications.
    • The WebXR Plane Detection API has been added to provide information about planar surfaces in a 3D virtual environment. The API makes it possible to do without the resource-intensive processing of data received via the MediaDevices.getUserMedia() call using custom implementations of machine vision algorithms. Recall that the WebXR API allows you to unify work with various classes of virtual reality devices, from stationary 3D helmets to solutions based on mobile devices.
  • Implemented support for working with WebSockets over HTTP/2 (RFC 8441), which is valid only for secure requests to WebSockets and if there is an HTTP/2 connection already established with the server, in which support for the "WebSockets over HTTP/2" extension is announced.
  • Accuracy limits on timer values returned by the performance.now() call are unified across all supported platforms and adapted to account for possible isolation of handlers in separate processes. For example, on desktop systems, the accuracy when processing in non-isolated contexts has been reduced from 5 to 100 microseconds.
  • Desktop builds include the ability to read files from the clipboard (writing files to the clipboard is still disabled).

        async function onPaste(e) {
          let file = e.clipboardData.files[0];
          let contents = await file.text();
        }

  • CSS implements the @counter-style rule, which allows you to define your own style for counters and labels in numbered lists.
  • CSS pseudo-classes ":host()" and ":host-context()" added the ability to pass single values of compound selectors ( ) in addition to selector lists ( ).
  • Added GravitySensor interface for determining volumetric (along three coordinate axes) data from a gravity sensor.
  • The File System Access API provides the ability to define file name and directory selection recommendations offered in the file creation or opening dialog.
  • iframes loaded from other domains are allowed to access the WebOTP API if the user grants the appropriate permissions. WebOTP allows you to read one-time verification codes sent via SMS.
  • Credential sharing is allowed for sites linked using the DAL (Digital Asset Links) mechanism, which allows Android apps to be associated with sites for easier sign-in.
  • Service workers now support JavaScript modules. When the type 'module' is specified during the constructor call, the specified scripts will be loaded as modules and be available for import in the context of the worker. Module support makes it easy to share code across web pages and service workers.
  • JavaScript provides the ability to check for the existence of private fields in an object using the "#foo in obj" syntax.

        class A {
          static test(obj) {
            console.log(#foo in obj);
          }
          #foo = 0;
        }
        A.test(new A()); // true
        A.test({});      // false

  • By default, JavaScript allows the use of the await keyword at the top level of modules, which lets you integrate asynchronous calls into the module loading process more smoothly and avoid wrapping them in an "async function". For example, instead of

        (async function() {
          await Promise.resolve(console.log('test'));
        }());

    now you can write

        await Promise.resolve(console.log('test'));

  • The V8 JavaScript engine improved the efficiency of template caching, resulting in a 4.5% increase in the speed of passing the Speedometer2-FlightJS test.
  • A large number of improvements have been made to the tools for web developers. A new Memory inspector mode has been added that provides tools for examining ArrayBuffer data and Wasm memory.

    A summary performance indicator has been added to the Performance panel, which allows you to judge whether the site requires optimization or not.

    When previewing images in the Elements panel and in the network request analysis panel, information about the aspect ratio of the image, rendering parameters, and file size is provided.

    In the network inspection panel, it became possible to change the accepted values of the Content-Encoding header.

    In the style panel, you can now quickly view the computed value when navigating through the CSS parameters by selecting "View computed value" from the context menu.

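The cache partitioning item above (Network Partitioning and its caching cost) can be illustrated with a toy model. This is an added example, not Chromium code: the HttpCache class, the siteOf() helper and the example.* URLs are constructed for illustration, and "site" is simplified to scheme plus hostname.

```javascript
// Toy model of a browser HTTP cache, constructed for illustration (not Chromium code).
function siteOf(url) {
  // Assumption: "site" is scheme + hostname; browsers use the registrable domain.
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}`;
}

class HttpCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Set();
    this.networkFetches = 0;
  }

  // Shared cache: key is the resource URL alone.
  // Partitioned cache: key also binds the site of the top-level page, so a
  // request made from an iframe is still keyed to the page the user opened.
  key(topLevelUrl, resourceUrl) {
    return this.partitioned
      ? JSON.stringify([siteOf(topLevelUrl), resourceUrl])
      : resourceUrl;
  }

  // Returns "hit" when served from cache, "miss" when it had to go to the network.
  fetch(topLevelUrl, resourceUrl) {
    const k = this.key(topLevelUrl, resourceUrl);
    if (this.entries.has(k)) return "hit";
    this.networkFetches += 1;
    this.entries.add(k);
    return "miss";
  }
}

function simulate(partitioned) {
  const cache = new HttpCache(partitioned);
  const logo = "https://shop.example/static/logo.png"; // constructed sample URL
  cache.fetch("https://shop.example/cart", logo);                 // user visits the shop
  const probe = cache.fetch("https://news.example/story", logo);  // another site checks the cache
  const revisit = cache.fetch("https://shop.example/cart", logo); // user returns to the shop
  return { probe, revisit, networkFetches: cache.networkFetches };
}

console.log("shared:     ", simulate(false));
console.log("partitioned:", simulate(true));
```

With the shared cache the second site sees a hit, which reveals the earlier visit; with partitioning it sees a miss, at the price of one extra network fetch.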

In addition to innovations and bug fixes, 32 vulnerabilities have been fixed in the new version. Many of the vulnerabilities were identified using the automated testing tools AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL. No critical issues that allow bypassing all browser protection levels and executing code in the system outside the sandbox environment have been identified. As part of the vulnerability bounty program for the current release, Google has paid out 21 awards worth $92000 (one $20000 award, one $15000 award, four $7500 awards, three $5000 awards, three $3000 awards, two $1000 awards, and two $500). The amount of 5 rewards has not yet been determined.

Source: opennet.ru
