Chrome Release 95

Google has released the Chrome 95 web browser. A stable release of the free Chromium project, which serves as the basis of Chrome, is available at the same time. Chrome differs from Chromium in its use of Google logos, a system for sending notifications in the event of a crash, modules for playing protected video content (DRM), an automatic update system, and the transmission of RLZ parameters when searching. In accordance with the new 4-week development cycle, the next release, Chrome 96, is scheduled for November 16th. For those who need more time to update, a separate Extended Stable branch is maintained, supported for 8 weeks, for which an update to the previous release, Chrome 94, has been published.

Key changes in Chrome 95:

  • For Linux, Windows, macOS and ChromeOS users, a new sidebar is offered, shown to the right of the content and activated by clicking on a special icon in the address bar. The panel displays a summary with bookmarks and a reading list. The change is not enabled for all users; you can use the "chrome://flags/#side-panel" setting to activate it.
  • An explicit permission prompt is now shown before addresses entered in web forms are saved for later use by the form autofill system. When addresses are detected in forms, the user is shown a dialog that allows saving the address, editing it, updating a previously saved address, or declining to save.
  • Removed the code supporting the FTP protocol. In Chrome 88, FTP support was disabled by default, but a flag was left to enable it.
  • Dropped support for URLs with hostnames ending in a number that do not match IPv4 addresses. For example, the URLs "http://127.1/", "http://foo.127.1/", and "http://127.0.0.0.1" will now be considered invalid.
  • For WebAssembly, exception handlers can now be created that take over execution when an exception occurs while running certain code. Both exceptions known to the WebAssembly module and exceptions raised while calling imported functions can be caught. To catch exceptions, a WebAssembly module must be built by an exception-aware compiler such as Emscripten.

    It is noted that exception handling at the WebAssembly level can significantly reduce the size of the generated code compared with exception handling by JavaScript. For example, building the Binaryen optimizer with exception handling by JavaScript increases code size by 43%, versus 9% with WebAssembly. In addition, when using the "-O3" optimization mode, code with exception handling by WebAssembly is practically no different in performance from code without exception handlers, while exception handling with JavaScript leads to a 30% slowdown in execution.

  • Sharing WebAssembly modules between different domains (cross-origin) while processing a single site is now prohibited.
  • Several new APIs have been added to the Origin Trials mode (experimental features that require separate activation). Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site.
    • Enabled trimming of information in the User-Agent HTTP header and the JavaScript parameters navigator.userAgent, navigator.appVersion and navigator.platform. The header contains only the browser name, the major version of the browser, the platform and the device type (mobile phone, PC, tablet). For additional data, such as the exact version and extended platform data, you must use the User Agent Client Hints API. User-Agent trimming on regular users' systems is scheduled to begin with the release of Chrome 102, which will be published in half a year.
    • Access handles (Access Handles) are proposed for the File System Access API, which allows web applications to read and write data directly to files and directories on the user's device. To reduce the number of ways web applications access the file system, Google plans to merge the File System Access and Storage Foundation APIs. As a preparatory stage for this merger, support for access handles is proposed, which supplements the methods of work based on file descriptors with advanced features, such as locking a file against writes by other processes and creating separate streams for writing and reading, including support for reading and writing from workers in synchronous mode.
  • The Secure Payment Confirmation API has been stabilized and is offered by default, together with a new 'payment' extension that provides additional confirmation of the payment operation being made. A relying party, such as a bank, can generate a PublicKeyCredential that the merchant can request for additional secure payment confirmation via the Payment Request API using the 'secure-payment-confirmation' payment method.
  • Callbacks set through the PerformanceObserver constructor now receive the droppedEntriesCount property, which shows how many site performance metrics were dropped because they did not fit in the provided buffer.
  • The EyeDropper API has been added, which allows you to call the interface provided by the browser to determine the color of arbitrary pixels on the screen, which can be used, for example, in graphic editors implemented as web applications.

    const eyeDropper = new EyeDropper();
    const result = await eyeDropper.open();
    // result = {sRGBHex: '#160731'}

  • The self.reportError() function has been added to allow scripts to print errors to the console, emulating the occurrence of an uncaught exception.
  • Added the URLPattern API to check if a URL matches a certain pattern, which can be used, for example, to parse links and redirect requests to handlers in a service worker.

    const p = new URLPattern({
      protocol: 'https',
      hostname: 'example.com',
      pathname: '/:folder/*/:fileName.jpg',
    });

  • The Intl.DisplayNames API has been expanded, through which you can get localized names of languages, countries, currencies, date elements, etc. The new version adds the name types "calendar" and "dateTimeField", through which you can find out the localized names of calendars and of date and time fields (for example, the names of the months). Added support for the use of language dialects for the "language" type.
  • Added support for new values of the timeZoneName parameter in the Intl.DateTimeFormat API: "shortGeneric" to display a short time zone identifier (for example, "PT", "ET"), "longGeneric" for a long one ("Pacific Time", "Mountain Time"), "shortOffset" for a short offset relative to GMT ("GMT+5") and "longOffset" for a long offset relative to GMT ("GMT+0500").
  • Deprecated the U2F (Cryptotoken) API, which should be replaced by the Web Authentication API. The U2F API will be disabled by default in the release of Chrome 98 and completely removed in Chrome 104.
  • Improvements have been made to tools for web developers. The Styles panel makes it easier to adjust CSS properties related to size (height, padding, etc.). The Issues tab provides the ability to hide individual issues. Improved display of properties in the web console, Sources and Properties panels (custom properties are now bold and shown at the top of the list).
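
The hostname rule from the list above (a host that ends in a number but does not parse as an IPv4 address makes the URL invalid) can be reproduced outside the browser, which helps when a server-side URL filter has to agree with what the browser accepts. This is an added example, not code from the article or from Chromium; it follows the URL Standard's "ends in a number" check and IPv4 parser, the function names are illustrative, and it assumes a lowercase ASCII host with no IPv6 brackets or percent-encoding.

```javascript
// Added example. Classifies an ASCII host the way the WHATWG URL Standard's
// "ends in a number" check and IPv4 parser do. Function names are illustrative.

// One dot-separated part: decimal, octal (leading 0) or hex (0x). null = failure.
function parseIPv4Number(part) {
  if (part === '') return null;
  let radix = 10, digits = part, valid = /^[0-9]+$/;
  if (/^0x/i.test(part)) {
    radix = 16; digits = part.slice(2); valid = /^[0-9a-f]+$/i;
  } else if (part.length >= 2 && part[0] === '0') {
    radix = 8; digits = part.slice(1); valid = /^[0-7]+$/;
  }
  if (digits === '') return 0; // a bare "0x" prefix parses as 0
  return valid.test(digits) ? parseInt(digits, radix) : null;
}

// Split on dots, ignoring a single trailing dot ("example.com.").
function splitHost(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();
  return parts;
}

// True when the last label is all digits or a valid 0x/octal number.
function endsInANumber(host) {
  const last = splitHost(host).pop();
  return /^[0-9]+$/.test(last) || parseIPv4Number(last) !== null;
}

// Returns the canonical dotted quad, or null when the host is not IPv4.
function parseIPv4(host) {
  const nums = splitHost(host).map(parseIPv4Number);
  if (nums.length > 4 || nums.includes(null)) return null;
  const last = nums.pop();
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  const addr = nums.reduce((acc, n, i) => acc + n * 256 ** (3 - i), last);
  return [24, 16, 8, 0].map((s) => Math.floor(addr / 2 ** s) % 256).join('.');
}

// 'domain': looked up via DNS; 'ipv4': literal address; 'invalid': URL rejected.
function classifyHost(host) {
  if (!endsInANumber(host)) return { kind: 'domain', host };
  const ip = parseIPv4(host);
  return ip === null ? { kind: 'invalid', host } : { kind: 'ipv4', host: ip };
}

// Two hosts from the article, then constructed samples.
const samples = ['foo.127.1', '127.0.0.0.1', 'example.com', '192.168.0.1', '0x7f.1', '1.2.3.256'];
for (const h of samples) console.log(h, '->', JSON.stringify(classifyHost(h)));
```

Comparing the canonical form returned for 'ipv4' hosts, rather than the raw string, keeps allow-list and block-list checks consistent across the different spellings of one address.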

In addition to innovations and bug fixes, 19 vulnerabilities have been fixed in the new version. Many of the vulnerabilities were identified by the automated testing tools AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL. No critical issues that allow bypassing all browser protection levels and executing code in the system outside the sandbox environment have been identified. As part of the vulnerability bounty program for the current release, Google has paid out 16 awards worth $74 thousand (one $20000 award, two $10000 awards, one $7500 award, one $6000 award, three $5000 awards, and one award each of $3000, $2000 and $1000). The amount of 5 rewards has not yet been determined.

Source: opennet.ru
