Did you miss a session from GamesBeat Summit 2022? All sessions are available to stream now. Learn more.
Google today launched Chrome 86 for Windows, Mac, Linux, Android, and iOS. Chrome 86 brings password protections for Android and iOS, VP9 for macOS Big Sur, autoupgrades for insecure forms, File System Access API, focus indicator improvements, and a slew of developer features. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.
With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers have to stay on top of everything available — as well as what has been deprecated or removed. Chrome 86, for example, deprecates support for FTP URLs, starting with 1% of users and ramping up to 100% by Chrome 88.
Security improvements on Android and iOS
Chrome for Android and iOS now tells you if the passwords you’ve asked Chrome to remember have been compromised. Chrome sends an encrypted copy of your usernames and passwords to Google, which checks them against lists of credentials known to be compromised. Because they are encrypted, Google cannot see your username or password, the company claims. If you have a compromised password, Chrome will take you directly to the right “change password” form.
The last part works if the website in question has set a well-known URL for changing passwords (such as domain.com/change-password). The purpose of the URL is to redirect users to the actual change password page. For more information, see “Help users change passwords easily by adding a well-known URL for changing passwords.”
Google also announced today it plans to bring Safety Check, first introduced in Chrome 83, to mobile. In addition to handling compromised passwords for you, Safety Check also flags whether Google’s Safe Browsing service is turned off and your Chrome version is up-to-date.
Chrome 86 for Android is rolling out slowly on Google Play. The changelog isn’t available yet — it merely states that “This release includes stability and performance improvements.”
We do know, however, that Chrome for Android now has Google’s Enhanced Safe Browsing, which the company brought to Chrome for desktop earlier this year. Safe Browsing protects over 4 billion devices by providing lists of URLs that contain malware or phishing content to Chrome, Firefox, and Safari browsers, as well as to internet service providers (ISPs). Enhanced Safe Browsing takes that a step further with more proactive and tailored protections from phishing, malware, and other web-based threats. If you turn it on, Chrome proactively checks whether pages and downloads are dangerous by sending information about them to Google Safe Browsing.
If you’re signed in to Chrome, Enhanced Safe Browsing will further protect your data in Google apps you use (Gmail, Drive, etc.) “based on a holistic view of threats you encounter on the web and attacks against your Google Account.” Of those users who have enabled checking websites and downloads in real time, Google says its predictive phishing protections see a roughly 20% drop in users typing their passwords into phishing sites.
Chrome 86 for iOS meanwhile is out on Apple’s App Store with the usual “stability and performance improvements.” Here is the full changelog:
- You can now make Chrome your default browser.
- You can check if your saved passwords have been compromised and, if so, how to fix them. Go to Chrome settings > passwords > check passwords.
- You now have more sharing, opening and other options when you tap and hold on Bookmarks, history, recent tabs, and read later.
- You’ll see improvements to the personalized stories on your new tab page.
- If you have “Make searches and browsing better” turned on, Chrome will offer some additional protection by checking known phishing websites with Google in real time.
Google also promises that the next Chrome for iOS release will add more password features. There will be a biometric authentication step before autofilling passwords — you’ll be able to authenticate using Face ID, Touch ID, or your phone passcode.
You will soon also be able to autofill saved login details into other apps or browsers.
VP9 for macOS Big Sur
Chrome 86 brings the VP9 video codec to macOS Big Sur whenever it’s supported in the underlying hardware. VP9 is the successor to VP8, both of which fall under Google’s WebM project of freeing web codecs from royalty constraints.
If you use the Media Capabilities API to detect playback smoothness and power efficiency, the logic in your video player should automatically start preferring VP9 at higher resolutions. To take full advantage of this feature, Google recommends that developers encode their VP9 files in multiple resolutions to accommodate varying user bandwidths and connections.
Autoupgrading mixed content
Google has been coaxing developers to avoid HTTP in a bid to get the web to HTTPS. While Chrome users spend over 90% of their browsing time on HTTPS, Google isn’t done yet. Chrome 79 introduced a setting to unblock mixed scripts, iframes, and other types of content that the browser blocks by default. Chrome 80 started autoupgrading mixed audio and video resources in HTTPS sites by rewriting URLs to HTTPS without falling back to HTTP when secure content is not available. Chrome 81 started autoupgrading mixed images to HTTPS.
Chrome 86 now autoupgrades forms that don’t submit data securely. Chrome for desktop and Android will show you a mixed form warning before you submit a non-secure form that’s embedded in an HTTPS page. Chrome 86 will also block or warn on insecure downloads initiated by secure pages for commonly abused file types. Secure pages will eventually only be able to initiate secure downloads of any type.
HTTPS is a more secure version of the HTTP protocol used on the internet to connect users to websites. Secure connections are widely considered a necessary measure to decrease the risk of users being vulnerable to content injection (which can result in eavesdropping, man-in-the-middle attacks, and other data modification). Data is kept secure from third parties, and users can be more confident they are communicating with the correct website.
Google’s ultimate goal is to ensure HTTPS pages in Chrome can only load secure HTTPS subresources. If you’re a developer looking to clean up your mixed content, check out the Content Security Policy, Lighthouse, and this HTTPS guide.
Chrome 86 implements 35 security fixes. The following were found by external researchers:
- [$N/A] Critical CVE-2020-15967: Use after free in payments. Reported by Man Yue Mo of GitHub Security Lab on 2020-09-11
- [$5000] High CVE-2020-15968: Use after free in Blink. Reported by Anonymous on 2020-09-09
- [$500] High CVE-2020-15969: Use after free in WebRTC. Reported by Anonymous on 2020-09-03
- [$N/A] High CVE-2020-15970: Use after free in NFC. Reported by Man Yue Mo of GitHub Security Lab on 2020-07-22
- [$N/A] High CVE-2020-15971: Use after free in printing. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-08-07
- [$TBD] High CVE-2020-15972: Use after free in audio. Reported by Anonymous on 2020-08-13
- [$TBD] High CVE-2020-15990: Use after free in autofill. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2020-09-30
- [$TBD] High CVE-2020-15991: Use after free in password manager. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2020-09-30
- [$15000] Medium CVE-2020-15973: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-07-17
- [$7500] Medium CVE-2020-15974: Integer overflow in Blink. Reported by Juno Im (junorouse) of Theori on 2020-07-10
- [$7500] Medium CVE-2020-15975: Integer overflow in SwiftShader. Reported by Anonymous on 2020-07-29
- [$7500] Medium CVE-2020-15976: Use after free in WebXR. Reported by YoungJoo Lee(@ashuu_lee) of Raon Whitehat on 2020-08-31
- [$5000] Medium CVE-2020-6557: Inappropriate implementation in networking. Reported by Matthias Gierlings and Marcus Brinkmann (NDS Ruhr-University Bochum) on 2020-05-15
- [$5000] Medium CVE-2020-15977: Insufficient data validation in dialogs. Reported by Narendra Bhati (https://twitter.com/imnarendrabhati) on 2020-06-22
- [$5000] Medium CVE-2020-15978: Insufficient data validation in navigation. Reported by Luan Herrera (@lbherrera_) on 2020-08-14
- [$5000] Medium CVE-2020-15979: Inappropriate implementation in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-09-11
- [$3000] Medium CVE-2020-15980: Insufficient policy enforcement in Intents. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab (腾讯安全玄武实验室） on 2020-06-08
- [$3000] Medium CVE-2020-15981: Out of bounds read in audio. Reported by Christoph Guttandin on 2020-08-28
- [$2000] Medium CVE-2020-15982: Side-channel information leakage in cache. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
- [$N/A] Medium CVE-2020-15983: Insufficient data validation in webUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-04-30
- [$TBD] Medium CVE-2020-15984: Insufficient policy enforcement in Omnibox. Reported by Rayyan Bijoora on 2020-05-07
- [$N/A] Medium CVE-2020-15985: Inappropriate implementation in Blink. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2020-06-25
- [$N/A] Medium CVE-2020-15986: Integer overflow in media. Reported by Mark Brand of Google Project Zero on 2020-06-29
- [$N/A] Medium CVE-2020-15987: Use after free in WebRTC. Reported by Philipp Hancke on 2020-09-14
- [$N/A] Medium CVE-2020-15992: Insufficient policy enforcement in networking. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-28
- [$500] Low CVE-2020-15988: Insufficient policy enforcement in downloads. Reported by Samuel Attard on 2020-06-08
- [$N/A] Low CVE-2020-15989: Uninitialized Use in PDFium. Reported by Gareth Evans (Microsoft) on 2020-07-22
Google thus spent at least $72,000 in bug bounties for this release, a massive amount compared to its usual spend. As always, the security fixes alone should be enough incentive for you to upgrade.
The File System Access API, first available as an Origin Trial, is now available in Chrome 86. The API lets developers build powerful web apps that interact with files on the user’s local device such as IDEs, photo and video editors, text editors, and so on.
Chrome 86 introduces two improvements for focus indicator, a crucial feature for users who rely on assistive tech to navigate the web. The first is a CSS selector,
:focus-visible, which lets a developer opt-in to the same heuristic the browser uses when it’s deciding whether to display a default focus indicator. The second is a user setting called Quick Focus Highlight, a setting that causes an additional focus indicator to appear over the active element. Importantly, this indicator will be visible even if the page has disabled focus styles with CSS, and it causes any :focus or :focus-visible styles to always be displayed.
Chrome offers Origin Trials, which let you try new features and provide feedback to the web standards community. Chrome 86 has five new Origin Trials: WebHID API, cross-screen window placement, battery-savings meta tag, secure payment confirmation, and Cross-Origin-Opener-Policy Reporting API.
Other developer features in this release include:
- Altitude and Azimuth for PointerEvents v3: Adds Altitude and Azimuth angles to PointerEvents. Adds tiltX and tiltY to altitude and azimuth transformation and altitude and azimuth to tiltX and tiltY transformation, depending on which pair is available from the device. These angles are those commonly measured by devices. Altitude and azimuth can be calculated using trigonometry from tiltX, tiltY. From a hardware perspective it is easier and less expensive to measure tiltX and tiltY.
- Change Encoding of Space Character when URLs are Computed by Custom Protocol Handlers: The navigator.registerProtocolHandler() handler now replaces spaces with “%20” instead of “+”. This makes Chrome consistent with other browsers such as Firefox.
- CSS ::marker Pseudo-Element: Adds a pseudo-element for customizing numbers and bullets for <ul> and <ol> elements. This change lets developers control the color, size, bullet shape, and number type.
- Document-Policy Header: Document Policy restricts the surface area of the web platform on a per-document basis, similar to iframe sandboxing, but more flexibly.
- EME persistent-usage-record Session: Adds a new MediaKeySessionType named “persistent-usage-record session”, for which the license and keys are not persisted and for which a record of key usage is persisted when the keys available within the session are destroyed. This feature may help content providers understand how decryption keys are used for purposes like fraud detection.
- FetchEvent.handled: A FetchEvent dispatched to a service worker is in a loading pipeline, which is performance sensitive. The new FetchEvent.handled property returns a promise that resolves when a response is returned from a service worker to its client. This enables a service worker to delay tasks that can only run after responses are complete.
- HTMLMediaElement.preservesPitch: Adds a property to determine whether the pitch of an audio or video element should be preserved when adjusting the playback rate. This feature is wanted for creative purposes (for example, pitch-shifting in “DJ deck” style applications). It also prevents the introduction of artifacts from pitch-preserving algorithms at playback speeds very close to 1.00. It is already supported by Safari and Firefox.
- Imperative Shadow DOM Distribution API: Web developers can now explicitly set the assigned nodes for a slot element. For information on how the new API solves these issues, see the Imperative Shadow DOM Distribution API explainer.
- Move window.location.fragmentDirective: The window.location.fragmentDirective property has been moved to document.fragmentDirective. This is a change to the text fragments feature.
- New Display Values for the <fieldset> Element: The <fieldset> element now supports ‘inline-grid’, ‘grid’, ‘inline-flex’, and ‘flex’ keywords for the CSS ‘display’ property.
- ParentNode.replaceChildren() Method: Adds a method to replace all children of the ParentNode with the passed-in nodes.
- Safelist Distributed Web Schemes for registerProtocolHandler(): Chrome has extended the list of URL schemes that can be overridden via registerProtocolHandler() to include cabal, dat, did, dweb, ethereum, hyper, ipfs, ipns, and ssb. Extending the list to include decentralized web protocols allows resolution of links to generic entities independently of the website or gateway that’s providing access to it. For more information, see Programmable Custom Protocol Handlers at are we distributed yet?
- text/html Support for the Asynchronous Clipboard API: The Asynchronous Clipboard API currently does not support the text/html format. Chrome 86 adds support for copying and pasting HTML from the clipboard. The HTML is sanitized when it is read and written to the clipboard. This is also intended to help the replacement of document.execCommand() for copy and paste functionality.
- WebRTC Insertable Streams: Enables the insertion of user-defined processing steps in the encoding and decoding of a WebRTC MediaStreamTrack. This allows applications to insert custom data processing. An important use case this supports is end-to-end encryption of the encoded data transferred between RTCPeerConnections via an intermediate server.
For a full rundown of what’s new, check out the Chrome 86 milestone hotlist.
Google releases a new version of its browser every six weeks or so. Chrome 87 will arrive in mid-November.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.