🥇Chrome 93 release

Google has unveiled the release of the Chrome 93 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser is distinguished by the use of Google logos, the presence of a system for sending notifications in the event of a crash, modules for playing protected video content (DRM), an automatic update system, and transmission when searching for RLZ parameters. The next release of Chrome 94 is scheduled for September 21 (development has been moved to a 4-week release cycle).

Key changes in Chrome 93:

The design of the block with information about the page (page info) has been modernized, in which nested blocks are supported, and drop-down lists with access rights have been replaced with switches. The lists provide the output of the most important information in the first place. The change is not enabled for all users, you can use the "chrome://flags/#page-info-version-2-desktop" setting to activate it.
For a small percentage of users, as an experiment, the secure connection indicator in the address bar was replaced with a more neutral and non-double symbol (the lock was replaced with a “V” sign). Connections established without encryption continue to display the "not secure" indicator. The reason for replacing the indicator is that many users associate the lock indicator with the fact that the content of the site can be trusted, and do not perceive it as a sign of encryption of the connection. According to a Google survey, only 11% of users understand the meaning of the padlock icon.
In the list of recently closed tabs, the contents of closed groups of tabs are displayed (previously, the list simply showed the name of the group without detailing the content) with the ability to return both the entire group and individual tabs from the group at once. The feature is not enabled for all users, so you may need to change the "chrome://flags/#tab-restore-sub-menus" setting to enable it.
For enterprises, new DefaultJavaScriptJitSetting, JavaScriptJitAllowedForSites, and JavaScriptJitBlockedForSites settings have been implemented to control JIT-less mode, which disables JIT compilation when executing JavaScript (only the Ignition interpreter is used) and prohibits the allocation of executable memory during code execution. Disabling JIT can be useful for improving the security of working with potentially dangerous web applications at the cost of reducing the performance of JavaScript execution by about 17%. It is noteworthy that Microsoft went even further and implemented an experimental “Super Duper Secure” mode in the Edge browser, which allows the user to disable JIT and activate JIT-incompatible hardware protection mechanisms CET (Controlflow-Enforcement Technology), ACG (Arbitrary Code Guard) and CFG ( Control Flow Guard) for processes that process web content. If the experiment turns out to be successful, then we can expect it to be transferred to the main composition of Chrome.
The new tab page provides a list of the most requested documents saved in Google Drive. The contents of the list correspond to the Priority section in drive.google.com. You can use the "chrome://flags/#ntp-modules" and "chrome://flags/#ntp-drive-module" settings to control the display of Google Drive content.
The new tab page has new information cards to help you find recently viewed content and related information. Maps are designed to make it easier to continue working with information that was interrupted, for example, maps will help you find a recipe for a dish that you recently found online but lost after closing the page, or continue shopping in stores. As an experiment, users are offered two new maps: "Recipes" (chrome://flags/#ntp-recipe-tasks-module) to search for recipes and show recently viewed recipes; "Purchases" (chrome://flags/#ntp-chrome-cart-module) for reminders of selected products in online stores.
Added optional support for the Android version of the continuous search bar (chrome://flags/#continuous-search) to keep recent Google search results visible (the bar continues to show results after navigating to other pages).
An experimental citation exchange mode (chrome://flags/#webnotes-stylize) has been added to the Android version, which allows you to save a selection in the form of a citation and share it with other users.
Developer two-factor verification is now required when publishing new additions or version updates to the Chrome Web Store.
Google Account users have the option to save payment information to their Google account.
In incognito mode, if the option to clear navigation data is activated, a new operation confirmation dialog has been implemented, explaining that clearing the data will close the window and end all sessions in incognito mode.
Due to identified incompatibilities with the firmware of some devices, support for the new key agreement method added in Chrome 91, resistant to selection on quantum computers, based on the use of the CECPQ1.3 (Combined Elliptic-Curve and Post-Quantum 2) extension in TLSv2, which combines the classic X25519 key exchange mechanism with an HRSS scheme based on the NTRU Prime algorithm developed for post-quantum cryptosystems.
Ports 989 (ftps-data) and 990 (ftps) have been added to the list of forbidden network ports in order to block the ALPACA attack. Previously, ports 69, 137, 161, 554, 1719, 1720, 1723, 5060, 5061, 6566, and 10080 have already been blocked to protect against NAT slipstreaming attacks.
TLS has dropped support for ciphers based on the 3DES algorithm. In particular, the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite, subject to the Sweet32 attack, has been removed.
Ubuntu 16.04 distribution has been discontinued.
Provided the ability to use the WebOTP API between different devices connected through a common Google account. WebOTP allows a web application to read one-time verification codes sent via SMS. The proposed change makes it possible to receive a verification code on a mobile device with Chrome for Android, and apply it on a desktop system.
Extended the User-Agent Client Hints API, developed as a replacement for the User-Agent header. User-Agent Client Hints allows you to organize selective return of data about specific browser and system parameters (version, platform, etc.) only after a request by the server. The user, in turn, can determine what information can be provided to site owners. When using User-Agent Client Hints, the browser identifier is not passed without an explicit request, and only basic parameters are specified by default, which makes passive identification difficult.
The new version supports the Sec-CH-UA-Bitness parameter to return platform bitness data, which can be used to return optimized binary files. By default, the Sec-CH-UA-Platform parameter is sent with general platform data. In the UADataValues value returned when calling getHighEntropyValues(), by default, the return of generic parameters is implemented if it is not possible to return a detailed version. The toJSON method has been added to the NavigatorUAData object, which allows the use of JSON.stringify(navigator.userAgentData) constructs.
The ability to package resources in Web Bundle format packages has been stabilized and offered by default, suitable for organizing more efficient loading of a large number of related files (CSS styles, JavaScript, images, iframes). Among the shortcomings in the existing package support for JavaScript files (webpack) that the Web Bundle is trying to eliminate: the package itself can settle in the HTTP cache, but not its component parts; compilation and execution can only start after the package has been fully downloaded; additional resources such as CSS and images must be encoded as JavaScript strings, resulting in an increase in size and another parsing step.
Enabled the WebXR Plane Detection API, which provides information about flat surfaces in a 3D virtual environment. The specified API makes it possible to do without the resource-intensive processing of data received via the MediaDevices.getUserMedia() call, using our own implementations of machine vision algorithms. Recall that the WebXR API allows you to unify work with various classes of virtual reality devices, from stationary 3D helmets to solutions based on mobile devices.
Several new APIs have been added to the Origin Trials mode (experimental features that require separate activation). Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site.
- The Multi-Screen Window Placement API has been proposed, which allows you to place windows on any display connected to the current system, as well as save the position of the window and, if necessary, expand the window to full screen. For example, using the specified API, a presentation web application can display slides on one screen and display a note for the presenter on another.
- The Cross-Origin-Embedder-Policy header, which controls the Cross-Origin isolation mode and allows you to define secure usage rules in the privileged operations page, now supports the "credentialless" parameter to disable the transmission of credential-related information such as cookies and client certificates.
- For stand-alone web applications (PWA, Progressive Web Apps) that control the rendering of window content and process input, an overlay with window controls, such as a title bar and window expand/collapse buttons, is provided. The overlay extends the editable area to the entire window and allows you to add your own elements to the title area.
- Added the ability to create PWA applications that can be used as URL handlers. For example, the music.example.com application can register itself as a URL handler https://*.music.example.com and all transitions from external applications following these links, for example, from instant messengers and email clients, will lead to the opening of this PWA- applications, not a new browser tab.
The ability to load CSS files using the "import" statement, similar to loading JavaScript modules, is provided, which is convenient when creating your own elements and eliminates the need to assign styles to JavaScript code. import sheet from './styles.css' assert { type: 'css' }; document.adoptedStyleSheets = [sheet]; shadowRoot.adoptedStyleSheets = [sheet];
A new static method AbortSignal.abort() has been provided that returns an AbortSignal object that already has the aborted parameter set. Instead of several lines of code to create an AbortSignal object in the aborted state, you can now do with a single line "return AbortSignal.abort()".
Support for the start, end, self-start, self-end, left, and right keywords has been added to the Flexbox element, which complements the center, flex-start, and flex-end keywords with tools for easier alignment of the position of flex items.
The Error() constructor has a new optional "cause" property that can be used to easily link errors to each other. const parentError = new Error('parent'); const error = new Error('parent', { cause: parentError }); console.log(error.cause === parentError); // → true
Support for the noplaybackrate mode has been added to the HTMLMediaElement.controlsList property, which allows you to disable elements of the interface provided in the browser to change the playback speed of multimedia content.
Added the Sec-CH-Prefers-Color-Scheme header, which allows at the stage of sending the request to transfer data about the user's preferred color scheme used in the "prefers-color-scheme" media queries, which will allow the site to optimize the loading of CSS associated with the selected scheme and avoid visible switches from other charts.
The Object.hasOwn property has been added, which is a simplified version of Object.prototype.hasOwnProperty implemented as a static method. Object.hasOwn({ prop: 42 }, 'prop') // → true
Designed for very fast rough compilation, the Sparkplug JIT compiler has added a batch execution mode to reduce the overhead of switching memory pages between write and run mode. Sparkplug now compiles multiple functions at once and calls mprotect once to change the permissions of the entire group. The proposed mode significantly reduces compilation time (up to 44%) without negatively impacting JavaScript execution performance.
The Android version disables the protection mechanisms built into the V8 engine from third-party attacks, such as Specter, which are considered not as effective as isolating sites in separate processes. In the desktop version, these mechanisms were disabled back in the release of Chrome 70. Disabling unnecessary checks allowed us to increase performance by 2-15%.
Improvements have been made to tools for web developers. In the style sheet inspection mode, the ability to edit requests generated using the @container expression is provided. In the network inspection mode, a preview of resources in the Web bundle format is implemented. In the web console, options have been added to the context menu for copying strings in the form of JavaScript or JSON literals. Debugging errors related to CORS (Cross-Origin Resource Sharing) has been simplified.

In addition to innovations and bug fixes, 27 vulnerabilities have been fixed in the new version. Many of the vulnerabilities were identified as a result of automated testing tools AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL. No critical issues that allow bypassing all browser protection levels and executing code in the system outside the sandbox environment have been identified. Under the Vulnerability Bounty Program for the current release, Google has paid out 19 awards totaling $136500 (three $20000 awards, one $15000 award, three $10000 awards, one $7500 award, three $5000 awards, and three $3000 awards). The amount of 5 rewards has not yet been determined.

Source: opennet.ru

Chrome Release 93

Add a comment Отменить ответ