For administrators who manage Chrome browser or ChromeOS devices for a business or school.
- For emails about future releases, sign up here.
- To try out new features before they're released, sign up for the trusted tester program.
- Connect with other Chrome Enterprise IT admins through the Chrome Enterprise Customer Forum.
- Sign up to take the ChromeOS administrator credential exam.
- Get help and see additional resources below.
Table updated: November 29, 2023
Chrome 119
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Chrome release schedule changes | ✓ | ||
Deprecate and remove WebSQL | ✓ | ||
Native Client support updates | ✓ | ||
Remove Sanitizer API | ✓ | ||
Tab groups can be saved, recalled, and synced | ✓ | ||
Deprecate non-standard shadowroot attribute for declarative shadow DOM | ✓ | ||
Shifting UI strings in Chrome from Clear to Delete when getting rid of data | ✓ | ||
DevTools internal errors reported to Chrome internal crash reporting | ✓ | ||
Skip unload events | ✓ | ||
SharedImages for PPAPI Video Decode | ✓ | ||
Remove Authorization header upon cross-origin redirect | ✓ | ||
Dedicated setting for Permission Suggestions Service | ✓ | ||
Hash-prefix real-time lookups | ✓ | ||
Remove recommended support from multiple policies | ✓ | ||
Standard-compliant URL host punctuation characters | ✓ | ||
Save images to Google Photos on iOS | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Privacy Hub | ✓ | ||
ChromeOS Admin templates | ✓ | ||
Using Drive offline on Chromebook Plus | ✓ | ✓ | |
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Default Search Engine choice screen | ✓ | ||
Rename FirstPartySets Enterprise Policies to RelatedWebsiteSets | ✓ | ✓ | |
Revamped Safety Check on Desktop | ✓ | ||
Chrome Desktop responsive toolbar | ✓ | ||
Chrome on Android will no longer support Android Nougat | ✓ | ||
Chrome Third-Party Cookie Deprecation | ✓ | ||
Package tracking (iOS only) | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Display banner allowing to resume last tab from other devices | ✓ | ||
Resume the last opened tab on any device | ✓ | ||
Unprefix -webkit-background-clip for text and make it an alias | ✓ | ||
Chrome user policies for iOS | ✓ | ||
Chrome profile separation: new policies | ✓ | ||
Migrate away from data URLs in SVGUseElement | ✓ | ✓ | |
Password Manager: password sharing | ✓ | ✓ | |
Permissions prompt for Web MIDI API | ✓ | ||
IP Protection Phase 0 for Chrome | ✓ | ||
Apps & Extensions Usage Report: Highlight extensions removed from the Chrome Web Store | ✓ | ||
Legacy Technology Report | ✓ | ||
Remove support for UserAgentClientHintsGREASEUpdateEnabled | ✓ | ||
Chrome Sync ends support for Chrome 81 and earlier | |||
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy | ✓ | ||
Intent to deprecate: Mutation Events | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | ✓ |
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Set the screensaver duration | ✓ | ||
New controls for mouse scroll acceleration | ✓ | ||
Enhanced Alt + click behavior | ✓ | ||
New look for ChromeOS media player | ✓ | ||
Enhanced notifications for pinned apps | ✓ | ||
New ChromeOS sync options | ✓ | ✓ | |
App disablement by Admin in MGS | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Chrome release schedule changes
Chrome 119 and all subsequent releases will be moved forward by one week. For example, Chrome 119 has its early stable release on October 25 instead of Nov 1. Beta releases will also be moved forward by one week starting in Chrome 119.
For more details, see the Chrome Release Schedule.
- Chrome 119 on Android, iOS, ChromeOS, Linux, Mac, Windows
- Deprecate and remove WebSQL
With SQLite over WASM as its official replacement, we plan to remove WebSQL entirely. This will help keep our users secure.
The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.
Ever since its release, WebSQL has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team.
- Chrome 115: Deprecation message added to console.
- Chrome 117: The WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a policy, WebSQLAccess, is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy.
- Chrome 123 on Chrome OS, LaCrOS, Linux, Mac, Windows: Starting in Chrome 123, the WebSQLAccess policy, which allows WebSQL to be available, will no longer be available.
- Native Client support updates
Chrome 119 removes a temporary enterprise policy, NativeClientForceAllowed, which allowed Native Client to continue to be used.
- Chrome 117 on Linux, Mac, Windows: Removes Native Client NaCl support from extensions on Windows, macOS, Linux.
- Chrome 119 on Linux, Mac, Windows: Removes NativeClientForceAllowed policy.
- Remove Sanitizer API
To prevent the current Sanitizer API from becoming entrenched, we plan to remove the current implementation. We expect to re-implement the Sanitizer API when the proposed specification stabilizes again.
The Sanitizer API aims to build an easy-to-use, always secure, browser-maintained HTML sanitizer into the platform. We shipped an initial version of the Sanitizer API in Chrome 105, based on the then-current specification draft. However, the standards discussion has meanwhile moved on and the proposed API shape has changed substantially.
- Chrome 119 on Windows, Mac, Linux, Android
- Tab Groups can be saved, recalled, and synced
Users can now save tab groups, which allows them to close and re-open the tabs in the group, as well as sync them across devices. You can disable syncing Tab Groups using the SyncTypesListDisabled policy.
- Chrome 119 on ChromeOS, Linux, Mac, Windows
- Deprecate non-standard shadowroot attribute for declarative Shadow DOM
The standards-track shadowrootmode attribute, which enables declarative Shadow DOM, was shipped in Chrome 111 (ChromeStatus). The older, non-standard shadowroot attribute is now deprecated. During the deprecation period, both attributes are functional; however, the shadowroot attribute does not enable the new streaming behavior, whereas shadowrootmode allows streaming of content. There is a straightforward migration path: replace shadowroot with shadowrootmode.
The old shadowroot attribute is deprecated as of Chrome 112, and it will be removed (no longer supported) in Chrome 119. Chrome 119 goes to Stable on October 31, 2023.
- Chrome 119 on Windows, Mac, Linux, Android
- Shifting UI strings in Chrome from Clear to Delete when getting rid of data
Chrome is updating settings text to reflect delete instead of clear when referring to the destruction of data. We expect this change to improve users’ understanding of the associated effect on data. Users who intend to get rid of data should feel reassured that the data is actually deleted, not just cleared from one view but possibly accessible elsewhere.
- Chrome 119 on Android, iOS, ChromeOS, Mac, Windows: The earliest milestone that users may see these changes is 119.
- DevTools internal errors reported to Chrome internal crash reporting
To improve Chrome's stability, DevTools internal errors are now reported through Chrome's existing crash reporting pipeline. This provides visibility of the stability of Chrome DevTools. Admins can control all crash reporting, including these errors, using the MetricsReportingEnabled enterprise policy.
- Chrome 119 on ChromeOS, Linux
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events.
In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of a Permissions-Policy API and an enterprise policy ForcePermissionPolicyUnloadDefaultEnabled, which will allow you to selectively keep the behavior unchanged.
- Chrome 117 on Chrome OS, Linux, Mac, Windows: Dev Trial
- Chrome 119 on Chrome OS, Linux, Mac, Windows: Introduces ForcePermissionPolicyUnloadDefaultEnabled policy
- Chrome 120-131 on Chrome OS, Linux, Mac, Windows: Deprecation trial (general rollout of deprecation will be limited scope until deprecation trial is ready)
- SharedImages for PPAPI Video Decode
Chrome 119 introduces a new PPAPISharedImagesForVideoDecoderAllowed policy to control the recent refactor for VideoDecoder APIs in PPAPI plugin.
- Chrome 119 on ChromeOS, LaCrOS: Introduces escape hatch policy.
- Chrome 122 on ChromeOS, LaCrOS: Escape hatch policy and corresponding old code paths are removed.
- Remove Authorization header upon cross-origin redirect
The Fetch standard has been updated to remove Authorization header on cross origin redirects. Chrome 119 implements this change to the specification. Prior to Chrome 119, when a cross origin redirect, such as from foo.test to bar.test, happened with an Authorization header, Chrome preserved the Authorization header and bar.test could receive the header. Starting Chrome 119, Chrome removes Authorization headers when cross origin redirects happen, meaning that bar.test no longer receives the Authorization header.
- Chrome 119 on ChromeOS, Windows, Mac, Linux, Android
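The following is an added example, not code from Chrome or from these release notes. It models the redirect rule described above so that a redirect chain can be checked for hops that will stop receiving the Authorization header. The function names, the sample chain and the token are constructed for illustration; foo.test and bar.test are the hosts used in the text.

```javascript
// Added example (not Chrome source): models how the Authorization header
// travels along a redirect chain before and after the Chrome 119 change.

// Follow `locations` (the Location value of each redirect response) from
// `startUrl` and record whether each hop receives an Authorization header.
function traceRedirects(startUrl, locations, headers, { stripOnCrossOrigin = true } = {}) {
  // Header names are case-insensitive, so normalise them once.
  const live = {};
  for (const [name, value] of Object.entries(headers)) {
    live[name.toLowerCase()] = value;
  }

  let current = new URL(startUrl);
  const hops = [{ url: current.href, authorization: live.authorization ?? null }];

  for (const location of locations) {
    const next = new URL(location, current); // Location may be relative
    // An origin is scheme + host + port; URL.origin already folds default ports,
    // so https://foo.test and https://foo.test:443 compare equal.
    if (stripOnCrossOrigin && next.origin !== current.origin) {
      // The header is deleted from the request itself, so it does not come
      // back on a later hop, even one that returns to the first origin.
      delete live.authorization;
    }
    current = next;
    hops.push({ url: current.href, authorization: live.authorization ?? null });
  }
  return hops;
}

// URLs in the chain that received the credential under the old behaviour but
// do not under the new one: the hops an application may be relying on, and
// also the hops that previously saw a credential not meant for them.
function hopsLosingAuthorization(startUrl, locations, headers) {
  const before = traceRedirects(startUrl, locations, headers, { stripOnCrossOrigin: false });
  const after = traceRedirects(startUrl, locations, headers);
  return after
    .filter((hop, i) => before[i].authorization !== null && hop.authorization === null)
    .map((hop) => hop.url);
}

// Constructed sample: a same-origin relative redirect, then a cross-origin
// redirect to bar.test, then a redirect back to foo.test.
const SAMPLE_START = 'https://foo.test/api';
const SAMPLE_LOCATIONS = ['/v2/api', 'https://bar.test/data', 'https://foo.test/back'];
const SAMPLE_HEADERS = { Authorization: 'Bearer EXAMPLE-TOKEN' };

console.log(hopsLosingAuthorization(SAMPLE_START, SAMPLE_LOCATIONS, SAMPLE_HEADERS));
```

A change of scheme or port alone is also a cross-origin redirect, so a hop from https://foo.test to https://foo.test:8443 loses the header as well.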
- Dedicated setting for Permission Suggestions Service
The settings page for notification and geolocation permissions now has an additional option to explicitly enable the Permission Suggestions Service. Permission Suggestions Service is an already existing feature, but it didn’t have its dedicated setting. It was tied to standard Safe Browsing settings being enabled. Now the users can choose between four different states:
- Always show the notification/geolocation permission prompt
- Let Permission Suggestion Service quieten unwanted notification/geolocation requests (new)
- Always quieten notification permission requests
- Always block notifications/geolocation permission requests
- DefaultNotificationsSetting
- NotificationsAllowedForUrls and NotificationsBlockedForUrls
- DefaultGeolocationSetting
- Chrome 119 on Linux, Mac, Windows
- Hash-prefix real-time lookups
For standard Safe Browsing protection users, visited URLs now have their safety checked in real time instead of against a less frequently updated local list of unsafe URLs. This is done by sending partial hashes of the URLs to Google Safe Browsing through a proxy via Oblivious HTTP, so that the user’s IP address is not linked to the partial hashes. This change improves security while maintaining privacy for users. If needed, the feature can be disabled through the policy SafeBrowsingProxiedRealTimeChecksAllowed.
- Chrome 119 on Android, iOS, Chrome OS, LaCrOS, Linux, Mac, Windows
- Remove recommended support from multiple policies
Some policies can be applied as recommended, allowing administrators to set an initial value which end-users can later change. Beginning in Chrome 119, recommended support will be removed from multiple policies which end-users currently have no way of configuring.
Any affected policies that were previously set as recommended will need to be set as mandatory to ensure they continue to take effect.
- Chrome 119 on Linux, Mac, Windows: Recommended support is being removed from the PrintPdfAsImageDefault enterprise policy.
- Chrome 120 on Android, Linux, Mac, Windows: Recommended support is being removed from the following enterprise policies:
- Standard-compliant URL host punctuation characters
Chrome 119 continues our efforts to make Chrome's handling of URL host punctuation characters standard-compliant. Here is a summary of changes in Chrome 119:
Notation:
- 'ESC': Allowed, but Chrome escapes it, which is non-compliant.
- '-': Allowed.
- '0': Forbidden. URL will be invalid if the host contains a forbidden character.
Warning:
- SPACE and ASTERISK are still non-compliant.
- Chrome 119 on Windows, Mac, Linux, Android
- Save images to Google Photos on iOS
When a signed-in user long-presses on an image in Chrome, they can save it directly to Google Photos. They have the option to save it to any account logged in on the device.
- Chrome 119 on iOS: Users can directly save images to Google photos
- Chrome 120 on iOS: A policy is introduced to control this functionality
- New and updated policies in Chrome browser
Policy | Description |
---|---|
SafeBrowsingDeepScanningEnabled | Allow download deep scanning for Safe Browsing-enabled users |
SafeBrowsingProxiedRealTimeChecksAllowed | Allow Safe Browsing Proxied Real Time Checks (now also available on Android) |
ChromeOS updates
- Privacy Hub
Users can now manage their camera and microphone settings across the operating system from one place in Settings > Security and Privacy > Privacy controls. Now it only takes one click for users to completely turn off their camera or microphone all from one place when they need extra confidence in staying on mute.
- ChromeOS Admin templates
With App Launch Automation, admins can now configure groups of applications, windows and tools that can be launched automatically on startup or on-demand by users throughout their day. With App Launch Automation, you can get users up and running quickly at the start of their day, provide users with a way to easily get to an optimal starting point for new tasks, and remember the window layout each user sets up for their individual workflows for future use.
You can turn on this feature using the #app-launch-automation flag, and then create templates in the Admin console.
- Using Drive offline on Chromebook Plus devices
Enterprise users on Chromebook Plus devices can now easily make all of their files in the My Drive section of Google Drive available offline. You can control this using the DriveFileSyncAvailable enterprise policy.
Admin console updates
- New policies in Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
PPAPISharedImagesForVideoDecoderAllowed | User & Browser, MGS | ChromeOS | Content |
SafeBrowsingDeepScanningEnabled | User & Browser | Chrome (Linux, Mac, Windows), ChromeOS | Chrome Safe Browsing |
DriveFileSyncAvailable | User & Browser | ChromeOS | Content |
ProfileSeparationDataMigrationSettings | User & Browser | Chrome (Linux, Mac, Windows) | Sign-In Settings |
ProfileSeparationDomainExceptionList | User & Browser | Chrome (Linux, Mac, Windows) | Sign-In Settings |
ProfileSeparationSettings | User & Browser | Chrome (Linux, Mac, Windows) | Sign-In Settings |
ShowDisplaySizeScreenEnabled | User & Browser | ChromeOS | Sign-In Settings |
ShowTouchpadScrollScreenEnabled | User & Browser | ChromeOS | Sign-In Settings |
DeviceEphemeralNetworkPoliciesEnabled | Device | ChromeOS | Other Settings |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Default Search Engine choice screen
As early as Chrome 120, enterprise end-users might be prompted to choose their default search engine within Chrome.
As part of our building for DMA compliance, some users will be prompted to choose their default search engine for Chrome. This prompt controls the default search engine setting, currently available at chrome://settings/search. The enterprise policies, DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, will continue to control this setting as they do today, if they are set by the IT admin. Read more on this policy and the related atomic group.
- Chrome 120 on iOS, Chrome OS, LaCrOS, Linux, Mac, Windows: 1% of users will start getting the choice screen with Chrome 120. 100% by Chrome 122.
- Rename FirstPartySets enterprise policies to RelatedWebsiteSets
The FirstPartySetsEnabled and FirstPartySetsOverrides enterprise policies are renamed to RelatedWebsiteSetsEnabled and RelatedWebsiteSetsOverrides respectively. There is no change in the policies’ behavior. The new policies become available from Chrome 120. Administrators should use them going forward. To learn more about the rename, follow https://developer.chrome.com/blog/related-website-sets/
- Chrome 120 on Android, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia
- Revamped Safety Check on Desktop
We plan to introduce a new proactive Safety Check that regularly checks the browser for safety-related issues and informs users when there's anything that needs their attention. This launch also introduces a new page with Chrome’s proactive safety-related actions and information tailored to each user, designed to make it easier for users to stay safe online.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Chrome Desktop responsive toolbar
As early as Chrome 120, Chrome Desktop customers across devices and input modes (for example, Mouse or Touch) will experience a toolbar that seamlessly responds to changing window sizes, when users manually select and resize a window or use OS-specific window management tools.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Chrome on Android will no longer support Android Nougat
The last version of Chrome that supports Android Nougat is Chrome 119, and it includes a message to affected users informing them to upgrade their operating system.
Chrome 120 will not support nor ship to users running Android Nougat.
- Chrome 120 on Android: Chrome on Android no longer supports Android Nougat
- Chrome Third-Party Cookie deprecation
In Chrome 120 and beyond (Jan 2024), Chrome will globally disable third-party cookies for 1% of Chrome traffic as part of our Chrome-facilitated testing in collaboration with the CMA. This will allow sites to meaningfully preview what it's like to operate in a world without third-party cookies. Most enterprise users will be excluded from this experiment group automatically. But for the few that might be affected, admins will be able to use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies and opt out their managed browsers ahead of the experiment. This will give enterprises time to make the changes required to not rely on this policy or third-party cookies.
We plan to provide more tooling to help identify third-party cookies use cases. Admins can set the BlockThirdPartyCookies policy to false to re-enable third-party cookies for all sites but this will prevent users from changing the corresponding setting in Chrome. Alternatively, to prevent breakage, you can set the CookiesAllowedForUrls policy to allowlist your enterprise applications to continue receiving third-party cookies.
For more details on how to prepare, provide feedback and report potential site issues, refer to the Mode B: 1% third-party cookie deprecation blog section and the Preparing for the end of third-party cookies blog.
- Chrome 120 on ChromeOS, Linux, Mac, Windows: 1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Package tracking (iOS only)
Users will be able to enable a new package tracking feature that results in estimated delivery dates and package status appearing in a new card on the New tab page. This feature is only supported for en-US users and only for packages fulfilled via FedEx and USPS. If needed, you will be able to turn off the feature using a new policy called ParcelTrackingEnabled.
- Chrome 120 on iOS: feature launches
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 120 on Windows: Network Service sandboxed on Windows
- Display banner allowing to resume last tab from other devices
To help signed-in users resume tasks when they have to switch devices immediately, Chrome will offer to pick up tabs recently used on the previous device. Admins will be able to control this feature using an existing enterprise policy called SyncTypesListDisabled.
- Chrome 120 on iOS: Feature launches
- Resume the last opened tab on any device
For the last open tab on any device within the last 24 hours with the same signed-in user profile, Chrome will offer users a quick shortcut to resume that tab. Admins will be able to control this feature using an existing enterprise policy called SyncTypesListDisabled.
- Chrome 120 on iOS: Feature launches
- Unprefix -webkit-background-clip for text and make it an alias
Chrome will allow the use of the unprefixed version for background-clip: text and will make -webkit-background-clip an alias for background-clip. Also, it drops support for non-suffixed keywords (content, padding and border) for better round-trip with alias.
- Chrome 120 on Windows, Mac, Linux, Android
- Chrome user policies for iOS
Admins can apply policies and preferences across a user's devices. Settings apply whenever the user signs in to Chrome browser with their managed account on any device. This functionality already exists on Windows, Mac, Linux, ChromeOS and Android. We are in the process of bringing this functionality to iOS.
- Chrome 120 on iOS: The earliest milestone for this capability is 120.
- Chrome profile separation: new policies
Three new policies will be created to help enterprises configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist. These policies will be simpler to use and will replace ManagedAccountsSigninRestriction and EnterpriseProfileCreationKeepBrowsingData.
- Chrome 120 on Linux, Mac, Windows
- Migrate away from data URLs in SVGUseElement
The SVG spec was recently updated to remove support for data: URLs in SVGUseElement. This improves security of the Web platform as well as compatibility between browsers as WebKit does not support data: URLs in SVGUseElement. You can read more in this blog post.
Assigning a data: URL in SVGUseElement can cause XSS. And this also led to a Trusted Types bypass.
For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available until Chrome 128 to re-enable Data URL support for SVGUseElement.
- Chrome 120 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia: Remove support for data: URLs in SVGUseElement
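To find pages that still depend on the behaviour being removed, static markup can be scanned for use elements whose href or xlink:href is a data: URL. The scanner below is an added example, not Chrome code or a tool from these release notes; the function name and the sample markup are constructed. It covers static markup only, not href values assigned from script or written with character references.

```javascript
// Added example: report <use> elements in static HTML/SVG source whose
// href or xlink:href is a data: URL (the case losing support in Chrome 120).

// An opening <use ...> tag, optionally namespace-prefixed (e.g. <svg:use>).
// Quoted attribute values are consumed as units so that a '>' inside an
// inline data: URL does not end the tag early.
const USE_TAG = /<(?:[\w-]+:)?use(?=[\s\/>])(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;

// href="...", xlink:href='...' or an unquoted value, inside one tag.
const HREF_ATTR = /(?:^|\s)(xlink:href|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function findDataUrlUses(markup) {
  const findings = [];
  for (const tag of markup.matchAll(USE_TAG)) {
    for (const attr of tag[0].matchAll(HREF_ATTR)) {
      const raw = attr[2] ?? attr[3] ?? attr[4] ?? '';
      // URL parsing ignores surrounding whitespace and embedded tab/newline
      // characters, and schemes are case-insensitive.
      const normalized = raw.replace(/[\t\n\r]/g, '').trim().toLowerCase();
      if (!normalized.startsWith('data:')) continue;

      findings.push({
        // 1-based line of the tag, for locating it in the source file.
        line: markup.slice(0, tag.index).split('\n').length,
        attribute: attr[1].toLowerCase(),
        // Media type only; the payload itself is deliberately not reported.
        mediaType: normalized.slice(5).split(/[;,]/)[0] || 'text/plain',
      });
    }
  }
  return findings;
}

// Constructed sample markup: lines 1 and 4 use references that are not
// data: URLs; lines 2 and 3 use data: URLs and should be reported.
const SAMPLE_MARKUP = [
  '<svg><use href="#local-icon"/></svg>',
  '<svg><use xlink:href="data:image/svg+xml;base64,CONSTRUCTED#icon"/></svg>',
  "<svg><USE HREF=' Data:image/svg+xml,<svg id=x></svg>#x'></USE></svg>",
  '<svg><use href="/static/icons.svg#cart"/></svg>',
].join('\n');

console.log(findDataUrlUses(SAMPLE_MARKUP));
```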
- Password Manager: password sharing
Password Manager allows users to share their passwords with members of their Google Family Group (as configured in their Google Account). Users can only share one password at a time. It is not possible to share passwords in bulk. The shared password cannot be updated or revoked by the sender.
Enterprise admins can use the PasswordSharingEnabled policy to switch off the share feature for all their employees.
- Chrome 120 on iOS, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia
- Permissions prompt for Web MIDI API
There have been several reported problems around Web MIDI API's drive-by access to client MIDI devices (bugs). To address this problem, the Audio WG decided to place an explicit permission on the general MIDI API access. Originally, the explicit permission was only required for the advanced MIDI usage, for example, system exclusive (SysEx) message in Chrome, with gated access behind a permissions prompt. We plan to expand the scope of the permission to regular MIDI API usage.
Today the use of SysEx messages with the Web MIDI API requires an explicit user permission. With this implementation, even access to the Web MIDI API without SysEx support will require a user permission. Three new policies—DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls—will be available to allow administrators to pre-configure user access to the API.
- Chrome 121 on Windows, Mac, Linux, Android
- IP Protection Phase 0 for Chrome
As early as Chrome 122, Chrome might route traffic for some network requests to Google-owned resources through a privacy proxy. This is an early milestone in a larger effort to protect users' identities by masking their IP address from known cross-site trackers. More information is available in this explainer on GitHub. Enterprise policies will be in place to allow admins to turn off the feature before it’s launched.
- Chrome 122 on ChromeOS, Linux, Mac, Windows, Android
- Apps & Extensions Usage report: Highlight extensions removed from the Chrome Web Store
As early as 122, Chrome is adding new information on the Apps & Extensions Usage Report to help you identify if an extension was recently removed from the Chrome Web Store. On the App Details page, you can find the reason why an extension was removed from the Chrome Web Store. This feature will help IT administrators identify the impact of using the policy to disable unpublished extensions.
- Chrome 122 on LaCrOS, Linux, Mac, Windows
- Legacy Technology report
As early as Chrome 122, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, SameSite cookie changes or older security protocols like TLS 1.1/1.1. This gives admins the ability to work with developers to plan required tech migrations before the deprecation goes into effect. If you’re interested in helping us test this feature, you can sign up for our Trusted Tester program here.
- Chrome 122 on LaCrOS, Linux, Mac, Windows
- Remove support for UserAgentClientHintsGREASEUpdateEnabled
We plan to deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year. The policy will eventually be removed.
- Chrome 122 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 125 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed
- Chrome Sync ends support for Chrome 81 and earlier
Chrome Sync will no longer support Chrome 81 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 123 on Android, iOS, Chrome OS, Linux, Mac, Windows: The change will be implemented.
- Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- Intent to deprecate: Mutation Events
Synchronous Mutation Events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed. During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
An Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest V2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:
- Chrome 98 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Public" or "Unlisted". The ability to change Manifest V2 extensions from "Private" to "Public" or "Unlisted" is removed.
- Chrome 103 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Private".
- Chrome 110 on ChromeOS, LaCrOS, Linux, Mac, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Future milestone on ChromeOS, LaCrOS, Linux, Mac, Windows: Remove ExtensionManifestV2Availability policy.
Upcoming ChromeOS changes
- Set the screensaver duration
As early as ChromeOS 120, you will be able to set the duration for screensaver while charging. Users can now choose how long their screensaver runs while their device is charging (not on battery). You can control this using a new enterprise policy. The default setting is Forever, and can be reduced using drop-down options.
- New controls for mouse scroll acceleration
ChromeOS 120 will add new controls to let users disable mouse scroll acceleration and adjust the speed of the scrolling.
- Enhanced Alt + click behavior
In ChromeOS 120, you will be able to configure right-click behavior using the keyboard and touchpad. You can also configure settings for actions such as Home, End, and Page Up, in the Customize keyboard keys subpage.
- New look for ChromeOS media player
As early as ChromeOS 121, the media player will have bigger buttons and colors to match your wallpaper. The media player will appear when you are playing any video or audio (like Spotify or YouTube) in Quick Settings. You will be able to click the pin icon to move the media player to the shelf. In addition to controlling media that is being cast, you will be able to start casting web media to any speakers or screens on your local network.
- Enhanced notifications for pinned apps
As early as ChromeOS 121, you will be able to visually separate pinned notifications from other notifications. We will change the visual specs, buttons, and notification text to fit within fixed size bubbles. This significantly differentiates the visual look of pinned notifications from typical notifications to reflect their significant difference in purpose (notifying the user of an ongoing process rather than an instantaneous event).
- New ChromeOS sync options
ChromeOS will soon deliver an updated device setup experience that lets users customize sync settings for apps, settings, wi-fi networks, and wallpaper.
- App disablement by Admin in MGS
Up until now, Managed Guest Sessions (MGS) include a set of applications (Explore, Gallery, and Terminal apps) that are available to the user. With the SystemFeaturesDisableList policy, Admins will soon be able to disable these apps, blocking and hiding them from users across your enterprise.
Chrome 118
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Remove ForceMajorVersionToMinorPositionInUserAgent policy | ✓ | ||
Remotely disable malicious off-store extensions | ✓ | ||
Remove RendererCodeIntegrityEnabled policy | ✓ | ||
Support for passkeys in iCloud Keychain on macOS | ✓ | ✓ | |
Hash-prefix real-time lookups | ✓ | ||
Updates to the red Safe Browsing interstitials | ✓ | ✓ | |
Form controls support vertical writing mode | ✓ | ||
Block all cookies set via JavaScript that contain control characters | ✓ | ||
Clearer Safe Browsing protection level settings text and images | ✓ | ||
WebUSB in Extension Service Workers | ✓ | ||
Include chrome.tabs API calls in extension telemetry reports | ✓ | ||
Remove non-standard appearance keywords | ✓ | ||
Enrollment for Privacy Sandbox | ✓ | ||
Discounts shown on product pages and on Quests on the New Tab Page | ✓ | ||
Encrypted archive deep scanning for Enhanced Safe Browsing users | ✓ | ||
Flag for enabling the chrome://policy/test page | ✓ | ||
TLS Encrypted Client Hello (ECH) | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Password recovery | ✓ | ||
Tabbed PWAs | ✓ | ||
Printer setup assistance | ✓ | ||
Imprivata integration v4 | ✓ | ✓ | |
Touch text editing redesign | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome release schedule changes | ✓ | ||
Deprecate and remove WebSQL | ✓ | ||
Native Client support updates | ✓ | ||
Migrate away from data URLs in SVG <use> element | ✓ | ✓ | |
Network Service on Windows will be sandboxed | ✓ | ||
Display banner allowing to resume last tab from other devices | ✓ | ||
Remove Sanitizer API | ✓ | ||
Tab groups can be saved, recalled, and synced | ✓ | ||
Chrome profile separation: new policies | ✓ | ||
Private Network Access restrictions for automotive | ✓ | ||
Deprecate non-standard shadowroot attribute for declarative shadow DOM | ✓ | ||
Remove support for UserAgentClientHintsGREASEUpdateEnabled | ✓ | ||
Default Search Engine choice screen | ✓ | ||
Shifting UI strings in Chrome from Clear to Delete when getting rid of data | ✓ | ||
DevTools internal errors will be reported to Chrome internal crash reporting | ✓ | ||
SharedImages for PPAPI Video Decode | ✓ | ||
Private Aggregation API bundled enhancements | ✓ | ✓ | |
Remove Authorization header upon cross-origin redirect | ✓ | ||
Revamped Safety Check on Desktop | ✓ | ||
Permissions prompt for Web MIDI API | ✓ | ||
Desktop Responsive Toolbar | ✓ | ||
Chrome on Android will no longer support Android Nougat | ✓ | ||
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
IP Protection Phase 0 for Chrome | ✓ | ||
Apps & Extensions Usage Report: Highlight extensions removed from the Chrome Web Store | ✓ | ||
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy | ✓ | ||
Intent to deprecate: Mutation Events | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | ✓ |
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Privacy Hub | ✓ | ||
ChromeOS Admin templates | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
URL-keyed anonymized data collection in Kiosk mode | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Remove ForceMajorVersionToMinorPositionInUserAgent policy
Chrome 118 removes the ForceMajorVersionToMinorPositionInUserAgent policy. This policy was introduced in Chrome 99 to control whether the User-Agent string major version would be frozen at 99, in case of User-Agent string parsing bugs when the version changed to 100. Fortunately, we did not need to deploy this feature and only encountered a few minor 3-digit version parsing issues that have all since been fixed. Given that, we can now remove this policy. If you have any feedback about this policy removal, or are aware of intranet functionality that depends on the policy, comment on this bug.
- Chrome 118 on Android, ChromeOS, Linux, Mac, Windows: Remove ForceMajorVersionToMinorPositionInUserAgent policy
- Remotely disable malicious off-store extensions
When Enhanced Safe Browsing is enabled and a user has a malicious off-store extension installed, the extension is disabled once the decision is entered on the Safe Browsing servers, either manually or by an automated detection system.
- Chrome 118 on ChromeOS, Linux, Mac, Windows: Feature launches
- Remove RendererCodeIntegrityEnabled policy
The Renderer Code Integrity security feature is no longer controlled by the RendererCodeIntegrityEnabled policy; it is now switched on by default. We recommend that you verify any potential incompatibilities with third party software by no longer using the policy in advance of this release. To report any issues you encounter, submit a bug here.
- Chrome 118 on Windows: This policy is deprecated and will no longer take effect
- Support for passkeys in iCloud Keychain on macOS
Chrome on macOS ≥ 13.5 now supports creating and using passkeys from iCloud Keychain. When signing in using WebAuthn, passkeys from iCloud Keychain are listed as options once the user has granted Chrome the needed permission. If permission has not been granted, a generic iCloud Keychain option appears that prompts for permission before showing iCloud Keychain passkeys. If permission is denied, the iCloud Keychain can still be used, but it has to be manually selected each time.
When a site asks to create a platform passkey, Chrome might default to creating the passkey in iCloud Keychain based on whether iCloud Drive is in use and whether WebAuthn credentials from the current profile have been recently used. This can be controlled with a setting on chrome://password-manager/settings, and with the enterprise policy CreatePasskeysInICloudKeychain.
- Chrome 118 on Mac: Chrome 118 supports iCloud Keychain. Whether Chrome defaults to creating platform passkeys in iCloud Keychain can be altered by Chrome Variations during the lifetime of 118.
- Hash-prefix real-time lookups
For standard Safe Browsing protection users, visited URLs now have their safety checked in real time, instead of less frequently using an updated local list of unsafe URLs. This is done by sending partial hashes of the URLs to Google Safe Browsing through a proxy via Oblivious HTTP, so that the user’s IP address is not linked to the partial hashes. This change improves security while maintaining privacy for users. If needed, you can control this feature using the SafeBrowsingProxiedRealTimeChecksAllowed policy.
- Chrome 118 on iOS, ChromeOS, LaCrOS, Linux, Mac, Windows
- Updates to the red Safe Browsing interstitials
In Chrome 118, users see minor updates to the red Safe Browsing interstitials. The main body text now includes an explicit recommendation from Chrome and site ID is specified in the details section instead of the main body. The danger icon replaces the previous warning icon, and styling is now consistent with the latest product standards. These changes improve user comprehension of warnings.
- Chrome 118 on Android, iOS, ChromeOS, LaCrOS, Linux, Mac, Windows
- Form controls support vertical writing mode
The CSS property writing-mode should be enabled for form controls elements as it allows lines of text to be laid out horizontally or vertically and it sets the direction in which blocks progress.
With this feature, we are allowing the form control elements select, meter, progress, button, textarea and input to have vertical-rl or vertical-lr writing mode. As needed for Web compatibility, we now begin to slowly roll out the change for a number of form controls in 118, and we will continue in future milestones.
You can control this feature with the following command line flags:
--enable-features=FormControlsVerticalWritingModeSupport
--enable-features=FormControlsVerticalWritingModeTextSupport
- Chrome 118 on Windows, Mac, Linux, Android
- Block all cookies set via JavaScript that contain control characters
Chrome 118 updates how control characters in cookies set via JavaScript are handled. Specifically, all control characters cause the entire cookie to be rejected (previously a NULL character, a carriage return character, or a line feed character in a cookie line caused it to be truncated instead of rejected entirely, which could have enabled malicious behavior in certain circumstances). This behavior aligns Chrome with the behavior indicated by the latest drafts of RFC6265bis.
You can control this feature using the --disable-features=BlockTruncatedCookies command line flag or the BlockTruncatedCookies enterprise policy, which will be available for several milestones in case this change causes any breakage.
- Chrome 118 on Windows, Mac, Linux, Android
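To check ahead of time which cookie writes in your own web apps change outcome, the following added example (not Chrome source code) models the truncating and rejecting behaviours described above and reports what truncation would have stored. The control-character set follows the RFC6265bis drafts, treating HTAB as allowed is an assumption taken from the draft, and the sample cookie lines are constructed.

```javascript
// Added example (not Chrome source): models how one cookie line assigned via
// document.cookie is handled before and after the Chrome 118 change.

// Per the release note, these three characters used to end the line early.
const LEGACY_TERMINATORS = /[\x00\r\n]/;
// Control characters as listed in the RFC6265bis drafts: %x00-08, %x0A-1F, %x7F.
// Leaving HTAB (%x09) out of the set is an assumption taken from the draft.
const CONTROL_CHARS = /[\x00-\x08\x0A-\x1F\x7F]/;

// Split "name=value; Attr; Attr=val" into a name, a value and attribute names.
function splitCookieLine(line) {
  const [pair, ...attrs] = line.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  return {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attributes: attrs.filter(Boolean).map((a) => a.split('=')[0].toLowerCase()),
  };
}

// Old behaviour, modelled only for the three characters the note names:
// keep everything before the first NUL, CR or LF.
function legacyHandling(line) {
  const cut = line.search(LEGACY_TERMINATORS);
  const kept = cut === -1 ? line : line.slice(0, cut);
  return { stored: true, truncated: cut !== -1, ...splitCookieLine(kept) };
}

// New behaviour: any control character rejects the whole cookie.
function strictHandling(line) {
  if (CONTROL_CHARS.test(line)) return { stored: false };
  return { stored: true, truncated: false, ...splitCookieLine(line) };
}

// Report the lines that are now rejected, what truncation used to store,
// and which attributes the truncated cookie was missing.
function auditCookieLines(lines) {
  const findings = [];
  for (const line of lines) {
    if (strictHandling(line).stored) continue; // no control characters: unaffected
    const legacy = legacyHandling(line);
    const written = splitCookieLine(line);
    findings.push({
      line: JSON.stringify(line),
      legacyStored: legacy.truncated ? `${legacy.name}=${legacy.value}` : null,
      lostAttributes: legacy.truncated
        ? written.attributes.filter((a) => !legacy.attributes.includes(a))
        : [],
      now: 'rejected',
    });
  }
  return findings;
}

// Constructed sample cookie lines, as an app might assign to document.cookie.
const SAMPLE_LINES = [
  'session=abc123; Secure; SameSite=Strict',
  'pref=dark\x00mode; Secure; SameSite=Strict',
  'note=line1\r\nline2; Path=/app',
  'label=a\tb; Path=/',
  'flag=on; Secure\n; SameSite=Lax',
];

console.log(auditCookieLines(SAMPLE_LINES));
```

Lines that appear in the report are the ones to fix at the source (encode or strip the control character) before the BlockTruncatedCookies escape hatch goes away.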
- Clearer Safe Browsing protection level settings text and images
In Chrome 118, some users see new text describing the Safe Browsing protection level on both the Security Settings page and the Privacy Guide. The update clarifies the Enhanced Protection level by adding a table and linking to a help center article where users can learn more. The new table helps users understand the trade-offs when selecting that option versus choosing the other options. The descriptions for Standard Protection, No Protection and the password compromise warnings toggle have been simplified to make the options clearer. The Safe Browsing protection level is an existing feature, still controlled by the SafeBrowsingProtectionLevel policy.
- Chrome 118: Some users see the updated text and images on the Chrome Security Settings page and on the Privacy Guide.
- WebUSB in Extension Service Workers
Web developers can use the WebUSB API when responding to extension events by exposing WebUSB API to Service Workers registered by browser extensions. This API is not yet exposed to Service Workers registered by sites but the implementation experience gained by supporting the API for extensions will be valuable for such a future project.
- Chrome 118 on Windows, Mac, Linux, ChromeOS
- Include chrome.tabs API calls in extension telemetry reports
When you switch on Enhanced Safe Browsing, Chrome now collects telemetry information about chrome.tabs API calls made by extensions. This information is analyzed on Google servers and further improves the detection of malicious and policy violating extensions. It also allows better protection for all Chrome extension users. You can turn off this functionality along with the extension telemetry feature by setting SafeBrowsingProtectionLevel to any value other than 2, which turns off Enhanced Safe Browsing.
- Chrome 118 on ChromeOS, Linux, Mac, Windows: Feature launches
- Remove non-standard appearance keywords
Since only standard appearance keywords should be supported, Chrome 118 removes appearance (and -webkit-appearance) keywords, including:
* inner-spin-button
* media-slider
* media-sliderthumb
* media-volume-slider
* media-volume-sliderthumb
* push-button
* searchfield-cancel-button
* slider-horizontal
* sliderthumb-horizontal
* sliderthumb-vertical
* square-button
Note that value slider-vertical will not be removed as part of this patch; it is used for allowing <input type=range> vertical. It will be removed once feature FormControlsVerticalWritingModeSupport is enabled in Stable.
Previously, if using any of the above keywords, a console warning appeared, but the keyword was recognized as a valid value. With the feature enabled, the appearance property will be ignored and set to the empty string. As needed for Web compatibility, we will progressively remove the appearance keywords based on their counter usages on Chrome Status Metrics.
For Chrome 118, we start with the following keywords, currently at page load usage below 0.001%:
* media-slider at 0.000361%
* media-sliderthumb at 0.000187%
* media-volume-slider at 0.000143%
* media-volume-sliderthumb at 0.000109%
* sliderthumb-horizontal at 0.000182%
* sliderthumb-vertical at 0.000014%
- Chrome 118 on Windows, Mac, Linux, Android
- Enrollment for Privacy Sandbox
As the Privacy Sandbox relevance and measurement APIs start ramping up for general availability, we want to make sure these technologies are used as intended and with transparency. The APIs include Attribution Reporting, the Protected Audience API, Topics, Private Aggregation and Shared Storage. Privacy Sandbox is introducing a new Developer Enrollment process for Privacy Sandbox relevance and measurement APIs. Chrome will fetch the enrolled-sites list from the enrollment server (via component updater) and use it to gate access to the Privacy Sandbox APIs.
- Chrome 118 on Windows, Mac, Linux, Android
- Discounts shown on product pages and on Quests on the New tab page
Starting in Chrome 118, users sometimes see discounts, shown as annotations on page visits, in the Quests cards shown on the New tab page. Clicking through on the discount shows the relevant information on the product page. Quests as a whole are controlled by the NTPCardsVisible policy. Users also sometimes see discounts directly on the product page, available through an icon in the Omnibox.
- Chrome 118 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Encrypted archive deep scanning for Enhanced Safe Browsing users
Google Chrome offers deep scanning of some suspicious downloads to users who have opted in to Enhanced Safe Browsing. This sends the file content to Safe Browsing for a real-time evaluation of the file's safety. Starting in Chrome 118, deep scans of encrypted archives, for example, ZIP and RAR files, prompt the user to provide the archive password along with the file content. This is necessary for Safe Browsing to provide a useful verdict about the contents of the archive. Enterprises who do not want to see this prompt can prevent users from enabling Enhanced Safe Browsing with the SafeBrowsingProtectionLevel policy. Starting in Chrome 119, enterprises who want to switch off file deep scans while still enabling Enhanced Safe Browsing can do so with the SafeBrowsingDeepScanningEnabled policy.
- Chrome 118 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Flag for enabling the chrome://policy/test page
The #enable-policy-test-page flag allows admins and developers to use the chrome://policy/test page to more easily test policies on the Beta, Dev, Canary channels.
- Chrome 118 on Android, iOS, ChromeOS, Linux, Mac, Windows
- TLS Encrypted Client Hello (ECH)
The TLS Encrypted ClientHello (ECH) extension allows clients to encrypt ClientHello messages, which are normally sent in cleartext, under a server’s public key. This allows websites to opt in to avoid leaking sensitive fields, like the server name, to the network by hosting a special HTTPS RR DNS record. (Earlier iterations of this extension were called Encrypted Server Name Indication, or ESNI.) If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it. You can enable the new behavior by navigating to chrome://flags and enabling the #encrypted-client-hello flag. If you notice any incompatibilities, you can use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.
- Chrome 118 on Chrome OS, Linux, Mac, Windows: Rolled out to 100% of users
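For the SNI inspection case mentioned above, the following added example (not Chrome or vendor code) parses a ClientHello record and reports the cleartext server name and whether an encrypted_client_hello extension is present. The extension codepoint 0xfe0d comes from the ECH drafts rather than this page, and the sample records are constructed inside the block.

```javascript
// Added example: what an SNI-inspecting middlebox can still see in a ClientHello.
const EXT_SERVER_NAME = 0x0000;
const EXT_ENCRYPTED_CLIENT_HELLO = 0xfe0d; // from the ECH drafts, not from this page

const u16 = (n) => [(n >> 8) & 0xff, n & 0xff];

// Build a minimal, constructed ClientHello record for the demo (not a capture).
function buildClientHello(serverName, withEch) {
  const host = Array.from(serverName, (c) => c.charCodeAt(0));
  const sniEntry = [0x00, ...u16(host.length), ...host]; // name_type 0 = host_name
  const sni = [...u16(EXT_SERVER_NAME), ...u16(sniEntry.length + 2),
    ...u16(sniEntry.length), ...sniEntry];
  // Opaque placeholder bytes stand in for the encrypted inner ClientHello.
  const ech = withEch ? [...u16(EXT_ENCRYPTED_CLIENT_HELLO), ...u16(4), 0, 0, 0, 0] : [];
  const exts = [...sni, ...ech];
  const body = [
    0x03, 0x03,                   // legacy_version
    ...new Array(32).fill(0xaa),  // random (constructed)
    0x00,                         // empty session id
    ...u16(2), 0x13, 0x01,        // one cipher suite
    0x01, 0x00,                   // null compression
    ...u16(exts.length), ...exts,
  ];
  const handshake = [0x01, 0x00, ...u16(body.length), ...body];
  return Uint8Array.from([0x16, 0x03, 0x01, ...u16(handshake.length), ...handshake]);
}

// Walk the ClientHello and pull out the cleartext SNI and the ECH marker.
function inspectClientHello(bytes) {
  if (bytes.length < 9 || bytes[0] !== 0x16 || bytes[5] !== 0x01) {
    return { clientHello: false };
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  try {
    let pos = 9;                      // record header (5) + handshake header (4)
    pos += 2 + 32;                    // legacy_version + random
    pos += 1 + view.getUint8(pos);    // session id
    pos += 2 + view.getUint16(pos);   // cipher suites
    pos += 1 + view.getUint8(pos);    // compression methods
    const end = pos + 2 + view.getUint16(pos);
    pos += 2;
    const result = { clientHello: true, sni: null, ech: false };
    while (pos + 4 <= end) {
      const type = view.getUint16(pos);
      const len = view.getUint16(pos + 2);
      const data = pos + 4;
      if (type === EXT_SERVER_NAME) {
        const nameLen = view.getUint16(data + 3); // skip list length and name_type
        result.sni = String.fromCharCode(...bytes.subarray(data + 5, data + 5 + nameLen));
      } else if (type === EXT_ENCRYPTED_CLIENT_HELLO) {
        result.ech = true;
      }
      pos = data + len;
    }
    return result;
  } catch (err) {
    // DataView throws RangeError when the record is cut short.
    return { clientHello: false, error: 'truncated' };
  }
}

// Verdict for a filter or logger that keys on SNI. Clients may also send a
// placeholder (GREASE) ECH extension, which the drafts design to look the same
// as a real one, so its presence only means the SNI cannot be relied on.
function sniVerdict(info) {
  if (!info.clientHello) return 'not-a-client-hello';
  if (info.ech) return 'ech-present';
  return info.sni ? 'sni-visible' : 'no-sni';
}

console.log(sniVerdict(inspectClientHello(buildClientHello('intranet.example', false))));
console.log(sniVerdict(inspectClientHello(buildClientHello('public.example', true))));
```

Counting `ech-present` verdicts on a test segment shows how much traffic an SNI-based control would misjudge before deciding whether to set EncryptedClientHelloEnabled.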
- New and updated policies in Chrome browser
Policy | Description |
---|---|
BlockTruncatedCookies | Block truncated cookies |
CompressionDictionaryTransportEnabled | Enable compression dictionary transport support |
CreatePasskeysInICloudKeychain | Control whether passkey creation will default to iCloud Keychain. |
LegacyTechReportAllowlist | Specifies URLs that allow legacy technology report |
SafeBrowsingProxiedRealTimeChecksAllowed | Allow Safe Browsing Proxied Real Time Checks |
ChromeOS updates
- Password recovery
ChromeOS users who have forgotten their password can now recover their account along with all associated local data. Gone are the days where all local data is lost when a password has been forgotten! You can control this feature with the RecoveryFactorBehavior policy.
- Tabbed PWAs
Developers can now choose to display their Progressive Web App (PWA) in tabbed mode, allowing users to manage and navigate multiple documents within a single window using a familiar tab strip. Developers should also specify a home tab where appropriate, which provides a consistent place for users to access documents and settings.
- Printer setup assistance
To simplify a user's printing journey, ChromeOS provides more in-context help when it comes to using their printer: an easier way to save printers, new setup instructions and help content, and printer status directly integrated on the settings page. Moreover, we now also provide users an easy route to manage their printer when they face issues with it while trying to print.
- Imprivata integration v4
For caregivers, Imprivata OneSign compatibility with Google ChromeOS devices and the Chrome browser means fast, secure access, and better cost efficiency. This fourth version of Imprivata integration, Imprivata v4, adds deployment, stability, and workflow improvements. It improves support for assigned devices by allowing for Imprivata sign-in to ChromeOS user sessions. In addition, ChromeOS 118 now supports all 12 languages of Imprivata and SPINE workflows.
Admin console updates
- New policies in Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
ForcePermissionPolicyUnloadDefaultEnabled | User, Managed Guest Session | Chrome (Android); Chrome (Linux, Mac, Windows); ChromeOS | Legacy site compatibility |
SafeBrowsingSurveysEnabled | User, MGS | Chrome (Linux, Mac, Windows); ChromeOS | Chrome safe browsing |
EmojiPickerGifSupportEnabled | User, MGS | Chrome (Linux, Mac, Windows); ChromeOS | User experience |
ColorCorrectionEnabled | User, MGS | ChromeOS | User accessibility |
CreatePasskeysInICloudKeychain | User, MGS | Chrome (Mac) | Content |
SafeBrowsingProxiedRealTimeChecksAllowed | User, MGS | Chrome (Linux, Mac, Windows); ChromeOS; Chrome (iOS and iPadOS) | Chrome safe browsing |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Chrome release schedule changes
Chrome 119 and all subsequent releases will be shifted forward by one week. For example, Chrome 119 will have its early stable release on October 25 instead of Nov 1. Beta releases will also be shifted forward by one week starting in Chrome 119.
- Chrome 119 on Android, iOS, ChromeOS, Linux, Mac, Windows
- Deprecate and remove WebSQL
The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.
Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team. With SQLite over WASM as its official replacement, we want to remove WebSQL entirely.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117, the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a policy, WebSQLAccess, is needed for the feature to be available.
- Chrome 119: Starting with Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy.
- Native Client support updates
Native Client NaCl support was removed from extensions on Windows, macOS, and Linux. A temporary enterprise policy is available, NativeClientForceAllowed, which allows Native Client to continue to be used.
- Chrome 117 on Linux, Mac, Windows: Removal of Native Client NaCl support from extensions on Windows, macOS, Linux.
- Chrome 119 on Linux, Mac, Windows: Removal of NativeClientForceAllowed policy
- Migrate away from data URLs in SVG <use> element
The SVG spec was recently updated to remove support for data: URLs in the SVG <use> element. This improves security of the Web platform as well as compatibility between browsers, as WebKit does not support data: URLs in the SVG <use> element. You can read more in this blog post.
For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available until Chrome 128 to re-enable Data URL support for SVG <use> element.
- Chrome 119 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia: Remove support for data: URLs in SVG <use> element
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 119 on Windows: Network Service sandboxed on Windows
- Display banner allowing to resume last tab from other devices
Help signed in users resume tasks when they have to switch devices immediately by offering to pick up tabs recently used on the previous device. Admins can control this feature via the existing enterprise policy called SyncTypesListDisabled.
- Chrome 119 on iOS: Feature launches
- Remove Sanitizer API
The Sanitizer API aims to build an easy-to-use, always secure, browser-maintained HTML sanitizer into the platform. We shipped an initial version of the Sanitizer API in Chrome 105, based on the then-current specification draft. However, the standards discussion has meanwhile moved on and the proposed API shape has changed substantially. To prevent the current API from becoming entrenched, we plan to remove the current implementation. We expect to re-implement the Sanitizer API when the proposed specification stabilizes again.
- Chrome 119 on Windows, Mac, Linux, Android
- Tab Groups can be saved, recalled, and synced
Users will be able to save tab groups, which will allow them to close and re-open the tabs in the group, as well as sync them across devices. You can disable syncing Tab Groups using the SyncTypesListDisabled policy.
- Chrome 119 on ChromeOS, Linux, Mac, Windows
- Chrome profile separation: new policies
Three new policies will be created to help enterprises configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist. These policies will be simpler to use and will replace ManagedAccountsSigninRestriction and EnterpriseProfileCreationKeepBrowsingData.
- Chrome 119 on Linux, Mac, Windows: New profile separation policies available: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist.
- Private Network Access restrictions for automotive
This ships Private Network Access restrictions to Android Automotive (if BuildInfo::is_automotive), including: Private Network Access preflight requests for subresources and Private Network Access for Workers. Note that the two above features were shipped in warning only mode, but these features will enforce the restriction, that is, failing the main request if restrictions are not satisfied.
- Chrome 119 on Android
- Deprecate non-standard shadowroot attribute for declarative shadow DOM
The standards-track shadowrootmode attribute, which enables declarative Shadow DOM, was shipped in Chrome 111 (ChromeStatus). The older, non-standard shadowroot attribute is now deprecated. During the deprecation period, both attributes are functional, however the shadowroot attribute does not enable the new streaming behavior, whereas shadowrootmode allows streaming of content. There is a straightforward migration path: replace shadowroot with shadowrootmode.
The old shadowroot attribute is deprecated as of Chrome 112, and it will be removed (no longer supported) in Chrome 119, which goes to Stable on November 1, 2023.
- Chrome 119 on Windows, Mac, Linux, Android
- Remove support for UserAgentClientHintsGREASEUpdateEnabled
The UserAgentClientHintsGREASEUpdateEnabled policy will be deprecated, and eventually removed, since the updated GREASE algorithm has been on by default for over a year.
- Chrome 119 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 122 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed
- Default Search Engine choice screen
As early as Chrome 119, enterprise end-users may be prompted to choose their default search engine within Chrome.
As part of our building for DMA compliance, some users will be prompted to choose their default search engine for Chrome. This prompt controls the default search engine setting, currently available at chrome://settings/search. The enterprise policies, DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, will continue to control this setting as they do today, if they are set by the IT admin. Read more on this policy and the related atomic group.
- Chrome 119 on iOS, ChromeOS, LaCrOS, Linux, Mac, Windows: 1% of users will start getting the choice screen with Chrome 119. 100% by Chrome 122
- Shifting UI strings in Chrome from Clear to Delete when getting rid of data
Chrome is updating settings text to reflect delete instead of clear when referring to the destruction of data. We expect the change will improve user comprehension. Users who intend to get rid of data should feel reassured that the data is actually deleted and not just cleared from one view but accessible elsewhere.
- Chrome 119 on Android, iOS, ChromeOS, Mac, Windows: The earliest milestone that users may see these changes is 119.
- DevTools internal errors will be reported to Chrome internal crash reporting
To improve Chrome's stability, DevTools internal errors will be reported through Chrome's existing crash reporting pipeline. This will provide visibility into the stability of the Chrome DevTools. Admins can control all crash reporting, including these errors, using the MetricsReportingEnabled enterprise policy.
- Chrome 119 on ChromeOS, Linux, Mac, Windows
- SharedImages for PPAPI Video Decode
The PPAPISharedImagesForVideoDecoderAllowed policy controls the recent refactor for VideoDecoder APIs in PPAPI plugin. The migration only affects internal implementation details and should not change any behavior. However, this policy can be used in case any PPAPI applications do not work as expected.
When the policy is left unset or set to Enabled, the browser will decide which implementation is used.
When the policy is set to Disabled, Chrome will use the old implementation until the policy expires.
NOTE: Only newly-started renderer processes will reflect changes to this policy while the browser is running.
- Chrome 119 on ChromeOS, LaCrOS: Escape hatch policy introduced.
- Chrome 122 on ChromeOS, LaCrOS: Escape hatch policy and corresponding old code paths are removed.
- Private Aggregation API bundled enhancements
We're planning a few bundled changes to Private Aggregation:
- Null report fixes: Currently reports with no contributions are inadvertently dropped. This change ensures that, when a context ID is specified, a null report is sent even if budget is denied. Separately, it fixes a bug causing budget to always be denied for null reports.
- Debug mode eligibility changes: Currently, debug mode is always available. This change only allows debug mode for callers that are allowed access to third-party cookies, silently dropping the debug mode otherwise. Note that this will allow debug mode to automatically sunset when third-party cookies are deprecated.
- Padding report payloads: To avoid the payload size being dependent on the number of contributions, we will pad it with 'null' contributions to a fixed length. Note that this change will also affect Attribution Reporting reports.
- Reducing delay: When a context ID is specified, we remove the randomized 10-60 minute delay, which is superfluous as a report is always sent in this case. Instead, we just wait until the Shared Storage operation timeout.
- Chrome 119 on Windows, Mac, Linux, Android
- Remove Authorization header upon cross-origin redirect
The Fetch standard has been updated to remove the Authorization header on cross-origin redirects. Chrome should follow the spec change.
- Chrome 119 on Windows, Mac, Linux, Android
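To find intranet flows that depend on the old behaviour, the following added example (a model, not Chrome's or the Fetch standard's code) walks a redirect chain and shows on which hop the Authorization header stops being sent. It assumes that origin means scheme, host and port, and that a removed header is not restored on later hops; the URLs and token are constructed.

```javascript
// Added example: which hops of a redirect chain still carry Authorization
// once it is removed on cross-origin redirects.

const isAuthorization = (name) => name.toLowerCase() === 'authorization';

// Returns one entry per request in the chain: the URL and the headers sent to it.
function headersPerHop(startUrl, headers, redirectLocations) {
  let current = new URL(startUrl);
  let live = { ...headers };
  const hops = [{ url: current.href, headers: { ...live } }];
  for (const location of redirectLocations) {
    const next = new URL(location, current); // Location may be relative
    if (next.origin !== current.origin) {
      // Cross-origin hop: drop Authorization. It stays dropped afterwards,
      // even if a later redirect returns to the original origin.
      live = Object.fromEntries(
        Object.entries(live).filter(([name]) => !isAuthorization(name)),
      );
    }
    current = next;
    hops.push({ url: current.href, headers: { ...live } });
  }
  return hops;
}

// Index of the first request sent without Authorization, or -1 if none.
function firstHopWithoutAuthorization(hops) {
  return hops.findIndex((hop) => !Object.keys(hop.headers).some(isAuthorization));
}

// Constructed chain: a path change, then an http -> https upgrade on the same
// host (a different origin, because the scheme differs), then another path change.
const SAMPLE_START = 'http://intranet.example/api';
const SAMPLE_HEADERS = { Authorization: 'Bearer EXAMPLE-TOKEN', Accept: 'application/json' };
const SAMPLE_REDIRECTS = [
  '/v2/api',
  'https://intranet.example/v2/api',
  'https://intranet.example/v2/api/items',
];

for (const hop of headersPerHop(SAMPLE_START, SAMPLE_HEADERS, SAMPLE_REDIRECTS)) {
  console.log(hop.url, Object.keys(hop.headers).join(', '));
}
```

A service that answers 401 after such a hop needs the client to request the final URL directly, or the redirect kept same-origin.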
- Revamped Safety Check on Desktop
We plan to introduce a new proactive Safety Check that regularly checks the browser for safety related issues and informs users when there's anything that needs their attention. Our Safety Check launch also introduces a new page with Chrome’s proactive safety-related actions and information tailored to each user, designed to make it easier for users to stay safe online.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Permissions prompt for Web MIDI API
This feature gates the Web MIDI API access behind a permissions prompt. Today, the use of SysEx messages with the Web MIDI API requires an explicit user permission. With this implementation, even access to the Web MIDI API without SysEx support will require a user permission. Three new policies (DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls) will be available to allow administrators to pre-configure user access to the API.
- Chrome 120 on Windows, Mac, Linux, Android
- Desktop Responsive Toolbar
As early as Chrome 120, Chrome Desktop customers across form factors and input modalities (e.g. Mouse, Touch) will experience a toolbar that seamlessly responds to changing window sizes, whether by manually selecting and dragging a window smaller or larger or by using operating system specific window management tools.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Chrome on Android will no longer support Android Nougat
The last version of Chrome that will support Android Nougat will be Chrome 119, and it includes a message to affected users informing them to upgrade their operating system. Chrome 120 will not support nor ship to users running Android Nougat.
- Chrome 120 on Android: Chrome on Android no longer supports Android Nougat
- Chrome Third-Party Cookie Deprecation (3PCD)
In Chrome 120 and beyond (Jan 2024), Chrome will globally disable third-party cookies for 1% of Chrome traffic as part of our Chrome-facilitated testing in collaboration with the CMA, to allow sites to meaningfully preview what it's like to operate in a world without third-party cookies (3PCs). Most enterprise end users will be excluded from this experiment group automatically. But for the few that may be affected, enterprise admins will be able to utilize an enterprise policy to opt out their managed browsers ahead of the experiment and give enterprises time to make necessary changes to not rely on this policy or third party cookies.
We plan to provide more details about this policy and provide more tooling to help identify 3PC use cases. In the meantime, refer to the Mode B: 1% third-party cookie deprecation blog section for more details on how to prepare, provide feedback and report potential site issues.
- Chrome 120 on ChromeOS, Linux, Mac, Windows: 1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- IP Protection Phase 0 for Chrome
As early as Chrome 122, Chrome may route traffic for some network requests to Google-owned resources through a privacy proxy. This is an early milestone in a larger effort to protect users' identities by masking their IP address from known cross-site trackers. More information (including enterprise policies) can be found in the explainer. Enterprise policies will be in place to allow admins to disable the feature before it’s launched.
- Chrome 122 on ChromeOS, Linux, Mac, Windows, Android
- Apps & Extensions Usage Report: Highlight extensions removed from the Chrome Web Store
Chrome is adding new information on the Apps & Extensions Usage Report to help you identify if an extension was recently removed from the Chrome Web Store. On the App Details page, you can find the reason why an extension was removed from the Chrome Web Store. This feature will help IT administrators identify the impact of using the policy to disable unpublished extensions.
- Chrome 122 on LaCrOS, Linux, Mac, Windows
- Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- Intent to deprecate: Mutation Events
Synchronous Mutation Events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.
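To find internal web apps that still rely on these events, the following scanner reports each use with its line number. It is an added example, not code from Chrome or these release notes; the sample source is constructed and the suggested MutationObserver options are this example's assumption about a sensible starting point.

```javascript
// Added example: locate deprecated Mutation Events in web app source.

// Event names exactly as listed in the release note, each mapped to the
// MutationObserver options that are a reasonable starting point for the
// migration (the mapping is this example's suggestion, not the page's).
const OBSERVER_HINT = new Map([
  ["DOMSubtreeModified", "childList, attributes, characterData, subtree"],
  ["DOMNodeInserted", "childList, subtree"],
  ["DOMNodeRemoved", "childList, subtree"],
  ["DOMNodeRemovedFromDocument", "childList, subtree"],
  ["DOMNodeInsertedIntoDocument", "childList, subtree"],
  ["DOMCharacterDataModified", "characterData, subtree"],
]);

// A quoted string on one line: "...", '...' or `...`, honouring backslash escapes.
const STRING_LITERAL = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;

function findMutationEventUses(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const match of text.matchAll(STRING_LITERAL)) {
      // jQuery-style strings may hold several space-separated event names,
      // each optionally followed by ".namespace".
      for (const token of match[2].split(/\s+/)) {
        const event = token.split(".")[0];
        if (OBSERVER_HINT.has(event)) {
          findings.push({
            line: index + 1,
            event,
            observe: OBSERVER_HINT.get(event),
          });
        }
      }
    }
  });
  return findings;
}

// Constructed sample source, not taken from any real application.
const SAMPLE_SOURCE = [
  'list.addEventListener("DOMNodeInserted", onInsert);',
  '$(panel).on("DOMSubtreeModified.audit DOMNodeRemoved", refresh);',
  'new MutationObserver(cb).observe(list, { childList: true });',
  "input.addEventListener('change', save);",
].join("\n");

for (const f of findMutationEventUses(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.event} -> observe with { ${f.observe} }`);
}
```

The scanner works line by line on string literals, so event names built at runtime are not detected.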
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. As mentioned earlier in our blog post, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed. During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3. An Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest V2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:
- Chrome 98 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Public" or "Unlisted". The ability to change Manifest V2 extensions from "Private" to "Public" or "Unlisted" is removed.
- Chrome 103 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Private".
- Chrome 110 on ChromeOS, LaCrOS, Linux, Mac, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest V2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Future milestone on ChromeOS, LaCrOS, Linux, Mac, Windows: Remove ExtensionManifestV2Availability policy.
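For extensions you build or sideload in-house, a manifest triage like the one below shows which ones still depend on Manifest V2 behaviour. This is an added example, not Chrome's or the Chrome Web Store's code; the two manifests are constructed, and the keys it inspects (`webRequestBlocking`, `background.service_worker`, `declarativeNetRequest`, `content_security_policy.extension_pages`) come from the extension platform rather than from this page.

```javascript
// Added example: triage extension manifests ahead of the Manifest V3 migration.

// Return script sources in a CSP string that point outside the extension
// package: anything that is not a quoted keyword ('self', 'none', a nonce
// or hash) and not a local scheme.
function remoteScriptSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), values);
  }
  // script-src falls back to default-src when it is absent.
  const sources =
    directives.get("script-src") || directives.get("default-src") || [];
  return sources.filter(
    (s) => !s.startsWith("'") && !/^(data|blob|filesystem):$/i.test(s)
  );
}

function auditManifest(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) {
    findings.push(`manifest_version is ${manifest.manifest_version}, not 3`);
  }
  const permissions = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  if (permissions.includes("webRequestBlocking")) {
    findings.push(
      "requests webRequestBlocking; Manifest V3 modifies requests " +
        "declaratively (declarativeNetRequest)"
    );
  }
  const background = manifest.background || {};
  if (background.scripts || background.page) {
    findings.push(
      "uses a background page; Manifest V3 uses background.service_worker"
    );
  }
  // Manifest V2 stores the CSP as a string, Manifest V3 as an object.
  const csp = manifest.content_security_policy;
  const cspText =
    typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  for (const source of remoteScriptSources(cspText)) {
    findings.push(`CSP allows scripts from ${source} (remotely hosted code)`);
  }
  return {
    name: manifest.name,
    manifestVersion: manifest.manifest_version,
    findings,
  };
}

// Constructed manifests for illustration; neither is a real extension.
const SAMPLE_MV2 = {
  name: "Legacy Proxy Helper",
  manifest_version: 2,
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>"],
  background: { scripts: ["bg.js"], persistent: true },
  content_security_policy:
    "script-src 'self' https://cdn.example.com; object-src 'self'",
};
const SAMPLE_MV3 = {
  name: "Intranet Bookmarks",
  manifest_version: 3,
  permissions: ["declarativeNetRequest", "storage"],
  background: { service_worker: "sw.js" },
  content_security_policy: {
    extension_pages: "script-src 'self'; object-src 'self'",
  },
};

for (const report of [SAMPLE_MV2, SAMPLE_MV3].map(auditManifest)) {
  console.log(`${report.name} (MV${report.manifestVersion})`);
  for (const finding of report.findings) console.log(`  - ${finding}`);
}
```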
Upcoming ChromeOS changes
- Privacy Hub
Later this year, users will be able to manage their camera and microphone settings across the operating system from one place in Settings. This way it only takes one click for users to completely turn off their camera or microphone all from one place when they need extra confidence in staying on mute.
- ChromeOS Admin templates
App Launch Automation can be configured by Administrators in the Admin console to contain groups of applications, windows and tools that can be launched automatically on startup or on-demand by users throughout their day. With App Launch Automation, you can: get users up and running quickly at the start of their day, provide users with a way to easily get to an optimal starting point for new tasks, and remember the window layout each user sets up for their individual workflows for future use.
Upcoming Admin console changes
- URL-keyed anonymized data collection in Kiosk mode
The policy for URL-keyed anonymized data collection, UrlKeyedAnonymizedDataCollectionEnabled, will soon be supported in the Admin console. This policy will be enforced starting October 1st and will remain disabled until then.
Chrome 117
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Skip unload events | ✓ | ||
Chrome no longer supports macOS 10.13 and macOS 10.14 | ✓ | ||
Update to lock icon | ✓ | ||
Network service is sandboxed on Linux and ChromeOS | ✓ | ||
TLS Encrypted Client Hello (ECH) | ✓ | ||
User surveys related to SafeBrowsing warnings | ✓ | ||
Simplified onboarding experience | ✓ | ||
Warnings on insecure downloads | ✓ | ||
Service Worker static routing API | ✓ | ||
Chrome browser integration with Symantec Endpoint DLP | ✓ | ||
Require X.509 key usage extension for RSA certificates chaining to local roots | ✓ | ||
Simplified sign-in and sync experience | ✓ | ||
Updates to Clear Browsing Data on Android | ✓ | ||
Allow users to review and optionally remove potentially unsafe extensions | ✓ | ||
New Chrome Desktop visual refresh in Chrome 117 | ✓ | ||
Native Client support updates | ✓ | ||
Deprecate and remove WebSQL | ✓ | ||
Revamp permission usage or blockage indicators | ✓ | ||
Price tracking | ✓ | ||
Price insights on Chrome desktop | ✓ | ||
Auth on entry to Password Manager on iOS | ✓ | ||
Improved download warnings | ✓ | ||
Storage Access API with prompts | ✓ | ||
Chrome on Android trackpad support | ✓ | ||
Port overflow check in URL setters | ✓ | ||
Deprecate TLS SHA-1 server signatures | ✓ | ||
URL standard-compatible IPv4 embedded IPv6 host parser | ✓ | ||
Form-filler accessibility mode | ✓ | ||
Clear client hints via Clear-Site-Data header | ✓ | ||
Remove WebRTC getStats datachannelIdentifier -1 | ✓ | ||
Remove WebRTC getStats encoderImplementation/decoderImplementation unknown | ✓ | ||
Unship callback-based legacy getStats() in WebRTC | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS battery state sounds | ✓ | ||
Avoid content control escapes on the login or lock screen | ✓ | ||
Emoji Picker with GIF support | ✓ | ||
ChromeOS gets a makeover | ✓ | ||
ChromeOS Personalization App | ✓ | ||
Color correction settings on ChromeOS | ✓ | ||
Tabbed PWAs on ChromeOS | ✓ | ||
System answer cards in Launcher search | ✓ | ||
Nudge managed users towards enrolling non-ZTE devices | ✓ | ✓ | |
Replacing the Bluetooth stack on ChromeOS | ✓ | ||
Time-lapse recording | ✓ | ||
Enhanced options in clipboard history | ✓ | ||
ChromeVox dialog changes | ✓ | ||
Steam enabled on all capable devices | ✓ | ||
Up Next Calendar view with Join video call integration | ✓ | ||
Adaptive Charging | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Printing reports now available in Chrome Management Reports API | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome will introduce a chrome://policy/test page | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Remove ForceMajorVersionToMinorPositionInUserAgent policy | ✓ | ||
Remotely disable malicious off-store extensions | ✓ | ||
Remove RendererCodeIntegrityEnabled policy | ✓ | ||
Support for passkeys in iCloud Keychain on macOS | ✓ | ✓ | |
Hash-prefix real-time lookups | ✓ | ||
Red interstitial facelift | ✓ | ✓ | |
Form controls support vertical writing mode | ✓ | ||
Block all cookies set via JavaScript that contain control characters | ✓ | ||
Clearer Safe Browsing protection level settings text and images | ✓ | ||
WebUSB in Extension Service Workers | ✓ | ||
Include chrome.tabs API calls in extension telemetry reports | ✓ | ||
Remove non-standard appearance keywords | ✓ | ||
Chrome release schedule changes | ✓ | ||
Permissions prompt for Web MIDI API | ✓ | ||
Migrate away from data URLs in SVG <use> element | ✓ | ✓ | |
Chrome Browser Cloud Management: Crash report | ✓ | ||
IP protection Phase 0 for Chrome | ✓ | ||
Display banner to allow resume last tab from other devices | ✓ | ||
Remove Sanitizer API | ✓ | ||
Tab groups can be saved, recalled, and synced | ✓ | ||
Chrome profile separation: new policies | ✓ | ||
Chrome on Android will no longer support Android Nougat | ✓ | ||
Replace dangling markup in target name to _blank | ✓ | ||
Private Network Access restrictions for automotive | ✓ | ||
Deprecate non-standard shadowroot attribute for declarative shadow DOM | ✓ | ||
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy | ✓ | ||
Intent to deprecate: Mutation events | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | ✓ |
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Privacy Hub | ✓ | ||
ChromeOS Admin templates | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
URL-keyed anonymized data collection in Kiosk mode | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium-based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events. In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of an API and a group policy, which will allow you to selectively keep the behavior unchanged.
- Chrome 117 on Chrome OS, Linux, Mac, Windows: Dev Trial.
- Chrome no longer supports macOS 10.13 and macOS 10.14
Chrome will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.13 or 10.14, Chrome continues to show an infobar that reminds users that Chrome 117 will no longer support macOS 10.13 and macOS 10.14.
- Chrome 117 on Mac: Chrome no longer supports macOS 10.13 and macOS 10.14.
- Update to lock icon
We plan to replace the lock icon with a variant of the tune icon, which is commonly used to indicate controls and settings. Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome. Our research has also shown that many users never understood that clicking the lock icon showed important information and controls. We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.
The new icon is scheduled to launch as part of a general design refresh for desktop platforms. Chrome will continue to alert users when their connection is not secure. You can enable the tune icon pre-release in Chrome for Desktop if you enable Chrome Refresh 2023 at chrome://flags#chrome-refresh-2023, but keep in mind this flag enables work that is still actively in progress and under development, and does not represent a final product.
We will also replace the icon on Android. On iOS, the lock icon is not tappable, so we will be removing the icon. You can read more in this blog post.
- Chrome 117 on Linux, Mac, Windows: The new icon is scheduled to launch in Chrome 117.
- Network service is sandboxed on Linux and ChromeOS
The network service is sandboxed on Linux and ChromeOS to improve security. On Linux, it's possible that third party software (likely data loss prevention or antivirus software) is injecting code into Chrome's processes and will be blocked by this change. This may result in Chrome crashing for your users.
If this happens, you should work with the vendor of the third party software to stop it from injecting code into Chrome's processes. In the meantime, you will be able to use the NetworkServiceSandboxEnabled policy to defer the sandboxing. This is a temporary measure intended to help enterprises surprised by the change; the policy will be removed in a future version of Chrome.
- Chrome 117 on Chrome OS, Linux: The network service is sandboxed on Linux and ChromeOS to improve security.
- TLS Encrypted Client Hello (ECH)
The TLS Encrypted ClientHello (ECH) extension enables clients to encrypt ClientHello messages, which are normally sent in cleartext, under a server’s public key. This allows websites to opt in to avoid leaking sensitive fields, like the server name, to the network by hosting a special HTTPS RR DNS record. (Earlier iterations of this extension were called Encrypted Server Name Indication, or ESNI.) If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it. You can enable the new behavior by navigating to chrome://flags and enabling the #encrypted-client-hello flag. On Windows and Linux, you also need to enable Secure DNS for the flag to have an effect.
If you notice any incompatibilities, you can use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.
- Chrome 117 on Chrome OS, Linux, Mac, Windows
- User surveys related to SafeBrowsing warnings
After a user adheres to or bypasses a SafeBrowsing warning, Chrome may ask them about their satisfaction with the experience. You can control this with the SafeBrowsingSurveysEnabled policy.
- Chrome 117 on Chrome OS, Linux, Mac, Windows
- Simplified onboarding experience
Some users may see a simplified onboarding experience with a more intuitive way to sign into Chrome. Enterprise policies like BrowserSignin, SyncDisabled, EnableSyncConsent, RestrictSigninToPattern and SyncTypesListDisabled will continue to be available as before to control whether the user can sign into Chrome and turn on sync. The PromotionalTabsEnabled policy can be used to skip the onboarding altogether. DefaultBrowserSettingEnabled is respected in the same way as before.
- Chrome 117 on Linux, Mac, Windows
- Warnings on insecure downloads
Chrome will begin showing warnings on some downloads if those files were downloaded over an insecure (i.e. not HTTPS) connection. These warnings do not prevent downloading and can be bypassed by the user. Enterprises can test their downloads by enabling warnings via chrome://flags/#insecure-download-warnings. Enterprises can also disable warnings for sites that cannot deliver files securely by adding the downloading site to InsecureContentAllowedForUrls.
- Chrome 117 on Android, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia: Chrome shows warnings on some downloads.
- Service Worker static routing API
Chrome releases the Service Worker static routing API; it enables developers to optimize how Service Workers are loaded. Specifically, it allows developers to configure the routing, and allows them to offload simple things ServiceWorkers do. If the condition matches, the navigation happens without starting ServiceWorkers or executing JavaScript, which allows web pages to avoid performance penalties due to ServiceWorker interceptions.
- Chrome 116 on Android, Chrome OS, Linux, Mac, Windows: Origin Trial for Service Worker static routing API.
- Chrome 117 on Android, Chrome OS, Linux, Mac, Windows: Release of the Service Worker static routing API.
- Chrome browser integration with Symantec Endpoint DLP
This feature provides a secure native integration that transfers content (file or text) between Chrome and Broadcom’s Symantec DLP agent without the need for deploying an extension. When a CBCM or CDM managed user performs an action that sends data via Chrome, Symantec Endpoint DLP can monitor for data exfiltration and apply allow/block controls based on the customer's DLP policies.
- Chrome 117 on Windows
- Require X.509 key usage extension for RSA certificates chaining to local roots
X.509 certificates used for HTTPS should contain a key usage extension that declares how the key in a certificate may be used. Such instructions ensure certificates are not used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. For this to work, HTTPS clients must check that server certificates match the connection's TLS parameters, specifically that the key usage flag for “digitalSignature” and possibly “keyEncipherment” (depending on TLS ciphers in use) are asserted when using RSA.
Chrome 117 will begin enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates. Enterprises can test and temporarily disable key usage enforcement using the RSAKeyUsageForLocalAnchorsEnabled policy (available in Chrome 116).
- Chrome 116 on Android, Chrome OS, Linux, Mac, Windows: The RSAKeyUsageForLocalAnchorsEnabled policy is added.
- Chrome 117 on Android, Chrome OS, Linux, Mac, Windows: Chrome begins enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates.
- Simplified sign-in and sync experience
Chrome launches a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies. As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off fully (via SyncDisabled) or partially (via SyncTypesListDisabled). Sign-in to Chrome can be required or disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Chrome 117 on iOS: Simplified sign-in and sync experience launches on iOS.
- Updates to Clear browsing data on Android
Chrome enhances the browser data deletion controls by making it easier and quicker for users to complete their ‘Clear browsing data’ journeys, while maintaining the granular controls for advanced data deletion needs.
- Chrome 117 on Android
- Allow users to review and optionally remove potentially unsafe extensions
A new review panel will be added in chrome://extensions, which appears whenever there are potentially unsafe extensions that need the user's attention, such as extensions that are malware, policy violating or are no longer available in the Chrome Web Store. The user can choose to remove or keep these extensions.
There is also a count of risky extensions needing review that is presented in the Chrome Privacy & Security settings page. As an administrator, you can preemptively control the availability of potentially unsafe extensions using the ExtensionUnpublishedAvailability policy.
- Chrome 117 on Chrome OS, Linux, Mac, Windows
- New Chrome Desktop visual refresh in Chrome 117
With Google’s design platform moving to Google Material 3, we have an opportunity to modernize our desktop browser across OS’s, leveraging updated UI elements or styling, enhancing personalization through a new dynamic color system, and improving accessibility. The first wave of UI updates will roll out in Chrome 117.
The three-dot Chrome menu will also be refreshed, providing a foundation to scale personalization and customization experiences in Chrome by giving customers proximate access to tools and actions. The menu will be updated in phases starting in Chrome 117.
- Chrome 117 on Linux, Mac, Windows: Rollout starts for all users.
- Native Client support updates
We will remove Native Client NaCl support from extensions on Windows, macOS, Linux. An enterprise policy will be available, NativeClientForceAllowed, which will allow Native Client to continue to be used.
- Chrome 117 on Linux, Mac, Windows: Removal of Native Client NaCl support from extensions on Windows, macOS, Linux.
- Chrome 119 on Linux, Mac, Windows: Removal of NativeClientForceAllowed policy.
- Deprecate and remove WebSQL
The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database. Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team. With SQLite over WASM as its official replacement, we want to remove WebSQL entirely.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a policy, WebSQLAccess, is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy.
- Revamp permission usage or blockage indicators
In-use activity indicators are visual cues that let users know that an origin is actively using a permission-gated feature. They can be used to indicate things like whether geolocation is accessed, or video and audio are being captured. Chrome is changing the life cycle of the activity indicators, updating how long they appear in the address bar.
- Chrome 117 on Chrome OS, Linux, Mac, Windows
- Price tracking
Starting in Chrome 117, when users bookmark a price-trackable product, price tracking will be enabled by default when available. Users will be able to disable price tracking per item, and administrators can disable the feature entirely with the ShoppingListEnabled policy.
- Chrome 117 on Chrome OS, Linux, Mac, Windows
- Price insights on Chrome desktop
Some users will see a chip in the address bar which enables them to see price information about a product they're shopping for.
- Chrome 117 on Chrome OS, Linux, Mac, Windows
- Auth on entry to Password Manager on iOS
To improve security, re-auth is now required when entering Google Password Manager on Chrome on iOS. Previously, re-auth was required only when viewing password details or notes. The device unlock method will be offered, i.e. FaceID, TouchID, or Passcode. If a Passcode is not set up, the user will be prompted to do so.
- Chrome 117 on iOS: Re-auth required anytime when entering Google Password Manager on Chrome on iOS.
- Improved download warnings
To help reduce cookie theft and other consequences of downloading malware, we’re cleaning up desktop download warning strings and patterns to be clear and consistent.
- Chrome 117 on LaCrOS, Linux, Mac, Windows: Strings, icons, and colors, as well as warning messages for some downloads, will be updated.
- Storage Access API with prompts
Allow frames to request access to third-party cookies through the Storage Access API (SAA) when third-party cookies are blocked.
- Chrome 117 on Chrome OS, LaCrOS, Linux, Mac, Windows: Support the Storage Access API by implementing all the behaviors listed in the specification, i.e. with user prompts, and additionally having its own user-agent-specific behaviors.
- Chrome on Android trackpad support
Chrome on Android now has advanced keyboard and trackpad or mouse support, similar to desktop Chrome.
- Chrome 117 on Android: Enabled shortcuts for web content edit, cursor movements and media.
- Port overflow check in URL setters
The port value is now checked when setting url.port. All the values that overflow the 16-bit numeric limit are no longer valid. For instance, the following script behaves differently after the change:
```
const u = new URL("http://test.com");
u.port = 65536; // one past the 16-bit limit of 65535
console.log(u.port);
```
Before the change, the output is 65536. After the change, the output will be 80.
- Chrome 117 on Windows, Mac, Linux, Android
- Deprecate TLS SHA-1 server signatures
Chrome is removing support for signature algorithms using SHA-1 for server signatures during the TLS handshake. This does not affect SHA-1 support in server certificates, which was already removed, or in client certificates, which continues to be supported. SHA-1 can be temporarily re-enabled via the temporary InsecureHashesInTLSHandshakesEnabled enterprise policy. This policy will be removed in Chrome 123.
- Chrome 117 on Windows, Mac, Linux, Android
- URL standard-compatible IPv4 embedded IPv6 host parser
The parser for IPv6 hosts with an embedded IPv4 address will be updated to strictly follow the web URL standard: https://url.spec.whatwg.org/#concept-ipv6-parser
The introduced restrictions on the IPv6 address are:
* The embedded IPv4 address shall always consist of 4 parts. Addresses with fewer than 4 parts, like http://[::1.2], will no longer be valid.
The feature is a part of the URL interop 2023.
- Chrome 117 on Windows, Mac, Linux, Android
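Both URL changes in Chrome 117 (the port overflow check in URL setters and the stricter parsing of IPv4 embedded in IPv6 hosts) can be checked up front in your own code and URL inventories. The following is an added example, not Chrome's implementation; the function names and sample URLs are constructed, the 0-255 range per IPv4 part comes from the URL Standard rather than this page, and `checkPort` is deliberately stricter than the `url.port` setter instead of emulating it.

```javascript
// Added example: pre-checks for the two Chrome 117 URL changes.

const MAX_PORT = 65535; // the 16-bit limit named in the release note

// Validate a value before assigning it to url.port.
function checkPort(value) {
  const text = String(value).trim();
  if (!/^\d+$/.test(text)) {
    return { ok: false, reason: "not a decimal integer" };
  }
  if (Number(text) > MAX_PORT) {
    return { ok: false, reason: `exceeds ${MAX_PORT}` };
  }
  return { ok: true, reason: "" };
}

// Assign a port, but fail loudly instead of relying on how the browser
// treats an out-of-range value.
function setPortChecked(url, value) {
  const result = checkPort(value);
  if (!result.ok) {
    throw new RangeError(`refusing port ${value}: ${result.reason}`);
  }
  url.port = String(value).trim();
  return url;
}

// Check only the embedded IPv4 tail of a bracketed IPv6 literal such as
// "[::ffff:192.0.2.1]". This is not a full IPv6 validator.
function checkIPv6Literal(literal) {
  const inner = literal.replace(/^\[|\]$/g, "");
  if (!inner.includes(".")) return { ok: true, reason: "" };
  const tail = inner.slice(inner.lastIndexOf(":") + 1);
  const parts = tail.split(".");
  if (parts.length !== 4) {
    return {
      ok: false,
      reason: `embedded IPv4 has ${parts.length} parts, 4 required`,
    };
  }
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) {
      return { ok: false, reason: `embedded IPv4 part "${part}" is not 0-255` };
    }
  }
  return { ok: true, reason: "" };
}

// Report URLs whose bracketed host will stop parsing.
function auditUrls(urls) {
  const findings = [];
  const hostPattern = /^[a-z][a-z0-9+.-]*:\/\/(?:[^\/?#@]*@)?(\[[^\]]*\])/i;
  for (const url of urls) {
    const match = hostPattern.exec(url);
    if (!match) continue; // no IPv6 literal in this URL
    const result = checkIPv6Literal(match[1]);
    if (!result.ok) findings.push({ url, reason: result.reason });
  }
  return findings;
}

// Constructed inventory; only http://[::1.2] appears in the release note.
const SAMPLE_URLS = [
  "http://[::1.2]/",
  "http://[::ffff:192.0.2.1]/",
  "http://[::1.2.3.4]:8080/status",
  "http://[::1.2.3.256]/",
  "http://example.com/",
];

for (const finding of auditUrls(SAMPLE_URLS)) {
  console.log(`${finding.url}: ${finding.reason}`);
}
```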
- Form-Filler Accessibility Mode
This feature improves performance by providing a subset of the full accessibility API to form-filler apps.- Chrome 117 on Android: A subset of the full accessibility API is provided to form-filler apps.
- Clear client hints via Clear-Site-Data header
Websites will now be able to clear the client hints cache using `Clear-Site-Data: "clientHints"`. Client hints will also now be cleared when cookies, cache, or * are targeted by the same header. Respectively, this is because client hints are already cleared when the user clears cookies in the UI, because the client hints cache is a cache, and for consistency with wildcard targets.
- Chrome 117 on Windows, Mac, Linux, Android
- Remove WebRTC getStats datachannelIdentifier -1
The WebRTC getStats API exposes a dataChannelIdentifier property. It will no longer provide the value "-1" in cases where statistics are queried before the datachannel connection is established. Instead, the dictionary member will be omitted. This follows the general pattern not to return meaningless information described in this article.
- Chrome 117 on Windows, Mac, Linux, Android
- Remove WebRTC getStats encoderImplementation or decoderImplementation unknown
The WebRTC getStats API exposes the encoder and decoder implementation names for outbound and inbound video: https://w3c.github.io/webrtc-stats/#dom-rtcoutboundrtpstreamstats-encoderimplementation
It will no longer provide the value unknown in cases where statistics are queried before a video frame was encoded or decoded. Instead, the dictionary member will be omitted. This follows the general pattern not to return meaningless information described in this article.
- Chrome 117 on Windows, Mac, Linux, Android
- Unship callback-based legacy getStats() for WebRTC
RTCPeerConnection has two versions of getStats(), one that is spec-compliant returning the report via resolving a promise, and one that is non-standard returning a very different report via a callback as the first argument. The callback-based one will soon be removed. Removal target: Chrome 117. A deprecation trial is available from Chrome 113 to Chrome 121 for apps that need more time. In Chrome 114 and later, the method will throw an exception in Canary/Beta unless using the trial.
- Chrome 117 on Windows, Mac, Linux, Android
- New and updated policies in Chrome browser
Policy
Description
Enable the network service sandbox (now available on Linux).
Control new behavior for the cancel dialog produced by the beforeunload event.
Controls whether unload event handlers can be disabled.
Allow accessibility performance filtering.
Allow Safe Browsing surveys.
ChromeOS updates
- ChromeOS battery state sounds
In Chrome 117, audible sounds now indicate battery status. Users can turn on and off these sounds and Admins can control them using the DeviceLowBatterySoundEnabled policy.
When the device is not plugged in, you hear warning sounds if:
- Battery level goes down to 15 minutes of charge time left, and another one when there is 5 minutes left.
When the device is plugged in, you hear an information beep when:
- Battery level - 0-15% (low)
- Battery level - 16-79% (med)
- Battery level - 80-100% (high)
In the case where the device is connected to a low power charger, you’ll hear warnings when the battery goes down to 10%, then again at 5%.
- Avoid content control escapes on the login or lock screen
Administrators can now control and limit the available content on end-users login and lock screens when identity federation is used with a third party identity provider (using SAML or OIDC). This is achieved by introducing two new policies to block or allow external URLs on login and lock screens, DeviceAuthenticationURLAllowlist and DeviceAuthenticationURLBlocklist. As a result, you can prevent content control escapes.
- Emoji Picker with GIF support
The emoji picker now supports GIFs. Search and find the perfect GIF to express yourself. For managed devices, this feature is switched off by default.
- ChromeOS gets a makeover
Thanks to Google Material 3, Google’s new design platform, ChromeOS 117 brings with it:
- A new set of themes which dynamically update to reflect your wallpaper and style.
- A new look for almost all system surfaces with updated text, menus, icons or elements.
You can control the new look using the ChromeOS Personalization App.
- ChromeOS Personalization App
With this launch, your ChromeOS now has accent colors that match your wallpapers, creating a unique theme for your device. The accent colors also adapt to the light and dark modes.
- Color correction settings on ChromeOS
ChromeOS now has built-in color correction settings that make it easier for users to see colors on their screens. In ChromeOS Accessibility settings, under Display and Magnification, you can enable color filters for protanopia, deuteranopia or tritanopia, or to view the display in grayscale. Users can use a slider to customize the filters' intensity to meet their needs.
- System answer cards in Launcher search
When users search for the status of their OS version, battery, RAM, storage, or CPU, in Launcher, they can now see that information previewed in the search results.
- Nudge managed users towards enrolling non-ZTE devices
This feature enables administrators to require managed users to enroll their non-zero-touch devices by introducing a new user policy, UserEnrollmentNudging, which can be configured to require enrollment of the given user. If the policy is enabled and the managed user misses the enrollment step and performs first sign-in on the device, a pop-up is shown suggesting to either switch to the enrollment flow or use another email for sign-in, essentially preventing the managed user from signing in without enrollment.
- Replacing the Bluetooth stack on ChromeOS
Starting in ChromeOS 117, and gradually applying to all ChromeOS devices, this Bluetooth software change brings the Android Bluetooth stack, Fluoride, to ChromeOS. The transition happens seamlessly on login, preserving existing paired devices, and should work with Bluetooth devices today with no interruptions. If you experience issues, please file feedback and, if necessary, disable the new stack via chrome://flags/#bluetooth-use-floss.
- Time-lapse recording
The built-in Camera App now supports Time-Lapse recording. To use the feature, open the Camera App, select Video, then Time-Lapse. Recording can continue for as long as there is available storage space. Camera app determines the right speed for the time-lapse video based on duration recorded, to ensure your video always looks great.
- Enhanced options in clipboard history
The Clipboard History menu has been enhanced with new entry points and new ways to discover the feature, and it has been simplified so that it is easier to understand and use. You can now see more detail for items in your clipboard history and can access clipboard history items nested directly in context menus. For users discovering Clipboard History for the first time, we are also introducing educational information to help with understanding this feature.
- ChromeVox dialog changes
We’ve made some changes to the initial out-of-the-box experience (OOBE) dialog. The dialog explains what ChromeVox is and who might benefit from activating ChromeVox, and it requires pressing space instead of offering an on-screen button. With this update, we hope to reduce the number of users who inadvertently activate ChromeVox.
- Up Next Calendar view with Join video call integration
See your upcoming events directly from the calendar view and join any digital meetings directly with the new Join button.
- Adaptive Charging
Adaptive Charging is a new ChromeOS power management feature. Devices with Adaptive Charging enabled via Settings charge to 80% and then complete charging to 100% based on an ML model’s prediction for when the user will unplug their device. Reducing the time a device spends at 100% charge helps preserve the battery's health and ability to hold a charge over the lifetime of the device.
Admin console updates
- Printing reports now available in Chrome Management Reports API
Chrome 117 includes additional endpoints to Chrome Management Reports API that allow access to printing reports. The new endpoints provide per-user and per-printer summary printing reports, as well as a listing of all print jobs submitted to managed printers. The data provided by the new endpoints corresponds to the data in the Print Usage page of the Admin console. This update exposes the same data in the third-party Reports API.
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Chrome will introduce a chrome://policy/test page
chrome://policy/test will allow customers to test out policies on the Beta, Dev, Canary channels. If there is enough customer demand, we will consider bringing this functionality to the Stable channel.
- Chrome 118 on Android, iOS, Chrome OS, Linux, Mac, Windows
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 118 on Windows: Network Service sandboxed on Windows
- Remove ForceMajorVersionToMinorPositionInUserAgent policy
Chrome plans to remove the ForceMajorVersionToMinorPositionInUserAgent policy. This policy was introduced in Chrome 99 to control whether the User-Agent string major version would be frozen at 99, in case of User-Agent string parsing bugs when the version changed to 100. Fortunately, we did not need to deploy this feature and only encountered a few minor 3-digit version parsing issues that have all since been fixed. Given that, we intend to remove this policy. If you have any feedback about this policy removal, or are aware of intranet breakage that depends on the policy, please comment on this bug.
- Chrome 118 on Android, Chrome OS, Linux, Mac, Windows: Removal of ForceMajorVersionToMinorPositionInUserAgent policy
- Remotely disable malicious off-store extensions
When Enhanced Safe Browsing is enabled, users found to have a malicious off-store extension installed will have it disabled once that decision is entered on the Safe Browsing servers, either manually or by an automated detection system.
- Chrome 118 on Chrome OS, Linux, Mac, Windows: Feature launches
- Remove RendererCodeIntegrityEnabled policy
The RendererCodeIntegrityEnabled policy will be removed. We recommend that you verify any potential incompatibilities with third party software by no longer applying the policy in advance of this release. You can report any issues you encounter by submitting a bug here.
- Chrome 118 on Windows: This policy is deprecated and will no longer take effect
- Support for passkeys in iCloud Keychain on macOS
Chrome on macOS ≥ 13.5 will gain support for creating and using passkeys from iCloud Keychain. When signing in using WebAuthn, passkeys from iCloud Keychain will be listed as options once the user has granted Chrome the needed permission. If permission has not been granted then a generic "iCloud Keychain" option will appear that will prompt for permission before showing iCloud Keychain passkeys. If permission is denied then iCloud Keychain can still be used, but will have to be manually selected each time. When a site asks to create a platform passkey, Chrome might default to creating the passkey in iCloud Keychain based on whether iCloud Drive is in use and whether WebAuthn credentials from the current profile have been recently used. This can be controlled with a setting on chrome://password-manager/settings, and with the enterprise policy CreatePasskeysInICloudKeychain.
- Chrome 118 on Mac: The ability to use iCloud Keychain will be enabled in Chrome 118. Whether Chrome defaults to creating platform passkeys in iCloud Keychain may be altered by Finch during the lifetime of 118.
- Hash-prefix real-time lookups
For standard Safe Browsing protection users, visited URLs now have their safety checked in real time instead of against a less frequently updated local list of unsafe URLs. This is done by sending partial hashes of the URLs to Google Safe Browsing through a proxy via Oblivious HTTP, so that the user’s IP address is not linked to the partial hashes. This change improves security while maintaining privacy for users. If needed, the feature can be disabled through the policy SafeBrowsingProxiedRealTimeChecksAllowed.
- Chrome 118 on iOS, Chrome OS, LaCrOS, Linux, Mac, Windows: This will start with a 1% rollout and then proceed to 100% of users.
- Red interstitial facelift
In Chrome 118, users will see minor updates to the red Safe Browsing interstitials. The main body text will include an explicit recommendation from Chrome and site ID will be specified in the details section instead of the main body. The warning icon will be replaced by the danger icon and styling will be updated to be consistent with the latest product standards. These changes will improve user comprehension of warnings.
- Chrome 118 on Android, iOS, Chrome OS, LaCrOS, Linux, Mac, Windows
- Form Controls support vertical writing mode
CSS property writing-mode should be enabled for form controls elements as it will allow lines of text to be laid out horizontally or vertically and it sets the direction in which blocks progress. With this feature, we are allowing the form control elements select, meter, progress, button, textarea and input to have vertical-rl or vertical-lr writing mode. As needed for Web compatibility, we will slowly rollout the change for a number of form controls in 118 and continue in future milestones.
- Chrome 118 on Windows, Mac, Linux, Android
- Block all cookies set via JavaScript that contain control characters
Updates how control characters in cookies set via JavaScript are handled. Specifically, all control characters cause the entire cookie to be rejected (previously a NULL character, a carriage return character, or a line feed character in a cookie line caused it to be truncated instead of rejected entirely, which could have enabled malicious behavior in certain circumstances). This behavior aligns Chrome with the behavior indicated by the latest drafts of RFC6265bis. This change can be disabled using the `--disable-features=BlockTruncatedCookies` flag or the BlockTruncatedCookies enterprise policy, which will exist for several milestones in case this change causes any breakage.
- Chrome 118 on Windows, Mac, Linux, Android
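An added example (not Chrome's code and not part of the original notes): a JavaScript model of the rule described above, for checking the strings an application assigns to document.cookie and seeing which ones will stop being stored. The control-character set (0x00-0x08, 0x0A-0x1F and 0x7F, with tab excluded) is an assumption taken from the RFC6265bis drafts; the function names and sample lines are constructed for illustration.

```javascript
// Model of the cookie rule described above, for auditing strings before they
// are assigned to document.cookie. Illustrative only; not Chrome's code.

// Assumption (RFC6265bis drafts): the rejected control characters are
// 0x00-0x08, 0x0A-0x1F and 0x7F; horizontal tab (0x09) is not in the set.
function findControlChars(cookieLine) {
  const hits = [];
  for (let i = 0; i < cookieLine.length; i++) {
    const code = cookieLine.charCodeAt(i);
    if (code <= 0x08 || (code >= 0x0a && code <= 0x1f) || code === 0x7f) {
      hits.push({ index: i, code });
    }
  }
  return hits;
}

// Lowercased attribute names that follow the leading name=value pair.
function attributeNames(cookieLine) {
  return cookieLine
    .split(";")
    .slice(1)
    .map((part) => part.trim().split("=")[0].trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// verdict:        what the new behaviour does with the line.
// legacyStored:   what the older truncating behaviour would have kept
//                 (only NUL, CR and LF truncated, per the release note;
//                 null when none of those three is present).
// lostAttributes: attributes that the truncation silently dropped.
function auditCookieLine(cookieLine) {
  const controlChars = findControlChars(cookieLine);
  if (controlChars.length === 0) {
    return { verdict: "accepted", controlChars, legacyStored: null, lostAttributes: [] };
  }
  const cut = cookieLine.search(/[\0\r\n]/);
  const legacyStored = cut === -1 ? null : cookieLine.slice(0, cut);
  const kept = legacyStored === null ? [] : attributeNames(legacyStored);
  const lostAttributes = legacyStored === null
    ? []
    : attributeNames(cookieLine).filter((name) => !kept.includes(name));
  return { verdict: "rejected", controlChars, legacyStored, lostAttributes };
}

// Constructed sample lines, e.g. values built from unvalidated form input.
const CONSTRUCTED_LINES = [
  "theme=dark; Path=/; Secure",
  "note=a\tb; Path=/",
  "sid=abc\r\n; Path=/; Secure",
  "pref=1\x7f; Path=/",
];

for (const line of CONSTRUCTED_LINES) {
  const result = auditCookieLine(line);
  console.log(
    JSON.stringify(line), "->", result.verdict,
    result.legacyStored === null ? "" : `(legacy kept ${JSON.stringify(result.legacyStored)})`
  );
}
```

A line reported as rejected with a non-empty lostAttributes list is one where the older truncation would have stored the cookie without the attributes the application intended.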
- Clearer Safe Browsing protection level settings text and images
In Chrome 118, some users will see new text describing the Safe Browsing protection level on both the Security Settings page and the Privacy Guide. The update clarifies the Enhanced Protection level by adding a table and linking to a help center article where users can learn more. The new table helps users understand the trade-offs when selecting that option versus choosing the other options. The descriptions for Standard Protection, No Protection and the password compromise warnings toggle have been simplified to make the options clearer. The Safe Browsing protection level is an existing setting and continues to be controlled by the SafeBrowsingProtectionLevel policy value.
- Chrome 118: Some users will see the updated text and images on the Chrome Security Settings page and on the Privacy Guide.
- WebUSB in Extension Service Workers
Allows web developers to use WebUSB API when responding to extension events by exposing WebUSB API to Service Workers registered by browser extensions. This API will not yet be exposed to Service Workers registered by sites but the implementation experience gained by supporting the API for extensions will be valuable for such a future project.
- Chrome 118 on Windows, Mac, Linux
- IP Protection Phase 0 for Chrome
As early as Chrome 118, Chrome may route traffic for some network requests to Google-owned resources through a privacy proxy. This is an early milestone in a larger effort to protect users' identities by masking their IP address from known cross-site trackers. More information (including enterprise policies) will be provided in the near future.
- Include chrome.tabs API calls in extension telemetry reports
When you enable Enhanced Safe Browsing, Chrome will now collect telemetry information about chrome.tabs API calls made by extensions. This information is analyzed on Google servers and further improves the detection of malicious and policy-violating extensions. It will also allow better protection for all Chrome extension users. This functionality, along with the entire extension telemetry feature, can be turned off by setting SafeBrowsingProtectionLevel to any value other than 2 (i.e., disabling Enhanced Safe Browsing).
- Chrome 118 on Chrome OS, Linux, Mac, Windows: Feature launches
- Remove non-standard appearance keywords
Since only standard appearance keywords should be supported, we are removing the appearance (and -webkit-appearance) keywords that shouldn't be supported anymore:
* inner-spin-button
* media-slider
* media-sliderthumb
* media-volume-slider
* media-volume-sliderthumb
* push-button
* searchfield-cancel-button
* slider-horizontal
* sliderthumb-horizontal
* sliderthumb-vertical
* square-button
Note that value slider-vertical will not be removed as part of this patch; it is used for allowing <input type=range> vertical. It will be removed once feature FormControlsVerticalWritingModeSupport is enabled in Stable.
Previously, if any of the above keywords was used, a console warning was shown, but the keyword was recognized as a valid value. With the feature enabled, the appearance property will be ignored and set to the empty string. As needed for Web compatibility, we will progressively remove the appearance keywords based on their counter usages on Chrome Status Metrics. For release 118, we will start with the following keywords, currently at page load usage below 0.001%:
* media-slider at 0.000361
* media-sliderthumb at 0.000187%
* media-volume-slider at 0.000143%
* media-volume-sliderthumb at 0.000109%
* sliderthumb-horizontal at 0.000182%
* sliderthumb-vertical at 0.000014%
- Chrome 118 on Windows, Mac, Linux, Android
- Chrome release schedule changes
Chrome 119 and all subsequent releases will be shifted forward by one week. For example, Chrome 119 will have its early stable release on October 25 instead of Nov 1. Beta releases will also be shifted forward by one week starting in Chrome 119.
- Chrome 119 on Android, iOS, Chrome OS, Linux, Mac, Windows
- Permissions Prompt for Web MIDI API
This feature gates the Web MIDI API access behind a permissions prompt. Today the use of SysEx messages with the Web MIDI API requires an explicit user permission. With this implementation, even access to the Web MIDI API without SysEx support will require a user permission. Three new policies (DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls) will be available to allow administrators to pre-configure user access to the API.
- Chrome 119 on Windows, Mac, Linux, Android
- Migrate away from data URLs in SVG <use> element
The SVG spec was recently updated to remove support for data: URLs in SVG <use> element. This improves security of the Web platform as well as compatibility between browsers as Webkit does not support data: URLs in SVG <use> element. You can read more in this blog post.
For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available temporarily to re-enable Data URL support for SVG <use> element.
- Chrome 119 on Android, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia: Remove support for data: URLs in SVG <use> element
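An added example (not from the original notes): a JavaScript inventory pass that finds <use> elements whose href or xlink:href is a data: URL, so affected pages can be migrated while the temporary DataUrlInSvgUseEnabled policy is still available. The function name and the sample markup are constructed; the scan is regex-based and is not an SVG parser.

```javascript
// Find SVG <use> elements that reference a data: URL. Illustrative inventory
// helper; names and sample markup are constructed for this example.

// Match a whole <use ...> tag. Quoted attribute values are consumed as units
// so that a '>' inside a data: URL does not end the tag early.
const USE_TAG = /<use\b(?:[^>"']|"[^"]*"|'[^']*')*>/gi;

// Match href or xlink:href with a double- or single-quoted value.
const HREF_ATTR = /(?:^|\s)(xlink:href|href)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

function findDataUrlUses(markup) {
  const findings = [];
  for (const tag of markup.matchAll(USE_TAG)) {
    // 1-based line number of the start of the tag.
    const line = markup.slice(0, tag.index).split("\n").length;
    for (const attr of tag[0].matchAll(HREF_ATTR)) {
      const value = (attr[2] !== undefined ? attr[2] : attr[3]).trim();
      if (!/^data:/i.test(value)) continue;
      // Media type is the text between "data:" and the first ';' or ','.
      const mediaType = value.slice(5).split(/[;,]/)[0] || "text/plain";
      findings.push({ line, attribute: attr[1].toLowerCase(), mediaType });
    }
  }
  return findings;
}

// Constructed sample: only the <use> elements on lines 3 and 4 are affected.
// Same-document references and data: URLs on <image> are not part of the change.
const SAMPLE_SVG = [
  '<svg xmlns="http://www.w3.org/2000/svg">',
  '  <use href="#local-icon"/>',
  '  <use xlink:href="data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=#i"/>',
  "  <use width='16' href='data:image/svg+xml,<svg id=\"i\"></svg>#i'/>",
  '  <image href="data:image/png;base64,AAAA"/>',
  "</svg>",
].join("\n");

for (const finding of findDataUrlUses(SAMPLE_SVG)) {
  console.log(`line ${finding.line}: <use ${finding.attribute}> -> data: (${finding.mediaType})`);
}
```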
- Chrome Browser Cloud Management: Crash report
The Crash Report is a new Chrome Browser Cloud Management report in the Admin console where IT admins can find a chart to easily visualize the number of crash events over time, based on the versions of Chrome that are running.
- Chrome 119 on Android, iOS, Linux, Mac, Windows: Crash Report launched in Chrome Browser Cloud Management
- Display banner to allow resume last tab from other devices
Helps signed-in users resume tasks when they have to switch devices during an immediate transition by offering to pick up tabs recently used on the previous device. Admins can control this feature via the existing enterprise policy called SyncTypesListDisabled.
- Chrome 119 on iOS: Feature launches
- Remove Sanitizer API
The Sanitizer API aims to build an easy-to-use, always secure, browser-maintained HTML sanitizer into the platform. It is a cross-browser standardization effort starting in Q2/2020. We shipped an initial version of the Sanitizer API in Chrome 105, based on the then-current specification draft. However, the discussion has meanwhile moved on and the proposed API shape has changed substantially. In order to prevent the current API from becoming entrenched we would like to remove the current implementation.
We expect to re-implement the Sanitizer API when the proposed specification stabilizes again.
- Use counters: The Sanitizer API is currently used on 0.000000492% of page visits.
- Old vs new API:
* Old explainer, API as implemented in "MVP" since Chrome 105: https://github.com/WICG/sanitizer-api/blob/e72b56b361a31b722b4e14491a83e2d25943ba58/explainer.md
* New explainer (still in progress): https://github.com/WICG/sanitizer-api/blob/main/explainer.md
- Chrome 119 on Windows, Mac, Linux, Android
- Tab Groups can be saved, recalled, and synced
Users will be able to save tab groups, which will allow them to close and re-open the tabs in the group, as well as sync them across devices.
- Chrome 119 on Chrome OS, Linux, Mac, Windows
- Chrome profile separation: new policies
Three new policies will be created to help enterprises configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist. These policies will basically be replacements for ManagedAccountsSigninRestriction and EnterpriseProfileCreationKeepBrowsingData.
- Chrome 119 on Linux, Mac, Windows: New profile separation policies available: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist.
- Replace dangling markup in target name to `_blank`
This change replaces the navigable target name (which is usually set by the target attribute) with `_blank` if it contains dangling markup (i.e. `\n` and `<`). This fixes a bypass in the dangling markup injection mitigation.
- Chrome 119 on Windows, Mac, Linux, Android
- Private Network Access restrictions for automotive
This ships Private Network Access restrictions to Android Automotive (if BuildInfo::is_automotive), including Private Network Access preflight requests for subresources and Private Network Access for Workers. Note that the two features above were shipped in warning-only mode, but this feature will enforce the restriction, i.e. failing the main request if restrictions are not satisfied.
- Chrome 5 on Windows, Mac, Linux
- Chrome 119 on Android
- Deprecate non-standard `shadowroot` attribute for declarative shadow DOM
The standards-track `shadowrootmode` attribute, which enables declarative Shadow DOM, was shipped in Chrome 111 [1]. The older, non-standard `shadowroot` attribute is now deprecated. During the deprecation period, both attributes are functional; however, the `shadowroot` attribute does not enable the new streaming behavior, whereas `shadowrootmode` allows streaming of content. There is a straightforward migration path: replace `shadowroot` with `shadowrootmode`. The old `shadowroot` attribute is deprecated as of Chrome 112, and it will be removed (no longer supported) in Chrome 119, which goes to Stable on November 1, 2023.
[1] https://chromestatus.com/feature/5161240576393216
- Chrome 119 on Windows, Mac, Linux, Android
- Chrome on Android will no longer support Android Nougat
The last version of Chrome that will support Android Nougat will be Chrome 119, and it includes a message to affected users informing them to upgrade their operating system. Chrome 120 will not support nor ship to users running Android Nougat.
- Chrome 120 on Android: Chrome on Android no longer supports Android Nougat
- Chrome Third-Party Cookie Deprecation (3PCD)
In Chrome 120 and beyond (Jan 2024), Chrome will globally disable third-party cookies for 1% of Chrome traffic as part of our Chrome-facilitated testing in collaboration with the CMA, to allow sites to meaningfully preview what it's like to operate in a world without third-party cookies (3PCs). Most enterprise end users will be excluded from this experiment group automatically. But for the few that may be affected, enterprise admins will be able to utilize an enterprise policy to opt out their managed browsers ahead of the experiment and give enterprises time to make necessary changes to not rely on this policy or third party cookies. We plan to provide more details about this policy and provide more tooling to help identify 3PC use cases. In the meantime, refer to the 'Mode B: 1% third-party cookie deprecation' blog section for more details on how to prepare, provide feedback and report potential site issues.
- Chrome 120 on Chrome OS, Linux, Mac, Windows
1% of global traffic has third party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Chrome 120 on Chrome OS, Linux, Mac, Windows
- Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 127 on Android, Chrome OS, Linux, Mac, Windows: Removal of LegacySameSiteCookieBehaviorEnabledForDomainList policy
- Intent to deprecate: Mutation events
Synchronous Mutation Events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.
- Chrome 127 on Android, Chrome OS, Linux, Mac, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users, for example by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. As mentioned earlier in our blog post (https://developer.chrome.com/blog/more-mv2-transition/), the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed. During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3. An Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. For more information on the Manifest timeline: https://developer.chrome.com/docs/extensions/migrating/mv2-sunset/
- Chrome 98 on Chrome OS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Public" or "Unlisted". The ability to change Manifest V2 extensions from "Private" to "Public" or "Unlisted" is removed.
- Chrome 103 on Chrome OS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Private".
- Chrome 110 on Chrome OS, LaCrOS, Linux, Mac, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Future milestone on Chrome OS, LaCrOS, Linux, Mac, Windows: Removal of ExtensionManifestV2Availability policy.
Upcoming ChromeOS changes
- Privacy Hub
Later this year, users will be able to manage their camera and microphone settings across the operating system from one place in Settings. This way, it only takes one click for users to completely turn off their camera or microphone when they need extra confidence in staying on mute.
- ChromeOS Admin templates
App Launch Automation can be configured by Administrators in the Admin console to contain groups of applications, windows and tools that can be launched automatically on startup or on-demand by users throughout their day. With App Launch Automation, you can: get users up and running quickly at the start of their day, provide users with a way to easily get to an optimal starting point for new tasks, and remember the window layout each user sets up for their individual workflows for future use.
Upcoming Admin console changes
- URL-keyed anonymized data collection in Kiosk mode
The policy for URL-keyed anonymized data collection, UrlKeyedAnonymizedDataCollectionEnabled, will soon be supported in the Admin console. This policy will be enforced starting October 1st and will remain disabled until then.
Chrome 116
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Enterprises can sign up for security fix notifications | ✓ | ||
Chrome increases release velocity with security improvements planned for each week | ✓ | ||
Share Sheet migration | ✓ | ||
Google Search side panel | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
Improving performance: Memory Saver and Energy Saver modes | ✓ | ✓ | |
Anti-phishing telemetry expansion | ✓ | ||
Enabling BFCache for pages that set Cache-Control: no-store | ✓ | ||
Idle Timeout policies on Desktop | ✓ | ||
OS-native Passkey changes on Windows 11 | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Data processor mode on ChromeOS (including Chrome browser running on managed ChromeOS) | ✓ | ||
Removal of permissive Chrome Apps webview behaviors | ✓ | ||
ChromeOS OCR in PDFs for screen reader users | ✓ | ||
Move ChromeVox settings pages to ChromeOS settings | ✓ | ||
Customizing input peripherals per device settings | ✓ | ||
Managing Android App permissions | ✓ | ||
ChromeOS Kerberos integration enhancements | ✓ | ||
Commercial launch of screensaver | ✓ | ||
Enhanced autocorrect features | ✓ | ||
Additional input method support for Linux apps | ✓ | ||
URL-keyed anonymized data collection in Kiosk mode | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Extensions Review panel | ✓ | ||
Native Client Support updates | ✓ | ||
Updates to Clear Browsing Data on Android | ✓ | ||
Skip unload events | ✓ | ||
Require X.509 key usage extension for RSA certificates chaining to local roots | ✓ | ||
Network service will be sandboxed on Linux and ChromeOS | ✓ | ||
Bounce Tracking mitigations | ✓ | ||
Restricting the use of --load-extension | ✓ | ||
Service Worker static routing API | ✓ | ||
Enable access to WebUSB API from extension service workers | ✓ | ||
Simplified sign-in and sync experience | ✓ | ||
IP Protection Phase 0 for Chrome | ✓ | ||
Web MIDI permission prompt | ✓ | ||
Network service will be sandboxed on Windows | ✓ | ||
Removal of the RendererCodeIntegrityEnabled policy | ✓ | ||
Chrome 117 will no longer support macOS 10.13 and macOS 10.14 | ✓ | ||
New Chrome Desktop visual refresh in Chrome 117 | ✓ | ||
Update to the lock icon | ✓ | ||
Storage Access API with Prompts | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | ✓ |
Removal ForceMajorVersionToMinorPositionInUserAgent policy | ✓ | ||
Chrome release schedule changes | ✓ | ||
Chrome 119 to phase out support for Web SQL | ✓ | ||
Migrate away from data URLs in SVG <use> element | ✓ | ✓ | |
Chrome profile separation | ✓ | ✓ | |
Removal LegacySameSiteCookieBehaviorEnabledForDomainList policy | ✓ | ||
Intent to deprecate: Mutation Events | ✓ | ||
Warnings on insecure downloads | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS battery state sounds | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Enterprises can sign up for security fix notifications
Using this sign-up form, you can opt in to receive email notifications whenever there's a Chrome release that contains high or critical security fixes, including zero-day fixes. Chrome uses a fast release cycle to keep you ahead of bad actors, and so you can expect such a release approximately every week. By default, Chrome applies updates automatically when they're made available, so no action is required from admins who keep Chrome's default update behavior. You can read more about Chrome updates strategies for enterprises here.
- Chrome increases release velocity with security improvements planned for each week
In Chrome 115 and previous releases, Chrome maintained a four-week release cycle with a minor release halfway between each major release containing security improvements and minor bug fixes. Major releases continue to be planned for approximately every four weeks, but starting in Chrome 116, minor releases are now planned every week. This allows us to deliver security improvements even faster. If you have auto-updates turned on (the default behavior of Chrome, and our recommendation), then no action is required. Chrome might still release some unplanned updates in response to critical fixes, zero-day fixes, or other unforeseen circumstances. If you want to be notified of the security fixes contained in each release of Chrome, you can sign up for notifications here. Read more about Chrome Security and why we're making this change in our blog post.
- Share Sheet migration
Chrome is migrating Share functionality from its custom share sheet to the Android system share sheet for Android U+ users. In this migration, we’ve deprecated some functionality such as stylized cards for shared highlights and a redundant button for short (non full-page) screenshots. On Pre-U Android, Chrome still shows the custom share sheet and users can navigate to the system share sheet using the More (...) button.
- Google Search side panel
Chrome is introducing the Search side panel, a new contextual side panel experience that allows users to delve into the content of the page they're currently viewing. The new side panel gives users new tools to get more context about the page they're viewing. We launched the Search side panel to some users in Chrome 115 and subsequently plan to roll out to all users in Chrome 116. You can control access to the Search side panel using the GoogleSearchSidePanelEnabled policy.
- X25519Kyber768 key encapsulation for TLS
As early as Chrome 116, Chrome introduces a post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. However, some TLS middleboxes might be unprepared for the size of a Kyber key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. This cipher will be used for both TLS and QUIC connections.
- Improving performance: Memory Saver and Energy Saver modes
In Chrome 108, we introduced features designed to improve the performance of Chrome and extend battery life under the following enterprise policies: TabDiscardingExceptions, BatterySaverModeAvailability and HighEfficiencyModeEnabled. In Chrome 116, we expand the capabilities of the Memory Saver feature to help users further understand and use tab discarding to their benefit. Users with Memory Saver enabled (policy HighEfficiencyModeEnabled) now have increased visibility of discarded tabs in the tab strip and more insight into memory usage of active and inactive tabs.
Additionally, this release makes the management of exceptions (policy TabDiscardingExceptions) more intuitive for users who have access to manage their own exceptions:
1. In settings, users can add exceptions based on currently open tabs (in addition to manual entry which exists today)
2. In the page action chip of a discarded tab, users can opt the site out from future discarding.
- Anti-phishing telemetry expansion
In this feature, we log user-interaction data to Chrome servers and to Safe Browsing servers, which will fill knowledge gaps about how users interact with Safe Browsing phishing warnings and phishing pages. This additional telemetry will help inform where we should concentrate our efforts to improve phishing protection because it will allow us to understand the user better. Admins can opt out by using the Enterprise policies MetricsReportingEnabled and SafeBrowsingProtectionLevel.
- Enabling BFCache for pages that set Cache-Control: no-store
Documents with a Cache-Control: no-store header (CCNS) are blocked from entering BFCache. Chrome 116 will start BFCaching these documents, except for the ones with sensitive information (Github).
The AllowBackForwardCacheForCacheControlNoStorePageEnabled policy controls if a page with Cache-Control: no-store header can be stored in back/forward cache. The website setting this header might not expect the page to be restored from back/forward cache since some sensitive information could still be displayed after the restoration even if it is no longer accessible.
If the policy is enabled or unset, the page with Cache-Control: no-store header might be restored from back/forward cache unless the cache eviction is triggered, for example, when there is HTTP-only cookie change to the site.
If the policy is disabled, the page with Cache-Control: no-store header will not be stored in back/forward cache.
- Idle Timeout policies on Desktop
In Chrome 116, admins can now enforce taking an action, for example, closing the browser, clearing cookies or moving to the profile picker, after Chrome has been idle for some amount of time. You can use the IdleTimeout policy to set a timeout period and the IdleTimeoutActions policy to specify actions on timeout.
- OS-native Passkey changes on Windows 11
An update to Windows 11 later in 2023 adds support for cross-device passkeys flows in Windows webauthn.dll v6. Chrome 116 recognizes this version of Windows and stops offering its own cross-device support in Chrome UI, deferring to Windows instead. This results in users seeing a different UI, as shown below. This can be tested with Chrome 116 running on Windows Insider Dev Build 23486 or later.
- New and updated policies in Chrome browser
Policy | Description |
---|---|
NativeClientForceAllowed | Forces Native Client (NaCl) to be allowed to run. |
SafeSitesFilterBehavior | Control SafeSites adult content filtering (now on Android) |
PostQuantumKeyAgreementEnabled | Enable post-quantum key agreement for TLS |
UserContextAwareAccessSignalsAllowlist | Enable the Chrome Enterprise Device Trust Connector attestation flow for a list of URLs on Managed Profiles |
RSAKeyUsageForLocalAnchorsEnabled | Check RSA key usage for server certificates issued by local trust anchors |
AllowBackForwardCacheForCacheControlNoStorePageEnabled | Allow pages with Cache-Control: no-store header to enter back/forward cache |
ChromeOS updates
- Data processor mode on ChromeOS (including Chrome browser running on managed ChromeOS)
In ChromeOS 116, ChromeOS is releasing a data processor mode for a suite of ChromeOS features and services called Essential Services, switching Google’s role from that of a data controller over personal data, to primarily that of a data processor. Features and services for which Google remains solely a data controller are called “Optional Services”. IT admins who manage ChromeOS devices used by managed Dutch Education accounts will see these new terms and features available to select from August 18, 2023.
These are the new tools available in data processor mode for ChromeOS:
- Data processor mode landing page in the Admin console
- The ability to turn-on/off individual Optional Services
- Tools to assist customers with Data Subject Access Requests (DSARs)
- A tool to assist customers with data subject deletion requests
- Removal of permissive Chrome Apps webview behaviors
As early as Chrome 116, Chrome Apps webview usage has the following restrictions:
- Using the webview NewWindow event to attach to a webview element in another App window causes the window reference returned by the window.open call in the originating webview to be invalidated.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed is available to give enterprises time to address possible breakage related to these changes. To test whether this change is the cause of any breakage, without needing to set the enterprise policy, you can restore the previous behavior from Chrome 112 and earlier by navigating to chrome://flags and disabling chrome://flags/#enable-webview-tag-mparch-behavior.
This change was originally scheduled for Chrome 113, but was postponed. Previous release notes mentioned a change to the handling of SSL errors within webviews, but this is no longer part of this change.
- ChromeOS OCR in PDFs for screen reader users
Through Optical Character Recognition (OCR), users can convert images to text, so that they can access and read them.
- ChromeVox settings move to ChromeOS setting
In Chrome 116, you now access the existing settings for ChromeVox under the ChromeOS Accessibility settings pages.
- Customizing input peripherals per device settings
Users can now manage settings for their input peripherals, such as their mouse and keyboard, at the device level and apply different values for different devices. This provides more control over the peripheral experience on ChromeOS.
- Managing Android App permissions
In Chrome 116, users have a better view of what data Android apps can access by reviewing allowed app permissions on the Apps page in ChromeOS Settings. Now, users can see a detailed view of the data an Android app can access on the Apps page in Settings, and they can easily manage those permissions.
- ChromeOS Kerberos integration enhancements
Starting with M116, we streamline the end user configuration flows for ChromeOS Kerberos customers. Many users use Kerberos on ChromeOS to access corporate resources. The new UI enhancements guide users through the configuration of their Kerberos accounts in a guided flow, similar to Password Manager. For details, see this help center article.
- Commercial launch of screensaver
With M116, ChromeOS represents your organization even better. The commercial launch of screensaver for the login screen or MGS lock screen allows admins to customize the appearance of idle devices. Newly added admin settings include the abilities to turn on/off the screensaver, to provide a list of screensaver images, and to customize idle times.
- Enhanced autocorrect features
We've enhanced Autocorrect in ChromeOS! Autocorrect is now enabled by default for English in compatible apps, automatically fixing typos, spelling, and other errors. In addition to the new Autocorrect for physical keyboards, this update also enhances the performance of the virtual keyboard's Autocorrect and other Assistive features.
- Additional input method support for Linux apps
Linux on ChromeOS now supports complex input methods, such as Japanese and Korean. This means that you can now use the same input methods that you're already using in Chrome to type in your Linux applications. Not all applications are supported yet, but support for additional applications is coming soon.
Admin console updates
- New policies in Admin console
RSAKeyUsageForLocalAnchorsEnabled | User, MGS | CrOS, Chrome, Android | Legacy Site Compatibility |
AllowBackForwardCacheForCacheControlNoStorePageEnabled | User, MGS | CrOS, Chrome, Android | Security |
PostQuantumKeyAgreementEnabled | User, MGS | CrOS, Chrome, Android | Security |
PhysicalKeyboardPredictiveWriting | User, MGS | CrOS | User Experience |
PhysicalKeyboardAutocorrect | User, MGS | CrOS | User Experience |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Extensions Review panel
A new review panel will be added in chrome://extensions, which will appear whenever there are potentially unsafe extensions that need the user's attention. The initial launch will highlight extensions that are malware, policy violating or are no longer available in the Chrome Web Store. The user can choose to remove or keep these extensions.
There will also be a count of risky extensions needing review that is presented in the Chrome Privacy & Security settings page.
The ExtensionsUnpublishedAvailability policy will disable extensions that have been unpublished by the developer or violate Chrome Web Store policy. Note that these extensions might also appear in the Extensions Module's review panel but only if they are not installed by policy. The user can choose to remove or keep them.
- Native Client Support updates
As early as Chrome 117, we will remove Native Client (NaCl) support from extensions on Windows, macOS, and Linux. An enterprise policy, NativeClientForceAllowed, will be available to allow Native Client to continue to be used until Chrome 119.
- Updates to Clear Browsing Data on Android
We’re making it easier to find and use the browsing data deletion tools that Chrome offers.
We’re adding more entry points to Clear Browsing Data, including on the main Chrome menu. We’re also introducing a new quick deletion affordance to enable users to quickly delete their recent history. We’ll maintain and further enhance the more granular ‘Advanced’ Clear Browsing Data page on Privacy Settings.
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years.
As early as Chrome 117, to further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events. In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of an API and a group policy which will allow you to selectively keep the behavior unchanged.
- Require X.509 key usage extension for RSA certificates chaining to local roots
X.509 certificates used for HTTPS should contain a key usage extension that declares how the key in a certificate may be used. Such instructions ensure certificates are not used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. For this to work, HTTPS clients must check that server certificates match the connection's TLS parameters, specifically that the key usage flag for “digitalSignature” and possibly “keyEncipherment” (depending on TLS ciphers in use) are asserted when using RSA.
Chrome 117 will begin enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates. Enterprises can test and temporarily disable key usage enforcement using the RSAKeyUsageForLocalAnchorsEnabled policy (available in Chrome 116).
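The check described in this item can be run against your own locally issued certificates before enforcement begins. The following is an added example, not code from Chrome or from these release notes: a standard-library Python audit that reads the keyUsage bits from a DER certificate and lists what an RSA server certificate is missing. The function names, the `rsa_key_exchange` parameter and the constructed sample certificates are assumptions for illustration.

```python
"""Audit the X.509 keyUsage extension of a DER-encoded RSA server certificate.

Added example: stdlib-only DER walk, not Chrome's certificate verifier.
"""

KEY_USAGE_OID = bytes.fromhex("551d0f")  # OID 2.5.29.15 (id-ce-keyUsage)
# Bit order of the KeyUsage BIT STRING as defined in RFC 5280, section 4.2.1.3.
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
            "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
            "encipherOnly", "decipherOnly"]


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def key_usage(cert_der):
    """Return the set of asserted keyUsage names, or None if the extension is absent."""
    _, cert, _ = read_tlv(cert_der, 0)
    tbs = children(cert)[0][1]                      # TBSCertificate
    for tag, val in children(tbs):
        if tag != 0xA3:                             # [3] EXPLICIT Extensions
            continue
        for _, ext in children(children(val)[0][1]):
            fields = children(ext)                  # OID, [critical], OCTET STRING
            if fields[0][1] != KEY_USAGE_OID:
                continue
            _, bits, _ = read_tlv(fields[-1][1], 0)  # BIT STRING inside extnValue
            data = bits[1:]                         # bits[0] counts unused bits
            return {name for i, name in enumerate(KU_NAMES)
                    if i // 8 < len(data) and data[i // 8] & (0x80 >> (i % 8))}
    return None


def audit_rsa_leaf(cert_der, rsa_key_exchange=False):
    """List keyUsage findings for an RSA server certificate; empty list = none.

    rsa_key_exchange is an assumption of this example: set it when the server
    still negotiates RSA key-exchange cipher suites, which rely on keyEncipherment.
    """
    usage = key_usage(cert_der)
    if usage is None:
        return ["keyUsage extension absent"]
    findings = []
    if "digitalSignature" not in usage:
        findings.append("digitalSignature not asserted")
    if rsa_key_exchange and "keyEncipherment" not in usage:
        findings.append("keyEncipherment not asserted (needed for RSA key exchange)")
    return findings


def tlv(tag, value=b""):
    """DER-encode one element (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


def sample_cert(ku_bits=None):
    """Constructed DER skeleton of a certificate: placeholder fields, unsigned.

    ku_bits is the raw BIT STRING content (unused-bit count + flag bytes),
    e.g. b"\\x05\\xa0" for digitalSignature + keyEncipherment.
    """
    exts = b""
    if ku_bits is not None:
        ext = tlv(0x30, tlv(0x06, KEY_USAGE_OID) + tlv(0x01, b"\xff")
                  + tlv(0x04, tlv(0x03, ku_bits)))
        exts = tlv(0xA3, tlv(0x30, ext))
    # version, serial, then empty sigAlg / issuer / validity / subject / SPKI
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30) * 5 + exts)
    return tlv(0x30, tbs + tlv(0x30) + tlv(0x03, b"\x00"))


if __name__ == "__main__":
    # For a real certificate: der = ssl.PEM_cert_to_DER_cert(open(path).read())
    for label, bits in [("sig+enc", b"\x05\xa0"), ("enc only", b"\x05\x20"),
                        ("no extension", None)]:
        print(label, audit_rsa_leaf(sample_cert(bits), rsa_key_exchange=True))
```

An empty result means both flags the text names are present; any finding marks a certificate to review with the issuing CA before turning off the RSAKeyUsageForLocalAnchorsEnabled opt-out.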
- Network service will be sandboxed on Linux and ChromeOS
As early as Chrome 117, the network service will be sandboxed on Linux and ChromeOS to improve security. On Linux, it's possible that third party software (likely data loss prevention or antivirus software) is injecting code into Chrome's processes and will be blocked by this change. This may result in Chrome crashing for your users.
If this happens, you should work with the vendor of the third party software to stop it from injecting code into Chrome's processes. In the meantime, you will be able to use the NetworkServiceSandboxEnabled policy to defer the sandboxing. This is a temporary measure intended to help enterprises surprised by the change; the policy will be removed in a future version of Chrome.
- Bounce Tracking mitigations
As early as Chrome 116, Chrome will launch bounce tracking mitigations. Bounce tracking mitigations will only take effect when the policy is set to true (Block 3rd party cookies). You can use the BlockThirdPartyCookies policy to control this feature. Alternatively, if 3rd party cookies are blocked by default you can exempt specific sites by using the CookiesAllowedForUrls policy.
- Restricting the use of --load-extension
The --load-extension command-line switch provides a very low bar for cookie theft malware to load malicious extensions without an installation prompt. Chrome will gradually phase out this switch to reduce this attack vector for malware. Starting in Chrome 116, --load-extension will be ignored for users that have enabled Enhanced Safe Browsing.
- Service Worker static routing API
Chrome 116 will release the Service Worker static routing API; it enables developers to optimize how Service Workers are loaded. Specifically, it allows developers to configure the routing, and allows them to offload simple things ServiceWorkers do. If the condition matches, the navigation happens without starting ServiceWorkers or executing JavaScript, which allows web pages to avoid performance penalties due to ServiceWorker interceptions.
- Enable access to WebUSB API from extension service workers
As early as Chrome 117, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Simplified sign-in and sync experience
Starting in Chrome 117, some users may experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off fully (via SyncDisabled) or partially (via SyncTypesListDisabled). Sign-in to Chrome can be required or disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- IP Protection Phase 0 for Chrome
Beginning in Chrome 118, Chrome may route traffic for some network requests to Google-owned resources through a privacy proxy. This is an early milestone in a larger effort to protect users' identities by masking their IP address from known cross-site trackers. More information (including enterprise policies) will be provided in the near future.
- Web MIDI permission prompt
Starting in Chrome 118, the Web MIDI API access will be gated behind a permissions prompt. Currently, the use of SysEx messages with the Web MIDI API requires explicit user permission. With the planned implementation, even access to the Web MIDI API without SysEx support will require user permission. Both permissions will be requested in a bundled permissions prompt.
Three new policies DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls will be available to allow administrators to pre-configure user access to the API.
- Network Service on Windows will be sandboxed
As early as Chrome 118, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Removal of the RendererCodeIntegrityEnabled policy
As early as Chrome 117, the RendererCodeIntegrityEnabled policy will be removed. We recommend that you verify any potential incompatibilities with third party software by no longer applying the policy in advance of this release. You can report any issues you encounter by submitting a bug here.
- Chrome 117 will no longer support macOS 10.13 and macOS 10.14
Chrome 117 will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.13 or 10.14, Chrome continues to show an infobar that reminds users that Chrome 117 will no longer support macOS 10.13 and macOS 10.14.
- New Chrome Desktop visual refresh in Chrome 117
With Google’s design platform moving to Google Material 3, we have an opportunity to modernize our desktop browser across OS’s, leveraging updated UI elements or styling, enhancing personalization through a new dynamic color system, and improving accessibility. The first wave of UI updates will roll out in Chrome 117.
The three dot Chrome menu will also be refreshed, providing a foundation to scale personalization and customization experiences in Chrome by enabling customers proximate access to tools and actions. The menu will be updated in phases starting in Chrome 117.
- Update to the lock icon
We plan to replace the lock icon with a variant of the tune icon, which is commonly used to indicate controls and settings. Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome. Our research has also shown that many users never understood that clicking the lock icon showed important information and controls. We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.
The new icon is scheduled to launch in Chrome 117 as part of a general design refresh for desktop platforms. Chrome will continue to alert users when their connection is not secure. You can see the new tune icon now in Chrome Canary for Desktop if you enable Chrome Refresh 2023 at chrome://flags#chrome-refresh-2023, but keep in mind this flag enables work that is still actively in-progress and under development, and does not represent a final product.
We will also replace the icon on Android. On iOS, the lock icon is not tappable, so we will be removing the icon.
You can read more in this blog post.
- Storage Access API with Prompts
The Storage Access API provides a means for authenticated cross-site embeds to check their blocking status and request access to storage if they are blocked. Targeting Chrome 117 for Desktop, we will support the Storage Access API by implementing all the behaviors listed in the specification, i.e. with user prompts, and additionally having its own user-agent-specific behaviors.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability has been available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
- Removal ForceMajorVersionToMinorPositionInUserAgent policy
Chrome 118 plans to remove the ForceMajorVersionToMinorPositionInUserAgent policy. This policy was introduced in Chrome 99 to control whether the User-Agent string major version would be frozen at 99, in case of User-Agent string parsing bugs when the version changed to 100. Fortunately, we did not need to deploy this feature and only encountered a few minor 3-digit version parsing issues that have all since been fixed. Given that, we intend to remove this policy.
If you have any feedback about this policy removal, or are aware of intranet breakage that depends on the policy, please comment on this bug.
- Chrome release schedule changes
Chrome 119 and all subsequent releases will be shifted forward by one week. For example, Chrome 119 will have its early stable release on October 25 instead of Nov 1. Beta releases will also be shifted forward by one week starting in Chrome 119.
- Chrome 119 to phase out support for Web SQL
Starting in Chrome 119, to improve user data security, Chrome will remove support for Web SQL. The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. As of today, Chrome is the only major browser with support for Web SQL. The W3C encouraged those needing web databases to adopt Indexed Database or SQLite WASM.
The timeline for the deprecation will be:
- Chrome 115 - Deprecation message added
- Chrome 117 - 123 - Deprecation trial
- Chrome 119 - Ship removal
More details about the deprecation and removal can be found on the Chromestatus page.
An enterprise policy WebSQLAccess is available until Chrome 123 to enable Web SQL to be available.
- Migrate away from data URLs in SVG <use> element
The SVG spec was recently updated to remove support for data: URLs in SVG <use> element. This improves security of the Web platform as well as compatibility between browsers as Webkit does not support data: URLs in SVG <use> element. We expect to remove support for data: URLs in SVG <use> element in Chrome 119, scheduled to ship in November 2023. You can read more in this blog post. For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available temporarily to re-enable Data URL support for SVG <use> element.
- Chrome profile separation
As early as Chrome 119, three new policies will be created to help enterprises configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist.
- Removal LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies (possibly on specific domains) to legacy behavior. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will now be removed in Chrome 127.
- Intent to deprecate: Mutation Events
Synchronous Mutation Events, including `DOMSubtreeModified`, `DOMNodeInserted`, `DOMNodeRemoved`, `DOMNodeRemovedFromDocument`, `DOMNodeInsertedIntoDocument`, and `DOMCharacterDataModified`, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer. Mutation Events will stop functioning in Chrome 127, around July 30, 2024.
- Warnings on insecure downloads
Chrome will begin showing warnings on some downloads if those files were downloaded over an insecure connection, that is, not HTTPS. These warnings do not prevent downloading and can be bypassed by the user. Enterprises can test their downloads by enabling warnings via chrome://flags/#insecure-download-warnings. Enterprises can also disable warnings for sites that cannot deliver files securely by adding the download site to InsecureContentAllowedForUrls.
Upcoming ChromeOS changes
- ChromeOS battery state sounds
As early as Chrome 117, we will add audible sounds to indicate battery status. Users will be able to turn on and off these sounds and Admins will be able to control them through policies.
When the device is not plugged in, you will hear warning sounds if:
- Battery level goes down to 15 minutes of charge time left, and another one when there is 5 minutes left.
When the device is plugged in, you will hear an information beep when:
- Battery level - 0-15% (low)
- Battery level - 16-79% (med)
- Battery level - 80-100% (high)
In the case where the device is connected to a low power charger, you’ll hear warnings when the battery goes down to 10%, then again at 5%.
Chrome 115
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Google Search side panel | ✓ | ||
Secure DNS auto-upgrade for some Quad9Secure DNS users | ✓ | ||
HTTP requests upgraded to HTTPS | ✓ | ||
Support for Encrypted Client Hello (ECH) | ✓ | ||
Disable extensions unpublished from Chrome Web Store | ✓ | ||
Updates to initial_preferences | ✓ | ||
Bookmarks and reading list improvements on iOS | ✓ | ||
Update for secure DNS queries on Cox ISP servers | ✓ | ||
Reading mode | ✓ | ||
Removal of SHA1 in server signatures in TLS | ✓ | ||
Policy Sync dependency handling | ✓ | ||
Skia renderer for PDF rendering | ✓ | ✓ | |
One Time Permissions desktop | ✓ | ||
Privacy Sandbox Developer enrollment form | ✓ | ||
Update on BrowsingDataLifetime policy | ✓ | ||
Set Up Chrome module for iOS | ✓ | ||
Carousel on the new tab page | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
App Streaming on ChromeOS | ✓ | ||
Floating windows on ChromeOS | ✓ | ||
Pause cast for cast moderator | ✓ | ||
Enhanced signature options for PDF toolkit | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ||
Expand Language Packs to Text-to-Speech | ✓ | ||
New keyboard Shortcut app | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
New Chrome Browser Cloud Management card | ✓ | ||
ChromeOS Settings page redesign | ✓ | ||
Chrome Setup Guides | ✓ | ||
Printing reports now available in Chrome Management Reports API | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
X25519Kyber768 key encapsulation for TLS | ✓ | ||
Improving performance: Memory Saver and Energy Saver modes | ✓ | ||
Anti-phishing telemetry expansion | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Enabling BFCache for pages that set Cache-Control: no-store | ✓ | ||
Idle Timeout policies | ✓ | ||
Windows 11 changes affecting Chrome in ~September | ✓ | ||
Native Client Support updates | ✓ | ||
Skip unload events | ✓ | ||
Extensions Review panel | ✓ | ||
Require X.509 key usage extension for RSA certificates chaining to local roots | |||
Bounce Tracking mitigations | ✓ | ✓ | |
Restricting the use of --load-extension | ✓ | ||
Service Worker static routing API | ✓ | ||
Enable access to WebUSB API from extension service workers | ✓ | ||
Simplified sign-in and sync experience | ✓ | ||
Web MIDI permission prompt | ✓ | ||
Removal of the RendererCodeIntegrityEnabled policy | ✓ | ||
Chrome 117 will no longer support macOS 10.13 and macOS 10.14 | ✓ | ✓ | |
New Chrome Desktop refresh and Chrome menu in Chrome 117 | ✓ | ||
Update for lock icon | ✓ | ✓ | |
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | |
Removal ForceMajorVersionToMinorPositionInUserAgent policy | ✓ | ||
Chrome 119 to phase out support for Web SQL | ✓ | ||
Removal LegacySameSiteCookieBehaviorEnabledForDomainList policy | ✓ | ||
Intent to deprecate: Mutation Events | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS battery state sounds | ✓ | ||
Removal of permissive Chrome Apps webview behaviors | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Google Search side panel
In Chrome 115, Google introduces the Search side panel, a new contextual side panel experience that allows users to delve into the content of the page they're currently viewing. The new side panel features a search box that allows text-based and visual queries, questions related to the page, and links to more details about the current site. We launch the Search side panel to some users in Chrome 115 and subsequently plan to roll out to all users in Chrome 116. You can control access to the Search side panel using the GoogleSearchSidePanelEnabled policy.
- Secure DNS auto-upgrade for some Quad9Secure DNS users
Starting in Chrome 115, for a small subset of Chrome users, secure DNS queries are used instead of insecure DNS queries to perform host name resolution using Quad9 Secure (9.9.9.9) DNS servers. This change affects behavior for a given client under the following conditions only:
- The client is running on a system that has been configured to use the Quad9 Secure (9.9.9.9) DNS servers.
- The DnsOverHttpsMode enterprise policy is set to “Automatic” (the default value is “Off”).
- The ChromeVariations policy is set to enable all variations.
- The client is randomly selected to be part of the 1% of clients where this behavior is enabled.
- HTTP requests upgraded to HTTPS
As early as Chrome 115, some users might see HTTP requests automatically upgraded to HTTPS. Any page that can't load via HTTPS is automatically reverted back to HTTP. For standard server configurations, this shouldn't have any visible effect, but it improves your users' security.
Some server configurations might cause issues, for example, if different content is served via HTTP and HTTPS. Users can bypass the automatic upgrading by explicitly navigating to an http:// URL in the Omnibox, or by changing the Insecure Content site setting to enabled, accessible via Page Info and chrome://settings/content. You can control this behavior with the HttpsUpgradesEnabled policy, and allowlist specific sites with the HttpAllowlist policy.
In the long term, you should ensure that your organization's servers support HTTPS and serve the same content on both HTTP and HTTPS. If you don't intend to support HTTPS (for example, on an intranet behind a firewall), servers shouldn't respond to port 443, and firewalls should close the connection rather than leave it hanging. You can test HTTPS upgrading in your environment by enabling chrome://flags#https-upgrades. If you come across any issues, you can report them to us.
Starting in Chrome 115, Chrome automatically enables HTTPS-First Mode based on the user's browsing history. It automatically enables the HTTPS-First Mode interstitial on sites that regularly load over HTTPS. Sites that regularly use plaintext HTTP are unaffected. In practice, this change protects users from downgrade attacks, but is invisible to users.
- Support for Encrypted Client Hello (ECH)
Chrome 115 starts rolling out support for ECH on sites that opt in, as a continuation of our network-related efforts to improve our users’ privacy and safety on the web, for example, Secure DNS. This change was originally planned for Chrome 107, but had to be postponed.
If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it. You can enable the new behavior by navigating to chrome://flags and enabling the #encrypted-client-hello flag.
On Windows and Linux, you also need to enable Secure DNS for the flag to have an effect.
If you notice any incompatibilities, you can use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.
- Disable extensions unpublished from Chrome Web Store
In Chrome 115, we release the Enterprise policy ExtensionUnpublishedAvailability to allow you to disable extensions that have been unpublished from the Chrome Web Store.
- Updates to initial_preferences
We’ve removed the following fields from the initial_preferences sample file:
- Removed from example because they're no longer valid:
  - sync_promo.show_on_first_run_allowed
  - suppress_first_run_bubble
  - suppress_first_run_Default_browser_prompt
- Removed from example because they can be controlled by a recommended policy:
  - homepage
  - homepage_is_newtabpage
  - show_home_button
  - session
  - bookmark_bar
  - import_* except for import_bookmarks_from_file
  - make_chrome_default_*
- Removed from example because they're not applicable to enterprise usage, or only applicable for user-level install:
  - ping_delay
  - do_not_launch_chrome
  - do_no_register_for_update_launch
- Bookmarks and reading list improvements on iOS
On Chrome 115 on iOS, some users who sign in to Chrome from bookmark manager or reading list surfaces can now use and save bookmarks and reading list items in their Google Account. Relevant enterprise policies, such as BrowserSignin, SyncDisabled, SyncTypesListDisabled, EditBookmarksEnabled and ManagedBookmarks continue to work as before, to configure whether users can use and save items in their Google Account.
- Update for secure DNS queries on Cox ISP servers
For clients running on systems that use the Cox ISP DNS servers, if the DnsOverHttpsMode policy is set to Automatic, Chrome uses secure DNS queries instead of insecure DNS queries, starting in Chrome 115 (and in earlier versions, starting on May 16, 2023, if the ChromeVariations policy is set to enable all variations).
- Reading mode
As more content is read online, Chrome 115 adds a new feature to help improve the online reading experience. Introducing reading mode, a new feature on Chrome browser, which enhances the reading experience on the web for everyone. Reading mode reduces distracting elements through a resizable and customizable reader view in the Chrome browser side panel, enabling readers to focus on the primary content. Users can also customize the font, text size, spacing, theme or background color, and more, making for a more cohesive, intuitive, and comfortable reading experience.
- Removal of SHA1 in server signatures in TLS
Chrome 115 removes support for signature algorithms using SHA-1 for server signatures during the TLS handshake. SHA-1, which has known collisions, has been deprecated by the IETF, and should be avoided where possible.
This does not affect SHA-1 support in server certificates, which was already removed. SHA-1 in client certificates continues to be supported. Enterprises that rely on SHA-1 signature schemes in TLS can use the InsecureHashesInTLSHandshakesEnabled policy to continue to accept SHA-1 in server signatures.
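To find internal servers affected by this change, you can look at the signature algorithm the server announces in its TLS 1.2 ServerKeyExchange message. The following is an added example, not code from Chrome or from these release notes; it assumes a TLS 1.2 ECDHE handshake message already extracted from a capture, and the sample messages it builds are constructed placeholders.

```python
# Added example: read the server's signature algorithm out of a TLS 1.2
# ECDHE ServerKeyExchange handshake message and flag SHA-1.
# Layout per RFC 8422 section 5.4 and RFC 5246 section 7.4.1.4.1:
#   handshake type (1) | length (3) |
#   curve_type (1) | named_curve (2) | pubkey_len (1) | pubkey |
#   hash (1) | signature (1) | sig_len (2) | signature

SERVER_KEY_EXCHANGE = 0x0C
NAMED_CURVE = 3
HASH_SHA1 = 2  # TLS 1.2 HashAlgorithm value for sha1

# A few well-known code points from the IANA TLS SignatureScheme registry.
SCHEME_NAMES = {
    0x0201: "rsa_pkcs1_sha1",
    0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0804: "rsa_pss_rsae_sha256",
}


def server_signature_scheme(msg):
    """Return the 16-bit signature algorithm from a ServerKeyExchange."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 4:
        raise ValueError("truncated handshake message")
    if body[0] != NAMED_CURVE:
        raise ValueError("only named_curve ECDHE parameters are handled")
    pos = 4 + body[3]  # skip curve_type, named_curve, pubkey_len, pubkey
    if len(body) < pos + 4:
        raise ValueError("missing signature header")
    scheme = int.from_bytes(body[pos:pos + 2], "big")
    sig_len = int.from_bytes(body[pos + 2:pos + 4], "big")
    if pos + 4 + sig_len != len(body):
        raise ValueError("signature length does not match message length")
    return scheme


def uses_sha1(scheme):
    """True when the hash byte of the algorithm pair is sha1."""
    return (scheme >> 8) == HASH_SHA1


def audit_server_key_exchange(msg):
    """Return (scheme name, True if the server signed with SHA-1)."""
    scheme = server_signature_scheme(msg)
    name = SCHEME_NAMES.get(scheme, "0x%04x" % scheme)
    return name, uses_sha1(scheme)


def build_sample_ske(scheme):
    """Constructed sample: X25519 params, zeroed key and 4-byte dummy signature."""
    body = (
        bytes([NAMED_CURVE])
        + (0x001D).to_bytes(2, "big")   # named_curve x25519
        + bytes([32]) + bytes(32)       # placeholder public key
        + scheme.to_bytes(2, "big")
        + (4).to_bytes(2, "big") + bytes(4)  # placeholder signature
    )
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for code in (0x0201, 0x0203, 0x0401, 0x0804):
        name, sha1 = audit_server_key_exchange(build_sample_ske(code))
        print(name, "-> SHA-1 server signature" if sha1 else "-> ok")
```
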
- Policy Sync dependency handling
Currently, we require admins to set SyncDisabled for any data-deletion policy (BrowsingDataLifetime, ClearBrowsingDataOnExitList). In Chrome 115, we automatically disable sync for the respective data types and no longer require admins to additionally set the SyncDisabled policy. We will gradually roll out this feature behind a flag. You can enable this behavior at chrome://flags#data-retention-policies-disable-sync-types-needed.
- Skia renderer for PDF rendering
Chrome 115 adds a new enterprise policy, PdfUseSkiaRendererEnabled, to override user choice on whether to enable Skia renderer. When Skia renderer is enabled, it switches the PDF render device from AGG (Anti-Grain Geometry) to Skia. Skia renderer provides enhanced technical support and uses different algorithms for drawing graphics. Any resulting visual differences are expected to be very minor.
- One Time Permissions desktop
When users are prompted for a permission, they can currently select Allow or Deny, and both options are stored permanently. This feature adds an Allow this time option for geolocation, camera and microphone permissions. This fine-tunes the permission granted to a newly introduced session, which we believe more accurately represents a one-time permission session, without affecting any common scenarios. In Chrome 115, we start slowly rolling out this feature to a subset of users.
- Privacy Sandbox Developer enrollment form
To access the Privacy Sandbox relevance and measurement APIs on Chrome and Android, developers need to enroll with the Privacy Sandbox. The developer enrollment process verifies companies before they can use the APIs, as an additional layer of protection for user privacy. As part of this enrollment process, we require developers to agree to restrictions around the usage of these services to prevent re-identification of users across sites.
- Update on BrowsingDataLifetime policy
We have updated the documentation for BrowsingDataLifetime to state that download_history and hosted_app_data are not supported on Android.
- Set Up Chrome module for iOS
On iOS, some new users in Chrome 115 see the new Set Up Chrome module. This module provides options, in the center of the new tab page, to allow new users to view and complete items that help them set up and get the most out of Chrome, on their own time. The items listed in the module are optional, and the module displays temporarily for up to a few weeks after installing the app. At this time, this is only available for iOS.
- Carousel on the Google New tab page
A new carousel on the Google New tab page allows users to swipe between certain modules. This is a limited-availability feature for some new users. The carousel can display in two ways:
- With the Most Visited Sites and Shortcuts module, or
- With the Shortcuts module.
For example, a user might see Most Visited Sites but can swipe to see Shortcuts.
- New and updated policies in Chrome browser
Policy | Description |
---|---|
ExtensionUnpublishedAvailability | Control availability of extensions unpublished on the Chrome Web Store. |
SafeSitesFilterBehavior | Filter top level sites (but not embedded iframes) for adult content (now available on Android). |
PdfUseSkiaRendererEnabled | Use the default renderer based on the field trial configuration. |
GoogleSearchSidePanelEnabled | Enable Google Search Side Panel on all web pages. |
- Removed policies in Chrome browser
Policy | Description |
---|---|
ForceEnablePepperVideoDecoderDevAPI | Enable support for the PPB_VideoDecoder(Dev) API. |
PPAPISharedImagesSwapChainAllowed | Allow modern buffer allocation for Graphics3D APIs PPAPI plugin. |
UseMojoVideoDecoderForPepperAllowed | Allow Pepper to use a new decoder for hardware accelerated video decoding. |
ChromeOS updates
- App Streaming on ChromeOS
As early as ChromeOS 115, App Streaming enhances the Phone Hub experience, by allowing users to see and interact with streamed apps running on their Pixel phone. When a user receives a mirrored conversation notification from their Pixel phone, a simple tap on that notification kicks off an app stream directly to the user's ChromeOS desktop. This is part of a Google-wide ambient computing effort.
- Pause cast for cast moderator
While using cast moderator, sometimes users need a quick way to pause what they are casting. In ChromeOS 115, with Pause cast, you can now pause what you cast to the shared screen on a still image, while you do something else on your computer.
In ChromeOS Quick Settings or from Chrome browser Cast menu, select Pause to display the last casted screen on the cast receiver. While paused, other actions you perform on your computer are NOT cast to the cast receiver. When cast is resumed, your computer starts mirroring to the cast receiver again.
- Enhanced signature options for PDF toolkit
In ChromeOS 115, the Gallery PDF toolkit makes it easier for users to sign their documents, allowing for the creation of a free-hand signature that is saved in the app for subsequent use. Gallery is the ChromeOS media multi-tool that provides users with fast, consistent, and discoverable ways to view, tweak, and route various media types.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Passpoint streamlines Wi-Fi access and eliminates the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits. Wi-Fi Passpoint is now supported on ChromeOS through supported Android applications. Wi-Fi Passpoint is a set of Wi-Fi mechanisms defined by the Wi-Fi Alliance that facilitate and automate the provisioning and configuration of secure Wi-Fi networks while also minimizing user intervention. Once provisioned, whenever a compatible and secured Wi-Fi network is in range, ChromeOS can automatically connect to it without the need for user interaction.
- Expand Language Packs to Text-to-Speech
Some Google Text-to-Speech voices that were previously preinstalled are now downloaded over the network when they are needed. This frees up some space on the ChromeOS device.
- New keyboard Shortcut app
The new Shortcut App offers a new navigation and taxonomy, easier in-app search functionalities and a refreshed shortcut visualization.
Admin console updates
- Chrome Settings page redesign
We’ve heard your feedback, and we’re excited to share that all admins now see a redesigned experience across Users & browsers, Device, and Managed guest session settings pages to make it easier to manage policies. Look out for:
- A more scannable, read-only table to view setting configurations across your organization.
- Dedicated policy views for admins to focus on individual settings.
- Updated policy descriptions that pull directly from live Help Center content; no more toggling between windows to learn more about a policy. This includes supported-on information for platform and version for all policies.
- Chrome Setup Guides
The Chrome Setup Guides section now includes new, interactive content to help with performing common ChromeOS journeys in the Admin console. These new journeys include:
- Creating test organizational units
- Adding users for testing
- Turning on ChromeOS reporting
- Enrolling a test device
- Setting device policies
- Setting user policies
- Installing apps and extensions
- Adding a Wi-Fi network
To access the new Chrome Setup Guides:
- Log in to the Admin console.
- On the left, select Devices > Chrome > Setup Guides.
- Printing reports now available in Chrome Management Reports API
We have added additional endpoints to Chrome Management Reports API that allow access to printing reports. The new endpoints provide per-user and per-printer summary printing reports, as well as a listing of all print jobs submitted to managed printers. The data provided by the new endpoints corresponds to the data in the Print Usage page of the Admin console. This update exposes the same data in the third-party Reports API.
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- X25519Kyber768 key encapsulation for TLS
As early as Chrome 116, Chrome will introduce a post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard. This will be exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. However, some TLS middleboxes might be unprepared for the size of a Kyber key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed.
- Improving performance: Memory Saver and Energy Saver modes
In Chrome 108, we introduced features designed to improve the performance of Chrome and extend battery life under the following enterprise policies: TabDiscardingExceptions, BatterySaverModeAvailability and HighEfficiencyModeEnabled. In Chrome 116, we will expand the capabilities of the Memory Saver feature to help users further understand and use tab discarding to their benefit.
Users with Memory Saver enabled (policy HighEfficiencyModeEnabled) will have increased visibility of discarded tabs in the tab strip and more insight into memory usage of active and inactive tabs.
Additionally, this release will make the management of exceptions (policy TabDiscardingExceptions) more intuitive for users who have access to manage their own exceptions:
- In settings, users will be able to add exceptions based on currently open tabs (in addition to manual entry which exists today)
- In the page action chip of a discarded tab, users will have the option to opt the site out from future discarding.
- Anti-phishing telemetry expansion
In this feature, we log user-interaction data to Chrome servers and to Safe Browsing servers, which will fill knowledge gaps about how users interact with Safe Browsing phishing warnings and phishy pages. This additional telemetry will help inform where we should concentrate our efforts to improve phishing protection because it will allow us to understand the user better. Admins can opt out by using the Enterprise policies MetricsReportingEnabled and SafeBrowsingProtectionLevel.
- Network Service on Windows will be sandboxed
As early as Chrome 116, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Enabling BFCache for pages that set Cache-Control: no-store
Documents with a Cache-Control: no-store header (CCNS) are blocked from entering BFCache. Chrome 116 will start BFCaching these documents, except for the ones with sensitive information (Github).
The AllowBackForwardCacheForCacheControlNoStorePageEnabled policy controls if a page with Cache-Control: no-store header can be stored in back/forward cache. The website setting this header might not expect the page to be restored from back/forward cache since some sensitive information could still be displayed after the restoration even if it is no longer accessible.
If the policy is enabled or unset, the page with Cache-Control: no-store header might be restored from back/forward cache unless the cache eviction is triggered, for example, when there is HTTP-only cookie change to the site.
If the policy is disabled, the page with Cache-Control: no-store header will not be stored in back/forward cache.
- Idle Timeout policies
In Chrome 116, admins will be able to enforce taking an action, for example closing the browser, or moving to the profile picker, after Chrome has been idle for some amount of time. You will be able to use the IdleTimeout policy to set a timeout period and the IdleTimeoutActions policy to specify actions on timeout.
- Windows 11 changes affecting Chrome in ~September
An update to Windows 11 later in 2023 will add support for cross-device passkeys flows in Windows webauthn.dll v6. Chrome 116 will recognize this version of Windows and stop offering its own cross-device support in Chrome UI, deferring to Windows instead. This will result in users seeing a different UI, as shown below. This can be tested with Chrome 116 running on Windows Insider Dev Build 23486 or later.
Before:
After:
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years.
As early as Chrome 117, to further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events. In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of an API and a group policy which will allow you to selectively keep the behavior unchanged.
- Extensions Review panel
A new review panel will be added in chrome://extensions which will appear whenever there are potentially unsafe extensions that need the user's attention. The initial launch will highlight extensions that are malware, policy violating or are no longer available in the Chrome Web Store. The user can choose to remove or keep these extensions.
There will also be a count of risky extensions needing review that is presented in the Chrome Privacy & Security settings page.
The ExtensionUnpublishedAvailability policy will disable extensions that have been unpublished by the developer or violate Chrome Web Store policy. Note that these extensions might also appear in the Extensions Module's review panel but only if they are not installed by policy. The user can choose to remove or keep them.
- Require X.509 key usage extension for RSA certificates chaining to local roots
X.509 certificates used for HTTPS should contain a key usage extension that declares how the key in a certificate may be used. Such instructions ensure certificates are not used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. For this to work, HTTPS clients must check that server certificates match the connection's TLS parameters, specifically that the key usage flag for “digitalSignature” and possibly “keyEncipherment” (depending on TLS ciphers in use) are asserted when using RSA.
Chrome 117 will begin enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates. Enterprises can test and temporarily disable key usage enforcement using the RSAKeyUsageForLocalAnchorsEnabled policy (available in Chrome 116).
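Before this enforcement reaches your fleet, you can audit the keyUsage extension on RSA certificates issued by internal CAs. The following is an added example, not Chrome's verifier code; it decodes only an extension that is present, the extension bytes are constructed samples, and the mapping from key exchange type to required flag is an assumption based on RFC 5246 section 7.4.2.

```python
# Added example: decode an X.509 keyUsage extension (DER) and report which
# flag an RSA server certificate is missing for a given TLS key exchange.

KEY_USAGE_OID = bytes.fromhex("551d0f")  # 2.5.29.15, id-ce-keyUsage

# RFC 5280 KeyUsage bit names; bit 0 is the most significant bit of byte 0.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Assumption (RFC 5246 reading, not taken from Chrome source):
#   "ephemeral": ECDHE/DHE suites and TLS 1.3, where the server signs.
#   "rsa": static RSA key exchange, where the client encrypts to the key.
REQUIRED_FOR_RSA = {"ephemeral": "digitalSignature", "rsa": "keyEncipherment"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of input")
    return tag, buf[pos:end], end


def parse_key_usage(ext_der):
    """Return the set of asserted KeyUsage flag names from one Extension."""
    tag, body, _ = read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not a keyUsage extension")
    tag, value, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, bits, _ = read_tlv(value, 0)
    if tag != 0x03 or len(bits) < 1 or bits[0] > 7:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, payload = bits[0], bits[1:]
    total_bits = len(payload) * 8 - unused
    asserted = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i < total_bits and payload[i // 8] & (0x80 >> (i % 8)):
            asserted.add(name)
    return asserted


def missing_rsa_key_usage(ext_der, key_exchange):
    """Return the list of flags the certificate lacks for this key exchange."""
    needed = REQUIRED_FOR_RSA[key_exchange]
    return [] if needed in parse_key_usage(ext_der) else [needed]


# Constructed samples (extension bytes only, not full certificates).
GOOD_EXT = bytes.fromhex("300e0603551d0f0101ff0404030205a0")           # sig + encipher
ENCIPHER_ONLY_EXT = bytes.fromhex("300e0603551d0f0101ff040403020520")  # encipher only
CA_ONLY_EXT = bytes.fromhex("300b0603551d0f040403020106")              # certSign + cRLSign

if __name__ == "__main__":
    samples = {"good": GOOD_EXT, "encipher-only": ENCIPHER_ONLY_EXT, "ca-only": CA_ONLY_EXT}
    for label, ext in samples.items():
        for kx in ("ephemeral", "rsa"):
            print(label, kx, sorted(parse_key_usage(ext)), missing_rsa_key_usage(ext, kx))
```
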
- Bounce Tracking mitigations
As early as Chrome 116, Chrome will launch bounce tracking mitigations. Bounce tracking mitigations will only take effect when the policy is set to true (Block 3rd party cookies). You can use the BlockThirdPartyCookies policy to control this feature. Alternatively, if 3rd party cookies are blocked by default you can exempt specific sites by using the CookiesAllowedForUrls policy.
- Restricting the use of --load-extension
The --load-extension command-line switch provides a very low bar for cookie theft malware to load malicious extensions without an installation prompt. Chrome will gradually phase out this switch to reduce this attack vector for malware. Starting in Chrome 116, --load-extension will be ignored for users that have enabled Enhanced Safe Browsing.
- Service Worker static routing API
Chrome 116 will release the Service Worker static routing API; it enables developers to optimize how Service Workers are loaded. Specifically, it allows developers to configure the routing, and allows them to offload simple things ServiceWorkers do. If the condition matches, the navigation happens without starting ServiceWorkers or executing JavaScript, which allows web pages to avoid performance penalties due to ServiceWorker interceptions.
- Enable access to WebUSB API from extension service workers
As early as Chrome 117, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Simplified sign-in and sync experience
Starting in Chrome 117, some users may experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome Sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome Sync that saves and accesses Chrome data in the Google Account can be turned off fully (via SyncDisabled) or partially (via SyncTypesListDisabled). Sign-in to Chrome can be required or disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Web MIDI permission prompt
Starting in Chrome 117, the Web MIDI API access will be gated behind a permissions prompt. Currently, the use of SysEx messages with the Web MIDI API requires explicit user permission. With the planned implementation, even access to the Web MIDI API without SysEx support will require user permission. Both permissions will be requested in a bundled permissions prompt.
Three new policies DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls will be available to allow administrators to pre-configure user access to the API.
- Removal of the RendererCodeIntegrityEnabled policy
As early as Chrome 117, the RendererCodeIntegrityEnabled policy will be removed. We recommend that you verify any potential incompatibilities with third party software by no longer applying the policy in advance of this release. You can report any issues you encounter by submitting a bug here.
- Chrome 117 will no longer support macOS 10.13 and macOS 10.14
Chrome 117 will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.13 or 10.14, Chrome continues to show an infobar that reminds users that Chrome 117 will no longer support macOS 10.13 and macOS 10.14.
- New Chrome Desktop refresh and Chrome menu in Chrome 117
With Google’s design platform moving to Google Material 3, we have an opportunity to modernize our desktop browser across OS’s, leveraging updated UI elements or styling, enhancing personalization through a new dynamic color system, and improving accessibility. The first wave of UI updates will roll out in Chrome 117.
The three dot Chrome menu will also be refreshed, providing a foundation to scale desktop Chrome UI, communications, and personalization. The menu will be updated in phases starting in Chrome 117 with the Desktop Refresh.
- Update for lock icon
We plan to replace the lock icon with a variant of the tune icon, which is commonly used to indicate controls and settings. Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome. Our research has also shown that many users never understood that clicking the lock icon showed important information and controls. We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.
The new icon is scheduled to launch in Chrome 117 as part of a general design refresh for desktop platforms. Chrome will continue to alert users when their connection is not secure. You can see the new tune icon now in Chrome Canary if you enable Chrome Refresh 2023 at chrome://flags#chrome-refresh-2023, but keep in mind this flag enables work that is still actively in-progress and under development, and does not represent a final product.
On iOS, the lock icon is not tappable, so we will be removing the icon.
You can read more in this blog post.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability has been available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
- Removal ForceMajorVersionToMinorPositionInUserAgent policy
Chrome 118 plans to remove the ForceMajorVersionToMinorPositionInUserAgent policy. This policy was introduced in Chrome 99 to control whether the User-Agent string major version would be frozen at 99, in case of User-Agent string parsing bugs when the version changed to 100. Fortunately, we did not need to deploy this feature and only encountered a few minor 3-digit version parsing issues that have all since been fixed. Given that, we intend to remove this policy.
If you have any feedback about this policy removal, or are aware of intranet breakage that depends on the policy, please comment on this bug.
- Chrome 119 to phase out support for Web SQL
Starting in Chrome 119, to improve user data security, Chrome will remove support for Web SQL. The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. As of today, Chrome is the only major browser with support for Web SQL. The W3C encouraged those needing web databases to adopt Indexed Database or SQLite WASM.
The timeline for the deprecation will be:
- Chrome 115 - Add deprecation message
- Chrome 118 - 123 - Deprecation trial
- Chrome 119 - Ship removal
More details about the deprecation and removal can be found on the Chromestatus page.
An enterprise policy WebSQLAccess is available until Chrome 123 to enable Web SQL to be available.
- Removal LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies (possibly on specific domains) to legacy behavior. LegacySameSiteCookieBehaviorEnabledForDomainList policy will be removed in Chrome 121.
- Intent to deprecate: Mutation Events
Synchronous Mutation Events, including `DOMSubtreeModified`, `DOMNodeInserted`, `DOMNodeRemoved`, `DOMNodeRemovedFromDocument`, `DOMNodeInsertedIntoDocument`, and `DOMCharacterDataModified`, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer. Mutation Events will stop functioning in Chrome 127, around July 30, 2024.
Upcoming ChromeOS changes
- Removal of permissive Chrome Apps webview behaviors
As early as Chrome 116, Chrome Apps webview usage has the following restrictions:
- SSL errors within webview show an error page that does not provide the user the option to unsafely proceed.
- The use of the webview NewWindow event to attach to a webview element in another App window causes the window reference returned by the window.open call in the originating webview to be invalidated.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed will be available to give enterprises time to address possible breakage related to these changes. To test whether this change is the cause of any breakage, without needing to set the enterprise policy, the previous behavior from Chrome 112 and earlier can also be restored by navigating to chrome://flags and disabling chrome://flags/#enable-webview-tag-mparch-behavior.
This change was originally scheduled for Chrome 113, but was postponed.
- ChromeOS battery state sounds
As early as Chrome 117, we will add audible sounds to indicate battery status. Users will be able to turn on and off these sounds and Admins will be able to control them through policies.
When the device is not plugged in, you will hear warning sounds if:
- The battery level goes down to 15 minutes of charge time left, and again when there are 5 minutes left.
When the device is plugged in, you will hear an information beep when:
- Battery level - 0-15% (low)
- Battery level - 16-79% (med)
- Battery level - 80-100% (high)
In the case where the device is connected to a low power charger, you’ll hear warnings when the battery goes down to 10%, then again at 5%.
Chrome 114
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Chrome Root Store updates
As early as Chrome 114, to improve user security and provide a consistent experience across different platforms, Chrome switches to its own default root store and built-in certificate verifier on:
- Android
- Linux
- ChromeOS
The ChromeRootStoreEnabled policy allows selective disabling of the Chrome Root Store in favor of the platform root store. You can set this policy to Disabled to force the use of the platform root store, otherwise it is enabled by default. The policy will be made available on Android, Linux, and ChromeOS until Chrome 120.
The Chrome Root Store is already enabled by default on:
- Windows
- macOS
The ChromeRootStoreEnabled policy has been removed from Windows and Mac in Chrome 113. Support for trusted leaf certificates and the Windows Trusted People store was added for Chrome 111. Support for name constraints on local trust anchors was added back in Chrome 112.
Chrome continues to use custom local roots installed to the operating system’s trust store. See our article about the Chrome Root Program for more information. We do not anticipate any changes to how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
- Support for Private State Tokens
Chrome 114 makes the Private State Tokens API available for use by websites. Private State Tokens enable trust in a user's authenticity to be conveyed from one context to another, to help sites combat fraud and distinguish bots from real humans—without the exchange of user identifying information. Availability of Private State Tokens is controlled using a new setting in Chrome settings called Auto-verify. Read more in this developer blog post.
- Inactive Tabs in Chrome app on iPhone and iPad
In Chrome 114, old tabs are now grouped under a new Inactive Tabs section in the Tab grid view. Chrome users can access the inactive tabs section to view all old tabs or close them using the new bulk tab functionality. Alternatively, users can simply click to bring back an inactive tab.
- Lock profile cookie files on disk
To help protect Chrome users against malware attempting to steal cookie information, Chrome 114 on Windows holds an exclusive lock on the profile cookie files on disk. To ensure this behavior does not interfere with any sanctioned software on your system, you can run Chrome with the `-enable-features=LockProfileCookieDatabase` command-line flag on the Dev or Beta channel of Chrome 114.
- Rebranding and updates in Google Password Manager
In Chrome 114, the password manager is rebranded as Google Password Manager.
Google Password Manager offers more functionality and is easier to access using the three dot menu. The upgraded Google Password Manager:
- groups similar passwords together
- has an improved checkup flow
- lets you add the password manager shortcut to your desktop.
- Saving and retrieving notes in Password Manager now easier
Chrome 114 revamps the password management user journey, triggered from the key icon in the omnibox. It replaces the current list of passwords with a new list that allows navigating to the password details view. In the password details view, users can copy the username or password, unmask the password and edit the stored note.
- Password manager policy disables password import
We recently fixed an issue that previously allowed users to import passwords even though the Password Manager was disabled by Enterprise policy. Users can no longer import passwords when the PasswordManagerEnabled policy is set to false.
- Unpacking nested archives for download protection
Starting in Chrome 114, for users with Safe Browsing set to Standard or Enhanced protection, Chrome recursively unpacks downloads of nested archives. This extends the long-standing protections Chrome offers against malware and unwanted software, and specifically combats techniques abused by distributors of cookie theft malware. The SafeBrowsingProtectionLevel policy allows you to enable or disable Safe Browsing, including this feature.
- Separate storage of settings synced to account
For Chrome users on iOS and Android who have Sync enabled, settings synced to their Google account are now kept separate from the local Chrome settings, which were set when Sync was off. This allows for strictly less data sharing than previously: local settings don’t get automatically uploaded when turning on Sync, and no settings from the account are left behind on the device when Sync is turned off. This feature is still disabled by default and you can enable it using the flag `chrome://flags#enable-preferences-account-storage`.
As an admin, you can control who can save and sync data related to managed Google accounts. There are two existing policies to disable Sync functionality, which continue to apply:
- SyncDisabled: Disables the entire Chrome Sync infrastructure, including settings.
- SyncTypesListDisabled: Disables specified individual Sync data types. The existing value `preferences` covers settings.
- Side Panel API
Manifest V3 extensions can now add their own side panel to Chrome’s built-in side panel UI. See the SidePanel API Chrome developers article for usage and examples.
- New and updated policies in Chrome browser
Policy | Description |
---|---|
ChromeRootStoreEnabled | Determines whether the Chrome Root Store and built-in certificate verifier will be used to verify server certificates. Now available on Mac, Linux and ChromeOS. |
InsecureHashesInTLSHandshakesEnabled | Insecure Hashes in TLS Handshakes Enabled |
ChromeOS updates
- Cursive pre-installed for Enterprise and Education accounts
Cursive, a stylus-first notes app, is now available for Chromebook. It will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks. If you want to block access to the app, you can prevent Chromebooks in your enterprise from accessing cursive.apps.chrome.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 114, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
- Mandatory extensions for Incognito navigation
In ChromeOS 114, extensions allow admins to enforce security features and customizations in their OU, but they cannot be enforced in Incognito mode without user consent. This can be a problem because users can bypass extension-set features, for example proxies, by using Incognito mode for navigation.
The MandatoryExtensionsForIncognitoNavigation policy allows you to configure a list of extensions that users need to explicitly allow to run in Incognito, to use Incognito mode for navigation.
- ChromeVox earcons
ChromeVox is the built-in screen reader on Chromebooks. In ChromeOS 114, an audio indicator (an earcon) now plays when a user with ChromeVox enabled uses the ChromeVox keyboard shortcut to toggle selection on or off.
Admin console updates
- Chrome Browser Cloud Management (CBCM) subscription
In Chrome 114, the Chrome Browser Cloud Management subscription is automatically added to all organizations previously using CBCM without the subscription. This change does not add any new cost to your existing account and you don’t need to do anything. There is no action required on your end (learn more).
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
WebRtcTextLogCollectionAllowed | User | Chrome (Linux, Mac, Windows), ChromeOS | User experience |
InsecureHashesInTLSHandshakesEnabled | User, Managed Guest Session | Chrome (Android), Chrome (Linux, Mac, Windows), ChromeOS | Security |
CalendarIntegrationEnabled | User | ChromeOS | Content |
ChromeAppsWebViewPermissiveBehaviorAllowed | User | Chrome (Linux, Mac, Windows), ChromeOS | Legacy Site Compatibility |
WallpaperGooglePhotosIntegrationEnabled | User | ChromeOS | Sign-in settings |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- HTTP requests upgraded to HTTPS in Chrome 115
As early as Chrome 115, some users may see HTTP requests automatically upgraded to HTTPS. Any page that can't load via HTTPS is automatically reverted back to HTTP. For standard server configurations, this shouldn't have any visible effect, but improves your users' security.
Some server configurations may cause issues, for example if different content is served via HTTP and HTTPS. Users can disable automatic upgrading for a specific site by changing the Insecure Content site setting to enabled, accessible via Page Info or `chrome://settings/content`. You can control this behavior with the HttpsUpgradesEnabled policy, and allowlist specific sites with the HttpAllowlist policy.
In the long term, you should ensure that your organization's servers support HTTPS and serve the same content on both HTTP and HTTPS. If you don't intend to support HTTPS (e.g. on an internal intranet behind a firewall), servers shouldn't respond to port 443, and firewalls should close the connection rather than leave it hanging. You can test HTTPS upgrading in your environment by enabling `chrome://flags#https-upgrades`. Please report any issues you encounter.
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events, as early as Chrome 115. In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of an API and a group policy which will allow you to selectively keep the behavior unchanged.
- master_preferences to initial_preferences migration
As part of Chrome's ongoing transition to use more inclusive naming, the example in the Enterprise bundle has been renamed from `master_preferences` to `initial_preferences`. While there are no changes in Chrome's interpretation of the file, the following fields are no longer present in the `initial_preferences` example file:
- Removed from example because they're no longer valid:
sync_promo.show_on_first_run_allowed
suppress_first_run_bubble
suppress_first_run_default_browser_prompt
- Removed from example because they can be controlled by a recommended policy:
homepage
homepage_is_newtabpage
show_home_button
session
bookmark_bar
import_* except for import_bookmarks_from_file
make_chrome_default_*
- Removed from example because they're not applicable to enterprise usage, or only applicable to user-level install:
ping_delay
do_not_launch_chrome
do_not_register_for_update_launch
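The following is an added example, not part of the original release notes or of Chrome's tooling: a small linter that reports which of the fields listed above still appear in a deployed `initial_preferences` file. It assumes a field can sit at any nesting depth (so it matches on the trailing part of the key path), and the sample file and its URLs are constructed.

```python
"""Lint an initial_preferences file against the fields dropped from the example."""
import fnmatch
import json

NO_LONGER_VALID = "no longer valid"
USE_POLICY = "controlled by a recommended policy"
NOT_ENTERPRISE = "not applicable to enterprise, or user-level install only"

# Field names as listed in the release note; "*" is a wildcard.
RULES = [
    ("sync_promo.show_on_first_run_allowed", NO_LONGER_VALID),
    ("suppress_first_run_bubble", NO_LONGER_VALID),
    ("suppress_first_run_default_browser_prompt", NO_LONGER_VALID),
    ("homepage", USE_POLICY),
    ("homepage_is_newtabpage", USE_POLICY),
    ("show_home_button", USE_POLICY),
    ("session", USE_POLICY),
    ("bookmark_bar", USE_POLICY),
    ("import_*", USE_POLICY),
    ("make_chrome_default_*", USE_POLICY),
    ("ping_delay", NOT_ENTERPRISE),
    ("do_not_launch_chrome", NOT_ENTERPRISE),
    ("do_not_register_for_update_launch", NOT_ENTERPRISE),
]
KEPT = {"import_bookmarks_from_file"}  # the one import_* field still in the example


def classify(path):
    """Return the category for a key path (list of nested keys), or None."""
    if path[-1] in KEPT:
        return None
    for pattern, category in RULES:
        depth = pattern.count(".") + 1  # dotted rules compare the last N keys
        if len(path) >= depth and fnmatch.fnmatchcase(".".join(path[-depth:]), pattern):
            return category
    return None


def lint_initial_preferences(text):
    """Return [(dotted key path, category)] for every listed field found."""
    prefs = json.loads(text)
    if not isinstance(prefs, dict):
        raise ValueError("initial_preferences must be a JSON object")
    findings = []

    def walk(node, path):
        for key, value in node.items():
            here = path + [key]
            category = classify(here)
            if category:
                findings.append((".".join(here), category))  # report once, do not descend
            elif isinstance(value, dict):
                walk(value, here)

    walk(prefs, [])
    return findings


# Constructed sample file (hypothetical deployment, placeholder URLs).
SAMPLE = json.dumps({
    "homepage": "https://intranet.example.test",
    "homepage_is_newtabpage": False,
    "browser": {"show_home_button": True},
    "session": {"restore_on_startup": 4},
    "sync_promo": {"show_on_first_run_allowed": False},
    "distribution": {
        "import_bookmarks_from_file": "bookmarks.html",
        "import_history": False,
        "make_chrome_default_for_user": True,
        "do_not_launch_chrome": True,
        "suppress_first_run_bubble": True,
        "system_level": True,
    },
    "first_run_tabs": ["https://intranet.example.test/welcome"],
})

if __name__ == "__main__":
    for key_path, category in lint_initial_preferences(SAMPLE):
        print(f"{key_path}: {category}")
```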
- Release cycle changes
Chrome 115 stable release will be moved from June 27 to July 18. All dates after this have been adjusted to account for this delay. Please see the Chromium Dash Schedule for updated dates.
- Bookmarks and Reading List improvements on iOS
On Chrome 115 on iOS, some users who sign in to Chrome from bookmark manager or reading list surfaces will be able to use and save bookmarks and reading list items in their Google Account. Relevant enterprise policies such as BrowserSignin, SyncDisabled, SyncTypesListDisabled, EditBookmarksEnabled and ManagedBookmarks will continue to work as before and can be used to configure whether users use and save items in their Google Account.
- Update for Secure DNS / Cox ISP users
For clients running on systems that use the Cox ISP DNS servers, if the DnsOverHttpsMode policy is set to Automatic, then secure DNS queries will be used by Chrome instead of insecure DNS queries starting in Chrome 115 (and in earlier versions, starting on May 16, 2023, if the ChromeVariations policy is set to enable all variations).
- Reading mode
As more content is read online, we’re adding a new feature to help improve the online reading experience. Reading mode, a new feature in Chrome browser, enhances the reading experience on the web for everyone. Reading mode reduces distracting elements through a resizable and customizable reader view in the Chrome browser side panel, enabling readers to focus on the primary content. Users can also customize the font, text size, spacing, theme/background color, and more, making for a more cohesive, intuitive, and comfortable reading experience.
- Anti-phishing telemetry expansion
In this feature, we log user-interaction data to Chrome servers and to Safe Browsing servers that will fill knowledge gaps about how users interact with Safe Browsing phishing warnings and phishy pages. This additional telemetry will help inform where we should concentrate our efforts to improve phishing protection because it will allow us to understand the user better. Admins can opt out by using the Enterprise policies MetricsReportingEnabled and SafeBrowsingProtectionLevel.
- Deprecating the use of SHA1 in server signatures in TLS
Chrome 115 is removing support for signature algorithms using SHA-1 for server signatures during the TLS handshake. This does not affect SHA-1 support in server certificates, which was already removed, or in client certificates, which continues to be supported. SHA1 has known collisions, has been deprecated by the IETF, and should be avoided.
Enterprises that rely on SHA1 signature schemes in TLS can use the InsecureHashesInTLSHandshakesEnabled policy to continue to accept SHA1 in server signatures.
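To find servers affected by this change before it ships, the signature algorithm can be read from the handshake itself. The following is an added example, not from the original release notes: it parses a TLS 1.2 ECDHE ServerKeyExchange message (sent in the clear, so it can be taken from a packet capture) and reports whether the server signed with a SHA-1 scheme. The sample messages are constructed with filler key and signature bytes, and only named-curve ECDHE is handled.

```python
"""Find SHA-1 server signatures in a TLS 1.2 ECDHE ServerKeyExchange message."""
import struct

# TLS SignatureScheme code points (IANA registry); these three use SHA-1.
SHA1_SCHEMES = {0x0201: "rsa_pkcs1_sha1", 0x0202: "dsa_sha1", 0x0203: "ecdsa_sha1"}
OTHER_SCHEMES = {
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0804: "rsa_pss_rsae_sha256",
}
SERVER_KEY_EXCHANGE = 12   # handshake message type
NAMED_CURVE = 3            # ECCurveType in ServerECDHParams


class ParseError(ValueError):
    """The bytes are not a well-formed ECDHE ServerKeyExchange."""


def server_signature_scheme(msg: bytes) -> int:
    """Return the 16-bit signature scheme the server used to sign its ECDHE params."""
    if len(msg) < 4:
        raise ParseError("truncated handshake header")
    if msg[0] != SERVER_KEY_EXCHANGE:
        raise ParseError(f"handshake type {msg[0]} is not server_key_exchange")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ParseError("handshake length does not match the data")
    # ServerECDHParams: curve_type(1) named_curve(2) point_len(1) point(point_len)
    if len(body) < 4 or body[0] != NAMED_CURVE:
        raise ParseError("not a named-curve ECDHE key exchange")
    offset = 4 + body[3]
    if len(body) < offset + 4:
        raise ParseError("truncated before the signature")
    # Signature: scheme(2) sig_len(2) signature(sig_len)
    scheme, sig_len = struct.unpack_from("!HH", body, offset)
    if len(body) != offset + 4 + sig_len:
        raise ParseError("signature length does not match the data")
    return scheme


def check_server_signature(msg: bytes):
    """Return (scheme name, uses_sha1) for one ServerKeyExchange message."""
    scheme = server_signature_scheme(msg)
    if scheme in SHA1_SCHEMES:
        return SHA1_SCHEMES[scheme], True
    return OTHER_SCHEMES.get(scheme, f"0x{scheme:04x}"), False


def build_server_key_exchange(scheme: int) -> bytes:
    """Constructed sample: secp256r1 (0x0017) with filler point and signature bytes."""
    point = b"\x04" + b"\x11" * 64
    signature = b"\x22" * 70
    body = (bytes([NAMED_CURVE]) + struct.pack("!HB", 0x0017, len(point)) + point
            + struct.pack("!HH", scheme, len(signature)) + signature)
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for code in (0x0201, 0x0203, 0x0401, 0x0804):
        name, sha1 = check_server_signature(build_server_key_exchange(code))
        print(f"{name}: {'SHA-1, rejected unless the policy is set' if sha1 else 'ok'}")
```

The signature scheme checked here is separate from the hash used in the server certificate's own signature, which is the distinction the note above draws.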
- Policy Sync dependency handling
Currently, we require admins to set SyncDisabled for any data-deletion policy (BrowsingDataLifetime, ClearBrowsingDataOnExitList). Starting in Chrome 115, we will automatically disable sync for the respective data types and will no longer require admins to set the dependent policy.
- Web MIDI permission prompt
Starting in Chrome 116, the Web MIDI API access will be gated behind a permissions prompt. Currently, the use of SysEx messages with the Web MIDI API requires an explicit user permission. With the planned implementation, even access to the Web MIDI API without SysEx support will require user permission. Both permissions will be requested in a bundled permissions prompt.
Three new policies DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls will be available to allow administrators to pre-configure users’ access to the API.
- X25519Kyber768 key encapsulation for TLS
As early as Chrome 116, Chrome is introducing a post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. However, some TLS middleboxes may be unprepared for the size of a Kyber key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via enterprise policy. However, long term, post-quantum secure ciphers will be required in TLS.
- Network Service on Windows will be sandboxed
As early as Chrome 116, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Restricting the use of --load-extension
The `--load-extension` command-line switch provides a very low bar for cookie theft malware to load malicious extensions without an installation prompt. Chrome will gradually phase out this switch to reduce this attack vector for malware. Starting in Chrome 116, `--load-extension` will be ignored for users that have enabled Enhanced Safe Browsing.
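For users where the switch is still honored, its use can be watched for in endpoint telemetry. The following is an added example, not from the original release notes: detection logic that flags Chrome launches carrying `--load-extension` in process-creation events. The event schema (`host`, `image`, `parent_image`, `command_line`), the list of Chrome executable names and the sample events are all constructed assumptions.

```python
"""Flag Chrome launches that pass --load-extension in process-creation logs."""
import json
import ntpath

# Executable names treated as Chrome (an assumption; extend for your fleet).
CHROME_IMAGES = {"chrome.exe", "chrome", "google-chrome", "google-chrome-stable",
                 "google chrome"}
# Chromium's command-line parser accepts "--" and "-" switch prefixes, and "/" on Windows.
SWITCH_PREFIXES = ("--", "-", "/")


def split_command_line(cmd):
    """Simplified tokenizer: whitespace separates arguments, double quotes group them."""
    tokens, current, in_quotes, started = [], [], False, False
    for ch in cmd:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                tokens.append("".join(current))
                current, started = [], False
        else:
            current.append(ch)
            started = True
    if started:
        tokens.append("".join(current))
    return tokens


def load_extension_paths(cmd):
    """Return the paths given to --load-extension, or None if the switch is absent."""
    paths = None
    for token in split_command_line(cmd)[1:]:      # skip the executable itself
        if token == "--":                          # end-of-switches marker
            break
        prefix = next((p for p in SWITCH_PREFIXES if token.startswith(p)), None)
        if prefix is None:
            continue
        name, _, value = token[len(prefix):].partition("=")
        if name.lower() == "load-extension":       # value is a comma-separated list
            paths = (paths or []) + [p for p in value.split(",") if p]
    return paths


def find_load_extension(json_lines):
    """Return one finding per Chrome process event that used the switch."""
    hits = []
    for line in json_lines:
        event = json.loads(line)
        # ntpath.basename splits on both "\\" and "/", so it works for any OS path.
        if ntpath.basename(event["image"]).lower() not in CHROME_IMAGES:
            continue
        paths = load_extension_paths(event["command_line"])
        if paths is not None:
            hits.append({"host": event["host"], "parent": event["parent_image"],
                         "paths": paths})
    return hits


CHROME_WIN = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed sample events (hypothetical hosts and paths).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "WS-01", "image": CHROME_WIN, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": '"' + CHROME_WIN + '" --load-extension='
                     r'"C:\Users\alice\AppData\Local\Temp\ext a,C:\ProgramData\upd"'
                     " --no-first-run"},
    {"host": "WS-02", "image": CHROME_WIN, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"' + CHROME_WIN + '" --profile-directory=Default'},
    {"host": "DEV-03", "image": "/opt/google/chrome/chrome", "parent_image": "/usr/bin/bash",
     "command_line": "/opt/google/chrome/chrome -load-extension=/home/dev/src/my-ext"},
    {"host": "WS-04", "image": r"C:\Windows\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe --load-extension=readme.txt"},
]]

if __name__ == "__main__":
    for hit in find_load_extension(SAMPLE_EVENTS):
        print(hit)
```

Developer machines load unpacked extensions this way legitimately, so the parent process and the extension path are what separate expected use from a finding worth triage.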
- Enable access to WebUSB API from extension service workers in Chrome 116
As early as Chrome 116, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Removal of the RendererCodeIntegrityEnabled policy
As early as Chrome 117, the RendererCodeIntegrityEnabled policy will be removed. You can verify whether your third party software works by no longer applying the policy. You can report any issues you encounter by submitting a bug here.
- Chrome 117 will no longer support macOS 10.13 and macOS 10.14
Chrome 117 will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. Starting in Chrome 114, you'll see an infobar that reminds users that Chrome 117 will no longer support macOS 10.13 and macOS 10.14.
- New Chrome Desktop refresh and Chrome menu in Chrome 117
With Google’s design platform moving to Google Material 3, we have an opportunity to modernize our desktop browser across OS’s, leveraging updated UI elements or styling, enhancing personalization through a new dynamic color system, and improving accessibility. The first wave of UI updates will roll out in Chrome 117.
The three dot Chrome menu will also be refreshed, providing a foundation to scale desktop Chrome UI, communications, and personalization. The menu will be updated in phases starting in Chrome 117 with the Desktop Refresh.
- Update for lock icon
We plan to replace the lock icon with a variant of the tune icon, which is commonly used to indicate controls and settings. Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome. Our research has also shown that many users never understood that clicking the lock icon showed important information and controls. We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.
The new icon is scheduled to launch in Chrome 117, which releases in early September 2023, as part of a general design refresh for desktop platforms. Chrome will continue to alert users when their connection is not secure. You can see the new tune icon now in Chrome Canary if you enable Chrome Refresh 2023 at `chrome://flags#chrome-refresh-2023`, but keep in mind this flag enables work that is still actively in-progress and under development, and does not represent a final product.
You can read more in this blog post.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability has been available to control whether Manifest V2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
- Chrome 119 to phase out support for Web SQL
Starting in Chrome 119, to improve user data security, Chrome will remove support for Web SQL. The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. As of today, Chrome is the only major browser with support for Web SQL. The W3C encouraged those needing web databases to adopt Indexed Database or SQLite WASM.
The timeline for the deprecation will be:
- Chrome 115 - Add deprecation message
- Chrome 118 - 123 - Deprecation trial
- Chrome 119 - Ship removal
More details about the deprecation and removal can be found on the Chromestatus page.
An enterprise policy, WebSQLAccess, is available until Chrome 123 to keep Web SQL enabled.
Upcoming ChromeOS changes
- App Streaming on ChromeOS
As early as ChromeOS 115, App Streaming will enhance the Phone Hub experience, by allowing users to see and interact with streamed apps running on their Pixel phone. When a user receives a mirrored conversation notification from their Pixel phone, a simple tap on that notification will kick off an app stream directly to the user's ChromeOS desktop. This is part of a Google-wide ambient computing effort.
- Google Photos Shared Albums
In ChromeOS 104, we let users use Google Photos for Wallpapers and Screensavers, but we restricted access to Shared Albums due to privacy concerns. In Chrome 115, we will address these privacy concerns to allow users to select photos from Shared Albums.
- Removal of permissive Chrome Apps webview behaviors
As early as Chrome 116, Chrome Apps webview usage has the following restrictions:
- SSL errors within webview show an error page that does not provide the user the option to unsafely proceed.
- The use of the webview NewWindow event to attach to a webview element in another App window causes the window reference returned by the `window.open` call in the originating webview to be invalidated.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed will be available to give enterprises time to address possible breakage related to these changes. To test whether this change is the cause of any breakage, without needing to set the enterprise policy, the previous behavior from Chrome 112 and earlier can also be restored by navigating to `chrome://flags` and disabling `chrome://flags/#enable-webview-tag-mparch-behavior`.
This change was originally scheduled for Chrome 113, but was postponed.
Upcoming Admin console changes
Chrome 113
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- First-Party Sets user controls
First-Party Sets is an upcoming framework for developers to declare relationships between domains, such that the browser can make decisions regarding access based on the third party’s relationship to the first party. A set may enjoy first party benefits, including continued access to their cookies when the top-level domain is in the same set.
First-Party Sets are part of Chrome's roadmap for a more privacy-focused web.
Chrome 113 introduces user controls for these First-Party Sets. Two enterprise policies are available to manage First-Party Sets: FirstPartySetsEnabled to enable or disable First-Party Sets, and FirstPartySetsOverrides to apply your own sets.
- Collect additional data for off-store extensions in telemetry reports
When Enhanced Safe Browsing is enabled, Chrome 113 starts collecting additional telemetry on off-store extensions, such as file hashes and the `manifest.json` file. Google servers analyze the data collected to detect malicious off-store extensions (including self-hosted extensions) and improve protection for all Chrome extension users. This functionality along with the entire extension telemetry feature can be turned off by setting SafeBrowsingProtectionLevel to any value other than 2; this disables Enhanced Safe Browsing. Enterprise admins can use the SafeBrowsingProtectionLevel policy if they have any concerns about exposing this data.
- Launching FastCheckout for Checkout experiences
In Chrome 113, some users see updated Autofill options targeting checkout pages on some shopping websites. This can be turned off by disabling either the AutofillAddressEnabled or the AutofillCreditCardEnabled policy.
- Updated Password Management Experience on iOS in Chrome 113
On Chrome on iOS, some users who are signed-in to Chrome but don't have Chrome sync enabled can now use and save passwords in their Google Account. Relevant enterprise policies such as BrowserSignin, SyncDisabled, SyncTypesListDisabled and PasswordManagerEnabled continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.
- Image-set css changes
Chrome 113 implements standard syntax support for image-set and now treats the previously supported `-webkit-` vendor prefix syntax as a parse time alias for the standard. This means that values set with the vendor prefix serialize as standard.
Example:
`-webkit-image-set(url(example.png) 1x)`
Serializes to:
`image-set(url("example.png") 1x)` for specified value (as returned via getPropertyValue() like: `testDiv.style.getPropertyValue("background-image");`)
and to
`image-set(url("example.png") 1dppx)` for computed value (as returned via getComputedStyle() like `window.getComputedStyle(testDiv)["background-image"]`).
If needed, the new behavior can be turned off via the `CSSImageSet` runtime flag. The rendering and image-selection behavior is the same for both the prefixed and standard syntax (Chrome Status).
- Chrome Desktop New tab page: Journeys card
Chrome assists with complex, multi-session task completion through Journeys resumption and next step suggestions on the New tab page. You can control the visibility of cards on the New tab page using the NTPCardsVisible policy.
- Discover Feed on iOS and Android
In Chrome 113, Chrome might prompt some users to see more personalized content in their Discover Feed.
The Discover Feed also allows non-signed-in users to control the types of content they see, using updated personalization options. For example, they may choose to hide content from a certain source.
When users who are not signed in want to make a change to their feed content, Chrome prompts them to sign in or sync. As an admin, you still control user sign-in and sync with the BrowserSignin, SyncDisabled, and SyncTypesListDisabled policies. So, if an enterprise policy prevents sign-in or sync, users see Not available on your device.
- New and updated policies in Chrome browser
Policy
Description
Allow WebRTC text logs collection from Google Services
Override First-Party Sets
Enable First-Party Sets.
Default third-party storage partitioning setting
Block third-party storage partitioning for these origins
Allow Google Lens camera assisted search (now available on iOS)
Allow screen capture without prior user gesture
Restore permissive Chrome Apps webview behavior
Allow file or directory picker APIs to be called without prior user gesture
- Removed policies in Chrome browser
Policy | Description |
---|---|
ChromeRootStoreEnabled | Determines whether the Chrome Root Store and built-in certificate verifier will be used to verify server certificates (removed on Windows and Mac) |
WebSQLNonSecureContextEnabled | Force WebSQL in non-secure contexts to be enabled |
PrefixedStorageInfoEnabled | Re-enable the deprecated window.webkitStorageInfo API |
ChromeOS updates
- Report USB firmware version
Whenever a USB device is plugged or unplugged from a managed ChromeOS device, the USB firmware version is reported alongside existing USB events and telemetry. You can control this using the ReportDevicePeripherals policy, which controls reporting of existing USB events and telemetry.
- Allow policy-provided custom trust anchors at the lock screen
Enterprise and EDU deployments might have proxies that intercept, decrypt and inspect user traffic. This requires the client device to have a CA certificate configured to allow it to trust the proxy server certificate for all web hosts, which is usually issued on the fly. For ChromeOS, enterprise deployments configure such trusted CA certificates through enterprise policy.
These custom policy-provided CA certificates are currently only honored for user traffic and inside the user session, but not at the lock screen. This is an issue for customers who have to do re-authentication at the lock screen, which is enforced by policy, since the proxy set in the user session is enforced at the lock screen but the CA certificate is not accessible.
- Files app inline sync status
This feature moves the existing syncing notification and visual signal to a more granular inline sync status. The status appears adjacent to files in Google Drive that are actively syncing. The status also displays for folders within a hierarchy that have syncing descendants.
- ChromeOS administrator instant reboot
With ChromeOS 113, we give admins the option to trigger ChromeOS reboots via the Admin console to facilitate support flows and apply policies instantly when required. With this option, admins can now instantly apply settings across their fleet, or on a subset of devices. For example, in a cyber attack scenario, admins can now mitigate a current attack by limiting extension permissions and forcing an instant reboot to all affected devices.
A message displays to notify users of the reboot, so they can save any work or manage their time before the reboot occurs.
- Removal of permissive Chrome Apps webview behaviors
In Chrome 113, Chrome Apps webview usage has the following restrictions:
- SSL errors within webview show an error page that does not provide the user the option to unsafely proceed.
- The use of the webview NewWindow event to attach to a webview element in another App window causes the window reference returned by the `window.open` call in the originating webview to be invalidated.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed is available to give enterprises time to address possible breakage related to these changes. To test whether this change is the cause of any breakage, without needing to set the enterprise policy, the previous behavior from Chrome 112 and earlier can also be restored by navigating to `chrome://flags` and disabling `chrome://flags/#enable-webview-tag-mparch-behavior`.
Admin console updates
- Risk Assessment card
In the Extension details page, we have created a new Risk assessment card to show third-party risk scores for public extensions. Learn more.
- New policies in the Admin console
| Policy Name | Pages | Supported on | Category/Field |
|---|---|---|---|
| | User, Managed Guest Session | Chrome (Linux, Mac, Windows), ChromeOS | Additional app settings |
| | User, Managed Guest Session | Chrome (Android), Chrome (Linux, Mac, Windows), ChromeOS | Content |
| | User, Managed Guest Session | Chrome (Android), Chrome (Linux, Mac, Windows), ChromeOS | Content |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Chrome Root Store updates and removal of the ChromeRootStoreEnabled policy
As early as Chrome 114, to improve user security and provide a consistent experience across different platforms, Chrome will switch to its own default root store and built-in certificate verifier on Android, Linux, and ChromeOS. Chrome continues to use custom local roots installed to the operating system’s trust store. See our article about the Chrome Root Program for more information. The Chrome Root Store is already default enabled on Windows and Mac.
We do not anticipate any changes to how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
The ChromeRootStoreEnabled policy allows selective disabling of the Chrome Root Store in favor of the platform root store. You can set this policy to Disabled to force the use of the platform root store, otherwise it is enabled by default. The policy will be made available on Android, Linux, and ChromeOS until Chrome 120.
The ChromeRootStoreEnabled policy has been removed from Windows and Mac in Chrome 113. Support for trusted leaf certificates and the Windows Trusted People store was added for Chrome 111. Support for name constraints on local trust anchors was added back in Chrome 112.
- Support for Private State Tokens
Starting in Chrome 113, the Private State Tokens API will be available for use by websites. Private State Tokens enable trust in a user's authenticity to be conveyed from one context to another, to help sites combat fraud and distinguish bots from real humans—without the exchange of user identifying information. Availability of Private State Tokens will be controlled using a new setting in Chrome settings called Auto-verify. For more information, see this developer blog post.
- New inactive tabs section in the Chrome app on iPhone and iPad
In Chrome 114, old tabs will be hidden under a new Inactive Tabs section in the Tab grid view. Chrome users will be able to access the inactive tabs section to view all old tabs or close them using the new bulk tab functionality. Alternatively, users can bring back an inactive tab by clicking on it.
- Lock profile cookie files on disk
To help protect Chrome users against malware attempting to steal cookie information, Chrome 114 on Windows holds an exclusive lock on the profile cookie files on disk. You can test this behavior to ensure this doesn't interfere with any sanctioned software on your systems by running Chrome with the -enable-features=LockProfileCookieDatabase command line flag on Dev and Beta channel of Chrome 114.
- Changes to Google Password Manager in Chrome 114
In Chrome 114, the password manager will be rebranded as Google Password Manager.
Google Password Manager will offer more functionality and be easier to access. You will be able to access the new look password manager via the three dot menu (previously located in Settings>Autofill). The upgraded Google Password Manager groups similar passwords together, has an improved checkup flow and users will be able to add the password manager to their desktop, for easy access.
- Password management: save and retrieve notes
Chrome 114 will revamp the password management native bubble triggered from the key icon in the omnibox. It will replace the current list of passwords with a new list that allows navigating to the password details view. In the password details view, shown on the right below, users can copy the username or password, unmask the password, and edit the stored note.
- Unpacking Nested Archives in Download Protection
Starting in Chrome 114, users with Safe Browsing enabled will begin recursively unpacking downloads of archives. This extends the long-standing protections Chrome offers against malware and unwanted software to combat techniques being abused by distributors of cookie theft malware. The SafeBrowsingProtectionLevel policy can be used to enable or disable Safe Browsing, including this feature.
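An added illustration (not Chrome's implementation and not code from these release notes) of what recursive unpacking involves for a scanner: it walks nested ZIP archives in memory, hashes every leaf file, and enforces depth and size limits. The limits, the flagged-suffix list, and all function names are assumptions made for the example.

```python
import hashlib
import io
import zipfile
from collections import namedtuple

# Assumed limits for this example; tune them for your own scanner.
MAX_DEPTH = 4
MAX_MEMBER_BYTES = 5_000_000
MAX_TOTAL_BYTES = 20_000_000
# Sample (assumed) set of file types worth flagging when found in an archive.
FLAGGED_SUFFIXES = (".exe", ".scr", ".msi", ".lnk", ".js", ".bat")

Finding = namedtuple("Finding", "path depth sha256 flagged note")


class ArchiveLimitExceeded(Exception):
    """The archive is nested too deeply or expands to too much data."""


def _walk(data, path, depth, budget, max_depth, out):
    if depth > max_depth:
        raise ArchiveLimitExceeded(f"{path}: nested deeper than {max_depth} levels")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}!/{info.filename}"
            if info.flag_bits & 0x1:
                # Encrypted members cannot be inspected: report, never skip silently.
                out.append(Finding(member, depth, None, True, "encrypted"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                raise ArchiveLimitExceeded(f"{member}: declared size over limit")
            with zf.open(info) as fh:
                # Read one byte past the cap so an understated header is caught.
                content = fh.read(MAX_MEMBER_BYTES + 1)
            if len(content) > MAX_MEMBER_BYTES:
                raise ArchiveLimitExceeded(f"{member}: expands past limit")
            budget[0] -= len(content)
            if budget[0] < 0:
                raise ArchiveLimitExceeded(f"{member}: total expansion over limit")
            # Decide by content, not by file name: a renamed archive is still one.
            if zipfile.is_zipfile(io.BytesIO(content)):
                _walk(content, member, depth + 1, budget, max_depth, out)
            else:
                digest = hashlib.sha256(content).hexdigest()
                flagged = info.filename.lower().endswith(FLAGGED_SUFFIXES)
                out.append(Finding(member, depth, digest, flagged, ""))


def inspect_download(data, name="download.zip", max_depth=MAX_DEPTH):
    """Return a Finding for every leaf file, however deeply it is nested."""
    findings = []
    try:
        _walk(data, name, 0, [MAX_TOTAL_BYTES], max_depth, findings)
    except zipfile.BadZipFile as exc:
        findings.append(Finding(name, 0, None, True, f"unreadable archive: {exc}"))
    return findings


def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed placeholder bytes, not a real executable.
SAMPLE_PAYLOAD = b"MZ constructed placeholder, not a real executable"


def build_sample():
    """Constructed sample: setup.exe sits two archive levels below the download."""
    inner = _zip({"setup.exe": SAMPLE_PAYLOAD})
    docs = _zip({"inner.zip": inner, "notes.txt": b"constructed"})
    return _zip({"readme.txt": b"constructed sample", "docs.zip": docs})


if __name__ == "__main__":
    for finding in inspect_download(build_sample()):
        print(finding)
```

A scanner that only lists the top-level members of this sample sees readme.txt and docs.zip; the flagged file appears only once the walk recurses.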
- Separate storage of settings synced to account in Chrome 114
For Chrome users on iOS and Android who have Sync enabled, settings synced to their Google account will be kept separate from the local Chrome settings, which were set when Sync was turned off. This will allow for strictly less data sharing than previously: local settings don’t get automatically uploaded when turning on Sync, and no settings from the account are left behind on the device when Sync is turned off. This feature is still disabled by default and can be enabled via chrome://flags#enable-preferences-account-storage.
There are two existing policies to disable Sync functionality, which will continue to apply:
- SyncDisabled: Disables the entire Chrome Sync infrastructure, including settings.
- SyncTypesListDisabled: Disables specified individual Sync data types. The existing value preferences covers settings.
- Network Service on Windows will be sandboxed
As early as Chrome 115, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Enable access to WebUSB API from extension service workers in Chrome 115
As early as Chrome 115, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events, as early as Chrome 115. In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of an API and a group policy which will allow you to selectively keep the behavior unchanged.
- Release cycle changes
Chrome 115 stable release will be moved from June 27 to July 18. All dates after this have been adjusted to account for this delay. Please see the Chromium Dash Schedule for updated dates.
- Read mode
As more content is read online, we’re adding reading mode, a new feature in Chrome browser that enhances the reading experience on the web for everyone. Reading mode reduces distracting elements through a resizable and customizable reader view in the Chrome browser side panel, enabling readers to focus on the primary content. Users can also customize the font, text size, spacing, theme/background color, and more, making for a more cohesive, intuitive, and comfortable reading experience.
- HTTP requests upgraded to HTTPS in Chrome 115
As early as Chrome 115, some users may see HTTP requests automatically upgraded to HTTPS. Any page that can't load via HTTPS is automatically reverted back to HTTP. For standard server configurations, this shouldn't have any visible effect, but improves your users' security.
Some server configurations may cause issues, for example if different content is served via HTTP and HTTPS. Users can disable automatic upgrading for a specific site by changing "Insecure Content" site setting to enabled, accessible via Page Info or chrome://settings/content. You can control this behavior with the HttpsUpgradesEnabled policy, and allowlist specific sites with the HttpAllowlist policy.
In the long term, you should ensure that your organization's servers support HTTPS and serve the same content on both HTTP and HTTPS. If you don't intend to support HTTPS (e.g. on an internal intranet behind a firewall), servers shouldn't respond to port 443, and firewalls should close the connection rather than leave it hanging.
- Deprecation Trial for unpartitioned third-party Storage, Service Workers, and Communication APIs
Beginning gradually in Chrome 115, storage, service workers, and communication APIs will be partitioned in third-party contexts. In addition to being isolated by the same-origin policy, the affected APIs used in third-party contexts will also be separated by the site of the top-level context. Sites that haven’t had time to implement support for third-party storage partitioning can take part in a deprecation trial. During the trial, sites can temporarily unpartition (continue isolation by same-origin policy but remove isolation by top-level site) and restore prior behavior of storage, service workers, and communication APIs in content embedded on their site.
The following APIs remain unpartitioned in third-party contexts should you enroll the top-level site in the DisableThirdPartyStoragePartitioning deprecation trial: Storage APIs (such as localStorage, sessionStorage, IndexedDB, Quota, and so on), Communication APIs (such as BroadcastChannel, SharedWorkers, and WebLocks), and ServiceWorker API.
Chrome 113 also adds the DefaultThirdPartyStoragePartitioningSetting enterprise policy, which unpartitions APIs in all third-party contexts, as well as ThirdPartyStoragePartitioningBlockedForOrigins, which unpartitions APIs for third-party contexts when the first-party context’s origin matches the list. Both will be supported for at least 12 milestones. You can read more in this blog post.
- Changes to phishing protection on Android as early as Chrome 115
When a user authenticates to Android with their Google password, for example, during account setup, Chrome will be notified so the password can begin receiving phishing protection when surfing the Web with Chrome. In previous versions of Chrome on Android, users needed to explicitly provide their password within a Chrome tab, for example, sign in to Gmail, to receive phishing protection for their Google password.
You can disable warnings regarding password reuse by setting PasswordProtectionWarningTrigger to 0.
- Chrome 117 will no longer support macOS 10.13 and macOS 10.14
Chrome 117 will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security.
- Extensions must be updated to leverage Manifest V3
Chrome 112 enables access to the WebHID API from extension service workers, as a migration path for Manifest V2 extensions that currently access the API from a background page. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users, for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability has been available to control whether Manifest V2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration, the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
Upcoming ChromeOS changes
- Cursive pre-installed for Enterprise and Education accounts
As early as ChromeOS 114, Cursive, a stylus-first notes app, will be available for Chromebook. It will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks. If you want to block access to the app, you can prevent Chromebooks in your enterprise from accessing cursive.apps.chrome.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 114, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
- Mandatory extensions for Incognito navigation
In Chrome OS 114, Extensions allow admins to enforce security features and customizations in their OU but they cannot be enforced in Incognito mode without user consent. This can be a problem as users can bypass extension-set features, for example, proxies by using Incognito mode for navigation.
The MandatoryExtensionsForIncognitoNavigation policy will allow administrators to configure a list of extensions, which users need to explicitly allow to run in Incognito, to use Incognito mode for navigation.
- App Streaming on Chrome OS
In Chrome OS 114, App Streaming will enhance the Phone Hub experience, by allowing users to see and interact with streamed apps running on their Pixel phone. When a user receives a mirrored conversation notification from their Pixel phone, a simple tap on that notification will kick off an app stream directly to the user's Chrome OS desktop. This is part of a Google-wide ambient computing effort.
Chrome 112
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Unused site permissions module in safety check
Chrome’s safety check can confirm the overall security and privacy of the browsing experience. It tells you if any passwords saved in Chrome have been compromised, flags dangerous extensions, and helps you ensure that your security protections are up to date.
Starting with Chrome 112, safety check includes auto-revocation of unused site permissions on Chrome. Chrome resets permissions from sites that users have not visited for a while. Chrome revokes permissions automatically and offers options to opt out or re-grant. Permissions granted by enterprise policies are not affected.
- Default to origin-keyed agent clustering
Starting in Chrome 112, websites can no longer set document.domain. Websites now need to use alternative approaches such as postMessage() or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it now needs to send an Origin-Agent-Cluster: ?0 header along with all documents that require that behavior. You can read more in this blog post.
Note: The OriginAgentClusterDefaultEnabled enterprise policy allows you to extend the current behavior. document.domain has no effect if only one document sets it.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, we are phasing out support for Chrome apps in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 112 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome apps are still launchable.
Starting with Chrome 112, Chrome apps on Windows, Mac and Linux no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property | Extension ID (Chrome app) | install_url (PWA / Web app) |
---|---|---|
Gmail | pjkljhegncpnkpknbcohdijeoejaedia | https://mail.google.com/mail/installwebapp?usp=admin |
Docs | aohghmighlieiainnegkcijnfilokake | https://docs.google.com/document/installwebapp?usp=admin |
Drive | apdfllckaahabafndbhieahigkjlhalf | https://drive.google.com/drive/installwebapp?usp=admin |
Sheets | felcaaldnbdncclmgdcncolpebgiejap | https://docs.google.com/spreadsheets/installwebapp?usp=admin |
Slides | aapocclcgogkmnckokdopfmhonfmgoek | https://docs.google.com/presentation/installwebapp?usp=admin |
YouTube | blpcfgokakmgnkcojhhkbfbldkacnbeo | https://www.youtube.com/s/notifications/manifest/cr_install.html |
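One way to script the migration described above, as an added example that is not part of the original release notes. It assumes the "force-install extension list" is the ExtensionInstallForcelist policy (entries of the form "id;update_url") and the "web app force install list" is the WebAppInstallForceList policy; the function name, the default launch container, and the sample input are assumptions of the example.

```python
import re

# Extension ID -> install_url, copied from the table above.
CHROME_APP_TO_PWA = {
    "pjkljhegncpnkpknbcohdijeoejaedia": "https://mail.google.com/mail/installwebapp?usp=admin",
    "aohghmighlieiainnegkcijnfilokake": "https://docs.google.com/document/installwebapp?usp=admin",
    "apdfllckaahabafndbhieahigkjlhalf": "https://drive.google.com/drive/installwebapp?usp=admin",
    "felcaaldnbdncclmgdcncolpebgiejap": "https://docs.google.com/spreadsheets/installwebapp?usp=admin",
    "aapocclcgogkmnckokdopfmhonfmgoek": "https://docs.google.com/presentation/installwebapp?usp=admin",
    "blpcfgokakmgnkcojhhkbfbldkacnbeo": "https://www.youtube.com/s/notifications/manifest/cr_install.html",
}
# Extension IDs are 32 characters drawn from the letters a to p.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")


def migrate_forcelists(extension_forcelist, webapp_forcelist=()):
    """Move the Chrome apps listed above from the extension list to the web app list.

    Entries that are not in the table stay where they are; malformed entries are
    kept too, but reported, so that nothing is dropped silently.
    """
    kept, migrated, malformed = [], [], []
    web = [dict(entry) for entry in webapp_forcelist]  # copy, do not mutate input
    present = {entry.get("url") for entry in web}
    for entry in extension_forcelist:
        ext_id = entry.split(";", 1)[0].strip()
        if not EXTENSION_ID.match(ext_id):
            malformed.append(entry)
            kept.append(entry)
            continue
        install_url = CHROME_APP_TO_PWA.get(ext_id)
        if install_url is None:
            kept.append(entry)  # a regular extension, or an app not in the table
            continue
        migrated.append(ext_id)
        if install_url not in present:
            # "window" is an assumed default; an existing entry keeps its own setting.
            web.append({"url": install_url, "default_launch_container": "window"})
            present.add(install_url)
    return {
        "ExtensionInstallForcelist": kept,
        "WebAppInstallForceList": web,
        "migrated": migrated,
        "malformed": malformed,
    }


# Constructed sample policy values; the second ID is made up for the example.
SAMPLE_EXTENSIONS = [
    "pjkljhegncpnkpknbcohdijeoejaedia;https://clients2.google.com/service/update2/crx",
    "abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx",
    "apdfllckaahabafndbhieahigkjlhalf",
    "not-an-id",
]
SAMPLE_WEB_APPS = [
    {"url": "https://drive.google.com/drive/installwebapp?usp=admin",
     "default_launch_container": "tab"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(migrate_forcelists(SAMPLE_EXTENSIONS, SAMPLE_WEB_APPS), indent=2))
```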
- Auto-upgrade mixed content to HTTPS on iOS
Chrome 112 on iOS starts automatically upgrading passive mixed content (HTTP image, audio and video on HTTPS pages) to HTTPS, when possible. Previously, Chrome on iOS blocked passive mixed content. All other Chrome platforms auto-upgrade passive mixed content, when possible. An enterprise policy, MixedContentAutoupgradeEnabled, is available to disable mixed content auto-upgrading on HTTPS sites on iOS. The policy will be removed in Chrome 116.
- Chrome Root Store updates and removal of the ChromeRootStoreEnabled policy
Chrome 112 now enforces name constraints on root certificates. This matches the behavior prior to the launch of the Chrome Root Store in Chrome 106. If you previously disabled the Chrome Root Store to work around this issue, you can test again with Chrome 112. If you relied on Chrome not enforcing name constraints, we have provided a temporary EnforceLocalAnchorConstraintsEnabled policy to disable this behavior. This policy will be removed in the future.
As early as Chrome 113, to improve user security and provide a consistent experience across different platforms, Chrome will switch to its own default root store and built-in certificate verifier on Android, Linux, and ChromeOS. Chrome continues to use custom local roots installed to the operating system’s trust store. The Chrome Root Store is already default enabled on Windows and Mac.
We do not anticipate any changes to how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
The ChromeRootStoreEnabled policy allows selective disabling of the Chrome Root Store in favor of the platform root store. You can set this policy to Disabled to force the use of the platform root store, otherwise it is enabled by default. The policy will be made available on Android, Linux, and ChromeOS until Chrome 120.
The ChromeRootStoreEnabled policy will be removed from Windows and Mac on Chrome 113. Support for trusted leaf certificates and the Windows Trusted People store was added for Chrome 111. If you previously disabled the Chrome Root Store to work around either of these issues, you can test again with Chrome 112.
- Updated onboarding experience
In Chrome 112, some users see a simplified onboarding experience with a more intuitive way to sign into Chrome. Enterprise policies like BrowserSignin, SyncDisabled, RestrictSigninToPattern and SyncTypesListDisabled continue to be available as before to control whether the user can sign into Chrome and turn on sync. You can use the PromotionalTabsEnabled policy to skip onboarding altogether.
- Changes to HTTPS policies
The HttpsOnlyMode policy now supports force_enabled. This enables the Always use secure connections setting on chrome://settings/security and prevents the user from disabling it. The setting causes a bypassable error interstitial to be displayed before any navigation to a non-HTTPS site. Users can always bypass the error interstitial, and the decision to bypass is remembered for one week. We’ve also added the HttpAllowlist policy, which you can use to define a list of hosts or hostname patterns that are allowed to be non-HTTPS without an error interstitial. For example, you can use the HttpAllowlist policy to allowlist internal sites that might be HTTP-only.
- Add websites and PWAs to the home screen on iOS
Starting in Chrome 112, you can bookmark a website on the iOS device's home screen. If the website offers a Progressive Web App (PWA), then this action adds the app to the home screen. Otherwise, the bookmark opens in the default browser when you tap it. This feature is available on iOS 16.4 and above.
- New Chrome Sync data types available in Takeout
In Chrome 112, additional Chrome data is available to export in Takeout and Domain Wide Takeout (DWT). The following data types are available: AUTOFILL, PRIORITY_PREFERENCE, WEB_APP, DEVICE_INFO, TYPED_URL, ARC_PACKAGE, OS_PREFERENCE, OS_PRIORITY_PREFERENCE, PRINTER.
You can control which data types are synced to Chrome Sync using the SyncTypesListDisabled enterprise policy. Instructions on allowing or blocking Takeout can be found in this help center article.
- Autofill on iOS
In Chrome 112, some iOS users see a prompt to choose Chrome for Autofill in their iOS settings. The user can choose to learn more, dismiss the prompt forever, or be reminded again later. The prompt can appear after the user has copied a password from the Chrome password manager, saved a password, or logged into a website using an existing saved password. An enterprise policy, CredentialProviderPromoEnabled, is available to disable any appearance of the prompt.
- Android WebView phases out the X-Requested-With header starting from version 112
To improve privacy, Android WebView begins phasing out the X-Requested-With HTTP request header. Sites that currently rely on this header can sign up for the Deprecation Origin Trial, which will allow them to continue to receive the header. The deprecation trial is planned to run for at least one year, but will continue until replacement APIs have been launched to address the current use cases for the header. Apps can also enable the header for individual destination origins by using a newly introduced AndroidX API. Using this API will continue to provide the header to sites past the end of the deprecation trial.
- Web auth flow to use browser tab instead of App window
In Chrome 112, the authorization page for web auth flow in Chrome extensions now displays either in a new tab or a popup window. This change concerns two API methods: launchWebAuthFlow and getAuthToken. It resolves several existing UX problems:
- the authorization page now displays a URL which protects against phishing attacks.
- sign-in state is now shared with all browser tabs; no need to sign-in into extension separately.
- sign-in state is persisted on Chrome restart.
- fixed accessibility issues of App window.
- Chrome for Testing
In Chrome 112, Puppeteer, Chrome's browser automation library, uses the Chrome for Testing binary instead of a Chromium binary. In case you have the Chromium binary allowlisted, you can allowlist the Chrome for Testing binary too.
Chrome for Testing is a dedicated Chrome flavor for the automated testing use case. It’s not an end-user facing product, but rather a tool to be used by automation engineers through other projects such as Puppeteer. Chrome for Testing is a completely separate binary from regular Chrome.
- Price tracking on iOS
Chrome 112 on iOS enables users to track the prices of products across the web, and receive notifications when the price drops. An enterprise policy, ShoppingListEnabled, is available to control this shopping feature.
- New and updated policies in Chrome browser
| Policy | Description |
|---|---|
| | Determine the availability of variations (now available on Android). |
| | Disable HTTPS upgrades for some hostnames, potentially decreasing user security. |
| | Enable automatic HTTPS upgrades. |
| | Determines whether the built-in certificate verifier will enforce constraints encoded into trust anchors loaded from the platform trust store. |
| ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls | Configure a list of origins that grant extended background lifetime to the connecting extensions. |
| | Allow the shopping list feature to be enabled (now available on iOS). |
| | Allows users to be shown the Credential Provider Extension promo. |
ChromeOS updates
- Screencast supports multi-language transcription in recordings
ChromeOS 112 dramatically expands Screencast recording capabilities by including a wide range of languages by integrating with Google's S3 transcription API.
The Screencast app for ChromeOS lets users record transcribed screencasts on their Chromebook. In previous versions, this feature was available in EN-US only, which meant that only English speaking users in the US could record screencasts. Soon, it will be possible to record and transcribe screencasts in a wide range of languages including Spanish, Japanese, French, Italian, and German.
- Fast Pair saved devices
ChromeOS 112 adds a subpage to Fast Pair settings for saved devices, where users can view their device associations, remove any that may be unwanted, and configure whether they want Fast Pair-paired devices to automatically save to their account. This experience mirrors the management capabilities already available for Fast Pair on Android today, and was explicitly requested as a fast-follow improvement by the ChromeOS Privacy team.
- Introducing the Rupee symbol on US-English keyboards in India
ChromeOS 112 adds the Rupee symbol ₹ to both the virtual keyboard and the physical keyboard, where AltGr+4 is the rupee symbol (hold right-alt + 4).
The compact virtual keyboard just moves some currency keys around so that you can access the Rupee symbol in the more symbols menu. For accessibility, the virtual keyboard has the AltGr layer toggle available, which lets you type AltGr+4 and get the rupee symbol.
Admin console updates
- Device Token Management policy for device token deletion
A new policy allows Chrome Browser Cloud Management administrators to delete the device token on the end-point devices when deleting a browser from the managed browsers list in the Admin console.
When the new Delete token value is selected and a browser is deleted from the Managed browser list, the browser automatically re-enrolls in Chrome Browser Cloud Management the next time it is online, if the enrollment token was not deleted on the device and the enrollment token is still active. The default value remains to invalidate the device token.
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
PrivacySandboxSiteEnabledAdsEnabled | User & Browser Settings | Chrome (Linux, Mac, Windows), ChromeOS, Android | Security > Privacy Sandbox > Control whether privacy sandbox prompts. |
PrivacySandboxPromptEnabled | User & Browser Settings | Chrome (Linux, Mac, Windows), ChromeOS, Android | Security > Controls whether the Privacy Sandbox Site-suggested ads setting can be disabled for your users. |
PrivacySandboxAdTopicsEnabled | User & Browser Settings | Chrome (Linux, Mac, Windows), ChromeOS, Android | Security > Controls whether your users see the Privacy Sandbox prompt. |
PrivacySandboxAdMeasurementEnabled | User & Browser Settings | Chrome (Linux, Mac, Windows), ChromeOS, Android | Security > Controls whether the Privacy Sandbox Ad measurement setting can be disabled for your users. |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Changes to phishing protection on Android as early as Chrome 113
When a user authenticates to Android with their Google password, for example, during account setup, Chrome will be notified so the password can begin receiving phishing protection when surfing the Web with Chrome. In previous versions of Chrome on Android, users needed to explicitly provide their password within a Chrome tab, for example, sign in to Gmail, to receive phishing protection for their Google password.
You can disable warnings regarding password reuse by setting PasswordProtectionWarningTrigger to 0.
- Deprecation Trial for Unpartitioned third-party Storage, Service Workers, and Communication APIs
Beginning gradually in Chrome 113, storage, service workers, and communication APIs will be partitioned in third-party contexts. In addition to being isolated by the same-origin policy, the affected APIs used in third-party contexts would also be separated by the site of the top-level context. Sites that haven’t had time to implement support for third-party storage partitioning can take part in a deprecation trial to temporarily unpartition (continue isolation by same-origin policy but remove isolation by top-level site) and restore prior behavior of storage, service workers, and communication APIs in content embedded on their site.
The following APIs will remain unpartitioned in third-party contexts should you enroll the top-level site in the DisableThirdPartyStoragePartitioning deprecation trial: Storage APIs (such as localStorage, sessionStorage, IndexedDB, Quota, and so on), Communication APIs (such as BroadcastChannel, SharedWorkers, and WebLocks), and ServiceWorker API.
Chrome 113 will also add the DefaultThirdPartyStoragePartitioningSetting enterprise policy, which will unpartition APIs in all third-party contexts, as well as ThirdPartyStoragePartitioningBlockedForOrigins, which will unpartition APIs for third-party contexts when the first-party context’s origin matches the list. Both will be supported for at least 12 milestones. You can read more in the blog post.
- First-Party Sets user controls
First-Party Sets is an upcoming framework for developers to declare relationships between domains, such that the browser can make decisions regarding access based on the third party’s relationship to the first party. A set may enjoy first party benefits, including continued access to their cookies when the top-level domain is in the same set.
First-Party Sets are part of Chrome's roadmap for a more privacy-focused web.
Chrome 113 will introduce user controls for these First-Party Sets. Two enterprise policies will be made available to manage First-Party sets: one to disable First-Party Sets and one to provide your own sets.
- Removal of permissive Chrome Apps webview behaviors
In Chrome 113, Chrome Apps webview usage will have the following restrictions:
- SSL errors within webview will show an error page that does not provide the user the option to unsafely proceed.
- The use of the webview NewWindow event to attach to a webview element in another App window will cause the window reference returned by the window.open call in the originating webview to be invalidated.
In Chrome 112, you’ll be able to test out this new behavior by navigating to chrome://flags and enabling the chrome://flags/#enable-webview-tag-mparch-behavior flag.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed will be available to give enterprises time to address possible breakage related to these changes.
- Collect additional data for off-store extensions in telemetry reports
When Enhanced Safe Browsing is enabled, Chrome 113 will start collecting additional telemetry on off-store extensions, such as file hashes and the manifest.json file. The data collected are analyzed on Google servers to detect malicious off-store extensions (including self-hosted extensions) and improve protection for all Chrome extension users. This functionality along with the entire extension telemetry feature can be turned off by setting SafeBrowsingProtectionLevel to any value other than 2; this disables Enhanced Safe Browsing. Enterprise admins can use the SafeBrowsingProtectionLevel policy if they have any concerns about exposing this data.
- Launching FastCheckout for Checkout experiences
In Chrome 113, some users will see an updated Autofill UI targeting checkout pages on shopping websites. It can be disabled by disabling either the AutofillAddressEnabled or the AutofillCreditCardEnabled policy.
- Updated Password Management Experience on iOS in Chrome 113
On Chrome on iOS, some users who are signed-in to Chrome but don't have Chrome sync enabled will be able to use and save passwords in their Google Account. Relevant enterprise policies such as BrowserSignin, SyncDisabled, SyncTypesListDisabled and PasswordManagerEnabled will continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.
- Image-set css changes
Chrome 113 implements standard syntax support for image-set and will treat the previously supported -webkit- vendor prefix syntax as a parse time alias for the standard. As a result of this, values set with the vendor prefix will serialize as standard.
Example:
-webkit-image-set(url(example.png) 1x)
Will serialize to:
image-set(url("example.png") 1x)
for specified value (as returned via getPropertyValue(), like testDiv.style.getPropertyValue("background-image");) and to:
image-set(url("example.png") 1dppx)
for computed value (as returned via getComputedStyle(), like window.getComputedStyle(testDiv)["background-image"]).
If needed, the new behavior can be turned off via the CSSImageSet runtime flag. The rendering and image-selection behavior will be the same for both the prefixed and standard syntax (Chrome Status).
- Support for Private State Tokens
Starting in Chrome 113, the Private State Tokens API will be available for use by websites. Private State Tokens enable trust in a user's authenticity to be conveyed from one context to another, to help sites combat fraud and distinguish bots from real humans—without the exchange of user identifying information. Availability of Private State Tokens will be controlled using a new setting in Chrome settings called Auto-verify.
- Enable access to WebUSB API from extension service workers in Chrome 114
As early as Chrome 114, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Changes to Google Password Manager in Chrome 114
In Chrome 114 the password manager will be re-branded as Google Password Manager.
Google Password Manager will offer more functionality and will be easier to access. You will be able to access the new-look password manager via the three-dot menu (previously located in Settings > Autofill). The upgraded Google Password Manager groups similar passwords together and has an improved checkup flow, and users will be able to add the password manager to their desktop for easy access.
- Network Service on Windows will be sandboxed
As early as Chrome 114, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 117 will no longer support macOS 10.13 and macOS 10.14
Chrome 117 will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability will be available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
Upcoming ChromeOS changes
- Cursive pre-installed for Enterprise and Education accounts
In ChromeOS 113, Cursive, a stylus-first notes app, will be available for Chromebook. It will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks. If you want to block access to the app, you can prevent Chromebooks in your enterprise from accessing cursive.apps.chrome.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 114, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
Upcoming Admin console changes
Chrome 111
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Reminder of change in launch schedule | ✓ | ||
Privacy Sandbox updates in Chrome 111 | ✓ | ||
PPB_VideoDecoder(Dev) API removed | ✓ | ||
New Chrome sync dialog in Chrome for Desktop | ✓ | ||
Payment Handler API requires CSP connect-src | ✓ | ||
Out-of-process System DNS Resolution | ✓ | ||
Azure AD single sign-on (SSO) | ✓ | ||
Web speech recognition API on iOS | ✓ | ||
Chrome updater on Windows and Mac serves the most recent 12 versions | ✓ | ||
Policy name changes | ✓ | ||
Chrome Browser Cloud Management subscription | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Fast Pair | ✓ | ||
Keyboard shortcuts link in Text app | ✓ | ||
Print job origin identification for managed devices | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Configure print server policies with Google groups | ✓ | ||
New policies in Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
LegacySameSiteCookieBehaviorEnabledForDomainList policy extended | ✓ | ||
Enable access to WebHID API from extension service workers in Chrome 112 | ✓ | ||
Unused site permissions module in Safety Check | ✓ | ||
Default to origin-keyed agent clustering in Chrome 112 | ✓ | ||
New Chrome Sync data types available in Takeout in Chrome 112 | ✓ | ||
Chrome for Testing | ✓ | ||
Policy troubleshooting page available on Android | ✓ | ||
Risk Assessment card | ✓ | ||
Chrome apps no longer supported on Windows, Mac, and Linux | ✓ | ||
Auto upgrade mixed content to HTTPS | ✓ | ||
Launching FastCheckout for Checkout experiences | ✓ | ||
Collect additional data for off-store extensions in telemetry reports | ✓ | ||
Updated onboarding experience | ✓ | ||
Deprecation trial for unpartitioned 3rd party Storage, Service Workers, and Communication APIs | ✓ | ||
Changes to phishing protection on Android as early as Chrome 113 | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Enable access to WebUSB API from extension service workers in Chrome 113 | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | |
First-Party Sets user controls | ✓ | ||
Removal of ChromeRootStoreEnabled policy | ✓ | ||
Full History sync | ✓ | ||
Removal of permissive Chrome Apps webview behaviors | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Screencast supports multi-language transcription in recordings | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ | |
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
New Chrome browser insights | ✓ | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Reminder of change in launch schedule
Starting in Chrome 110, Chrome started rolling out to the Stable channel one week earlier than previously planned to a very small subset of users. For example, the Chrome 111 Stable release moves from March 7 to March 1, 2023.
You can also expect to see a much smaller rollout at a significantly reduced percentage of our user population for the first week of the published Stable release date. The wider rollout to most users happens at a similar timeframe to the earlier communicated dates. This slower initial rollout leads to better stability and makes it easier for enterprises to stay on the latest and safest version of Chrome.
For more details, read about managing Chrome updates and check out the Chrome release schedule.
- Privacy Sandbox updates in Chrome 111
Chrome 111 updates the user experience of the new ad privacy features related to the Privacy Sandbox project. As part of this, Chrome now shows users a confirmation dialog that introduces the new features to users, and directs them to the appropriate settings pages to allow them to set their preferences.
IT admins can disable Chrome's Privacy Sandbox settings via the PrivacySandboxAdTopicsEnabled, PrivacySandboxSiteEnabledAdsEnabled, and PrivacySandboxAdMeasurementEnabled enterprise policies, and suppress the user-facing prompt via the PrivacySandboxPromptEnabled policy.
For more information, see the developer documentation about Privacy Sandbox technologies in Chrome.
- PPB_VideoDecoder(Dev) API removed
The PPB_VideoDecoder(Dev) API was introduced for Adobe Flash. Since Flash is no longer supported in Chrome, we are removing this API in Chrome 111. If you need any extra time to migrate legacy applications, you can use the ForceEnablePepperVideoDecoderDevAPI enterprise policy. This policy will only be supported through Chrome 114. If you need to use the policy after that, file a bug on crbug.com before May 5, 2023, explaining your use case.
- New Chrome sync dialog in Chrome for Desktop
Some users now see a visually updated dialog to turn on Chrome Sync in Chrome 111. Relevant enterprise policies such as BrowserSignin, SyncDisabled, RestrictSigninToPattern and SyncTypesListDisabled continue to work as before to configure Chrome sync.
- Payment Handler API requires CSP connect-src
If your organization uses the Web Payment API (Payment Handler and Payment Request) and also uses Content-Security-Policy (CSP) for better protection, then you need to add the domains of HTTP requests sent from the Web Payment API to the connect-src directive of the CSP. This is enforced in Chrome 111. For more information, see this developer blog post.
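One way to check a site's policy before this enforcement reaches users, as an added example that is not Chrome's own code: the script below parses a Content-Security-Policy header, applies the connect-src fallback to default-src, and lists the payment request URLs the policy would block. The origin, header and URLs are constructed samples, and the source matching is a simplified reading of CSP (no IPv6 literals, no percent-decoding of paths, strict 'self').

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Return {directive: [sources]}; a repeated directive is ignored, as in CSP."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_connect_src(policy):
    """connect-src falls back to default-src; None means fetches are unrestricted."""
    if "connect-src" in policy:
        return policy["connect-src"]
    return policy.get("default-src")


def scheme_matches(allowed, actual):
    """An insecure scheme in the policy also matches its secure upgrade."""
    upgrades = {"http": {"https"}, "ws": {"wss", "http", "https"}, "wss": {"https"}}
    return allowed == actual or actual in upgrades.get(allowed, set())


def origin_tuple(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def source_allows(source, url, page_origin):
    """True if one CSP source expression permits a request to url."""
    scheme, host, port = origin_tuple(url)
    path = urlsplit(url).path or "/"
    if source.lower() == "'self'":
        return origin_tuple(page_origin) == (scheme, host, port)
    if source == "*":
        return scheme in DEFAULT_PORTS
    if source.startswith("'"):
        return False  # 'none', nonces and hashes never match a URL
    if source.endswith(":") and "/" not in source:
        return scheme_matches(source[:-1].lower(), scheme)  # scheme-source
    # host-source: [scheme://]host[:port][/path]
    src_scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    hostport, slash, src_path = rest.partition("/")
    src_host, _, src_port = hostport.partition(":")
    src_host = src_host.lower()
    want_scheme = src_scheme.lower() if src_scheme else origin_tuple(page_origin)[0]
    if not scheme_matches(want_scheme, scheme):
        return False
    if src_host.startswith("*."):
        # "*.pay.example" covers subdomains only, never pay.example itself
        if not host.endswith(src_host[1:]):
            return False
    elif src_host != "*" and src_host != host:
        return False
    if src_port == "*":
        pass
    elif src_port:
        if int(src_port) != port:
            return False
    elif port != DEFAULT_PORTS.get(scheme):
        return False
    if slash:
        src_path = "/" + src_path
        return path.startswith(src_path) if src_path.endswith("/") else path == src_path
    return True


def blocked_requests(csp_header, page_origin, request_urls):
    """URLs from request_urls that the policy's connect-src would refuse."""
    sources = effective_connect_src(parse_csp(csp_header))
    if sources is None:
        return []
    return [u for u in request_urls
            if not any(source_allows(s, u, page_origin) for s in sources)]


# Constructed sample data: a shop page and the requests its payment flow makes.
PAGE_ORIGIN = "https://shop.example"
CSP = "default-src 'self'; img-src *; connect-src 'self' https://*.pay.example"
PAYMENT_URLS = [
    "https://shop.example/pay/manifest.json",
    "https://api.pay.example/session",
    "https://pay.example/payment-manifest.json",
    "https://tokens.bank.example/v1/authorize",
]

if __name__ == "__main__":
    for url in blocked_requests(CSP, PAGE_ORIGIN, PAYMENT_URLS):
        print("not covered by connect-src:", url)
```

In the sample, the wildcard source covers api.pay.example but not the bare pay.example host, which is the kind of gap that only shows up once enforcement is on.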
- Out-of-process System DNS Resolution
Starting gradually in Chrome 111, as part of the Linux and Android network service sandboxes, system DNS resolution moves out of the network service and into the unsandboxed browser process, as system DNS resolution cannot run while sandboxed on these platforms. The Enterprise policy OutOfProcessSystemDnsResolutionEnabled is available to control this feature. Setting this policy to false causes system DNS resolution to run in the network process rather than the browser process. This might force the network service sandbox to be disabled, degrading the security of Google Chrome.
- Azure AD single sign-on (SSO)
Chrome 111 now supports automatic sign-on into Microsoft identity providers using account information from Microsoft Windows. This feature is disabled by default and can be enabled using the CloudAPAuthEnabled policy.
- Chrome updater on Windows and Mac serves the most recent 12 versions
The Chrome updater now supports serving versions of Chrome that reached 100% rollout, within the latest 12 releases on the Beta, Stable, and Extended Stable channels. If you're using the TargetVersionPrefix enterprise policy, ensure you are within 12 versions of the latest release. If you don't manually manage Chrome updates, no action is required.
- Policy name changes
We’ve renamed the policies related to Window Placement, to better align with the underlying API and permissions, which have recently been renamed to Window Management. Starting in Chrome 111, DefaultWindowManagementSetting, WindowManagementAllowedForUrls, WindowManagementBlockedForUrls, WindowManagementSettings policies now supersede the DefaultWindowPlacementSetting, WindowPlacementAllowedForUrls, and WindowPlacementBlockedForUrls policies. The WindowPlacement variants will be removed in a future version. The WindowPlacementSettings atomic group has been renamed to WindowManagementSettings.
- Chrome Browser Cloud Management subscription
As early as March 2023, the Chrome Browser Cloud Management (CBCM) subscription will be automatically added to all Admin console accounts who are using CBCM without the subscription. CBCM customers are now required to have the Chrome Browser Cloud Management subscription to use the service. This change adds no new cost to your existing account and there are no actions required.
- New and updated policies in Chrome browser
Policy | Description |
---|---|
DomainReliabilityAllowed | Allow reporting of domain reliability related data. |
MixedContentAutoupgradeEnabled | Enable mixed content auto upgrading on HTTPS sites. |
DefaultWindowManagementSetting | Default Window Management permission setting. |
WindowManagementAllowedForUrls | Allow Window Management permission on these sites. |
WindowManagementBlockedForUrls | Block Window Management permission on these sites. |
OutOfProcessSystemDnsResolutionEnabled | Enable system DNS resolution outside of the network service. |
ForceEnablePepperVideoDecoderDevAPI | Enable support for the PPB_VideoDecoder(Dev) API. |
CloudAPAuthEnabled | Allow automatic sign-in to Microsoft® cloud identity providers. |
PrivacySandboxPromptEnabled | Choose whether the Privacy Sandbox prompt can be shown to your users. |
PrivacySandboxAdMeasurementEnabled | Choose whether the Privacy Sandbox ad measurement setting can be disabled. |
PrivacySandboxAdTopicsEnabled | Choose whether the Privacy Sandbox Ad topics setting can be disabled. |
PrivacySandboxSiteEnabledAdsEnabled | Choose whether the Privacy Sandbox Site-suggested ads setting can be disabled. |
GetDisplayMediaSetSelectAllScreensAllowedForUrls (now on Linux) | Enables auto-select for multi screen captures. |
ChromeOS updates
- Fast Pair
Fast Pair now makes Bluetooth pairing easier on ChromeOS devices and Android phones. When you turn on your Fast Pair-enabled accessory, it automatically detects and pairs with your ChromeOS device or Android phone in a single tap. Fast Pair also associates your Bluetooth accessory with your Google account, making it incredibly simple to move between devices without missing a beat.
- Keyboard shortcuts link in Text app
The ChromeOS Text app has a series of built-in keyboard shortcuts. ChromeOS 111 adds a link to the Help Center article from the Text app settings, to provide instructions on how to use these keyboard shortcuts.
- Print job origin identification for managed devices
To improve support for specific advanced printing workflows in managed environments, mostly encountered in the Healthcare space, print jobs need to contain information about the device that they originated from. ChromeOS 111 introduces the client-info IPP attribute to populate an admin-specified value, which identifies a device used for downstream printing workflow or reporting activities.
Additionally, all print jobs now indicate ChromeOS together with the running release version.
This new attribute in print jobs is only available for jobs originating from managed devices and controlled by a new admin policy.
Admin console updates
- Configure print server policies with Google groups
Admins can now use new or existing Google groups to configure print servers for users in your organization. That means when you need to configure a print server for a specific set of users–who may or may not belong to different Organizational Units (OUs)–you can now use the flexibility of groups without needing to reconfigure your OUs. Note that configuration of print server policies for user groups works exactly the same as it does for printers.
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
LensDesktopNTPSearchEnabled | User & Browser Settings; Managed Guest Session | Chrome, ChromeOS | Startup > New Tab Google Lens button |
SendMouseEventsDisabledFormControlsEnabled | User & Browser Settings; Managed Guest Session | Chrome, ChromeOS, Android | Legacy site compatibility > Disabled element MouseEvents |
UserBorealisAllowed | User & Browser Settings; Managed Guest Session | ChromeOS | User experience > Allow Borealis on ChromeOS |
OffsetParentNewSpecBehaviorEnabled | User & Browser Settings; Managed Guest Session | Chrome, ChromeOS, Android | Legacy site compatibility > Enable Legacy HTMLElement Offset behavior |
AccessControlAllowMethodsInCORSPreflightSpecConformant | User & Browser Settings; Managed Guest Session | Chrome, ChromeOS, Android | Network > CORS Access Control Allow Methods Conformance |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- LegacySameSiteCookieBehaviorEnabledForDomainList policy extended
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies (possibly on specific domains) to legacy behavior. LegacySameSiteCookieBehaviorEnabledForDomainList policy will continue to be supported up until Chrome 121.
- Unused site permissions module in Safety Check
In Chrome 112, Safety Check will be expanded to include auto-revocation of unused site permissions on Chrome. Chrome will reset permissions from sites that have low recent engagement. Chrome informs the user about auto-revocation of permissions and offers options to opt out or re-grant. Permissions granted by enterprise policies are not affected. This launch follows the first extension of Safety Check that introduced proactive notification of permission reminders.
- Default to origin-keyed agent clustering in Chrome 112
In Chrome 112, websites will be unable to set document.domain. Websites will need to use alternative approaches such as postMessage() or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it will need to send an Origin-Agent-Cluster: ?0 header along with all documents that require that behavior. You can read more in the blog post.
Note: document.domain has no effect if only one document sets it.
The OriginAgentClusterDefaultEnabled enterprise policy will allow you to extend the current behavior.
- New Chrome Sync data types available in Takeout in Chrome 112
There will be more Chrome data available to export in Takeout and Domain Wide Takeout (DWT). The following data types are available: AUTOFILL, PRIORITY_PREFERENCE, WEB_APP, DEVICE_INFO, TYPED_URL, ARC_PACKAGE, OS_PREFERENCE, OS_PRIORITY_PREFERENCE, PRINTER.
You can control which data types are synced to Chrome Sync using the SyncTypesListDisabled enterprise policy.
- Chrome for Testing
In Chrome 112, Puppeteer, Chrome's browser automation library, will start using the Chrome for Testing binary instead of a Chromium binary. In case you have the Chromium binary allowlisted, you might consider allowlisting the Chrome for Testing binary too.
Chrome for Testing is a dedicated Chrome flavor for the automated testing use case. It’s not an end-user facing product, but rather a tool to be used by automation engineers through other projects such as Puppeteer. Chrome for Testing is a completely separate binary from regular Chrome.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, we are phasing out support for Chrome apps in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 112 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome Apps are still launchable.
Starting with Chrome 112, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property | Extension ID (Chrome App) | install_url (PWA / Web App) |
---|---|---|
Gmail | pjkljhegncpnkpknbcohdijeoejaedia | https://mail.google.com/mail/installwebapp?usp=admin |
Docs | aohghmighlieiainnegkcijnfilokake | https://docs.google.com/document/installwebapp?usp=admin |
Drive | apdfllckaahabafndbhieahigkjlhalf | https://drive.google.com/drive/installwebapp?usp=admin |
Sheets | felcaaldnbdncclmgdcncolpebgiejap | https://docs.google.com/spreadsheets/installwebapp?usp=admin |
Slides | aapocclcgogkmnckokdopfmhonfmgoek | https://docs.google.com/presentation/installwebapp?usp=admin |
Youtube | blpcfgokakmgnkcojhhkbfbldkacnbeo | https://www.youtube.com/s/notifications/manifest/cr_install.html |
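The migration step described above, as an added example that is not Google's own tooling: the script rewrites a managed-policy dictionary so that force-installed Chrome Apps from the table are dropped from the extension list and their install_url is added to the web app list. It assumes the two lists are the ExtensionInstallForcelist and WebAppInstallForceList policies; the sample policy and the third extension ID in it are constructed.

```python
import json

# Chrome App ID -> web app install_url, copied from the table above.
CHROME_APP_TO_PWA = {
    "pjkljhegncpnkpknbcohdijeoejaedia": "https://mail.google.com/mail/installwebapp?usp=admin",
    "aohghmighlieiainnegkcijnfilokake": "https://docs.google.com/document/installwebapp?usp=admin",
    "apdfllckaahabafndbhieahigkjlhalf": "https://drive.google.com/drive/installwebapp?usp=admin",
    "felcaaldnbdncclmgdcncolpebgiejap": "https://docs.google.com/spreadsheets/installwebapp?usp=admin",
    "aapocclcgogkmnckokdopfmhonfmgoek": "https://docs.google.com/presentation/installwebapp?usp=admin",
    "blpcfgokakmgnkcojhhkbfbldkacnbeo": "https://www.youtube.com/s/notifications/manifest/cr_install.html",
}


def migrate_force_lists(policy):
    """Return (new_policy, moved_ids); the input dictionary is left unmodified."""
    kept, moved = [], []
    web_apps = [dict(entry) for entry in policy.get("WebAppInstallForceList", [])]
    present = {entry.get("url") for entry in web_apps}
    for entry in policy.get("ExtensionInstallForcelist", []):
        # Entries are "<extension id>" or "<extension id>;<update url>".
        ext_id = entry.split(";", 1)[0].strip().lower()
        url = CHROME_APP_TO_PWA.get(ext_id)
        if url is None:
            kept.append(entry)  # ordinary extension, or an app not in the table
            continue
        moved.append(ext_id)
        if url not in present:  # do not duplicate a web app already force-installed
            web_apps.append({"url": url})
            present.add(url)
    new_policy = dict(policy)
    new_policy["ExtensionInstallForcelist"] = kept
    new_policy["WebAppInstallForceList"] = web_apps
    return new_policy, moved


# Constructed sample: two Chrome Apps from the table plus one placeholder extension.
SAMPLE_POLICY = {
    "ExtensionInstallForcelist": [
        "pjkljhegncpnkpknbcohdijeoejaedia;https://clients2.google.com/service/update2/crx",
        "aohghmighlieiainnegkcijnfilokake",
        "abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx",
    ],
    "WebAppInstallForceList": [
        {"url": "https://docs.google.com/document/installwebapp?usp=admin",
         "default_launch_container": "window"},
    ],
}

if __name__ == "__main__":
    migrated, moved_ids = migrate_force_lists(SAMPLE_POLICY)
    print("moved:", moved_ids)
    print(json.dumps(migrated, indent=2))
```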
- Auto upgrade mixed content to HTTPS on iOS in Chrome 112
Chrome on iOS will start automatically upgrading passive mixed content (HTTP image, audio and video on HTTPS pages) to HTTPS when possible. The current behavior on iOS is to block passive mixed content. All other Chrome platforms already optimistically upgrade passive mixed content. An Enterprise policy MixedContentAutoupgradeEnabled is available to disable mixed content auto upgrading on HTTPS sites on iOS. The policy will be removed in 116.
- Launching FastCheckout for Checkout experiences
In Chrome 112, some users will see an updated Autofill UI targeting checkout pages on shopping websites. It can be disabled by disabling either the AutofillAddressEnabled or the AutofillCreditCardEnabled policy.
- Collect additional data for off-store extensions in telemetry reports
When Enhanced Safe Browsing is enabled, Chrome 112 will start collecting additional telemetry on off-store extensions, such as file hashes and the manifest.json file. The data collected are analyzed on Google servers to detect malicious off-store extensions and improve protection for all Chrome extension users. This functionality along with the entire extension telemetry feature can be turned off by setting SafeBrowsingProtectionLevel to any value other than 2; this disables Enhanced Safe Browsing. Enterprise admins can use the SafeBrowsingProtectionLevel policy if they have any concerns about exposing this data.
- Updated onboarding experience
In Chrome 112, some users may see a simplified onboarding experience with a more intuitive way to sign into Chrome. Enterprise policies like BrowserSignin, SyncDisabled, EnableSyncConsent, RestrictSigninToPattern and SyncTypesListDisabled will continue to be available as before to control whether the user can sign into Chrome and turn on sync. The PromotionalTabsEnabled policy can be used to skip the onboarding altogether.
- Deprecation Trial for Unpartitioned 3rd party Storage, Service Workers, and Communication APIs
Beginning gradually in Chrome 113, storage, service workers, and communication APIs will be partitioned in third-party contexts. In addition to being isolated by the same-origin policy, the affected APIs used in third-party contexts would also be separated by the site of the top-level context. Sites that haven’t had time to implement support for third-party storage partitioning can take part in a deprecation trial to temporarily unpartition (continue isolation by same-origin policy but remove isolation by top-level site) and restore prior behavior of storage, service workers, and communication APIs in content embedded on their site.
The following APIs will remain unpartitioned in third-party contexts should you enroll the top-level site in the DisableThirdPartyStoragePartitioning deprecation trial: Storage APIs (such as localStorage, sessionStorage, IndexedDB, Quota, and so on), Communication APIs (such as BroadcastChannel, SharedWorkers, and WebLocks), and ServiceWorker API.
Chrome 112 will also add the ThirdPartyStoragePartitioningEnabled enterprise policy, which will allow for unpartitioning all APIs in third-party contexts, to be supported for at least 12 milestones.
- Changes to phishing protection on Android as early as Chrome 113
When a user authenticates to Android with their Google password, for example during account setup, Chrome will be notified so the password can begin receiving phishing protection when surfing the Web with Chrome. In previous versions of Chrome on Android, users needed to explicitly provide their password within a Chrome tab, for example, sign in to Gmail, to receive phishing protection for their Google password.
You can disable warnings regarding password reuse by setting PasswordProtectionWarningTrigger to 0.
- Network Service on Windows will be sandboxed
As early as Chrome 113, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Enable access to WebUSB API from extension service workers in Chrome 113
As early as Chrome 113, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability will be available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
- First-Party Sets user controls
First-Party Sets is an upcoming framework for developers to declare relationships between domains, such that the browser can make decisions regarding access based on the third party’s relationship to the first party. A set may enjoy first party benefits, including continued access to their cookies when the top-level domain is in the same set.
First-Party Sets are part of Chrome's roadmap for a more privacy-focused web.
Chrome 113 will introduce user controls for these First-Party Sets. Two enterprise policies will be made available to manage First-Party sets: one to disable First-Party Sets and one to provide your own sets.
- Removal of ChromeRootStoreEnabled policy
In Chrome 105, we announced the launch of the Chrome Root Store on Windows and Mac. A new policy, called ChromeRootStoreEnabled, was introduced to allow selective disabling of the Chrome Root Store in favor of the platform root store. This policy will be removed from Windows and Mac on Chrome 113. Support for trusted leaf certificates and the Windows Trusted People store was added for Chrome 111. If you previously disabled the Chrome Root Store to work around either of these issues, please test again with Chrome 111. We are working on launching the Chrome Root Store for Android, Linux, and ChromeOS. As the Chrome Root Store launches on more platforms, we will continue to provide the policy on those platforms for six months after launch.
- Full History sync
Starting with Chrome 112, Typed URLs will stop syncing for Enterprise users. Open Tabs will continue syncing as usual, unless disabled by existing SyncDisabled and SyncTypesListDisabled policies.
- Removal of permissive Chrome Apps webview behaviors
In Chrome 113, Chrome Apps webview usage will have the following restrictions:
- SSL errors within webview will show an error page that does not provide the user the option to unsafely proceed.
- The use of the webview NewWindow event to attach to a webview element in another App window will cause the window reference returned by the window.open call in the originating webview to be invalidated.
In Chrome 112, you’ll be able to test out this new behavior by navigating to chrome://flags and enabling the chrome://flags/#enable-webview-tag-mparch-behavior flag.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed will be available to give enterprises time to address possible breakage related to these changes.
Upcoming ChromeOS changes
- Cursive pre-installed for Enterprise and Education accounts
As early as ChromeOS 112, Cursive, a stylus-first notes app, will be available for Chromebooks. In an upcoming release, it will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks. If you want to block access to the app, you can prevent Chromebooks in your enterprise from accessing cursive.apps.chrome.
- Screencast supports multi-language transcription in recordings
As early as ChromeOS 112, we plan to dramatically expand Screencast recording capabilities to a wide range of languages by integrating with Google's S3 transcription API.
The Screencast app for ChromeOS lets users record transcribed screencasts on their Chromebook. In previous versions, this feature was available in EN-US only, which meant that only English speaking users in the US could record screencasts. Soon, it will be possible to record and transcribe screencasts in a wide range of languages including Spanish, Japanese, French, Italian, and German.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 114, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
Chrome 110
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Windows 7/8/8.1 and Windows Server 2012/2012 R2 are no longer supported
Microsoft is ending support for most variants of Windows 7/8/8.1 in January 2023. As announced in a previous blog post, Chrome 109 is the last supported version of Chrome for these operating systems.
Chrome running on Windows Server 2012 and Windows Server 2012 R2 will not be updated beyond Chrome 109, as those operating systems (OS) are based on Windows 8/8.1. However, critical security fixes will be issued to Chrome 109 on these two OS versions until October 10, 2023 to ease customer transitions. For the most up-to-date information, see this post in the Chrome Enterprise and Education help center.
- Detailed translation settings
Chrome 110 adds new detailed translation settings for controlling the current target language: Never translate languages and Always translate languages. These settings were previously only editable from the Translate UI bubble but now are permanently exposed under chrome://settings/language. Enterprise admins can use the existing TranslateEnabled policy to globally enable or disable translation.
- Change in launch schedule
Starting in Chrome 110, Chrome rolls out to the Stable channel one week earlier than previously planned to a very small subset of users. For example, the Chrome 110 Stable release moves from February 7 to February 1, 2023.
You can also expect to see a much smaller rollout at a significantly reduced percentage of our user population for the first week of the published Stable release date. The wider rollout to most users happens at a similar timeframe to the earlier communicated dates. This slower initial rollout leads to better stability and makes it easier for enterprises to stay on the latest and safest version of Chrome.
For more details, read about managing Chrome updates and check out the Chrome release schedule.
- App Store rating on iOS
In Chrome 110, some iOS users might be presented with Apple’s standardized App Store rating prompt at most once per year. The prompt gives users the option to rate the app or dismiss the prompt. An enterprise policy, AppStoreRatingEnabled, is available to disable any appearance of the prompt.
- User-level Enhanced Safe Browsing on iOS
For Chrome on iOS where the Safe Browsing protection level is not controlled by SafeBrowsingProtectionLevel, users who are signed in and syncing, and have enabled Enhanced Safe Browsing on their Google Account, are now notified that Enhanced Safe Browsing has been enabled on their Chrome profile. Disabling Enhanced Safe Browsing on a synced Google Account disables Enhanced Safe Browsing for their Chrome profile. Additionally, users that are signed-in and non-synced might be prompted to enable Chrome Enhanced Safe Browsing within 5 minutes of enabling Account Level Enhanced Safe Browsing.
- Chrome Headless mode upgrades
Chrome’s Headless mode provides a full Chrome browser to tooling vendors and developers that don’t need to bring pixels to the screen. It's used for test automation, automation of workflow steps (for example, steps required when setting up a new machine in an enterprise, or autofill-like behavior), scraping web content, web rendering services, and so on.
We’ve rebuilt Headless mode so that it’s much closer to Chrome’s regular mode. This provides more consistent experiences, including respecting enterprise policies when in Headless mode.
- MetricsReportingEnabled policy available on Android in Chrome
As early as Chrome 110, Chrome on Android slightly modifies the first run experience to support the MetricsReportingEnabled policy. If the admin disables metrics reporting, there is no change to the first run experience. If the admin enables metrics, users can still change the setting in Chrome settings. When enabled, the MetricsReportingEnabled policy allows anonymous reporting of usage and crash-related data about Chrome to Google.
- WebAuthn cannot be used on sites with TLS certificate errors
Starting in Chrome 110, Chrome stops allowing WebAuthn requests on websites with TLS certificate errors. The criteria are the same as those used for showing danger interstitials or a Not secure pill on the omnibox. This prevents bad actors from generating valid assertions in a Man-in-the-Middle attack on users who might skip the interstitial.
Enterprises can use the AllowWebAuthnWithBrokenTlsCerts policy if needed as a workaround.
- Cookie information from extensions
When you enable Enhanced Safe Browsing, Chrome now collects telemetry about the cookie information that extensions request. These activities are analyzed on Google servers and further improve the detection of malicious and policy-violating extensions. This improvement allows better protection for all Chrome extension users.
- Deprecation of WebSQL and other old Storage features
Chrome 110 removes the window.webkitStorageInfo API. This legacy quota API has been deprecated since 2013, and has been replaced by the now standardized StorageManager API. Admins can re-enable webkitStorageInfo until Chrome 112, using the enterprise policy, PrefixedStorageInfoEnabled.
WebSQL in third-party contexts is already disabled, and it has had a warning in DevTools since Chrome 105. Chrome 110 removes support in non-secure contexts. An enterprise policy, WebSQLNonSecureContextEnabled, allows Web SQL to function in non-secure contexts for a few months past the removal date.
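An added example (not part of the release notes or of any Google tooling): a Python audit that flags the temporary workaround policies named in these notes when they are set to the value that keeps the legacy behavior, so they can be tracked and retired. It assumes policies are supplied as JSON objects mapping policy name to value; the function names and the sample policy content are constructed for illustration.

```python
import json
from pathlib import Path

# Temporary workaround policies named in these release notes, mapped to the
# value that keeps the legacy (less safe) behavior and a short description.
WORKAROUNDS = {
    "AllowWebAuthnWithBrokenTlsCerts": (True, "WebAuthn allowed on sites with TLS certificate errors"),
    "WebSQLNonSecureContextEnabled": (True, "Web SQL allowed in non-secure contexts"),
    "PrefixedStorageInfoEnabled": (True, "window.webkitStorageInfo re-enabled (until Chrome 112)"),
    "ChromeAppsWebViewPermissiveBehaviorAllowed": (True, "permissive Chrome Apps webview behaviors kept"),
    "ChromeRootStoreEnabled": (False, "Chrome Root Store disabled (policy removed on Windows/Mac in Chrome 113)"),
}

def audit_policies(policies, source="<inline>"):
    """Return (source, policy, value, note) for each workaround that is active."""
    findings = []
    for name, (risky_value, note) in WORKAROUNDS.items():
        if name not in policies:
            continue  # unset: the browser default applies
        value = policies[name]
        if not isinstance(value, bool):
            findings.append((source, name, value, "non-boolean value; review manually"))
        elif value is risky_value:
            findings.append((source, name, value, note))
    return findings

def audit_dir(directory):
    """Audit every *.json policy file in a directory (one JSON object per file)."""
    findings = []
    for path in sorted(Path(directory).glob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError) as exc:
            findings.append((str(path), None, None, f"unreadable: {exc}"))
            continue
        if isinstance(data, dict):
            findings.extend(audit_policies(data, str(path)))
    return findings

# Constructed sample policy content, not taken from a real deployment.
SAMPLE = json.loads("""{
  "AllowWebAuthnWithBrokenTlsCerts": true,
  "WebSQLNonSecureContextEnabled": false,
  "ChromeRootStoreEnabled": false,
  "TranslateEnabled": true
}""")

if __name__ == "__main__":
    for src, name, value, note in audit_policies(SAMPLE):
        print(f"{src}: {name}={value!r} -> {note}")
```

On Linux, pointing `audit_dir` at `/etc/opt/chrome/policies/managed` covers machine-level managed policy files.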
- Easier password updates when a compromise is detected
The Check passwords tool now has an expanded set of URLs pointing directly to a Change password form. This allows users to take action and fix compromised passwords. The Check passwords tool is only available if PasswordManagerEnabled is set to true or unset.