Chrome Release 98

Google has released the Chrome 98 web browser. A stable release of the free Chromium project, which serves as the basis of Chrome, is available at the same time. Chrome differs from Chromium in its use of Google logos, a system for sending notifications in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update system, and the transmission of RLZ parameters when searching. The next release, Chrome 99, is scheduled for March 1.

Key changes in Chrome 98:

  • The browser now has its own store of certification authority root certificates (Chrome Root Store), which will be used instead of the external stores specific to each operating system. The store is implemented similarly to Firefox's independent root certificate store, which is used as the first link to verify the certificate trust chain when opening websites over HTTPS. The new store is not used by default yet. To ease the transition of configurations tied to system stores and to ensure portability, there will be a transitional period during which the Chrome Root Store will include a full selection of certificates approved on most supported platforms.
  • Work continues on the plan to strengthen protection against attacks in which scripts loaded when a site is opened access resources on the local network or on the user's computer (localhost). Attackers use such requests to carry out CSRF attacks on routers, access points, printers, corporate web interfaces, and other devices and services that accept requests only from the local network.

    To protect against such attacks, when any subresource on the internal network is accessed, the browser will start sending an explicit request for permission to load that subresource. The permission request is made by sending a CORS (Cross-Origin Resource Sharing) request with the header "Access-Control-Request-Private-Network: true" to the main site server before calling the internal network or localhost. To confirm the operation, the server should return the "Access-Control-Allow-Private-Network: true" header in response to this request. In Chrome 98, the check is implemented in test mode: if there is no confirmation, a warning is displayed in the web console, but the subresource request itself is not blocked. Blocking is planned to be enabled no earlier than the release of Chrome 101.

  • Account settings are now integrated with the controls for enabling Enhanced Safe Browsing, an enhanced mode of protection against dangerous sites that activates additional checks to protect against phishing, malicious activity and other threats on the Web. When you activate the mode in your Google account, you will now be prompted to activate it in Chrome as well.
  • Added a client-side phishing detection model, implemented using the TFLite machine learning framework (TensorFlow Lite), that does not require sending data to Google for verification (it sends telemetry with information about the model version and the calculated weights for each category). If a phishing attempt is detected, the user will be shown a warning page before the suspicious site is opened.
  • The Client Hints API, which is being developed as a replacement for the User-Agent header and returns data about specific browser and system parameters (version, platform, etc.) selectively and only after a request by the server, can now substitute fictitious names into the list of browser identifiers, by analogy with the GREASE (Generate Random Extensions And Sustain Extensibility) mechanism used in TLS. For example, in addition to '"Chrome"; v="98"' and '"Chromium"; v="98"', a random identifier of a non-existent browser, '"(Not;Browser"; v="12"', can be added to the list. pretend to be other popular browsers to bypass valid browser checks.
  • Starting January 17, the Chrome Web Store catalog will no longer accept add-ons that use the second version of the Chrome manifest. New add-ons will now only be accepted with the third version of the manifest. Developers of previously added add-ons will still be able to publish updates with the second version of the manifest. Full deprecation of the second version of the manifest is scheduled for January 2023.
  • Added support for color vector fonts in COLRv1 format (a subset of OpenType fonts that contain a layer with color information in addition to vector glyphs), which can be used, for example, to create multi-color emoji. Unlike the previously supported COLRv0 format, COLRv1 can use gradients, overlays, and transforms. The format also provides a compact form of storage and efficient compression, and allows outlines to be reused, which can significantly reduce the font size. For example, the Noto Color Emoji font occupies 9MB in bitmap format, and 1.85MB in COLRv1 vector format.
  • In Origin Trials mode (experimental features that require separate activation), the Region Capture API is implemented, which allows you to crop the captured video. For example, cropping may be needed in web applications that capture video of the contents of their tab to cut out certain content before sending. Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a limited time for a specific site.
  • Added support for "auto" to the "contain-intrinsic-size" CSS property, which will use the element's last remembered size (when used with "content-visibility: auto", the developer does not need to guess the element's rendered size).
  • The AudioContext.outputLatency property has been added, through which you can find out information about the predicted delay before audio is output (the delay between the request for audio and the start of processing the received data by the audio output device).
  • The "only" parameter has been added to the color-scheme CSS property, which makes it possible to determine in which color schemes an element can be displayed correctly ("light", "dark", "day mode" and "night mode"); the new parameter prevents forced color scheme changes for individual HTML elements. For example, if you specify "div { color-scheme: only light }", then only the light theme will be used for the div element, even if the browser forces a dark theme.
  • Added support for 'dynamic-range' and 'video-dynamic-range' media queries to CSS to determine if a screen that supports HDR (High Dynamic Range) is present.
  • Added the ability to choose to open a link in a new tab, new window, or popup window to the window.open() function. Additionally, the window.statusbar.visible property now returns "false" for popups and "true" for tabs and windows.

        const popup = window.open('_blank', '', 'popup=1'); // Open in a popup window
        const tab = window.open('_blank', '', 'popup=0'); // Open in tab

  • For windows and workers, the structuredClone() method is implemented, which allows you to create recursive copies of objects that include the properties of not only the specified object, but also all other objects referenced by the current object.
  • The Web Authentication API adds support for an extension to the FIDO CTAP2 specification that allows you to set the minimum allowed PIN length (minPinLength).
  • For installed stand-alone web applications, the Window Controls Overlay component has been added, which expands the application's screen area to the entire window, including the title area, on which the standard window control buttons (close, minimize, maximize) are superimposed. The web application can control rendering and input processing for the entire window, except for the overlay block with window control buttons.
  • A "signal" property has been added to the WritableStreamDefaultController; it returns an AbortSignal object, with which you can immediately stop write operations to the WritableStream without waiting for them to complete.
  • WebRTC has removed support for the SDES key negotiation mechanism, which was deprecated in 2013 by the IETF due to security concerns.
  • By default, the U2F (Cryptotoken) API is disabled, which was previously deprecated and replaced by the Web Authentication API. The U2F API will be completely removed in Chrome 104.
  • The API Directory has deprecated the installed_browser_version field, instead of which a new pending_browser_version field has been proposed, which differs in that it contains information about the version of the browser, taking into account downloaded but not applied updates (i.e. the version that will be valid after the browser is restarted).
  • Removed options that allowed reverting support for TLS 1.0 and 1.1.
  • Improvements have been made to tools for web developers. Added a tab for evaluating the work of the transition cache (Back-forward cache), which provides an instant transition when using the "Back" and "Forward" buttons. Added the ability to emulate forced-colors media queries. Buttons have been added to the Flexbox editor to support the row-reverse and column-reverse properties. In the "Changes" tab, the display of changes after code formatting is provided, which simplifies the parsing of minified pages.

    The implementation of the code view panel has been updated to the release of the CodeMirror 6 code editor, which significantly improved the performance of working with very large files (WASM, JavaScript), solved problems with random offsets during navigation, and improved recommendations of the autocompletion system when editing code. Added the ability to filter the output by property name or value in the CSS properties panel.
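
The preflight exchange described above for local-network subresources, as an added example (not code from Chrome or from the original article): a server-side decision function plus a model of the warning-only versus blocking behaviour. TRUSTED_ORIGINS, answerPreflight and browserOutcome are hypothetical names, and the origin is a constructed sample.

```javascript
// Added example: how a server can answer the preflight that carries
// "Access-Control-Request-Private-Network: true".
// Assumption: header names arrive lower-cased, as Node.js exposes them.
const TRUSTED_ORIGINS = new Set(['https://admin.example.com']); // constructed allowlist

function answerPreflight(method, headers) {
  // A CORS preflight is an OPTIONS request naming the method it wants to use.
  if (method !== 'OPTIONS' || !headers['access-control-request-method']) {
    return null; // not a preflight; handle as an ordinary request
  }
  const origin = headers['origin'];
  if (!origin || !TRUSTED_ORIGINS.has(origin)) {
    // No Allow-* headers at all: the browser treats the preflight as failed.
    return { status: 403, headers: {} };
  }
  const out = {
    'Access-Control-Allow-Origin': origin, // echo the exact origin, never "*"
    'Access-Control-Allow-Methods': 'GET, POST',
    'Vary': 'Origin',
  };
  // Confirm private-network access only when the browser asked for it.
  if (headers['access-control-request-private-network'] === 'true') {
    out['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers: out };
}

// Models the rollout described in the text: without confirmation the request
// is only warned about in test mode and is blocked once enforcement is on.
function browserOutcome(preflightResponse, enforcing) {
  const confirmed = Boolean(preflightResponse) &&
    preflightResponse.headers['Access-Control-Allow-Private-Network'] === 'true';
  if (confirmed) return 'allowed';
  return enforcing ? 'blocked' : 'warned';
}
```
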
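
The Client Hints brand list with a fictitious entry, described above, as an added example (not code from Chrome or from the original article): a parser that tolerates unknown identifiers next to a brittle check that rejects them. KNOWN_BRANDS, parseBrandList, pickKnownBrand and brittleAccepts are hypothetical names, and SAMPLE is built from the identifiers quoted in the text.

```javascript
// Added example: reading a brand list that may contain a GREASE-style entry.
const KNOWN_BRANDS = ['Google Chrome', 'Chrome', 'Chromium']; // preference order

// Parse '"Brand";v="N", ...' into [{brand, version}]. Brands are quoted
// strings, so characters such as ';' or '(' inside them must not split items.
function parseBrandList(value) {
  const items = [];
  const re = /"((?:[^"\\]|\\.)*)"\s*;\s*v="((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(value)) !== null) {
    items.push({ brand: m[1].replace(/\\(.)/g, '$1'), version: m[2] });
  }
  return items;
}

// Tolerant: skip entries that are not recognised (a fictitious name or a
// browser this code has never heard of) and use the first known brand.
function pickKnownBrand(value) {
  const items = parseBrandList(value);
  for (const name of KNOWN_BRANDS) {
    const hit = items.find((i) => i.brand === name);
    if (hit) return { brand: hit.brand, major: parseInt(hit.version, 10) };
  }
  return null;
}

// Brittle: treats any unrecognised entry as a reason to reject the client,
// which is the kind of handling the fictitious names are meant to expose.
function brittleAccepts(value) {
  return parseBrandList(value).every((i) => KNOWN_BRANDS.includes(i.brand));
}

// Constructed sample using the identifiers quoted in the text above.
const SAMPLE = '"Chrome"; v="98", "Chromium"; v="98", "(Not;Browser"; v="12"';
```

The brand list is supplied by the client, so it is suitable for compatibility decisions only and not as an authentication signal.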

In addition to innovations and bug fixes, 27 vulnerabilities have been fixed in the new version. Many of the vulnerabilities were identified using the automated testing tools AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL. No critical issues that allow bypassing all browser protection levels and executing code in the system outside the sandbox environment have been identified. As part of the vulnerability bounty program for the current release, Google paid out 19 awards worth $88 thousand (two $20000 awards, one $12000 award, two $7500 awards, four $1000 awards, and one each of $7000, $5000, $3000 and $2000).

Source: opennet.ru
