RSS
Логотип
Баннер в шапке 1
Баннер в шапке 2

Google Chrome

Product
Developers: Google
Last Release Date: 2024/08/26
Branches: Internet services

Content

Main article: Web browser

Usage indicators

2022: Browser's Global Market Share - 67.1%

As of June 2022

2020: Google Chrome Market Share for March 68.5%

On April 2, 2020, it became known that, browser Edge released Microsoft simultaneously with, it took OS Windows 10 second place in the global ranking of desktop observers in terms of the number of users. According to NetMarketShare statistics for March 2020, Edge's total market share browsers was 7.59% (second place) versus 7.37% in February 2020 (third place) and 5.2% in March 2019 (fourth place).

As reported, the leader among all browsers was and remains Google Chrome, which has existed since 2008, and Edge cannot yet catch up with it. As of March 2019, its share was 67.88%, and for the year it increased to 68.5%. Read more here.

2012

May 2012

Google Chrome is recognized as the most popular browser in the world, reports The Verge, citing data from the StatCounter service, which tracks data on visitors to more than 3 million websites from around the world.

This conclusion allowed the publication to make the fact that Chrome for the first time held out in first place in popularity for a whole week - from May 14 to 20, explains The Verge. Prior to that, the honorable first place sometimes belonged to Chrome only on weekends.

According to the latest StatCounter data, Chrome owned 32.76% of the market, while Internet Explorer owned 31.94%. In third place is Firefox with a share of 25.47%. On the fourth - Safari with a share of 7.08%. The top five most popular web browsers are closed by Opera, which owns 1.74%.

It should be added that statistical service data can vary significantly. For example, according to Net Applications, the most popular browser is still Internet Explorer. Moreover, Chrome is only in third place. It is also ahead of Firefox.

The w3schools data is also different, although it also indicates that the most popular browser is Google Chrome, and since March this year. As for the second place, here the opinion coincides with the opinion of Net Applications (Firefox). Finally, Safari's share is significantly less than StatCounter's and closer to Opera's.

6 February 2012

The agency cyber security Germany recently recommended that users Windows 7 use Google's Chrome browser, citing advantages such as automatic updates and the presence of application protection functionality in the so-called sandbox.

Guided by practical security considerations, the German federal agency for the protection of information technology, known by the German abbreviation BSI (Bundesamt fuer Sicherheit in der Informationstechnik), called Chrome the best browser. "Your system's internet browser is a key component for accessing services on the Internet, therefore, it represents the main target for cyber attacks," BSI noted in published recommendations. "If you use Google Chrome in combination with other measures described above, you can significantly reduce the effect of likely attacks."

BSI noted the presence of a sandbox in Chrome as the basis for such recommendations, which isolates the browser from both operating system the computer, the invisible update mechanism, and the Chrome-Flash software bundle Adobe. "This [sandbox] protection technology is most consistently implemented in Chrome..., similar mechanisms in other browsers are currently weak or do not exist," BSI explained.

BSI, unlike similar US agencies, has a tradition of advising users on software, in particular browsers. Two years ago, BSI urged Germans to stop using Internet Explorer (IE) until Microsoft fixes a vulnerability that was allegedly exploited by Chinese hackers to infiltrate networks owned by Google and dozens of other Western companies.

Unlike in the US, where Windows 7 users automatically turn on IE as the default browser, Germans are shown a browser selection menu on screen when they first run Windows. This helps users select the browser they want to install as the default viewer and, if necessary, download and install it.

The procedure for this choice is based on an agreement between Microsoft and the antitrust authorities of the European Union, which was concluded in 2009, two years after Opera Software officially complained about unfair competition from Microsoft. Mindful of this, it is not surprising that Google was delighted with the recommendations. "We are honored to discover in this recommendation the recognition of several security benefits [in Chrome]," Wieland Holfelder, head of technical development at Google in Germany, wrote in the company's official blog.

To read PDF documents, BSI recommended Adobe Reader X, which, like Chrome, was created using sandbox technology to protect users from exploits, and urged citizens to use Windows Automatic Update to support their computers with all operating system security updates and fixes.

Currently, according to StatCounter, Chrome accounts for only 14.3% of all browsers used in Germany. Firefox has 51% of the German market, while IE has 24.8%.

At the same time, Mozilla, accelerating the development of an automatic update mechanism for its browser, will not be able to complete the project until June 2012. Technology like the "sandbox" Chrome will also not be included in the new release of Firefox, but the company is working to delineate the processes of each tab (something similar suggests Chrome) in order to make the browser more resistant to failures.

Today Chrome is a popular browser: according to StatCounter, its share is 28.4%, which puts it in second place after 37.5% IE, but ahead of Firefox with its 24.8%.

2011

On December 1, 2011, the Irish analytics company StatCounter, which collects statistics on visiting billions of web pages, elevated Google Chrome to second place among the most popular web browsers in the world. Prior to that, the second place for a long time belonged to the browser, Mozilla Firefox which now, according to StatCounter, is in third place. The first place still belongs to Internet Explorer , Microsoft which is offered as the default browser operating system Windows[1]

According to StatCounter, in November, the share of Chrome reached 25.70% against 25.23% for Firefox. Internet Explorer took 40.63% of the market.

Chrome continues to confidently gain an audience. A year earlier, the Google web browser, which was created only three years ago, owned only 4.66% of the global market, and in July 2011 it became the second most popular web browser among users in the UK, TechCrunch writes.

StatCounter was the first to announce that Chrome has become more popular than Firefox. Net Applications, which also collects data on website visitors, is in no hurry to release a similar report.

According to Net Applications data for November 2011, Firefox is still in second place with a share of 22.14%, Chrome is in third with a share of 18.18%. Earlier, Net Applications experts reported that they expect a reshuffle no earlier than April 2012, if the dynamics continue.

The growing popularity of Google Chrome is partly due to the short cycles of updating the browser, which allows developers to add new features to it and increase stability as soon as possible. Since launch, Google has been updating the application every 6 weeks, and now the sixteenth version of the browser is in beta testing, the final release of which is scheduled for December 2011.

In addition, Chrome leads in performance. According to a study conducted in early November by ZDNet among the most recent versions of Chrome, Firefox, IE and Opera, Google's browser has shown record results in the most tests among other programs.

2009

According Net Applications to August 2009 statistics Google Chrome , 2.9% of the global web browser market belonged. Internet Explorer Firefox Safari Opera – 66,6%, – 23,3%, – 4,1%, – 2,9%. Thus, Google's web browser ranks fourth.

With the release of the third version, Google announced ambitious plans: to increase Chrome's share of the web browser market to 5% by the second anniversary of the product (September 2010) and to 10% by the end of the third year of existence (September 2011). According to analyst Ray Valdes of Gartner, such a plan is incredibly complex, but feasible: "Google has a huge impact on the Internet, but to achieve such a share, the company will need to do something more than what it is doing now. These, for example, can be various initiatives. " One of these initiatives has already been launched - in the summer of 2009, Sony began preinstalling Chrome on its computers. In addition, Google should be more actively engaged in the development of a browser for Mac OS X and Linux, the analyst said, so far neither for the platform of the final, completed version of the program has been released.

According to Net Applications, in January 2010, Internet Explorer remained the most popular browser, seriously losing ground from 62.1 to 56% in a year . In December, Microsoft controlled 57.1% of the market. Firefox ranks second (22.8 %). A year earlier, this figure was 24.4%. Google Chrome closes the top three, taking the 10% mark for the first time , ending January with 10.7%. A year earlier, 5.2% of users preferred this package. The number of Apple Safari adherents during the past month increased from 5.9 to 6.3%. Opera's share rose from 2.2% to 2.3%, while Opera Mini has slightly lost ground and now occupies 0.9% of the market against about 1.0% in December. All other browsers occupy 1.1% of the market.

According to Net Applicatons, in November 2010 its share in the world reached 9.27%, an increase of one percentage point compared to the previous month, mainly due to the displacement of Internet Explorer. The growth is also due to the rapid distribution of the latest stable version - Chrome 7 - released in mid-October this year. For the month, it reached a share of 5.64%. Chrome, currently released in September 2008, is the third most popular browser in the world, after Internet Explorer and Firefox. In Russia, it is the fourth most popular, behind Opera as well.

According to Net Applications, in January 2011, Google Chrome crossed the 10% mark in the browser market for the first time, ending the month with 10.7% and ranking third among the most popular browsers. The championship in popularity was retained by Internet Explorer with 56%. Firefox is in second place with 22.8%

Google representatives during the Google I/O conference (May 2011) reported that the user base of the Chrome browser has "more than doubled" over the past year. There are now about 160 million Chrome users worldwide, up from 70 million a year earlier. According to employees of the Internet giant, they managed to achieve such an impressive result largely thanks to the launch of Chrome versions for all major operating systems - Linux, Windows and OS X. Over the next months, Google plans to implement a number of large-scale improvements in its browser, including support for voice commands and improved HTML5 rendering.

Chronicle

2024

Yandex Browser bypassed Google Chrome for the first time in terms of market share in Russia

On October 29, 2024, it became known that at the end of September 2024, the share of users visiting sites through the Yandex Browser, Yandex with Alice and Yandex Start applications reached 36.23% and for the first time exceeded Google Chrome in Russia. This was reported by the press service of Yandex. Google's product share was 34.79%, down 1.44 percentage points. Read more here.

Critical Vulnerability Analysis CVE-2024-7965

Experts BI.ZONE conducted a technical analysis of the critical vulnerabilities in JavaScript the V8 movement, which is used browser Google in Chrome. The study found it posed a risk to users - and Androidsmartphones on laptops macOS certain models. BI.Zone announced this on September 17, 2024.

Google announced the exploitation of the CVE-2024-7965 vulnerability on August 26, 2024, a few days after the release of version 128.0.6613.84, where the error was fixed. This vulnerability allows an attacker to seize control of the victim's browser renderer if they go to a site with specially crafted JavaScript code. On the CVSS scale, the vulnerability was rated 8.8 out of 10 points.

Google also noted that the CVE-2024-7965 was used by cybercriminals in conjunction with the CVE-2024-7964 - a vulnerability of the Privacy Sandbox platform in Chrome. In combination, these two vulnerabilities allow an attacker to seize control of the victim's browser and obtain sensitive data: passwords, browser history, saved cookies. Successful exploitation also allows you to install spyware on your device that will track all user actions in the browser.

 All Chromium-based browsers are also vulnerable. In some of them, the error may still not be fixed.

File:Aquote1.png
A detailed analysis of the vulnerability of the CVE-2024-7965 has not been published before. The results of this and similar studies are used by BI.ZONE specialists to provide security analysis services, such as pentest and red team, and help strengthen the security of our customers. This also benefits the cybersecurity community: such materials allow ethical hackers to improve their skills, "said Mikhail Sidoruk, head of the security analysis department.
File:Aquote2.png

The study found that the vulnerability extends to devices with ARM processor architecture: Apple laptops released after November 2020 and Android smartphones of any version. 

Experts have found that the CVE-2024-7965 is associated with incorrect processing of values ​ ​ during optimization during the execution of JavaScript code. The error leads to the ability to write and read outside the legitimate memory area, which, in turn, makes it possible to seize control of code execution. This allows a cybercriminal, in the presence of a common XSS vulnerability on a subdomain of a popular site (for example, my.example.com), to steal a user's session on the main site and all other subdomains (for example, example.com and mail.example.com). The consequences of such attacks range from stealing sensitive data to infecting a device with malware.

To protect your devices, we recommend that you upgrade your browser to the latest version if you do not configure automatic updates.

Chrome 128

On August 26, 2024, it became known that Google had published the release of the Chrome 128 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a notification system in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update installation system, constant activation of Sandbox isolation, delivery of keys to the Google API and transfer of RLZ parameters when searching. For those who need more time to update, the Extended Stable branch is separately supported, accompanied by 8 weeks. The next release of Chrome 129 is scheduled for September 17, 2024.

Chrome 128

As reported, the main changes in Chrome 128 affected the following:

  • It is possible to search in the history of visits, taking into account the content of the pages opened, and not just URL the headings. At this stage, the feature is only available to English-speaking users from. USA The search functionality content is implemented using a Google-based system, for machine learning training and optimization of which the relevant ones can data be sent to Google servers (sending can be disabled in the settings).
  • The JSON parser is used, rewritten from C++ to Rust, and provides higher security by reducing the likelihood of errors when working with memory. It is noted that switching to this parser may lead to the termination of parsing some incorrectly designed content in the JSON format, but at the same time it also solves problems when working with an incorrect JSON, which previously caused an emergency, and now leads to the return of the error code.
  • The page displayed when opening the tab has been added the ability to place a section with data from Google Calendar, which allows you to keep the upcoming meetings and events before your eyes.
  • In Chrome for Android, a section has been added to the tab switching interface, to which inactive tabs that have been open for more than 60 days are automatically transferred. You can close all old tabs at once. By default, this feature is enabled for 1% of users.
  • Chrome for Android has added support for Safety Check, which periodically checks for problems in the browser and informs the user if threats that require attention are identified. In addition, the design of the Safety Check page in the settings (chrome ://settings/safetyCheck) has been changed.
  • In the WebView component in Chrome for Android, it was decided to temporarily disable support for CHIPS (Cookies Having Independent Partitioned State) technology, developed as part of the Privacy Sandbox initiative and allowing you to isolate Cookies in binding to a first-level domain using the "Partitioned" attribute. The reason for the shutdown was problems with accessing partitioned Cookies using the CookieManager API provided by the Android platform.
  • In centrally managed systems, the administrator is given the opportunity to create his own shortcuts for quick search through the address bar (you can create a "@ name" shortcut for searching on a specific site), as well as manage unencrypted passwords in the built-in password manager (for example, you can configure the removal of such passwords remaining after migration to another device using third-party software).
  • The Chrome OS version adds support for the IWA (Isolated Web Apps) self-sufficient web application launch mechanism, which extends PWA (Progressive Web Apps) by using stricter application isolation in case of server compromise. Isolation is achieved by certifying a package with an application with a digital signature that protects against third-party changes to the package, which allows you to distribute the application through third-party channels without maintaining your server.
  • The CSS property position-try-options is renamed to position-try-fallbacks, in accordance with the recommendation of the CSSWG (CSS working group), since the word "options" is misleading and does not reflect the real essence of the property.
  • In the ruby HTML element, which allows you to attach annotation to text, shown at the top, bottom or next to text, for example, to clarify the pronunciation or meaning of characters, it became possible to synchronously arrange line breaks when transferring long base text and annotations that do not fit in one line and were previously transferred separately. A ruby-align CSS property has also been added to control the alignment of the base text and annotation.
  • The Promise.try () method has been added, which allows you to convert the result of any callback call to Promise to optimize error handling when executing functions performed in both asynchronous and synchronous modes.
  • The PointerEvent interface has added the PointerEvent.deviceProperties attribute, with which you can separately identify the different digital feathers used with the graphics tablet (for example, you can assign a different color and pen shape for each device).
  • The specification complies with the implementation of the zoom CSS property, which allows you to reduce or zoom in on individual elements.
  • In the "Origin trials" mode, experimental support for the Digital Credentials API is implemented, which allows sites to request the credentials necessary for identification from mobile wallet applications using the IdentityCredential CredMan system provided in Android.
  • The WebGPU has added experimental support for subgroups that allow you to use the SIMPLE (Single instruction, multiple data) principle to parallelize calculations.
  • An experimental ability to block access to IP 0.0.0.0 has been implemented to prevent attacks on local services.
  • Changes have been made to the tools for web developers. The animation inspection panel has added the ability to capture animation and edit key personnel on the fly. Enhanced performance analysis panel capabilities. For most European countries, the ability to display explanations in the web console about the essence of errors generated using the large AI language model Gemini is included.

Chrome 128

In addition to changes and bug fixes, 38 vulnerabilities have been fixed in this version. Many of the vulnerabilities were identified as a result of automated testing by the AddressSanitiser, MemorySanitiser, Control Flow Integrity, LibFuzzer and AFL tools. 7 problems are assigned a high level of danger. There are no critical problems that allow you to bypass all levels of browser protection and execute code on the system outside the sandbox environment. As part of the program to pay monetary remuneration for discovering vulnerabilities for the current release, Google paid 20 premiums in the amount of 95 thousand US dollars (one premium each of $36,000, $10,000, $5,000 and $2,000, two premiums of $11,000, $7,000 and $500, four premiums of $1,000). The size of 5 rewards for August 2024 is not defined[2].

Google Chrome browser lost passwords to more than 15 million users

Google Chrome experienced a massive crash, as a result of which users browser of the M127 version operating system Windows stopped displaying both old and new passwords versions in the browser manager. This was announced on August 5, 2024 by the press service of a member of the committee on State Duma of the Russian Federation information policy, information technology and communications. Anton Nemkin

Google reported that the change in the system configuration that caused the error affected about 25% of browser users, of which about 2% faced the problem of disrupting the password manager - this is almost 15 million people.

Violation of functionality is not the only error that browser users have recently encountered. Not so long ago, some users of the company stopped requesting verification email when creating new accounts in the workspace. Google Workspace It is reported that this vulnerability allowed to to hackers data compromise the accounts of third-party services, including. Dropbox

File:Aquote1.png
According to statistics from the StatCounter service, in 2023 it accounted for about 45% of users, although most recently it occupied a leading position. Why this happens is understandable. Firstly, Russian solutions have long become competitive, and in some areas they have long overtaken the American browser. For example, Yandex.Browser has long bypassed Chrome in terms of automatic page translation, the introduction of artificial intelligence-based search, and security issues. Let me remind you that, according to Softline Group of Companies, the browser detects phishing pages more efficiently than others. Secondly, the introduction of a norm for the mandatory pre-installation of Russian software on smartphones had a positive effect, - said the deputy.
File:Aquote2.png

File:Aquote1.png
Most of us do store sensitive information in password managers. Including data from accounts of banking organizations and government services. This is very convenient - the information is filled out automatically, while nothing special needs to be remembered. However, the consequence of such comfort can be the compromise of user information. Cybercriminals are constantly "hunting" for service data. For example, as a result of an attack on a popular LastPass manager, about 33 million users faced the risk of compromising information, the deputy said.
File:Aquote2.png

File:Aquote1.png
The best option is to minimize the use of such technologies. First of all, do not save the data of accounts of banking applications, government services, social networks and e-mail. This is the best preventive strategy that will protect against possible leaks, the deputy explained.
File:Aquote2.png

File:Aquote1.png
In addition, you can use the password generator, but only by making sure that the generation service is well-known and reliable. This will reduce the risks of repeating or predicting the password to almost zero, the deputy recommended.
File:Aquote2.png

Google admitted to spying on Chrome users and will now delete billions of their entries

On April 1, 2024 San Francisco , a settlement agreement was sent to a federal court to settle a class action lawsuit related to surveillance in. browser Chrome As part of this process, Google agreed to remove "billions of records" of users.

The proceedings were initiated in 2020. It concerns Incognito mode in the Chrome web browser. The lawsuit claims that Google secretly collected personal data of Chrome users even in private view. This information can be used, for example, for advertising purposes.

Chrome browser surveillance lawsuit settled

In addition to destroying the accumulated information, Google will update its Incognito data collection policy. For five years, users will be given the opportunity to block third-party cookies in private mode. Although the plaintiffs demanded $5 billion in damages, the settlement does not include payment of compensation from Google. Instead, users will be able to claim damages on a case-by-case basis by suing Google in American courts, according to court documents. As of early April 2024, about 50 people had done so.

Lawyers for the plaintiffs called the settlement "ground-breaking" and a "historic move" that aims to provide big tech companies with transparency for users about how they collect and use personal data. Google's consent to remove previously accumulated user information is a significant concession, since this information forms the basis of the company's profitable advertising business.

File:Aquote1.png
The rise of class action lawsuits and privacy-related complaints suggests consumers are getting better at the issue and taking steps to protect their personal data, says Stephanie Liu, senior analyst at Forrester.[3]
File:Aquote2.png

Google will delete billions of data on user actions

The American company Google has agreed to delete the data of more than 130 million US citizens using the Chrome browser amid allegations of illegal surveillance of users. This was announced on April 5, 2024 by the press service of the State Duma deputy RFAnton Nemkin.

The lawsuit alleged that Google collected information about visited sites through Google Analytics, Google Ad Manager and plugins, including smartphone applications, regardless of whether the user followed links to advertisements published by Google. To do this, it was enough just to visit this or that site.

File:Aquote1.png
Google plans to destroy an array of data reflecting the web browsing history of millions of users as part of a settlement of a lawsuit alleging that the company followed people without their knowledge, the Wall Steet Journal said in a statement.
File:Aquote2.png

Officially, the terms of the deal between the defendant and the plaintiffs will not be approved until July 30, when the first hearings will take place. However, it is already known that under the terms of the settlement, Google, in addition to deleting billions of records from data centers, will have to more clearly inform about the degree of confidentiality that is available to the user when using incognito mode. So, in the latest version of the description of the "incognito" mode in the Google Chrome browser, the company has already obviously admitted that even in this mode it remains possible to track user activity.

The agreement also provides for other additional controls designed to limit the company's collection of personal information. At the same time, the plaintiffs will not receive any payments. The situation with Google and the incognito mode once again reminds you that you need to use foreign services extremely carefully - they have repeatedly proved that the privacy and security of users for them is far from the first place, said Anton Nemkin.

File:Aquote1.png
Western IT giants have already been caught spying on users and transferring personal data to US intelligence agencies many times. I want to emphasize once again that violation of the privacy of users' personal data, especially without their knowledge, is unacceptable. Keeping users' personal information private is a major challenge in the digital age. However, Western IT giants are in no hurry to perform it, so for Google, collecting data for later use for its own purposes has already become the norm. For example, according to Bloomberg, the same Google sells data every day, while performing more than 70 billion information transfer operations, the deputy emphasized.
File:Aquote2.png

2023

Google admits to tracking Chrome users in anonymous web browsing mode

At the end of December 2023, Google announced an amicable agreement in the case of tracking Chrome users in anonymous web browsing mode. Although the terms of the agreement were not disclosed, it became clear that the company pleaded guilty.

The lawsuit against Google was filed in 2020 in the US state of California. It covers "millions" of users of the company's services and claims damages of at least $5,000 for each victim for violations of federal wiretap laws and California privacy laws.

Google agreed to settle $5 billion lawsuit over incognito collection of Chrome user data

Google's apps allowed the company to track user activity even when they put Google's Chrome browser into private "incognito" view mode, the plaintiffs said. Thus, the company could receive information about friends, hobbies, favorite dishes, consumer habits and "potentially embarrassing things" that people are looking for on the Internet.

Google tried to dismiss the lawsuit : it claimed that it warned users about data collection - each time it opened incognito mode, a message appeared that the browser did not save user actions, but they would be visible to the sites that they visited. In August 2023 , the court refused the company and decided to consider the claim.

In total, the initiators of the lawsuit demanded compensation from Google in the amount of $5 billion. By the end of December 2023, the terms of the settlement agreement have not been made public. It will be submitted to the court, which will consider the document in February 2024.

In  the years since the lawsuit was filed, Google has announced it will not accurately target ads, saying it will no longer track specific users while browsing the web. The company also planned to abandon the use of third-party cookies, which many websites use  to store user data , in their Chrome browser.[4]

Chrome 120

On December 6, 2023, it became known that Google published the release of the Chrome 120 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a notification system in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update installation system, constant activation of Sandbox isolation, delivery of keys to the Google API and transfer of RLZ parameters when searching. For those who need more time to update, the Extended Stable branch is separately supported, accompanied by 8 weeks. The next release of Chrome 121 is scheduled for January 23, 2024.

Chrome 120

As reported, the main changes in Chrome 120 affected the following:

  • An experiment has begun to disable support for third-party Cookies exposed when accessing sites other than the domain of the current page. Such Cookies are used to track user movements between sites in the code of advertising networks, social network widgets and web analytics systems. In January 2024, third-party Cookies will be disabled for 1% of browser users. The changes are being pushed through the Privacy Sandbox initiative, which aims to strike a compromise between users' need for privacy and the desire of ad networks and sites to track visitor preferences. Instead of tracking cookies, it is proposed to use the following APIs:
    • FedCM (Federated Credential Management), allows you to create combined identity services that ensure privacy and work without third-party Cookies.
    • Private State Tokens, allows you to separate different users without using intersite identifiers and transfer user authentication information between different contexts.
    • Topics (criticism) makes it possible to determine the categories of user interests that can be used to select groups of users with similar interests without identifying individual users using trackers. Cookie Leads are calculated based on user activity browser in and stored on the user's device. Using API Topics, the advertising network can obtain general information about individual interests without having information about a specific user activity.
    • Protected Audience, solving the problems of retargeting and evaluating your own audience (working with users who have already visited the site).
    • Attribution Reporting, allows you to evaluate advertising performance characteristics such as transitions and conversion (purchase on the site after transition).
    • Storage Access API, can be used to ask the user for permission to access the Cookie store if third-party Cookies are blocked by default.

  • In accordance with the requirements of the DMA (Digital Markets Act) adopted in the European Union, some users will be shown a dialogue to select a default search engine, the capabilities of which correspond to the chrome ://settings/search settings. In Chrome 120, the dialog will be shown to 1% of users, and by the time Chrome 122 is published, it has been brought to 100%.
  • The process of ending support for the Theora video codec has begun. At the initial stage, Theora is disabled for 1% of users, but by January 16, 2024 it is planned to be disabled for all users. At the transition stage, the setting "chrome ://flags/# theora-video-codec" is provided to return the codec. As a reason for the termination of Theora support, concerns are mentioned that the Theora implementation, which has a rather complex logic for parsing binary data and decoding streams, may have vulnerabilities similar to recent critical problems with the VP8 encoder.
  • Chrome Web Store catalog design has been redesigned to optimize search and add-on management. Added add-on categories (for example, added a category with machine learning-based add-ons and the section "revision selection"). The ability to return the previous design has been added to the ⋮ menu.
  • The functionality of the "Safety check" interface has been expanded, showing a summary of possible security problems, such as the use of compromised passwords, the state of checking malicious sites (Safe Browsing), the presence of unidentified updates and the detection of malicious add-ons. This version offers a proactive mode that periodically performs security-related browser checks and informs the user in case of problems. Parameters have been added to the settings to manage actions in proactive mode.
  • An adaptive toolbar is implemented, which varies depending on the change in window size.
  • Password Manager allows sharing of individual passwords for members of the Google Family Group configured through Google Account. At one time, you can only grant access to one password, after which the shared password cannot be updated or revoked by the sender.
  • Interaction with printers has been transferred to a separate service process, which made it possible to optimize the stability of the browser and the responsiveness of the page preview interface before printing.
  • TLS includes an implementation of the Key Encapsulation Mechanism (KEM), which uses a hybrid X25519Kyber768 algorithm that is resistant to selection on quantum computers. To create session keys used to encrypt data inside TLS connections, a combination of a X25519 key exchange mechanism based on elliptic curves and now used in TLS can now be used with a Kyber-768 algorithm using cryptography methods based on solving problems of lattice theory, the solution time of which does not differ on ordinary and quantum computers.
  • The Permission Suggestions Service provides accounting for the URL of the page requesting authority (hashes from those requesting URL authority will be transmitted to Google servers).
  • The Android version has discontinued support for the Android 7.0 "Nougat" platform.
  • A framework has been added with the implementation of the concept of Close requests, allowing the user to request the closure of modal and pop-up dialogs by pressing the Esc key or using the on-screen gesture or the Back button on smartphones. Support for Close queries has been added for dialogs created using the popover element<dialog> or property. Also added is the CloseWatcher API, which allows application developers to track Close requests and respond to their arrival (for example, you can create a button-back handler on an Android smartphone).
  • Added <details>support for the "name" attribute to the element, <details>which allows groups to be created through a <details>single name element series definition<details>.
  • An "enterpictureinpicture" event has been added to the Media Session API to allow the site to register a handler called when opening content in picture-in-picture mode.
  • The syntax of nested CSS blocks is optimized - nested CSS rules can now start with any element, without the need to specify an ampersand character before the nested rule or use the is () function.
  • The CSS property "background-clip" has added support for the "text" parameter to display the selected background only in the area limited by text characters. For example, specifying "background: linear-gradient (60deg, red, yellow, red, yellow, red); background-clip: text; color: rgba (0, 0, 0, 0.2) "will lead to the display:
  • A "scripting" media query has been added to CSS, which can be used to determine whether scripts, such as JavaScript, can be executed on the current page.
  • A pseudo-class ": dir ()" has been added to CSS, allowing you to select elements depending on the directivity of the text (for example, ": dir (ltr)" will cover elements in which the text is output from left to right).
  • The exponential functions pow (), sqrt (), hypot (), log (), and exp () have been added to CSS.
  • CSS added support for mask, mask-image, mask-repeat, mask-position, mask-clip, mask-origin, mask-size, mask-composite, and mask-mode properties to hide an element by blending an image at specific points.
  • The check () method has been added to the FontFaceSet API, which allows you to check whether text can be displayed with selected fonts without using fonts in FontFaceSet that have not yet been loaded.
  • The WebGPU API has added the ability to use f16 16-bit floating-point shaders.
  • The Media Capabilities API has added hdrMetadataType, colorGamut, and transferFunction fields to the decodingInfo () method to determine HDR support.
  • The MediaStreamTrack API has added the ability to obtain information about the counters of received and discarded video personnel.
  • Added the ability to transfer an ArrayBuffer object to the constructors VideoFrame, AudioData, EncodedVideoChunk, EncodedAudioChunk and ImageDecoder for direct use of a byte array without creating a copy of it.
  • In accordance with the changed specification, support for the "data:" URL, which was not previously supported in the WebKit engine, was discontinued to optimize protection against XSS attacks and portability between browsers in SVGUseElement.
  • Added experimental (origin trial) support for the HTTP header "Priority," through which you can transfer information about the priority of processing the request (RFC 9218) at the stage of the first access to the resource.
  • Changes have been made to the tools for web developers. In the debugger, by default, ignoring scripts located in the "/node_modules/" and "/bower_components/" directories with Node.js modules is enabled. In remote debugging mode, a switch is implemented to choose between the mouse and the touch screen. Tween debugging is optimized. The "media" switch has been added to the Elements panel to debug the and elements<audio>. <video>By default, warnings about the use of third-party cookies are enabled. The Privacy Sandbox Analysis utility has added an analysis of Cookies used on the site and the output of recommendations for using other APIs instead of Cookies.

In addition to changes and bug fixes, 10 vulnerabilities have been fixed in this version. Many of the vulnerabilities were identified as a result of the automated testings tools AddressSanitiser, MemorySanitiser, Control Flow Integrity, LibFuzzer and AFL. There are no critical problems that allow you to bypass all levels of browser protection and execute code on the system outside the sandbox environment. As part of the program to pay monetary rewards for discovering vulnerabilities for the current release, Google has paid 13 bonuses worth 15 thousand (US dollars one premium of $10,000, one premium of $2,000 and three bonuses of $1,000)[5]

Chrome 116

On August 16, 2023, it became known that Google introduced the release of the Chrome 116 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a notification system in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update installation system, constant activation of Sandbox isolation, delivery of keys to the Google API and transfer of RLZ parameters when searching. For those who need more time to update, the Extended Stable branch is separately supported, accompanied by 8 weeks. The next release of Chrome 117 is scheduled for September 12, 2023.

Chrome 116

According to the company, the main changes to Chrome 116 include the following:

  • The cycle of forming intermediate updates with the elimination of vulnerabilities has been reduced. If earlier, within the framework of the 4-week cycle of forming a significant release, corrective updates were released two weeks after the next release, then starting with Chrome 116, such updates will be formed every week if there are vulnerabilities. In a situation where critical or already exploited vulnerabilities are eliminated, as before, the update will be released out of schedule.
  • The Android version has changed the interface for transferring links and excerpts of text to third-party applications (Share). On devices with Android 14, instead of its own implementation of the interface for sending data to Chrome, the standard interface of the Android platform will be called, which lacks such features as sending information cards and taking a screenshot. On devices with older Android releases, the old interface will continue to be used by default, and you can call the system interface in the "More" section.
  • In Chrome for Android, when you click on the address bar, the output of contextual search recommendations related to the page already open at the moment is implemented. When you go to the address bar, the tab provides the display of search queries that are gaining popularity (trending). The Touch to Search function, which allows you to form a search query based on the selected word, implements the display of popular queries with this word. The number of contextual recommendations shown in the search has been increased from 6 to 10.
  • Chrome for Android optimizes scrolling performance and provides a smoother scrolling content shift.
  • A contextual sidebar is enabled to refine information about the content of the page you are currently viewing, for example, you can send searches, view answers to questions related to the current page, and get more detailed information about the site.
  • The interface for managing downloads has been upgraded. The download list widget appears to the right of the address bar, not at the bottom of the screen. The loading process is clearly highlighted using an animation in the panel, and after the download is completed for a while, a hint about the operation performed is displayed. The download management widget shows the list of downloads in the last 24 hours by default. You can pause and resume downloads. You can get more detailed information about all downloads on the "chrome ://downloads" page, and you can configure the widget behavior and the default directory for saving files on the "chrome ://settings/downloads" page.
  • Chrome 116 users have the opportunity to participate in testing AI a search assistant that allows them to ask clarifying questions and highlight the summary of articles.
  • An implementation of the Key Encapsulation Mechanism (KEM) has been added, using a hybrid X25519Kyber768 algorithm that is resistant to selection on quantum computers. To create session keys used to encrypt data inside TLS connections, a combination of a X25519 key exchange mechanism based on elliptic curves and now used in TLS can now be used with a Kyber-768 algorithm using cryptography methods based on solving problems of lattice theory, the solution time of which does not differ on ordinary and quantum computers.
  • Expanded information about the memory that was released in the "Memory Saver" mode, which makes it possible to reduce the consumption of RAM by freeing up memory occupied by inactive tabs. Replaced tabs are now marked with a special indicator. A hint has been added with information about the use of memory by active and inactive tabs. Optimize the interface to add exceptions that prohibit the displacement of tabs with specific sites from memory (in the settings, you can now choose which of the current tabs cannot be replaced, and in the context menu of an already preempted tab, you can prohibit the application of memory optimization for this site in the future).
  • When the Safe browser Browsing mode is enabled servers , telemetry with data on user interaction with the browser is transmitted to Google. The collection data is carried out in order to analyze the actions taken by the user on phishing the sites, and to study how the user responds to the output of phishing warnings.
  • For pages whose caching ban is set to the HTTP"Cache-Control: no-store" heading, the transition cache (BFCache - Back-forward cache) is used by default, which provides navigation when using the "Back" and "Forward" buttons or when navigating through previously viewed pages of the current site. The only exceptions are pages that have sensitive data, such as data fields. authentications NotRestoredReason is offered to determine why a page does not fall into the navigation cache API.
  • For centrally managed systems, the administrator is given the option to set the action after the specified inactivity period has expired. For example, when the user does not interact with the browser for a long time, you can automatically close the browser, clear the Cookie, or go to the profile selection interface.
  • On systems with fresh updates to Windows 11 (starting with Windows Insider Dev Build 23486), the webauthn.dll system library is used to support Passkey technology instead of the interface implementation built into the browser. Passkey allows the user to authenticate without passwords using biometric identifiers such as fingerprint or face recognition.
  • The VaapiVideoDecodeAccelerator engine, used to optimize video decoding using the VA-API (Video Acceleration API), has been replaced by an updated implementation of VaapiVideoDecoder, which works correctly only on systems with Intel GPU.
  • The CSS functions circle (), ellipse (), rect (), inset (), xywh (), polygon (), ray (), and url () implement the ability to specify a motion path, which allows the developer to explicitly set the motion path of an object when creating an animation, relative to its starting position. In addition to animating an object along a specific trajectory, updated capabilities can be used, for example, for positioning using polar coordinates.
  • CSS animation tools based on key personnel support the automatic setting of "display: none" or "content-visibility: hidden" values ​ ​ to animated elements after the exit animation ends. Display and content-visibility properties can also be used in rules that determine the state of key personnel, for example, as final states after the effect of smooth disappearance of elements is applied.
  • The AbortSignal.any () method has been added, which returns a signal that is interrupted if any original signal is interrupted, which can be used in fetch () to combine several interrupt signals, for example, AbortSignal.timeout () and AbortController.
  • The Fetch API for Response.body adds support for efficient direct transmission of binary data from ArrayBuffer, bypassing internal queues (BYOB mode).
  • The Document Picture-in-Picture API has been added to open arbitrary HTML content in picture-in-picture mode, not just video. Unlike opening a window by calling window.open (), windows created through the API are always displayed on top of other windows, do not remain after closing the original window, do not support navigation and cannot explicitly determine the position of the output.
  • For browser add-ons, the chrome.sidePanel.open API has been added to programmatically open the sidebar. Service Workers supports the WebSocket API. TabCapture API implements the ability to record sound and video in the background. Added runtime.getContexts () API for context information associated with the current attachment.
  • Changes have been made to the tools for web developers. Optimized detection and debugging of problems related to the inability to load CSS files. For example, "Sources > Page" now shows only successfully applied styles, and in the web console and in the style editor ("Sources > Editor") added indicators and prompts with information about errors in loading styles through @ import, url () and href.

Chrome 116

In addition to changes and bug fixes, the updated version has fixed 26 vulnerabilities. Many of the vulnerabilities were identified as a result of automated testing by the AddressSanitiser, MemorySanitiser, Control Flow Integrity, LibFuzzer and AFL tools. There are no critical problems that allow you to bypass all levels of browser protection and execute code on the system outside the sandbox environment. As part of the program to pay monetary rewards for discovering vulnerabilities for the current release, Google paid 21 bonuses worth 63 thousand US dollars (one premium of $30,000, two bonuses of $5,000, three bonuses of $3,000, four bonuses of $2,000, five premiums of $1,000 and two premiums of $500). The size of the 4 rewards has not yet been determined[6]

Chrome 115

On July 20, 2023, Google unveiled the release of the Chrome 115 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a notification system in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update installation system, constant activation of Sandbox isolation, delivery of keys to the Google API and transfer of RLZ parameters when searching. For those who need more time to update, the Extended Stable branch is separately supported, accompanied by 8 weeks. The next release of Chrome 116 is scheduled for August 15, 2023.

Chrome 115

As reported, the main changes in Chrome 115 affected the following:

  • Enhanced sidebar capabilities that are enabled for some users and will be activated for a wider audience in the next release.
  • The sidebar mode is implemented, which allows you to clarify information about the content with the page being viewed at the moment, for example, you can send search queries, view answers to questions related to the current page and receive more detailed information about the site (enabled through chrome ://flags/# side-search).
  • Added the ability to display in the sidebar the search results for text selected on the main page and sent to the search engine by clicking "Find in Google" in the context menu (chrome ://flags/# search-web-in-side-panel).
  • Added support for adding site notes. (chrome://flags/#user-notes-side-panel).
  • It became possible to display page content in reading mode in the sidebar, in which only significant page text is displayed, and all related controls, banners, menus, navigation panels and other non-content-related parts of the page are hidden (chrome ://flags/# read-anything). To quickly activate the mode, the "Open in Read Mode" link has been added to the context menu displayed for the selected text.
  • For a small proportion of users (about 1%) whose system uses DNS server 9.9.9.9 (Quad9) or Cox provider DNS servers to resolve names, DNS traffic encryption is enabled by default using DoH (DNS over HTTPS).
  • For some users, HTTPS-First mode is enabled, which automatically redirects HTTP requests to HTTPS. If the site is not available via HTTPS, the site is rolled back to HTTP. On the chrome ://settings/content/page in the Insecure Content section, you can disable this behavior or configure the exception list. To force the splash, the "chrome ://flags# https-upgrades" parameter was added. Automatic forwarding can lead to problems on sites where the content given over HTTP and HTTPS differs, for example, when enabled, but HTTPS is not configured on the server. In order to maintain compatibility with such sites, but protect the system from attacks that roll back HTTPS to HTTP, HTTPS-First mode will automatically turn on only if past HTTPS calls are recorded in the history of visits for the current site.
  • For some users, support for the ECH (Encrypted Client Hello) mechanism is enabled, which continues to develop ESNI (Encrypted Server Name Indication) and is used for enciphering information TLS session parameters, such as the requested domain name. The key difference between ECH and ESNI is that in ECH, instead of encryption at the level of individual fields, the entire ClientHello TLS message is encrypted, which allows blocking leaks through fields that ESNI does not cover, for example, the PSK (Pre-Shared Key) field. ECH also uses the HTTPSSVC DNS record instead of a TXT record to transmit information about the public key and uses enciphering the Hybrid Public Key Encryption (HPKE) authenticated end-to-end to obtain and encrypt the key. To control the activation of ECH, you can use the "chrome ://flags# encrypted-client-hello" parameter. On platforms Windows and for Linux ECH to work, the "Secure DNS" configuration must be active.
  • The dialog requesting permission for the site to access the user's location data, camera or microphone has been added the ability to open access only once for the current session, without remembering the selected option. To control the display of the option, the parameter "chrome ://flags# one-time-permission" is provided.
  • For centrally managed configurations, the ExtensionUnpublishedAvailability setting has been added to block the operation of add-ons removed from the Chrome Web Store directory.
  • TLS has discontinued support for negotiation of connections with servers using digital signatures based on SHA1 hashes. Support for SHA1 in server certificates was discontinued in 2017, SHA1-based client certificates continue to be supported.
  • Users continued to switch to the Maglev JIT compiler, which aims to quickly generate high-performance machine code for actively used JavaScript code. The inclusion of Maglev allows you to optimize the passage of the Jetstream performance test by 7.5%, and the Speedometer test by 5%.
  • It is provided to show information how much memory was released when the tab was supplanted in Memory Saver mode. Memory Saver mode makes it possible to significantly reduce RAM consumption by freeing up memory occupied by inactive tabs, which allows you to provide the necessary resources for processing currently viewed sites in situations where other memory-intensive applications are running in parallel on the system. When you switch to inactive tabs that have been preempted from memory, their contents are loaded automatically. The mode is enabled in the "Performance/Memory Saving" settings. Additionally testing , a heuristic mode for displacing tabs ("chrome ://flags/# heuristic-memory-saver-mode") is carried out, taking into account different factors to select the tab to be supplanted.
  • Extended support for Scroll-driven content Animation, which, for example, allows you to create indicators to visualize a position on a page or add effects that change content when visible during scrolling. For use, two ScrollTimeline modes are available for snapping to the scroll position relative to the coordinate axis and ViewTimeline for snapping to the relative offset of the display of individual content items in the scroll area. By default, when you attach an animation to an item, the DocumentTimeline continues to be used, using a timer that begins to increase after the page is loaded.
  • As part of the Privacy Sandbox initiative, support for the HTML element "fencedframe" has been implemented. This element resembles "iframe" and also allows you to embed third-party content on a page. Differences boil down to limiting the interaction of embedded content with page content at the DOM and attribute level. For example, the news.example page, which uses fencedframe to build an ad block downloaded from shoes.example, cannot access shoes.example data, and in turn code from shoes.example cannot get data related to news.example.
  • Added API Topics to define a category of user interests that can be used to highlight groups of users with similar interests without identifications individual users using tracers. Cookie Leads are calculated based on user activity browser in and stored on the user's device. Using API Topics, the network advertizing can obtain general information about individual interests without having information about a specific user activity.
  • The maximum size of the WebAssembly module, which can be compiled by the WebAssembly.Module () constructor in the main stream in synchronous mode (can block the stream), has been increased to 8 MB. If the module size exceeds 8 MB in the main thread, the constructor can only compile in asynchronous mode using the WebAssembly.compile () method or in synchronous mode in a separate worker. Previously, a 4 KB limit was used, which has been changed taking into account the recent optimization of WebAssembly runtime and assessment of compilation performance on the Google Pixel 1 smartphone.
  • The WebGPU added experimental support for Direct3D 11 (--use-webgpu-adapter=d3d11), implemented the wgslLanguageFeatures API to obtain a list of WGSL extensions supported in the GPU, added the ability to reset the vertex buffer by specifying null when calling setVertexBuffer ().
  • Multiple keywords are allowed in the CSS property "display." For example, you can specify "display: inline flex;," which will be equivalent to the previously available predefined summary keyword "inline-flex."
  • Added the ability to specify only the name of the property in CSS queries style (), without detailing the value, which will cover all values ​ ​ that differ from the original ones. For example, you can now specify "style (--my-property)" instead of "style (--my-property: initial)."
  • In the "origin trial" mode, support for the Compute Pressure API has been added, which allows you to obtain information about the current state of the hardware, for example, in general terms, you can get information about the CPU load being created (specify levels: minimum load with power saving enabled; allowable load, which allows you to run additional tasks without any problems; high load, but in maximum permissible values ​ ​ and does not interfere with the operation of the system; critical load close to resource depletion).
  • In the "origin trial" mode, tooltip comments have been added, allowing you to attach information to the functions that they must be disassembled and compiled in the first place.
  • Changes have been made to the tools for web developers. Added experimental support for inspection of nested CSS grid (subgrid). A prompt with the values ​ ​ of its own CSS properties is displayed. The syntax of CSS files in SASS, SCSS and LESS formats is highlighted. Added the combination "Ctrl + click on the line number in the code editor" to quickly set conditional breakpoints.

In addition to changes and bug fixes, the updated version has fixed 20. vulnerabilities Many of the vulnerabilities were identified as a result of automated testing by the AddressSanitiser, MemorySanitiser, Control Flow Integrity, LibFuzzer and AFL tools. There are no critical problems that allow you to bypass all levels of browser protection and execute code on the system outside the sandbox environment. As part of the program to pay cash rewards for discovering vulnerabilities for the current release, Google has paid 11 premiums worth 34 thousand (US dollars two $7,000 premiums, two $5,000 premiums, four $2,000 premiums and two $1,000 premiums[7]

Chrome 111

On March 8, 2023, it became known that Google presented the release of the Chrome 111 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a notification system in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update installation system, constant activation of Sandbox isolation, delivery of keys to the Google API and transfer of RLZ parameters when searching. For those who need more time to update, the Extended Stable branch is separately supported, accompanied by 8 weeks. The next release of Chrome 112 is scheduled for April 4, 2023.

Chrome 111

As reported, the main changes in Chrome 111 affected the following:

  • Updated the interface elements associated with the Privacy Sandbox initiative to allow you to define categories of user interests and use them instead of tracking Cookies to highlight groups of users with similar interests without identifying individual users. The updated version adds a dialog telling users about the possibilities of Privacy Sandbox and redirecting to a page with settings on which you can configure the information transmitted to advertising networks.
  • An updated dialogue with information on enabling synchronization between browsers of settings, history, bookmarks, auto-completion database and other data is proposed.
  • On platforms, name Linux Android determination operations DNS are removed from a separate network process into a non-isolated browser process, since when working with a system resolver, some sandbox restrictions applied to other network services cannot be implemented (because of this, it was necessary to disable sandbox isolation of the process with network services in Linux and Android).
  • Added support for automatic user login to Microsoft Identity Services (Azure AD SSO) using account information from Microsoft Windows.
  • The Chrome update mechanism in Windows and macOS provides update processing for the latest 12 versions of the browser.
  • To use the Payment Handler API, which optimizes integration with existing payment systems, you now need to explicitly determine the source of the downloaded data by specifying the connect-src (Content-Security-Policy) domains to which requests are sent in the CSP parameter.
  • Removed the PPB_VideoDecoder (Dev) API, which lost its relevance after the end of support for Adobe Flash.
  • The View Transitions API has been added to optimize the creation of transient animation effects between different DOM states (for example, smooth transition from one image to another).
  • The CSS query "@ container" has added support for the style () function to apply styles based on the calculated values ​ ​ of the user properties of the parent element.
  • added the CSS trigonometric functions sin (), cos (), tan (), asin (), acos (), atan (), and atan2 ().
  • An experimental (origin trial) API Document Picture in Picture has been added to open arbitrary HTML content in picture-in-picture mode, not just video. Unlike opening a window by calling window.open (), windows created through the updated API are always displayed on top of other windows, do not remain after closing the original window, do not support navigation and cannot explicitly determine the position of the output.
  • You can increase or decrease the size of ArrayBuffer, as well as increase the size of SharedArrayBuffer.
  • WebRTC provides support for SVC (Scalable Video Coding) extensions to adapt the video stream to client bandwidth and transmit several video streams of different quality in one stream.
  • The Media Session API adds the actions "previousslide" and "nextslide" to organize navigation between the past and the next slides.
  • The syntax of the pseudo-classes ": nth-child (an + b)" and ": nth-last-child ()" has been added, allowing a selector to be obtained to pre-filter children before executing the main logic of the selection "An + B" with them.
  • CSS has added the root element font size units rex, rch, ric, and rlh.
  • Full support for CSS Color Level 4 specification is implemented, including support for seven color palettes (sRGB, RGB 98, Display p3, Rec2020, ProPhoto, CIE and HVS) and 12 color spaces (sRGB Linear, LCH, okLCH, LAB, okLAB, Display p3, Rec2020, a98 RGB, ProPhoto, XD50 YZ R65 You can use your own color spaces for animation and gradients.
  • CSS has added a color () function that can be used to define a color in any color space in which colors are set using R, G, and B channels.
  • The color-mix () function, defined in the CSS Color 5 specification, has been added and allows you to mix colors in any color spaces based on the specified percentage (for example, to add 10% blue to white, you can specify "color-mix (in srgb, blue 10%, white);").
  • Changes have been made to the tools for web developers. The Styles panel adds support for the CSS Color Level 4 specification and its optional color spaces and palettes. The color detection tool for arbitrary pixels ("eyedropper") adds support for additional color spaces and the ability to convert between different color formats. The debugger JavaScript has redesigned the breakpoint control panel.

In addition to changes and bug fixes, 40 vulnerabilities have been fixed in this version. Many of the vulnerabilities were identified as a result of automated testing by the AddressSanitiser, MemorySanitiser, Control Flow Integrity, LibFuzzer and AFL tools. There are no critical problems that allow you to bypass all levels of browser protection and execute code on the system outside the sandbox environment. As part of the program to pay monetary remuneration for detecting vulnerabilities for the current release, Google paid 24 bonuses in the amount of 92 thousand US dollars (one bonus of $15,000 and $4,000, two bonuses of $10,000 and $700, three bonuses of $5,000, $2000 and $1,000, five premiums of $3,000)[8].

Chrome 110

On February 9, 2023, it became known that Google presented the release of the Chrome 110 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a notification system in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update installation system, constant activation of Sandbox isolation, delivery of keys to the Google API and transfer of RLZ parameters when searching. For those who need more time to update, the Extended Stable branch is separately supported, accompanied by 8 weeks. The next release of Chrome 111 is scheduled for March 7, 2023.

Chrome 110

As reported, the main changes in Chrome 110 affected the following:

  • An optional option is implemented biometric authentications before each automatic filling of fields with. passwords
  • For separate web applications, the default page is implemented, which is shown in case of problems with access to the network, if the developers of the web application have not provided for the ability to work offline.
  • The implementation of the headless mode has been updated, which allows you to run the browser on systems without a monitor and graphics subsystem, for example, on servers. The mode allows you to automatically perform works that require a full-fledged web browser, for example, you can automate system configuration through web interfaces, extract web pages and create your own web content rendering services. The updated implementation is close to the standard mode of operation of Chrome and supports such advanced features as accounting for corporate policies.
  • When you enable the enhanced browser protection (Safe Browsing > Enhanced protection), you collect telemetry about Cookies requested by the add-ons in order to detect malicious activity in the add-ons on the Google side and inappropriate access to identifiers transmitted through Cookies. In addition, the updated version on the Android platform provides whitelisting synchronization for the Enhanced Safe Browsing and Make Browsing Better modes using the standard update delivery component.
  • The process of changing the password in the event of a compromise of the user base on the current site has been optimized. The password verification tool has expanded the database of links to password change forms of various sites (now you can immediately switch to changing the password from the site compromise notification).
  • The sixth stage of information truncation in the HTTP header of the User-Agent and JavaScript parameters navigator.userAgent, navigator.appVersion and navigator.platform is activated, implemented in order to reduce information that can be used for passive user identification. Chrome 110 abbreviated the information displayed in the User-Agent line about the Android platform (for example, it was "Android 9; SM-A205U, "will become" Android 9; S").
  • The page "chrome ://settings/language" offers advanced translation settings that allow you to select the current target language, languages ​ ​ for which you do not need to translate and languages ​ ​ for which you should always translate.
  • The pseudo-class CSS ": picture-in-picture" is proposed, with which you can change the design of the interface elements for watching video in picture-in-picture mode.
  • The manifest of separate web applications implements support for the launch_handler block, with which you can control the behavior when launching a web application, for example, opening in a separate or existing window.
  • The iframe element has been added the attribute "credentialless," which allows you to organize embedding through the iframe of third-party content, which will be processed in an environment isolated from the main site with empty Cookies and separate repositories such as LocalStorage and CacheStorage. The attribute in iframe allows you to do without posting a COEP (Cross-Origin Embedder Policy) header on the site.
  • Added an initial-letter CSS property to set the size and offset to adjacent initial letter lines in paragraphs.
  • The remove () method has been added to the FileSystemHandle API to delete files by the file descriptor associated with the file selected by the user in the showSaveFilePicker dialog (this is not about deleting arbitrary files, but about the situation when the user chose the file name in the save dialog, the web application saved the file, but then it was necessary to delete this saved file).
  • The AudioContext.setSinkId () method has been added, through which you can select a device to output sound, for example, when the user needs to redirect sound to a connected external device.
  • When processing URL by analogy Firefox Safari with and, the approved mode for processing internationalized names in URL (IDNA 2008) is used, which differs from the transient time mode in that in transient mode the character is ß reflected in ss, ς in σ, and empty delimiters ZWJ and ZWNJ are deleted. The use of different modes, for example, led to the fact that when accessing to the domain faß.de in Firefox and Chrome, different sites were opened.
  • Support for//has been discontinued, and operating systems Windows 788.1 support for releases Windows Server 2012 and 2012 R2 has been partially discontinued, for which it is possible to form updates to eliminate critical vulnerabilities by October 10, 2023.
  • In order to protect against MITM attacks, processing WebAuthn requests on sites with problems with TLS certificates is prohibited.
  • The ability to use the WebSQL API is completely blocked, regardless of the context (previously, the use of WebSQL was prohibited only in scripts loaded not from the current site). Instead of WebSQL, we recommend using the Web Storage and Indexed Database APIs. The WebSQL handler is based on SQLite library code. WebSQL support was discontinued because this API was not supported in other browsers, bound to the external library API and increased the risk of security problems (WebSQL could be used by cybercriminals to exploit vulnerabilities in SQLite).
  • The window.webkitStorageInfo quota management API was removed, which was considered outdated since 2013 and was replaced by the standardized StorageManager API.
  • Changes have been made to the tools for web developers. The content of the Performance panel is cleared when you click on the page reload button. Recorder implements the highlighting of the code associated with the current execution stage, provides the ability to edit the content without interrupting the recording and adds the ability to record only certain types of selectors. The web console has expanded the capabilities of auto-completion of input. In the Sources panel, by default, the pretty print mode of minified JavaScript code is enabled and the highlighting of Vue, JSX, Dart, LESS, SCSS, SASS and inline CSS structures is optimized.

In addition to changes and bug fixes, the version has fixed 15 vulnerabilities. Many of the vulnerabilities were identified as a result of automated testing by the AddressSanitiser, MemorySanitiser, Control Flow Integrity, LibFuzzer and AFL tools. There are no critical problems that allow you to bypass all levels of browser protection and execute code on the system outside the sandbox environment. As part of the program to pay monetary remuneration for discovering vulnerabilities for the current release, Google paid 10 premiums in the amount of 26.5 thousand US dollars (one premium each of $7,000, $4,000 and $1,500, two premiums of $3,000 and $1,000, three premiums of $2,000).

Chrome 109

On January 11, 2023, it became known that Google introduced the release of the Chrome 109 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a notification system in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update installation system, constant activation of Sandbox isolation, delivery of keys to the Google API and transfer of RLZ parameters when searching. For those who need more time to update, the Extended Stable branch is separately supported, accompanied by 8 weeks. The next release of Chrome 110 is scheduled for February 7, 2023.

Chrome 109

As reported, the main changes in Chrome 109 affected the following:

  • Support for the MathML Core (Mathematical Markup Language) markup language was returned to determine the mathematical formulas embedded in HTML and SVG documents (MathML was removed from the Blink engine in 2013). To customize the MathML-specific style, CSS properties math-style, math-depth and math-shift are proposed, as well as the math value for the display properties, the math-auto value for the text-transform property, and the math name for the font-family property. To manipulate MathML from JavaScript, the MathMLElement interface is proposed.
  • The authorization indicator built into the address bar is implemented, which is shown instead of the icon with a lock within 4 seconds after the user confirms or denies the permissions requested by the site. The indicator allows you to make sure that the correct selection is made and, if necessary, go to editing authorizations.
  • An icon with a camera for searching by image using the Google Lens service has been added to the page displayed when the tab is opened. The image to be searched can be specified both in the form of a URL and as a local file.
  • A multi-platform update installation engine is offered, which optimizes performance and reliability.

When using a - DNSprovider Cox-based resolver on the user system, automatic mode activation is provided. "DNS over HTTPS" (DoH, DNS over HTTPS)

  • In Safe Browsing mode, when scanning files for malicious code, 7z archives are unpacked (previously only zip and rar were supported).
  • As part of the Privacy Sandbox initiative, accounting for the use of Web API sites is implemented in order to identify typical scenarios of indirect identification (fingerprinting) of the user.
  • Added the page "About this page" with information about the page, the sources used and the topic of the site.
  • Added detailed warnings about downloading dangerous content. For example, when determining that a downloaded file could potentially leak user information, instead of a general notification about blocking dangerous content, it will now be clarified that this is malware for stealing personal data.
  • The page "chrome ://settings/language" offers advanced translation settings that allow you to select the current target language, languages ​ ​ for which you do not need to translate and languages ​ ​ for which you should always translate.
  • The ability to execute specialized Chrome Apps web applications is disabled, replaced by separate web applications based on Progressive Web Apps (PWA) technology and standard Web APIs. Initially, Google announced its intention to abandon Chrome Apps back in 2016 and planned to stop supporting them until 2018, but then postponed this plan.
  • An OPFS (Origin-Private FileSystem) API has been added, which is an extension to the File System Access API to host files in the local file system associated with the repository associated with the current site. A kind of virtual file system tied to the site is created (other sites cannot access), which allows web applications to read, modify and save files and directories on the user's device, the HTMLElement.offsetParent API, HTMLElement.offsetTop and HTMLElement.offsetLeft are brought to Firefox and Safari behavior when using Shadow DOM.
  • Changed the behavior of generating mouse events - clicking on a form element with the "disabled" attribute will now lead to the formation of other events, including mousemove, mouseenter, mouseleave and mouseover events, and sending click, mouseup and mousedown events for some parent handlers will be limited.
  • When checking the Access-Control-Allow-Methods header, a switch was made to using case-sensitive checking (automatic conversion of the request method to uppercase has been stopped). The change does not affect post and put methods that normalize to specification requirements.
  • The Android version provides support for the Secure Payment Confirmation API, which provides tools for additional confirmation of the payment transaction.
  • Added features aimed at optimizing the sharing of the screen. The Conditional Focus API has been added, adding a CaptureController object to getDisplayMedia (), with which the application that captures the window or tab can control the translation of focus to the broadcast window or tab. Also added is the MediaTrackSupportedConstraints.suppressLocalAudioPlayback property, which allows you to control whether the sound played in the tab will be displayed on locally connected speakers, or will only be broadcast to an external system used, for example, when showing a presentation at a conference.
  • The non-standard Event.path API has been discontinued and should be replaced by the Event.composedPath () method.
  • Expanded support for Speculation rules, which allow site authors to transfer to the browser information about the most likely pages that the user can navigate to. The browser uses this information to proactively load and render page content. Chrome 109 allows the use of API Specialization Rules to organize proactive rendering of resources from other domains (cross-origin), subject to confirmation of credentials data and access to, to storage as well as activation using the title "Supports-Loading-Mode: credentialized-prerender."
  • The font-weight, font-style, and font-stretch options supported by the @ font-face CSS rule allow you to specify an auto value that specifies the initial values for the variable font style.
  • The CSS has added a unit "lh" corresponding to the calculated value of the line-height property for the element with which it is used. For example, using "lh" for the textarea block, you can set the height equivalent to a certain number of lines of text.
  • The CSS property "hyphenate-limit-chars" has been added, which can be used to specify the minimum number of characters in parts of a word separated when the end of a word is transferred to another line.
  • The behavior of the Blink engine is close to the Gecko and WebKit engines when calculating the width of the border and outline before rendering. Previously, when using non-integer border widths due to rounding, a noticeable one-pixel gap could occur between the border of the parent element and the background of the child element (for example, if the border-width property was set to 10.75px, it was rounded during rendering to 10px, and during processing the layout to 11px).
  • Fixed problem with low scrolling speed in Linux when using Wayland.
  • Changes have been made to the tools for web developers. The JavaScript debugger has been optimized, which implements deobfuscation of variable names in Generator and async functions, added the new.target property to define a function or constructor call using the new operator, added a WeakRef object to hold a reference to another object so that it is not preempted by the garbage collector. The Styles panel adds hints for inactive CSS properties inline height/width, flex, and grid. The Performance panel provides the output of normal function names defined through sourcemap.

In addition to changes and bug fixes, 17 vulnerabilities have been fixed in this version. Many of the vulnerabilities were identified as a result of automated testing by the AddressSanitiser, MemorySanitiser, Control Flow Integrity, LibFuzzer and AFL tools. There are no critical problems that allow you to bypass all levels of browser protection and execute code on the system outside the sandbox environment. As part of the program to pay monetary remuneration for discovering vulnerabilities for the current release, Google paid 14 bonuses in the amount of 39 thousand US dollars (one bonus each of $8,000, $5,000 and $4,000, three bonuses each of $3,000 and $2,000, two bonuses each of $2,500 and $1,000). The amount of one reward has not yet been determined[9].

2022

Chrome 108

November 30, 2022 it became known that Google presented the release of the Chrome 108 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a notification system in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update installation system, constant activation of Sandbox isolation, delivery of keys to the Google API and transfer of RLZ parameters when searching. For those who need more time to update, the Extended Stable branch is separately supported, accompanied by 8 weeks. The next release of Chrome 109 is scheduled for January 10, 2023.

Chrome 108

As reported, the main changes in Chrome 108 affected the following:

  • The appearance of the Cookie and site data control dialog has been changed (called through the Cookies link after pressing the lock in the address bar). The dialog is optimized and now displays information broken down into sites.
  • Two browser optimization modes are proposed - Memory Saver and Energy Saver, which are offered in the performance settings (Settings > Performance). Modes are currently only available on ChromeOS, Windows and macOS platforms.
  • The password manager provides the ability to attach a note to each saved password. As well as the password, the note is shown on a separate page only after authentication.
  • The Linux version uses the built-in DNS client by default, which was previously used only in versions for Windows, macOS, Android and ChromeOS.
  • On the Windows platform, when Chrome is installed, the shortcut to start the browser is now automatically attached to the taskbar.
  • Added the ability to track price changes for selected items in some online stores (Shopping List). When the price is reduced, a notification or e-mail is sent to the user (in Gmail). Add a tracking item by clicking the "Track price" button in the address bar when you are on the item page. The tracked items are saved with the tabs. The function is available only to users with an active Google account, when you enable synchronization and activate the Web & App Activity service.
  • The ability to view search results in the sidebar at the same time as viewing another page is enabled (in one window you can see both the content of the page and the result of accessing the search engine at the same time). After going to a site from a page with search results in Google, an icon with the letter "G" appears in front of the input field in the address bar, when you click on which a side panel opens with the results of a previously undertaken search.
  • In the File System Access API, which allows web applications to read and write data directly to files and directories on the user's device, the getSize (), truncate (), flush (), and close () methods in the FileSystemSyncAccessHandle object are translated from an asynchronous to a synchronous execution model, similar to the read () and write () methods. The change made it possible to provide a fully synchronous FileSystemSyncAccessHandle API that allows you to improve the performance of WebAssembly (WASM) based applications.
  • Added support for additional visible area sizes (viewport) - "small" (s), "large" (l) and "dynamic" (d), as well as data-related unit sizes - "* vi" (vi, svi, lvi and dvi), "* vb" (vb, svb, lvb and dvb), "* vh" (svh, lvh, dvh), "* vax" w "(svw, lvw, dvw)," svin "* vax" (max * max " The proposed units of measure allow you to snap the size of elements to the smallest, largest, and most dynamic size of the visible area as a percentage (the size varies depending on the display, hide, and status of the toolbar).
  • Support for variable color vector fonts in COLRv1 format is enabled (a subset of OpenType fonts containing, in addition to vector glyphs, a layer with color information).
  • The font-tech () and font-format () functions were added to the CSS rule @ supports to verify support for color fonts, and the tech () function was added to the CSS rule @ font-face.
  • The Federated Credential Management (FedCM) API is proposed, which allows you to create combined identification services that ensure privacy and work without cross-site tracking mechanisms, such as processing third-party cookies.
  • It is possible to apply the already existing CSS property "overflow" to replaced elements displayed abroad, which, in combination with the object-view-box property, can be used to create images with its own shadow.
  • Added break-before, break-after, and break-inside CSS properties to customize break behavior in fragmented output across individual pages, columns, and regions. For example, "figure {break-inside: avoid;}" will prevent you from tearing the page inside the picture.
  • The align-items, justify-items, align-self, and justify-self CSS properties allow you to use the last baseline value to align to the last baseline in the flex or grid layout.
  • Added ContentVisibilityAutoStateChanged event generated for items with content-visibility: auto property when item rendering state changes.
  • It is possible to access the Media Source Extensions API in the context of workers, which can be used, for example, to optimize the performance of buffered multimedia playback by creating a MediaSource object in a separate worker and translating the results of its work in HTMLMediaElement in the main stream.
  • The HTTP Permissions-Policy header used to delegate authority and enable advanced features allows the use of masks.
  • Удалены устаревшие API window.defaultStatus, window.defaultstatus, ImageDecoderInit.premultiplyAlpha, navigateEvent.restoreScroll(), navigateEvent.transitionWhile().
  • Changes have been made to the tools for web developers. In the Styles pane, you have added hints for inactive CSS properties. The Recorder panel provides automatic detection of XPath and text selectors. The debugger provides the ability to step through comma-separated expressions. Advanced Settings > Ignore List.

In addition to changes and bug fixes, 28 vulnerabilities have been fixed in this version. Many of the vulnerabilities were identified as a result of automated testing by the AddressSanitiser, MemorySanitiser, Control Flow Integrity, LibFuzzer and AFL tools. There are no critical problems that allow you to bypass all levels of browser protection and execute code on the system outside the sandbox environment. As part of the program to pay monetary remuneration for discovering vulnerabilities for the current release, Google paid 10 premiums worth 74 thousand US dollars (one premium each of $15,000, $11,000 and $6,000, five premiums of $5,000, three premiums of $3,000 and $2,000, two premiums of $1,000). The size of the 6 rewards has not yet been determined[10]

Chrome 107

On October 26, 2022, it became known that Google presented the release of the Chrome 107 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a notification system in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update installation system, constant activation of Sandbox isolation, delivery of keys to the Google API and transfer of RLZ parameters when searching. For those who need more time to update, the Extended Stable branch is separately supported, accompanied by 8 weeks. The next release of Chrome 108 is scheduled for November 29, 2022.

Chrome 107

According to the company, the main changes in Chrome 107 include the following:

  • Added support for the ECH (Encrypted Client Hello) mechanism, which continues to develop ESNI (Encrypted Server Name Indication) and is used for enciphering information TLS session parameters, such as the requested domain name. The key difference between ECH and ESNI is that in ECH, instead of encryption at the level of individual fields, the entire ClientHello TLS message is encrypted, which allows blocking leaks through fields that ESNI does not cover, for example, the PSK (Pre-Shared Key) field. ECH also uses the HTTPSSVC DNS record instead of a TXT record to transmit about information the public key and uses HPKE-based authenticated end-to-end encryption (Hybrid Public Key Encryption) to obtain and encrypt the key. To control the activation of ECH, the setting "chrome ://flags# encrypted-client-hello" is proposed.
  • Hardware acceleration support for video decoding in H.265 format (HEVC) is enabled.
  • The fifth stage of information truncation in the HTTP header of the User-Agent and JavaScript parameters navigator.userAgent, navigator.appVersion and navigator.platform is activated, implemented in order to reduce information that can be used for passive user identification. Chrome 107 reduces platform and processor information for desktop users in the User-Agent line, and freezes the content of the JavaScript parameter navigator.platform. The change is noticeable only in versions for the Windows platform, for which a specific version of the platform has been replaced with "Windows NT 10.0." On Linux, the content of the platform in the User-Agent has not changed.
  • Previously, the digits MINOR.BUILD.PATCH, which make up the browser version, were replaced by 0.0.0. In the future, it is planned to leave in the title only information about the name of the browser, a significant version of the browser, the platform and the type of device (mobile phone, PC, tablet). The User Agent Client Hints API must be used to obtain additional data, such as exact version and advanced platform data. For sites that do not have enough information and are not yet ready to switch to User Agent Client Hints, until May 2023, it is possible to return the full User-Agent.
  • The Android version has discontinued support for the Android 6.0 platform, and the browser now requires at least Android 7.0.
  • Changed the appearance of the download status interface. Instead of the lower bar with data on the download progress, an indicator has been added to the bar with the address bar, when you click on which the progress of downloading files and the history with the list of already downloaded files are shown. Unlike the bottom panel, the button is constantly displayed on the panel and allows you to quickly access the download history. The updated interface has so far been proposed by default only for some users and will be distributed to everyone in the absence of problems.
  • Desktop users can import passwords saved in a CSV file. Previously, passwords from a file to a browser could only be transferred through the passwords.google.com service, and now this can be done through the password manager (Google Password Manager) built into the browser.
  • After the user creates a profile, an invitation is displayed to enable synchronization and go to the settings through which you can change the profile name and select a color theme.
  • The version for the Android platform offers an updated interface for choosing multimedia files for downloading photos and videos (instead of its own implementation, the standard Android Media Picker interface is used).
  • Automatic revocation of permission to display notifications for sites found to be sending notifications and messages that interfere with the user is provided. Moreover, for such sites, the display of requests for permission to send notifications is suspended.
  • The Screen Capture API has added properties related to screen sharing - selfBrowserSurface (allows you to exclude the current tab when calling getDisplayMedia ()), surfaceSwitching (allows you to hide the button for switching tabs) and displaySurface (allows you to limit sharing to a tab, window or screen).
  • The renderBlockingStatus property has been added to the Performance API to identify the resources that have suspended page rendering until they are loaded.
  • Several additional APIs have been added in the Origin Trials mode. Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a specific site for a limited time.
  • Declarative API PendingBeacon, which allows you to control the sending of data to the server that does not require a response (beacon). The updated API allows you to delegate the sending of such data to the browser, without the need to call send operations at a certain time, for example, to organize the transfer of telemetry after the user closes the page.
  • The HTTP header Permissions-Policy (Feature Policy), which is used to delegate authority and enable advanced features, adds support for the unload value, which allows you to disable the unload event handlers on the page.
  • The tag<form> adds support for the "rel" attribute, which allows you to apply the "rel=noreferrer" parameter to navigation through web forms to disable the transfer of the Referer header or "rel=noopener" to disable the setting of the Window.opener property and prevent access to the context from which the transition was made.
  • The CSS Grid adds support for interpolating the grid-template-columns and grid-template-rows properties to ensure a smooth transition between different grid states.
  • Changes have been made to the tools for web developers. Added the ability to configure hotkeys. Optimized memory inspection of C/C + + application objects converted to WebAssembly format.

In addition to changes and bug fixes, 14 vulnerabilities have been fixed in this version. Many of the vulnerabilities were identified as a result of automated testing by the AddressSanitiser, MemorySanitiser, Control Flow Integrity, LibFuzzer and AFL tools. There are no critical problems that allow you to bypass all levels of browser protection and execute code on the system outside the sandbox environment. As part of the program to pay monetary rewards for discovering vulnerabilities for the current release, Google has paid 10 premiums worth 57 thousand US dollars (one premium each of $20,000, $17,000 and $7,000, two premiums of $3,000, three premiums of $2,000 and one premium of $1,000). The amount of one reward has not yet been determined[11].

Disabling Windows 7 support

On October 25, 2022, it became known that Google is preparing to end support for the Windows 7 operating system in its Chrome browser. Read more here.

Introduction of Passkeys technology

Google announced the introduction of Passkeys technology - authentications the latest generation standard Android , in and Chrome. This became known on October 13, 2022. According to experts, this technology should reliably protect users from and, phishing hacker attacks since Passkeys cannot be intercepted and/or reused.

This authentication standard was developed by the alliance FIDO with the support of Apple and. Microsoft Its task is to replace logins passwords and digital keys, as well as make life easier for users, eliminating the need to remember accounts. data

To use Passkeys, you just need to confirm the account information, after which you can enter various online biometrics services or an access key stored on the device.

One of the fattest advantages of this authentication standard is that it can be used to authorize on another device. For example, from an Android smartphone, you can log on to a website in Safari on iOS or MacOS if it supports Passkeys.

Another advantage of the technology is its security. According to Google, all generated access keys are securely stored in the cloud and synchronized in it using Google Password Manager, which will help prevent loss of access to sites and services in the event of loss of the main device.

The statement also said that developers can start integrating Passkeys on their sites using the WebAuthn API. By the way, about the API: already in 2022, Google will also release an API for native Android applications so that they can use the new technology[12].

Detection of password leakage from fields with hidden input preview

browser Chrome has identified a problem with sending confidential data ones to servers Google when you enable the advanced proofing mode, which involves performing a scan using an external service. The problem also manifests itself browser in Edge when using Microsoft the Editor add-on. This became known on September 18, 2022.

It turned out that the text for verification is also transmitted from input forms containing confidential data, including fields containing usernames, addresses, email, passport data and even passwords, if the password input fields are not limited to the standard tag <input type=password>"." For example, the problem leads to sending googleapis.com passwords to the server if you enable the option to display the entered password, implemented in Google Cloud (Secret Manager), AWS (Secrets Manager), Facebook (recognized as an extremist organization and banned in Russia), Office 365, Alibaba Cloud and LastPass. Of the 30 well-known sites tested, including social media, banks, cloud platforms and online retailers, 29 were affected by the leak.

In AWS and LastPass, the problem has already been quickly resolved by adding the "spellcheck=false" parameter to the "input" tag. To block sending data on the user side, you must disable advanced validation in the settings (the "Languages/Spell check/Enhanced spell check" section or "Languages/Proofing/Advanced validation," by default, advanced validation is disabled).

Image:CFD0C5CECEC5D4 1663480135.png
Image:CFD0C5CECEC5D4 1663479149.png

Chrome 105

On September 1, 2022, it became known that Google presented the release of the Chrome 105 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a notification system in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update installation system, constant activation of Sandbox isolation, delivery of keys to the Google API and transfer of RLZ parameters when searching. For those who need more time to update, the Extended Stable branch is separately supported, accompanied by 8 weeks. The next release of Chrome 106 is scheduled for September 27, 2022.

Chrome 105

As reported, the main changes in Chrome 105 affected the following:

  • Support for specialized web applications Chrome Apps has been discontinued, replaced by separate web applications based on Progressive Web Apps (PWA) technology and standard Web APIs. Initially, Google announced its intention to abandon Chrome Apps back in 2016 and planned to stop supporting them until 2018, but then postponed this plan. In Chrome 105, when you try to install Chrome Apps, you will be warned to stop supporting them, but the apps themselves will continue to run. Chrome 109 will disable the ability to run Chrome Apps.
  • Additional isolation of the renderer process responsible for rendering is provided. This process is now performed in an additional container (App Container) implemented on top of the existing sandbox isolation system. If the vulnerability is exploited in the rendering code, the added restrictions will prevent the attacker from accessing the network, due to the prohibition of accessing system calls related to network capabilities.
  • Implemented its own unified store of root certificates of certification centers (Chrome Root Store). The updated storage is not yet enabled by default, and until the implementation is complete, certificates continue to be checked using each operating system-specific storage. The tested solution resembles the approach of Mozilla, which supports a separate independent root certificate store for Firefox, used as the first link to verify the certificate trust chain when opening sites over HTTPS.
  • Preparations have begun to discontinue support for the Web SQL API, which is not standardized, almost unused, and requires reworking to meet modern security requirements. Chrome 105 does not allow access to Web SQL from code downloaded without using HTTPS, and also adds a warning to DevTools about technology aging. In 2023, the Web SQL APIs are planned to be removed. For developers who need such functionality, a replacement based on WebAssembly will be prepared.
  • Chrome sync has discontinued support for synchronization with Chrome 73 and earlier releases.
  • For macOS and Windows platforms, the built-in certificate viewer is activated, which replaced the interface call provided by the operating system. Previously, the built-in viewer was used only in Linux and ChromeOS assemblies.
  • The platform version Android has added settings for managing " API Topics & Interest Group," promoted as part of the Privacy Sandbox initiative and allowing you to define categories of user interests and use them instead of tracking Cookie users for highlighting groups of users with similar interests without identifications individual users. In the last release, similar settings were added to Linux, ChromeOS, macOS and Windows versions.
  • When you enable browser Safe Browsing > Enhanced protection, you collect telemetry about installed add-ons, accessing APIs, and connecting to external sites. These data are used on servers Google to detect harmful activity and rule violations by browser add-ons.
  • Moved to the obsolete category and will be blocked in the Chrome 106 release from using non-ASCII characters in domains specified in the Cookie header (domains in punycode format should be specified for IDN domains). The change will bring the browser in line with the requirements of RFC 6265bis and the behavior implemented in Firefox.
  • The Custom Highlight API is proposed, designed to arbitrarily change the style of selected areas of text and allows not to be limited to the fixed style provided by the browser for selected areas (:: selection,:: inactive-selection) and highlighting syntax errors (:: spelling-error,:: grammar-error). The first version of the API provides support for changing the color of text and background using pseudo-elements color and background-color, but in the future other options for customizing the style will be added.
  • As an example of tasks that can be solved using the updated API, we mention adding to web frameworks that provide tools for editing text, their own mechanisms for selecting text, different selection while simultaneously editing by several users, searching for virtualized documents and marking errors when checking spelling. If earlier, to create a non-standard selection, complicated manipulations with the DOM tree were required, then the Custom Highlight API provides ready-made operations for adding and removing backlight that do not affect the DOM structure and apply styles in reference to Range objects.
  • The @ container query has been added to CSS, allowing you to style items based on the size of the parent item. "@ container" resembles the queries "@ media," but is applied in binding not to the size of the entire visible area, but to the size of the block (container) in which the element is placed, which allows you to set your own style selection logic for children, regardless of where the element is placed on the page.
  • The CSS pseudo-class ": has ()" has been added to check for the presence of a child in the parent. For example, "p: has (span)" covers

    elements within which an element exists.

  • The HTML Sanitizer API has been added, which allows you to cut elements from the content that affect the display and execution when output through the setHTML () method. The API can be useful for cleaning data coming from outside to cut HTML tags from them, which can be used to carry out XSS attacks.
  • It is possible to use the API Streams (ReadableStream) to send fetch requests before the response body is loaded, i.e. you can start sending data without waiting for the page generation to complete.
  • For stand-alone web applications (PWA, Progressive Web App), it is possible to change the appearance of the window title area using Window Controls Overlay components that expand the display area of ​ ​ the web application to the entire window and allow you to give the web application the look of a regular desktop application. The web application can control the rendering and processing of input in the entire window, with the exception of an overlaid block with standard window control buttons (close, collapse, expand).
  • The ability to access Media Source Extensions from dedicated workers (in the context of DedicatedWorker) has been stabilized, which can be used, for example, to optimize the performance of buffered multimedia playback by creating a MediaSource object in a separate worker and translating the results of its work in HTMLMediaElement in the main stream.
  • The Client Hints API, which is being developed to replace the User-Agent header and allows you to selectively report data specific browser and system parameters (version, platform, etc.) only after a request, server has added support for the Sec-CH-Viewport-Heath property, which allows you to get information about the height of the visible area. Markup format has been changed to set Client Hints parameters for external resources in the "meta" tag.
  • Added the ability to create global onbeforeinput event handlers (document.documentElement.onbeforeinput), with the help of which web applications can override the behavior when editing text in blocks, and <input><textarea>other elements with the "contenteditable" attribute set, at the stage before the browser changes the contents of the element and the DOM tree.
  • Enhanced the Navigation API, which allows web applications to intercept navigation operations in a window, initiate a transition, and analyze activity history with the application. Added additional intercept () methods to intercept the transition and scroll () to scroll to the specified position.
  • Added a static method Response.json (), which allows you to form a response body based on data of type JSON.
  • Changes have been made to the tools for web developers. In the debugger, when a breakpoint is triggered, editing of the top of the function stack is allowed, without interrupting the debug session. The Recorder panel, with which you can record, play back and analyze user actions on the page, supports breakpoints, step-by-step playback and recording mouse pointing events.
  • LCP ( Largest Contentful Paint) metrics have been added to the performance analysis panel to detect delays in rendering large (user-visible) elements in the visible area, such as images, videos, and block elements. The Elements panel implements the marking of the upper layers displayed on top of other content with a special icon. WebAssembly provides the ability to load debug data in DWARF format.

In addition to innovations and bug fixes in this version, 24 have been eliminated. vulnerabilities Many of the vulnerabilities were identified as a result of the automated testings tools AddressSanitiser, MemorySanitiser, Control Flow Integrity, LibFuzzer and AFL. One of the problems (CVE-2022-3038) is assigned a critical level of danger, which implies the ability to bypass all levels of browser protection and execute code on the system outside the sandbox environment. Details on this vulnerability have not yet been disclosed, it is only known that it is caused by accessing the freed memory block (use-after-free) in the Network Service. As part of the program to pay a monetary reward for discovering vulnerabilities for the current release, Google paid 21 bonuses worth 60,500 (US dollars one premium of $10,000, one premium of $9,000, one premium of $7,500, one premium of $7,000, two premiums of $5,000, four premiums of $3,000, two premiums of $2,000 and one premium of $1,000). The size of the seven rewards has not yet been determined[13]

Discontinuing support for Server Push technology in Chrome 106

The company Google warned of disabling support for Server Push technology in the Chrome 106 release scheduled for September 27. This became known on August 20, 2022. The change will also affect others browsers based on the Chromium codebase. Server Push technology is defined in/2 and HTTP HTTP/3 standards, and allows to the server you to send resources to the client without waiting for their explicit request. It is assumed that in this way the server can speed up the loading of the page, since the necessary for rendering the page, files CSS scripts and images by the time of the request by the client will have already been transmitted to its side.

As a reason for the termination of support, an unnecessary complication of the implementation of the technology is mentioned in the presence of simpler and equally effective alternatives, such as a tag, on the <link rel="preload">basis of which the browser can request a resource without waiting for its use on the page. On the one hand, preload, compared to Server Push, leads to unnecessary packet exchange (RTT), but on the other hand, it avoids sending resources that are already in the browser cache. In general, the differences in delays when using Server Push and preload are marked as insignificant.

To initiate a proactive download on the server side, it is proposed to use the HTTP response code 103, which allows you to inform the client about the content of some HTTP headers immediately after the request, without waiting for the server to perform all operations related to the request and begin to return content. In a similar way, hints can be given about the elements associated with the page being given that can be preloaded (for example, links to CSS and JavaScript used on the page can be given). Having received information about such resources, the browser can start loading them without waiting for the end of the main page, which allows you to reduce the total processing time of the request.

In addition to optimizing resource loading, the Server Push mechanism could also be used to stream data from the server to the client, but for this purpose the W3C consortium is developing the WebTransport protocol. The communication channel in WebTransport is organized on top of the HTTP/3 using the QUIC protocol as a transport. WebTransport offers advanced features such as multi-stream transmission, unidirectional flows, out-of-order delivery, reliable and unreliable delivery modes.

According to Google statistics, Server Push technology has not received proper distribution. Despite the fact that Server Push is present in the HTTP/3 specification, in practice many server and client software products, including the Chrome browser, did not initially implement it. In 2021, about 1.25% of HTTP/2 sites used Server Push. In 2022, this figure decreased to 0.7%[14].

Fix the fifth 0-day vulnerability

August 16, 2022 Google released a set of fixes for Chrome, eliminating the dangerous vulnerability zero day. Tracked under the CVE-2022-2856 ID, the security flaw is due to insufficient validation of Intents inputs data. The vulnerability was discovered by Google Threat Analysis Group specialists Ashley Shen and Christian Resell, who reported it on July 19, 2022.

Google has not released any technical details about the vulnerability, lest it provoke an even greater wave of attacks on users. However, the IT company admitted that the exploit for CVE-2022-2856 exists in the wild.

In addition to 0-day, the latest update fixed 10 other security holes, browser most of which arise due to the Use-After-Free vulnerability associated with incorrect use of heap memory during the operation of FedCM, SwiftShader, ANGLE and Blink components. Google has also eliminated the possibility of a buffer overflow in Downloads.

Experts recommend that users update Google Chrome to version 104.0.5112.101 (for and macOS Linux) or 104.0.5112.102/101 (for). Windows Users of Chromium-based browsers (,, and) are Microsoft Edge Brave also Opera Vivaldi advised to apply fixes as they appear. Google[15]

Chrome 104

On August 3, 2022, it became known that Google introduced the release of the Chrome 104 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a notification system in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update installation system, constant activation of Sandbox isolation, delivery of keys to the Google API and transfer of RLZ parameters when searching. For those who need more time to update, the Extended Stable branch is separately supported, accompanied by 8 weeks. The next release of Chrome 105 is scheduled for August 30, 2022.

Google Chrome 104 has been released with patches for 27 vulnerabilities. Photo: tomsguide.com.

As reported, major changes to Chrome 104 include the following:

  • The limit time for the existence of Cookies has been entered - all Cookies will be automatically deleted after 400 days of existence, even if the aging time set through the Expires and Max-Age attributes exceeds 400 days (for such Cookies, the life time will be reduced to 400 days). Cookies created before the restriction are introduced will retain their lifetime, even if it exceeds 400 days, but will be limited if updated. The change reflects the updated requirements noted in the draft BOM.
  • Enabled to block calls from iframe to URL referencing the local file system ("filesystem ://").
  • To speed up page loading, an optimization has been added to ensure that you connect to the target host when you click on the link, without waiting for the button to release or remove your finger from the touch screen.
  • Added settings for managing the Topics & Interest Group API, promoted under the Privacy Sandbox initiative and allowing you to define categories of user interests and use them instead of tracking Cookies to highlight groups of users with similar interests without identifying individual users. In addition, information dialogs shown once have been added, explaining to the user the essence of the technology and offering to activate its support in tinctures.
  • Increased thresholds to limit nested calls to setTimeout and setInterval timers running at intervals less than 4 ms ("setTimeout (..., <4ms)"). Суммарный лимит на подобные вызовы увеличен с 5 до 100, что позволяет агрессивно не урезать единичные вызовы, но при этом не допускать злоупотреблений, способных повлиять на производительность browser.
  • It is enabled to send a CORS (Cross-Origin Resource Sharing) authorization request to the server of the main site with the heading "Access-Control-Request-Private-Network: true," if a page is accessed from a sub-resource on the internal network (192.168.x.x, 10.x.x.x, 172.16-31.x.x) or to localhost (127.x.x.x). When confirming an operation in response to this request, the server must return the header "Access-Control-Allow-Private-Network: true." In Chrome 104, the confirmation result does not yet affect the processing of the request - if there is no confirmation in the web console, a warning is displayed, but the sub-resource request itself is not blocked. Enabling blocking if there is no confirmation from the server is expected no earlier than in the Chrome 107 release. To enable blocking in earlier releases, you can activate the "chrome ://flags/# private-network-access-respect-preflight-results" setting. Server authorization is introduced to strengthen protection against attacks related to accessing resources on the local network or on the user's computer (localhost) from scripts loaded when the site is opened. Such requests are used by attackers to carry out CSRF attacks on routers, access points, printers, corporate web interfaces and other devices and services that receive requests only from the local network. To protect against such attacks in the event of access to any sub-resources on the internal network, the browser will send an explicit request for the authority to load these sub-resources.
  • The Region Capture mechanism has been added, which allows you to trim extra content from video generated based on screen capture. For example, using the getDisplayMedia API, a web application can organize the transfer of video with the contents of a tab, and Region Capture allows you to cut out part of the content that includes video conferencing controls.
  • Added support for the media request syntax defined in the Media Queries Level 4 specification, which determines the minimum and maximum size of the visible area (viewport). This syntax allows you to use ordinary mathematical comparison operators and logical operators such as "not," "or," and "and." For example, instead of "@ media (min-width: 400px) {...}," you can now specify "@ media (width >=400px) {...}."
  • Several additional APIs have been added in the Origin Trials mode. Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a specific site for a limited time.
    • Added the "focusgroup" CSS property to optimize item navigation using the cursor arrows on the keyboard.
    • The Secure Payment Confirmation API allows the user to disable the credit card settings store. To display a dialog that allows you to refuse to save credit card parameters, the "showOptOut: true" flag is provided in the PaymentRequest () constructor.
    • The Shared Element Transitions API has been added, allowing for a smooth transition between different content views in single-page web applications.

  • Support for Speculation rules has been stabilized, allowing site authors to transfer information about the most likely pages to which the user can navigate to the browser. The browser uses this information to proactively load and render page content.
  • The mechanism for packaging subresources into packages in the Web Bundle format has been stabilized, which allows you to optimize the download efficiency of a large number of related files (CSS styles, JavaScript, images, iframe). Unlike Webpack packages, the Web Bundle format has the following advantages: in the HTTP cache, it is not the package itself that settles, but its components; Compilation and execution of JavaScript begins without waiting for the package to fully load; You can include additional resources such as CSS and images that you want webpack to encode as JavaScript strings.
  • An object-view-box CSS property has been added to define the part of the image that will be displayed in the area instead of the specified element, which can be used, for example, to add a border or shadow.
  • The Fullscreen Capability Delegation API has been added to allow one Window object to transfer to another Window object the right to call requestFullscreen ().
  • The Fullscreen Companion Window API has been added, allowing you to place full-screen content and pop-ups on another screen after receiving confirmation from the user.
  • The visual-box attribute has been added to the CSS property overflow-clip-margin, which determines from where to start cropping content that has gone outside the region (can take the values ​ ​ of content-box, padding-box and border-box).
  • The Async Clipboard API has added the ability to define specialized formats for data transmitted via the clipboard, other than text, images and text with markup.
  • WebGL provides support for specifying color space for the rendering buffer and conversion when importing from a texture.
  • Support for OS X 10.11 and macOS 10.12 platforms has been discontinued.
  • Support for the U2F API (Cryptotoken), which was previously declared obsolete and disabled by default, has been discontinued. API U2F was replaced by API Web Authentication.
  • Changes have been made to the tools for web developers. The debugger has added the ability to restart the code from the beginning of the function, after the breakpoint is triggered somewhere in the body of the function. Added support for developing add-ons for the Recorder panel. In the performance analysis panel, support has been added for rendering labels set in the web application through a call to the performance.measure () method. The recommendations for auto-completing the properties of JavaScript objects are optimized. When autocomplete CSS variables, a preview of values ​ ​ that are not related to colors is provided.

In addition to innovations and bug fixes, 27 have been fixed in this version. vulnerabilities Many of the vulnerabilities were identified as a result of the automated testings tools AddressSanitiser, MemorySanitiser, Control Flow Integrity, LibFuzzer and AFL. There are no critical problems that allow you to bypass all levels of browser protection and execute code on the system outside the sandbox environment. As part of the program to pay cash rewards for detecting vulnerabilities for the current release, Google paid 22 bonuses worth 84 thousand (US dollars one premium of $15,000, one premium of $10,000, one premium of $8,000, one premium of $7,000, four bonuses of $5,000, one premium of $4,000, three bonuses of $3,000, four bonuses of $2,000 and three bonuses of $1,000). The amount of one reward has not yet been determined[16]

Fix 0-day vulnerability

In a fresh update, Google has fixed a dangerous 0-day vulnerability in Chrome. Tracked under the CVE-2022-2294 identifier, the vulnerability is related to a heap overflow in the Web Real-Time Communications (WebRTC) component. This became known on July 5, 2022.

On July 1, 2022, 0-day was discovered by Jan Vožtesek, an Avast Threat Intelligence team specialist. Google did not disclose technical details regarding the vulnerability in order to prevent its further use. Most likely, the company wants most users to install the update first.

CVE-2022-2294 became the fourth 0-day vulnerability fixed in the Chrome browser. Before her, specialists managed to eliminate CVE-2022-0609, CVE-2022-1096 and CVE-2022-1364.

Experts strongly recommend that users update their browser to version 103.0.5060.114 on all available platforms. Users of Chromium-based browsers are also advised to install updates as they become available[17].

Add Enterprise Security Module

Google has announced additional security modules in Chrome and Chrome OS for businesses. This became known on May 27, 2022.

The company wants to help enterprise cybersecurity professionals better manage the right tools.

The company believes this will allow IT teams to improve the security of employees working in the Chrome browser and on devices with Chrome OS.

The set of modules is available on the Chrome Enterprise Connectors Framework, which allows you to integrate Chrome and Chrome OS with Netskope, Okta, BlackBerry, Samsung, VMware, Splunk, CrowdStrike and Palo Alto Networks products. Not all of them are available at once, but Google says they will all be coming soon.

According to the company, Netskope modules optimize user access to sensitive data, BlackBerry and Samsung modules will make it easier for IT teams to manage devices with Chrome OS on board, and Splunk will allow you to get important information about potentially dangerous events as quickly as possible.

In addition to all this, a feature was added - Chrome OS Data Controls, which will help organizations prevent data leakage by creating a set of rules that work with certain actions (copying and pasting, screen capture or printing)[18].

The appearance of the function of automatic replacement of compromised passwords

Google In the Chrome version Android , a function has appeared that allows the system to automatically change those hacked from passwords accounts. This became known on May 5, 2022. More. here

Chrome 101

On April 27, 2022, it became known that Google presented the release of the Chrome 101 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser differs from Chromium in the use of Google logos, the presence of a notification system in the event of a crash, modules for playing copy-protected video content (DRM), an automatic update installation system, constant activation of Sandbox isolation, delivery of keys to the Google API and transfer of RLZ parameters when searching. For those who need more time to update, the Extended Stable branch is separately supported, accompanied by 8 weeks, in which an update was formed for the last release of Chrome 100. The next release of Chrome 102 is scheduled for May 24, 2022.

Chrome 101

As reported, major changes to Chrome 101 include the following:

  • The Side Search function has been added, which allows you to view search results in the sidebar simultaneously with viewing another page (in one window you can simultaneously see both the content of the page and the result of accessing the search engine). After going to a site from a page with search results in Google, an icon with the letter "G" appears in front of the input field in the address bar, when you click on which a side panel opens with the results of a previously undertaken search. By default, the function is not enabled on all systems, you can use the "chrome ://flags/# side-search" setting to enable.
  • The Omnibox address bar provides a proactive rendering of the content of the recommendations offered as you type. Previously, to speed up the transition from the address bar, the most likely recommendations for the transition were loaded without waiting for the user to click using the Prefetch call. Now, in addition to loading, they are also rendered in the buffer (including scripts are executed and a DOM tree is formed), which allows you to display recommendations after a click. To control proactive rendering, the settings "chrome ://flags/# enable-prerender2," "chrome ://flags/# omnibox-trigger-for-prerender2" and "chrome ://flags/# search-suggestion-for-prerender2" are proposed.
  • Information began to be truncated in the HTTP header of the User-Agent and JavaScript parameters navigator.userAgent, navigator.appVersion and navigator.platform. At this stage, the digits MINOR.BUILD.PATCH, which make up the browser version, have been replaced with 0.0.0 (the change will be brought to users gradually). Next, only information about the name of the browser, a significant version of the browser, the platform and the type of device (mobile phone, PC, tablet) will be left in the header. The User Agent Client Hints API must be used to obtain additional data, such as exact version and advanced platform data. For sites that do not have enough information and are not yet ready to switch to User Agent Client Hints, until May 2023, it is possible to return the full User-Agent.
  • Changed the behavior of the setTimeout function when passing a null argument that specifies call delay. Starting with Chrome 101, when specifying "setTimeout (..., 0)," the code will be called immediately, without a delay of 1ms, as required by the specification. For repeated nested setTimeout calls, a delay of 4 ms is applied.
  • The version for the Android platform supports the request for notifications (in Android 13, to display notifications, the application must have the "POST_NOTIFICATIONS" permission, without which sending notifications will be blocked). When you start Chrome in an Android 13 environment, the browser will now prompt you for permission to display notifications.
  • Removed the ability to use the WebSQL API in third-party scripts. By default, WebSQL blocking in scripts not loaded from the current site was enabled in Chrome 97, but an option was left to disable this behavior. In Chrome 101, this option has been removed. In the future, it is planned to gradually completely end support for WebSQL, regardless of the context of use. Instead of WebSQL, we recommend using the Web Storage and Indexed Database APIs. The WebSQL handler is based on SQLite code and could be used by attackers to exploit vulnerabilities in SQLite.
  • Removed enterprise policy names (chrome ://policy) that contain non-inclusive terms. Starting with Chrome 86, replacements have been proposed for these policies that use inclusive terminology. Terms such as "whitelist," "blacklist," "native" and "master" were cleaned. For example, the URLBlacklist policy is renamed URLBlocklist, AutoplayWhitelist to AutoplayAllowlist, and NativePrinters to Printers.
  • In the Origin Trials mode (experimental capabilities that require separate activation), so far only in assemblies for the Android platform, testing of the Federated Credential Management (FedCM) API has begun, which allows you to create combined identification services that ensure privacy and work without cross-site tracking mechanisms, such as processing third-party cookies. Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a specific site for a limited time.
  • The Priority Hints mechanism has been stabilized and proposed to everyone, which allows you to set the importance of a particular downloaded resource by specifying an additional attribute "import" in tags such as iframe, img and link. The attribute can take the values ​ ​ "auto" and "low," and "high," which affect the order in which the browser loads external resources.
  • The AudioContext.outputLatency property has been added, through which you can find out information about the predicted delay before outputting sound (the delay between requesting sound and starting processing the received data by the audio output device).
  • Added font-palette CSS property and @ font-palette-values rule to select a palette from a color font or to define your own palette. For example, this feature can be used to bring colored character fonts or emoji to the color of the content, or to turn on the dark or light mode for the font.
  • The CSS function hwb () has been added, which provides an alternative method for specifying sRGB colors in HWB (Hue, Whiteness, Blackness) format, similar to HSL (Hue, Saturation, Lightness) format, but easier for human perception.
  • In the window.open () method, specifying the popup property in the windowFeatures string, without assigning a value (that is, when popup is simply specified, and not popup=true), is now treated as enabling the opening of a miniature pop-up window (similar to "popup=true") instead of assigning the default value "false," which was illogical and misleading for developers.
  • The MediaCapabilities API, which provides information about the capabilities of the device and browser to decode multimedia content (supported codecs, profiles, bitrates and permissions), has added support for WebRTC streams.
  • A third version of the Secure Payment Confirmation API is proposed, which provides tools for additional confirmation of the payment transaction. This release adds support for identifiers that require data entry, an icon definition to indicate a validation failure, and an optional payeeName property.
  • The USBDevice API has added the forget () method to revoke previously granted user permissions to access a USB device. In addition, USBConfiguration, USBInterface, USBAlternateInterface, and USBEndpoint instances are now equal with strict comparison ("===," point to one object) if they are returned for the same USBDevice object.
  • Changes have been made to the tools for web developers. You can import and export recorded user actions in JSON format (example). In the web console and the code viewing interface, the calculation and display of private properties are optimized. Added support for working with the HWB color model. The CSS panel adds the ability to view cascading layers specified using the @ layer rule.

In addition, 30 vulnerabilities have been fixed. Many of the vulnerabilities were identified as a result of automated testing by the AddressSanitiser, MemorySanitiser, Control Flow Integrity, LibFuzzer and AFL tools. There are no critical problems that allow you to bypass all levels of browser protection and execute code on the system outside the sandbox environmentChrome 101 release.

Chrome 100.0.4896.127 with 0-day vulnerability fix

Google has formed the Chrome 100.0.4896.127 update for Windows, Mac and Linux, which fixes a serious vulnerability (CVE-2022-1364) already used by attackers to carry out attacks (0-day). This became known on April 15, 2022. Details have not yet been disclosed, it is only known that the 0-day vulnerability is caused by incorrect Type Confusion processing in the V8 JavaScript engine, which allows processing an object with an incorrect type, which, for example, makes it possible to form a 64-bit pointer based on a combination of two different 32-bit values ​ ​ to organize access to the entire address space of the process. Users are advised not to wait for the automatic delivery of the update, but to check for it and initiate installation through the "Chrome > Help > About Google Chrome" menu[19].

Chrome 100

On March 30, 2022, it became known that the American corporation Google has updated its Chrome browser to version 100. This is the first web browser in the history of the Internet to grow to a version with a three-digit number.

Illustration: cnews.ru

This is a threat to the stable operation of the World Wide Web, and is due to the fact that not all sites are ready for three-digit versions of browsers. Many of them will define Chrome 100 as Chrome 10, which was released 11 years ago, in March 2011. Its support has long been discontinued, and sites may simply not open and issue a message about the need to update software.

Major changes

Despite the historic release, there are no major innovations in Chrome 100. The main emphasis is on security - Google has fixed 28 vulnerabilities in its browser. The vast majority turned out to be insignificant, and only nine were considered critical.

One significant change is the logo, which has become noticeably flatter but also brighter.

Illustration: cnews.ru

By the release of version 100, Google had built into Chrome, making it API easier for the browser to work on multiple configurations. monitors For example, it may be laptop connected to an external screen with high resolution and other proportions. This API allows you to adapt not only the browser itself, but also the web applications launched in it for several monitors.

At the same time, there is less than one feature in Chrome 100. Google has stripped it of its mobile version of the traffic saving option. For Russians, this would be a very useful function if the tariffs for cellular communications with unlimited mobile Internet disappear in the country. Google also decided to disable traffic savings in previous versions of the browser.

Version indexes

Chrome has grown to version 100 in 13.5 years - its first stable build with the 1.0 index was released in December 2008. It was Google that initiated the version race. Before Google entered the browser market, developers of other browsers with the next release of their product changed only the numbers after the first point in the version index. They increased the first digit in the version number by one only with the release of a fairly significant update. Google chose a different path - Chrome 2 was released in May 2009, Chrome 3 appeared in another five months. As a result, by early 2010, Google had updated its browser to version 4. In the future, the following numbered versions of Chrome were often released several times a month, which eventually led to the release of Chrome 50 in April 2016, that is, 7.5 years after the introduction of Chrome 1. The next 50 versions of Google took another six years without one month.

In the future, other browsers joined the race. Firefox did it first, and Opera did it a little later. The latter held on until the latter, until the developers abandoned their own engine in favor of the universal Blink.

The authors of the classic Opera in January 2015 created the Vivaldi browser. He does not participate in the race - by the end of March 2022, his current version had an index of 5.2.

Firefox 100

The problem with incorrect operation of sites in browsers with a three-digit version index will be aggravated, according to the source, in May 2022. Firefox 100 is scheduled for release this month.

In this case, little depends on users. It is their owners who should teach sites to "read" the browser version correctly.

The popularity of Chrome in Russia is gradually falling. Illustration: cnews.ru

Users can simply disable the automatic update of Firefox and Chrome and work in their existing versions. This will not affect the stability of the display of sites in any way in the future of the next few months.

There is a more radical option - you can change the browser to any of the existing ones, whose version is far from 100. In addition to the mentioned Vivaldi, this may be the same Opera, which was updated to version 85 on March 23, 2022. And Apple has its own Safari browser, which received version 15.3 in February 2022. At the same time, Microsoft's Edge in this case is not the best alternative to Chrome, since on March 17, 2022, an update to version 99 was released for it.

At the end of March 2022, Chrome occupies 62.78% of the global browser market (statistics StatCounter for February 2022). Russia Its share is 54.98% against 16.08% of the domestic "." Yandex.Browser The latter was updated to version 22 in March 2022. which also allows it to be used as an alternative to Chrome 100.[20]

Google fixed 0-day vulnerability in Chrome

On March 28, 2022, it became known that Google had fixed the 0-day vulnerability in Chrome.

Google Windows macOS Linux encourages users to urgently update browser Chrome to version 99.0.4844.84. The reason is the discovery of a vulnerability that is already being exploited in. hacker attacks

Illustration: itcrumbs.ru

The company does not disclose details about the vulnerability to give users time to install updates. For the same reason, it has not yet been reported whether it affects third-party libraries used in other projects. It is only known that the problem is a mismatch of the entered data types (Type Confusion) in the V8 engine, and it is assigned a CVE-2022-1096 identifier. An anonymous researcher notified Google about it on March 23, 2022.

V8 is a JavaScript engine in Chrome, also used in Node.js. Whether the vulnerability affects Node.js has not yet been reported.

Immediately after Google, Microsoft issued its own security notice, according to which the same vulnerability was also fixed in version Edge 99.0.1150.55.

Recently it became known about the exploitation of another zero-day vulnerability in Chrome (CVE-2022-0609) by two groups supported by the North Korean government.[21]

Phishing tool that allows browser-in-browser attacks to steal logins and passwords

On March 23, 2022, lard was known that a security expert known as mr.dox published a phishing tool code on GitHub that allows you to create fake Chrome browser windows. Its purpose is to intercept the details of access (login and password) to online resources. Read more here.

Chrome 99

On March 2, 2022, Google unveiled the release of the Chrome 99 web browser. At the same time, a stable release of the free Chromium project, which is the basis of Chrome, is available. The Chrome browser is distinguished by the use of Google logos, the presence of a notification system in the event of a crash, modules for playing copy-protected video content (DRM), a system for automatically installing updates and transmitting RLZ parameters when searching. The next release of Chrome 100 is scheduled for March 29, 2022.

Chrome 99

According to the company, Chrome for Android includes the use of the Certificate Transparency mechanism, which ensures the maintenance of an independent public log of all issued and revoked certificates. The public log makes it possible to conduct an independent audit of all changes and actions of certification centers, and will allow you to immediately track any attempts to secretly create fake records. Certificates that are not reflected in the Certificate Transparency will be automatically rejected by the browser, displaying the corresponding error. Previously, this mechanism was enabled only for the desktop version and for a small percentage of Android users. Due to the large number of complaints, the Private Network Access mechanism previously proposed in test mode is disabled, aimed at strengthening protection against attacks related to accessing resources on the local network or on the user's computer (localhost) from scripts downloaded when the site is opened. To protect against such attacks in the event of access to any sub-resources on the internal network, it is proposed to send an explicit request for the authority to load such sub-resources. According to company representatives, Google will revise the implementation taking into account the feedback received and in one of the future releases will offer an optimized version. The ability to delete the default search engines is returned.

Starting with Chrome 97 in the configurator in the "Search Engine Management" section, the ability to remove elements from the default search engines list (Google, Bing, Yahoo) and edit search engine parameters was discontinued, which caused dissatisfaction of many users.

On the Windows platform, it is possible to remove self-sufficient web applications (PWA, Progressive Web App) through system settings or a control panel, similar to removing Windows applications.

Final testing of a possible disruption of sites is being carried out after the browser reaches a version of three digits instead of two (at one time, after the release of Chrome 10, many problems surfaced in the User-Agent parsing libraries). When the "chrome ://flags# force-major-version-to-100" option is activated, the User-Agent header starts to display version 100. CSS supports cascading layers defined using the @ layer rule and imported through the @ import CSS rule using the layer () function. CSS rules within one cascade layer cascade together, optimizing the management of the entire cascade, providing flexible options for changing the order of layers and allowing more explicit control of CSS files, preventing conflicts. Cascading layers are useful for themes, defining default feature styles, and moving component appearances to external libraries. The HTMLInputElement class has added the showPicker () method, which allows you to display ready-made dialogs to fill in typical values ​ ​ in fields<input> with the types "date," "month," "week," "time," "datetime-local," "color" and "file," as well as for fields that support autofill and list selection (datalist). For example, you can display an interface in the form of a calendar to select a date or a palette to enter a color.

Origin Trials mode (experimental capabilities that require separate activation) implements the ability to enable dark design mode for web applications. The colors and background for the dark theme are selected using the color_scheme_dark field in the file with the manifest of the web application. Origin Trial implies the ability to work with the specified API from applications downloaded from localhost or 127.0.0.1, or after registering and receiving a special token that is valid for a specific site for a limited time. Stabilized and offered to everyone API Handwriting Recognition, which allows you to use handwriting recognition services provided by the operating system.

For stand-alone web applications (PWA, Progressive Web App), the Window Controls Overlay component has been stabilized, expanding the application screen area to the entire window, including the header area, which is overlaid with standard window control buttons (closing, minimizing, maximizing). The web application can control the rendering and processing of input throughout the window, with the exception of an overlaid block with window control buttons. The CSS function calc () allows specifying "infinity," "-infinity," and "NaN," or expressions that result in similar values, such as' calc (1/0) '.

The CSS property color-scheme, which allows you to determine in which color schemes an element can be correctly shown ("light," "dark," "day mode" and "night mode"), has added the "only" parameter, which allows you to exclude forced changes in the color scheme for individual HTML elements. For example, if you specify "div {color-scheme: only light}," then only a light theme will be used for the div element, even if dark design is forcibly enabled in the browser. You can now use push () and pop () operations instead of completely reassigning the property to change the values of the document.adoptedStyleSheets property. For example, "document.adoptedStyleSheets.push (newSheet);."

The implementation of the interface CanvasRenderingContext2D added support for ContextLost and ContextRestored events, the reset () method, the willReadFrequently option, CSS text modifiers, the roundRect rendering primitive, and conical gradients. Optimized support for SVG filters. Got rid of the prefix "-webkit-" of the property" text-emphasis, "" text-emphasis-color, "" text-emphasis-position "and" text-emphasis-style. "Pages opened without HTTPS are prohibited from accessing the Battery Status API, which allows you to obtain information about the battery charge.

The navigator.getGamepads () method provides an array of Gamepad objects instead of GamepadList. GamepadList is no longer supported in Chrome, which meets the standard requirement and the behavior of the Gecko and Webkit engines. The WebCodecs API complies with the specification. In particular, the EncodedVideoChunkOutputCallback () method and the VideoFrame () constructor have been changed. In the V8 JavaScript engine, the Intl.Locale API has added calendars, collations, hourCycles, numberingSystems, timeZones, textInfo and weekInfo properties that display information about supported calendars, time zones and time and text parameters.

Changes have been made to the tools for web developers. The network panel provides the ability to slow down WebSocket requests to debug work in conditions of a slow network connection. A panel has been added to the Application tab to track reports generated through the Reporting API. In the Recorder panel, before playing a recorded command, support for waiting before the element becomes visible or available for clicking is implemented. The emulation of the dark skin has been changed. Optimized control of panels from touch screens. The web console added support for escape sequences to highlight text in color, added support for% s,% d,% i, and% f lookup masks, and optimized message filters.

In addition to innovations and bug fixes, 28 vulnerabilities have been fixed in this version. Many of the vulnerabilities were identified as a result of automated testing by the AddressSanitiser, MemorySanitiser, Control Flow Integrity, LibFuzzer and AFL tools. There are no critical problems that allow you to bypass all levels of browser protection and execute code on the system outside the sandbox environment. As part of the program to pay monetary rewards for detecting vulnerabilities for the current release, Google paid 21 bonuses worth 96 thousand US dollars (one premium of $15,000, two bonuses of $10,000, six premiums of $7,000, two premiums of $5,000, two premiums of $3,000 and one premium of $2000 and $1000[22]

Allow users to add password notes

On February 26, 2022, it became known that Google it had already moved on to testing another useful feature: now users will be able to add their notes to those saved in. browser to passwords This will allow you to enter any additional text in the note field. Usually important for the account or one that cannot be remembered in any way.

Illustration: droidnews.ru

More specifically, each user will be able to edit an existing password by adding a useful one for themselves. information Presumably, these can be addresses from, email control answers to questions and any other data necessary to simplify login.

The benefits of the presented function are important for people who struggle to remember such things. However, everything is ambiguous, because the question remains open. safety So, the user risks being vulnerable to malware thefts data.

At the same time, by capturing the list of Chrome passwords, fraudsters will not be able to deceive the multifactor authentication configured by users in personal accounts. If you save MFA backup codes and other personal information, the risk increases.

This is an important aspect that Google should pay attention to.[23]

2021

Prevent ad blockers from working in the browser

  • 1 XLIFFService: Error in XliffFile2XliffString method.

it became known that Google plans to transfer the Chrome browser to the Manifest V3 developer platform, which will entail the termination of the work of reclassifiers. - >

Illustration: www.zoo.team

From January 2023, only Manifest V3 extensions will be supported in the browser, as a result of which, some developers are sure, it will be very difficult to create add-ons, and their functions will be significantly limited. In fact, extensions will become nothing more than toys, and ad blockers will lose in efficiency.

The developers of the extensions uBlock Origin, uMatrix and NoScript say that the filters that allow the interface to be used will not be enough to build even the simplest software. That means ads on Google will now be inevitable. The ability to block ads will be saved only for corporate clients.[24]

  • 1 XLIFFService: Error in XliffFile2XliffString method.

than its predecessor, "-}} Lee clarified that extensions to Manifest V2 will cease to be accepted in the Chrome Web Store from January 17, 2022, and existing extensions can be updated. From January 2023, extensions on the old standard will stop running, and they will no longer be updated. -- >

Announcement of the date of termination of support for Manifest V2

Google announced that the add-ons for its proprietary Chrome browser, developed in accordance with the Manifest V2 specification, will stop working in January 2023. This became known on September 28, 2021.

Thus, Chrome will remain supporting exclusively the next, third version of the platform for Manifest V3 extensions. This change may complicate development for Chrome, according to some of the authors of the extensions.

File:Aquote1.png
This is an evolution of the extension platform, taking into account both the changing web landscape and the future of browser extensions, "said a Google spokesman.
File:Aquote2.png

Lee also clarified that the Chrome Web Store will stop accepting add-ons using the Manifest V2 API starting January 17, 2022. However, the extensions already present in it will still be able to receive updates. At the beginning of 2023, Chrome for private users will lose the ability to run V2 extensions, corporate users will have a little more time to adapt - for them support for the "outdated" Manifest V2 will stop in June 2023.

In January 2019, it became known that the Internet giant is working on the next version with updated features and restrictions - Manifest V3. With the release of Chrome 88 in January 2021, the browser has acquired full support for the third version of the "manifesto." Since then, V2- and V3 extensions have been able to coexist. Google promises to continue the development of Manifest V3 and over time add new features to it, demanded by the add-on development community[25].

Chrome 89 with read list and tab search

Google has released the Chrome 89 browser with additional features, including ones borrowed from Microsoft Edge and Apple Safari. Distribution of the update began and Windows 10 users have already received it. This became known on March 3, 2021.

The changes in Chrome 89 concern, for the most part, the user's interaction with the browser and are aimed at simplifying and improving their use. Developers will also find certain functions browser. However, not everyone will be able to install this version, from this version the browser will cease to support the old processors Intel and. AMD

As a result, those who still work on a PC or laptop over 15 years old will have to continue to use Chrome 88 or look for an alternative browser.

One of the changes in Chrome 89 is an alternative for the classic bookmark feature, designed for pages that the user wants to read later. Now he does not have to add them to bookmarks and delete them from there after reading - for such sites, the so-called "Read List" or Reading List appeared in the browser.

Read List

This list is available by clicking on the icon with the image of an asterisk in the address bar - in previous versions it was responsible for adding sites to bookmarks, but now it has more opportunities. In fact, the "read list" is a repeatedly simplified bookmark manager - the user can add pages to it and delete them, and he himself is divided into two sections - "read" and "unread." Google borrowed this feature from Apple Safari and from Microsoft Edge, which has been running Chromium since 2019.

Additional features will only be available when activated through the hidden settings menu

This feature is not available to all users for unknown reasons. Even after upgrading to version 89, the "read list" in Chrome is disabled by default. This change is still considered experimental, and you need to activate it through the Reading list flag (chrome ://flags/# read-later - enter it in the browser bar).

In Chrome 89, the developers have added the ability to customize user profiles. For each of the accounts in the browser, you can now select your own color scheme, which allows you to quickly determine which of the profiles is being used at the moment.

Changing will allow you to distinguish profiles in the browser according to the selected shade

The interface with accounts has also changed, becoming more intuitive. This property is not available to mobile users at the beginning of March 2021 - it is implemented exclusively in the desktop version of the browser.

Another feature in Chrome is tab search, available by clicking the arrow icon in the upper right corner of the browser window. This is a drop-down list of all open pages in all open Chrome windows, which displays five tabs by default, plus there is a search bar.

Search for tabs

This line is needed to find the necessary tabs by keywords. The function will be useful for those who regularly have dozens of tabs open in the browser, and they have to spend a lot of time finding what they need among them. As with the read list, tab search should be activated through flags (chrome ://flags/# enable-tab-search).

Chrome 89 no longer supports desktop and mobile processors without Streaming SIMD Extensions 3 or SSE3 instructions. These are very old Celeron, Pentium 4, as well as Athlon 64 FX, regular Athlon 64, Opteron and Sempron with steppings below E3 and E4[26].

2020

Browser update - speed up, processor load reduction

On November 18, 2020, Google released an updated Chrome browser, which the company said received the biggest performance boost in years thanks to a host of internal improvements.

According to the developers, Chrome now launches 25% faster, and the speed of downloading Internet pages has increased by 7%, while the program consumes less power and RAM than before.

Chrome product director Matt Waddell claims that Chrome in the new version prioritizes active tabs over those that are open but not used. Thanks to this, the load on the central processor has been reduced by up to 5 times and the devices will be able to work longer - according to Google's own data, the growth in battery life of the equipment reaches 1.25 hours relative to the use of previous versions of the browser on the same technique.

Google has released an updated Chrome, the browser launches 25% faster, and the processor load has decreased by 5 times

In addition, Google says that pages in the Android version of the browser began to load almost instantly. Among other innovations - users will be able not only to pin or group tabs, but also to use the search. Users will be able to see the list of open tabs, regardless of which window they are in, and quickly find what they need.

The address bar has become more useful thanks to the Chrome Actions feature - "a faster way to perform an action with just a few keystrokes," Google said.

Performance optimization occurred, among other things, due to JavaScript timers. At some point, Google found out that such timers use more than 40% of the resources in the background tabs. Therefore, the developers decided to wake up JavaScript timers once a minute to perform certain functions.[27]

Google has fixed two more zero-day vulnerabilities in Chrome

On November 12, 2020, it became known that Google had fixed two more vulnerabilities actively exploited by hackers in Chrome, which became the fourth and fifth zero-day vulnerabilities in the browser over the past few weeks. The problems were fixed in Chrome version 86.0.4240.198 for Windows, Mac and Linux, which users will receive in the next few days/weeks.

Google has fixed two more zero-day vulnerabilities in Chrome

As explained, unlike the previous three zero-day vulnerabilities, the CVE-2020-16013 and CVE-2020-16017 vulnerabilities were not discovered by Google Project Zero specialists, but by anonymous researchers. Google is aware of the existence of exploits for them, but it does not provide more information until all users receive a corrected version of the browser.

CVE-2020-16013: incorrect implementation of the V8 engine for rendering JavaScript; Google was notified of the problem on November 9, 2020.

CVE-2020-16017: vulnerability of memory corruption after release in the site isolation function; Google was notified of it on November 7, 2020.

It is noteworthy that the fixed zero-day vulnerability in Chrome (CVE-2020-16009) also exists due to an incorrect implementation of the V8 engine and allows code to be executed remotely. Whether both problems are related to each other, at the moment of 2020, the moment is unclear.

Recently, Google has reported a number of vulnerabilities actively exploited by hackers not only in Chrome, but also in Windows, iOS and macOS. Although some of them have been combined into one chain of exploits, the company has not yet disclosed either the cybercriminal groups using them or the victims. To avoid possible cyber attacks, users are advised to install updates[28]

Google will create its own root certificate store for Chrome

On November 2, 2020, it became known that the company Google plans to make a significant change to the architecture of its browser Chrome and create its own root certificate store for it. This store is a list of root certificates used operating system for application authentication ON during installation.

Browsers, including Chrome, use the root certificate list to authenticate an HTTPS connection. They find out if the root certificate with which the TLS site certificate was generated is present in the local root certificate store.

Since its launch in 2009 to this day, Chrome has been using the root certificate store installed on the computer operating system. For example, Chrome on a Windows PC checks TLS site certificates with Microsoft's Trusted Root Program, and Chrome on macOS relies on Apple's root certificate program, etc.

However, things may soon change, as Google intends to create its own Chrome Root Program root certificate store for Chrome, which will include all versions of Chrome for all platforms except iOS. The program is still at the earliest stage, and the dates for the browser to switch to using its own certificate list have not yet been set.

So far, Google has only published rules for certification centers (CAs) that issue TLS certificates for sites. The company encourages CAs to familiarize themselves and follow the rules if they want to be included in the Chrome Root Program. [29]

Google fixed zero-day vulnerability in Chrome

On October 20, 2020, it became known that Google released an updated version of its Chrome browser 86.0.4240.111, which fixed a zero-day vulnerability actively exploited by cybercriminals. The memory corruption vulnerability (CVE-2020-15999) is present in the FreeType font rendering library included in standard Chrome distributions.

Attacks exploiting this vulnerability were discovered by one of the researchers of the Google Project Zero team. According to its head Ben Hawkes, cybercriminals use a bug in the FreeType library to attack Chrome users. However, it recommends that manufacturers of other applications that use FreeType also release fixes in case hackers decide to switch to them.

The patch for the vulnerability is implemented in FreeType 2.10.4, released on October 20, 2020.

Google has not yet disclosed details about the vulnerability in order not to give clues to cybercriminals. As a rule, the company does not publish details about vulnerabilities in its products for months, giving users enough time to fix them.

However, since the patch for the vulnerability is visible in the FreeType source code (the library is an open source project), attackers can reverse engineer and develop an exploit within a few weeks or even days.

Over the past twelve months, this is the third zero-day vulnerability in Chrome, actively exploited by hackers. The first (CVE-2019-13720) was fixed in October 2019, and the second (CVE-2020-6418) - in February 2020[30]

Google tests displaying domain names in address bar instead of URL

The feature will be tested in the upcoming Chrome 86 release. Google expects the change to help protect users from fraudulent and phishing attacks using misleading URLs.

Domain names and URLs are one of the main forms of web security that allows users to quickly find out which site they are on. However, they can be used to mislead. Hackers and scammers often create fake websites that look plausible. To do this, they use URLs with typos (twittter.com), subdomains (yourbank.sign-in.info) or domains with hyphens (secure-gmail.com). Unsuspecting users go to such a URL and give their data to scammers.

Browser Safari, displays only the domain name in the address bar. This display looks clearer and makes it easier to identify fraudulent sites. If the user is used to seeing facebook.com in the address bar and at some point the browser suddenly displays facebook.com.money.biz.scam.inc this will alert the user.

Google says the new feature will be shown to a random subset of users in the Chrome 86 version. The company wants to make sure this change helps users understand that they are visiting a malicious site and protects them from phishing and social engineering attacks. If this really turns out to be the case, then in the future this function will become permanent.

Vulnerability in Chrome threatens data of billions of users

A vulnerability in browsers based on the Chromium engine allows attackers to bypass the content protection policy (Security Policy, CSP) on sites in order to steal data and inject malicious code. This became known on August 12, 2020.

Chromium

The vulnerability (CVE-2020-6519) was discovered by PerimeterX security researcher Gal Weizman. The problem is present in Chrome, Opera and Edge on Windows, Mac and Android and affects billions of Internet users. As for Chrome, versions 73 (released in March 2019) to 83 are vulnerable. Chrome 84, released in July 2020, has already fixed the problem.

CSP is a web standard that provides an additional layer of protection and helps detect and mitigate some types of attacks, including cross-site scripting (XSS) and data injection. CSP prompts site administrators to specify domains that the browser can consider a trusted source for loading executable scripts. Browsers that support this standard will only run and download files from specified domains.

Among others, CSPs are used by Internet giants such as, ESPN,, Facebook,, Gmail,, and Instagram. TikTok WhatsApp Wells Fargo Zoom The problem does not affect,,,,, GitHub Google Play Store LinkedIn page and PayPal Twitter"." authorizations Yahoo Yandex

To exploit the vulnerability, an attacker must first gain access to the web server (for example, by picking up a password using brute force, or in some other way) in order to be able to modify the JavaScript codes he uses. An attacker can then add frame-src and child-src attributes to JavaScript code, allowing the embedded code to download and execute them and thereby bypass CSP.

Since the vulnerability requires access to a web server to exploit, it is considered medium-dangerous (6.5 points out of 10 on the CvSS scale). However, since the bug affects compliance with content protection policies, its exploitation could have serious consequences, Wiseman warned[31] of[32].

Due to a marriage in Chrome, users downloaded spy extensions from the Google catalog 32 million times

In mid-June 2020, researchers from Awake Security discovered that due to a marriage in Chrome, users downloaded spy extensions from the Google catalog 32 million times. Researchers immediately alerted Google, which removed more than 70 malicious add-ons from its official online store.

Most spyware was advertised as extensions to protect users from questionable websites, however instead they downloaded browsing history and credentials. It was the largest malicious campaign to hit Chrome. Google declined to discuss the scale of the damage and the reasons why the spy ON hit the online store.

Spyware that collects search history and other user data was installed by Google Chrome users through 32 million downloads of various browser extensions

Who was behind the spread of the malware is still unclear. Awake analysts said the developers provided false contact information. All extensions were designed to avoid detection by antivirus programs or software that evaluates the reputation of web domains.

All the suspect domains the researchers found, more than 15,000, were purchased from a small registrar in Israel, Galprom, formally known as CommuniGal Communication. The owner of Galprom believes his company has nothing to do with it. The internet corporation, which oversees registrars, said there had been very few complaints about Galprom in all its years, and none of them involved malware.

Virus developers have long used the Google Chrome Store as a distribution channel. In 2018, Google promised to improve store security, but in February 2020, independent researcher Jamila Kaya and Cisco Systems Duo Security revealed a similar campaign to distribute Chrome malware, which stole data from about 1.7 million users.[33]

Sites can still detect incognito mode in Chrome

On June 4, 2020, it became known that sites can still detect incognito mode in Chrome. In August 2019, Google promised to fix the problem, but has not yet done so. Despite all Google's efforts in 2019, sites can still determine whether Chrome uses incognito mode.

Chrome

Some sites block their content for users who have enabled incognito mode in the browser, and there are a number of reasons for this. For example, many use this mode to freely access paid content and bypass various filters and limiters. In addition, at the beginning of June 2020, the incognito mode has aggressive anti-tracking functions that block sites from tracking user activity and monetizing their traffic. All of the above negatively affects the income of sites, so in recent years scripts have gained great popularity, allowing you to find out whether incognito mode is enabled in the browser.

In early 2019, Google decided to implement protection against such scripts in its browser. Chrome 76, released in July 2019, has a mechanism that blocks sites from using the FileSystem API to detect incognito mode. Before Chrome 76 in incognito mode, the FileSystem API was not available. Sites requested this API, and if it was not available, determined that anonymous mode was used.

To solve the problem, Google made the FileSystem API available in all modes. The catch, however, is that it has not become fully available. The manufacturer has set a hard limit on the amount of memory available for windows in incognito mode (up to 120 MB). After only a week, the programmers realized what was what, and created a script that examines the FileSystem API for the amount of memory available to the site and thereby allows them to indirectly determine whether anonymous mode is used.

In August 2019, Google promised to fix the problem and block the ability to detect incognito mode. Still, nine months have passed, but the company has never lived up to its promise. In both Chrome and other Chromium-based browsers (including Edge, Opera, Vivaldi and Brave), it is still possible to determine whether anonymous mode is enabled. Moreover, the developers have added support for Firefox and Safari to their scripts. [34].