Google has published the release of the Chrome 146 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a system for sending notifications in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update installation system, constant inclusion of Sandbox isolation, supply of keys to the Google API and transmission of RLZ parameters during search. For those who need more time to update, the Extended Stable branch is separately supported, supported for 8 weeks. The next release of Chrome 147 is scheduled for April 7.
Google also announced the release of official Chrome builds for Linux systems based on the ARM64 architecture. Linux builds for ARM64 will begin to be released in the second quarter of 2026 and will be available as deb and rpm packages. Previously, official Chrome builds for Linux were only available for the x86_64 architecture, while third-party Chromium builds offered by distributions were the only available builds for the ARM64 architecture. The official version of Chrome features support for connecting to a Google account, integration with Google services, data synchronization across devices, simplified installation of add-ons from the Chrome Web Store, and the ability to enable enhanced security mode.
Key changes in Chrome 146:
- For some users, a selective permission intervention mechanism is enabled, which blocks JavaScript scripts associated with displaying ads from accessing privacy-sensitive features, such as location information, microphone, clipboard, Bluetooth, USB, serial port, and screen capture. The idea is that if a user grants a page access to such features, these permissions will not apply to third-party scripts hosted on that page, whether loaded from other websites (either through an iframe tag or directly through a script tag).
- The structure of security-related settings has been restructured. To simplify matters, users can now choose between standard and enhanced security levels, allowing them to achieve the desired level of security without having to delve into the details and advanced options. When selecting enhanced mode, URL and content verification is additionally performed. серверах Google displays warnings for unsecured connections and slows down websites that are unusual for the user to block attacks. If desired, the user can revert to the old system of separately configuring each setting. To control the activation of the new security settings, a setting has been introduced: "chrome://flags/#bundled-security-settings."
- We've continued to develop the AI mode, which allows interaction with the AI agent from the address bar or from the page displayed when opening a new tab. AI mode allows you to ask complex questions in natural language and receive answers based on aggregation of information from the most relevant pages on a given topic. If necessary, the user can clarify the information with leading questions. The mode also allows you to ask questions about page content directly from the address bar. Chrome 146 introduces the ability to use files from Google Drive as context for the AI agent.
- The autofill mode now allows you to use additional data types that were previously only available when you enabled the Enhanced autofill mode.
- We have begun gradually enabling protection for users against accessing the local system when interacting with public websites. Access from websites to IP addresses A local network (intranet or internal addresses) or loopback interface (127.0.0.0/8) will require user confirmation. Protection applies to resource download attempts, fetch() requests, and iframe insertions. Protection is not currently applied to connections via WebSockets, WebTransport, and WebRTC, but will be added in a future release.
Attackers use internal resource access to indirectly identify and perform CSRF attacks on routers, access points, printers, corporate web interfaces, and other devices and services that accept requests only from the local network. To control which subnets are classified as internal or public, the LocalNetworkAccessIpAddressSpaceOverrides setting has been introduced, and the LocalNetworkAccessPermissionsPolicyDefaultEnabled setting has been added to automatically allow access for child iframes based on the parent iframe's permissions.
- The "animation-trigger" and "trigger-scope" CSS properties have been added to control animations based on the page scroll position. For example, you can start, stop, or restart an animation when a specific scroll position is reached, using only declarative CSS without requiring JavaScript.
- Custom element registry support has been implemented to separate the scope of custom HTML elements, which may be necessary when using multiple different custom HTML elements with the same name on a single page. If multiple libraries defining an element with the same name are used on a page, the CustomElementRegistry JavaScript object can be used to assign elements from each library to specific parts of the DOM hierarchy. For example, if two libraries define different elements with the same name, , then in one part of the page you can use the element from the first library, and on the other - from the second.
- The Sanitizer API has been added, which can be useful for sanitizing incoming external data and stripping HTML tags that can be used to perform XSS attacks. The API provides methods for manipulating HTML and stripping HTML elements from content that affect display and execution. For safe insertion of HTML content, the element.setHTML() method is similar to element.innerHTML, but protects against cross-site scripting (XSS). For safe HTML parsing, the document.parseHTML() method has been implemented. const unsanitizedString = "abc" alert(1) def»; const sanitizer1 = new Sanitizer({ elements: [«div», «p», «button», «script»], }); const target = document.getElementById(«target»); target.setHTML(unsanitizedString, { sanitizer: sanitizer1 });
- The "meta" element implements a parameter named "text-scale" (for example, ), which includes automatic scaling of the font size on the page in accordance with the browser and operating system settings if the page uses relative units of measurement (rem and em).
- The WebGPU API has added an optional compatibility mode that provides a subset of functions that can run on systems running legacy graphics APIs such as OpenGL and Direct3D11.
- JavaScript now supports combining multiple iterators into one using the Iterator.concat() method.
- The "Origin trials" mode implements the WebNN API, which allows the use of machine learning services provided by the operating system and related hardware capabilities.
- In the "Origin trials" mode, the CPU Performance API is implemented to obtain information about the performance level and characteristics of the processor (number of cores, type, architecture, model, frequency, etc.).
- In Origin trials mode, a "focusgroup" attribute has been added that allows you to use the cursor keys instead of tabbing to move between buttons or other elements related to focus switching.
- Improvements have been made to web developer tools. The web console now preserves command edit results when navigating through the history. The Elements panel now displays CSS styles added programmatically to Shadow DOM via a separate "#adopted-style-sheets" node in the DOM tree, similar to viewing and editing styles defined via the <style> tag. .
In addition to new features and bug fixes, the new version addresses 29 vulnerabilities. Many of the vulnerabilities were identified through automated testing using AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer, and AFL. One of the issues (a buffer overflow in WebML) was assigned a critical severity level, implying that the vulnerability allows for bypassing all layers of browser protection and executing code in the system outside the sandbox environment. As part of the vulnerability bounty program for the current release, Google established 29 rewards and paid out $211,000, which set a record for the largest payout in a single release (two rewards of $43000; one reward each of $36000, $33000, $11000, and $7000; two rewards of $10000 and $3000; and four rewards of $2000 and $1000). The size of the 12 rewards has not yet been determined.
Source: opennet.ru
