Google today launched Chrome 79 for Windows, Mac, Linux, Android, and iOS. The release includes built-in warnings about compromised passwords, real-time phishing protection, the WebXR Device API, and more. This release thus beefs up security for the world’s most popular browser and sets the stage for bringing virtual reality to the web. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.
With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often have to stay on top of everything available — as well as what has been deprecated or removed. Chrome 79 removes -webkit-appearance keywords for arbitrary elements.
In February, Google launched a Chrome extension called Password Checkup. The extension warns you if your login credentials for any website have been involved in any sort of known hack or data breach. It compares your usernames and passwords against over 4 billion credentials (hashed and encrypted) that Google knows to be compromised. In October, Google built Password Checkup into Google Accounts. Now, the company has built it into Chrome, effectively making the extension obsolete.
As a result, when you sign in to a website, Chrome will send a SHA256 hashed copy of your username and password to Google. It will be encrypted with a secret key (not even Google will be able to see your credentials, the company says). Using a technique called private set intersection with blinding, Google uses multiple layers of encryption to compare your encrypted username and password with all of the encrypted breached usernames and passwords. If your username and password have been compromised, Chrome will encourage you to change your password.
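The blinded comparison described above can be sketched as follows. This is an added example, not Chrome's or Google's code: the toy multiplicative group, the credential encoding, and the names BreachServer, reblind and client_check are assumptions made for illustration, and the parameters are not secure.

```python
import hashlib
import math
import secrets

P = 2**521 - 1   # Mersenne prime; toy group Z_P^*, NOT secure parameters
ORDER = P - 1    # exponents are reduced modulo the group order

def hash_to_group(username: str, password: str) -> int:
    """SHA-256 the credential pair and treat the digest as a nonzero element mod P."""
    digest = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(digest, "big") % P or 1

def random_key() -> int:
    """Pick a secret exponent that is invertible modulo the group order."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(k, ORDER) == 1:
            return k

class BreachServer:
    """Hypothetical stand-in for the service holding breached credentials."""
    def __init__(self, breached):
        self._b = random_key()  # server secret, never leaves the server
        # The breach corpus is only ever exposed as H(cred)^b.
        self.blinded_set = {pow(hash_to_group(u, p), self._b, P) for u, p in breached}

    def reblind(self, client_blinded: int) -> int:
        # The server receives H(cred)^a, never H(cred) or the credential itself.
        return pow(client_blinded, self._b, P)

def client_check(server: BreachServer, username: str, password: str) -> bool:
    a = random_key()                                        # fresh client secret
    blinded = pow(hash_to_group(username, password), a, P)  # send H^a
    double = server.reblind(blinded)                        # receive H^(a*b)
    unblinded = pow(double, pow(a, -1, ORDER), P)           # strip a, leaving H^b
    return unblinded in server.blinded_set                  # compare blinded values only

# Constructed sample data.
SAMPLE_BREACH = [("alice@example.com", "hunter2"), ("bob@example.com", "123456")]
```

Both sides only ever compare values raised to the server's key, so the client never learns the breach corpus in the clear and the server never sees an unblinded hash of the submitted credential.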
Real-time phishing protection
Google’s Safe Browsing service provides lists of URLs that contain malware or phishing content to Chrome, Firefox, and Safari browsers, as well as to internet service providers (ISPs). The service shows warnings before users visit dangerous sites or download dangerous files. As of May, Google Safe Browsing protects over 4 billion devices. Similar to the aforementioned password protection, Google can’t see the actual URL itself. Chrome checks a partial URL fingerprint (the first 32 bits of a SHA-256 hash of the URL) against Safe Browsing’s database.
But it’s not perfect. Chrome checks the URL of each site you visit or file you download against its local list, which is updated approximately every 30 minutes. Google says that some phishing sites are, however, slipping through this refresh window either by switching domains very quickly or by hiding from the company’s crawlers. Google has thus implemented real-time phishing protections that inspect the URLs of pages visited with Safe Browsing’s servers in real time.
Now when you visit a website, Chrome checks it against a list stored on your computer of thousands of popular websites that are known to be safe. If the website is not on the safe list, Chrome checks the URL anonymously with Google to see if you’re visiting a dangerous site. Google says that in 30% of cases, this results in better protection against malicious sites that are brand new.
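The refresh-window gap and the two lookup paths described above can be modelled in a few lines. This is an added example, not Chrome's code: the ListServer and Browser classes, the full-hash confirmation after a prefix hit, and the example.com URLs are assumptions of the sketch, and real clients canonicalize URLs before hashing.

```python
import hashlib

def full_hash(url: str) -> bytes:
    # Real clients canonicalize the URL first; this sketch hashes it as given.
    return hashlib.sha256(url.encode("utf-8")).digest()

def prefix32(url: str) -> bytes:
    return full_hash(url)[:4]  # the first 32 bits of the SHA-256 hash

class ListServer:
    """Hypothetical stand-in for the list backend (not Google's API)."""
    def __init__(self):
        self._bad = set()
    def flag(self, url):
        self._bad.add(full_hash(url))
    def prefix_snapshot(self):
        return {h[:4] for h in self._bad}
    def full_hashes_for(self, prefix):
        return {h for h in self._bad if h[:4] == prefix}
    def realtime_verdict(self, url):
        return full_hash(url) in self._bad

class Browser:
    def __init__(self, server, safe_list):
        self.server, self.safe_list, self.local = server, set(safe_list), set()
    def refresh(self):
        # Periodic update of the local prefix list (about every 30 minutes).
        self.local = self.server.prefix_snapshot()
    def check_local(self, url):
        p = prefix32(url)
        if p not in self.local:
            return "no-match"
        # A 32-bit prefix hit is not a verdict: confirm against full hashes.
        confirmed = full_hash(url) in self.server.full_hashes_for(p)
        return "blocked" if confirmed else "no-match"
    def check_realtime(self, url):
        if url in self.safe_list:
            return "safe-list"  # known-safe site, no lookup leaves the device
        return "blocked" if self.server.realtime_verdict(url) else "no-match"

def refresh_window_demo():
    """Constructed scenario: a site is flagged after the last local refresh."""
    old, new = "http://old-phish.example/login", "http://new-phish.example/login"
    server = ListServer()
    server.flag(old)
    browser = Browser(server, safe_list={"https://popular.example/"})
    browser.refresh()
    server.flag(new)  # flagged inside the refresh window
    return (browser.check_local(old), browser.check_local(new),
            browser.check_realtime(new),
            browser.check_realtime("https://popular.example/"))
```

The second result is the gap the article describes: the stale local list misses the newly flagged site until the next refresh, while the real-time path catches it.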
Chrome also has predictive phishing protections to warn users when they enter their Google Account password into suspected phishing sites. Google is now expanding this protection to everyone signed in to Chrome and to all credentials in the password manager. Previously it only worked for users that had Sync enabled. If you type a password stored in Chrome’s password manager, or the Google Account password you used to sign in to Chrome, into an unusual site, Chrome will do an anonymous check like with real-time phishing protection. If Safe Browsing determines that the site is indeed suspicious or malicious, Chrome will show you a warning and encourage you to change your compromised password.
WebXR Device API
New Chrome releases often introduce new APIs. Chrome 79 implements a big one: the WebXR Device API, which brings virtual reality to the web. Other browsers, including Firefox Reality, Oculus Browser, Edge, and Magic Leap’s Helio browser, are expected to implement the API as well.
With the WebXR Device API, developers can now create immersive experiences for smartphones and head-mounted displays in Chrome. Google expects that more immersive features will follow, including supporting augmented reality and other immersive tools. The company even listed a few potential use cases: games, home buying, and viewing products in your home before buying them.
Other developer features in this release include:
- Adaptive Icon Display for Installed PWAs on Android: Android Oreo introduced adaptive icons, which enforced the same shape for all icons on the home screen and in the launcher. Before Android Oreo, icons could be any shape and there was no background behind each icon. With adaptive icon display, Android will automatically mask irregularly shaped icons to fit properly.
- Autofocus Support for any Focusable HTML/SVG Element: Adds the autofocus attribute to any focusable HTML or SVG element. The autofocus was previously supported for a limited number of HTML elements, and there were elements that could receive focus but didn’t support the
- Compute img/video Aspect Ratio from Width Or Height HTML Attributes: The aspect ratio of an image is now computed so that it can be used for sizing an image using CSS before it loads. This avoids unnecessary relayouts when the image loads.
- Font sizing: The font-optical-sizing property automatically sets the font size to the optical sizing axis of variable fonts that support optical sizing. This improves styling and legibility of fonts depending on font size because the font chooses a glyph shape that works optimally at the given font size.
- list-style-type: <string>: Allows a stylesheet to use an arbitrary character for the list style marker. Examples include “-”, “+”, “★” and “▸”. Since CSS Level 2, list-style-type has supported keywords like decimal to define the appearance of the list item marker.
- Reject Worklet.addModule() with a More Specific Error: When Worklet.addModule() fails, a promise rejects with a more specific error object than it did previously. Worklet.addModule() can fail for various reasons, including, for example, network errors and syntax errors. Before this change, AbortError regardless of the actual cause. That made it difficult for developers to debug worklets. After this change, Worklet.addModule() rejects with a clearer error such as
- Retrieve a Service Worker Object corresponding to a Worker itself: A service worker can now get its ServiceWorker object with self.serviceWorker in a service worker script and its current state with self.serviceWorker.state. A service worker instance previously had no way to get its current lifecycle state.
- Stop evaluating script elements moved between documents during fetching: Chrome no longer evaluates scripts or fire <script> elements are moved between documents during fetching. Script elements can still be moved between documents, but they won’t be executed. This prevents possible security bugs caused by exploitation of <script> elements moved between documents.
For a full rundown of what’s new, check out the Chrome 79 milestone hotlist.
Google releases a new version of its browser every six weeks or so. Chrome 80 will arrive in early February.