Google today launched Chrome 81 for Windows, Mac, Linux, Android, and iOS. Chrome 81 includes an Origin Trial of Web NFC for mobile, early Augmented Reality support, mixed images autoupgraded to HTTPS, TLS 1.0 and TLS 1.1 deprecated, and more developer features. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.

With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers have to stay on top of everything available — as well as what has been deprecated or removed. Among other things, Chrome 81 removes the “discard” element and FTP support.

Chrome 81 is arriving late. When the coronavirus crisis took hold, millions found themselves spending more time in their browsers as they learn and work from home. But the crisis is also impacting software developers. Google paused Chrome releases, which typically arrive every six weeks, and later came back with an updated schedule. Ultimately, Chrome 81 was delayed, Chrome 82 is being skipped altogether, and Chrome 83 has been moved up a few weeks. Microsoft has followed suit with Edge’s release schedule, consistent with Google’s open source Chromium project, which both Chrome and Edge are based on. Mozilla, however, today committed to not changing Firefox’s release schedule, which sees a new version every four weeks.

Web NFC for mobile

Back in September, with the release of Chrome 77, Google introduced Origin Trials, which let you try new features and provide feedback on usability, practicality, and effectiveness to the web standards community. Chrome 81 introduces the mobile web to Near Field Communications (NFC) in an Origin Trial.

Web NFC cards demo

NFC is a short-range wireless technology for transmitting small amounts of data between a device and a tag, reader, or another device. Web NFC allows a web app to read and write to NFC tags. Google hopes the feature will be used to provide information about museum exhibits, augment a conference badge, perform inventory management, and so on.

Reading and writing to Web NFC are simple operations, though you will need a little instruction for constructing and interpreting payloads. If you’re a developer, check out Google’s webpage Interact with NFC devices on the web.

Augmented Reality support

In December, Chrome 79 introduced the WebXR Device API, which brings virtual reality to the web. Chrome 81 expands the API with two new immersive features designed to support augmented reality on the web: augmented reality session types and hit testing. Google has also added support for the WebXR Hit Test API, an API for placing objects in a real-world view.

Chrome WebXR Device API augmented reality

The WebXR Hit Test API now lets you place virtual objects on real-world points in a camera view. The new API captures both the location of a hit test and the orientation of the point that was detected, indicated by a broken blue circle.

Google promises that there’s very little you need to learn if you’ve already used the WebXR Hit Test API for VR. The spec was designed to have the same application flow regardless of the degree of augmentation or virtualization. The main change you have to worry about is setting and requesting different properties during object creation. To learn more, check out Google’s article on Web AR.

Mixed images autoupgraded to HTTPS

Google has been coaxing developers to avoid HTTP in a bid to get the web to HTTPS. While Chrome users spend over 90% of their browsing time on HTTPS, Google isn’t done yet. The latest push started in October, when Google laid out its plan for mixed content.

HTTPS is a more secure version of the HTTP protocol used on the internet to connect users to websites. Secure connections are widely considered a necessary measure to decrease the risk of users being vulnerable to content injection (which can result in eavesdropping, man-in-the-middle attacks, and other data modification). Data is kept secure from third parties, and users can be more confident they are communicating with the correct website.

Chrome 79 page info

In December, Chrome 79 introduced a setting (lock icon on HTTPS pages => Site Settings) to unblock mixed scripts, iframes, and other types of content that the browser blocks by default. In February, Chrome 80 began autoupgrading mixed audio and video resources in HTTPS sites by rewriting URLs to HTTPS without falling back to HTTP when secure content is not available. If they fail to load over HTTPS, Chrome will block them by default.

Now, Chrome 81 autoupgrades mixed images to HTTPS. If they fail to load over HTTPS, Chrome will block them by default.

Google ultimately wants to ensure HTTPS pages in Chrome can only load secure HTTPS subresources. If you’re a developer looking to clean up your mixed content, check out the Content Security Policy, Lighthouse, and this HTTPS guide.
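As an added illustration (not code from Google or from this article), the following Node.js sketch scans a page's HTML for `http://` subresources and labels each one with the treatment described above: images, audio, and video are autoupgraded, while scripts and iframes are blocked. The rule table, the function name, and the `example.test` hosts are assumptions made for the example.

```javascript
// Added example (not from the article): classify http:// subresources on an
// HTTPS page the way the article says Chrome 81 treats them.
const RULES = {
  img: 'autoupgrade',    // Chrome 81
  audio: 'autoupgrade',  // Chrome 80
  video: 'autoupgrade',  // Chrome 80
  script: 'block',       // blocked by default
  iframe: 'block',       // blocked by default
};

// Regex scan for an audit pass; it does not handle ">" inside attribute values.
function findMixedContent(html) {
  const findings = [];
  const tagRe = /<(img|audio|video|script|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    // Require whitespace before "src" so a lazy-loader's data-src is not matched.
    const src = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[2]);
    if (!src) continue;
    const url = (src[1] ?? src[2] ?? src[3]).trim();
    if (!/^http:\/\//i.test(url)) continue; // https:, relative and //host URLs pass
    const tag = m[1].toLowerCase();
    findings.push({
      tag,
      url,
      chrome81: RULES[tag],
      // For 'autoupgrade' this is the URL Chrome requests instead. There is no
      // HTTP fallback, so it must really be served or the resource is blocked.
      httpsUrl: url.replace(/^http:/i, 'https:'),
    });
  }
  return findings;
}

// Constructed sample page; the example.test hosts are placeholders.
const SAMPLE_HTML = `
<img src="http://cdn.example.test/logo.png" alt="logo">
<img src="https://cdn.example.test/ok.png">
<img data-src="http://cdn.example.test/lazy.png" src="/placeholder.gif">
<video src='http://media.example.test/clip.mp4'></video>
<script src=http://static.example.test/app.js></script>
<iframe src="//widgets.example.test/frame"></iframe>`;

console.log(findMixedContent(SAMPLE_HTML));
```

Each `httpsUrl` in the output is worth requesting once from a build or CI job: an autoupgraded image whose HTTPS copy does not exist simply disappears from the page.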

TLS 1.0 and TLS 1.1 deprecated

Chrome 81 is also notable for anyone who manages a website, even if they don’t use Chrome at home or at work. Chrome 81 has deprecated Transport Layer Security (TLS) 1.0 and TLS 1.1. Along with other major browser makers Apple, Microsoft, and Mozilla, in October 2018 Google promised to disable support for TLS 1.0 and TLS 1.1. Google is now starting to deliver on that promise.

TLS is a cryptographic protocol designed to provide communications security over a computer network — websites use it to secure all communications between their servers and browsers. TLS also succeeds Secure Sockets Layer (SSL) and thus handles the encryption of every HTTPS connection.

In Chrome 81, sites that do not support TLS 1.2 and above will show a full-page warning telling users that the connection is not fully secure. Website administrators can opt out using the SSLVersionMin policy to disable the security indicator and warning until January 2021. To allow TLS 1.0 and later without additional warnings, set the policy to tls1.
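To see which side of that line a server falls on, you can read the version it chose out of its ServerHello. The Node.js sketch below is an added example, not code from Google or this article; it parses a captured ServerHello record and flags anything below TLS 1.2. The function names are hypothetical and the sample bytes are constructed.

```javascript
// Added example (not from the article): extract the TLS version a server chose
// from its ServerHello record and flag versions below TLS 1.2.
const NAMES = { 0x0301: 'TLS 1.0', 0x0302: 'TLS 1.1', 0x0303: 'TLS 1.2', 0x0304: 'TLS 1.3' };

function negotiatedVersion(rec) {
  if (rec.length < 5 || rec[0] !== 0x16) throw new Error('not a TLS handshake record');
  const end = 5 + rec.readUInt16BE(3);            // record header is 5 bytes
  if (end > rec.length || end < 47) throw new Error('truncated ServerHello');
  if (rec[5] !== 0x02) throw new Error('handshake message is not a ServerHello');
  let p = 9;                                      // past handshake type (1) + length (3)
  let version = rec.readUInt16BE(p);              // legacy_version
  p += 2 + 32;                                    // legacy_version + random
  p += 1 + rec[p];                                // session_id length byte + session_id
  p += 2 + 1;                                     // cipher_suite + compression_method
  if (p > end) throw new Error('session_id overruns record');
  if (p + 2 > end) return version;                // no extensions block at all
  const extEnd = Math.min(end, p + 2 + rec.readUInt16BE(p));
  p += 2;
  while (p + 4 <= extEnd) {
    const type = rec.readUInt16BE(p);
    const len = rec.readUInt16BE(p + 2);
    if (p + 4 + len > extEnd) break;              // malformed extension, stop parsing
    // TLS 1.3 keeps legacy_version at 0x0303 and puts the real version in
    // the supported_versions extension (type 0x002b).
    if (type === 0x002b && len === 2) version = rec.readUInt16BE(p + 4);
    p += 4 + len;
  }
  return version;
}

function classify(rec) {
  const v = negotiatedVersion(rec);
  return { version: NAMES[v] || 'unknown', belowTls12: v < 0x0303 };
}

// Constructed sample bytes: zeroed random, empty session_id, placeholder cipher suite.
function sampleServerHello(legacy, selected) {
  const ext = selected ? [0x00, 0x2b, 0x00, 0x02, selected >> 8, selected & 0xff] : [];
  const body = [legacy >> 8, legacy & 0xff, ...new Array(32).fill(0), 0x00,
                0xc0, 0x2f, 0x00, 0x00, ext.length, ...ext];
  const hs = [0x02, 0x00, 0x00, body.length, ...body];
  return Buffer.from([0x16, 0x03, 0x03, 0x00, hs.length, ...hs]);
}

console.log(classify(sampleServerHello(0x0301)), classify(sampleServerHello(0x0303, 0x0304)));
```

The result only reflects the best version the server supports if the ServerHello was captured in reply to a ClientHello that offered TLS 1.2 and 1.3.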

Android and iOS

Chrome 81 for Android is rolling out slowly on Google Play. The changelog isn’t available yet — it merely states that “This release includes stability and performance improvements.” The main change is likely the aforementioned Web NFC Origin Trial.

Chrome 81 for iOS is out on Apple’s App Store. The changelog is as follows:

  • Chrome updated its Terms of Service. You can review the new terms when you create a new tab.
  • You can find your downloads in the downloads folder in Chrome’s menu, or in your device’s Files app.
  • Search suggestions will also include suggestions from the middle of words.

You can read the changes to the terms of service here.

Security fixes

Chrome 81 implements 32 security fixes. The following were found by external researchers:

  • [$7500][1019161] High CVE-2020-6454: Use after free in extensions. Reported by leecraso of Beihang University and Guang Gong of Alpha Team, Qihoo 360 on 2019-10-29
  • [$5000][1043446] High CVE-2020-6423: Use after free in audio. Reported by Anonymous on 2020-01-18
  • [$3000][1059669] High CVE-2020-6455: Out of bounds read in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of Alpha Lab, Qihoo 360 on 2020-03-09
  • [$2000][1031479] Medium CVE-2020-6430: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2019-12-06
  • [$2000][1040755] Medium CVE-2020-6456: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-01-10
  • [$1000][852645] Medium CVE-2020-6431: Insufficient policy enforcement in full screen. Reported by Luan Herrera (@lbherrera_) on 2018-06-14
  • [$1000][965611] Medium CVE-2020-6432: Insufficient policy enforcement in navigations. Reported by David Erceg on 2019-05-21
  • [$1000][1043965] Medium CVE-2020-6433: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-01-21
  • [$500][1048555] Medium CVE-2020-6434: Use after free in devtools. Reported by HyungSeok Han (DaramG) of Theori on 2020-02-04
  • [$N/A][1032158] Medium CVE-2020-6435: Insufficient policy enforcement in extensions. Reported by Sergei Glazunov of Google Project Zero on 2019-12-09
  • [$TBD][1034519] Medium CVE-2020-6436: Use after free in window management. Reported by Igor Bukanov from Vivaldi on 2019-12-16
  • [$500][639173] Low CVE-2020-6437: Inappropriate implementation in WebView. Reported by Jann Horn on 2016-08-19
  • [$500][714617] Low CVE-2020-6438: Insufficient policy enforcement in extensions. Reported by Ng Yik Phang on 2017-04-24
  • [$500][868145] Low CVE-2020-6439: Insufficient policy enforcement in navigations. Reported by remkoboonstra on 2018-07-26
  • [$500][894477] Low CVE-2020-6440: Inappropriate implementation in extensions. Reported by David Erceg on 2018-10-11
  • [$500][959571] Low CVE-2020-6441: Insufficient policy enforcement in omnibox. Reported by David Erceg on 2019-05-04
  • [$500][1013906] Low CVE-2020-6442: Inappropriate implementation in cache. Reported by B@rMey on 2019-10-12
  • [$500][1040080] Low CVE-2020-6443: Insufficient data validation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-01-08
  • [$N/A][922882] Low CVE-2020-6444: Uninitialized Use in WebRTC. Reported by mlfbrown on 2019-01-17
  • [$N/A][933171] Low CVE-2020-6445: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
  • [$N/A][933172] Low CVE-2020-6446: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
  • [$N/A][991217] Low CVE-2020-6447: Inappropriate implementation in developer tools. Reported by David Erceg on 2019-08-06
  • [$N/A][1037872] Low CVE-2020-6448: Use after free in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2019-12-26
  • Hosein Askari identified a vulnerability with the Chromium website.
  • [1067891] Various fixes from internal audits, fuzzing and other initiatives

Google thus spent at least $26,500 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.

Developer features

Chrome 81 introduces app icon badging in stable. That means you can now use it on any site without a token. Badging lets you subtly notify the user of new activity or information that might require their attention. It’s more user-friendly than notifications and particularly useful for unread counts. Because it doesn’t interrupt the user, it can be updated more frequently. Google envisions the feature being used for chat or email apps, social media apps, and games.

Chrome 81 also includes the latest V8 JavaScript engine. Version 8.1 introduces the Intl.DisplayNames API to let developers display translated names of languages, regions, scripts, and currencies. Google hopes this will reduce the size of apps (thereby improving latency), make it easier to build internationalized UI components, reduce translation costs, and provide more consistent translations across the web. Check out the full changelog for more information.

Other developer features in this release include:

  • PointerLock unadjustedMovement (Origin Trial): Scripts now have the ability to request unadjusted and unaccelerated mouse movement data when in PointerLock. If unadjustedMovement is set to true, then pointer movements will not be affected by the underlying platform modifications such as mouse acceleration.
  • Buffered Flag for Long Tasks: Chrome 81 updates the buffered flag of PerformanceObserver to support long tasks. In particular, this feature provides a way to gain insight into early long tasks for apps or pages that register a PerformanceObserver early.
  • CSS image-orientation property: Chrome will by default respect EXIF metadata within images indicating desired orientation. The accompanying image-orientation property allows developers to override this behavior.
  • CSS Color Adjust: color-scheme: A new meta tag and CSS property lets sites opt-in to following the preferred color scheme when rendering UI elements such as default colors of form controls and scrollbars as well as the used values of the CSS system colors. For Chrome 81, only initial color and background are affected.
  • Exclude Implicit Tracks from grid-template-rows and grid-template-columns Resolved Values: Implicit tracks are now excluded from the resolved values of the grid-template-rows and grid-template-columns. Previously, all tracks were included, whether implicit or explicit.
  • hrefTranslate attribute on HTMLAnchorElement: The HTMLAnchorElement now has an hrefTranslate attribute, providing the ability for a page to hint to a user agent’s translation engine that the destination site of an href should be translated if followed.
  • IntersectionObserver Document Root: The IntersectionObserver() constructor now takes a Document as the ‘root’ argument, causing intersections to be calculated against the scrolling viewport of the document. This is primarily targeted towards observers running in an iframe. Previously, there was no way to measure intersection with the scrolling viewport of the iframe’s document.
  • Modernized Form Controls: In version 81, Chrome modernizes the appearance of form controls on Windows, ChromeOS, and Linux while improving their accessibility and touch support. (Mac and Android support are coming soon.) It’s hoped that this will reduce the need to build custom form controls. This change is the result of collaboration between Microsoft and Google. For more information, see the recent talk at CDS or the MS blog post. For a closer look at the controls, this page gives an example of all of the elements that changed.
  • Move onwebkit{animation,transition}XX handlers to GlobalEventHandlers: Until now, the prefixed onwebkit{animation,transition}XX handlers were only available on the Window object in Chrome. They are now on HTMLElement and Document as required by the spec. This fix brings Chrome in line with Gecko and Webkit.
  • Position State for Media Session: Adds support for tracking position state in a media session. The position state is a combination of the playback rate, duration, and current playback time. This can then be used by browsers to display position in the UI and with the addition of seeking can support seeking/scrubbing too. A code sample and demonstration is available here.
  • SubmitEvent: Chrome now supports a SubmitEvent type, an Event subtype which is dispatched on form submission. The SubmitEvent has a submitter property that refers to attributes of the submitter button including the entry data, the formaction attribute, the formenctype attribute, the formmethod attribute, and the formtarget attribute.
  • WebAudio: ConvolverNode.channelCount and channelCountMode: For a ConvolverNode, the channelCount can now be set to 1 or 2. The channelCountMode can be "explicit" or "clamped-max". Previously, a channelCount of 1 was not allowed and neither was a mode of "explicit". This release also extends ConvolverNode capabilities slightly to allow developers to choose the desired behavior without having to add a GainNode to do the desired mixing.
  • RTCPeerConnection.onicecandidateerror event changes: The candidateerror event now has an explicit address and port, replacing hostCandidate.
  • onclosing Event for RTCDataChannel: Adds the onclosing event to the RTCDataChannel object, which signals to the user of a data channel that the other side has started closing the channel. The user agent will continue reading from the queue (if it contains anything) until the queue is empty, but no more data can be sent.
  • WorkerOptions for shared workers constructor: Adds the WorkerOptions object as the second argument for a shared worker constructor. The previous second argument, a string containing the worker’s name is still supported.
  • WritableStream.close(): WritableStream objects now have a close() method that closes a stream if it is unlocked. This is directly equivalent to getting a writer, using the writer to close the stream, and then unlocking it again.

For a full rundown of what’s new, check out the Chrome 81 milestone hotlist. Google is skipping Chrome 82, and Chrome 83 will arrive in mid-May.

