For administrators who manage Chrome browser or ChromeOS devices for a business or school.
- For emails about future releases, sign up here.
- To try out new features before they're released, sign up for the trusted tester program.
- Connect with other Chrome Enterprise IT admins through the Chrome Enterprise Customer Forum.
- Sign up to take the ChromeOS administrator credential exam.
- Get help and see additional resources below.
Table updated: January 29, 2025
Chrome 132
Chrome 132 release summary
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.
Chrome browser changes
- Search with Google Lens
In Chrome 132, we begin to roll out this enhanced feature across all platforms. Admins can control all elements of this feature through a policy called LensOverlaySettings. To perform the search, a screenshot of the screen is sent to Google servers but it is not linked to any IDs or accounts, it is not viewed by any human, and data about its contents is not logged. To contextualize the search to the document or website the user is viewing, the PDF bytes or website HTML is sent to Google servers but is not linked to any IDs or accounts, not viewable by any human, and the data or data generated about its contents is not logged.
Desktop
Since Chrome 126, users can search any images or text they see on their Desktop screen with Google Lens. To use this feature, go to a website and click the Google Lens chip on the on-focus omnibox or by right-clicking on an image and selecting Search with Google Lens. Users can select anywhere on the screen to search its contents, and refine their search by adding questions to the search box. Starting in Chrome 132, users can also ask questions about entire web pages or PDF documents and answers will reference their current document and the web. To use this feature, invoke Search with Google Lens as described above and enter queries into the search box on the top right corner of the Chrome window. A side panel will open on the right side of the browser window with search results.
iOS
Since Chrome 131, users can search any images or text they see on their iOS Chrome screen with Google Lens. To use this feature, go to a website and click on the 3-dot menu > Search with Google Lens. Users can click, highlight, or drag anywhere on the screen to search its contents, and refine their search by adding keywords or questions to the search box.
Rollout details:
- Chrome 126 on ChromeOS, Linux, macOS, Windows: Rollout of the feature at 1% Stable
- Chrome 127 on ChromeOS, Linux, macOS, Windows: Rollout to 100% Stable
- Chrome 131 on iOS: Rollout of the feature at 1% Stable
- Chrome 132 on ChromeOS, Linux, macOS, Windows: Rollout of the expanded feature at 1% Stable
- Network Service sandboxed on Windows
To improve security and reliability, the network service, already running in its own process, is now sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions.
You can report any issues you encounter.
- Chrome 132 on Windows
Network Service sandboxed on Windows
- Chrome 132 on Windows
- Ad-hoc code signatures for Progressive Web App shims on macOS
Code signatures for the application shims that are created when installing a Progressive Web App on macOS are changing to use ad-hoc code signatures that are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures result in each PWA app shim having a unique identity to macOS, where previously every PWA looked like the same application to macOS.
This update addresses problems when attempting to include multiple Progressive Web Applications in macOS's Open at Login preference pane, and permits future improvements to handling of user notifications within PWAs on macOS.
Admins should test for compatibility with any endpoint security or binary authorization tools they use (such as Santa). The feature can be enabled for this testing using
chrome://flags/#use-adhoc-signing-for-web-app-shims
. They can then install a Progressive Web App and ensure that it launches as expected.If there is an incompatibility between the feature and their current security policies, the AdHocCodeSigningForPWAsEnabled policy can be used to disable the feature while they deploy an updated endpoint security policy. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated, at which point it should be unset.
- Chrome 129 on macOS
Feature disabled behind a flag (chrome://flags/#use-adhoc-signing-for-web-app-shims
) so that enterprises can test for compatibility with their endpoint security tools, such as Santa. If it is not currently compatible they can disable the feature via the enterprise policy while they update their endpoint security configurations. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated. - Chrome 132 on macOS
This feature will begin to roll out to stable, starting at 1% rollout.
- Chrome 129 on macOS
- Batch upload
Since Chrome 128, users have access to their passwords and addresses from their Google Account at the point of sign-in (in addition to their payment methods, which was an existing sign-in feature). These data-types have two distinct storages: local and account. With Chrome 132, we are providing users an opportunity to upload any local data they have to their Google Account. This will first be made available for passwords and addresses and will be expanded to include other data types in the future.
The SyncTypesListDisabled policy applies equally to sync and data upload. Therefore, if either passwords or addresses are disabled, they are not made available for upload in the batch uploader.
- Chrome 132 on Linux, macOS, Windows
- Connectors Disclaimer workflow updates
We have made updates to our Terms of Service for Chrome Enterprise Core that includes a section on 3rd party data-sharing. These updates improve the sign-up flow for Chrome browser Enterprise connectors.
- Chrome 132 on ChromeOS, Linux, macOS, Windows
- DownloadRestrictions is stricter on file type restrictions
You can control downloads within your organization using the DownloadRestrictions policy, with options to allow you select an appropriate level of file type restrictions:
0 = No special restrictions. Default.
Where option value = 1, this means:
1 = Block malicious downloads and dangerous file types.
2 = Block malicious downloads, uncommon or unwanted downloads and dangerous file types.
3 = Block all downloads.
4 = Block malicious downloads. Recommended.- Chrome browser blocks malicious files flagged by the Safe Browsing server AND blocks all dangerous file types. Only recommended for OUs, browsers, or users that have a high tolerance for false positives.
Where option value = 2, this means:
- Chrome browser blocks malicious files flagged by the Safe Browsing server AND blocks uncommon or unwanted files flagged by the Safe Browsing server AND blocks all dangerous file types. Only recommended for OUs, browsers, or users that have a high tolerance for false positives.
Previously, the "dangerous file types" blocking was not being correctly applied by Chrome, and this has now been fixed. This means, however, that the policy is now much stricter on certain file types that could be dangerous to the user, like `
.exe
` or `.msi
` files on Windows. If this induces too many false positives, you can leave the policy unset or set the policy value to 4.- Chrome 132 on Windows
- Updates to Chrome Identity model on desktop
Instead of having to set up Chrome sync on your device, you can now simply sign in to Chrome to access and save items to your Google Account. This new identity model on Desktop also includes an explicit sign-in to Chrome from a web sign-in.
Signing into the web (using Gmail) prompts users to sign-in to Chrome. If they decline, they won’t be signed-in to Chrome, only to the web.
- If they accept, profile management (user-based policies), payments (already available today), passwords, addresses, bookmarks*, extensions*, search engine prefs*, themes* and PWAs* will be enabled.
- If they decline, Chrome can still use the sign-in credentials to facilitate a one-click sign-in to Chrome.
- Synchronizing history, Open tabs and tab groups still exist behind a separate opt-in for now.
- Invalidated credentials (e.g. signing out of the web or remote sign-out) will put Chrome in a ‘pending’ state, previously ‘sync paused’. Autofill data will not be available from the user’s Google Account. Users in this state will be prompted to “Verify it’s you” in the Chrome toolbar.
*These data types will be enabled behind sign-in (instead of sync opt in) in upcoming Chrome milestones.
Web sign-in intercepts can be controlled using the SigninInterceptionEnabled policy. For more details, see Force users to create a separate profile.
- Chrome 132 on Linux, macOS, Windows Roll-out starts
- HTTPS-First Mode for Typically Secure Users
HTTPS-First Mode (HFM) enables a default-HTTPS experience in Chrome by automatically upgrading sites to HTTPS. If a site doesn’t support HTTPS, HFM shows a warning before loading the HTTP version. HFM significantly improves the security guarantees of HTTPS by preventing loading of HTTP URLs without explicit user approval.
HFM for typically secure users (this feature) is a heuristic that can automatically enable HFM for the user if the user has a typically secure browsing pattern. Typically secure browsing pattern is determined by keeping track of HTTPS-Upgrade fallbacks (failed HTTPS Upgrades, which would be HFM interstitials if the user manually enabled HFM) and a few other factors such as profile age and overall site engagement score.
If these signals indicate that the user mostly visits secure sites, the heuristic will automatically enable HFM setting. HFM interstitials caused by this heuristic will display a custom message. The user can disable HFM by simply turning off the UI setting and the heuristic will never kick in again.
This feature can be controlled using the existing enterprise policies HttpsOnlyMode and HttpAllowlist.
- Chrome 132 on ChromeOS, Linux, macOS, Windows, Fuchsia
- Passkeys on iOS
Passkeys are a more secure alternative to passwords. Unlike passwords, which can be phished or guessed, passkeys let users authenticate to sites and apps using public-key cryptography, as defined in the Webauthn standard.
Google Password Manager passkeys are already available in Chrome on other platforms; this launch brings them to the iOS platform, through enhancements to Chrome's existing Credential Provider Extension ("Passwords in Other Apps"). Using the Extension, Google Password Manager passkeys can be used to sign in to pages in Chrome and other browsers, as well as to native apps.
Passkeys are saved to a user's Google Account and available whenever the user is signed in to Chrome. Relevant enterprise policies such as BrowserSignin, SyncTypesListDisabled and PasswordManagerEnabled will continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.
- Chrome 132 on iOS
- Password Leak toggle move
The PasswordLeakDetectionEnabled toggle that was originally found on
chrome://settings/security
is moving from under the standard protection heading to further down on the page under the Advanced section.This feature will also remove the PasswordLeakDetectionEnabled dependency on a user's safe browsing status. Previously, a user who had no protection or no safe browsing would not get the PasswordLeakDetectionEnabled functionality. Now, a user has free choice to select the PasswordLeakDetectionEnabled toggle regardless of their safe browsing protection level.
- Chrome 132 on ChromeOS, Linux, macOS, Windows, Fuchsia
- Removal of old Headless from the Chrome binary
Running Chrome with `--headless=old` no longer launches the old Headless mode, and instead prints the following log message:
Old Headless mode has been removed from the Chrome binary. Please use the new Headless mode or the chrome-headless-shell which is a standalone implementation of the old Headless mode.
- Chrome 132 on Linux, macOS, Windows
- Remove ThirdPartyBlockingEnabled policy
Due to unexpected issues, ThirdPartyBlockingEnabled will be removed in Chrome 135. If you have feedback about this removal, please file a bug here.
- Chrome 132 on Windows
Deprecation of ThirdPartyBlockingEnabled policy
- Chrome 135 on Windows
Removal of ThirdPartyBlockingEnabled policy
- Chrome 132 on Windows
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed in Chrome 132.
- Chrome 132 on Android, ChromeOS, Linux, macOS, Windows
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- Chrome 132 on Android, ChromeOS, Linux, macOS, Windows
- Support non-special scheme URLs
Chrome 130 supports non-special scheme URLs, for example, git://example.com/path. Previously, the Chromium URL parser didn't support non-special URLs. The parser parses non-special URLs as if they had an opaque path, which is not aligned with the URL standard. Now, the Chromium URL parser parses non-special URLs correctly, following the URL standard. For more details, see http://bit.ly/url-non-special.
- Chrome 130 on Windows, macOS, Linux, Android
- Chrome 132 on Windows, macOS, Linux, Android
- Chrome 134 on Windows, macOS, Linux, Android: Feature flag being removed
- Translate for Search with Google Lens
Augmented Reality-based (AR) Translation capabilities are being implemented to the Search with Google Lens feature. The LensOverlaySettings enterprise policy is in place allowing you to turn the feature on or off.
- Chrome 131 on ChromeOS, Linux, macOS, Windows
- Chrome 132 on ChromeOS, Linux, macOS, Windows
In Chrome 131, the translate feature was introduced. In Chrome 132, the translate feature is being expanded with additional language support.
- User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar and clicking the chip launches the app. A flag is available to control this feature:chrome://flags/#enable-user-link-capturing-pwa
.- Chrome 132 on Linux, macOS, Windows
Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).
- Chrome 132 on Linux, macOS, Windows
- Keyboard-focusable scroll containers
Improves accessibility by making scroll containers focusable using sequential focus navigation. Today, the tab key doesn't focus scrollers unless tabIndex is explicitly set to 0 or more.
By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using a keyboard's tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a <textarea>.
Note: The previous rollout of this feature (started first in Chrome 127 and again in Chrome 130) was stopped due to an accessibility regression, which should be fixed in the current implementation shipping in Chrome 132.
- Chrome 132 on Windows, macOS, Linux, Android
- Remove Prefixed HTMLVideoElement Fullscreen APIs
The prefixed HTMLVideoElement-specific fullscreen APIs have been deprecated since Chrome 38. They were replaced by the Element.requestFullscreen() API, which first shipped un-prefixed in Chrome 71, in 2018. As of 2024, most browsers have had support for the un-prefixed APIs for a few years now.
This feature tracks removing the following APIs from HTMLVideoElement:
- readonly attribute boolean webkitSupportsFullscreen;
- readonly attribute boolean webkitDisplayingFullscreen;
- void webkitEnterFullscreen();
- void webkitExitFullscreen();
// Note the different capitalization of the "S" in FullScreen.
- void webkitEnterFullScreen();
- void webkitExitFullScreen();
These methods are now only aliases for the modern API. Their use has declined steadily over the years.
- Chrome 132 on Windows, macOS, Linux, Android
- Throw exception for popovers or dialogs in non-active documents
This is a corner case change that does not impact developers. Previously calling `showPopover()` or `showModal()` on a popover or dialog that resides within an inactive document would silently fail. This means that no exception would be thrown, but since the document is inactive, no popover or dialog would be shown. These situations now throw InvalidStateError. For more information, see the relevant spec pull request on Github.
- Chrome 132 on Windows, macOS, Linux, Android
- New policies in Chrome browser
Policy Description CACertificates TLS certificates that should be trusted for server authentication CACertificateManagementAllowed Allow users to manage all certificates TLS certificates that should be distrusted for server authentication CAHintCertificates TLS certificates that are not trusted or distrusted but can be used in path-building for server authentication CACertificatesWithConstraints TLS certificates that should be trusted for server authentication with constraints PasswordManagerPasskeysEnabled Enable saving passkeys to the password manager SharedWorkerBlobURLFixEnabled Make SharedWorker blob URL behavior aligned with the specification TranslatorAPIAllowed Allows the use of Translator API
- Removed policies in Chrome browser
Policy Description LegacySameSiteCookieBehaviorEnabledForDomainList Revert to legacy behavior for cookies on all sites NativeClientForceAllowed Forces Native Client (NaCl) to be allowed to run PrefixedVideoFullscreenApiAvailability Manage the deprecated prefixed video fullscreen API's availability
Chrome Enterprise Core changes
- Customized Chrome Web Store for enterprises
Admins can leverage new settings to customize the Chrome Web Store for their managed users, which includes the ability to:
- Add company logos
- Add hero banners and custom announcements
- Curate extension collections
- Hide extension categories
These settings are configurable via the Admin console (learn more) and are available to all signed-in managed users (users signed-in to the Chrome Web Store with a managed Google Account).
Additionally, all managed users who sign in to the Chrome Web Store will see the following changes:
- New tags for items “Blocked by their admin” when searching for an item
- Private domain item search and advanced filtering capabilities
- Private items and recommended items are relocated to the “Extensions” tab
Enrolled browsers (without the need to sign in) will be supported later in 2025.
- Chrome 132 on ChromeOS, Linux, macOS, Windows
- New Chrome user management capabilities in the Admin console
Admins can now get more visibility into Chrome user profiles in their organization with a new profile list and reporting features for signed-in Google Accounts. This centralized view in the Google Admin console provides detailed reports about user profiles in your organization, including profile information, browser version, applied policies and installed extensions. For more details, see View Chrome browser profile details.
To get started, IT administrators can simply turn on the new Chrome Managed profile reporting policy to view the reporting information about managed profiles.
- Chrome 132 on Android, Linux, macOS, Windows
- Copy Source conditions in Chrome DLP paste rule
In this feature, we are adding copy source conditions, namely Source URL, Source URL category and Source Chrome context in Paste trigger rule for all customers. Admins can now create paste rules using the OnBulkDataEntryEnterpriseConnector policy, with conditions matching where the data or text being pasted is copied from.
For more details, see Use Chrome Enterprise Premium to integrate DLP with Chrome.
- Chrome 132 on ChromeOS, Linux, macOS, Windows
In this rollout, we are adding copy source conditions, namely Source URL category and Source Chrome context in Paste trigger rule for all customers. Admins will be able to create Paste rules (policy) with conditions matching where the data/text being pasted is copied from.
- Chrome 132 on ChromeOS, Linux, macOS, Windows
- Generating insights for Chrome DevTools console warnings and errors
A new Generative AI (GenAI) feature is now available for unmanaged users, generating insights for Chrome DevTools Console warnings and errors.
These insights provide a personalized description and suggested fixes for the selected errors and warnings. Initially, this feature is only available to users (18+) in English. Admins can control this feature by using the DevToolsGenAiSettings policy.
- Chrome 125 on ChromeOS, Linux, macOS, Windows
Feature becomes available to unmanaged users globally, except Europe, Russia, and China. - Chrome 127 on ChromeOS, Linux, macOS, Windows
Feature becomes available to managed Chrome Enterprise & Education users in supported regions. - Chrome 131 on ChromeOS, Linux, macOS, Windows
In Chrome 131, a new Generative AI (GenAI) feature becomes available for managed users: a dedicated “AI assistance” panel in Chrome DevTools which assists the human operator investigating & fixing styling challenges and helps debugging the CSS. - Chrome 132 on ChromeOS, Linux, macOS, Windows
The AI assistance panel can now explain resources in the Performance panel, Sources panel, and Network panel, in addition to the previous support for style debugging.
- Chrome 125 on ChromeOS, Linux, macOS, Windows
- Professional Chrome Enterprise Administrator certification
For organizations using Chrome Enterprise Core, we offer a new certification opportunity – the Professional Chrome Enterprise Administrator certification. This certification is designed to validate your expertise in managing Chrome Enterprise browser environments, with a focus on using Chrome Enterprise Core to implement policies, establish controls, and analyze reports.
Designed for Chrome Enterprise Administrators with at least one year of experience with application, policy, and endpoint management, the exam is a two-hour exam consisting of about 70 multiple choice questions. The exam assesses your familiarity with both local and cloud-based solutions to manage, maintain, troubleshoot, secure, and integrate with services related to Chrome.
Google is waiving the exam fee of $125 until March 2025 and admins can now take the Professional Chrome Enterprise Administrator certification exam for free.
- Chrome 132 on Android, iOS, ChromeOS
- Server Root Certificates for Chrome Enterprise
Chrome 132 adds the capability for enterprise customers or partners to deploy custom Server Root Certificates or Trust Anchors into Chrome’s Root Store on fully managed browsers via Chrome Browser Cloud Management or into managed Chrome profiles on managed or unmanaged devices.
- Chrome 132 on Linux, macOS, Windows
- Legacy Technology Report
The Legacy Tech Report allows IT administrators to have visibility on websites (both internal and external) that are using deprecated or soon-to-be deprecated technologies (for example, CSS property changes or older security protocols like TLS 1.0 & 1.1). This launch is available in the Google Admin console to all Chrome Enterprise Core. For more details, see View legacy technology usage details.
This gives an opportunity to IT administrators to have the ability to work with developers to proactively plan technical migrations before a deprecation goes into effect.
- Chrome 132 on Linux, macOS, Windows
- Recommended policies (users can override a policy value)
Chrome is introducing the User override configuration in the Google Admin console for policies that can be set as recommended. This means that IT administrators can apply a policy value and allow users to override the policy value.
On Chrome 132: the following policies are supported: ShowHomeButton, HomepageIsNewTabPage, HomepageLocation, DownloadRestrictions, SafeBrowsingProtectionLevel, AlwaysOpenPdfExternally, BackgroundModeEnabled, MetricsReportingEnabled, WarnBeforeQuitting, PrintPreviewUseSystemDefaultPrinter, BatterySaverModeAvailability
As early as Chrome 133: the following policies will be supported: ImportAutofillFormData, ImportBookmarks, ImportHistory, ImportSavedPasswords, ImportSearchEngine
- Updated managed browser list: Most recent Google Update activity
Chrome Enterprise Core is adding the Most recent Google Update activity column on the managed browser list. The Most recent Google Update activity represents the last recorded time when the GoogleUpdater service interacted with a managed browser.
- Chrome 132 on Linux, macOS, Windows
- Chrome 132 on Linux, macOS, Windows
Chrome Enterprise Premium changes
- File download encryption for DLP Rules
When a file downloaded Data Loss Prevention (DLP) rule is triggered, the file is now encrypted on the fly to ensure that end users cannot access that file when a verdict is being returned. This means that users can no longer bypass the rule by moving or renaming the file.
This feature is gated by the existing policy OnFileDownloadedEnterpriseConnector and is only available to Chrome Enterprise Premium users.
- Chrome 132 on ChromeOS, Linux, macOS, Windows
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Disallow spaces in non-file:// URL hosts
As stated in the WhatWG.org spec, URL hosts cannot contain the space character, but currently URL parsing in Chromium allows spaces in the host.
This causes Chromium to fail several tests included in the Interop2024 'HTTPS URLs for WebSocket' and URL focus areas.
To bring Chromium into spec compliance, we would like to remove spaces from URL hosts altogether, but a difficulty with this is that they are used in the host part in Windows
file://
URLs (see the discussion on Github).This feature will be part of the ongoing work to bring Chromium closer to spec compliance by forbidding spaces for non-file URLs only.
- Chrome 133 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia
- Read aloud in Reading mode in Chrome 133
Reading mode is a side-panel feature that provides a simplified view of text-dense web pages. Reading mode will include a Read aloud feature which will allow users to hear the text they are reading spoken out loud. Users will be able to choose different natural voices and speeds, and see visual highlights.
- Chrome 133 on Linux, macOS, Windows
- Tab freezing on Energy saver
When Energy saver is active, Chrome will freeze a tab that has been hidden and silent for >5 minutes and uses a lot of CPU, unless:
- The tab provides audio- or video- conferencing functionality (detected via microphone, camera or screen/window/tab capture, or an RTCPeerConnection with an open RTCDataChannel or a live MediaStreamTrack).
- The tab controls an external device (detected via usage of Web USB, Web Bluetooth, Web HID or Web Serial).
This will extend battery life and speed up Chrome through reduced CPU usage.
The feature can be tested in Chrome 131 via chrome://flags/#freezing-on-energy-saver
. Alternatively, it can be tested withchrome://flags/#freezing-on-energy-saver-testing
, which simulates Energy saver being active and all tabs using a lot of CPU; this allows you to verify whether tabs are eligible for freezing and would be frozen if using a lot of CPU.- Energy saver availability can be controlled via the BatterySaverModeAvailability policy (this change has no effect when Energy saver is inactive).
- Chrome 133 on ChromeOS, Linux, macOS, Windows
The feature will start rolling out to 1% of stable in Chrome 133.
- Deprecate getters of Intl Locale Info
Intl Locale Info API is a Stage 3 ECMAScript TC39 proposal to enhance the Intl.Locale object by exposing Locale information, such as week data (first day in a week, weekend start day, weekend end day, minimum day in the first week), and text direction hour cycle used in the locale.
We shipped our implementation in Chrome 99 but later on the proposal made some changes in Stage 3 and moved several getters to functions. We need to remove the deprecated getters and relaunch the renamed functions.
- Chrome 133 on Windows, macOS, Linux, Android
- Popover invoker and anchor positioning improvements
This update represents the following related set of changes, which were resolved and landed
1. add an imperative way to set invoker relationships between popovers:
popover.showPopover({source})
2. invoker relationships create implicit anchor element references.
- Chrome 133 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia
- Remove Chrome Welcome page triggering via initial prefs first run tabs
Including
chrome://welcome
in the first_run_tabs property of the initial_preferences file will now have no effect. This is removed because that page is redundant with the First Run Experience that triggers on desktop platforms.For more details about the context of the initial_preferences file, see Configuring Other Preferences.
- Chrome 133 on Windows, macOS, Linux
- Remove nonstandard getUserMedia audio constraints
Blink supports a number of nonstandard goog-prefixed constraints for getUserMedia from some time before constraints were properly standardized.
Usage has gone down significantly ~0.000001% to 0.0009% (depending on the constraint) and some of them do not even have an effect due to changes in the Chromium audio-capture stack. Soon none of them will have any effect due to other upcoming changes.
We do not expect any major regressions due to this change. Applications using these constraints will continue to work, but will get audio with default settings (as if no constraints were passed). They can easily migrate to standard constraints.
- Chrome 133 on Windows, macOS, Linux, Android
- Remove SwiftShader fallback
Allowing automatic fallback to WebGL backed by SwiftShader is deprecated and WebGL context creation will fail instead of falling back to SwiftShader. This was done for two primary reasons:
- SwiftShader is a high security risk due to JIT-ed code running in Chromium's GPU process.
- Users have a poor experience when falling back from a high-performance GPU-backed WebGL to a CPU-backed implementation. Users have no control over this behavior and it is difficult to describe in bug reports.
SwiftShader is a useful tool for web developers to test their sites on systems that are headless or do not have a supported GPU. This use case will still be supported by opting in but is not intended for running untrusted content.
To opt-in to lower security guarantees and allow SwiftShader for WebGL, run the chrome executable with the --enable-unsafe-swiftshader command-line switch.
During the deprecation period, a warning will appear in the JavaScript console when a WebGL context is created and backed with SwiftShader. Passing
--enable-unsafe-swiftshader
will remove this warning message.Chromium and other browsers do not guarantee WebGL availability. You can test and handle WebGL context creation failure and fall back to other web APIs such as Canvas2D or an appropriate message to the user.
- Chrome 133 on Windows, macOS, Linux, Android
- Privacy & security panel in Chrome DevTools
Starting in Chrome 133, developers will be able to use the new Privacy & security panel in Chrome DevTools to test how their site will behave when third-party cookies are limited. Developers will be able to temporarily limit third-party cookies, observe how their site behaves, and review the status of third-party cookies on their site.
This feature will not make any permanent changes to existing enterprise policies, but it will let third-party cookie related enterprise policies (that is, BlockThirdPartyCookies and CookiesAllowedForUrls) be temporarily overridden to be more restrictive. If your enterprise policy already blocks third-party cookies using BlockThirdPartyCookies, this feature will be disabled.
The new Privacy & security panel will replace the existing Security panel. TLS connection and certificate information will continue to be available on the Security tab in the Privacy & security panel.
- Chrome 133 on ChromeOS, Linux, macOS, Windows
- Chrome Sync to end support for Chrome versions more than four years old
Starting in February 2025, Chrome Sync (using and saving data in your Google Account) will no longer support Chrome versions that are more than four years old. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 133 on Android, iOS, ChromeOS, Linux, macOS, Windows
This change affects only the old versions of Chrome and will be rolled out server-side. Chrome 133 is specified only to reflect the timeline when the change will make an effect.
- V8 Security Setting
Add a setting on
chrome://settings/security
to disable the V8 JIT optimizers, in order to reduce the attack surface of Chrome. This maintains compatibility with Web Assembly. This behavior continues to be controlled by the DefaultJavaScriptJitSetting enterprise policy, and the associated JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies.- Chrome 122 on ChromeOS, Linux, macOS, Windows, Fuchsia
The setting rolls out in Chrome 121. The enterprise policies have been available since Chrome 93.
- Chrome 133 on Android
The setting is available on Android in Chrome 133, under Site Settings. The enterprise policies are no longer marked experimental.
- Chrome 122 on ChromeOS, Linux, macOS, Windows, Fuchsia
- New option in HttpsOnlyMode policy
Ask Before HTTP (ABH, formerly HTTPS Only/First Modes) is a setting that tells Chrome to ask for user consent before sending insecure HTTP content over the wire. The HttpsOnlyMod policy allows force-enabling, or force-disabling, ABH.
In Chrome 129, we are adding a new middle-ground variant of ABH called "balanced mode". This variant aims to reduce user inconvenience by working like (strict) ABH most of the time, but not asking when Chrome knows that an HTTPS connection isn't possible (such as when connecting to a single-label hostname like internal/).
We are adding a force_balanced_enabled policy option to allow force-enabling this new variant. Setting force_balanced_enabled on browsers before Chrome 129 will result in the default behavior, which places no enterprise restrictions on the ABH setting.
To avoid unexpected impact, if you have previously set force_enabled, we recommend not setting force_balanced_enabled until your entire fleet has upgraded to Chrome 129 or higher. If you are not migrating from force_enabled to force_balanced_enabled, you will be unaffected by this change.
- Chrome 129 on ChromeOS, Linux, macOS, Windows, Fuchsia
- Chrome 133 on Android
- SafeBrowsing API v4 to v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5.
If admins have any v4-specific URL allowlisting to allow network requests to
https://safebrowsing.googleapis.com/v4*
, these should be modified to allow network requests to the whole domain instead:safebrowsing.googleapis.com
. Otherwise, rejected network requests to the v5 API will cause security regressions for users.- Chrome 134 on Android, iOS, ChromeOS, Linux, macOS, Windows: This will be a gradual rollout.
- Blob URL Partitioning: Fetching or Navigation
As a continuation of Storage Partitioning, Chromium will implement partitioning of Blob URL access by Storage Key (top-level site, frame origin, and the has-cross-site-ancestor boolean), with the exception of navigations which will remain partitioned only by frame origin. This behavior is similar to what’s currently implemented by both Firefox and Safari, and aligns Blob URL usage with the partitioning scheme used by other storage APIs as part of Storage Partitioning. In addition, Chromium will enforce noopener on renderer-initiated navigations to Blob URLs where the corresponding site is cross-site to the top-level site performing the navigation. This aligns Chromium with similar behavior in Safari, and we will pursue spec updates to reflect both of these changes.
This change can be temporarily reverted by setting the PartitionedBlobURLUsage policy, which will be available in Chrome 134. The policy will be deprecated when the other storage partitioning related enterprise policies are deprecated.
- Chrome 134 on Windows, macOS, Linux
- SharedWorker script inherit controller for blob script URL
Service Workers should inherit controllers for the blob URL. However, existing code allows only dedicated workers to inherit the controller, and shared workers do not inherit the controller.
This is the fix to make Chromium behavior adjust to the specification.
An enterprise policy SharedWorkerBlobURLFixEnabled is available to control this feature.
- Chrome 134 on Windows, macOS, Linux
- Deprecate mutation events
Synchronous mutation events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.
Mutation event support will be disabled by default starting in Chrome 127, around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
To read more, see this blog post. Report any issues here.
- Chrome 135 on Android, Linux, macOS, Windows: The MutationEventsEnabled enterprise policy will be deprecated.
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome started directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Admins might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that admins can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise admins may continue to use the UiAutomationProviderEnabled policy to either opt in early to the new behavior, or to temporarily opt out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
- Customizing managed profiles with custom logo and label
New toolbar and profile menu customizations that help users easily identify if their Chrome profile is managed, whether they're on a work or personal device. This is especially useful for scenarios where employees use their own devices with managed accounts.
To help tailor this experience, we're adding three new policies:
- EnterpriseCustomLabel: Customize the text displayed on the toolbar element to match your organization's branding.
- EnterpriseLogoUrl: Add your company logo to the profile menu.
- EnterpriseProfileBadgeToolbarSettings: This policy can disable the default label for a managed profile in the Chrome toolbar.
In Chrome Chrome 133, these policies will be available to customize the logo and label shown on a managed profile.
Starting Chrome 134, there will be updates to the default behavior of the profile label and icon overlaid on the account avatar. Managed profiles will show a work or school label in addition to the profile disk. In the profile menu, there will be a building icon overlaid on the account avatar. The expanded profile disk can be disabled via EnterpriseProfileBadgeToolbarSettings.
- Chrome 133 on macOS, Windows
Policies to customize the toolbar label and icon (in profile menu)
- Chrome 134: Starting rollout of defaults including:
- 1) work or school label shown in toolbar, next to user avatar
- 2) A building icon overlayed on the user's account photo in the profile menu. The label can be turned off via EnterpriseProfileBadgeToolbarSettings. Starting with 1% and gradual slow rollout thereafter.
Upcoming Chrome Enterprise Core changes
-
New Chrome Enterprise Companion App
Chrome Enterprise Companion App (CECA) is a new administrative binary that will be automatically installed with Chrome browsers enrolled into Chrome Enterprise Core or Chrome Enterprise Premium. It is meant to support Enterprise use cases, policies and reporting.
- Chrome 133 on Windows, macOS
Upcoming Chrome Enterprise Premium changes
- Screenshot prevention
We plan to enhance the existing screenshot prevention feature by extending screen-sharing blocking to meeting apps like Google Meet, Zoom, Teams, and Slack. We will build upon the successful release of data protection controls by adding key features and addressing gaps and user feedback.
- Chrome 134 on Windows, macOS
- URL filtering on iOS and Android
We will extend the existing URL filtering capabilities from desktop to mobile platforms, providing organizations with the ability to audit, warn, or block certain URLs or categories of URLs from loading on managed Chrome browsers or managed user profiles on mobile devices. This includes ensuring the functionality works seamlessly with Context-Aware Access (CAA) which allows admins to set access policies based on user context (for example, user role, location) and device state (for example, managed device, security compliance).
- Chrome 135 on Android, iOS
- Reporting connector for mobile
We are working towards feature parity with the desktop version, enabling organizations to monitor and respond to security events on mobile devices, such as unsafe site visits and potential data exfiltration attempts. This helps ensure consistent security and policy enforcement across different platforms.
- Chrome 135 on Android, iOS
- Refactor DLP rules UX
We aim to create a more user-friendly and efficient interface for Chrome-specific DLP rules. This involves redesigning the rule creation workflow in the Admin Console to better accommodate existing and upcoming security features for Chrome Enterprise Premium customers.
- Chrome 134 on Windows, macOS, Linux, ChromeOS
- Connectors API
We plan to simplify the setup process for third-party security connectors and enable providers to manage configurations directly from their own UI. This aims to make it easier for organizations to integrate their preferred security tools and services with Chrome, enhancing security and management across different platforms.
- Chrome 135 on Windows, macOS, Linux, ChromeOS
ChromeOS 132 release summary
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Customized Chrome Web Store for enterprises | ✓ | ||
Native Client (NaCl) support ending on ChromeOS | ✓ | ||
Onboarding refresh | ✓ | ||
Migrate data for graduating students | ✓ | ✓ | |
Rounded corners for Apps | ✓ | ||
ChromeOS Passwordless Authentication | ✓ | ||
Face control on ChromeOS | ✓ | ✓ | |
Turn off the touchpad | ✓ | ||
Password Manager biometric authentication | ✓ | ||
Apps discovery removed from Explore | ✓ | ||
Remote management for idle devices | ✓ | ||
ChromeOS device Bedtime Hours policy | ✓ | ||
Improved management disclosure on locked device | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
AI wallpapers and backgrounds | ✓ | ||
Deprecating Chrome Apps support on ChromeOS | ✓ | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
ChromeOS updates
-
Customized Chrome Web Store for enterprises
Admins can now use new settings to customize the Chrome Web Store for their managed users, which includes the ability to:
- Add company logos
- Add hero banners and custom announcements
- Curate extension collections
- Implement category-based controls
These settings are configurable using the Admin console and are available to all signed-in managed users (users signed-in to the Chrome Web Store with a managed Google Account). For more details, see Customized Chrome Web Store for enterprises.
Additionally, all managed users who sign in to the Chrome Web Store will see the following changes:
- New tags for items Blocked by their admin when searching for an item
- Private domain item search and advanced filtering capabilities
- Private items and recommended items are relocated to the Extensions tab
Enrolled browsers (without the need to sign in) will be supported later in 2025.
- Chrome 132 on ChromeOS, Linux, macOS, Windows
-
Native Client (NaCl) support ending on ChromeOS
ChromeOS 132 is the last release with NaCl support for unmanaged or consumer devices, followed by ChromeOS 138 in July 2025 for managed devices. For more details, see About ChromeOS device management.
In 2017, we announced the end of support of Native Client (NaCl) in favor of WebAssembly. With most developers and users having migrated away from NaCl, we confirm the following NaCl discontinuation dates:
- January 2025: Native Client (NaCl) will be disabled from ChromeOS 132 onwards.
- For unmanaged and consumer users, ChromeOS 132 will be the last ChromeOS release with support for NaCl.
- For managed environments (including Kiosk sessions), administrators who manage ChromeOS devices for a business or school will have the option of extending the ability to use NaCl with a DeviceNativeClientForceAllowed NaCl allow policy through the ChromeOS 138 release. To enable device policies, please refer to Set ChromeOS device policies in the Chrome Enterprise and Education Help Center.
- July 2025: ChromeOS 138 will be the last version with NaCl support.
- For managed environments, ChromeOS 138 is a Long-term Support (LTS) ChromeOS release available to administrators who manage ChromeOS devices for a business or school.
- For devices that have been switched to the LTS channel and have the NaCl allow policy enabled, NaCl will be available until LTS Last Refresh in April 2026.
- No exceptions will be granted.
For Chrome Apps that use NaCl, migrate to WebAssembly (WASM). To help you with the transition, we've published the WebAssembly Migration Guide.
For more information about this change or if you need assistance, you can refer to any of the following:
- WebAssembly Migration Guide.
- ChromeOS developer community on Discord.
- ChromeOS release schedule for release dates and updates.
To find out more, see Manage policies for ChromeOS devices in the Chrome Enterprise and Education Help Center.
- January 2025: Native Client (NaCl) will be disabled from ChromeOS 132 onwards.
-
There are many different setup items that users might look to change once they've started using their devices, including setting up a printer, connecting Bluetooth devices, changing touchpad direction, and so on. This feature consolidates many of these common setup items into a simple task list, with deep linking to where a user can change a particular setting, to simplify the process of completing many of these steps.
-
Migrate data for graduating students
As early as ChromeOS 132, a new Content transfer tool will guide graduating students or other EDU-managed users who want to migrate their data through the updated Google Takeout Transfer process. This allows them to take their Docs, Sheets, Slides, and Gmail content to a Gmail account of their choice.
This new application allows school administrators to pin an icon to the shelf, notify students and faculty on their Chromebooks, and set dates to trigger these nudges to encourage them to use Content transfer.
-
As part of a new UI design, ChromeOS now features rounded corners on all app windows on Chromebook Plus devices.
-
ChromeOS passwordless authentication
The passwordless ChromeOS feature allows users to access their device with PIN or a local password as their primary authentication factor. This means that you will be able to log in to your ChromeOS device with a password you set explicitly for your device, as well as with a PIN no longer tying your gmail password with your device password.
It is not possible to enable the PIN feature on managed devices.
-
ChromeOS now features AI-powered face control; you can now use face and gesture tracking to navigate your Chromebook, open apps, and even compose emails – all without a keyboard or mouse. This built-in technology, inspired by Project Gameface, provides greater accessibility for users with motor disabilities and offers a more efficient way for everyone to interact with their devices. To read more about this feature, see this Google blog post.
-
Chromebook users can now disable their touchpads. This accessibility improvement helps those who rely on screen readers or may experience accidental clicks. To turn it off, go to Settings > Accessibility > Cursor and Touchpad.
-
Password Manager biometric authentication
ChromeOS 132 enables biometrics in Password Manager and autofill on Chrome for ChromeOS devices.
-
Apps discovery removed from Explore
ChromeOS 132 removes the Apps & Games module in the Explore app. To discover new apps for your ChromeOS device, navigate to https://discover.apps.chrome.
.
-
Remote management for idle devices
Chrome Remote Desktop (CRD) is a feature that allows for remote control of ChromeOS devices, primarily for troubleshooting purposes, where a device is idle and unused. Admins can now initiate a CRD connection to a ChromeOS device sitting on the login screen. This enables an admin to sign-in to a managed device with their own set of credentials for troubleshooting or testing.
-
ChromeOS device Bedtime Hours policy
The new DeviceRestrictionSchedule policy allows ChromeOS administrators to disallow users from logging in to specified Chromebooks during certain hours on specified days of the week. During these hours, kiosk apps are also unavailable.
-
Improved management disclosure on locked device
This feature improves the management disclosure on the device's lock screen. To enhance user understanding before using their device for personal tasks or work, we provide a clear explanation of what managed devices entail. This way, users can make informed decisions regarding their device usage. By providing necessary information, users gain the knowledge needed to make choices that align with their privacy and security concerns and preferences.
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming ChromeOS changes
-
As early as ChromeOS 134, we plan to introduce high-resolution, generative AI wallpapers and video call backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.
Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings. This feature will be available on Chromebook Plus devices only.
-
Deprecating Chrome Apps support on ChromeOS
In 2016, we announced the deprecation of Chrome Apps in favor of web apps, and in 2021, we announced on the Chromium Blog that support for Chrome Apps for ChromeOS Enterprise and Education customers and developers on ChromeOS would be extended until at least January 2025. With the majority of our customers having migrated off of Chrome Apps (including Legacy (v1) packaged apps and Hosted apps), we can confirm the following updates about Chrome Apps discontinuation dates.
- July 2025: End of support for user-installed Chrome Apps (scheduled for ChromeOS M138).
- Chrome Apps that are force-installed through the admin console will continue to be supported.
- July 2026: Last ChromeOS release with support for Chrome Apps in Kiosk Mode (scheduled for ChromeOS M150).
- Devices on the LTS channel with Chrome Apps in Kiosk Mode will receive support until April 2027.
- February 2028: Last ChromeOS release with support for Chrome Apps (scheduled for ChromeOS M168), marking the end of life for all Chrome Apps.
- Devices on the LTS channel can continue to use Chrome Apps until October 2028.
- No exceptions will be granted.
These deprecation timelines also apply to self-hosted Chrome Apps.
While no new Chrome Apps can be added to the Chrome Web Store, existing Chrome Apps can continue to be updated through October 2028 when they will reach end of life on ChromeOS. After this date, Chrome Apps will be removed from the Chrome Web Store.
If your organization has developed in-house Chrome Apps and you need assistance, please refer to Transition from Chrome Apps guide. You can also join us in the ChromeOS developer community on Discord, or reach out to us through the form at https://chromeos.dev/work-with-us. Refer to the ChromeOS release schedule for release dates and updates.
In the coming weeks, additional detailed information will be sent to all remaining Chrome App developers and all ChromeOS Administrators.
- July 2025: End of support for user-installed Chrome Apps (scheduled for ChromeOS M138).
Chrome 131
Chrome 131 release summary
Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Search with Google Lens on iOS | ✓ | ||
Asynchronous real-time Safe Browsing check | ✓ | ||
Ad-hoc code signatures for PWA shims on macOS | ✓ | ||
Choose from Google Drive on iOS | ✓ | ||
Chrome PDF Viewer OCR | ✓ | ||
Chrome on iOS promo on Desktop NTP | ✓ | ||
Cross profile password-reuse detection | ✓ | ||
Chrome on Android now supports 3P autofill and password providers | ✓ | ✓ | |
Deprecate Safe Browsing Extended reporting | ✓ | ||
Entrust certificate distrust | ✓ | ||
Insecure form warnings on iOS | ✓ | ||
PartitionAlloc with Advanced Checks (PA/AC) | ✓ | ||
Simplified sign-in and sync experience | ✓ | ||
Tab freezing on Energy saver | ✓ | ||
Update Google Play Services to fix issues with on-device passwords | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
Deprecation of CSS Anchor Positioning property inset-area | ✓ | ||
Improvements to styling structure of <details> and <summary> elements | ✓ | ||
Keyboard Lock and Pointer Lock permissions | ✓ | ||
Remove non-standard GPUAdapter requestAdapterInfo() method | ✓ | ||
<select> parser relaxation | ✓ | ||
Support external SVG resources for clip-path, fill, stroke, and marker-* properties | ✓ | ||
Support non-special scheme URLs | ✓ | ||
Translate for Search with Google Lens | ✓ | ||
New policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
Chrome Enterprise Core changes | Security/ Privacy | User productivity/ Apps | Management |
GenAI Defaults policy | ✓ | ||
Chrome extension telemetry integration with SecOps | ✓ | ||
Customized Chrome Web Store for Enterprises | ✓ | ||
DownloadRestrictions policy support on Android | ✓ | ✓ | |
Enterprise Policy to force adaptive buffering for WebAudio Rendering | ✓ | ||
Generating insights for Chrome DevTools Console warnings and errors | ✓ | ||
Recommended policies in the Admin console | ✓ | ||
Chrome Enterprise Premium changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome Enterprise Data Controls: Clipboard | ✓ | ||
Screenshot protections | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Read aloud in Reading mode in Chrome 132 | ✓ | ||
Removal of old Headless from the Chrome binary | ✓ | ||
Capture all screens | ✓ | ||
Remove prefixed HTMLVideoElement fullscreen APIs | ✓ | ||
Remove ThirdPartyBlockingEnabled policy | ✓ | ||
Keyboard-focusable scroll containers | ✓ | ||
Throw exception for popovers or dialogs in non-active documents | ✓ | ||
User Link capturing on PWAs | ✓ | ✓ | |
Network Service on Windows will be sandboxed | ✓ | ||
Remove SwiftShader fallback | ✓ | ||
Privacy & security panel in Chrome DevTools | ✓ | ||
Chrome Sync to end support for Chrome versions more than four years old | ✓ | ||
Disallow spaces in non-file:// URL hosts | ✓ | ||
SafeBrowsing API v4 to v5 migration | ✓ | ||
Blob URL partitioning: Fetching or Navigation | ✓ | ||
Deprecate mutation events | ✓ | ||
UI Automation accessibility framework provider on Windows | ✓ | ||
Upcoming Chrome Enterprise Core changes | Security/ Privacy | User productivity/ Apps | Management |
Remove enterprise policy used for legacy same site behavior | ✓ | ||
Upcoming Chrome Enterprise Premium changes | Security/ Privacy | User productivity/ Apps | Management |
DLP file download access prevention | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.
Chrome browser changes
- Search with Google Lens on iOS
Since Chrome 126, users can search any images or text they see on their screen with Google Lens. To use this feature, go to a website and click Search with Google Lens on the on-focus omnibox chip and on the right-click menus on desktop, or on the 3-dot menu on both desktop and mobile. Users can click, highlight, or drag anywhere on the screen to search its contents, and refine their search by adding keywords or questions to the search box. Admins can control the feature through a policy called LensOverlaySettings. To perform the search, a screenshot of the screen is sent to Google servers but it is not linked to any IDs or accounts, it is not viewed by any human, and data about its contents is not logged. We are starting the rollout of this feature gradually on iOS in Chrome 131 and we plan to launch fully in Chrome 132.
- Chrome 126 on ChromeOS, Linux, macOS, Windows: Rollout of the feature at 1% Stable
- Chrome 127 on ChromeOS, Linux, macOS, Windows: Rollout to 100% Stable
- Chrome 131 on iOS: Rollout of the feature starts
- Chrome 132 on iOS: Rollout to 100% Stable
- Asynchronous real-time Safe Browsing check on iOS
Today Safe Browsing checks are on the blocking path of page loads, meaning that the user cannot see the page until the checks are completed. To improve Chrome's loading speed, real-time Safe Browsing checks will no longer block page loads after Chrome 122, and after Chrome 131 on iOS.
We have evaluated the risk and put mitigations in place:
- For malware and 0-day attacks, local-blocklist checks will still be conducted in synchronous manner so that malicious payloads are still blocked by Safe Browsing.
- For phishing attacks, we've looked at data and it is unlikely the user would have interacted with the page (for example, typed a password) by the time we show the warning.
- Chrome 122 on Android, ChromeOS, Linux, macOS, Windows
- Chrome 131 on iOS
- Ad-hoc code signatures for PWA shims on macOS
Code signatures for the application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures that are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures result in each PWA app shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.
This addresses problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and permits future improvements to handling of user notifications within PWAs on macOS.
Administrators should test for compatibility with any endpoint security or binary authorization tools they use (such as Santa). The feature can be switched on for testing using the
chrome://flags/#use-adhoc-signing-for-web-app-shims
flag. Admins can then install a PWA and ensure that it launches as expected.If there is an incompatibility between the feature and their current security policies, the AdHocCodeSigningForPWAsEnabled policy can be used to disable the feature while they deploy an updated endpoint security policy. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated, at which point it should be unset.
- Chrome 129 on macOS
This feature is turned on with a flag (chrome://flags/#use-adhoc-signing-for-web-app-shims
) so that enterprises can test for compatibility with their endpoint security tools, such as Santa. If it is not currently compatible, they can control the feature using the enterprise policy while they update their endpoint security configurations. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated. - Chrome 131 on macOS: Feature begins to roll out to stable, starting at 1% rollout.
- Chrome 129 on macOS
- Choose from Google Drive
From Chrome 131 onwards, Chrome on iOS users can upload a file from Google Drive directly to a web page, without the need to download it on the device first.
- Chrome 131 on iOS: Includes core functionality for uploading a single file.
- Chrome PDF Viewer OCR
Chrome Desktop now makes scanned PDFs more accessible. Using on-device Optical Character Recognition (OCR) to maintain privacy (no content is sent to Google), Chrome automatically converts scanned PDFs, allowing you to select text, Ctrl+F, copy, and paste. The feature does not bypass secure PDFs. It only uses OCR on PDFs the user has access to. The solution unlocks PDF accessibility to Chrome users without any extra steps, making PDFs as accessible as the rest of the web.
- Chrome 131 on ChromeOS, Linux, macOS, Windows
- Chrome on iOS promo on Desktop NTP
A Chrome on iOS promo on the Desktop new tab page. This promo aims to increase awareness of Chrome on iOS and present a simple way to install.
You can control this feature using the existing policies PromotionsEnabled and NTPMiddleSlotAnnouncementVisible.
- Chrome 131 on Linux, macOS, Windows
- Cross profile password-reuse detection
Previously, password-reuse detection of corporate credentials was only detectable in the corporate profile. Now, password-reuse detection detects corporate credential reuse across all non-Incognito profiles on the managed browser.
We've updated the cross profile password-reuse detection criteria to more accurately reflect managed enterprise accounts. We’ve also updated the on-screen message to make it clearer to users that their organization is monitoring their corporate password reuse.
- Chrome 123 on Android, iOS, ChromeOS, Linux, macOS, Windows, Fuchsia
- Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows, Fuchsia
We've updated the cross profile password-reuse detection criteria to more accurately reflect managed enterprise accounts, and updated the UX message to make it clearer to users that their organization is monitoring their corporate password reuse.
- Chrome on Android now supports 3P autofill and password providers
Until now, third-party autofill and password providers could be used in Chrome on Android via accessibility APIs.
In Chrome M131, we're adding direct support for Android Autofill, which means these providers will work with Chrome on Android without the need for accessibility APIs. This should improve the performance of Chrome on Android and third-party autofill providers.
To take advantage of this, users will need to configure their third-party provider in Android settings. Then, in Chrome, users select Settings > Autofill services and choose Autofill using another service.
If users do not change both settings, they will continue to use Google to autofill their passwords, payment and address information. Whether users can use a third-party autofill service or not can be controlled by a new policy called ThirdPartyPasswordManagersAllowed.
- Chrome 131 on Android
The new setting will be available from Chrome 131. If users use the new setting, it will take immediate effect. If the new setting is not used, users will continue to use either Google or a third party via accessibility (if installed).
The support for accessibility APIs will be deprecated in early 2025, at which point the new policy settings will apply to all users.
- Chrome 131 on Android
- Deprecate Safe Browsing Extended reporting
We are deprecating the Safe Browsing Extended reporting feature, which previously enhanced the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content.
This feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, macOS, Windows
Deprecation of Safe Browsing Extended Reporting. Excluding real-time Client Safe Browsing Report Request - Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows
Deprecating SafeBrowsingExtendedReportingEnabled for real-time Client Safe Browsing Report Request
- Chrome 129 on Android, iOS, ChromeOS, Linux, macOS, Windows
- Entrust certificate distrust
In response to sustained compliance failures, Chrome is changing how publicly-trusted TLS server authentication (website) certificates issued by Entrust will be trusted by default in Chrome 131 and greater on Windows, macOS, ChromeOS, Android, and Linux. iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.
Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:
- after November 11, 2024, will no longer be trusted by default.
- on or before November 11, 2024, will be unaffected by this change.
Should a Chrome user or enterprise explicitly trust any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, explicit trust is conveyed through a Windows Group Policy Object, the SCT-based constraints described above will be overridden and certificates will function as they do today.
Additional information and testing resources are the Google Security blog.
To learn more, see this FAQ about the Chrome Root Store.
- Chrome 131 on Android, ChromeOS, Linux, macOS, Windows
All versions of Chrome 131 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after November 11, 2024.
- Insecure form warnings on iOS
Since Chrome 125, Chrome browser blocks form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it displays a warning asking the user to confirm the submission. The goal is to prevent leaking form data over plain text without the user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature.
- Chrome 125 on iOS: Feature rolls out
- Chrome 131 on iOS: InsecureFormsWarningsEnabled policy will be removed
- PartitionAlloc with Advanced Checks (PA/AC)
PartitionAlloc (PA) and its associated memory security projects have an array of advanced safeguards that are deactivated by default (or exclusively in debug builds) due to their potential impact on performance. While enabling the feature for all users might not be immediately possible, there is still an opportunity to partially enable it under specific, limited conditions.
This project seeks to achieve advanced safeguards for the enterprise customers. Enterprise administrators have the option to apply enhanced security measures through Enterprise Policies. Security tends to be prioritized over performance in Enterprise. There's a likelihood that they desire advanced checks, even if it comes at a cost to performance.
PA with Advanced Checks is advanced memory security. The feature is OFF by default due to expected performance regression. Enterprise customers have an option to enable it to achieve advanced security via enterprise policy.
- Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows, Fuchsia
- Simplified sign-in and sync experience
Starting in Chrome 131, existing users with Chrome sync turned on now experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync is no longer shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be controlled by SyncTypesListDisabled. Sign-in to Chrome can be switched off via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Chrome 131 on Android
- Tab freezing on Energy saver
When Energy saver is active, Chrome freezes a tab that has been hidden and silent for >5 minutes and uses a lot of CPU, unless:
- The tab provides audio- or video- conferencing functionality, detected via microphone, camera or screen, window, or tab capture, or an RTCPeerConnection with an open RTCDataChannel or a live MediaStreamTrack.
- The tab controls an external device, detected via usage of Web USB, Web Bluetooth, Web HID or Web Serial.
This extends battery life and speeds up Chrome through reduced CPU usage.
- Chrome 130 on ChromeOS, Linux, macOS, Windows
The feature can be tested in Chrome 130 using the#freezing-on-energy-saver
entry inabout:flags
. Alternatively, it can be tested with the#freezing-on-energy-saver-testing
flag, which simulates that Energy saver is active and that all tabs use a lot of CPU; this allows verifying whether a tab is eligible for freezing and would be frozen if it used a lot of CPU. Energy saver availability can be controlled using the BatterySaverModeAvailability policy. This change has no effect when Energy save is inactive. - Chrome 131 on ChromeOS, Linux, macOS, Windows
The feature will start rolling out to 1% of stable in Chrome 131. It will gradually be ramped up to 100% of Stable. Energy saver availability can be controlled via the BatterySaverModeAvailability policy. This change has no effect when Energy saver is inactive.
- Update Google Play Services to fix issues with on-device passwords
Users with old versions of Google Play Services will experience reduced functionality with their on-device passwords, and Password Manager might soon stop working for them altogether. These users will need to update Google Play Services, or will be guided through other troubleshooting methods depending on their state. This is part of an ongoing migration that only affects Android users of Google Password Manager.
- Chrome 131 on Android
- X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.
However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.
For more detail, see this Chromium blog post and this Google Security blog post.
- Chrome 124 on Windows, macOS, Linux: new post-quantum secure TLS key encapsulation mechanism X25519Kyber768 is enabled
- Chrome 131 on Linux, macOS, Windows: Chrome will switch the key encapsulation mechanism to the final standard version of ML-KEM
- Chrome 141 on Windows, macOS, Linux: Remove enterprise policy
- Deprecation of CSS Anchor Positioning property inset-area
The CSS working group (CSSWG) resolved to rename the inset-area property to position-area. For more details, see the CSSWG discussion on github. The new property name, position-area, as a synonym for inset-area shipped via this feature update described on Chrome Platform Status, describing the deprecation and removal of the inset-area property.
- Chrome 131 on Windows, macOS, Linux, Android
- Improvements to styling structure of <details> and <summary> elements
Support more CSS styling for the structure of
<details>
and<summary>
elements to allow these elements to be used in more cases where disclosure widgets or accordion widgets are built on the web. In particular, this change removes restrictions that prevented setting the display property on these elements, and adds a ::details-content
pseudo-element to style the container for the part that expands and collapses.- Chrome 131 on Windows, macOS, Linux, Android
- Keyboard Lock and Pointer Lock permissions
May show a permission prompt to the user when Keyboard Lock or Pointer Lock is requested by a website, and saves the user preferences as content settings. The settings can be queried for via the Permissions API. This helps mitigate the abusive use of the APIs.
- Chrome 131 on Windows, macOS, Linux
- Remove non-standard GPUAdapter requestAdapterInfo() method
The WebGPU WG decided it was impractical for
requestAdapterInfo()
to trigger a permission prompt so they’ve removed that option and replaced it with the GPUAdapter info attribute so that web developers can get the same GPUAdapterInfo value synchronously this time. To read more, see the previous Intent to Ship: WebGPU: GPUAdapter info attribute .- Chrome 131 on Windows, macOS, Linux, Android
- <select> parser relaxation
This change makes the HTML parser allow additional tags in
<select>
besides<option>,
<optgroup>
, and<hr>
.This change is in support of the customizable
<select>
feature but is being shipped first because it can be done separately and has some compact risks.This feature is gated by the temporary policy, SelectParserRelaxationEnabled. This is a temporary transition period, and the policy will stop working in milestone Chrome 136.
For more details, see the Open UI Customizable <select> explainer and the What Working Group HTML parser changes for customizable <select> article.
- Chrome 131 on Windows, macOS, Linux, Android
- Support external SVG resources for clip-path, fill, stroke and marker-* properties
Allow external references for clip paths, markers, and paint servers (for the fill and stroke properties). For example,
clip-path: url("resources.svg#myPath")
.- Chrome 131 on Windows, macOS, Linux, Android
- Support non-special scheme URLs
Chrome 130 supports non-special scheme URLs, for example, git://example.com/path. Previously, the Chromium URL parser didn't support non-special URLs. The parser parses non-special URLs as if they had an opaque path, which is not aligned with the URL standard. Now, the Chromium URL parser parses non-special URLs correctly, following the URL standard. For more details, see http://bit.ly/url-non-special.
- Chrome 130 on Windows, macOS, Linux, Android
- Chrome 131 on Windows, macOS, Linux, Android
- Chrome 134 on Windows, macOS, Linux, Android: Feature flag being removed
- Translate for Search with Google Lens
Augmented reality (AR) translation capabilities are being implemented to the Search with Google Lens feature. An enterprise policy is already in place enabling enterprises to turn the feature on or off using LensOverlaySettings.
- Chrome 131 on ChromeOS, Linux, macOS, Windows
- New policies in Chrome browser
Policy Description DownloadRestrictions Allow download restrictions Use user-added TLS certificates from platform trust stores for server authentication SelectParserRelaxationEnabled Controls whether the new HTML parser behavior for the <select> element is enabled EnterpriseProfileBadgeToolbarSettings Controls visibility of enterprise profile badge in the toolbar WebAudioOutputBufferingEnabled Enable adaptive buffering for Web Audio
- Removed policies in Chrome browser
Policy Description ProfileLabel This policy controls a label used to identify a signed in profile. This label will be shown in various locations to help users identify the profile such as next to the toolbar profile icon. ToolbarAvatarLabelSettings Managed toolbar avatar label setting BeforeunloadEventCancelByPreventDefaultEnabled Control new behavior for the cancel dialog produced by the beforeunload event.
Chrome Enterprise Core changes
- GenAI Defaults policy
Starting in 131, Chrome Enterprise Core introduces a policy, GenAiDefaultSettings, to control the default behavior of multiple GenAI policies as part of our Trusted Tester program. You can sign up for our Trusted Tester program here. This policy does not impact any manually-set policy values for generative AI features. This policy controls the default settings for the following policies:
- CreateThemesSettings
- DevToolsGenAiSettings
- HelpMeWriteSettings
- HistorySearchSettings
- TabOrganizerSettings
- TabCompareSettings
- GenAIVcBackgroundSettings
- GenAIWallpaperSettings
- HelpMeReadSettings
For more details about the default settings, see Chrome—Generative AI features and policies.
- Only available to Trusted Testers. You can sign up for our Trusted Tester program here.
- Chrome extension telemetry integration with SecOps
We begin to collect relevant Chronicle extension telemetry data from within Chrome, for managed profiles and devices, and send it to Google SecOps. Google SecOps analyzes the data to provide instant analysis and context on risky activity; this data is further enriched to provide additional context and is searchable for a year.
- Chrome 131 on ChromeOS, Linux, macOS, Windows
- Customized Chrome Web Store for Enterprises
IT admins will be able to customize the Chrome Web Store for their managed end-users using company-specific branding, custom messaging and tailored navigation. Admins can personalize the store with logos, banners, and recommended extensions, while also hiding irrelevant categories and improving extension discovery.
This feature is configurable via the Admin console and this milestone 1 custom configurations will be available to all signed-in managed users (users signed-in to the Chrome Web Store with a managed Google Account). Milestone #2 will support this feature for CEC enrolled browsers (without the need to sign in) and will only be available later in 2025.
Additionally, all managed users who sign in to the Chrome Web Store will see the following changes:
- New tags for items blocked by their admin and filter by private items in the search results
- Private items and recommended items will be relocated to the “Extensions” tab only.
- As early as Chrome 131 on Linux, macOS, Windows and ChromeOS: Milestone #1 rolls out
- DownloadRestrictions policy support on Android
DownloadRestrictions is a universal policy available to Chrome Enterprise Core users on Desktop. DownloadRestrictions policy is now supported on Android. This policy allows admins to block all downloads on mobile Chrome on Android.
- Chrome 131 on Android
- Enterprise policy to force adaptive buffering for WebAudio rendering
Chromium's WebAudio implementation includes an adaptive buffering mechanism, which was added to resolve numerous glitching issues especially on Android with the AAudio backend. While this mechanism reduced glitches significantly, it also increased audio latency. Chrome is running an experiment that will disable the adaptive buffering mechanism and run the rendering synchronously on all platforms besides Android.
Starting Chrome 131, an enterprise policy, WebAudioOutputBufferingEnabled, is available that will force Chrome to default to the previous behavior of using adaptive buffering for WebAudio rendering.
- Chrome 131 on ChromeOS, Linux, macOS, Windows
- Generating insights for Chrome DevTools Console warnings and errors
A new Generative AI (GenAI) feature is now available for unmanaged users: Generating insights for Chrome DevTools Console warnings and errors.
These insights provide a personalized description and suggested fixes for the selected errors and warnings. Initially, this feature is only available to users (18+) in English. Admins can control this feature by using the DevToolsGenAiSettings policy.
- Chrome 125 on ChromeOS, Linux, macOS, Windows
Feature becomes available to unmanaged users globally, except Europe, Russia, and China. - Chrome 127 on ChromeOS, Linux, macOS, Windows
Feature becomes available to managed Chrome Enterprise & Education users in supported regions. - Chrome 131 on ChromeOS, Linux, macOS, Windows
In Chrome 131, a new Generative AI (GenAI) feature becomes available for managed users: a dedicated AI assistance panel in Chrome DevTools which assists the human operator investigating and fixing styling challenges and helps debugging the CSS. - Chrome 132 on ChromeOS, Linux, macOS, Windows
The AI assistance panel can now explain resources in the Performance panel, Sources panel, and Network panel, in addition to the previous support for style debugging
- Chrome 125 on ChromeOS, Linux, macOS, Windows
- Recommended policies in the Admin console
As early as November 1st, admins will be able to choose whether some settings are recommended or mandatory using the User override control. This control will gradually roll out for policies that can be recommended, starting with the following policies:
- Warn before quitting
- System Default Printer
- Battery Saver Mode
- Homepage
- Safe Browsing protection
- Download Restrictions- Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows
Chrome Enterprise Premium changes
- Chrome Enterprise Data Controls: Clipboard
Admins can set data control rules in the Google Admin console to protect end users from data leakage on Chrome browser. Data Controls are lightweight rules set in the Google Admin console that allow admins to set a Chrome policy to control sensitive user actions, such as, copying and pasting sensitive data and taking screenshots or screen sharing.
This feature can be controlled using the DataControlsRules policy.
This feature is available to test for the members of the Chrome Enterprise Trusted Tester program. You can sign up for our Trusted Tester program here.
- Chrome 128 on ChromeOS, Linux, macOS, Windows: Trusted Tester program
- Chrome 131 on ChromeOS, Linux, macOS, Windows: Feature rolls out
- Screenshot protections
Admins can prevent users from taking screenshots or screen sharing specific web pages considered to contain sensitive data. Admins create a DLP URL filtering rule to block users taking screenshots or screen sharing specific URLs or categories of URLs. This feature can be controlled using the same EnterpriseRealTimeUrlCheckMode policy that enables all real-time URL lookups.
This feature is available to test for the members of the Chrome Enterprise Trusted Tester program. You can sign up for our Trusted Tester program here.
- Chrome 129 on ChromeOS, Linux, macOS, Windows: Trusted Tester program
- Chrome 131 on ChromeOS, Linux, macOS, Windows: Feature rolls out
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Read aloud in Reading mode in Chrome 132
Reading mode is a side-panel feature that provides a simplified view of text-dense web pages. Reading mode will include a Read aloud feature which allows users to hear the text they are reading spoken out loud. Users can choose different natural voices and speeds, and see visual highlights.
- Chrome 132 on ChromeOS, Linux, macOS, Windows
- Removal of old Headless from the Chrome binary
Running Chrome with
`--headless=old`
no longer launches the old Headless mode, and instead prints the following log message:The old Headless mode has been removed from the Chrome binary. You can use the new Headless mode or the
chrome-headless-shell,
which is a standalone implementation of the old Headless mode.- Chrome 132 on Linux, macOS, Windows
- Capture all screens
This feature captures all the screens currently connected to the device using
getAllScreensMedia()
. CallinggetDisplayMedia()
multiple times requires multiple user gestures, burdens the user with choosing the next screen each time, and does not guarantee to the app that all the screens were selected.getAllScreensMedia()
improves on all of these fronts.This feature is only exposed behind the MultiScreenCaptureAllowedForUrls enterprise policy, and users are warned before recording even starts, that recording could start at some point. The API will only work for origins that are specified in the MultiScreenCaptureAllowedForUrls allowlist. Any origin not specified there, will not have access to it.
- Chrome 132 on Windows, macOS, Linux
- Remove prefixed HTMLVideoElement fullscreen APIs
The prefixed HTMLVideoElement-specific fullscreen APIs have been deprecated since approximately M38. They were replaced by the
Element.requestFullscreen()
API, which first shipped un-prefixed in M71, in 2018. As of 2024, most browsers have had support for the un-prefixed APIs for a few years now.This feature tracks removing the following APIs from
HTMLVideoElement
:- readonly attribute boolean
webkitSupportsFullscreen
;- readonly attribute boolean
webkitDisplayingFullscreen
;- void
webkitEnterFullscreen
();- void
webkitExitFullscreen
();// Note the different capitalization of the "S" in FullScreen.
- void
webkitEnterFullScreen
();- void
webkitExitFullScreen
();These methods are now only aliases for the modern API. Their use has declined steadily over the years.
- Chrome 132 on Windows, macOS, Linux, Android
- Remove ThirdPartyBlockingEnabled policy
Due to unexpected issues, ThirdPartyBlockingEnabled will be removed in Chrome 135. If you have feedback about this removal, please file a bug here.
- Chrome 132 on Windows: Deprecation of ThirdPartyBlockingEnabled policy
- Chrome 135 on Windows: Removal of ThirdPartyBlockingEnabled policy
- Keyboard-focusable scroll containers
We plan to improve accessibility by making scroll containers focusable using sequential focus navigation. Today, the tab key doesn't focus scrollers unless tabIndex is explicitly set to 0 or more.
By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using their tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a
<textarea>
.Note: The previous rollout of this feature (started in Chrome 127) was stopped due to web compatibility issues, which should be fixed in the current implementation shipping in 130.
Note: The previous rollout of this feature (started in 130) was stopped due to an accessibility regression, which should be fixed in the implementation shipping in 132.
- Chrome 132 on Windows, macOS, Linux, Android
- Throw exception for popovers or dialogs in non-active documents
This is a corner case change that hopefully does not impact developers. A corner case is where multiple unique conditions occur simultaneously. Previously, calling `
showPopover()
` or `showModal()
` on a popover or dialog that resides within an inactive document would silently fail, that is, no exception would be thrown. Since the document is inactive, however, no popover or dialog would be shown. As of the https://github.com/whatwg/html/pull/10705 spec pull request (PR), these situations now throw theInvalidStateError
exception.- Chrome 132 on Windows, macOS, Linux, Android
- User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, macOS, Windows
When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:chrome://flags/#enable-user-link-capturing-pwa
.
- Chrome 132 on Linux, macOS, Windows
Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).
- Chrome 121 on Linux, macOS, Windows
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions.
You can report any issues you encounter.
- Chrome 132 on Windows
Network Service sandboxed on Windows
- Chrome 132 on Windows
- Remove SwiftShader fallback
Allowing automatic fallback to WebGL backed by SwiftShader is deprecated and WebGL context creation will fail instead of falling back to SwiftShader. This was done for two primary reasons:
- SwiftShader is a high security risk due to JIT-ed code running in Chromium's GPU process.
- Users have a poor experience when falling back from a high-performance GPU-backed WebGL to a CPU-backed implementation. Users have no control over this behavior and it is difficult to describe in bug reports.
SwiftShader is a useful tool for web developers to test their sites on systems that are headless or do not have a supported GPU. This use case will still be supported by opting in but is not intended for running untrusted content.
To opt in to lower security guarantees and allow SwiftShader for WebGL, run the chrome executable with the
--enable-unsafe-swiftshader
command-line switch.During the deprecation period, a warning will appear in the JavaScript console when a WebGL context is created and backed with SwiftShader. Passing
--enable-unsafe-swiftshader
will remove this warning message.Chromium and other browsers do not guarantee WebGL availability. You can test and handle WebGL context creation failure and fall back to other web APIs such as Canvas2D or an appropriate message to the user.
- Chrome 133 on Windows, macOS, Linux, Android
- Privacy & security panel in Chrome DevTools
Starting in Chrome 133, developers will be able to use the new Privacy & security panel in Chrome DevTools to test how their site will behave when third-party cookies are limited. Developers will be able to temporarily limit third-party cookies, observe how their site behaves, and review the status of third-party cookies on their site.
This feature will not make any permanent changes to existing enterprise policies, but it will let third-party cookie related enterprise policies (that is, BlockThirdPartyCookies and CookiesAllowedForUrls) be temporarily overridden to be more restrictive. If your enterprise policy already blocks third-party cookies using BlockThirdPartyCookies, this feature will be disabled.
The new Privacy & security panel will replace the existing Security panel. TLS connection and certificate information will continue to be available on the Security tab in the Privacy & security panel.
- Chrome 133 on ChromeOS, Linux, macOS, Windows
- Chrome Sync to end support for Chrome versions more than four years old
Starting in February 2025, Chrome Sync (using and saving data in your Google Account) will no longer support Chrome versions that are more than four years old. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 133 on Android, iOS, ChromeOS, Linux, macOS, Windows
This change affects only the old versions of Chrome and will be rolled out server-side. Chrome 133 is specified only to reflect the timeline when the change will make an effect.
- Chrome 133 on Android, iOS, ChromeOS, Linux, macOS, Windows
- Disallow spaces in non-file:// URL hosts
Per spec URL hosts [1] cannot contain the space character, but currently URL parsing in Chromium allows spaces in the host.
This causes Chromium to fail several tests included in the Interop2024 'HTTPS URLs for WebSocket' [2] and 'URL' focus areas [3].
To bring Chromium into spec compliance, we would like to remove spaces from URL hosts altogether, but a difficulty with this is that they are used in the host part in Windows file:// URLs (Github)[4].
This feature will be part of the ongoing work to bring Chromium closer to spec compliance by forbidding spaces for non-file URLs only.
- Chrome 133 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia
- SafeBrowsing API v4 to v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5.
If admins have any v4-specific URL allowlisting to allow network requests to
https://safebrowsing.googleapis.com/v4*
, these should be modified to allow network requests to the whole domain instead:safebrowsing.googleapis.com
. Otherwise, rejected network requests to the v5 API will cause security regressions for users.- Chrome 133 on Android, iOS, ChromeOS, Linux, macOS, Windows: This will be a gradual roll-out.
- Blob URL partitioning: Fetching or Navigation
As a continuation of Storage partitioning, Chromium will implement partitioning of Blob URL access by Storage Key (top-level site, frame origin, and the
has-cross-site-ancestor
boolean), with the exception of navigations that will remain partitioned only by frame origin. This behavior is similar to what’s currently implemented by both Firefox and Safari, and aligns Blob URL usage with the partitioning scheme used by other storage APIs as part of Storage Partitioning. In addition, Chromium will enforce noopener on renderer-initiated navigations to Blob URLs where the corresponding site is cross-site to the top-level site performing the navigation. This aligns Chromium with similar behavior in Safari, and we will pursue spec updates to reflect both of these changes.This change can be temporarily reverted by setting the PartitionedBlobURLUsage policy. The policy will be deprecated when the other storage partitioning-related enterprise policies are deprecated.
- Chrome 134 on Windows, macOS, Linux
- Deprecate mutation events
Synchronous mutation events, including
DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.Mutation event support will be disabled by default starting in Chrome 127, around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
To read more, see this blog post. Report any issues here.
- Chrome 135 on Android, Linux, macOS, Windows: The MutationEventsEnabled enterprise policy will be deprecated.
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome started directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Administrators might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
Upcoming Chrome Enterprise Core changes
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, macOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy.
Upcoming Chrome Enterprise Premium changes
- DLP file download access prevention
When a file download DLP rule is set by the admin, a scan is triggered after the download is completed, this feature prevents Chrome Enterprise enrolled users from accessing the contents of a downloaded file before a deep scan verdict is returned.
This feature is gated by the existing policy, OnFileDownloadedEnterpriseConnector, and is only available to Chrome Enterprise Premium users.
- Chrome 132 on ChromeOS, Linux, macOS, Windows
ChromeOS 131 release summary
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
ChromeOS Flex auto-enrollment | ✓ | ||
ChromeOS Flex forced re-enrollment | ✓ | ||
Quick Answers styling refresh | ✓ | ||
Split DNS for ChromeOS | ✓ | ||
ChromeOS Back To Safety | ✓ | ✓ | |
Flash notifications | ✓ | ||
Microsoft SCEP SID update reminder | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
AI wallpapers and backgrounds | ✓ | ||
Graduate data migration | ✓ | ✓ | |
Native Client (NaCl) support ending on ChromeOS | ✓ | ✓ | |
Chrome App support ending on ChromeOS | ✓ | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
ChromeOS updates
-
In ChromeOS 131, ChromeOS Flex auto-enrollment now allows you to deploy ChromeOS Flex devices at scale. Similar to ChromeOS zero-touch enrollment, automatic enrollment embeds an enrollment token created by an organization's administrator into a ChromeOS Flex image. This will determine which customer organization and organizational unit a device will enroll into during initial device setup. For more information, see Enroll ChromeOS devices and the ChromeOS Flex help center.
-
ChromeOS Flex forced re-enrollment
In ChromeOS 131, enrolled ChromeOS Flex devices support manual forced re-enrollment. If the policy is set to enforce either automatic or manual re-enrollment, ChromeOS Flex devices will prompt users to manually re-enroll after a factory reset. For more information, see Force wiped ChromeOS devices to re-enroll and the Forced re-enrollment device setting.
-
Quick Answers is a GenAI-powered reading assistant for ChromeOS, giving users quick insights into web pages and PDF documents. This includes summaries, interactive outlines, and document Q&A. In ChromeOS 131, we introduce an updated styling for Quick Answers. For more information, see Quick Answers—definition. This feature can be controlled using Quick Answers policies.
-
You can now configure Secure DNS to be used on specified domains only. Admins can configure a list of domains to be included or excluded from using Secure DNS. You can configure this feature using these policies: DnsOverHttpsIncludedDomains and DnsOverHttpsExcludedDomains.
-
This feature gives users a way to get back to a good known state by disabling extensions and resetting settings that could hurt their experience. In past releases, in order to get your ChromeOS device to a known good state, you would have to powerwash. Thanks to this feature, there are now ways to non-destructively get your device to a state you feel comfortable with again!
When a user selects Safety reset, this action will:
- Reset Chrome settings and Chrome shortcuts
- Disable extensions
- Delete cookies and other temporary site data
Bookmarks, history, and saved passwords won't be affected. For more details, see Wipe ChromeOS device data.
-
Customers who frequently miss notifications that appear in the corner of the screen can now enable a setting that will flash the screen whenever a new notification arrives. This feature is particularly beneficial for customers who are hard of hearing or who use screen magnification and are often zoomed in, making it difficult to see corner notifications. This new setting can be found under Settings > Accessibility > Audio and captions > Flash notifications.
-
Microsoft SCEP SID update reminder
Only for SCEP deployments using Microsoft NPS for RADIUS. If you are not using SCEP certificates in combination with Microsoft NPS for Radius for Chromebook network connectivity, you may disregard the remainder of these instructions. We expect this to be a setup more common in enterprise rather than in education.
Microsoft has announced a security update that will add a new required field, a Security Identifier (SID), to SCEP certificates in environments utilizing NPS for Radius for network authentication. This addition is due to a security vulnerability on Windows devices where usable certificates with private keys can be exported from one Windows device to be used on any other device. Addition of the SID means that the certificate becomes linked to a device or user in your Active Directory environment so that an unknown device/user cannot use it. This is not a security issue for Chromebooks, as they do not allow the exporting of certificates with private keys in them and they are protected by the TPM. However, any certificate lacking this new field will fail to authenticate against a NPS for Radius server after the hard enforcement deadline of February 11th, 2025.
What do you need to do?
As soon as possible, verify if your deployment relies on both SCEP certificates and NPS for Radius for network authentication. This can be done by going into event viewer on your Domain Controller > System, and searching for event ID #39. If you see this event ID:
Actions to take if you see the event ID #39:
- Create a new object, or reuse an existing one, in your Active Directory environment for SCEP use
- Extract the SID for the AD object, for example, PS> (Get-ADUser username).SID.value
- Create a new SCEP profile with all settings duplicated from your current setup and add in the SID of the newly created, or existing, AD object from step 1.
- Under the Subject Alternative name section select the Custom radio button. Add a new Subject Alternative name using the + button with the type Uniform Resource Identifier from the dropdown. Under string, the value should be similar to:
tag:microsoft.com,2022-09-14:sid:S-1-2-3-4-5-6-8
whereS-1-2-3-4-5-6-8
is the SID of the AD object
- Deploy this new certificate to all potentially affected Chromebooks in your fleet
- Wait, AT LEAST ONE MONTH, to reasonably guarantee that all devices have picked up the new certificate.
- Re-link any and all policies from the old certificate to the new one from Step 2.
- Verify functionality using the new certificate.
- Delete the old profile.
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming ChromeOS changes
-
As early as ChromeOS 132, we plan to introduce high-resolution, generative AI wallpapers and video call backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.
Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings. This feature will be available on Chromebook Plus devices only.
-
As early as ChromeOS 132, a new Content Transfer tool will guide graduate students or other EDU-managed users who want to migrate their data through the updated Google Takeout Transfer process. This allows them to take their Docs, Sheets, Slides, and Gmail content to a Gmail account of their choice.
This new application allows school administrators to pin an icon to the shelf, notify students and faculty on their Chromebooks, and set dates to trigger these nudges to encourage them to use the existing Takeout Transfer process.
-
Native Client (NaCl) support ending on ChromeOS
ChromeOS 132, scheduled for release in January 2025, will be the last release with NaCl support for unmanaged or consumer devices, followed by ChromeOS 138 in July 2025 for managed devices.
In 2017, we announced the end of support of Native Client (NaCl) in favor of WebAssembly. With most developers and users having migrated away from NaCl, we confirm the following NaCl discontinuation dates:
- January 2025: Native Client (NaCl) will be disabled from ChromeOS 132 onwards.
- For unmanaged and consumer users, ChromeOS 132 will be the last ChromeOS release with support for NaCl.
- For managed environments (including Kiosk sessions), administrators who manage ChromeOS devices for a business or school, will have the option of extending the ability to use NaCl with a NaCl allow policy (DeviceNativeClientForceAllowed) through the ChromeOS 138 release. This policy will be available in the admin console from late December 2024 to early January 2025 before the release of ChromeOS 132.
- July 2025: ChromeOS 138 will be the last version with NaCl support.
- For managed environments, ChromeOS 138 is a Long-term Support (LTS) ChromeOS release available to administrators who manage ChromeOS devices for a business or school.
- For devices that have been switched to the LTS channel and have the NaCl allow policy enabled, NaCl will be available until LTS Last Refresh in April 2026.
- No exceptions will be granted.
For Chrome Apps that use NaCl, migrate to WebAssembly (WASM). To help you with the transition, we've published the WebAssembly Migration Guide.
For more information about this change or if you need assistance, you can refer to any of the following:
- WebAssembly Migration Guide.
-
Please refer to the Chrome Enterprise and Education Help Center to learn more about managing policies for ChromeOS devices.
- ChromeOS developer community on Discord.
- ChromeOS release schedule for release dates and updates.
- January 2025: Native Client (NaCl) will be disabled from ChromeOS 132 onwards.
-
Chrome App support ending on ChromeOS
In 2016, we announced the deprecation of Chrome Apps in favor of web apps, and in 2021, we announced on the Chromium Blog that Chrome App support for ChromeOS Enterprise and Education customers and developers on ChromeOS would be extended until at least January 2025. With the majority of our customers having migrated off of Chrome Apps (including Legacy (v1) packaged apps and Hosted apps), we can confirm the following updates about Chrome App discontinuation dates.
July 2025: End of support for user-installed Chrome Apps (scheduled for ChromeOS M138).- Chrome Apps that are force-installed through the Admin console will continue to be supported.
- Devices on the LTS channel with Chrome Apps in Kiosk Mode will receive support until April 2027.
- Devices on the LTS channel can continue to use Chrome Apps until October 2028.
- No exceptions will be granted.
These deprecation timelines also apply to self-hosted Chrome Apps.
While no new Chrome Apps can be added to the Chrome Web Store, existing Chrome Apps can continue to be updated through October 2028 when they will reach end of life on ChromeOS. After this date, Chrome Apps will be removed from the Chrome Web Store.
If your organization has developed in-house Chrome Apps and you need assistance, please refer to Transition from Chrome Apps guide. You can also join us in the ChromeOS developer community on Discord, or reach out to us through the form at https://chromeos.dev/work-with-us. Refer to the ChromeOS release schedule for release dates and updates.
In the coming weeks, additional detailed information will be sent to all remaining Chrome App developers and all ChromeOS Administrators.
Chrome 130
Chrome 130 release summary
Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Desktop toasts | ✓ | ||
Platform picker for screen sharing on macOS | ✓ | ||
New Account menu | ✓ | ||
PDF Viewer on Android | ✓ | ||
Tab freezing on Energy saver | ✓ | ||
Compression dictionary transport with Shared Brotli and Shared Zstandard | ✓ | ||
Keyboard-focusable scroll containers | ✓ | ||
Support non-special scheme URLs | ✓ | ||
Chrome on Android now supports third-party autofill and password providers | ✓ | ✓ | |
<meter> element fallback styles | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Chrome Enterprise Core changes | Security/ Privacy | User productivity/ Apps | Management |
Default change for GenAI policies | ✓ | ||
Support for user-level settings on Custom configurations | ✓ | ||
Audit-only URL navigation rules | ✓ | ||
Chrome Security Insights | ✓ | ✓ | |
Extension risk score Phase 2 | ✓ | ✓ | |
Chrome Enterprise Premium changes | Security/ Privacy | User productivity/ Apps | Management |
No updates in Chrome 130. | |||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Search and receive answers in your Chrome history with AI | ✓ | ||
Ad-hoc code signatures for PWA shims on macOS | ✓ | ||
Asynchronous real-time Safe Browsing check | ✓ | ||
Remove non-standard GPUAdapter requestAdapterInfo() method | ✓ | ||
Deprecate Safe Browsing Extended reporting | ✓ | ||
Update Google Play Services to fix issues with on-device passwords | ✓ | ||
Entrust certificate distrust | ✓ | ||
Simplified sign-in and sync experience | ✓ | ✓ | |
User Link capturing on PWAs | ✓ | ✓ | |
Deprecation of CSS Anchor Positioning property inset-area | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
Chrome PDF Viewer OCR | ✓ | ||
Insecure form warnings on iOS | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Read aloud in Reading mode | ✓ | ||
Capture all screens | ✓ | ||
SafeBrowsing API v4 to v5 migration | ✓ | ||
Private network access checks for navigation requests: warning-only mode | ✓ | ||
Deprecate mutation events | ✓ | ✓ | |
UI Automation accessibility framework provider on Windows | ✓ | ||
Upcoming Chrome Enterprise Core changes | Security/ Privacy | User productivity/ Apps | Management |
GenAI Defaults policy | ✓ | ||
Chrome extension telemetry integration with Google SecOps | ✓ | ✓ | |
New managed profile list and reporting for signed-in users | |||
Remove enterprise policy used for legacy same site behavior | ✓ | ||
Upcoming Chrome Enterprise Premium changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome Enterprise Data Controls: Clipboard | ✓ | ||
Screenshot protections | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.
Chrome browser changes
- Desktop toasts
Chrome 130 introduces a new Toast pattern that will allow features to provide visual confirmation of user actions or a quick way to take a follow up action. For example, when adding something to a reading list, a Toast confirms that the item was added and offers a quick link to the reading list side panel. Toasts appear as a small chip that partially overlaps with the web contents and partially with the top toolbar of the browser.
- Chrome 130 on ChromeOS, Linux, macOS, Windows: This will be enabled for an initial set of features in Chrome 130. Subsequent toasts will be rolled out independently by other teams utilizing the pattern.
- Platform picker for screen sharing on macOS
When screen sharing in Chrome on macOS X Sequoia, users can now select a window or screen to share using the updated platform picker. This new platform picker removes the need for assigning screen recording permission to Chrome and is consistent with screen sharing in other macOS applications.
The new picker will not be activated before the first update of macOS Sequoia, version 15.1 expected a month after the initial version of 15.0. Before that Chrome users might see a warning dialog that Chrome is not using the new picker API yet.
To test the new screen share picker experience:
- Update Chrome to version 129 or later.
- On your macOS, open the Terminal.
- At the prompt, type:
open -b com.google.Chrome --args -enable-features=UseSCContentSharingPicker
- To execute the command, on your keyboard, press Enter.
The feature can also be enabled in
chrome://flags
.- Chrome 130 on macOS
- New Account menu
Some users can now access a new Account menu by tapping on their avatar on the New tab page. The new Account menu allows them to sign out, switch accounts easily and resolve errors related to their account in Chrome. Existing policies like BrowserSignin and RestrictAccountsToPatterns can be used to determine which accounts a user can sign in or switch to.
- Chrome 130 on iOS
- PDF Viewer on Android
This feature provides the ability to view PDFs within Chrome browser UI. Prior to this change, users have to complete many steps to view a PDF document. These steps force them out of Chrome to view the PDF document. With this feature, PDFs will render seamlessly in Chrome. Users will still be able to download PDFs and open with other first- or third-party apps of choice.
- Chrome 130 on Android
- Tab freezing on Energy saver
When Energy saver is active, Chrome now freezes a tab that has been hidden and silent for >5 minutes and uses a lot of CPU, unless:
- the tab provides audio- or video- conferencing functionality (detected via microphone, camera or screen, window, or tab capture, or an RTCPeerConnection with an open RTCDataChannel or a live MediaStreamTrack).
- the tab controls an external device (detected using Web USB, Web Bluetooth, Web HID or Web Serial).
This will extend battery life and speed up Chrome through reduced CPU usage.
- Chrome 130 on ChromeOS, Linux, macOS, Windows: The feature can be tested in Chrome 130 via the
#freezing-on-energy-saver
entry in about:flags. Alternatively, it can be tested with the#freezing-on-energy-saver-testing
which simulates that Energy saver is active and that all tabs use a lot of CPU (this allows verifying whether a tab is eligible for freezing and would be frozen if it used a lot of CPU). Energy saver availability can be controlled via the BatterySaverModeAvailability policy (this change has no effect when Energy saver is inactive). - Chrome 131 on ChromeOS, Linux, macOS, Windows: The feature will start rolling out to 1% of Stable in Chrome 131. It will gradually be ramped up to 100% of Stable. Energy saver availability can be controlled via the BatterySaverModeAvailability policy (this change has no effect when Energy saver is inactive).
- Compression dictionary transport with Shared Brotli and Shared Zstandard
This feature adds support for using designated previous responses as an external dictionary for content encoding compressing responses with Brotli or Zstandard.
Enterprises might experience potential compatibility issues with enterprise network infrastructure that intercepts HTTPS traffic and is sensitive to unknown content encodings. The enterprise policy CompressionDictionaryTransportEnabled is available to turn off the compression dictionary transport feature.
- Chrome 130 on Windows, macOS, Linux, Android
- Keyboard-focusable scroll containers
Chrome 130 improves accessibility by making scroll containers focusable using sequential focus navigation. Today, the tab key doesn't focus scrollers unless tabIndex is explicitly set to 0 or more.
By making scrollers focusable by default, users who can't (or don't want to) use a mouse can now focus clipped content using tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard-focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a
<textarea>
.Note: The previous rollout of this feature (started in Chrome 127) was stopped due to web compatibility issues, which should be fixed in the implementation shipping in Chrome 130.
- Chrome 130 on Windows, macOS, Linux, Android
- Support non-special scheme URLs
Chrome 130 supports non-special scheme URLs, for example,
git://example.com/path
. Previously, the Chromium URL parser didn't support non-special URLs. The parser parses non-special URLs as if they had an opaque path, which is not aligned with the URL standard. Now, the Chromium URL parser parses non-special URLs correctly, following the URL standard. For more details, see http://bit.ly/url-non-special.- Chrome 130 on Windows, macOS, Linux, Android
- Chrome on Android now supports third-party autofill and password providers
Until now, third-party autofill and password providers could be used in Chrome on Android via accessibility APIs. In Chrome 130, we're adding direct support for Android Autofill which means these providers now work with Chrome on Android without the need for accessibility APIs. This should improve the performance of Chrome on Android. To take advantage of this, users need to ensure they have their third party provider configured in Android settings. Then, in Chrome they'll need to open Settings > Autofill services and choose Autofill using another service. If users do not change both settings, they will continue to use Google to autofill their passwords, payment and address information.
- Chrome 130 on Android: The new setting will be available from Chrome 130. If users use the new setting it will take immediate effect. If the new setting is not used, users will continue to use either Google and a third party via accessibility (if installed). The support for accessibility APIs will be deprecated in early 2025, at which point the new settings will be honored for all users.
- <meter> element fallback styles
In Chrome 130,
<meter>
elements with appearance: none now have a reasonable fallback style that matches Safari and Firefox, instead of just disappearing from the page. Additionally, developers can now custom style the<meter>
elements.A feature flag
MeterAppearanceNoneFallbackStyle
is available inchrome://flags
until Chrome 133 to control this feature.- Chrome 130 on Windows, macOS, Linux, Android
- New policies in Chrome browser
Policy Description DataURLWhitespacePreservationEnabled DataURL Whitespace Preservation for all media types CloudProfileReportingEnabled Enable Google Chrome cloud reporting for managed profile
Chrome Enterprise Core changes
- Default change for GenAI policies
Starting with 130, we are changing the default setting for GenAI policies from switched off to allowed, without improving AI models, for Workspace for Education users. If you have devices enrolled in Chrome Enterprise Core, this policy is automatically applied to those devices to prevent sending data for AI model training. The existing policies that have the updated default setting are:
- CreateThemesSettings (available in the US-only for now)
- DevToolsGenAiSettings (available in most countries)
- HelpMeWriteSettings (available in the US-only for now)
- HistorySearchSettings (available in the US-only for now)
- TabOrganizerSettings (available in the US-only for now)
- TabCompareSettings (available in the US-only for now)
For more details about the default settings, see Chrome—Generative AI features and policies.
- Support for user-level settings on Custom configurations
Custom configurations recently launched in Chrome 127 and this feature allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As early as October 15, Custom configurations will support applying settings at the user-level, in addition to device-level support. In order words, you will be able to enforce policies when users sign in to a managed Google account using Custom configurations.
- As early as October 15 2024, on Android, iOS, Linux, macOS, Windows: Feature rolls out
To get started, you can navigate to Chrome browser > Custom configurations in the Admin console; the Chrome Enterprise Core SKU is required to access this feature.
- Audit-only URL navigation rules
This feature lets customers create Chrome URL navigation rules with the Audit action. These rules allow admins to dry-run URL navigation rules before starting to show user warnings. They also allow admins to silently audit users’ navigation to restricted or sensitive URLs.
URL auditing is part of the existing real-time URL check connector policy, EnterpriseRealTimeUrlCheckMode, which can be turned on by Organizational Unit or by Group.
- Chrome 130 on ChromeOS, Linux, macOS, Windows
- Chrome Security Insights
You can now enable Chrome Security Insights to monitor insider risk and data loss with enhanced monitoring for Chrome activity. This feature is available for the following licenses:
- Chrome Enterprise Core
- Workspace Enterprise Standard
- Workspace Enterprise Plus.
For more information, see Monitoring for insider risk and data loss.
- Chrome 125 on ChromeOS, Linux, macOS, Windows: Feature enabled for Chrome Enterprise Core
- Chrome 130 on ChromeOS, Linux, macOS, Windows: Feature enabled for EDU customers (except K-12)
- Risk score on the Chrome Apps and extensions usage report
This feature adds a new column in the Admin console for browser management that displays the risk assessment for installed extensions in the admin's environment. This new addition allows IT admins to quickly identify extensions with a high, medium or low risk score using the sorting and filtering functionality of the report.
- Currently available to Trusted Testers. You can sign up for our Trusted Tester program here.
- As early as October 15 on Linux, macOS, Windows: Addition of risk assessment to summary view.
Chrome Enterprise Premium changes
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Search and receive answers in your Chrome history with AI
Starting in Chrome 131, users will be able to search their browsing history and receive generated answers based on page contents. Initially, this feature will only be available to users in English in the US. Admins can control this feature by using the HistorySearchSettings policy. You have the following options for your organization:
- 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models.
- 1 = Enable the feature for users, but do not send data to Google to train or improve AI models.
- 2 = Fully disable feature
For more information, see Search your history in Chrome with AI.
● Chrome 131 on Linux, Mac, Windows: the feature generates answers to your search queries.
- Ad-hoc code signatures for Progressive Web App shims on macOS
Code signatures for application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures, which are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.
This will address problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and will permit future improvements for handling user notifications within PWAs on macOS.
Administrators should test for compatibility with any endpoint security or binary authorization tools they use (such as Santa). The feature can be enabled for this testing via
chrome://flags/#use-adhoc-signing-for-web-app-shims
. They can then install a Progressive Web Apps and ensure that it launches as expected.If there is an incompatibility between the feature and their current security policies, the enterprise policy, AdHocCodeSigningForPWAsEnabled, can be used to disable the feature while they deploy an updated endpoint security policy. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated, at which point it should be unset.
- Chrome 129 on macOS: Feature disabled behind a flag (
chrome://flags/#use-adhoc-signing-for-web-app-shims
) so that enterprises can test for compatibility with their endpoint security tools, such as Santa (https://santa.dev/
). If it is not currently compatible they can disable the feature via the enterprise policy while they update their endpoint security configurations. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated. - Chrome 131 on macOS: Feature will begin to roll out to Stable, starting at 1% rollout.
- Chrome 129 on macOS: Feature disabled behind a flag (
- Asynchronous real-time Safe Browsing check
Today, Safe Browsing checks are on the blocking path of page loads, meaning that the user cannot see the page until the checks are completed. In Chrome 122 and later on Android, ChromeOS, LaCrOS, Linux, macOS, Windows, to improve Chrome's loading speed, real-time Safe Browsing checks no longer block page loads. We have evaluated the risk and put mitigations in place:
- For malware and 0-day attacks, local-blocklist checks will still be conducted in a synchronous manner so that malicious payloads are still blocked by Safe Browsing.
- For phishing attacks, we've looked at data and it is unlikely the user would have interacted with the page (for example, type a password) by the time we show the warning.
- Chrome 122 on Android, ChromeOS, LaCrOS, Linux, macOS, Windows
- Chrome 131 on iOS
- Remove non-standard GPUAdapter requestAdapterInfo() method
The WebGPU working group decided it was impractical for
requestAdapterInfo()
to trigger a permission prompt so they’ve removed that option and replaced it with the GPUAdapter info attribute. This means that web developers can get the sameGPUAdapterInfo
value synchronously. For more information, see the previous Intent to Ship: WebGPU: GPUAdapter info attribute.- Chrome 131 on Windows, macOS, Linux, Android
- Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, macOS, Windows: Deprecation of Safe Browsing Extended Reporting. Excluding real-time Client Safe Browsing Report Request
- Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows: Deprecating SafeBrowsingExtendedReportingEnabled for real-time Client Safe Browsing Report Request
- Update Google Play Services to fix issues with on-device passwords
Users with old versions of Google Play Services will experience reduced functionality with their on-device passwords, and Password Manager might soon stop working for them altogether. These users will need to update Google Play Services, or will be guided through other troubleshooting methods depending on their state. This is part of an ongoing migration that only affects Android users of Google Password Manager.
- Chrome 131 on Android
- Entrust certificate distrust
In response to sustained compliance failures, Chrome 127 changes how publicly-trusted TLS server authentication, that is, websites or certificates issued by Entrust, are trusted by default. This applies to Chrome 127 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.
Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:
- after October 31, 2024, will no longer be trusted by default.
- on or before October 31, 2024, will be unaffected by this change.
If a Chrome user or an enterprise explicitly trusts any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.
For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.
To learn more about the Chrome Root Store, see this FAQ.
- Chrome 131 on Android, ChromeOS, Linux, macOS, Windows: All versions of Chrome 131 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after November 11, 2024.
- Simplified sign-in and sync experience
Starting in Chrome 131, existing users with Chrome sync turned on will experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be controlled by SyncTypesListDisabled. Sign-in to Chrome can be disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Chrome 131 on Android
- User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, macOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
chrome://flags/#enable-user-link-capturing-pwa
. - Chrome 131 on Linux, macOS, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).
- Chrome 121 on Linux, macOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
- Deprecation of CSS Anchor Positioning property inset-area
The CSS working group (CSSWG) resolved to rename the inset-area property to position-area. For more details, see the CSSWG discussion on github. The new property name, position-area, as a synonym for inset-area shipped via this feature update described on Chrome Platform Status, describing the deprecation and removal of the inset-area property.
- Chrome 131 on Windows, macOS, Linux, Android
- X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.
However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.
For more detail, see this Chromium blog post and this Google Security blog post.
- Chrome 124 on Windows, Mac, Linux: new post-quantum secure TLS key encapsulation mechanism X25519Kyber768 is enabled
- Chrome 131 on Windows, Mac, Linux: Switch to standard version of ML-KEM
- Chrome 141 on Windows, Mac, Linux: Remove enterprise policy PostQuantumKeyAgreementEnabled
- Chrome PDF Viewer OCR
Chrome Desktop now makes scanned PDFs more accessible. Using on-device OCR to maintain privacy (no content is sent to Google), Chrome automatically converts scanned PDFs, allowing you to select text, Ctrl+F, copy, and paste. The feature does not bypass secure PDFs. It will only OCR PDFs the user has access to. The solution unlocks PDF accessibility to Chrome users without any extra steps, making PDFs as accessible as the rest of the web.
- Chrome 131 on ChromeOS, Linux, macOS, Windows
- Insecure form warnings on iOS
Chrome 125 started to block form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it now displays a warning asking the user to confirm the submission. The goal is to prevent leaking of form data over plain text without the user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature, and will be removed in Chrome 131.
- Chrome 125 on iOS: Feature rolls out
- Chrome 131 on iOS: InsecureFormsWarningsEnabled policy will be removed
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions. You can use the Chromium bug tracker to report any issues you encounter.
- Chrome 132 on Windows: Network Service sandboxed on Windows
- Read aloud in Reading mode
Reading mode is a side-panel feature that provides a simplified view of text-dense web pages. Reading mode will now include a Read aloud feature which allows users to hear the text they are reading spoken out loud. Users can choose different natural voices and speeds, and see visual highlights.
- Chrome 132 on ChromeOS, Linux, macOS, Windows
- Capture all screens
This feature captures all the screens currently connected to the device using
getAllScreensMedia()
. CallinggetDisplayMedia()
multiple times requires multiple user gestures, burdens the user with choosing the next screen each time, and does not guarantee to the app that all the screens were selected.getAllScreensMedia()
improves on all of these fronts.This feature is only exposed behind the MultiScreenCaptureAllowedForUrls enterprise policy, and users are warned before recording even starts, that recording could start at some point. The API will only work for origins that are specified in the MultiScreenCaptureAllowedForUrls allowlist. Any origin not specified there, will not have access to it.
- Chrome 132 on ChromeOS
- SafeBrowsing API v4 to v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5.
If admins have any v4-specific URL allowlisting to allow network requests to
https://safebrowsing.googleapis.com/v4*
, these should be modified to allow network requests to the whole domain instead:safebrowsing.googleapis.com
. Otherwise, rejected network requests to the v5 API will cause security regressions for users.- Chrome 133 on Android, iOS, ChromeOS, LaCrOS, Linux, macOS, Windows: This will be a gradual roll-out.
- Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:
1. Checks whether the request has been initiated from a secure context.
2. Sends a preflight request, and checks whether B responds with a header that allows private network access.
There are already features for subresources and workers, but this one is for navigation requests specifically. These checks protect the user's private network.
Since this feature is the warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in the DevTools console, to help developers prepare for the coming enforcement.
- Chrome 133 on Windows, macOS, Linux, Android
- Deprecate mutation events
Synchronous mutation events, including
DOMSubtreeModified
,DOMNodeInserted
,DOMNodeRemoved
,DOMNodeRemovedFromDocument
,DOMNodeInsertedIntoDocument
, andDOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.Mutation event support will be disabled by default starting in Chrome 127, around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
Please see this blog post for more detail. Report any issues here.
- Chrome 135 on Android, Linux, macOS, Windows: The MutationEventsEnabled enterprise policy will be deprecated.
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Administrators might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
Upcoming Chrome Enterprise Core changes
- GenAI Defaults policy
Starting in 131, Chrome Enterprise Core will offer a policy to control the default behavior of multiple GenAI policies via our Trusted Tester program. You can sign up for our Trusted Tester program here. This policy will not impact any manually-set policy values for generative AI features. This policy will control the default settings for the following policies:
- DevToolsGenAiSettings
- HelpMeWriteSettings
- HistorySearchSettings
- TabOrganizerSettings
- TabCompareSettings
- Only available to Trusted Testers. You can sign up for our Trusted Tester program here.
- Chrome extension telemetry integration with SecOps
We will begin to collect relevant Chronicle extension telemetry data from within Chrome, for managed profiles and devices, and send it to Google SecOps. Google SecOps will analyze the data to provide instant analysis and context on risky activity; this data is further enriched to provide additional context and is searchable for a year.
- Chrome 131 on ChromeOS, LaCrOS, Linux, macOS, Windows
- New managed profile list and reporting for signed-in users
Chrome Enterprise Core will introduce a new Managed profile list and reporting in the Admin console. This feature will provide a list of profiles for managed users who sign in to Chrome using a Google Account. IT administrators will need to enable the new Chrome Profile Reporting policy to view more information about a managed profile. The reporting will include details on managed profiles such as the browser versions, policies applied (including conflicts), extensions installed, and more.
- Currently available on Android, Linux, macOS, Windows for the Trusted Tester program. You can sign up for our Trusted Tester program here.
- As early as Chrome 130 on Android, Linux, macOS, Windows
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, macOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy.
Upcoming Chrome Enterprise Premium changes
- Chrome Enterprise Data Controls: Clipboard
Admins can set data control rules in the Google Admin console to protect end users from data leakage on Chrome browser. Data Controls are lightweight rules set in the Google Admin console that allow admins to set a Chrome policy to control sensitive user actions such as copying and pasting sensitive data and taking screenshots or screen sharing.
This feature can be controlled via DataControlsRules policy. This feature is available to test for the members of the Chrome Enterprise Trusted Tester program. You can sign up for our Trusted Tester program here.
- Chrome 128 on ChromeOS, Linux, macOS, Windows: Trusted Tester program
- Chrome 131 on ChromeOS, Linux, macOS, Windows: Feature rolls out
- Screenshot protections
Admins can prevent users from taking screenshots or screen sharing specific web pages considered to contain sensitive data. Admins create a DLP URL filtering rule to block users taking screenshots or screen sharing specific URLs or categories of URLs. This feature can be controlled via the same EnterpriseRealTimeUrlCheckMode policy that enables all real-time URL lookups.
This feature is available to test for the members of the Chrome Enterprise Trusted Tester program. You can sign up for our Trusted Tester program here.
- Chrome 129 on ChromeOS, Linux, macOS, Windows: Trusted Tester program
- Chrome 131 on ChromeOS, Linux, macOS, Windows: Feature rolls out.
ChromeOS 130 release summary
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Quick Insert | ✓ | ||
Settings and shortcuts changes | ✓ | ||
Focus on ChromeOS | ✓ | ||
Enhanced access for Drive files | ✓ | ||
New suggestions in Tote | ✓ | ||
Welcome Recap | ✓ | ||
Studio-style mic | ✓ | ||
AI-powered Recorder app | ✓ | ||
Content scanning for Managed Guest Sessions | ✓ | ✓ | |
Additional URLs allowed in Kiosk mode | ✓ | ✓ | |
Appearance effects | ✓ | ||
More accessible privacy controls | ✓ | ||
Enhanced keyboard brightness controls | ✓ | ||
Enhanced display brightness controls | ✓ | ||
Help me read on ChromeOS | ✓ | ||
Multi-calendar support | ✓ | ||
Picture-in-Picture windows | ✓ | ||
Improved ARC++ user experience | ✓ | ||
New policy to control Access Point Names | ✓ | ||
Microsoft SCEP SID update | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
AI wallpapers and backgrounds | ✓ | ||
ChromeOS Flex auto-enrollment | ✓ | ||
Graduate data migration | ✓ | ✓ | |
Chrome App support ending on ChromeOS | ✓ | ||
Native Client (NaCl) support ending on ChromeOS | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
ChromeOS updates
-
Quick Insert provides a quick way to insert emojis, symbols, GIFs, Google Drive links, and quick calculations and unit conversions with a keyboard key (on select models) or a keyboard shortcut.
In ChromeOS 130, a new shortcut Launcher + f is available on all ChromeOS devices. A new hardware key is initially available on the Samsung Galaxy Chromebook Plus only, but the Quick Insert key will launch on a range of devices in 2025.
-
Settings and shortcuts changes
We’ve updated the shortcut and input device options in Settings to include:
- Quick Insert: Launcher + f
-
We've designed Focus on ChromeOS to help users minimize distractions and create a more productive workspace. With Focus, you can effortlessly set and adjust your focus time, enable or disable Do-not-Disturb (DND) mode, sort through or create new Google Tasks, and immerse yourself in curated playlists that help you focus better with focus sound or YouTube Music Premium (subscription-based). To use Focus, go to Quick Settings > Focus.
-
Enhanced access for Drive files
In addition to files you’ve starred within Tote, access all your starred Drive files directly from the shelf, which is now available to you offline. Enhanced Drive suggestions in Launcher and Tote allow you shortcut access to your most important and frequently used files.
-
Quickly access and pin the files you need the most with local and Drive file suggestions. The new Suggestions section in Tote suggests files to users, up-leveling files that will be useful for them to pin and access offline.
-
The new Welcome Recap features help users resume their work and explore new options at start-up. Once you enable this feature you will be able to preview and restore apps and tabs from your previous session. Welcome Recap also provides helpful information like weather, your next calendar event, recent tabs from other devices and relevant Google Drive suggestions.
To turn on this feature, select Settings > System Preferences > Startup > Welcome Recap, and make sure Ask every time is chosen for your device.
-
Make your Chromebook's built-in microphone sound like a professional studio microphone by activating this feature in the video call controls. Studio-style mic includes the existing noise cancellation and de-reverberation effects, and further enhances them with advanced balancing, reconstruction of fine details, and room adaptation. Users who have enabled noise cancellation will get the Studio-style mic enhancements by default starting with this release. If a user wants to revert to the old noise cancellation-only effect, they can select the appropriate option in Settings > Device > Audio. This feature is only available on Chromebook Plus devices.
-
ChromeOS 130 introduces the new Google AI-powered Recorder app to create transcriptions that can detect and label speakers, and provide a summary of recorded content. Our app goes beyond recording, offering speech-to-text, content summarization, and title suggestions, all powered by Google AI.
-
Content scanning for Managed Guest Sessions
We are now enabling organizations to extend Chrome Enterprise Premium’s powerful scanning and content and context-based protection to local files in Managed Guest Sessions on ChromeOS. For example, a misplaced file containing Social Security numbers is instantly blocked when a user attempts to copy it to an external drive, safeguarding this confidential information.
-
Additional URLs allowed in Kiosk mode
If a Kiosk app uses more than one URL origin, IT Admins can now enter the additional origins. All specified origins will get permissions automatically granted. Permissions will be rejected for any other origins not included in this list.
-
Appearance effects have been popular among the products of cameras, virtual meetings, and short videos for a long time and launched on some Google products. In ChromeOS 130, we integrate this feature into Chromebook for video call controls. Available on Chromebook Plus devices only.
-
More accessible privacy controls
In this launch, we are making OS-level privacy controls more available to users of Chrome browser. This aims to make users more aware that to make the camera or microphone work, they need to enable OS-level privacy controls.
-
Enhanced keyboard brightness controls
Chromebook users can now easily adjust keyboard brightness and control the ambient light sensor directly from the Settings app. This new feature lets you set your keyboard brightness to the perfect level and turn the ambient light sensor on or off as needed. These updates make it simpler to use your device and help manage battery life. Meanwhile, if the Chromebook supports RGB, the Settings > Keyboard option now has a direct link to RGB color selection options. For more details, see Using gaming features on your Chromebook.
-
Enhanced display brightness controls
Chromebook users can now easily adjust display brightness and control the ambient light sensor directly from the Settings app. This new feature lets you set your screen brightness to the perfect level and turn the ambient light sensor on or off as needed in Settings. These updates make it simpler to use your device and help manage battery life.
-
Help me read on ChromeOS provides an AI-powered solution to help you quickly find the information you need in any text. Easily get to the heart of what you’re reading in the browser and in Gallery by right-clicking on an empty space to reveal the Help me read card above the existing contextual menu. The Help me read panel showcases a summary of the text and a freeform Q&A field where you can ask specific questions about the text. Available on Chromebook Plus devices only.
-
We are launching Multi-calendar support to allow users to view all events from multiple calendars that they have selected within their Google Calendar.
-
ChromeOS users can now enjoy greater flexibility with Picture-in-Picture (PiP) windows. PiP Tuck allows users to temporarily move PiP windows to the side of their screen, freeing up valuable screen space while keeping the video easily accessible. Additionally, you can quickly adjust the size of PiP windows with a quick double-tap, toggling between two sizes for optimal viewing.
-
Improved ARC++ user experience
To improve ChromeOS and ARC++ user experience, we're moving ARC++ non-urgent background and error notifications to the system tray. This prevents these messages from unnecessarily popping up in the foreground and disrupting the user's journey. By moving these notifications to the system tray, we can ensure that users are still notified of potential issues but are not interrupted while using their Chromebook. For more information about ARC++, see this ChromeOS developer blog.
-
New policy to control Access Point Names
For Chromebooks with cellular capability, Access Point Name (APN) policies allow administrators to restrict usage of custom APNs. By setting the AllowAPNModification flag in general network settings to restrict, they can prevent end users from adding or using any custom APNs.
-
Only for SCEP deployments using Microsoft NPS for RADIUS. If you are not using SCEP certificates in combination with Microsoft NPS for Radius for Chromebook network connectivity, you may disregard the remainder of these instructions. We expect this to be a setup more common in enterprise rather than in education.
Microsoft has announced a security update that will add a new required field, a Security Identifier (SID), to SCEP certificates in environments utilizing NPS for Radius for network authentication. This addition is due to a security vulnerability on Windows devices where usable certificates with private keys can be exported from one Windows device to be used on any other device. Addition of the SID means that the certificate becomes linked to a device or user in your Active Directory environment so that an unknown device/user cannot use it. This is not a security issue for Chromebooks, as they do not allow the exporting of certificates with private keys in them and they are protected by the TPM. However, any certificate lacking this new field will fail to authenticate against a NPS for Radius server after the hard enforcement deadline of February 11th, 2025.
What do you need to do?
As soon as possible, verify if your deployment relies on both SCEP certificates and NPS for Radius for network authentication. This can be done by going into event viewer on your Domain Controller -> System, and searching for event ID #39. If you see this event ID:
Actions to take if you see the event ID #39:
- Create a new object, or reuse an existing one, in your Active Directory environment for SCEP use
- Extract the SID for the AD object, for example, PS> (Get-ADUser username).SID.value
- Create a new SCEP profile with all settings duplicated from your current setup and add in the SID of the newly created, or existing, AD object from step 1.
- Under the Subject Alternative name section select the Custom radio button. Add a new Subject Alternative name using the + button with the type Uniform Resource Identifier from the dropdown. Under string, the value should be similar to:
tag:microsoft.com,2022-09-14:sid:S-1-2-3-4-5-6-8
whereS-1-2-3-4-5-6-8
is the SID of the AD object- Deploy this new certificate to all potentially affected Chromebooks in your fleet:
- Wait, AT LEAST ONE MONTH, to reasonably guarantee that all devices have picked up the new certificate.
- Relink any and all policies from the old certificate to the new one from Step 2.
- Verify functionality using the new certificate.
- Delete the old profile.
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming ChromeOS changes
-
As early as ChromeOS 131, we plan to introduce high-resolution, generative AI wallpapers and video call backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.
Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings. This feature will be available on Chromebook Plus devices only.
-
As early as ChromeOS 131, ChromeOS Flex auto-enrollment will allow you to deploy ChromeOS Flex devices at scale. Similar to ChromeOS zero-touch enrollment, automatic enrollment embeds an enrollment token created by an organization's administrator into a ChromeOS Flex image. This will determine which customer organization and organizational unit a device will enroll into during initial device setup.
-
As early as ChromeOS 132, a new Content Transfer tool will guide graduate students or other EDU-managed users who want to migrate their data through the updated Google Takeout Transfer process. This allows them to take their Docs, Sheets, Slides, and Gmail content to a Gmail account of their choice.
This new application allows school administrators to pin an icon to the shelf, notify students and faculty on their Chromebooks, and set dates to trigger these nudges to encourage them to use the existing Takeout Transfer process.
-
Chrome App support ending on ChromeOS
In 2016, we announced the deprecation of Chrome Apps in favor of web apps, and in 2021, we announced on the Chromium Blog that Chrome App support for ChromeOS Enterprise and Education customers and developers on ChromeOS would be extended until at least January 2025. With the majority of our customers having migrated off of Chrome Apps (including Legacy (v1) packaged apps and Hosted apps), we can confirm the following updates about Chrome App discontinuation dates.
July 2025: End of support for user-installed Chrome Apps (scheduled for ChromeOS M138).- Chrome Apps that are force-installed through the Admin console will continue to be supported.
- Devices on the LTS channel with Chrome Apps in Kiosk Mode will receive support until April 2027.
- Devices on the LTS channel can continue to use Chrome Apps until October 2028.
- No exceptions will be granted.
These deprecation timelines also apply to self-hosted Chrome Apps.
While no new Chrome Apps can be added to the Chrome Web Store, existing Chrome Apps can continue to be updated through October 2028 when they will reach end of life on ChromeOS. After this date, Chrome Apps will be removed from the Chrome Web Store.
If your organization has developed in-house Chrome Apps and you need assistance, please refer to Transition from Chrome Apps guide. You can also join us in the ChromeOS developer community on Discord, or reach out to us through the form at https://chromeos.dev/work-with-us. Refer to the ChromeOS release schedule for release dates and updates.
In the coming weeks, additional detailed information will be sent to all remaining Chrome App developers and all ChromeOS Administrators.
-
Native Client (NaCl) support ending on ChromeOS
In 2017, we announced the deprecation of Native Client (NaCl) in favor of WebAssembly. With the majority of our customers having migrated off of NaCl, we can confirm some important changes coming to ChromeOS.
- January 2025: Native Client (NaCl) will be disabled by default from ChromeOS M132 onwards.
- For unmanaged and consumer users, M131 will be the last ChromeOS release with support for NaCl.
- For managed user environments, administrators who manage ChromeOS devices for a business or school already will have the option of extending the ability to use NaCl with a NaCl allow policy through the M138 release. Starting with M132, the policy will also be available for Kiosk sessions.
- July 2025: ChromeOS M138 will mark the end of life for NaCl technology on ChromeOS.
- For managed environments, M138 is a Long-term Support (LTS) ChromeOS release available to administrators who manage ChromeOS devices for a business or school. Devices that have been switched to the LTS channel and have the NaCl allow policy enabled can continue to use NaCl until LTS Last Refresh in April 2026.
If your organization has developed in-house Chrome Apps with NaCl and you need assistance, please refer to Transition from Chrome Apps and WebAssembly Migration guides. You can also join us in the ChromeOS developer community on Discord, or reach out to us through the form at https://chromeos.dev/work-with-us. Refer to the ChromeOS release schedule for release dates and updates.
In the coming weeks, additional detailed information will be sent to NaCl developers and impacted ChromeOS Administrators.
- January 2025: Native Client (NaCl) will be disabled by default from ChromeOS M132 onwards.
Chrome 129
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Tab compare | ✓ | ||
Chrome no longer support macOS 10.15 | ✓ | ✓ | |
Ad-hoc code signatures for PWA shims on macOS | ✓ | ||
Certificate Manager on Windows and macOS | ✓ | ||
Chrome Security Insights | ✓ | ✓ | |
Deprecate Safe Browsing Extended reporting | ✓ | ||
Inactive tabs on Android | ✓ | ||
New option in HttpsOnlyMode policy | ✓ | ✓ | |
Screenshot protections | ✓ | ||
Sync tab group | ✓ | ||
Google Play Services fixes issues with on-device passwords | ✓ | ||
Deprecate the includeShadowRoots argument on DOMParser | ✓ | ||
Deprecation of non-standard declarative shadow DOM serialization | ✓ | ||
Rename inset-area to position-area | ✓ | ||
Clear local device data on sign out on iOS | ✓ | ||
Toolbar customization | ✓ | ||
Google Password Manager Passkey usage on ChromeOS | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Chrome Enterprise Premium for file transfers on Managed Guest Sessions | ✓ | ||
Educators Appreciation wallpaper | ✓ | ||
Display brightness controls | ✓ | ||
Peripheral Welcome experience | ✓ | ||
Managed accounts no longer synced as secondary accounts on Android | ✓ | ✓ | |
Live Translate | ✓ | ||
Keyboard brightness controls | ✓ | ||
Keyboard shortcut for Select-to-Speak | ✓ | ||
PIN as an authentication factor | ✓ | ||
Automatic reload of sign-in screen | ✓ | ||
CSE Workspace file types now supported in Google Drive | ✓ | ||
Battery Icon updates | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Extension Risk Score on the Apps and Extensions Usage report | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Entrust certificate distrust | ✓ | ||
Fallback styles for <meter> element | ✓ | ||
Compression dictionary transport with Shared Brotli and Shared Zstandard | ✓ | ||
Keyboard-focusable scroll containers | ✓ | ||
Support non-special scheme URLs | ✓ | ||
Simplified sign-in and sync experience | ✓ | ||
Chrome extension telemetry integration with SecOps | ✓ |
✓ |
|
User Link capturing on PWAs | ✓ | ✓ | |
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
Insecure form warnings on iOS | ✓ | ||
Remove policy used for legacy same site behavior | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
UI Automation accessibility framework provider on Windows | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Generative AI wallpapers and video conference backgrounds | ✓ | ||
ChromeOS XDR window events | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome browser managed profile reporting | ✓ | ||
Default change for GenAI policies | ✓ | ||
GenAI control policy | ✓ | ||
Support for user-level settings on the Custom configurations page | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.
Chrome browser updates
- Tab compare
Starting in Chrome 129 (US-only), we introduce Tab compare, a new feature that presents an AI-generated overview of products from across multiple tabs, all in one place. This feature is controlled through the TabCompareSettings policy. For more details, see our Tab compare article in the Chrome Enterprise and Education help center.
- Chrome 129 on Linux, macOS, Windows
- Chrome no longer supports macOS 10.15
Chrome 129 no longer supports macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 no longer supports macOS 10.15.
- Chrome 129 on macOS: Chrome no longer supports macOS 10.15
- Ad-hoc code signatures for PWA shims on macOS
Code signatures for application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures, which are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.
This addresses problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and permits future improvements for handling user notifications within PWAs on macOS.
- Chrome 129 on macOS
- Certificate Manager on Windows and macOS
As early as Chrome 129, there is a new certificate management settings screen accessible from security settings on Windows and macOS. This replaces the link to Windows cert manager and macOS keychain, respectively, although these operating system surfaces are still accessible from the certificate management settings page.
The certificate manager displays certificates that are trusted or distrusted by Chrome, including the contents of the Chrome Root Store, and any certificates that have been imported from the underlying operating system. Users can access the page directly by navigating to chrome://certificate-manager.
A future release will introduce user and enterprise management of certificates added directly to Chrome.
- Chrome 129 on macOS, Windows
- Chrome Security Insights
You can now enable Chrome Security Insights, which allows you to monitor insider risk and data loss enhanced monitoring for Chrome activity if you have Chrome Enterprise Core and Workspace Enterprise Standard or Workspace Enterprise Plus with assigned licenses. For more information, see Monitoring for insider risk and data loss.
- Chrome 125 on ChromeOS, Linux, macOS, Windows: Feature enabled for Chrome Enterprise Core
- Chrome 129 on ChromeOS, Linux, macOS, Windows: Feature enabled for EDU customers (except K-12)
- Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, macOS, Windows: Deprecation of Safe Browsing Extended Reporting — Excluding real-time Client Safe Browsing Report Request
- Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows: Deprecating SafeBrowsingExtendedReportingEnabled for real-time Client Safe Browsing Report Request
- Inactive tabs on Android
In Chrome 129, old tabs will be hidden under a new Inactive Tabs section in the tab switcher on Chrome on Android. Chrome users can access the inactive tabs section to view all old tabs or close them using the new bulk tab functionality. These tabs will be deleted after being in this section for over 60 days.
- Chrome 129 on Android: Feature rolls out to 1%
- New option in HttpsOnlyMode policy
Ask Before HTTP (ABH), formerly named HTTPS Only/First Modes, is a setting that tells Chrome to ask for user consent before sending insecure HTTP content over the wire. The HttpsOnlyMode policy allows force-enabling, or force-disabling, ABH.
In Chrome 129, we are adding a new middle-ground variant of ABH called balanced mode. This variant aims to reduce user inconvenience by working like (strict) ABH most of the time, but not asking when Chrome knows that an HTTPS connection isn't possible, such as when connecting to a single-label hostname like internal/.
We are adding a force_balanced_enabled policy option to allow force-enabling this new variant. Setting force_balanced_enabled on browsers before Chrome 129 will result in the default behavior, which places no enterprise restrictions on the ABH setting.
To avoid unexpected impact, if you have previously set force_enabled, we recommend not setting force_balanced_enabled until your entire fleet has upgraded to Chrome 129 or higher. If you are not migrating from force_enabled to force_balanced_enabled, you will be unaffected by this change.
- Chrome 129 on Android, ChromeOS, LaCrOS, Linux, macOS, Windows, Fuchsia
- Screenshot protections
Screenshot protections allow Admins to prevent users from taking screenshots or screen sharing specific web pages considered to contain sensitive data. This feature is available to Chrome Enterprise Premium users only. This feature can be controlled via the same EnterpriseRealTimeUrlCheckMode Chrome Enterprise policy that enables all real-time URL lookups.
- Chrome 129 on ChromeOS, Linux, macOS, Windows
- Sync tab group
The tab groups on iOS are now saved. Closing a tab group no longer deletes it. For users syncing their tabs across devices, the groups also sync.
- Chrome 129 on iOS
- Google Play Services fixes issues with on-device passwords
Users with old versions of Google Play Services (<24w02) experience reduced functionality with their on-device passwords, and Password Manager might soon stop working for them altogether. These users need to update Play Services, otherwise they will be guided through other troubleshooting methods depending on their state. This is part of an ongoing migration that only affects Android users of Password Manager.
- Chrome 129 on Android
- Deprecate the includeShadowRoots argument on DOMParser
The includeShadowRoots argument was a never-standardized argument to the DOMParser.parseFromString() function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.
Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() shipped in Chrome 124, the non-standard includeShadowRoots argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
document.parseHTMLUnsafe(html);
- Chrome 129 on Linux, macOS, Windows, Android
- Deprecation of non-standard declarative shadow DOM serialization
The prototype implementation, which was shipped in 2020 and then updated in 2023, contained a method called `getInnerHTML()` that could be used to serialize DOM trees containing shadow roots. That part of the prototype was not standardized with the rest of the declarative shadow DOM, and has only recently reached spec consensus (for details, see Github). As part of that consensus, the shape of the getInnerHTML API changed.
This feature represents the deprecation of the previously shipped `getInnerHTML()` method. The replacement is called `getHTML()`, which shipped in Chrome 125. For details, see this ChromeStatus feature description.
- Chrome 129 on Windows, macOS, Linux, Android
- Rename inset-area to position-area
The CSS working group (CSSWG) resolved to rename this property from `inset-area` to `position-area`. For more details, see the CSSWG discussion in Github. Chrome will support both the old and new property names for a few milestones, to help developers migrate to the new position-area name. We are shipping the new property name, `position-area`, as a synonym for `inset-area` in Chrome 129 along with the deprecation DevTrial for `inset-area`.
The `inset-area` property is currently planned for removal in Chrome 131.
- Chrome 129 on Windows, macOS, Linux, Android
- Clear local device data on sign out on iOS
Starting in Chrome 129, signing out from a managed account in an unmanaged browser deletes local browsing data that is saved on the device. Managed users are presented a confirmation dialog on sign-out explaining that unsaved data will be cleared. Data will be cleared only from the time of sign-in, otherwise all data will be cleared; time of sign-in is only known if the user signed in on Chrome 122 or later.
The data that is deleted includes:
- browsing history
- cookies and site data
- passwords
- site settings
- autofill
- cached images and files
- Chrome 129 on iOS
- Toolbar customization
We are introducing a toolbar customization feature in Chrome 129, which allows desktop browser users to pin and unpin icons to their toolbar via a new side panel.
- Chrome 129 on ChromeOS, Linux, macOS, Windows: Rolls out gradually
- Google Password Manager Passkey usage on ChromeOS
Passkeys improve user security but until today have been slightly more difficult to use across devices. Now, users can save passkeys to Google Password Manager and use them across devices and platforms. This feature is already available on Windows, macOS, Linux and Android. It is now available on ChromeOS.
- Chrome 127 on Windows, Android and macOS
- Chrome 129 on Windows, Android, macOS and ChromeOS
- New and updated policies in Chrome browser
Policy Description TabCompareSettings Tab Compare settings AdHocCodeSigningForPWAsEnabled Ad-hoc code signing for Progressive Web App shims
ChromeOS updates
-
Chrome Enterprise Premium for file transfers on Managed Guest Sessions
In ChromeOS 129, organizations can extend Chrome Enterprise Premium’s powerful scanning and content and context-based protection to local files on ChromeOS on Managed Guest Sessions.
For example, a misplaced file containing Social Security numbers is instantly blocked when a user attempts to copy it to an external drive, safeguarding this confidential information.
-
Educators Appreciation wallpaper
In ChromeOS 129, we have added a new wallpaper collection to celebrate and share our gratitude and support to educators around the world.
-
Chromebook users can now easily adjust display brightness and control the ambient light sensor directly from the Settings app. This new feature lets you set your screen brightness to the perfect level and turn the ambient light sensor on or off as needed in the Settings app. These updates make it simpler to use your device and help manage battery life.
-
Knowing that a peripheral has been successfully connected, configuring it, and finding its companion app are critical steps in the peripheral user journey. This release aims to deliver a high-quality Welcome Experience by letting users know their peripheral is successfully connected and inviting them to configure it and make the most of it.
-
Managed accounts no longer synced as secondary accounts on Android
Starting from ChromeOS version 129, we enhance the data security for Android on ChromeOS. Enterprise accounts that are added as secondary accounts in-session will no longer automatically be added to the Android on ChromeOS environment. This change does not affect consumer accounts, education accounts, or accounts that were previously added.
-
Chromebook Plus devices are getting Live Translate which will allow a user to translate captionable content from Live Captions into a language of their choice. If an English speaking user is having a conversation with a person with whom they don't share the same language, so long as Live Captions is supported for the language of the person they're speaking with, it can be translated into English. This also works for videos as well and can be used on YouTube to Live Translate a video to English.
-
Chromebook users can now easily adjust keyboard brightness and control the ambient light sensor directly from the Settings app. This new feature lets you set your keyboard brightness to the perfect level and turn the ambient light sensor on or off as needed. These updates make it simpler to use your device and help manage battery life. Meanwhile, if the Chromebook supports RGB, the Keyboard Settings page will have a direct link to the Personalization Hub's RGB color selection options.
-
Keyboard shortcut for Select-to-Speak
The Select-to-Speak keyboard shortcut (Search + s) now works when it is first pressed. You no longer need to enable it in Settings first. A dialog displays confirming that you want to turn on select to speak the first time you press the keyboard shortcut.
-
PIN as an authentication factor
This launch enables PIN as an authentication factor in all authentication surfaces across ChromeOS.
-
Automatic reload of sign-in screen
Starting from version 129, ChromeOS optimizes the support of 3P identity provider based logins. In the most common scenario, administrators show a permanent 3P identity provider login on the sign in screen. Many identity providers time out after a specific cadence, for example, 15 mins, leading to errors for the user. The new DeviceAuthenticationFlowAutoReloadInterval policy allows for a repeated refresh of 3P identity providers on the login screen, avoids timeouts, and therefore significantly increases the reliability of 3P identity provider logins.
-
CSE Workspace file types now supported in Google Drive
Client side encryption (CSE) is a Google Workspace and Drive feature that allows customers and users to encrypt files with customer provided keys so that data is encrypted and never stored on our servers in the clear. This launch provides basic CSE support in the Files app on ChromeOS. This includes making CSE files visible, opening CSE files in the browser and flagging non Google Workspace CSE files as unsupported.
-
We are launching an update to the battery icon to ensure that the battery state no longer covers the battery level. Now you can easily see how much battery you have left.
Upcoming Admin console changes
- Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.
- As early as Chrome 130 on Android, Linux, macOS, Windows
- Default change for GenAI policies
Starting with 130, we will change the default setting for GenAI policies from switched off to allowed, without improving AI models. If you have devices enrolled in Chrome Enterprise core, this policy is automatically applied to those devices to prevent sending data for AI model training. The existing policies that will have the updated default setting are:
- CreateThemesSettings (available in the US-only for now)
- DevToolsGenAiSettings (available in most countries)
- HelpMeWriteSettings (available in the US-only for now)
- HistorySearchSettings (available in the US-only for now)
- TabOrganizerSettings (available in the US-only for now)
- TabCompareSettings (available in the US-only for now)
- GenAI control policy
Starting with 130, Chrome Enterprise Core will include a policy to control the behavior of multiple GenAI policies. This will be a convenient feature, allowing Admins to control the default behavior of a set of policies in one place, for example, off by default. This policy will control the following policies:
- DevToolsGenAiSettings
- HelpMeWriteSettings
- HistorySearchSettings
- TabOrganizerSettings
- TabCompareSettings
- GenAIVcBackgroundSettings (launching in Chrome 130)
- GenAIWallpaperSettings (launching in Chrome 130)
- Support for user-level settings on the Custom Configurations page
The Custom configurations page was recently launched in Chrome 127 and it allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As early as October 1st, Custom configurations will support applying settings at the user-level, in addition to machine-level support. In other words, you will be able to enforce policies when users sign in to a managed Google account using the Custom configurations page.
- As early as October 1st on Android, iOS, Linux, macOS, Windows: Feature rolls out for user policies
To get started, you can find the Custom configurations in the Admin console, under Chrome browser > Reports — you will need the Chrome Enterprise Core SKU:
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser updates
- Entrust certificate distrust
In response to sustained compliance failures, Chrome 127 changes how publicly-trusted TLS server authentication, that is, website or certificates issued by Entrust, are trusted by default. This applies to Chrome 127 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.
Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:
- after October 31, 2024, will no longer be trusted by default.
- on or before October 31, 2024, will be unaffected by this change.
If a Chrome user or an enterprise explicitly trusts any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.
For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.
To learn more about the Chrome Root Store, see this FAQ.
- Chrome 127 on Android, ChromeOS, Linux, macOS, Windows: All versions of Chrome 127 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after October 31, 2024.
- Chrome 130 on ChromeOS, Linux, macOS, Windows: The blocking action will begin for certificates issued after October 31, 2024. This will also affect Chrome 127, 128 and 129.
- Fallback styles for <meter> elements
As early as Chrome 130, HTML5 <meter> elements with `appearance: none` will have a reasonable fallback style that matches Safari and Firefox instead of just disappearing from the page. In addition, developers will be able to custom style the <meter> elements.
A temporary policy MeterAppearanceNoneFallbackStyle will be available until Chrome 133 to control this feature.
- Chrome 130 on Windows, macOS, Linux, Android
- Compression dictionary transport with Shared Brotli and Shared Zstandard
This feature adds support for using designated previous responses, as an external dictionary for Brotli- or Zstandard-compressing HTTP responses.
Enterprises might experience potential compatibility issues with enterprise network infrastructure. The CompressionDictionaryTransportEnabled policy is available to turn off the compression dictionary transport feature.
- Chrome 130 on Windows, macOS, Linux, Android
- Keyboard-focusable scroll containers
Improves accessibility by making scroll containers focusable using sequential focus navigation. Today, the tab key doesn't focus scrollers unless tabIndex is explicitly set to 0 or more.
By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using a keyboard's tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a <textarea>.
- Chrome 130 on Windows, macOS, Linux, Android
- Support non-special scheme URLs
Chrome 130 will support non-special scheme URLs, for example, git://example.com/path, correctly. Previously, Chromium's URL parser didn't support non-special URLs. The parser parses non-special URLs as if they had an opaque path, which is not aligned with the URL Standard. Now, Chromium's URL parser parses non-special URLs correctly, following the URL Standard. For more details, see http://bit.ly/url-non-special.
- Chrome 130 on Windows, macOS, Linux, Android
- Simplified sign-in and sync experience
Starting in Chrome 131, existing users with Chrome sync turned on will experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be controlled by SyncTypesListDisabled. Sign-in to Chrome can be disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Chrome 131 on Android
- Chrome extension telemetry integration with Google SecOps
We will begin to collect relevant Chronicle extension telemetry data from within Chrome, for managed profiles and devices, and send it to Google SecOps. Google SecOps will analyze the data to provide instant analysis and context on risky activity; this data is further enriched to provide additional context and is searchable for a year.
- Chrome 131 on ChromeOS, LaCrOS, Linux, macOS, Windows
- User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. Clicking a link always automatically opens the app.
- Chrome 121 on Linux, macOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
chrome://flags/#enable-user-link-capturing-pwa
. - Chrome 131 on Linux, macOS, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).
- Chrome 121 on Linux, macOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
- Chrome Third-Party Cookie Deprecation (3PCD)
On July 22nd, we announced a new path forward for Privacy Sandbox on the web. Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time. We're discussing this new path with regulators, and will engage with the industry as we roll this out.
For more details, see this Privacy Sandbox update.
- Insecure form warnings on iOS
Chrome 125 started to block form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it now displays a warning asking the user to confirm the submission. The goal is to prevent leaking of form data over plain text without user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature, and will be removed in Chrome 130.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, macOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.
However, some enterprise network devices such as firewalls and proxies (TLS middleboxes) might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through at least Chrome 141 in 2025. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.
Starting in Chrome 131, Chrome will switch the key encapsulation mechanism from the draft version of Kyber, to the final standard version of ML-KEM. Using any form of post-quantum key exchange (Kyber or ML-KEM) will continue to be controlled by the PostQuantumKeyAgreementEnabled policy.
For more detail, see this Chromium blog post and this Google Security blog post.
- Chrome 124 on Windows, macOS, Linux
- Chrome 131
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Administrators can use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
Upcoming ChromeOS changes
-
In ChromeOS 130, window focus events will be available as part of Extended Threat Detection and Response (XDR) on ChromeOS. You will be able to bring windows into focus activities of devices in your managed fleet by simply updating XDR events in the Admin console!
-
Generative AI wallpapers and video conference backgrounds
As early as ChromeOS 130, we plan to introduce high-resolution, generative AI wallpapers and video-conference meeting backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.
Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings.
Upcoming Admin console changes
- Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.
- As early as Chrome 130 on Android, Linux, macOS, Windows
- Default change for GenAI policies
Starting with 130, we will change the default setting for GenAI policies from switched off to allowed, without improving AI models. If you have devices enrolled in Chrome Enterprise core, this policy is automatically applied to those devices to prevent sending data for AI model training. The existing policies that will have the updated default setting are:
- CreateThemesSettings (available in the US-only for now)
- DevToolsGenAiSettings (available in most countries)
- HelpMeWriteSettings (available in the US-only for now)
- HistorySearchSettings (available in the US-only for now)
- TabOrganizerSettings (available in the US-only for now)
- TabCompareSettings (available in the US-only for now)
- GenAI control policy
Starting with 130, Chrome Enterprise Core will include a policy to control the behavior of multiple GenAI policies. This will be a convenient feature, allowing Admins to control the default behavior of a set of policies in one place, for example, off by default. This policy will control the following policies:
- DevToolsGenAiSettings
- HelpMeWriteSettings
- HistorySearchSettings
- TabOrganizerSettings
- TabCompareSettings
- GenAIVcBackgroundSettings (launching in Chrome 130)
- GenAIWallpaperSettings (launching in Chrome 130)
- Support for user-level settings on the Custom Configurations page
The Custom configurations page was recently launched in Chrome 127 and it allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As early as October 1st, Custom configurations will support applying settings at the user-level, in addition to machine-level support. In other words, you will be able to enforce policies when users sign in to a managed Google account using the Custom configurations page.
- As early as October 1st on Android, iOS, Linux, macOS, Windows: Feature rolls out for user policies
To get started, you can find the Custom configurations in the Admin console, under Chrome browser > Reports — you will need the Chrome Enterprise Core SKU:
Chrome 128
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Search your history in Chrome with AI | ✓ | ||
Admin-configurable site search | ✓ | ✓ | |
Handling undecryptable passwords in Password Manager | ✓ | ||
Inactive Tabs | ✓ | ||
New PromotionsEnabled policy replaces PromotionalTabsEnabled | ✓ | ||
Revamped Chrome Safety Check on Android | ✓ | ||
Rust JSON Parser | ✓ | ||
Tab Groups on iPad | ✓ | ||
Updates for CookiePartitionKey of partitioned cookies | ✓ | ||
Deprecate CHIPS and Relaunch in WebView | ✓ | ||
Isolated Web Apps | ✓ | ||
Rename position-try-options to position-try-fallbacks | ✓ | ||
Google Calendar Card on the New tab page | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Snap groups on ChromeOS | ✓ | ||
Data processor mode: EU-wide rollout | ✓ | ||
Privacy Controls: Geolocation | ✓ | ||
ChromeOS privacy control reminders on app settings page | ✓ | ✓ | |
Store aggregated vitals data with one-year retention | ✓ | ||
OCR in ChromeOS Camera App | ✓ | ||
Magnifier follows Chromevox | ✓ | ||
Auto Gain Control enabled by default | ✓ | ||
APN management | ✓ | ||
Pinned notifications on ChromeOS | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Chrome profile separation - new deployment guide | ✓ | ||
Chrome Enterprise Data Controls: Clipboard | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Tab compare | ✓ | ||
Ad-hoc code signatures for PWA shims on macOS | ✓ | ||
Clear device data on sign out on iOS | ✓ | ||
Fallback styles for HTML5 <meter> element | ✓ | ||
Chrome will no longer support macOS 10.15 | ✓ | ✓ | |
Deprecate Safe Browsing Extended reporting | ✓ | ||
Certificate Manager on Windows and MacOS | ✓ | ||
New option in HttpsOnlyMode policy | ✓ | ✓ | |
Sync Tab Group | ✓ | ||
Update Google Play Services to fix issues with on-device passwords | ✓ | ||
Deprecate non-standard declarative shadow DOM serialization | ✓ | ||
Deprecate the includeShadowRoots argument on DOMParser | ✓ | ||
Rename inset-area to position-area | ✓ | ||
Entrust certificate distrust | ✓ | ||
Support non-special scheme URLs | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
User Link capturing on PWAs | ✓ | ✓ | |
Private network access checks for navigation requests: warning-only mode | ✓ | ||
Insecure form warnings on iOS | ✓ | ||
Chrome extension telemetry integration with Chronicle | ✓ | ✓ | |
Remove policy used for legacy same site behavior | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
UI Automation accessibility framework provider on Windows | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Update to keyboard shortcut for Select-to-speak | ✓ | ||
Chrome Enterprise Premium for file transfers on Managed Guest Sessions | ✓ | ||
ChromeOS XDR window events | ✓ | ||
Generative AI wallpapers and video conference backgrounds | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome browser managed profile reporting | ✓ | ||
Admin console widget for data controls | ✓ | ||
Default change for GenAI policies | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.
Chrome browser updates
- Search your history in Chrome with AI
Starting in Chrome 128, users can search their browsing history based on page contents and not just the page title and URL. Initially, this feature is only available to users in English in the US. Admins can control this feature by using the HistorySearchSettings policy. You have the following options for your organization:
- 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models.
- 1 = Enable the feature for users, but do not send data to Google to train or improve AI models.
- 2 = Fully disable feature
For more information, see Search your history in Chrome with AI.
- Chrome 128 on Linux, Mac, Windows
- Admin-configurable site search
Site search shortcuts are a way to use the address bar (Omnibox) as a search box for a specific site without navigating directly to the site’s URL, similar to how you can use the Omnibox to perform a broad Google search of the web. You can now create site shortcuts on behalf of your managed users, to shortcut to the most critical enterprise sites. You can control this feature using the SiteSearchSettings policy.
- Chrome 128 on ChromeOS, Linux, Mac, Windows: Available for Chrome Browser Core customers signed up for Trusted Tester starting Chrome 128, followed by gradual rollout for all Chrome Browser Enterprise customers a few weeks later
- Handling undecryptable passwords in Password Manager
Users sometimes end up with undecryptable passwords on their device, for example, if they've used third party software to move to a new device. We are launching a new policy called DeletingUndecryptablePasswordsEnabled that helps handle such passwords. When enabled, this policy deletes undecryptable passwords from the user's device, unless the UserDataDir policy is specified. When DeletingUndecryptablePasswordsEnabled is off, undecryptable passwords are untouched, but this will result in broken Password Manager functionality.
- Chrome 128 on iOS, Linux, Mac, Windows
- Inactive tabs
In Chrome 128, we now hide old tabs under a new Inactive Tabs section in the tab switcher on Chrome on Android. Chrome users can access the Inactive Tabs section to view all old tabs or close them using the new bulk tab functionality. These tabs will be deleted if inactive for over 60 days.
- Chrome 128 on Android: Rolls out to 1%
- New PromotionsEnabled policy replaces PromotionalTabsEnabled
In Chrome 128, new promotional OS-level notifications are shown to users. To include a larger number of promotional features under one policy, a new policy PromotionsEnabled has been created to replace PromotionalTabsEnabled, which will be deprecated in the future.
- Chrome 128 on ChromeOS, Linux, Mac, Windows: PromotionsEnabled will begin to roll out with Chrome 128. There is no flag.
- Revamped Chrome Safety Check on Android
Chrome 128 introduces a new proactive Safety Check that regularly checks the browser for safety-related issues and informs users when there's anything that needs their attention. This launch also introduces a re-designed Safety Check page,
chrome://settings/safetyCheck
, with Chrome’s proactive safety-related actions and information tailored to each user, designed to make it easier for users to stay safe online. For more information, see Manage Chrome safety and security.- Chrome 128 on Android
- Rust JSON Parser
As early as Chrome 128, Chrome will parse JSON using Rust, rather than C++. This will remove the risk of memory safety vulnerabilities in the JSON parser, improving security. This change should be transparent to users. There is a small risk of certain invalid JSON, which Chrome currently accepts, no longer being accepted, although the Rust parser remains extremely lenient.
In the event that Chrome doesn't accept the invalid JSON, this will lead to 500s or other application-level errors, not crashes. If Chrome no longer accepts some invalid JSON, the JSON should be aimed to be fixed.
- Chrome 128
- Tab Groups on iPad
Chrome for iPad users can create and manage tab groups. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 128 on iOS
- Updates for CookiePartitionKey of partitioned cookies
Chrome 128 adds a cross-site ancestor bit to the keying of the partitioned cookie's CookiePartitionKey. This change unifies the partition key with the partition key values used in storage partitioning and adds protection against clickjacking attacks by preventing cross-site embedded frames from having access to the top-level-site's partitioned cookies.
If an enterprise experiences any breakage with embedded iframes, they can use the CookiesAllowedForUrls policy or use SameSite=None cookies without the Partitioned attribute and then invoke the Storage Access API (SAA) to ensure that embedded iframes have access to the same cookies as the top level domain.
- Chrome 128 on Windows, Mac, Linux
- Deprecate CHIPS and relaunch in WebView
The WebViewClient supports a method,
shouldInterceptRequest
, which allows developers to intercept network activity and modify HTTP headers, etc. This API does not have access to the Cookie header and relies on the Android CookieManager API in order to query what cookies are available for a particular request URL. However, partitioned cookies are double-keyed on the top-level site and the site of the URL using the cookies.Currently, the CookieManager API provides no way for developers to query partitioned cookies correctly, and this will cause a mismatch between what the Java API returns and what frames in WebView will actually be in their Cookie header. After discussing this with the WebView team, we believe that the option that will minimize potential app breakage is to disable Cookies Having Independent Partitioned State (CHIPS) on WebView until we are able to ship support for the Cookie header to
shouldInterceptRequest
. We will release the changes toshouldInterceptRequest
in the next target SDK version (API level 36).Enterprise workflows that use WebView to load web content that relies on partitioned cookies will have their state cleared. WebView apps still have access to unpartitioned 3P cookies and cookies set with Partitioned after the change will revert to their legacy pre-CHIPS behavior until we relaunch the feature.
- Chrome 128 on Android
- Isolated Web Apps
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provides stronger protections against server compromise and other tampering, which is necessary for developers of security-sensitive applications.
Rather than being hosted on live web servers and fetched over HTTPS, these IWAs are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the Chromium project explainer.
In this initial release, IWAs are only installable using a new policy, IsolatedWebAppInstallForceList, on enterprise-managed ChromeOS devices.
- Chrome 128 on ChromeOS
- Rename position-try-options to position-try-fallbacks
The CSS working group (CSSWG) resolved to rename this property, because fallbacks more accurately describe what this property controls. The word options is a bit unclear, since the styles outside of `position-try` blocks will be tested first, and if they result in a layout that fits within the containing block, none of the options will get used. So fallbacks is a better word to describe this behavior. For more details, see Github.
- Chrome 128 on Windows, Mac, Linux, Android
- Google Calendar Card on the New tab page
Enterprise users can now access their upcoming meetings directly from the New tab page with the new calendar card. This streamlined experience eliminates the need to switch tabs or waste time searching for your next meeting, allowing you to focus on what matters most. You can control cards on the New tab page with the NTPCardsVisible policy.
- Chrome 128 on Linux, Mac, Windows
- New and updated policies in Chrome browser
Policy Description DataControlsRules Sets a list of Data Controls rules PromotionsEnabled Enable showing promotional content SiteSearchSettings Provides a list of sites that users can quickly search using shortcuts in the address bar LensOverlaySettings Settings for the Lens Overlay feature ExtensionDeveloperModeSettings Control the availability of developer mode on extensions page QRCodeGeneratorEnabled Enable QR Code Generator PrintingLPACSandboxEnabled Enable Printing LPAC Sandbox HistorySearchSettings Settings for AI-powered History Search ChromeForTestingAllowed Allow Chrome for Testing ProvisionManagedClientCertificateForUser Enables the provisioning of client certificates for a managed user or profile StandardizedBrowserZoomEnabled Enable Standardized Browser Zoom Behavior DeletingUndecryptablePasswordsEnabled Enable deleting undecryptable passwords EnterpriseCustomLabel Set a custom enterprise label
- Removed policies in Chrome browser
Policy Description RemoteAccessHostTokenUrl URL where remote access clients should obtain their authentication token RemoteAccessHostTokenValidationUrl URL for validating remote access client authentication token EnterpriseBadgingTemporarySetting Control the visibility of enterprise badging RemoteAccessHostTokenValidationCertificateIssuer Client certificate for connecting to RemoteAccessHostTokenValidationUrl EnforceLocalAnchorConstraintsEnabled Determines whether the built-in certificate verifier will enforce constraints encoded into trust anchors loaded from the platform trust store. CertificateTransparencyEnforcementDisabledForLegacyCas Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities
ChromeOS updates
-
In ChromeOS 128, Snap groups allow you to group windows on ChromeOS. A snap group is formed when you pair two windows for a split-screen. You can bring the windows back together, resize them simultaneously, or move them both as a group.
-
Data processor mode: EU-wide rollout
New data processor mode features and ChromeOS terms are available to the entire EU through the Google Admin console. For more details, see Overview of ChromeOS data processor mode.
As a ChromeOS administrator, you can now activate Data processor mode, which covers a set of ChromeOS features and services referred to as Essential Services.
-
Privacy on ChromeOS devices is now easier to manage by adding the ability to control geolocation access to the Settings > Privacy and security > Privacy controls page. Users can now set geolocation access to Allowed, Only allowed for system services, or Off, depending on their preference.
We allow users to block all apps or websites, or entire systems access to geolocation regardless of previously granted permissions, and provide users easy to use controls to re-enable them whenever it would be helpful.
We’ve added a new policy, GoogleLocationServicesEnabled. This controls the availability of geolocation on the device inside of user sessions. Unlike the now deprecated policy below, it affects the entire system, not just the Android VM (Arc).
Deprecation notice (6 months): ArcGoogleLocationServicesEnabled
This is being deprecated in favor of the added GoogleLocationServicesEnabled policy, as it covers the entire system and not just Android VM (Arc). Additionally, we are modifying the effect of the DefaultGeolocationSetting to no longer affect the system geolocation setting.
-
ChromeOS privacy control reminders on Apps settings page
To use the cameras and microphones on ChromeOS, you need to turn on both privacy controls and app permissions in two separate places.
We are making it easier for users to be aware of the states of the privacy controls and provide actionable reminders on the ChromeOS Apps settings page so that users have a smoother experience. To view the ChromeOS Apps settings page, click Settings >Apps > Manage your Apps, and select the desired app.
-
Store aggregated vitals data with one-year retention
From ChromeOS 128 onwards, we store aggregated vitals data for one-year retention to better track the progress over time. Vitals data includes Android app performance metrics, such as crash rate, and these metrics will help us improve Android app performance on ChromeOS devices.
-
Optical Character Recognition (OCR) enables text extraction from images captured in the ChromeOS Camera App by integrating an ML-powered text extraction service. ChromeOS 128 supports 77 languages; it also supports both horizontal and vertical detection. This allows copying and searching text from images, speaking text from images by screen reader, and creating searchable PDFs from images. By default, text detection in Photo mode is disabled and can be enabled from Settings > Text detection in preview.
-
Magnifier following ChromeVox is designed for people who are blind or have low vision. When you read text aloud using ChromeVox, the screen magnifier now automatically follows the words, so you never lose your place. To try this out, you can enable both Magnifier and ChromeVox in your settings. Zoom in to your preferred zoom level using Ctrl + Alt + Brightness up and Ctrl + Alt + Brightness down. A setting is available under the Magnifier settings to adjust this behavior.
-
Auto Gain Control enabled by default
Auto Gain Control (AGC) allows apps, such as video calling apps, to automatically optimize microphone volume for best audio quality. When auto gain control is enabled and in-use, a message appears in the quick settings panel to inform the user that the microphone gain slider is being overridden. AGC is enabled by default in ChromeOS 128. If you want to manually control the microphone volume even for apps that support AGC, you can go to Settings > Device > Audio and deselect Allow apps to automatically adjust mic volume.
-
For ChromeOS cellular-enabled devices, we have made it easier to view, manage, and add Access Point Names (APNs). We’ve also improved registration failure handling and messaging.
-
Pinned notifications on ChromeOS
ChromeOS notifications help to visually separate pinned notifications from other notifications. ChromeOS 128 significantly differentiates the visual look of pinned notifications from typical notifications to reflect their significant difference - we notify the user of an ongoing process rather than an instantaneous event.
Admin console updates
-
Chrome profile separation - new deployment guide
We have created a detailed deployment guide to help you control profile separation in your organization: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings and ProfileSeparationDomainExceptionList.
- Chrome 128 on Windows, Mac, Linux
-
Chrome Enterprise Data Controls: Clipboard
Data Controls are lightweight rules in the Admin console that set a Chrome policy to control security-sensitive user actions like file attachments, downloads, copy and paste actions, and printing. Chrome blocks or warns the user when these actions happen by applying those rules locally.
Chrome 128 releases the clipboard protection parts of Data Controls, that is, copy and paste actions. Other protections are planned in future releases.
You can control this feature with the DataControlsRules policy.
- Chrome 128 on ChromeOS, Linux, Mac, Windows
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser updates
- Tab compare
Starting in Chrome 129 (US-only), we will introduce Tab compare, a new feature that presents an AI-generated overview of products from across multiple tabs, all in one place. This feature will be controlled through the TabCompareSettings policy.
- Chrome 129 on Linux, Mac, Windows
- Ad-hoc code signatures for PWA shims on macOS
Code signatures for application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures, which are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.
This will address problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and will permit future improvements for handling user notifications within PWAs on macOS.
- Chrome 129 on Mac
- Clear device data on sign out on iOS
Starting in Chrome 129, signing out from a managed account in an unmanaged browser will delete browsing data that is saved on the device. Managed users will be presented a confirmation dialog on sign-out explaining that the data will be cleared. Data will be cleared only from the time of sign-in, otherwise all data will be cleared; time of sign-in is only known if the user signed in on Chrome 122 or later.
The data that will be deleted includes:
- browsing history
- cookies and site data
- passwords
- site settings
- autofill
- cached images and files
- Chrome 129 on iOS
- Fallback styles for HTML5 <meter> elements
As early as Chrome 129, HTML5 <meter> elements with `appearance: none` will have a reasonable fallback style that matches Safari and Firefox instead of just disappearing from the page. In addition, developers will be able to custom style the <meter> elements.
A temporary policy MeterAppearanceNoneFallbackStyle will be available until Chrome 133 to control this feature.
- Chrome 129 on Windows, Mac, Linux, Android
- Chrome will no longer support macOS 10.15
Chrome will no longer support macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support macOS 10.15.
- Chrome 129 on Mac: Chrome no longer supports macOS 10.15
- Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, Mac, Windows: Deprecation of Safe Browsing Extended Reporting
- Certificate Manager on Windows and MacOS
As early as Chrome 129, there is a new certificate management settings screen accessible from security settings on Windows and MacOS. This replaces the link to Windows cert manager and MacOS keychain, respectively, although these operating system surfaces are still accessible from the certificate management settings page.
The certificate manager displays certificates that are trusted or distrusted by Chrome, including the contents of the Chrome Root Store, and any certificates that have been imported from the underlying operating system. Users can access the page directly by navigating to
chrome://certificate-manager
.A future release will introduce user and enterprise management of certificates added directly to Chrome.
- Chrome 129 on Mac, Windows
- New option in HttpsOnlyMode policy
Ask Before HTTP (ABH) , formerly named HTTPS Only/First Modes, is a setting that tells Chrome to ask for user consent before sending insecure HTTP content over the wire. The HttpsOnlyMode policy allows force-enabling, or force-disabling, ABH.
In Chrome 129, we are adding a new middle-ground variant of ABH called balanced mode. This variant aims to reduce user inconvenience by working like (strict) ABH most of the time, but not asking when Chrome knows that an HTTPS connection isn't possible, such as when connecting to a single-label hostname like internal/.
We are adding a force_balanced_enabled policy option to allow force-enabling this new variant. Setting force_balanced_enabled on browsers before Chrome 129 will result in the default behavior, which places no enterprise restrictions on the ABH setting.
To avoid unexpected impact, if you have previously set force_enabled, we recommend not setting force_balanced_enabled until your entire fleet has upgraded to Chrome 129 or higher. If you are not migrating from force_enabled to force_balanced_enabled, you will be unaffected by this change.
- Chrome 129 on Android, ChromeOS, Linux, Mac, Windows, Fuchsia
- Sync Tab Group
The tab groups on iOS will now be saved. Closing a tab group will no longer delete it. For users syncing their tabs across devices, the groups will also sync.
- Chrome 129 on iOS
- Update Google Play Services to fix issues with on-device passwords
Users with old versions of Google Play Services will experience reduced functionality with their on-device passwords, and Password Manager might soon stop working for them altogether. These users will need to update Play Services, or will be guided through other troubleshooting methods depending on their state. This is part of an ongoing migration that only affects Android users of Password Manager.
- Chrome 129 on Android
- Deprecate of non-standard declarative shadow DOM serialization
The prototype implementation, which was shipped in 2020 and then updated in 2023, contained a method called `
getInnerHTML()
` that could be used to serialize DOM trees containing shadow roots. That part of the prototype was not standardized with the rest of the declarative shadow DOM, and has only recently reached spec consensus (for details, see Github). As part of that consensus, the shape of thegetInnerHTML
API changed.This feature represents the deprecation of the previously shipped `
getInnerHTML()
` method. The replacement is called `getHTML()
`, which shipped in Chrome 125. For details, see this ChromeStatus feature description.- Chrome 129 on Windows, Mac, Linux, Android
- Deprecate the includeShadowRoots argument on DOMParser
The
includeShadowRoots
argument was a never-standardized argument to theDOMParser.parseFromString()
function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.
Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() shipped in Chrome 124, the non-standardincludeShadowRoots
argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
document.parseHTMLUnsafe(html);
- Chrome 129 on Linux, Mac, Windows, Android
- Rename inset-area to position-area
The CSS working group (CSSWG) resolved to rename this property from `
inset-area
` to `position-area
`. See the CSSWG discussion in Github.Chrome has decided to release an interoperable solution, by supporting both property names. We will ship the new property name, `
position-area
`, as a synonym for `inset-area
` first. Then after a suitable amount of time, we will remove `inset-area
`. The latter removal will be done under a separate Intent.- Chrome 129 on Windows, Mac, Linux, Android
- Entrust certificate distrust
In response to sustained compliance failures, Chrome 127 changes how publicly-trusted TLS server authentication, that is, websites or certificates issued by Entrust, are trusted by default. This applies to Chrome 127 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.
Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:
- after October 31, 2024, will no longer be trusted by default.
- on or before October 31, 2024, will be unaffected by this change.
If a Chrome user or an enterprise explicitly trusts any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.
For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.
To learn more about the Chrome Root Store, see this FAQ.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: All versions of Chrome 127 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after October 31, 2024.
- Chrome 130 on ChromeOS, Linux, Mac, Windows: The blocking action will begin for certificates issued after October 31, 2024. This will also affect Chrome 127, 128 and 129.
- Support non-special scheme URLs
Chrome 130 will support non-special scheme URLs correctly. Previously, Chromium's URL parser doesn't support non-special URLs. The parser parses non-special URLs as if they had an “opaque path”, which is not aligned with the URL Standard. Now, Chromium's URL parser parses non-special URLs correctly, following the URL Standard. For more details, see Support Non-Special Scheme URLs .
- Chrome 130 on Windows, Mac, Linux, Android
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions. You can use the Chromium bug tracker to report any issues you encounter.
- Chrome 130 on Windows: Network Service sandboxed on Windows
- Chrome Third-Party Cookie Deprecation (3PCD)
On July 22nd, we announced a new path forward for Privacy Sandbox on the web. Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time. We're discussing this new path with regulators, and will engage with the industry as we roll this out.
For more details, see this Privacy Sandbox update.
- User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, Mac, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 130 on Linux, Mac, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).
- Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:
1. Checks whether the request has been initiated from a secure context.
2. Sends a preflight request, and checks whether B responds with a header that allows private network access.
There are already features for subresources and workers, but this one is for navigation requests specifically. These checks protect the user's private network.
Since this feature is the warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in the DevTools console, to help developers prepare for the coming enforcement.
- Chrome 130 on Windows, Mac, Linux, Android
- Insecure form warnings on iOS
Chrome 125 started to block form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it now displays a warning asking the user to confirm the submission. The goal is to prevent leaking of form data over plain text without user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature, and will be removed in Chrome 130.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed
- Chrome extension telemetry integration with Chronicle
As early as Chrome 131, we will begin to collect relevant extension telemetry data from within Chrome, for managed profiles and devices, and send it to Chronicle. Chronicle will analyze the data to provide instant analysis and context on risky activity.
- Chrome 131 on ChromeOS, Linux, Mac, Windows
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.
However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.
For more detail, see this Chromium blog post.
- Chrome 124 on Windows, Mac, Linux
- Chrome 135 on Android
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Administrators might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
Upcoming ChromeOS changes
-
Update to keyboard shortcut for Select-to-speak
On Chromebooks, the Select-to-speak keyboard shortcut (Search + s) now works when it is first pressed. As early as ChromeOS 129, you will no longer need to enable it first in Settings > Accessibility > Text-to-Speech > Select-to-speak. A dialog appears confirming that you want to turn on Select-to-speak the first time you press the keyboard shortcut.
-
Chrome Enterprise Premium for file transfers on Managed Guest Sessions
As early as ChromeOS 129, organizations will be able to extend Chrome Enterprise Premium’s powerful scanning and content and context-based protection to local files on ChromeOS on Managed Guest Sessions.
For example, a misplaced file containing Social Security numbers is instantly blocked when a user attempts to copy it to an external drive, safeguarding this confidential information.
-
In ChromeOS 130, window focus events will be available as part of Extended Threat Detection and Response (XDR) on ChromeOS. You will be able to bring windows into focus activities of devices in your managed fleet by simply updating XDR events in the Admin console!
-
Generative AI wallpapers and video conference backgrounds
As early as ChromeOS 130, we plan to introduce high-resolution, generative AI wallpapers and video-conference meeting backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.
Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings.
Upcoming Admin console changes
- Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.
- Chrome 130 on Android, Linux, Mac, Windows
- Admin console widget for data controls
A new settings widget in the Admin console allows users to configure data controls policies for specific URLs.
- Chrome 128 on ChromeOS, Linux, Mac, Windows
- Default change for GenAI policies
Starting with 130, we will change the default setting for GenAI policies from switched off to allowed, without improving AI models. This doesn't impact age restrictions on access to any relevant GenAI features. The existing policies that will have the updated default setting are:
Chrome 127
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
App-bound encryption for cookies | ✓ | ||
Chrome Profile Separation - policy improvements | ✓ | ||
Enhanced Safe Browsing promos on iOS | ✓ | ||
Entrust certificate distrust | ✓ | ||
Generating insights for DevTools console warnings and errors | ✓ | ||
HTTPS-First Mode in Incognito | ✓ | ||
Migrate extensions to Manifest V3 before June 2025 | ✓ | ✓ | ✓ |
Policy to configure ACG for browser process | ✓ | ||
Simplified sign-in and sync experience on Android | ✓ | ||
Additional Safe Browsing telemetry about pages | ✓ | ||
Updated password management experience on Android | ✓ | ✓ | |
Watermarking | ✓ | ||
Automatic fullscreen content setting | ✓ | ||
Deprecate mutation events | ✓ | ||
Keyboard-focusable scroll containers | ✓ | ||
Support for not condition in ServiceWorker static routing API | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Chrome Enterprise Premium for file transfers on ChromeOS | ✓ | ||
ChromeOS video conferencing: DLC states for features | ✓ | ||
Audio Bluetooth telephony | ✓ | ||
OCR on Backlight | ✓ | ||
Firmware update instructions | ✓ | ||
Read Aloud in Reading Mode | ✓ | ||
Classroom Glanceables | ✓ | ||
PDF page deletion and reordering | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Configure ChromeOS User & browser settings with Google groups | ✓ | ||
Add managed browsers to groups for group-based policy management | ✓ | ||
Filter for popular and recently added settings with policy tags | ✓ | ||
Revamped ChromeOS device list and details | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Isolated Web Apps | ✓ | ||
Rust JSON parser | ✓ | ||
Clear device data on sign out on iOS | ✓ | ||
Attribution tags for search engine | ✓ | ||
Tab Groups on iPad | ✓ | ||
Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies | ✓ | ||
Rename position-try-options to position-try-fallbacks | ✓ | ||
Ad-hoc code signatures for PWA shims on macOS | ✓ | ||
Chrome will no longer support macOS 10.15 | ✓ | ✓ | |
Deprecate Safe Browsing Extended reporting | ✓ | ||
Deprecation of non-standard declarative shadow DOM serialization | ✓ | ||
Deprecate the includeShadowRoots argument on DOMParser | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Third-party cookie access in Chrome | ✓ | ||
User Link capturing on PWAs | ✓ | ✓ | |
Private network access checks for navigation requests: warning-only mode | ✓ | ||
Insecure form warnings on iOS | ✓ | ||
Remove policy used for legacy same site behavior | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
UI Automation accessibility framework provider on Windows | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Snap Groups | ✓ | ||
Data processor mode: EU-wide rollout | ✓ | ||
Privacy Hub: Geolocation | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome browser managed profile reporting | ✓ | ||
Admin console widget for data controls | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.
Chrome browser updates
- App-bound encryption for cookies
To improve the security of cookies on Windows, the encryption key used for cookie encryption will be further secured by binding it to Chrome's application identity. This can help protect against malware running at the same privilege as Chrome that might attempt to steal cookies from the system. This does not protect against an attacker who is able to elevate privilege or inject into Chrome's processes.
App-bound Encryption strongly binds encryption keys to the local machine so customers who are using Chrome with roaming profiles may want to consider disabling this security feature otherwise cookies will not be portable between workstations.
An enterprise policy, ApplicationBoundEncryptionEnabled, is available to disable application-bound encryption.
- Chrome 127 on Windows
- Chrome Profile Separation - policy improvements
Chrome profiles offer a user-friendly way to keep personal and work browsing data separate, simplifying the experience, preventing data breaches, and ensuring privacy and compliance. We have created three intuitive policies to help you control profile separation in your organization: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings and ProfileSeparationDomainExceptionList. These policies replace ManagedAccountsSigninRestriction and EnterpriseProfileCreationKeepBrowsingData.
- Chrome 127 on Windows, Mac, Linux
- Enhanced Safe Browsing promos on iOS
In Chrome 127, users who do not already have Enhanced Safe Browsing enabled see an infobar promoting Enhanced Safe Browsing on the Safe Browsing warning page. We also show a promotion for Enhanced Safe Browsing on the Chrome settings page, for users who do not already have Enhanced Safe Browsing enabled. These promos are not shown to users when the SafeBrowsingProtectionLevel enterprise policy is set to any value.
- Chrome 127 on iOS
- Entrust certificate distrust
In response to sustained compliance failures, Chrome 127 changes how publicly-trusted TLS server authentication, that is, website or certificates issued by Entrust, are trusted by default. This applies to Chrome 127 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.
Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:
- after October 31, 2024, will no longer be trusted by default.
- on or before October 31, 2024, will be unaffected by this change.
If a Chrome user or an enterprise explicitly trusts any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.
For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.
To learn more about the Chrome Root Store, see this FAQ.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: All versions of Chrome 127 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after October 31, 2024.
- Chrome 130 on ChromeOS, Linux, Mac, Windows: The blocking action will begin for certificates issued after October 31, 2024. This will also affect Chrome 127, 128 and 129.
- Generating insights for DevTools Console warnings and errors
In Chrome 127, this Generative AI (GenAI) feature becomes available for managed Chrome Enterprise and Education users in supported regions: Generating insights for Chrome DevTools Console warnings and errors. These insights provide a personalized description and suggested fixes for the selected errors and warnings. Admins can control this feature by using the DevToolsGenAiSettings policy.
- Chrome 125 on ChromeOS, Linux, Mac, Windows: Feature becomes available to unmanaged users globally, except Europe, Russia, and China.
- Chrome 127 on ChromeOS, Linux, Mac, Windows: Feature becomes available to managed Chrome Enterprise and Education users in supported regions.
- HTTPS-First Mode in Incognito
Starting in Chrome 127, as part of Chrome's move towards HTTPS by default, HTTPS-First Mode is enabled by default in Incognito mode. Users will see a warning before they navigate to sites over insecure HTTP. This can be controlled using the existing enterprise policies HttpsOnlyMode and HttpAllowlist.
- Chrome 127 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows
- Migrate extensions to Manifest V3 before June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. Beginning June 2024, starting with Chrome 127 pre-stable versions, Chrome begins to gradually disable Manifest V2 extensions running in the browser.
You can use the ExtensionManifestV2Availability policy to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core. Read more on the Manifest timeline, including:
- Chrome 127 on ChromeOS, Windows, Mac, Linux: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.
- Policy to configure ACG for browser process
A new policy called DynamicCodeSettings is available in Chrome 127. Setting this policy to '1' switches on Arbitrary Code Guard (ACG) for the browser process. ACG prevents dynamic code being generated from within the browser process, which can help prevent potentially hostile code making unauthorized changes to the behavior of the browser process.
Switching on ACG might cause compatibility issues with third-party software that must run inside the browser process.
- Chrome 127 on Windows
- Simplified sign-in and sync experience on Android
Chrome 127 launches a simplified and consolidated version of sign-in and sync in Chrome on Android. Chrome sync is no longer shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As in earlier releases, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off via SyncTypesListDisabled. Sign-in to Chrome can still be disabled via BrowserSignin.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
The changes are virtually identical to the simplified sign-in and sync experience launched on iOS in 117.
- Chrome 127 on Android
- Additional Safe Browsing telemetry about pages
When an Enhanced Safe Browsing user visits a page that triggers vibration, keyboard or pointer lock API, attributes of that page are now sent to Safe Browsing. If the telemetry is sent and the page seems to be malicious, users see a Safe Browsing warning and their keyboard or pointer is unlocked, if they were locked. If you'd like your users to avail of this feature, set MetricsReportingEnabled to true and set the SafeBrowsingProtectionLevel policy to 2.
- Chrome 127 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia
- Updated password management experience on Android
On Chrome on Android, some users who are signed-in to Chrome but don't have Chrome sync enabled can now use and save passwords in their Google Account. Relevant policies such as BrowserSignin, SyncTypesListDisabled and PasswordManagerEnabled continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.
- Chrome 127 on Android
- Watermarking
This feature allows admins to overlay a watermark on top of a webpage if navigating to it triggers a specific Data loss Prevention (DLP) rule. It will contain a static string displayed as the watermark. Watermarking is available to Chrome Enterprise Premium customers only.
- Chrome 124 on Linux, Mac, Windows: Trusted Tester access
- Chrome 127 on Linux, Mac, Windows: Feature rolls out
- Automatic Fullscreen content setting
A new Automatic Fullscreen content setting permits Element.requestFullscreen() without a user gesture, and permits browser dialogs to appear without exiting fullscreen.
The setting is blocked by default and sites cannot prompt for permission. New UI controls are limited to Chrome's settings pages (chrome://settings/content/automaticFullScreen) and the site info bubble. Users can allow Isolated Web Apps, and admins can allow additional origins with the AutomaticFullscreenAllowedForUrls policy.
Combined with Window Management permission and unblocked popups (chrome://settings/content/popups), this unlocks valuable fullscreen capabilities:
- Open a fullscreen popup on another display, from one gesture
- Show fullscreen content on multiple displays from one gesture
- Show fullscreen content on a new display, when it's connected
- Swap fullscreen windows between displays with one gesture
- Show fullscreen content after user gesture expiry or consumption
- Chrome 127 on Windows, Mac, Linux
- Deprecate mutation events
Synchronous mutation events, including
DOMSubtreeModified
,DOMNodeInserted
,DOMNodeRemoved
,DOMNodeRemovedFromDocument
,DOMNodeInsertedIntoDocument
, andDOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. In Chrome 124, a temporary enterprise policy, MutationEventsEnabled, was introduced to re-enable deprecated or removed mutation events.Starting in Chrome 127, mutation event support is disabled by default , from around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
For more details, see this post on the Chrome developer blog. You can report any issues on the Chromium issue tracker.
- Chrome 127 on Windows, Mac, Linux, Android
- Keyboard-focusable scroll containers
Chrome 127 improves accessibility by making scroll containers focusable using sequential focus navigation.
In previous releases, the tab key did not focus scrollers unless tabIndex was explicitly set to 0 or more.
By making scrollers focusable by default, users who can't (or don't want to) use a mouse can now focus clipped content using keyboard tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a <textarea>.
- Chrome 127 on Windows, Mac, Linux, Android
- Support for not condition in ServiceWorker static routing API
The ServiceWorker static routing API is an API used for routing the request to the network, the ServiceWorker fetch handler, or directly looking up from cache, and so on. Each route consists of a condition and a source, and the condition is used for matching the request.
For Chromium implementations, the or condition is only the supported condition. However, to write the condition more flexibly, supporting the not condition is expected, which matches the inverted condition inside.
- Chrome 127 on Windows, Mac, Linux, Android
- New and updated policies in Chrome browser
Policy Description Policy controls the dynamic code settings CSSCustomStateDeprecatedSyntaxEnabled Controls whether the deprecated :--foo syntax for CSS custom state is enabled KeyboardFocusableScrollersEnabled Enable keyboard focusable scrollers
- Removed policies in Chrome browser
Policy Description BlockTruncatedCookies Block truncated cookies UserAgentClientHintsGREASEUpdateEnabled Control the User-Agent Client Hints GREASE Update feature
ChromeOS updates
-
Chrome Enterprise Premium for file transfers on ChromeOS
Chrome Enterprise Premium is a zero trust solution that enables secure access to applications and resources, and offers integrated threat and data protection.
We are now allowing organizations to extend Chrome Enterprise Premium’s powerful scanning and content and context-based protection to local files on ChromeOS.
For example, a misplaced file containing Social Security numbers is instantly blocked when a user attempts to copy it to an external drive, safeguarding this confidential information.
For more details, see Protect Chrome users with Chrome Enterprise Premium; this article contains detailed guidance for both IT administrators and users.
-
ChromeOS Video Conferencing: DLC States for features
ChromeOS 127 introduces a visual enhancement for Downloadable Content (DLC) in the video control panel. This release now adds status indicators for Noise Cancellation, Live Captions, Relighting, and Blur.
-
ChromeOS now supports call control buttons on compatible Bluetooth headsets, including answering, rejecting or terminating a call, and muting the microphone.
-
ChromeOS is launching a PDF OCR AI reader on Gallery, enabling reading for inaccessible documents, further filling the gap in accessibility for low vision and blind users that use a screen reader. ChromeOS leverages its machine learning models to extract, compartmentalize, and section PDF documents to make them more accessible on the Gallery app for ChromeVox users.
-
Firmware update app: Update Instructions for peripheral devices
The Firmware Updates app on ChromeOS now supports updating peripherals that require user action during the update, for example, unplugging and re-plugging the peripheral. When an update is available for one of these devices, the user will be guided with clear, step-by-step instructions. For most existing peripherals, the update experience remains unchanged.
-
As early as ChromeOS 127, Read Aloud will bring Google's high quality voices to Chrome Reading Mode for users to leverage Text to Speech to read content on the web. The goal of Read Aloud is to help people who have difficulty reading to understand long-form text. The new Read Aloud feature in Reading Mode on Chrome desktop allows users to hear the text they are reading, which improves focus and comprehension.
-
Students can now quickly view and access their upcoming Classroom assignments one click away on their Chromebook home screen. Users can see this new feature if they are logged into a Chromebook with an account where they are enrolled in active courses in Google Classroom. Users can find this feature by clicking on the date chip on the shelf of their Chromebook if they are logged into an account, where they will see the new panel which can view lists of their upcoming, due, missing and completed assignments.
Admin console updates
-
Configure ChromeOS User & browser settings with Google groups
Admins can now use Google groups to manage ChromeOS User & browser settings in the Admin console and API. Admins can use new or existing Google Groups to configure User & browser settings in their organizations. When admins need to configure a policy for a specific set of users–who might belong to different organizational units (OUs)–they can use the flexibility of groups without needing to reconfigure their OUs. To learn more, see Managing group-based policies.
Today, the majority of user settings are configurable by Groups, with most of the remaining settings available in the coming months. Available settings are automatically filtered and displayed when admins select a particular group.
-
Add managed browsers to groups for group-based policy management
Admins can now add managed Chrome browsers to Google groups, thereby allowing them to specify User & browser policies and extension settings for a group of browsers. Managed browsers can be assigned to multiple groups, which allows IT administrators to have more flexibility to manage Chrome browsers using cloud management.
-
Filter for popular and recently added settings with policy tags
The Admin console now provides options to filter settings by recently added and popular. With these new filters, you’ll be able to see our newest settings as well as see some of our most popular and relevant Chrome settings.
-
Revamped ChromeOS device list and details
The Admin console devices page redesigned with a proactive and actionable notification for your fleet of devices.
Notifications module: Easily identify and address device issues with the new Notifications module, providing an overview of ongoing problems in your fleet.
Centralized dashboards: Quickly access all the information and reports you need about your fleet, all in one convenient location – the Dashboards tab.
Revamped device list page: Find more detailed information about your devices with new tabs (General, OS, Hardware, Network, and Policy), device-specific notifications, and a new card design for improved readability.
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Isolated Web Apps
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering that is necessary for developers of security-sensitive applications.
Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the explainer.
In this initial release IWAs will only be installable through an admin policy on enterprise-managed ChromeOS devices.
- Chrome 128 on ChromeOS
- Rust JSON parser
As early as Chrome 128, Chrome will parse JSON using Rust, rather than C++. This will remove the risk of memory safety vulnerabilities in the JSON parser, improving security. This change should be transparent to users. There is a small risk that some invalid JSON (which Chrome currently accepts) no longer being accepted, although the Rust parser remains extremely lenient.
- Earliest Chrome 128: Chrome will parse JSON using Rust
- Clear device data on sign out on iOS
Starting in Chrome 128, signing out from a managed account in an unmanaged browser will delete browsing data that is saved on the device. Managed users will be presented a confirmation dialog on sign-out explaining that the data will be cleared. Data will be cleared only from the time of sign-in, otherwise all data will be cleared; time of sign-in is only known if the user signed in on Chrome 122 or later.
The data that will be deleted includes:
- browsing history
- cookies and site data
- passwords
- site settings
- autofill
- cached images and files
- Chrome 128 on iOS
- Attribution tags for Search Engine
As part of our Digital Markets Act (DMA) compliance, Google is introducing choice screens for users to choose their default search engine within Chrome. The choice from the prompt controls the default search engine setting, currently available at
chrome://settings/search
.Selections from this screen will have their search URL appended with an attribution tag for use by third party search engines to attribute traffic from selections originating from the search engine choice screen. This change will not be applied for Education-configured organizations or Enterprises with metrics or usage statistics turned off.
For enterprises that have chosen to have their administrator set their enterprise users’ search settings using the enterprise policies DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, those policies continue to control their enterprise search settings. Where the administrator has not set their enterprise users’ search settings by policy, enterprise users might see a prompt to choose their default search engine within Chrome.
Read more about these policies and the related atomic group.
- Chrome 128 on Android, iOS, ChromeOS, LaCrOS, Linux, Mac, Windows
- Tab Groups on iPad
Chrome for iPad users can create and manage tab groups. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 128 on iOS
- Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies
Chrome 128 adds a cross-site ancestor bit to the keying of the partitioned cookie's CookiePartitionKey. This change unifies the partition key with the partition key values used in storage partitioning and adds protection against clickjacking attacks by preventing cross-site embedded frames from having access to the top-level-site's partitioned cookies.
If an enterprise experiences any breakage with embedded iframes, they can use the CookiesAllowedForUrls policy or use
SameSite=None
cookies without the Partitioned attribute and then invoke the Storage Access API (SAA) to ensure that embedded iframes have access to the same cookies as the top level domain.- Chrome 128 on Windows, Mac, Linux
- Rename position-try-options to position-try-fallbacks
The CSS working group (CSSWG) resolved to rename this property, because fallbacks more accurately describe what this property controls. The word options is a bit unclear, since the styles outside of `position-try` blocks will be tested first, and if they result in a layout that fits within the containing block, none of the options will get used. So fallbacks is a better word to describe this behavior. For more details, see Github.
- Chrome 128 on Windows, Mac, Linux, Android
- Ad-hoc code signatures for PWA shims on macOS
Code signatures for the application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures that are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.
This will address problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and will permit future improvements for handling user notifications within PWAs on macOS.
- Chrome 129 on Mac
- Chrome will no longer support macOS 10.15
Chrome will no longer support macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support macOS 10.15.
- Chrome 129 on Mac: Chrome no longer supports macOS 10.15
- Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, Mac, Windows: Deprecation of Safe Browsing Extended Reporting
- Deprecation of non-standard declarative shadow DOM serialization
The prototype implementation, which was shipped in 2020 and then updated in 2023, contained a method called `getInnerHTML()` that could be used to serialize DOM trees containing shadow roots. That part of the prototype was not standardized with the rest of declarative shadow DOM, and has only recently reached spec consensus (for details, see Github). As part of that consensus, the shape of the getInnerHTML API changed.
This feature represents the deprecation of the previously shipped `getInnerHTML()` method. The replacement is called `getHTML()`, which shipped in Chrome 125. For details, see this ChromeStatus feature description.
- Chrome 129 on Windows, Mac, Linux, Android
- Deprecate the includeShadowRoots argument on DOMParser
The includeShadowRoots argument was a never-standardized argument to the DOMParser.parseFromString() function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.
Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() shipped in Chrome 124, the non-standard includeShadowRoots argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
document.parseHTMLUnsafe(html);- Chrome 129 on Linux, Mac, Windows, Android
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions. You can use the Chromium bug tracker to report any issues you encounter.
- Chrome 130 on Windows: Network Service sandboxed on Windows
-
Third-party cookie access in Chrome
On 22 July 2024, we announced a new path forward for the Privacy Sandbox on the web. Instead of deprecating third-party cookies, we plan to introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing. They would be able to adjust that choice at any time. We're discussing this new path with regulators, and will engage with the industry as we roll this out.
For more details, see this Privacy Sandbox update.
- User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, Mac, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 130 on Linux, Mac, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).
- Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:
1. Checks whether the request has been initiated from a secure context.
2. Sends a preflight request, and checks whether B responds with a header that allows private network access.
There are already features for subresources and workers, but this one is for navigation requests specifically. These checks protect the user's private network.
Since this feature is the warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in the DevTools console, to help developers prepare for the coming enforcement.
- Chrome 130 on Windows, Mac, Linux, Android
- Insecure form warnings on iOS
Chrome 125 started to block form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it now displays a warning asking the user to confirm the submission. The goal is to prevent leaking of form data over plain text without user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature, and will be removed in Chrome 130.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.
However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.
For more detail, see this Chromium blog post.
- Chrome 124 on Windows, Mac, Linux
- Chrome 135 on Android
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Administrators might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
Upcoming ChromeOS changes
-
As early as ChromeOS 127, Snap groups will allow you to group windows on ChromeOS. A snap group is formed when a user pairs two windows for a split-screen. The windows can then be brought back together, resized simultaneously, or moved as a group.
-
Data processor mode: EU-wide rollout
In ChromeOS 128, new data processor mode features and ChromeOS terms will be made available to the entire EU through the Google Admin console. For more details, see Overview of ChromeOS data processor mode.
As a ChromeOS administrator, you’ll have the option to activate Data processor mode, which covers a set of ChromeOS features and services referred to as Essential Services.
-
As early as ChromeOS 128, we will make privacy on Chromebooks easier to manage by adding the ability to control geolocation access to the privacy controls page. Users will be able to set geolocation access to Allowed, System Only, or Blocked depending on their preference.
We will allow users to block all apps or websites, or entire systems access to geolocation regardless of previously granted permissions, and provide users easy to use controls to re-enable them whenever it would be helpful.
Upcoming Admin console changes
- Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.
- Chrome 130 on Android, Linux, Mac, Windows
Chrome 126
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
Extract text from PDFs for screen reader users | ✓ | ||
Memory Saver aggressiveness | ✓ | ||
Out of process iframe PDF viewer | ✓ | ||
Reactive prefetch on Desktop | ✓ | ||
Tab Groups on iPad | ✓ | ||
UI Automation accessibility framework provider on Windows | ✓ | ||
Removing support for UserAgentClientHintsGREASEUpdateEnabled | ✓ | ✓ | |
Align navigator.cookieEnabled with spec | ✓ | ||
Search with Google Lens | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Extended auto-update opt-in | ✓ | ||
Digital zoom with super resolution | ✓ | ||
Set up new Chromebook with Android phone | ✓ | ||
Instant Hotspot | ✓ | ||
Enhanced firmware updates | ✓ | ✓ | |
Web apps to capture multiple surfaces | ✓ | ||
Captive portal for managed networks | ✓ | ✓ | |
Turn off overscroll behavior | ✓ | ||
Turn off cursor blink rate | ✓ | ||
Magnifier can follow Select to Speak focus | ✓ | ||
Supervised user extensions installation flow | ✓ | ||
Multi-calendar support | ✓ | ||
New policy to control Kiosk wake and sleep times | ✓ | ||
Locale expansion for Live Captions and Dictation | ✓ | ||
Show wildcard URLs in Data Controls reporting | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Custom configurations for IT admins | ✓ | ||
Interactive setup guides for Chrome Enterprise Core | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Entrust certificate distrust | ✓ | ||
App-bound encryption for cookies | ✓ | ||
Chrome extension telemetry integration with Chronicle | ✓ | ||
Generating insights for DevTools console warnings and errors | ✓ | ||
Migrate extensions to Manifest V3 before June 2025 | ✓ | ✓ | ✓ |
Network Service on Windows will be sandboxed | ✓ | ||
Simplified sign-in and sync experience on Android | ✓ | ||
Telemetry about pages that trigger keyboard and pointer Lock APIs | ✓ | ||
Updated password management experience on Android | ✓ | ✓ | |
Watermarking | ✓ | ||
Automatic fullscreen content setting | ✓ | ||
Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies | ✓ | ||
Deprecate mutation events | ✓ | ||
Keyboard-focusable scroll containers | ✓ | ||
Support for not condition in Service Worker static routing API | ✓ | ||
Ad-hoc code signatures for PWA shims on macOS | ✓ | ||
Deprecate Safe Browsing Extended reporting | ✓ | ||
Chrome will no longer support macOS 10.15 | ✓ | ✓ | |
User link capturing on PWAs | ✓ | ✓ | |
Deprecate the includeShadowRoots argument on DOMParser | ✓ | ||
Insecure form warnings on iOS | ✓ | ||
Private network access checks for navigation requests: warning-only mode | ✓ | ||
Remove enterprise policy used for legacy same site behavior | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Snap Groups | ✓ | ||
Read Aloud in Reading Mode | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Filter for popular and recently added settings with policy tags | ✓ | ||
Chrome browser managed profile reporting | ✓ | ||
Group based policy for Chrome browser | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.
Chrome browser updates
- Chrome Third-Party Cookie Deprecation (3PCD)
Third party cookies will be restricted in a future release of Chrome. Currently, they are restricted by default for 1% of Chrome users to allow sites to preview the user experience without third-party cookies. Most enterprises are excluded from this group automatically and admins can use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies if needed.
End users can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site when necessary. See this help article for more details on how to toggle these settings for the desired configuration. Bounce tracking protections are enforced when the bouncing site is not permitted to use 3P cookies, and are controllable with the same policies. Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial or the first-party deprecation trial for continued access to third-party cookies for a limited period of time.
For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, macOS, Windows
1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Starting in Chrome 120 on ChromeOS, Linux, macOS, Windows
- Extract text from PDFs for screen reader users
Chrome browser now launches an optical character recognition (OCR) AI reader for PDFs, creating a built-in PDF screen reader for inaccessible documents, further filling the gap in accessibility for low vision and blind users across the web.
This feature leverages Google's OCR models to extract, compartmentalize, and section PDF documents to make them more accessible. A local machine intelligence library will be added that uses Screen AI technology to analyze screenshots or the accessibility tree, and extract more information to help assistive technology, such as texts (OCR) and main content of the page.
- Chrome 126 on ChromeOS, Linux, Mac, Windows: Already fully launched on ChromeOS. Ramping up from 50% Canary/Dev/Beta to Stable on Linux, Mac, and Windows.
- Memory Saver aggressiveness
Memory Saver is a feature that deactivates unused tabs to free up memory on a user's device. There is an existing policy, HighEfficiencyModeEnabled, which allows administrators to control the Memory Saver feature. A new policy called MemorySaverModeSavings allows you to configure how aggressive the Memory Saver is when deciding to deactivate tabs. Choose the conservative option to deactivate fewer tabs or the aggressive one to get the most memory savings.
- Chrome 126 on ChromeOS, LaCrOS, Linux, Mac, Windows: The feature will roll out gradually to all platforms.
- Out of process iframe PDF viewer
In Chrome 126, some users use an out-of-process iframe (OOPIF) architecture for the PDF viewer. This is the new PDF viewer architecture, as it is simpler and makes adding new features easier. An enterprise policy, PdfViewerOutOfProcessIframeEnabled, is available to revert to using the original PDF viewer architecture.
- Chrome 126 on Linux, Mac, Windows
- Reactive prefetch on Desktop
This feature enables prefetching of subresources during a navigation, to speed up navigations and load new pages faster. The subresources prefetched are predicted by a Google-owned service, and the browser shares the URL of pages being navigated to with this service, to retrieve predictions. You can control this feature using the UrlKeyedAnonymizedDataCollectionEnabled policy.
- Chrome 126 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Tab Groups on iPad
Chrome for iPad users can create and manage tab groups. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 126 on iOS
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome starts to directly support accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome using a compatibility shim in Microsoft Windows. This change improves the user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and it improves third-party apps that use Windows's UI Automation accessibility framework. Chrome users now find reduced memory usage and processing overhead when using accessibility tools. It also eases development of software using assistive technologies.
Administrators can use the UiAutomationProviderEnabled enterprise policy, introduced in Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they can fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.- Chrome 125 on Windows: The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
- Removing support for UserAgentClientHintsGREASEUpdateEnabled
Chrome 126 removes the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year.
- Chrome 124 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 126 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed
- Align navigator.cookieEnabled with spec
navigator.cookieEnabled
currently indicates if the user agent attempts to handle cookies in a given context. A change in Chrome, shipping as part of third-party cookie deprecation (3PCD), would cause it to indicate whether unpartitioned cookie access is possible (causing it to return false in most cross-site iframes). We should restore the prior behavior ofnavigator.cookieEnabled
which indicated only if cookies were enabled or disabled for the site and rely on the cross-vendor functiondocument.hasStorageAccess
to indicate if unpartitioned cookie access is possible.- Chrome 126 on Windows, Mac, Linux, Android
- Search with Google Lens
As early as Chrome 126, users will be able to search any images or text they see on their screen with Google Lens. To use this feature, go to a website and click Search with Google Lens on the on-focus omnibox chip, on the right-click menus, or on the 3-dot menu. Users can click, highlight, or drag anywhere on the screen to search its contents, and refine their search by adding keywords or questions to the searchbox. Admins can control the feature through a policy called LensOverlaySettings. To perform the search, a screenshot of the screen is sent to Google servers but it is not linked to any IDs or accounts, it is not viewed by any human, and data about its contents is not logged.
We are rolling out this feature gradually in Chrome 126 and we plan to launch fully in Chrome 127.
- Chrome 126 on ChromeOS, Linux, Mac, Windows: Rollout of the feature at 1% Stable and LensOverlaySettings becomes available
- Chrome 127: Rollout to 100% stable
- New and updated policies in Chrome browser
Policy Description LensOverlaySettings Settings for the Lens Overlay feature MemorySaverModeSavings Change Memory Saver Mode Savings ProvisionManagedClientCertificateForUser Enables the provisioning of client certificates for a managed user or profile
PdfViewerOutOfProcessIframeEnabled Use out-of-process iframe PDF Viewer
ChromeOS updates
-
Extended auto-update opt-in and policy
ChromeOS provides 10 years of OS updates for security, stability, and performance improvements. Most devices will receive these updates automatically. For a subset of older devices, users and administrators can now opt in to extended updates to get a full 10 years of support.
For details, see our Help Center article.
-
Digital zoom with super resolution
The built-in Camera app now supports zooming on cameras that do not have optical zoom motors, including the built-in camera. On selected high-performance Chromebooks, AI-based super resolution may be applied to further enhance the images.
-
Set up new Chromebook with Android phone
You can now set up a new Chromebook using your Android phone. By establishing a secure connection between your phone and the Chromebook, you can automatically transfer your Wi-Fi and Google Account login information without needing to manually enter your passwords. This is available for unmanaged users only.
-
ChromeOS 126 supports firmware updates on a wide variety of additional peripherals. This significantly reduces the overhead and time needed to make new firmware updates available.
-
Web apps to capture multiple surfaces
Web apps can now capture multiple surfaces at once. This feature introduces a new API getAllScreensMedia() that allows developers to request several surfaces at once (instead of only one with getDisplayMedia()). This API auto-accepts capture requests, for managed sessions only, guarded by policies that have to be explicitly set by the device owners and with clear usage indicators so that users are aware of capturing at all times. For details, see our Help Center article.
-
Captive portal for managed networks
Given that captive portal detection is always disabled for managed networks, administrators are unable to configure the ChromeOS device to auto connect to captive portal networks or to detect that the captive portal exists. If they do make the captive portal network managed, users have to manually open a browser and connect to an HTTP site that can then be redirected to a portal sign in page. We’ve added a new policy, CaptivePortalAuthenticationIgnoresProxy, which allows admins to force portal detection.
-
A new setting is available to turn on and off the swipe gesture to navigate between pages. This feature is also known as overscroll or overscrolling pages. This setting is found under Settings > Accessibility > Cursor and touchpad > Use a swipe gesture to navigate between pages.
-
A new setting is available to turn off the blinking text cursor under Settings > Accessibility > Keyboard and text input > Text cursor blink rate. Customers with photosensitive seizure triggers and cognitive differences may want to turn off the blinking text cursor.
-
Magnifier to follow Select to Speak
Magnifier following Select to Speak is a feature designed for people who have low vision, but may be beneficial for anyone who enjoys reading text at larger sizes. When you read text aloud using Select to Speak, the screen magnifier will automatically follow the words, so you never lose your place. To try this out you can enable both Magnifier and Select to Speak in your settings. Zoom in to your preferred zoom level using Ctrl + Alt + Brightness up and Ctrl + Alt + Brightness down. Select the text you want to read out and press the Select to Speak play button, or Search + S. A setting is available under the Magnifier settings to adjust this behavior.
-
Supervised user extensions installation
For supervised accounts managed via Family Link, we are separating the parental control for Permissions for sites, extensions, and apps to give parents more granular control. Parents now have two options to choose from: Permissions for apps and Extensions. The impact on supervised accounts is that a parent can now allow extensions installations with or without approval. Previously, parents could block extensions but had no way to allow them without approval.
-
We are launching multi-calendar support to allow users view all events from multiple calendars that they have selected within their Google Calendar.
-
New policy to control Kiosk wake and sleep times
ChromeOS 126 introduces a new kiosk device policy that allows Admins to schedule when a device will wake and sleep. For more details, see Kiosk settings.
-
Locale expansion for Live Captions and Dictation
ChromeOS 126 expands support for live captions from 1 to 6 languages and dictation from 1 to 18 locales. We now use a new voice recognition model that provides additional battery savings.
Live captions on ChromeOS can be used on videos played with the Gallery player app, in YouTube, in Google Meet, in Zoom, or social media sites. To see or change your current live captions language, select Settings > Audio and captions > Live Caption > Manage languages. For more information on live captions, see this Help Center article.
Dictation is available on Google Docs, or in any other text input by enabling dictation in the taskbar, clicking the Mic button, and speaking. To see or change your dictation language, select Settings > Accessibility > Keyboard and text input > Dictation > Language. For more information on dictation, see this Help Center article.
-
Show wildcard URLs in Data Controls reporting
ChromeOS Data Control rules allow admins to define source and destination URLs as a wildcard (*) value. ChromeOS data control events are reported under the Chrome audit report and can be viewed in the Admin console or other platforms through the Chrome Reporting Connector. When examining log events, the URL that triggered the rule is now reported, instead of the wildcard.
Admin console updates
-
Custom configurations for IT admins
The Custom Configurations page allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As a result, all Chrome policies are now configurable in Chrome Enterprise Core, either using the Settings page or the Custom Configurations page. You can also use the page to configure extension installation mode not supported in the Admin console, such as normal_installed. This feature is available for browsers enrolled at the machine-level.
- As early as Chrome 126 on Android, iOS, Linux, MacOS, Windows: Trusted Tester access
- As early as Chrome 127 on Android, iOS, Linux, MacOS, Windows: Feature rolls out
-
Interactive setup guides for Chrome Enterprise Core
The Chrome Enterprise team introduces new interactive setup guides for browser management in the Admin console, where administrators can choose a journey they’re interested in and get hands-on training in related Chrome setup guides. For example, the guides can be used to learn how to:
- Create test organizational units
- Turn on reporting
- Enroll browsers
- Apply browser policies
- Configure extension settings
- Create an admin user
These guides are ideal for new administrators or for administrators who wish to learn new journeys.
- As early as Chrome 126: Feature rolls out
- New policies in Admin console
Policy Name Pages Supported on Category/Field DeviceExtendedAutoUpdateEnabled Device ChromeOS Device update settings LocalUserFilesAllowed Users & Browser ChromeOS User experience ScreenCaptureLocation Users & Browser ChromeOS User experience
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Entrust certificate distrust
In response to sustained compliance failures, Chrome is changing how publicly-trusted TLS server authentication, that is, website, certificates issued by Entrust will be trusted by default in Chrome 127 and greater on Windows, macOS, ChromeOS, Android, and Linux. iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.
Specifically:
- TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:
- after October 31, 2024, will no longer be trusted by default.
- on or before October 31, 2024, will be unaffected by this change.
Should a Chrome user or enterprise explicitly trust any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, explicit trust is conveyed through a Windows Group Policy Object, the SCT-based constraints described above will be overridden and certificates will function as they do today.
For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.
To learn more about the Chrome Root Store, see this FAQ.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: All versions of Chrome 127 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after October 31, 2024.
- Chrome 130 on ChromeOS, Linux, Mac, Windows: The blocking action will begin for certificates issued after October 31, 2024. This will also affect Chrome 127, 128 and 129.
- App-bound encryption for cookies
To improve the security of cookies on Windows, the encryption key used for cookie encryption will be further secured by binding it to Chrome's application identity. This can help protect against malware that might attempt to steal cookies from the system. This does not protect against an attacker who is able to elevate privilege or inject into Chrome's processes.
An enterprise policy, ApplicationBoundEncryptionEnabled, is available to disable application-bound encryption.
- Chrome 127 on Windows
- Chrome extension telemetry integration with Chronicle
We plan to collect relevant extension telemetry data from within Chrome, for managed profiles and devices, and send it to Chronicle. Chronicle will analyze the data to provide insight and context on risky activity.
- Chrome 127 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Generating insights for DevTools console warnings and errors
In Chrome 125, a new Generative AI (GenAI) feature became available for unmanaged users: Generating insights for Chrome DevTools Console warnings and errors. These insights provide a personalized description and suggested fixes for the selected errors and warnings. Initially, this feature is only available to users (18+) in English. Admins can control this feature by using the DevToolsGenAiSettings policy.- Chrome 125 on ChromeOS, Linux, Mac, Windows: Feature becomes available to unmanaged users globally, except Europe, Russia, and China.
- Chrome 127 on ChromeOS, Linux, Mac, Windows: Feature becomes available to managed Chrome Enterprise and Education users in supported regions.
- Migrate extensions to Manifest V3 before June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. Beginning June 2024, starting with Chrome 127 pre-stable versions, Chrome will gradually disable Manifest V2 extensions running in the browser. An enterprise policy, ExtensionManifestV2Availability , can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year, June 2025, at which point the policy will be removed.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core. Read more on the Manifest timeline, including:
- Chrome 127 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions. You can report any issues you encounter.
- Chrome 127 on Windows: Network Service sandboxed on Windows
- Simplified sign-in and sync experience on Android
Chrome will launch a simplified and consolidated version of sign-in and sync in Chrome on Android. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off via SyncTypesListDisabled. Sign-in to Chrome can be disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
The changes are virtually identical to the simplified sign-in and sync experience launched on iOS in 117.
- Chrome 127 on Android
- Telemetry about pages that trigger keyboard and pointer Lock APIs
When an Enhanced Safe Browsing user visits a page that triggers keyboard or pointer lock API, attributes of that page will be sent to Safe Browsing.
If the telemetry is sent and the page seems to be malicious, users will see a Safe Browsing warning and their keyboard or pointer will be unlocked if they were locked.
- Chrome 127 on Android, ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia
- Updated password management experience on Android
On Chrome on Android, some users who are signed-in to Chrome but don't have Chrome sync enabled will be able to use and save passwords in their Google Account. Relevant enterprise policies such as BrowserSignin, SyncTypesListDisabled and PasswordManagerEnabled will continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.- Chrome 127 on Android
- Watermarking
This feature will allow admins to overlay a watermark on top of a web page if navigating to it triggers a specific DLP rule. It will contain a static string displayed as the watermark. Watermarking will be available to Chrome Enterprise Premium customers.
- Chrome 124 on Linux, Mac, Windows: Trusted Tester access
- Chrome 127 on Linux, Mac, Windows: Feature rolls out
- Automatic Fullscreen content setting
A new Automatic Fullscreen content setting permits
Element.requestFullscreen()
without a user gesture, and permits browser dialogs to appear without exiting fullscreen.The setting is blocked by default and sites cannot prompt for permission. New UI controls are limited to Chrome's settings pages (
chrome://settings/content/automaticFullScreen
) and the site info bubble. Users can allow Isolated Web Apps, and enterprise admins can allow additional origins with the AutomaticFullscreenAllowedForUrls policy.Combined with Window Management permission and unblocked popups (
chrome://settings/content/popups
), this unlocks valuable fullscreen capabilities:- Open a fullscreen popup on another display, from one gesture
- Show fullscreen content on multiple displays from one gesture
- Show fullscreen content on a new display, when it's connected
- Swap fullscreen windows between displays with one gesture
- Show fullscreen content after user gesture expiry or consumption
- Chrome 127 on Windows, Mac, Linux
- Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies
Chrome 127 will add a cross-site ancestor bit to the keying of the partitioned cookie's
CookiePartitionKey
. This change unifies the partition key with the partition key values used in storage partitioning and adds protection against clickjacking attacks by preventing cross-site embedded frames from having access to the top-level-site's partitioned cookies.If an enterprise experiences any breakage with embedded iframes, they can use the CookiesAllowedForUrls policy or use
SameSite=None
cookies without the Partitioned attribute and then invoke the Storage Access API (SAA) to ensure that embedded iframes have access to the same cookies as the top level domain.- Chrome 127 on Windows, Mac, Linux
- Deprecate mutation events
Synchronous mutation events, including
DOMSubtreeModified
,DOMNodeInserted
,DOMNodeRemoved
,DOMNodeRemovedFromDocument
,DOMNodeInsertedIntoDocument
, andDOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.Mutation event support will be disabled by default starting in Chrome 127, around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
Please see this blog post for more detail. Report any issues here.
- Chrome 127 on Windows, Mac, Linux, Android
- Keyboard-focusable scroll containers
Making scroll containers focusable using sequential focus navigation greatly improves accessibility. Today, the tab key doesn't focus scrollers unless
tabIndex
is explicitly set to 0 or more.By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using a keyboard's tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a
<textarea>
.- Chrome 127 on Windows, MacOS, Linux, Android
- Support for not condition in Service Worker static routing API
The Service Worker static routing API is an API used for routing the request to the network, the Service Worker fetch handler, or directly looking up from cache, and so on. Each route consists of a condition and a source, and the condition is used for matching the request.
For Chromium implementations, the or condition is the only supported condition. However, to write the condition more flexibly, supporting the not condition is expected, which matches the inverted condition inside.
- Chrome 127 on Windows, Mac, Linux, Android
- Ad-hoc code signatures for PWA shims on macOS
Code signatures for the application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures that are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.
This will address problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and will permit future improvements for handling user notifications within PWAs on macOS.
- Chrome 128 on Mac
- Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 128 on Android, iOS, ChromeOS, Linux, Mac, Windows: Deprecation of Safe Browsing Extended reporting
- Chrome will no longer support macOS 10.15
Chrome will no longer support macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support macOS 10.15.
- Chrome 129 on Mac: Chrome no longer supports macOS 10.15
- User link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, MacOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
chrome://flags/#enable-user-link-capturing-pwa
. - Chrome 129 on Linux, Mac, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).
- Chrome 121 on Linux, MacOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
- Deprecate the includeShadowRoots argument on DOMParser
The
includeShadowRoots
argument was a never-standardized argument to theDOMParser.parseFromString()
function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.
Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() will ship in Chrome 129, the non-standardincludeShadowRoots
argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
document.parseHTMLUnsafe(html);
- Chrome 129 on Linux, Mac, Windows, Android
- Insecure form warnings on iOS
Chrome 125 blocks form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it will display a warning asking the user to confirm the submission. The goal is to prevent leaking form data over plain text without user's explicit approval. A policy called InsecureFormsWarningsEnabled is available to control this feature.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed
- Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:
1. Checks whether the request has been initiated from a secure context
2. Sends a preflight request, and checks whether B responds with a header that allows private network access.
There are already features for subresources and workers, but this one is for navigation requests specifically.
These checks protect the user's private network. Since this feature is the warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in the DevTools, to help developers prepare for the coming enforcement.
- Chrome 130 on Windows, Mac, Linux, Android
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the InsecureFormsWarningsEnabled policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.
However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.
Please see this blog post for more detail.
- Chrome 124 on Windows, Mac, Linux
- Chrome 135 on Android
Upcoming ChromeOS changes
-
As early as ChromeOS 127, Snap groups will allow you to group windows on ChromeOS. A snap group is formed when a user pairs two windows for a split-screen. The windows can then be brought back together, resized simultaneously, or moved as a group.
-
As early as ChromeOS 127, Read Aloud will bring Google's high quality voices to Chrome Reading Mode for users to leverage Text to Speech to read content on the web. The goal of Read Aloud is to help people who have difficulty reading to understand long-form text. The new Read Aloud feature in Reading Mode on Chrome desktop allows users to hear the text they are reading, which improves focus and comprehension.
Upcoming Admin console changes
- Filter for popular and recently added settings with policy tags
The Admin console will soon provide options to filter settings by recently added and popular. With these new filters, you’ll be able to see our newest settings as well as see some of our most popular and relevant Chrome settings.
- As early as Chrome 126 on Android, iOS, Linux, Mac, Windows: Trusted Tester access
- As early as Chrome 127 on Android, iOS, Linux, Mac, Windows: Feature rolls out
- Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.- As early as Chrome 127 on Android, Linux, MacOS, Windows: Early Trusted Tester access
- As early as Chrome 130 on Android, iOS, Linux, MacOS, Windows: Feature rolls out
- Group based policy for Chrome browser
As an administrator, you will be able to use Google groups to add managed Chrome browsers to groups and set User & browser policies and Extension settings to a group of browsers. Managed browsers can be assigned to multiple groups, which allows IT administrators to have more flexibility to manage Chrome browsers using cloud management.
- As early as Chrome 126 on Android, Linux, MacOS, Windows: Trusted Tester access
- As early as Chrome 127 on Android, iOS, Linux, MacOS, Windows: Feature rolls ou
Chrome 125
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
Automatic deep file scanning for Enhanced Safe Browsing users | ✓ | ||
Chrome Desktop support for Windows ARM64 | ✓ | ||
Chrome updater changes | ✓ | ||
Chrome Security Insights | ✓ | ✓ | ✓ |
Chrome bandwidth updates | ✓ | ||
Extensions Safety Check | ✓ | ||
Insecure form warnings on iOS | ✓ | ||
Legacy Browser Support for Edge upgraded to Manifest V3 | ✓ | ||
Remove enterprise policy used for Base URL inheritance | ✓ | ||
Send download reports without explicit user decision | ✓ | ✓ | |
Tab Groups on Tab Grid | ✓ | ||
UI Automation accessibility framework provider on Windows | ✓ | ||
Update Google Play Services to fix issues with account passwords | ✓ | ||
Extending Storage Access API (SAA) to non-cookie storage | ✓ | ||
Interoperable mousemove default action | ✓ | ||
Remove window-placement alias for permission and permission policy descriptors | ✓ | ||
Default Search Engine choice screen | ✓ | ✓ | |
Generating insights for Chrome DevTools Console warnings and errors | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
SAML always-on VPN fix | ✓ | ||
ChromeOS Passpoint settings | ✓ | ||
ChromeOS Audio Bluetooth telephony | ✓ | ||
Add PrivateIP to DoH with identifiers | ✓ | ||
Gallery video playback speed control UI | ✓ | ||
Reduce Animations toggle for ChromeOS | ✓ | ||
Captive Portal sign-in window | ✓ | ||
Install dialog for PWAs | ✓ | ||
Warn users before disconnecting Bluetooth HID | ✓ | ✓ | |
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Inactive browser deletion in Chrome Enterprise Core | ✓ | ✓ | |
ChromeOS device enrollment and token generation redesign | ✓ | ||
New ZTE pre-provisioning token features | ✓ | ||
Expanded token management features | ✓ | ✓ | |
URL-keyed anonymized data collection in Managed Guest Session | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Deprecate Safe Browsing Extended reporting | ✓ | ||
Extract text from PDFs for screen reader users | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Removing support for UserAgentClientHintsGREASEUpdateEnabled | ✓ | ||
Tab Groups on iPad | ✓ | ||
Telemetry about pages that trigger keyboard and pointer Lock APIs | ✓ | ||
Updated password management experience on Android | ✓ | ✓ | |
Watermarking | ✓ | ||
Align navigator.cookieEnabled with spec | ✓ | ||
Automatic fullscreen content setting | ✓ | ||
Keyboard-focusable scroll containers | ✓ | ||
Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies | ✓ | ||
App-bound encryption for cookies | ✓ | ||
Chrome extension telemetry integration with Chronicle | ✓ | ||
Migrate extensions to Manifest V3 before June 2025 | ✓ | ✓ | ✓ |
Simplified sign-in and sync experience on Android | ✓ | ||
Deprecate mutation events | ✓ | ||
Remove enterprise policy used for legacy same site behavior | ✓ | ||
User link capturing on PWAs | ✓ | ✓ | |
X25519Kyber768 key encapsulation for TLS | ✓ | ||
Chrome will no longer support macOS 10.15 | ✓ | ✓ | |
Deprecate the includeShadowRoots argument on DOMParser | ✓ | ||
Private network access checks for navigation requests: warning-only mode | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
New policy to control Kiosk wake and sleep times | ✓ | ||
Show wildcard URLs in Data Controls Reporting | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Policy parity: Custom Configurations for IT admins | ✓ | ||
Interactive setup guides for Chrome Enterprise Core | ✓ | ||
Legacy Technology report | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Chrome Third-Party Cookie Deprecation (3PCD)
Third party cookies will be restricted in a future release of Chrome. Currently, they are restricted by default for 1% of Chrome users to allow sites to preview the user experience without third-party cookies. Most enterprises are excluded from this group automatically and admins can use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies if needed.
End users can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site when necessary. See this help article for more details on how to toggle these settings for the desired configuration. Bounce tracking protections are enforced when the bouncing site is not permitted to use 3P cookies, and are controllable with the same policies. Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial or the first-party deprecation trial for continued access to third-party cookies for a limited period of time.
For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, macOS, Windows
1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Starting in Chrome 120 on ChromeOS, Linux, macOS, Windows
- Automatic deep file scanning for Enhanced Safe Browsing users
Deep scanning of downloads for Enhanced Safe Browsing users has been launched since Chrome 91. At that time, users had to consent to each file they wanted deep-scanned automatically. Starting in Chrome 125, users no longer have to do that. Deep scanning is performed automatically as part of the improved protections offered by Enhanced Safe Browsing. Admins wishing to disable this feature can ensure their users are not in Enhanced Safe Browsing mode at all with the SafeBrowsingProtectionLevel policy, or disable deep scans with SafeBrowsingDeepScanningEnabled.
- Chrome 125 on LaCrOS, Linux, Mac, Windows: Feature rolls out
- Chrome Desktop support for Windows ARM64
Chrome rolled out support for Windows ARM64. Enterprise installers are coming soon, and the ARM64 version can be downloaded at google.com/chrome. If you encounter any issues, file a bug here. At this time, other versions of Chrome running on ARM64 devices will not be automatically upgraded. Please re-install Chrome if you're running on an ARM64 device.
- Chrome 125 on Windows: New Enterprise installers will be available towards mid-May
- Chrome updater changes
We are in the process of rolling out a new version of Google Update. As part of this change, the location for
GoogleUpdate.exe
on Windows changes and it is renamedupdater.exe
. Note that the previous path continues to persist until the transition is fully completed.GoogleUpdate.exe
is also modified to point toupdater.exe
.* Previous:
%PROGRAMFILES(X86)%\Google\Update\GoogleUpdate.exe
* Current:%PROGRAMFILES(X86)%\Google\GoogleUpdater\<VERSION>\updater.exe
- Chrome 125 on Windows: These changes appear on Windows
- Chrome Security Insights
If you have Chrome Enterprise Core (Chrome Browser Cloud Management) and Workspace Enterprise Standard or Workspace Enterprise Plus with assigned licenses, you can now enable Chrome Security Insights. This tool allows you to monitor insider risk and data loss for Chrome activity. For more information, see Monitoring for insider risk and data loss.
- Chrome 125 on ChromeOS, Linux, Mac, Windows
- Chrome bandwidth updates
Chrome introduces a new mechanism for updating certain Chrome components, which might result in extra bandwidth used within your fleet. You can control this with the GenAILocalFoundationalModelSettings policy.
- Chrome 125 on Linux, Mac, Windows
- Extensions Safety Check
The Extensions Safety Check notifies users about extensions that might contain malware, policy violations, and extensions that have been unpublished long ago. It provides an interface for users to review these extensions and decide to keep or remove each flagged extension.
To expand the usefulness and the scope of this feature, Chrome 125 adds new triggers so that other potentially risky extensions can also be reviewed by users. There are two new extension types that we now flag for the user to review.
- Extensions that are not installed from the Chrome Web Store
- Extensions that violate store policy by using deceptive installation tactics and are considered unwanted software
Any extensions that are force-installed, installed by policy, version-pinned or blocked by policy are ignored and not flagged by these trigger criteria.
- Chrome 125 on ChromeOS, Linux, Mac, Windows: During rollout, the two new triggers will be added to the extension safety check found on the
chrome://extensions/
page
- Chrome 125 on ChromeOS, Linux, Mac, Windows: During rollout, the two new triggers will be added to the extension safety check found on the
- Insecure form warnings on iOS
Chrome 125 blocks form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it displays a warning asking the user to confirm the submission. The goal is to prevent leaking form data over plain text without user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed
- Legacy Browser Support for Edge upgraded to Manifest V3
Legacy Browser Support for Edge is upgraded to Manifest V3. This is a major update with a possibility for bugs, so you can try the Beta version of this extension today. We encourage you to test it in your environment. If you encounter any issues, file a bug here.
- Chrome 125 on Linux, Mac, Windows: Microsoft Edge Add-ons Store doesn't support gradual rollouts, so this will roll out 0%=>100% in one step. Target release date is May 30th, so ~2 weeks into Chrome 125's lifecycle.
- Remove enterprise policy used for Base URL inheritance
In Chrome 114, we introduced NewBaseUrlInheritanceBehaviorAllowed to prevent users or Google Chrome variations from enabling NewBaseUrlInheritanceBehavior, in case compatibility issues were discovered. Chrome 125 removes the temporary NewBaseUrlInheritanceBehaviorAllowed policy.
- Chrome 125 on Android, ChromeOS, Linux, Mac, Windows: NewBaseUrlInheritanceBehaviorAllowed policy will be removed.
- Send download reports without explicit user decision
The Client Safe Browsing Report is a telemetry report sent to Safe Browsing when a warning is shown in Chrome. Today, download reports are sent when users discard or bypass a download warning. Based on the learnings from the initial tailored warning experiment, many download warnings are not explicitly discarded or bypassed. Reports are not sent for these warnings, so Safe Browsing doesn't have visibility on the effectiveness of these warnings. This feature aims to close this telemetry gap by sending reports when the download is auto-discarded or the browser is closed.
- Chrome 125 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Tab Groups on Tab Grid
Chrome for iPhone users can create and manage tab groups on their tab grids. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 125 on iOS
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Starting in Chrome 125, administrators can use the UiAutomationProviderEnabled enterprise policy to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.- Chrome 125 on Windows: The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
- Update Google Play Services to fix issues with account passwords
Users with old versions of Google Play Services might be unable to access the passwords saved to their Google accounts. These users now see warnings to update Google Play Services in the password management surface to access their account passwords again. This is part of an ongoing migration that only affects Android users of Google Password Manager.
- Chrome 125 on Android
- Extending Storage Access API (SAA) to non-cookie storage
Chrome extends the Storage Access API to allow access to unpartitioned cookie and non-cookie storage in a third-party context. The current API only provides access to cookies, which have different use-cases than non-cookie storage. The API can be used as follows (JS running in an embedded iframe):
// Request a new storage handle via rSA (this should prompt the user)
let handle = await document.requestStorageAccess({all: true});
// Write some cross-site localstorage
handle.localStorage.setItem("userid", "1234");
// Open or create an indexedDB that is shared with the 1P context
let messageDB = handle.defaultBucket.indexedDB.open("messages");
The same flow would be used by iframes to get a storage handle when their top-level ancestor successfully called
rSAFor
, just that in this case thestorage-access
permission was already granted and thus therSA
call would not require a user gesture or show a prompt, allowing for hidden iframes accessing storage.- Chrome 125 on Windows, Mac, Linux, Android
- Interoperable mousemove default action
Canceling
mousemove
does not prevent text selection or drag-and-drop. Chrome allowed cancelingmousemove
events to prevent other APIs like text selection (and even drag-and-drop in the past). This does not match other major browsers; nor does it conform to the W3 UI Events specification.With this feature, text selection is no longer the default action of
mousemove
. Text selection and drag-and-drop can still be prevented through cancelingselectstart
anddragstart
events respectively, which are spec-compliant and fully interoperable.- Chrome 125 on Windows, Mac, Linux, Android
- Remove window-placement alias for permission and permission policy descriptors
Chrome 125 removes the window-placement alias for permission and permission policy descriptors. All instances of window-placement are replaced with window-management, which better describes the related API functionality. This is a follow-up to Window Management API feature enhancements and renaming from Multi-Screen Window Placement API; for more details, see Chrome Platform Status.
- Chrome 125 on Windows, Mac, Linux
- Default Search Engine choice screen
As part of our Digital Markets Act (DMA) compliance, Google is introducing choice screens for users to choose their default search engine within Chrome. The choice from the prompt controls the default search engine setting, currently available at
chrome://settings/search
.For enterprises that have chosen to have their administrator set their enterprise users’ search settings using the enterprise policies DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, those policies continue to control their enterprise’s search settings. Where the administrator has not set their enterprise users’ search settings by policy, enterprise users might see a prompt to choose their default search engine within Chrome.
Read more about these policies and the related atomic group.
- Chrome 120 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: 1% users might start getting the choice screen with Chrome 120.
- Chrome 125 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: full roll-out for applicable users.
- Generating insights for Chrome DevTools Console warnings and errors
In Chrome 125, a new Generative AI (GenAI) feature becomes available for unmanaged users: Generating insights for Chrome DevTools Console warnings and errors. These insights provide a personalized description and suggested fixes for the selected errors and warnings. Initially, this feature is only available to users (18+) in English. Admins can control this feature by using the DevToolsGenAiSettings policy.
- Chrome 125 on ChromeOS, Linux, Mac, Windows: Feature becomes available to unmanaged users globally, except Europe, Russia, and China.
- Chrome 127 on ChromeOS, Linux, Mac, Windows: Feature becomes available to managed Chrome Enterprise & Education users in supported regions.
- New and updated policies in Chrome browser
Policy Description EnterpriseLogoUrl Enterprise Logo URL: URL to an image that is used as an enterprise badge for the profile. EnterpriseBadgingTemporarySetting Control the visibility of enterprise badging. ApplicationBoundEncryptionEnabled Enable Application-bound encryption UiAutomationProviderEnabled Enable the browser's UI Automation accessibility framework provider on Windows ToolbarAvatarLabelSettings Managed toolbar avatar label setting
ChromeOS updates
-
To better support Enterprise customers who use VPN in always-on strict mode, where no user traffic can get to the internet except via the VPN, and SAML authentication, we've added a new policy AlwaysOnVpnPreConnectUrlAllowlist. This policy allows you to specify URLs users are allowed to go to before the VPN has connected, so that your SAML services are reachable to authenticate the user to the VPN via the system browser.
-
You can now view and manage Wi-Fi Passpoint in ChromeOS Settings. You can view and remove your installed passpoint subscription under the passpoint detailed page.
-
ChromeOS Audio Bluetooth telephony
ChromeOS now supports call control buttons on compatible Bluetooth headsets, including answering, rejecting or terminating a call, and muting the microphone.
-
Add PrivateIP to DoH with identifiers
A network identifier was added to the secure DNS URI templates with identifiers policy. Admins can now configure a new placeholder in the DNS URI templates, which is replaced with the device local IP addresses when the users are connected to managed networks.
-
Gallery video playback speed control UI
ChromeOS Gallery video player now has a playback speed menu to control the playback rate.
-
Reduce Animations toggle for ChromeOS
A reduced animations setting is now available on ChromeOS. This setting is available under Accessibility > Display and Magnification > Reduced Animations. Customers who experience motion sickness, distractions or other types of discomfort when seeing animations can benefit from changing this setting.
-
ChromeOS 125 allows easier captive portal sign-in with a dedicated window. The window opens as a tabless popup window; the URL is shown but it is not editable.
-
ChromeOS 125 enables an installation dialog for web apps. This feature unblocks web app installation scenarios and is part of the work to create a more predictable, accessible, and trustworthy install surface for web apps.
-
Warn users before disconnecting Bluetooth HID
In ChromeOS 125 and later, Chromeboxes and Chromebases display a notification to prevent unintended Bluetooth device disconnections. This notification appears when you attempt to disable Bluetooth while only Human Interface Devices (HIDs) like keyboards or mice connected via Bluetooth are active.
Admin console updates
-
Inactive browser deletion in Chrome Enterprise Core
Starting in April 2024 until June 2024, the Inactive period for browser deletion policy has started to roll out and automatically delete enrolled browsers in the Admin console that have been inactive for more than the inactivity period of time determined by the policy. When releasing the policy, the inactivity period of time has a default value of 540 days. Meaning that by default, all enrolled browsers that have been inactive for more than 540 days are deleted from your account. Administrators can change the inactive period value using this policy. The maximum value to determine the browser inactivity period is 730 days and the minimum value is 28 days (learn more).
If you lower the set policy value, it might have a global impact on any currently enrolled browsers. All impacted browsers will be considered inactive and, therefore, be irreversibly deleted. To ensure the deleted browsers re-enroll automatically next time they restart, set the Device Token Management policy value to Delete token before lowering the value of this policy. The enrollment tokens on these browsers need to still be valid at the time of the restart.
-
ChromeOS device enrollment and token generation redesign
Beginning in April 2024, the zero-touch enrollment experience has been enhanced with a new enrollment entry point, token creation guide, the ability to specify SKU and partner permissions and improved token management
-
New ZTE pre-provisioning token features
Pre-provisioning tokens have gained the following features:- Support for Kiosk & Signage Upgrade by allowing zero-touch enrollment pre-provisioning tokens to be created using either Chrome Enterprise Upgrade or Kiosk & Signage Upgrade
- Ability for pre-provisioning partners to specify custom fields (asset ID, location, and user)
- Multiple tokens per organizational unit
-
Expanded token management features
The Enrollment Tokens page has been updated with the following features:- The page has been added to the left navigation panel for easier access
- Tokens are now filterable based on status, creation user, annotation and upgrade type
- A new button allows admins to copy the token and Customer ID with one click
- Additional columns provide more information about the token
-
URL-keyed anonymized data collection in Managed Guest Session
The policy for URL-keyed anonymized data collection, UrlKeyedAnonymizedDataCollectionEnabled, is available in the Admin console. This policy will be enforced starting June 1st and will remain disabled until then.
- New policies in Admin console
Policy Name Pages Supported on Category/Field DevToolsGenAiSettings Users & Browsers Chrome
ChromeOSGenerative AI UiAutomationProviderEnabled Users & Browsers Chrome Accessibility ContextualGoogleIntegrationsEnabled Users & Browsers ChromeOS User experience ContextualGoogleIntegrationsConfiguration Users & Browsers ChromeOS User experience ApplicationBoundEncryptionEnabled Users & Browsers Chrome Security DeviceExtensionsSystemLogEnabled Device ChromeOS User and device reporting EnterpriseBadgingTemporarySetting Users & Browser Chrome General EnterpriseLogoUrl Users & Browser Chrome General ToolbarAvatarLabelSettings Users & Browser Chrome General DeviceDlcPredownloadList Device ChromeOS Other settings
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 126 on iOS, ChromeOS, Linux, MacOS, Windows: Deprecation of Safe Browsing Extended Reporting
- Extract text from PDFs for screen reader users
Chrome browser is launching an Optical character recognition (OCR) AI reader for PDFs, creating the first browser built-in PDF screen reader for inaccessible documents, further filling the gap in accessibility for low vision and blind users across the web.
This feature leverages Google's OCR models to extract, compartmentalize, and section PDF documents to make them more accessible. A local machine intelligence library will be added that uses Screen AI technology to analyze screenshots or the accessibility tree, and extract more information to help assistive technology, such as texts (OCR) and main content of the page.
- Chrome 126 on ChromeOS, Linux, MacOS, Windows
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 125 on Windows: Network Service sandboxed on Windows.
- Removing support for UserAgentClientHintsGREASEUpdateEnabled
Deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year and then eventually remove it.
- Chrome 124 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 126 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed
- Tab Groups on iPad
Chrome for iPad users can create and manage tab groups. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 126 on Android
- Telemetry about pages that trigger keyboard and pointer Lock APIs
When an Enhances Safe Browsing user visits a page that triggers keyboard or pointer lock API, attributes of that page will be sent to Safe Browsing. If the telemetry is sent and the page seems to be malicious, users will see a Safe Browsing warning and their keyboard or pointer will be unlocked if they were locked.
- Chrome 126 on Android, ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia
- Updated password management experience on Android
On Chrome on Android, some users who are signed-in to Chrome but don't have Chrome sync enabled will be able to use and save passwords in their Google Account. Relevant enterprise policies such as BrowserSignin, SyncTypesListDisabled and PasswordManagerEnabled will continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.- Chrome 126 on Android
- Watermarking
This feature will allow admins to overlay a watermark on top of a webpage if navigating to it triggers a specific DLP rule. It will contain a static string displayed as the watermark. Watermarking will be available to Chrome Enterprise Premium customers.
- Chrome 124 on Linux, Mac, Windows: Trusted Tester access
- Chrome 126 on Linux, Mac, Windows: Feature rolls out