Chrome 79 arrives with password warnings, real-time phishing protection, and WebXR Device API

Google today launched Chrome 79 for Windows, Mac, Linux, Android, and iOS. The release includes built-in warnings about compromised passwords, real-time phishing protection, the WebXR Device API, and more. This release thus beefs up security for the world’s most popular browser and sets the stage for bringing virtual reality to the web. You can update to the latest version now using Chrome’s built-in updater or download it directly from

With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often have to stay on top of everything available — as well as what has been deprecated or removed. Chrome 79 removes -webkit-appearance keywords for arbitrary elements.

Password Checkup

In February, Google launched a Chrome extension called Password Checkup. The extension warns you if your login credentials for any website have been involved in any sort of known hack or data breach. It compares your usernames and passwords against over 4 billion credentials (hashed and encrypted) that Google knows to be compromised. In October, Google built Password Checkup into Google Accounts. Now, the company has built it into Chrome, effectively making the extension obsolete.

Chrome now checks your passwords

As a result, when you sign in to a website, Chrome will send a SHA256 hashed copy of your username and password to Google. It will be encrypted with a secret key (not even Google will be able to see your credentials, the company says). Using a technique called private set intersection with blinding, Google uses multiple layers of encryption to compare your encrypted username and password with all of the encrypted breached usernames and passwords. If your username and password have been compromised, Chrome will encourage you to change your password.

You can turn this feature on or off in Chrome settings under Sync and Google Services. Enterprise admins can control this feature using this policy.

Real-time phishing protection

Google’s Safe Browsing service provides lists of URLs that contain malware or phishing content to Chrome, Firefox, and Safari browsers, as well as to internet service providers (ISPs). The service shows warnings before users visit dangerous sites or download dangerous files. As of May, Google Safe Browsing protects over 4 billion devices. Similar to the aforementioned password protection, Google can’t see the actual URL itself. Chrome checks a partial URL fingerprint (the first 32 bits of a SHA-256 hash of the URL) against Safe Browsing’s database.

READ  Top 10 Referral Marketing Insights 2019 [Infographic]

But it’s not perfect. Chrome checks the URL of each site you visit or file you download against its local list, which is updated approximately every 30 minutes. Google says that some phishing sites are, however, slipping through this refresh window either by switching domains very quickly or by hiding from the company’s crawlers. Google has thus implemented real-time phishing protections that inspect the URLs of pages visited with Safe Browsing’s servers in real time.

Now when you visit a website, Chrome checks it against a list stored on your computer of thousands of popular websites that are known to be safe. If the website is not on the safe list, Chrome checks the URL anonymously with Google to see if you’re visiting a dangerous site. Google says that in 30% of cases, this results in better protection against malicious sites that are brand new.

You can control this feature in Chrome settings with the “Make searches and browsing better” option. Enterprises administrators can manage this setting via this policy.

Chrome also has predictive phishing protections to warn users when they enter their Google Account password into suspected phishing sites. Google is now expanding this protection to everyone signed in to Chrome and to all credentials in the password manager. Previously it only worked for users that had Sync enabled. If you type a password stored in Chrome’s password manager, or the Google Account password you used to sign in to Chrome, into an unusual site, Chrome will do an anonymous check like with real-time phishing proteciton. If Safe Browsing determines that the site is indeed suspicious or malicious, Chrome will show you a warning and encourage you to change your compromised password.

READ  'My deal or no deal': what the papers say about Boris Johnson's Brexit plan

WebXR Device API

New Chrome releases often introduce new APIs. Chrome 79 implements a big one: the WebXR Device API, which brings virtual reality to the web. Other browsers, including Firefox Reality, Oculus Browser, Edge, and Magic Leap’s Helio browser, are expected to implement the API as well.

Big Bunny WebXR Device API

With the WebXR Device API, developers can now create immersive experiences for smartphones and head-mounted displays in Chrome. Google expects that more immersive features will follow, including supporting augmented reality and other immersive tools. The company even listed a few potential use cases: games, home buying, and viewing products in your home before buying them.

Developer features

Chrome 79 also brings an update to the V8 JavaScript engine. Version 7.9 includes performance improvements, the ability to handle API getters in builtins, OSR caching, and support for multiple code spaces in WebAssembly. Check out the full changelog for more information.

Other developer features in this release include:

  • Adaptive Icon Display for Installed PWAs on Android: Android Oreo introduced adaptive icons, which enforced the same shape for all icons on the home screen and in the launcher. Before Android Oreo, icons could be any shape and there was no background behind each icon. With adaptive icon display, Android will automatically mask irregularly shaped icons to fit properly.
  • Autofocus Support for any Focusable HTML/SVG Element: Adds the autofocus attribute to any focusable HTML or SVG element. The autofocus was previously supported for a limited number of HTML elements, and there were elements that could receive focus but didn’t support the autofocus attribute.
  • Compute img/video Aspect Ratio from Width Or Height HTML Attributes: The aspect ratio of an image is now computed so that it can be used for sizing an image using CSS before it loads. This avoids unnecessary relayouts when the image loads.
  • Font sizing: The font-optical-sizing property automatically sets the font size to the optical sizing axis of variable fonts that support optical sizing. This improves styling and legibility of fonts depending on font size because the font chooses a glyph shape that works optimally at the given font size.
  • list-style-type: <string>: Allows a stylesheet to use an arbitrary character for the list style marker. Examples include “-“, “+”, “★” and “▸”. Since CSS Level 2, list-style-type has supported keywords like disc or decimal to define the appearance of the list item marker.
  • Reject Worklet.addModule() with a More Specific Error: When Worklet.addModule() fails, a promise rejects with a more specific error object than it did previously. Worklet.addModule() can fail for various reasons, including, for example, network errors and syntax errors. Before this change, Worklet.addModule() rejected with AbortError regardless of the actual cause. That made it difficult for developers to debug worklets. After this change, Worklet.addModule() rejects with a clearer error such as SyntaxError.
  • Retrieve a Service Worker Object corresponding to a Worker itself: A service worker can now get its ServiceWorker object with self.serviceWorker in a service worker script and its current state with self.serviceWorker.state. A service worker instance previously had no way to get its current lifecycle state.
  • Stop evaluating script elements moved between documents during fetching:
    Chrome no longer evaluates scripts or fire error and load events if <script> elements are moved between documents during fetching. Script elements can still be moved between documents, but they won’t be executed. This prevents possible security bugs caused by exploitation of <script> elements moved between documents.
READ  US mental health staff warned not to contradict Trump after mass shootings

For a full rundown of what’s new, check out the Chrome 79 milestone hotlist.

Google releases a new version of its browser every six weeks or so. Chrome 80 will arrive in early February.



Please enter your comment!
Please enter your name here