Google has unveiled the release of the Chrome 94 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser is distinguished by the use of Google logos, the presence of a system for sending notifications in the event of a crash, modules for playing protected video content (DRM), an automatic update system, and transmission when searching for RLZ parameters. The next release of Chrome 95 is scheduled for October 19th.
Starting with the release of Chrome 94, development has moved into a new release cycle. Significant new releases will now be published every 4 weeks instead of once every 6 weeks, which will speed up the delivery of new features to users. It is noted that the optimization of the release preparation process and the improvement of the testing system make it possible to generate releases more often without sacrificing quality. For enterprises and those who need more time to update, there will be a separate Extended Stable edition every 8 weeks, which will allow you to switch to new functional releases not every 4 weeks, but every 8 weeks.
Key changes in Chrome 94:
- Added HTTPS-First mode, which is reminiscent of Firefox's earlier HTTPS Only mode. If the mode is enabled in the settings, when trying to open a resource without encryption via HTTP, the browser will first try to access the site via HTTPS, and if the attempt fails, the user will be shown a warning about the lack of HTTPS support and prompted to open the site without encryption. In the future, Google is considering activating HTTPS-First by default for all users, restricting access to some web platform features for pages opened via HTTP, and adding additional warnings to inform users about the threats that arise when accessing sites without encryption. The mode is enabled in the "Privacy and security" > "Security" > "Advanced" section of the settings.
- For pages opened without HTTPS, sending requests (loading resources) to local URLs (for example, "http://router.local" and localhost) and internal address ranges (127.0.0.0/8, 192.168.0.0/16, 10.0.0.0 .8/1.2.3.4 etc.). An exception is made only for pages loaded from servers with internal IPs. For example, a page loaded from server 192.168.0.1 will not be able to access a resource hosted on IP 127.0.0.1 or IP 192.168.1.1, while a page loaded from server XNUMX will be able to. The change introduces an additional layer to protect against exploitation of vulnerabilities in handlers that accept requests on local IPs, and will also allow you to protect yourself from DNS rebinding attacks.
- Added the "Sharing Hub" function, which allows you to quickly share a link to the current page with other users. It provides the ability to generate a QR code from a URL, save a page, send a link to another device associated with a user account, and share a link to third-party sites such as Facebook, WhatsUp, Twitter and VK. The opportunity has not yet been brought to all users. You can use the settings "chrome://flags/#sharing-hub-desktop-app-menu" and "chrome://flags/#sharing-hub-desktop-omnibox" to force the inclusion of the "Share" button in the menu and address bar .
- Restructuring in the browser settings interface has been carried out. Each section of the settings is now displayed on a separate page, and not on one general page.
- Implemented support for dynamic updating of the log of issued and revoked certificates (Certificate Transparency), which will now be updated without being tied to a browser update.
- Added "chrome://whats-new" service page with an overview of user-visible changes in the new release. The page is displayed automatically immediately after an update or is available through the What's New button on the Help menu. The page currently mentions tab search, the ability to split profiles, and a background color changer that are not specific to Chrome 94 and were introduced in past releases. Page display is not yet enabled for all users: to control activation, you can use the settings "chrome://flags#chrome-whats-new-ui" and "chrome://flags#chrome-whats-new-in-main-menu- new-badge".
- Deprecated accessing the WebSQL API from content loaded from third-party sites (for example, via an iframe). In Chrome 94, when trying to access WebSQL from third-party scripts, a warning is displayed, but starting with Chrome 97, such accesses will be blocked. We plan to phase out support for WebSQL completely in the future, regardless of the context of use. The WebSQL engine is based on SQLite code and could be used by attackers to exploit vulnerabilities in SQLite.
- For security reasons and to prevent malicious activity, the obsolete MK (URL:MK) protocol, once used in Internet Explorer and allowing web applications to extract information from compressed files, began to be blocked.
- Dropped support for syncing with older versions of Chrome (Chrome 48 and older).
- Support for the "display-capture" flag has been added to the Permissions-Policy HTTP header, which is intended to enable certain capabilities and control access to the API, to control the use of the Screen Capture API on the page (by default, the ability to capture screen content from external iframes is blocked).
- Several new APIs have been added to the Origin Trials mode (experimental features that require separate activation). Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site.
- Added the WebGPU API, which replaces the WebGL API and provides the means to perform GPU operations such as rendering and computing. Conceptually, WebGPU is close to the Vulkan, Metal, and Direct3D 12 APIs. Conceptually, WebGPU differs from WebGL in much the same way that the Vulkan graphics API differs from OpenGL, but is not based on a specific graphics API, but is a universal layer that uses the same low-level primitives , found in Vulkan, Metal, and Direct3D 12.
WebGPU provides JavaScript applications with low-level control over the organization, processing and transmission of commands to the GPU, and also allows control of associated resources, memory, buffers, texture objects, and compiled graphics shaders. This approach allows you to achieve higher performance graphics applications by reducing overhead and increasing the efficiency of the GPU. The API also makes it possible to create complex 3D projects for the Web that work as well as standalone programs, but are not tied to specific platforms.
- For stand-alone PWA applications, the ability to register as URL handlers has been implemented. For example, the music.example.com application can register itself as a URL handler https://*.music.example.com and all transitions from external applications following these links, for example, from instant messengers and email clients, will lead to the opening of this PWA- applications, not a new browser tab.
- Implemented support for a new HTTP response code, 103, which can be used to prefetch headers. Code 103 allows you to inform the client about the content of some HTTP headers immediately after the request, without waiting for the server to perform all the operations associated with the request and start serving the content. Similarly, you can provide hints about elements associated with the rendered page that can be preloaded (for example, links to the css and javascript used on the page can be provided). Having received information about such resources, the browser will start downloading them without waiting for the end of the return of the main page, which reduces the total processing time of the request.
- Added the WebGPU API, which replaces the WebGL API and provides the means to perform GPU operations such as rendering and computing. Conceptually, WebGPU is close to the Vulkan, Metal, and Direct3D 12 APIs. Conceptually, WebGPU differs from WebGL in much the same way that the Vulkan graphics API differs from OpenGL, but is not based on a specific graphics API, but is a universal layer that uses the same low-level primitives , found in Vulkan, Metal, and Direct3D 12.
- Added a WebCodecs API for low-level manipulation of media streams, in addition to the high-level APIs of HTMLMediaElement, Media Source Extensions, WebAudio, MediaRecorder, and WebRTC. The new API may be in demand in areas such as game streaming, client-side effects, stream transcoding, and support for non-standard media containers. Instead of implementing individual codecs in JavaScript or WebAssembly, the WebCodecs API provides access to ready-made, high-performance components built into the browser. In particular, the WebCodecs API provides audio and video decoders and encoders, image decoders, and functions for working with individual video frames at a low level.
- The Insertable Streams API has been stabilized, making it possible to manipulate raw media streams transmitted via the MediaStreamTrack API, such as camera and microphone data, screen capture results, or intermediate codec decoding data. WebCodec interfaces are used to represent raw frames, after which a stream is generated similar to what the WebRTC Insertable Streams API generates based on RTCPeerConnections. On the practical side, the new API allows you to implement functionality such as applying machine learning methods to identify or annotate objects in real time, or to add effects such as background clipping before encoding or after decoding by a codec.
- The scheduler.postTask() method has been stabilized to control the scheduling of tasks (JavaScript callbacks) with different priority levels. Three priority levels are provided: 1 - run first, even though user operations may be blocked; 2 - changes visible to the user are allowed; 3 - execution in the background). You can use the TaskController object to change the priority and cancel tasks.
- Stabilized and now distributed outside the Origin Trials API Idle Detection to detect user inactivity. The API allows you to determine when the user is not interacting with the keyboard / mouse, the screen saver is running, the screen is locked, or work is being done on another monitor. Informing the application about inactivity is carried out by sending a notification after reaching the specified threshold of inactivity.
- The process of color management in the CanvasRenderingContext2D and ImageData objects and the use of the sRGB color space in them has been formalized. Provided the ability to create CanvasRenderingContext2D and ImageData objects in non-sRGB color spaces, such as Display P3, to take advantage of the advanced features of modern monitors.
- Methods and properties have been added to the VirtualKeyboard API to control whether the virtual keyboard is shown or hidden, and to get information about the size of the displayed virtual keyboard.
- JavaScript makes it possible for classes to use static initialization blocks to group code that is executed once when the class is processed: class C { // The block will be run when the class itself is processed static { console.log("C's static block"); } }
- The flex-basis and flex CSS properties implement the content , min-content , max-content , and fit-content keywords for more flexible control over the size of the main Flexbox area.
- Added the scrollbar-gutter CSS property to control how much screen space is reserved for the scrollbar. For example, when you don't want content to scroll, you can expand the output to take up the scrollbar area.
- The Self Profiling API has been added with the implementation of a profiling system that allows you to measure the execution time of JavaScript on the user side to debug performance problems in JavaScript code without resorting to manual manipulation in the interface for web developers.
- After removing the Flash plugin, it was decided to return empty values ββin the navigator.plugins and navigator.mimeTypes properties, but as it turned out, some applications used them to check for the presence of plugins for displaying PDF files. Since Chrome has a built-in PDF viewer, from now on the navigator.plugins and navigator.mimeTypes properties will return a fixed list of standard PDF viewer plugins and MIME types - "PDF Viewer, Chrome PDF Viewer, Chromium PDF Viewer, Microsoft Edge PDF Viewer and WebKit built-in PDF.
- Improvements have been made to tools for web developers. Added Nest Hub and Nest Hub Max devices to screen simulation list. A button for inverting filters has been added to the network activity inspection interface (for example, when setting the βstatus-code: 404β filter, you can quickly view all other requests), as well as the ability to view the initial values ββof the Set-Cookie headers (allows you to evaluate the presence of incorrect values ββthat are removed during normalization). The web console sidebar has been deprecated and will be removed in a future release. Added an experimental ability to hide issues in the Issues tab. Added the ability to select the interface language in the settings.
In addition to innovations and bug fixes, 19 vulnerabilities have been fixed in the new version. Many of the vulnerabilities were identified as a result of automated testing tools AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL. No critical issues that allow bypassing all browser protection levels and executing code in the system outside the sandbox environment have been identified. As part of the Vulnerability Bounty program for the current release, Google paid out 17 awards worth $56500 (one $15000 award, two $10000 awards, one $7500 award, four $3000 awards, two $1000 awards). The amount of 7 rewards has not yet been determined.
Source: opennet.ru