For administrators who manage Chrome browser or ChromeOS devices for a business or school.
- For emails about future releases, sign up here.
- To try out new features before they're released, sign up for the trusted tester program.
- Connect with other Chrome Enterprise IT admins through the Chrome Enterprise Customer Forum.
- Sign up to take the ChromeOS administrator credential exam.
- Get help and see additional resources below.
Table updated: January 10, 2023
Chrome 108
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Improving performance: Memory Saver and Energy Saver modes | ✓ | ||
Google Password Manager: Notes for passwords | ✓ | ||
Google Password Manager: Updates on iOS | ✓ | ||
Windows: pin to taskbar during install | ✓ | ||
Custom default error pages for Progressive Web Apps | ✓ | ||
New Chrome sync dialog on iOS | ✓ | ||
Price tracking | ✓ | ||
Change asynchronous methods to synchronous in FileSystemSyncAccessHandle | ✓ | ||
Chrome on Linux to use Chrome's built-in DNS client by default | ✓ | ||
Improved reporting for internal callback mechanism | ✓ | ||
Cookies and site data dialog improvements | ✓ | ||
Improve sharing of previewed files | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Cursive canvas lock | ✓ | ||
Screencast multi-accounts | ✓ | ||
ChromeOS Version Rollback | ✓ | ||
ChromeOS Camera App: Document scanning improvements | ✓ | ||
Captive portal improvements | ✓ | ✓ | |
Easier ways to navigate your virtual keyboard | ✓ | ||
SIM lock policy | ✓ | ✓ | |
FilesApp trash | ✓ | ✓ | |
Contact center Desk API connectors | ✓ | ||
Human Presence Sensor | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS data controls | ✓ | ✓ | ✓ |
App Details - installation requests | ✓ | ✓ | |
Apps & Extension usage reports | ✓ | ||
New Chrome Browser Cloud Management sign-up experience | ✓ | ||
Delegated Admins can see all their devices | ✓ | ✓ | |
New policies in the Admin console | ✓ | ✓ | ✓ |
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Confirmation permission chips in the address bar | ✓ | ||
Google Update internal upgrades | ✓ | ||
About this page on Desktop in Chrome 109 | ✓ | ||
Chrome to change the UI for some download warnings | ✓ | ||
Detailed translation settings in Chrome 109 | ✓ | ||
Changes to HTMLElement.offsetParent | ✓ | ||
Changes to mouse events on disabled form controls | ✓ | ||
UrlParamFilterEnabled removed in Chrome 109 | ✓ | ||
Removal of master_preferences in Chrome 109 | ✓ | ||
User-level Enhanced Safe Browsing on iOS in Chrome 109 | ✓ | ||
Intent to deprecate and remove: Event.path | ✓ | ||
MetricsReportingEnabled policy will be available on Android in Chrome | ✓ | ||
Release of Speculation Rules API for prerender in Android | ✓ | ||
Device token deletion | ✓ | ||
Content analysis connector for local DLP Agent integration | ✓ | ||
Change in launch schedule starting in Chrome 110 | ✓ | ||
Windows 10 as minimum required version in Chrome 110 | ✓ | ||
Private Network Access preflights for subresources enforced in Chrome 113 | ✓ | ✓ | |
Rolling out GPU Changes to NaCL Swapchain and video decoding | ✓ | ||
Access to WebHID API from extension service workers in Chrome 110 | ✓ | ||
WebAuthn cannot be used on sites with TLS certificate errors | ✓ | ||
Strict MIME type checks for Worker scripts | ✓ | ||
Default to origin-keyed agent clustering in Chrome 110 | ✓ | ||
WebUSB from extension service workers | ✓ | ||
Deprecation of Web SQL and other old Storage features | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Chrome apps no longer supported on Windows, Mac, and Linux | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ | |
Super Resolution Audio for Bluetooth headset microphones | ✓ | ||
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Channel labeling on ChromeOS | ✓ | ||
Fast Pair | ✓ | ||
Updates to emoji picker | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Improving performance: Memory Saver and Energy Saver modes
In Chrome 108 on Windows, Mac, and ChromeOS, some users experience new performance-enhancing features: Memory Saver and Energy Saver. These features are designed to improve the performance of Chrome, and extend battery life, respectively. Users can control these features using the options under Settings > Performance.
As part of this launch, Chrome now includes the following enterprise policies:
- TabDiscardingExceptions: By using this policy, you specify URL patterns that are never discarded by the browser.
- BatterySaverModeAvailability: When set to Disabled, the Battery Saver mode is switched off. When set to EnabledBelowThreshold or not set, Battery Saver Mode is enabled when the device is on battery power and battery level is low. When set to EnabledOnBattery, Battery Saver Mode is enabled when the device is on battery power.
- HighEfficiencyModeEnabled: This policy enables or disables the High Efficiency Mode setting.
- Google Password Manager: Updates on iOS
From Chrome on iOS 108, it is easier for users to access their passwords. We have simplified the password list view, to show users just their passwords. Password-related settings display on their own screen, making it easier for users to see and manage their settings in one place. Existing features like adding or editing passwords and password checkup remain available on the password list view.
- Windows: pin to taskbar during install
As early as Chrome 108, the Chrome installer pins Chrome to the Windows taskbar for easier access to Chrome. You can use the do_not_create_desktop_shortcut setting in initial_preferences to control this behavior.
- New Chrome sync dialog on iOS
On Chrome on iOS, some users see a visually updated dialog to turn on Chrome sync in the first run. Relevant enterprise policies such as BrowserSignin, SyncDisabled, RestrictAccountsToPatterns and SyncTypesListDisabled continue to work as before and can be used to configure Chrome sync.
- Price tracking
Chrome 108 enables users to price track products from across the web, and receive email or mobile notifications when the price of a tracked item drops. Tracked items are saved alongside bookmarks with Sync. This feature is only available for signed-in, syncing users who have Web & App activity enabled. You can control this with the ShoppingListEnabled policy.
- Change asynchronous methods to synchronous in FileSystemSyncAccessHandle
In Chrome 108, the getSize(), truncate(), flush() and close() async methods in the FileSystemSyncAccessHandle primitive in the File System Access API have been converted to synchronous methods, in line with the read() and write() methods.
This change supports a fully synchronous API for FileSystemSyncAccessHandle, enabling high performance for WebAssembly (WASM) based applications.
We don't anticipate this change causing any issues. However, an enterprise policy, FileSystemSyncAccessHandleAsyncInterfaceEnabled, is available until Chrome 110 to enable the async methods. You can use this to roll back the change temporarily if you need to make any changes to your apps.
- Chrome on Linux to use Chrome's built-in DNS client by default
The built-in DNS client is enabled by default on Windows, macOS, Android, and ChromeOS. As early as Chrome 108, Chrome on Linux also uses the built-in DNS client by default. Enterprises can opt out by setting the BuiltInDnsClientEnabled policy to Disabled.
- Improved reporting for internal callback mechanism
Chrome 108 improves security by reporting misuse of our internal callback mechanism via crash reports. You can control this using the MetricsReportingEnabled policy.
- Cookies and site data dialog improvements
In Chrome 108, we’ve redesigned and simplified the Cookies and site data dialog so only per-site level information is displayed, and can be easily controlled by users. You can use the DefaultCookiesSetting, CookiesAllowedForUrls, CookiesBlockedForUrls, and CookiesSessionOnlyForUrls enterprise policies to control Chrome's behavior.
- New and updated policies in Chrome browser
Policy | Description |
---|---|
CopyPreventionSettings | Allows blocking copying to the clipboard on specified URLs. |
TabDiscardingExceptions | URL pattern Exceptions to tab discarding. |
HighEfficiencyModeEnabled | Enable High Efficiency Mode. |
BatterySaverModeAvailability | Enable Battery Saver Mode. |
OnFileTransferEnterpriseConnector | Configuration policy for the OnFileTransfer Chrome Enterprise connector. |
FileSystemSyncAccessHandleAsyncInterfaceEnabled | Re-enable the deprecated async interface for FileSystemSyncAccessHandle in File System Access API. |
VirtualKeyboardResizesLayoutByDefault (Android) | The virtual keyboard resizes the layout viewport by default. |
ChromeOS updates
- ChromeOS version rollback
The ChromeOS rollback feature enables managed devices to download and run an earlier version of ChromeOS than the one currently installed. Rollback works in conjunction with pinning to a target version, and requires that updates are enabled.
In this first release, rollback supports rolling back up to the previous N-3 release milestone, where N is the current release on the stable channel, as well as the current release of the LTC and LTS channels.
The rollback feature will be available on the admin console from December 8th 2022. The earliest version of ChromeOS that you can roll back to is version 107.
Please note that installing an earlier ChromeOS version requires devices to perform a powerwash, an operation that erases any local user data.
- ChromeOS Camera App: Document scanning improvements
From M107, document scanning in the ChromeOS Camera App is automatically downloaded when the user selects it, making it available to more devices including those with Apollo Lake and MT8173 processors. From M108, the document scanning feature supports taking multiple pages and combining them into a single PDF.
- Captive portal improvements
ChromeOS has improved the user experience for signing into Wi-Fi networks that require captive portal sign-in, for example, at hotels or airports where you are directed to a web page to enter credentials or accept terms and conditions before being connected to the Internet. Improvements include:
- clearer messaging regarding the need to sign in
- easier to find access to sign in pages
- more reliable connection to sign in pages
- Easier ways to navigate your virtual keyboard
If you have a Chromebook with a touchscreen, it’s now even easier to type what you want with a newly redesigned virtual keyboard. With just a tap on the new header bar, you can switch between languages, pull up the emoji library, or access the handwriting tool. The virtual keyboard also processes fast typing more quickly, so there is no need to slow down to make sure that every key is pressed one by one.
- SIM lock policy
The ChromeOS Admin console now supports the ability to prohibit or allow managed users to lock their SIM card with a PIN.
This feature is available in all ChromeOS devices and is particularly useful for organizations that own their employees’ or students’ SIM cards and want to retain control over them. This is a highly requested feature from EDU because they want to avoid the situation of a student's SIM card PIN locking their device from a reliable internet connection (many students do not have internet at home, for example). EDU also wants to avoid the situation of students intentionally locking themselves out of an internet connection so as to prevent themselves from submitting assignments on time.
- Contact Center Desk API connectors
For contact center agents, productivity is paramount. But, with the range of apps, tabs and windows that agents use, it can be difficult and time-consuming to locate the right information at the right time. For agents managing multiple customer interactions simultaneously, it becomes even more difficult, leading to stress and frustration for the agent, and a longer wait time for your customers. ChromeOS Desk connectors solve this problem by introducing the desk as a container. Communications solutions that have integrated with ChromeOS Desk API automatically open a new desk per interaction. The desk opens all the tabs and apps an agent needs for this interaction, and once the interaction is complete, the desk closes down all these with one click. For each new interaction, a new desk opens, making it easier and faster for an agent to access the correct agent information at the right time.
Reach out to the ChromeOS team directly to join the Trusted Tester program and try ChromeOS Desk connectors.
- Human Presence Sensor
Some Lenovo ThinkPad Chromebooks now have screen privacy features that use Human Presence detection to lock the screen when the user leaves their device and alert the user when another person is looking at their screen. With Lock on Leave, we dim and lock the screen more quickly when no user is detected to protect their privacy. We also have a Keep Awake feature that prevents the screen from dimming when the user is present so that they can continue to view the screen. With Viewing Protection, users are shown an eye alert icon in the shelf and can choose to further mask all private notifications when we detect a second person.
Admin console updates
- ChromeOS data controls
Data controls are a set of controls for protecting enterprise users from data leakage on endpoints. These capabilities, integrated at the OS level, allow admins to track, restrict, or report the following actions when handling corporate content using simple workflow based rules that do not require content to be scanned:
- Copy and paste
- Screen capture (screenshots and video capture)
- Screen sharing
- Printing
- And the ability to automatically turn on the electronic privacy screen on a compatible device
- Apps Details - Installation Requests
The list of extension requests that was previously shown in the right panel sidebar is now shown in a card in the App Details page called Installation Requests. Admins can see requests by organizational unit, browser, or user, making it easier for admins to make granular installation decisions. To allow extension requests, see our help center article.
- Apps & Extension usage report
There is a new warning icon for Extensions that are still using Manifest v2. To enable the Apps & Extension Usage Report, see this help center article. We also recommend contacting your internal developers or vendors that are still publishing Manifest v2 extensions to learn about their migration plans to Manifest v3. Please review the Extension Manifest v2 deprecation timeline for more information.
- New Chrome Browser Cloud Management sign-up experience
IT admins can now sign up for Chrome Browser Cloud Management using a new simple four-step sign-up flow. The new sign-up flow allows IT admins to create an Admin console account for Chrome Browser Cloud Management and lets them optionally add the Chrome Enterprise Update (for ChromeOS) and Workspace free Essentials subscriptions to the new account. Learn more.
- Enrolling browsers with Mosyle
Mosyle is a Unified Endpoint Management platform focused on managing Apple devices. We have updated our documentation to describe how to deploy Chrome Browser Cloud Management tokens with Mosyle.
Enroll browsers with Mosyle (iOS/iPadOS)
Enroll browsers with Mosyle (macOS)
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
AllowOnlyPolicyNetworksToConnectIfAvailable | Networks Settings | ChromeOS | General settings > Wi-Fi |
Networks | Networks Settings | All Platforms | WIFI / Ethernet Settings > Details > Custom search domains |
HighEfficiencyModeEnabled | User Settings | All platforms | Other settings |
VirtualKeyboardResizesLayoutByDefault | User Settings | All platforms | User experience |
BatterySaverModeAvailability | User Settings | All platforms | Power and shutdown |
TabDiscardingExceptions | User settings | All platforms | Other settings |
FileSystemSyncAccessHandleAsyncInterfaceEnabled | User settings | All platforms | Hardware |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or be canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Confirmation permission chips in the address bar
Chrome is consolidating permission prompts and indicators to make them more consistent and easier to understand. Some users will see a new permissions chip experience in the address bar: a chip shown after a user has made a decision on a permission prompt. It confirms the action a user has just taken and is shown for 4 seconds. If the user clicks on it, the page info bubble is shown, a surface that, among other things, allows users to manage their permission settings for the current site.
For some users, the lock icon in the address bar will be hidden while a chip is being shown. Please note, chips are only visible during certain permission requests and while a confirmation chip is being displayed. As soon as the chip disappears, the lock icon is visible again.
- Google Update internal upgrades
Chrome 109 introduces the next version of Google Update based on tried-and-true Chromium technology. It will provide a cross-platform core for future development of update-related features. All existing enterprise policies and controls for managing Chrome's version work the same way.
- About this page on Desktop in Chrome 109
We are improving the From the web feature in the site info UI. It is now called About this page and it opens a website with multiple pieces of information regarding the source and topic of a website.
This feature is only enabled when Make searches and browsing better is enabled in Settings > Sync and Google Services > Other Google services. You can control this setting with the UrlKeyedAnonymizedDataCollectionEnabled policy.
- Chrome to change the UI for some download warnings
As early as Chrome 109, to protect users from malware, Chrome will start to show detailed context and customized UIs for some download warnings. For example, if Chrome detects that a download could potentially steal a user's information, the description will change from "Chrome blocked this file because it is dangerous" to "This file contains malware that can compromise your personal or social network accounts". You can disable download warnings by setting the SafeBrowsingProtectionLevel enterprise policy, or allowlist specific domains using SafeBrowsingAllowlistDomains.
- Detailed translation settings in Chrome 109
New detailed translation settings have been added for controlling the current target language, never translate languages, and always translate languages. These settings were previously only editable from the Translate UI bubble but are now permanently exposed under chrome://settings/language. Enterprise users may use the existing TranslateEnabled enterprise policy to globally enable or disable translation.
- Changes to HTMLElement.offsetParent
In Chrome 109, the Javascript APIs HTMLElement.offsetParent, HTMLElement.offsetTop, and HTMLElement.offsetLeft will be changed in an edge case involving ShadowDOM in order to match the behavior of Firefox and Safari. A new enterprise policy, OffsetParentNewSpecBehaviorEnabled, will be added to disable the new behavior until Chrome 120. A polyfill was made in order to help migrate to the new behavior: https://github.com/josepharhar/offsetparent-polyfills.
- Changes to mouse events on disabled form controls
In Chrome 109, some users will see changes to the behavior of mouse events: clicking on form control elements with the disabled attribute will fire slightly different DOM events. Additional mouse events, including mousemove, mouseenter, mouseleave, mouseover, and more will be fired on these elements. The ancestors of some types of form controls will no longer receive click, mouseup, or mousedown events. A new enterprise policy, SendMouseEventsDisabledFormControlsEnabled, will be added to disable the new behavior until at least Chrome 120.
- UrlParamFilterEnabled removed in Chrome 109
The UrlParamFilterEnabled policy allows admins to control if parameters are removed when a user selects Open Link in Incognito Window from the context menu. This is a temporary policy introduced when the change was introduced in Chrome. The policy will be removed in Chrome 109.
- Removal of master_preferences in Chrome 109
master_preferences and initial_preferences are ways of setting default preferences for a Chrome install. The historical name of the file is master_preferences, but it was renamed to initial_preferences in Chrome 91. To make the transition easy for IT admins, from Chrome 91 to Chrome 108, naming the file either initial_preferences or master_preferences has the same effect. In Chrome 109, if you name the file master_preferences, it will not work by default. You should rename the file initial_preferences.
Alternatively, you will be able to use the CompatibleInitialPreferences enterprise policy to extend support for the master_preferences naming. This policy is not currently available.
- User-level Enhanced Safe Browsing on iOS in Chrome 109
For Chrome on iOS where the Safe Browsing protection level is not controlled by SafeBrowsingProtectionLevel, users that are signed in and syncing that have enabled Enhanced Safe Browsing on their Google Account will be notified that Enhanced Safe Browsing has been enabled on their Chrome profile. Disabling Enhanced Safe Browsing on a synced Google Account will disable Enhanced Safe Browsing for their Chrome profile. Additionally, users that are signed-in and non-synced may be prompted to enable Chrome Enhanced Safe Browsing within 5 minutes of enabling Account Level Enhanced Safe Browsing.
- Intent to deprecate and remove: Event.path
To improve web compatibility, we will stop supporting the non-standard API Event.path as early as Chrome 109. Websites should migrate to Event.composedPath(), which is a standard API that returns the same result. If you need additional time to adjust, a policy EventPathEnabled, available on Windows, Mac, Linux, ChromeOS, Android and WebView will allow you to extend the lifetime of Event.path by an additional 6 milestones.
- MetricsReportingEnabled policy will be available on Android in Chrome
As early as Chrome 109, Chrome on Android will slightly modify the first run experience to support the MetricsReportingEnabled policy. If the admin disables metrics reporting, there will be no change to the first run experience. If the admin enables metrics, users will still be able to change the setting in Chrome settings. When enabled, the MetricsReportingEnabled policy allows anonymous reporting of usage and crash-related data about Chrome to Google.
- Release of Speculation Rules API for prerender in Android
Chrome 103 introduced same-origin prerendering triggered by the Speculation Rules API. Chrome 109 expands coverage to also allow triggering same-site cross-origin pages. This allows web authors to suggest to Chrome which cross-origin pages the user is likely to navigate to next. This prerendering will be done with credentials and storage access, but such prerender targets will need to opt in by using the Supports-Loading-Mode: credentialed-prerender header. An enterprise policy, NetworkPredictionOptions, is available to block the usage of all prerendering activities, which will result in Chrome ignoring the hints provided using this API. See our article for more information.
- Content Analysis connector for Local DLP Agent Integration
Some third party software (for example, AV/DLP agents) injects code into Chrome. Though this practice is discouraged, it is still prevalent in the enterprise environment since there are no good alternatives for these local agents.
Chrome 110 will provide secure, native integration that transfers content (file or text) between Chrome and selected 3rd party DLP agents when a Chrome Browser Cloud Management managed user performs an action that sends data from their endpoint using Chrome Enterprise connectors.
- Change in launch schedule starting in Chrome 110
Starting in Chrome 110, Chrome will be rolled out to the Stable channel one week earlier than previously communicated. For example, the Chrome 110 Stable release moves from Feb 7 to Feb 1, 2023.
You can also expect to see a much smaller rollout at a significantly reduced percentage of our user population for the first week of the published Stable release date. The wider rollout to most users will happen at a similar timeframe to the earlier communicated dates.
- Windows 10 as minimum required version in Chrome 110
Microsoft ends support for Windows 7 ESU, Windows 8, and Windows 8.1 extended support on January 10, 2023. Chrome 110, tentatively scheduled for release on February 1, is the first version of Chrome which will have a minimum Windows version of Windows 10.
- Chrome Private Network Access preflights for subresources enforced in Chrome 113
Chrome 104 started sending a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new Access-Control-Request-Private-Network: true header. In this initial phase, this request is sent, but no response is required from network devices. If no response is received, or it does not carry a matching Access-Control-Allow-Private-Network: true header, a warning is shown in DevTools. For more details, see this blog post.
As early as Chrome 110 on Android, the warnings will turn into errors and affected requests will fail, for sites not opted out via an Origin Trial. Remaining platforms will also have these warnings enforced in Chrome 113. You can disable Private Network Access checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
If you want to test this feature in advance, you can enable warnings using chrome://flags/#private-network-access-send-preflights. If you want to test how it behaves once warnings turn into errors, you can enable chrome://flags/#private-network-access-respect-preflight-results.
Chrome is making this change to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks. To learn more about mitigating this change proactively, see details on what to do if your site is affected. Read the whole blog post for a more general discussion and latest updates about Private Network Access preflights.
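The preflight exchange described above, seen from both sides, as an added example that is not part of the original release notes. The origin allowlist, the allowed methods and headers, and the sample requests are constructed assumptions, and chromeVerdict is a simplified model of the warning and enforcement phases, not Chrome's code.

```javascript
// Added example: a private-network device answering Chrome's Private Network
// Access (PNA) preflight. Allowlist values and sample requests are constructed.
const ALLOWED_ORIGINS = new Set(['https://admin.example.com']);
const ALLOWED_METHODS = 'GET, POST';
const ALLOWED_HEADERS = 'content-type';

// Header names are case-insensitive; normalise them to lower case.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Device side: build the response to a CORS preflight, or return null when the
// request is not a preflight and belongs to the normal request handler.
function answerPreflight(method, headers, allowed = ALLOWED_ORIGINS) {
  const h = normalise(headers);
  if (method !== 'OPTIONS' || !h['access-control-request-method']) return null;

  // Unknown origin: answer without any CORS headers so the preflight fails.
  if (!allowed.has(h['origin'])) return { status: 403, headers: {} };

  const res = {
    'access-control-allow-origin': h['origin'], // echo the vetted origin, never "*"
    'access-control-allow-methods': ALLOWED_METHODS,
    'access-control-allow-headers': ALLOWED_HEADERS,
    'vary': 'Origin',
  };
  // Opt in to private network access only when the browser asked for it.
  if (h['access-control-request-private-network'] === 'true') {
    res['access-control-allow-private-network'] = 'true';
  }
  return { status: 204, headers: res };
}

// Browser side (simplified model): a missing response or a missing opt-in
// header is a DevTools warning in the first phase and a failed request once
// the preflight result is enforced. Pass null for "no response received".
function chromeVerdict(response, enforced) {
  const ok = response !== null &&
    response.status >= 200 && response.status < 300 &&
    normalise(response.headers)['access-control-allow-private-network'] === 'true';
  if (ok) return 'allowed';
  return enforced ? 'blocked' : 'warning';
}

// Constructed preflights: one from the allowlisted admin page, one from an
// origin the device has never approved.
const samples = [
  { Origin: 'https://admin.example.com',
    'Access-Control-Request-Method': 'GET',
    'Access-Control-Request-Private-Network': 'true' },
  { Origin: 'https://unknown.example.net',
    'Access-Control-Request-Method': 'POST',
    'Access-Control-Request-Private-Network': 'true' },
];
for (const req of samples) {
  const res = answerPreflight('OPTIONS', req);
  console.log(req.Origin, res.status,
    'warn-phase:', chromeVerdict(res, false),
    'enforced:', chromeVerdict(res, true));
}
```

A device that never answers the preflight corresponds to chromeVerdict(null, ...), which is the case that starts failing once enforcement ships.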
- Rolling out GPU Changes to NaCL Swapchain and video decoding
As early as Chrome 110, we will refactor the implementation of the NaCL swapchain and the Pepper video decoding APIs. These changes are not intended to have any behavioral impact on users. However, it is possible that due to bugs they might result in visual artifacts, unacceptably slow performance when playing video, unacceptable increases in power, or crashes. Information about how to signal any problems will be available as these refactors roll out.
- WebAuthn cannot be used on sites with TLS certificate errors
Starting in M110, Chrome will stop allowing WebAuthn requests on websites with TLS certificate errors. The criteria will be the same as those used for showing danger interstitials or a Not secure pill on the omnibox. This will prevent bad actors from generating valid assertions in a Man-in-the-Middle attack on users who may skip the interstitial.
Enterprises will be able to use the AllowWebAuthnWithBrokenTlsCerts policy if needed as a workaround.
- Strict MIME type checks for Worker scripts
As early as Chrome 110, Chrome will strictly check MIME types for Worker scripts, like Service Workers or Web Workers. Strict checking means that Chrome will only accept JavaScript resources for Workers with a MIME type of text/javascript. Currently, Chrome will also accept other MIME types, like text/ascii. This change is aimed at improving the security of web applications, by preventing inclusion of inappropriate resources as JavaScript files.
Disabling the StrictMimetypeCheckForWorkerScriptsEnabled policy allows you to keep the current behavior.
- Default to origin-keyed agent clustering in Chrome 110
As early as Chrome 110, websites will be unable to set document.domain. Websites will need to use alternative approaches such as postMessage() or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it will need to send an Origin-Agent-Cluster: ?0 header along with all documents that require that behavior.
Note: document.domain has no effect if only one document sets it.
The OriginAgentClusterDefaultEnabled enterprise policy will allow you to extend the current behavior.
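One way to replace a document.domain relaxation between two same-site origins with postMessage(), as an added example that is not part of the original release notes. The origins, the session-status message shape and all function names are hypothetical; the point is that the receiver compares event.origin exactly and the sender names an exact target origin.

```javascript
// Added example: postMessage() in place of document.domain between
// https://app.example.com (receiver) and https://login.example.com (sender).
// Origins, message shape and function names are constructed for illustration.
const TRUSTED_ORIGINS = new Set(['https://login.example.com']);

// Weak check sometimes written during migration: suffix matching also accepts
// unrelated hosts such as https://notexample.com. Shown only for contrast.
function isTrustedWeak(origin) {
  return origin.endsWith('example.com');
}

// Hardened check: exact match of scheme + host + port against an allowlist.
function isTrusted(origin, trusted = TRUSTED_ORIGINS) {
  return trusted.has(origin);
}

// Receiver: returns a listener for window.addEventListener('message', ...).
// The listener returns true only when the message was accepted.
function makeReceiver(onSession, trusted = TRUSTED_ORIGINS) {
  return function onMessage(event) {
    if (!isTrusted(event.origin, trusted)) return false;   // wrong sender
    const data = event.data;
    if (typeof data !== 'object' || data === null) return false;
    if (data.type !== 'session-status') return false;      // unknown message
    if (typeof data.signedIn !== 'boolean') return false;  // malformed payload
    onSession({ signedIn: data.signedIn });                // pass on vetted fields only
    return true;
  };
}

// Sender: always name the exact target origin so the browser drops the message
// if the target window has navigated somewhere else.
function sendStatus(targetWindow, signedIn, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error('refusing to post session data to a wildcard origin');
  }
  targetWindow.postMessage({ type: 'session-status', signedIn }, targetOrigin);
}

// In a page this would be wired up as:
//   window.addEventListener('message', makeReceiver(updateUi));
//   sendStatus(window.parent, true, 'https://app.example.com');
```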
- WebUSB from extension service workers
Chrome 111 will enable access to WebUSB API from extension service workers as a migration path for manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Deprecation of Web SQL and other old Storage features
The Web SQL API is rarely used, and since its removal by Safari, only Chromium-based browsers have supported it. It requires frequent security fixes, and developers have been discouraged from using it for years. We're now engaging in an effort to seek out and warn anyone who may still be using Web SQL, with the goal of removing it entirely in 2023.
What you need to do depends on how you're using Web SQL:
- If you're just using Web SQL to detect whether a given browser is Chrome, that method will stop working when Web SQL is removed. Navigator.userAgentData is a better alternative.
- If you're using Web SQL to simply store a few data points, localStorage and sessionStorage provide easier ways to do this.
- However, if you're using Web SQL for more complex storage, you'll need to find a proper replacement.
Here are some migration options for more complex storage:
- If your storage needs don't require a relational database, IndexedDB is the standard solution for structured storage on the web. Large sites rely on IndexedDB, and all major browsers support it.
- For those who do need a relational database, we are partnering with the SQLite team to create an evergreen cross-browser Web SQL replacement. The team is adding a web backend to SQLite, using Emscripten to compile it to WebAssembly and leveraging the new File System Access Handles API as a low-level virtual file interface. We expect this to be ready for use early in 2023. For more information, see our blog post Deprecating and removing Web SQL, which we'll update when noteworthy events occur.
We've already disabled Web SQL in third-party contexts. The next step is to remove support in non-secure contexts. In Chrome 105, we introduced a deprecation warning in DevTools. We'll remove this support in Chrome 110. An enterprise policy, WebSQLNonSecureContextEnabled, will let Web SQL function in non-secure contexts for a few months past the removal date.
In Chrome 110, we will also remove the window.webkitStorageInfo API. This legacy quota API has been deprecated since 2013, and has been replaced by the now standardized StorageManager API.
- Network Service on Windows will be sandboxed
As early as Chrome 111, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 111 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome Apps are still launchable.
Starting with Chrome 111, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property | Extension ID (Chrome App) | install_url (PWA / Web App) |
---|---|---|
Gmail | pjkljhegncpnkpknbcohdijeoejaedia | https://mail.google.com/mail/installwebapp?usp=admin |
Docs | aohghmighlieiainnegkcijnfilokake | https://docs.google.com/document/installwebapp?usp=admin |
Drive | apdfllckaahabafndbhieahigkjlhalf | https://drive.google.com/drive/installwebapp?usp=admin |
Sheets | felcaaldnbdncclmgdcncolpebgiejap | https://docs.google.com/spreadsheets/installwebapp?usp=admin |
Slides | aapocclcgogkmnckokdopfmhonfmgoek | https://docs.google.com/presentation/installwebapp?usp=admin |
YouTube | blpcfgokakmgnkcojhhkbfbldkacnbeo | https://www.youtube.com/s/notifications/manifest/cr_install.html |
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
All new extensions submitted to the Chrome Web Store already must implement Manifest V3, but existing Manifest V2 extensions can still be updated, and still run in Chrome.
In 2023, extensions using Manifest V2 will cease running in Chrome. If your organization is running extensions that use Manifest V2, you must update them to leverage Manifest V3. If you need additional time to adjust to the Manifest V3 transition, you'll be able to extend Manifest V2 support in Chrome using an enterprise policy until January 2024.
You can see which manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
Upcoming ChromeOS changes
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 114, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
- Channel labeling on ChromeOS
Trying out the latest version of ChromeOS? For users on non-stable channels (Beta, Dev, Canary), starting in 109 you will see which channel you are on in the bottom right. Selecting the time to open quick settings will have a new UI with the device build as well as a button directly to submit feedback.
- Cursive pre-installed for Enterprise and Education accounts
As early as ChromeOS 110, Cursive is a stylus-first notes app for Chromebooks. In an upcoming release, it will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks.
- Fast Pair
Fast Pair makes Bluetooth pairing easier on ChromeOS devices and Android phones. When you turn on your Fast Pair-enabled accessory, it automatically detects and pairs with your ChromeOS device or Android phone in a single tap. Fast Pair also associates your Bluetooth accessory with your Google account, making it incredibly simple to move between devices without missing a beat. This feature will be available as early as ChromeOS 111.
- Updates to emoji picker
In ChromeOS 111, the emoji picker will include commonly used symbols and characters, such as scientific notations and math operators. In addition, we will include text-based emoticons (kaomoji) for even more expressive conversations. The new top-level navigation bar will help you find the high-level category quickly, ranging from emojis, symbols, and emoticons. The improved universal search will show possible matches from all categories.
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Support for Encrypted Client Hello (ECH) | ✓ | ||
User-Agent reduction Phase 5 | ✓ | ||
Marshmallow deprecation for Chrome on Android | ✓ | ||
BuiltinCertificateVerifierEnabled removed on Mac | ✓ | ||
Updates to Incognito Mode | ✓ | ||
A redesign for browser downloads | ✓ | ||
Password import for Chrome Desktop | ✓ | ||
Sync after sign-in intercept | ✓ | ✓ | |
Updated Media picker on Android | ✓ | ||
Automatic revocation of disruptive notifications | ✓ | ||
DisplayCapturePermissionsPolicyEnabled policy removed | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Camera Framing | ✓ | ||
Files app: Improved filtering in Recent tab | ✓ | ||
Lock device on lid close | ✓ | ||
3P Identity Provider: Autofill username | ✓ | ✓ | |
Deprecate Assistant stylus features | ✓ | ||
Saved desks | ✓ | ||
Close a desk and its windows in one click | ✓ | ||
Photos integrations | ✓ | ||
Long-press to add accents | ✓ | ||
ChromeOS Accessibility settings improvements | ✓ | ✓ | |
Multi-touch virtual keyboard | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Managed browser list: CSV export limit increased to 150,000 records | ✓ | ||
Admin console: Extension request card | ✓ | ||
Text action buttons instead of icons in Device and Browser lists | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Change Async methods to Sync in FileSystemSyncAccessHandle | ✓ | ✓ | |
As early as Chrome 108, Chrome will change the UI for some download warnings. | ✓ | ✓ | |
Password Manager: Updates on iOS | ✓ | ||
Password Manager: Notes for Passwords | ✓ | ||
Windows: Pin to taskbar during install | ✓ | ||
Removal of master_preferences | ✓ | ||
Device token deletion | ✓ | ||
Rolling out GPU changes to NaCL Swapchain and video decoding | ✓ | ||
Strict MIME type checks for Worker scripts | ✓ | ||
Chrome sends Private Network Access preflights for subresources | ✓ | ||
Default to origin-keyed agent clustering in Chrome 109 | ✓ | ||
Intent to deprecate and remove: Event.path | ✓ | ||
MetricsReportingEnabled policy will be available on Android in Chrome | ✓ | ||
Windows 10 minimum required version in Chrome 110 | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Chrome apps no longer supported on Windows, Mac, and Linux | ✓ | ✓ | |
Deprecation of Web SQL and other old storage features | ✓ | ||
Extensions must be updated to use Manifest V3 | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Fast Pair | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ | |
ChromeOS Camera App: Document scanning improvements | ✓ | ||
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Super Resolution Audio for Bluetooth headset microphones | ✓ | ||
Channel labeling on ChromeOS | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Support for Encrypted Client Hello (ECH)
Chrome 107 starts rolling out support for ECH on sites that opt in, as a continuation of our network related efforts to improve our users’ privacy and safety on the web, for example, Secure DNS.
If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it. You can enable the new behavior by navigating to chrome://flags and enabling the #encrypted-client-hello flag. On Windows and Linux, you also need to enable Secure DNS for the flag to have an effect.
If you encounter any incompatibilities, you can use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.
- User-Agent reduction Phase 5
User-Agent (UA) reduction describes the effort to minimize the identifying information shared in the User-Agent string which might be used for passive fingerprinting. Beginning in Chrome 107, Chrome reduces some portions of the User-Agent string on desktop devices. As previously detailed in the Chromium blog, we intend to proceed with Phase 5 of the User-Agent reduction plan. The <platform> and <oscpu> tokens, parts of the User-Agent string, are reduced to the relevant <unifiedPlatform> token values, and are no longer updated. Additionally, the values for navigator.platform are frozen on desktop platforms. For more details, see this reference page and Chromium update.
The UserAgentReduction policy allows for opting out of these changes.
- BuiltinCertificateVerifierEnabled removed on Mac
In Chrome 107, we have removed the BuiltinCertificateVerifierEnabled policy on Mac. This policy was used to control the use of the built-in certificate verifier while using the platform provided root store. Since Chrome 105, a new implementation is available that uses the built-in certificate verifier with the Chrome Root Store. You can control the new implementation using the ChromeRootStoreEnabled policy.
- Updates to Incognito mode on iOS
Users can configure Chrome to open external links in Incognito using Settings > Privacy and Security > Ask to open links from other apps in Incognito. If you use the IncognitoModeAvailability policy to disable or to force Incognito mode, the policy setting takes precedence, and this user setting won't be available.
- A redesign for browser downloads
In Chrome 107, remaining users now see a redesigned downloads experience for desktop that moves downloads into a secondary UI surface, following an initial rollout in Chrome 102. The new download tray stems from the trusted UX of Chrome and allows for more effective warnings to better protect users. If you need extra time to adjust to this change, the DownloadBubbleEnabled enterprise policy is available to temporarily keep the old behavior.
- Password import for Chrome Desktop
Starting in Chrome 107, desktop users can import their passwords using Chrome browser. Previously, users were only able to import via passwords.google.com. They can now upload a CSV file of passwords to add them to their saved passwords in Google Password Manager. If the user has sync enabled, their passwords are available across their devices, where they are signed in with the same account.
- Sync after sign-in intercept
To provide a more consistent experience, Chrome now shows a new welcome screen after the user creates a new profile through the sign-in intercept. The user can optionally enable sync as well as modify the new profile name and theme color. The sign-in intercept bubble now contains an enterprise disclaimer if a new profile is to be managed by an organization. This also modifies the signed-out profile creation experience for consistency with other flows.
Enterprise administrators can disable the welcome dialog by setting the PromotionalTabsEnabled policy to false.
- Automatic revocation of disruptive notifications
Some notification prompts and messages are increasingly disruptive for users. Chrome automatically removes the notification grant for sites that send such notifications to users, as these sites are violating Google’s Developer Terms of Service. These sites also have subsequent notification prompts muted.
Any sites listed in the NotificationsAllowedForUrls enterprise policy do not have their notification permissions revoked.
- DisplayCapturePermissionsPolicyEnabled policy removed
The display-capture permissions-policy controls access to the getDisplayMedia() method, in accordance with the Screen Capture W3 specification.
In Chrome 94, we introduced display-capture as well as the enterprise policy, DisplayCapturePermissionsPolicyEnabled, for bypassing it. Chrome 107 removes this enterprise policy, so it is no longer possible to bypass the display-capture permissions-policy.
- New and updated policies in Chrome browser
Policy | Description |
---|---|
 | Show Journeys on the Chrome history page, available on Android. |
 | Allow using Google Assistant on the web, for example, to enable changing passwords automatically. |
 | Enable strict MIME type checking for worker scripts. |
ShoppingListEnabled | This policy controls the availability of the shopping list feature. |
ChromeOS updates
- Camera Framing
Camera Framing provides automatic zooming and centering of the user's face for video conference calls or taking selfies. If the device or camera supports Camera Framing, there’s a prompt and an option in Quick Settings to enable or disable the feature. To center yourself again, simply toggle the feature off and back on.
- Lock device on lid close
Settings now supports locking a device when the lid closes without suspending. This can be helpful if you have background tasks such as an SSH connection and don’t want them to be paused. The existing settings for Show lock screen when waking from sleep now also apply to lock the screen when closing the lid.
On an enterprise level, admins can set Action on lid close to Do nothing, by setting the LidCloseAction policy to 3 = Do nothing, and set Lock screen on sleep or lid close, by setting the ChromeOsLockOnIdleSuspend policy to true. With these settings, devices lock when the lid is closed except if they are docked and using an external monitor. In such a case, the device does not lock when the lid closes, but it locks if the external monitor is removed and the lid is still closed.
After locking, the device sleeps if configured to do so after an idle timeout, determined by the PowerManagementIdleSettings policy. If wake locks are allowed and an application holds a wake lock, with the AllowWakeLocks policy, the device does not sleep, which significantly affects battery consumption.
- 3P Identity Provider: Autofill username
With ChromeOS 107, we improve the online login flow for Chrome Enterprise and Education users that authenticate with Azure AD or Okta. Admins can activate the DeviceAutofillSAMLUsername policy to ensure that users no longer have to re-enter their username when authenticating with a third-party identity provider (3P IdP).
- Photos integrations
As early as Oct 3rd, Chromebook users get access to enhanced video editing features from Google Photos. The experience is optimized for a larger screen, and seamlessly integrates with the built-in Gallery app and your Chromebook files – so you can use local images and clips recorded on your Chromebook camera or stored in your Files app to build your movie.
While movie editing typically comes with a steep learning curve, the revamped movie creation tools in Google Photos help you make high-quality movies with just a few taps using your video clips and photos. Starting in Q4 2022, you can create beautiful movies from suggested themes, or put yourself in the director's seat and start from scratch, right on your Chromebook.
Admin console updates
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
 | Networks Settings | ChromeOS | General settings > Block SSIDs |
 | User & Browser Settings | Chrome, ChromeOS | Security > Compromised password alerts |
 | User & Browser Settings | ChromeOS | Security > WebAuthn |
 | Device Settings | ChromeOS | Device updates > Auto-update settings > Allow peer to peer auto update downloads |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or be canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Change Async methods to Sync in FileSystemSyncAccessHandle Launch
In Chrome 108, the getSize(), truncate(), flush() and close() async methods in the FileSystemSyncAccessHandle primitive in the File System Access API will be converted to synchronous methods, in line with the read() and write() methods.
This change supports a fully synchronous API for FileSystemSyncAccessHandle, enabling high performance for WebAssembly (WASM) based applications.
An enterprise policy, FileSystemSyncAccessHandleAsyncInterfaceEnabled, will be available until Chrome 110 to enable the async methods.
- As early as Chrome 108, Chrome will change the UI for some download warnings
To protect users from malware, Chrome will start to show detailed context and customized UIs for some download warnings. For example, if Chrome detects that a download could steal a user's information, the description will change from "Chrome blocked this file because it is dangerous" to "This file contains malware that can compromise your personal or social network accounts". You can disable download warnings by setting the SafeBrowsingProtectionLevel enterprise policy, or allowlist specific domains using SafeBrowsingAllowlistDomains.
- Password Manager: Updates on iOS
From Chrome on iOS 108, we plan to make it easier for users to access their passwords. The password list view will be simplified, to show users just their passwords. Password-related settings will be moved to their own screen, making it easier for users to see and manage their settings in one place. Existing features like adding or editing passwords and password checkup will remain available on the password list view.
- Password Manager: Notes for Passwords
From Chrome for Desktop 108, you will be able to save a note for each saved credential in the password manager. Passwords (and notes) will move to a sub-page and will no longer be accessible from the eye icon on the Password List View, as part of this change. You will now need to re-authenticate before accessing the sub-page.
- Windows: pin to taskbar during install
As early as Chrome 108, the Chrome installer will pin Chrome to the Windows taskbar for easier access to Chrome. You will be able to use the do_not_create_desktop_shortcut setting in initial_preferences to control this behavior.
- Removal of master_preferences
master_preferences and initial_preferences are ways of setting default preferences for a Chrome install. The historical name of the file is master_preferences, but it was renamed to initial_preferences in Chrome 91. To make the transition easy for IT admins, from Chrome 91 to Chrome 107, naming the file either initial_preferences or master_preferences has the same effect. In Chrome 108, if you name the file master_preferences, it will not work by default. You should rename the file initial_preferences.
- Rolling out GPU Changes to NaCL Swapchain and video decoding
As early as Chrome 109, we will refactor the implementation of the NaCL swapchain and the Pepper video decoding APIs. These changes are not intended to have any behavioral impact on users. However, it is possible that due to bugs they might result in visual artifacts, unacceptably slow performance when playing video, unacceptable increases in power, or crashes. Information about how to signal any problems will be available as these refactors roll out.
- Strict MIME type checks for Worker scripts
Starting with Chrome 109, Chrome will strictly check MIME types for Worker scripts, like Service Workers or Web Workers. Strict checking means that Chrome will only accept JavaScript resources for Workers with a MIME type of text/javascript. Currently, Chrome will also accept other MIME types, like text/ascii. This change is aimed at improving the security of web applications, by preventing inclusion of inappropriate resources as JavaScript files.
- Chrome sends Private Network Access preflights for subresources
Chrome 104 started sending a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new Access-Control-Request-Private-Network: true header. In this initial phase, this request is sent, but no response is required from network devices. If no response is received, or it does not carry a matching Access-Control-Allow-Private-Network: true header, a warning is shown in DevTools. For more details, see this blog post.
In Chrome 109 at the earliest, the warnings will turn into errors and affected requests will fail. You can disable Private Network Access checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
If you want to test this feature in advance, you can enable warnings using chrome://flags/#private-network-access-send-preflights. If you want to test how it behaves once warnings turn into errors, you can enable chrome://flags/#private-network-access-respect-preflight-results.
Chrome is making this change to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks. To learn more about mitigating this change proactively, see details on what to do if your site is affected. Read the whole blog post for a more general discussion and latest updates about Private Network Access preflights.
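The preflight exchange described above, from both sides, as an added example that is not Chrome's or any vendor's code: `answerPreflight` is how a device on a private network could decide whether to grant the request, and `privateNetworkVerdict` is a simplified model of the browser's rule that ignores ordinary CORS checks. The origin allowlist, method list and sample hostnames are assumptions.

```javascript
// Constructed values: only this admin UI may script the device.
const ALLOWED_ORIGINS = new Set(['https://admin.example.com']);
const ALLOWED_METHODS = new Set(['GET', 'POST']);

// HTTP header names are case-insensitive; normalize before lookup.
function lowerCaseHeaders(headers) {
  const out = new Map();
  for (const [name, value] of Object.entries(headers)) {
    out.set(name.toLowerCase(), String(value).trim());
  }
  return out;
}

// Device side: answer an OPTIONS preflight. Returns null when the request is
// not a CORS preflight, so the caller can route it normally.
function answerPreflight(method, requestHeaders) {
  const h = lowerCaseHeaders(requestHeaders);
  const origin = h.get('origin');
  const wantedMethod = h.get('access-control-request-method');
  if (method !== 'OPTIONS' || !origin || !wantedMethod) return null;

  // Unknown origin or method: refuse and send no Allow-* headers at all.
  if (!ALLOWED_ORIGINS.has(origin) || !ALLOWED_METHODS.has(wantedMethod)) {
    return { status: 403, headers: {} };
  }

  const headers = {
    'Access-Control-Allow-Origin': origin, // echo the vetted origin, never "*"
    'Access-Control-Allow-Methods': wantedMethod,
    'Vary': 'Origin',
  };
  // Grant private network access only when the browser asked for it.
  if (h.get('access-control-request-private-network') === 'true') {
    headers['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers };
}

// Browser side, reduced to the rule in the text: the request passes cleanly
// only if a preflight response arrived and carries the matching Allow header.
// enforce=false models the warning-only phase, enforce=true the phase in
// which warnings turn into errors. Pass null when the device never answered.
function privateNetworkVerdict(preflightResponse, enforce) {
  let granted = false;
  if (preflightResponse) {
    const h = lowerCaseHeaders(preflightResponse.headers);
    const ok = preflightResponse.status >= 200 && preflightResponse.status < 300;
    granted = ok && h.get('access-control-allow-private-network') === 'true';
  }
  if (granted) return 'allowed';
  return enforce ? 'blocked' : 'allowed-with-warning';
}

// Constructed sample preflights: one from the trusted admin UI, one from an
// unrelated public site trying to reach the same device.
const TRUSTED_PREFLIGHT = {
  'Origin': 'https://admin.example.com',
  'Access-Control-Request-Method': 'POST',
  'Access-Control-Request-Private-Network': 'true',
};
const UNTRUSTED_PREFLIGHT = {
  'origin': 'https://unrelated.example.net',
  'access-control-request-method': 'POST',
  'access-control-request-private-network': 'true',
};
```

A device that never answers the preflight is modeled by passing null to `privateNetworkVerdict`, which is the case that starts failing once enforcement is on.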
- Default to origin-keyed agent clustering in Chrome 109
As early as Chrome 109, websites will be unable to set document.domain. Websites will need to use alternative approaches such as postMessage() or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it will need to send an Origin-Agent-Cluster: ?0 header along with all documents that require that behavior.
Note: document.domain has no effect if only one document sets it.
The OriginAgentClusterDefaultEnabled enterprise policy will allow you to extend the current behavior.
- Intent to deprecate and remove: Event.path
To improve web compatibility, we will stop supporting the non-standard API Event.path as early as Chrome 109. Websites should migrate to Event.composedPath(), which is a standard API that returns the same result. If you need additional time to adjust, a policy EventPathEnabled, available on Windows, Mac, Linux, ChromeOS, Android and WebView will allow you to extend the lifetime of Event.path by an additional 6 milestones.
- MetricsReportingEnabled policy will be available on Android in Chrome
As early as Chrome 109, Chrome on Android will slightly modify the first run experience to support the MetricsReportingEnabled policy. If the admin disables metrics reporting, there will be no change to the first run experience. If the admin enables metrics, users will still be able to change the setting in Chrome settings. When enabled, the MetricsReportingEnabled policy allows anonymous reporting of usage and crash-related data about Chrome to Google.
- Windows 10 as minimum required version in Chrome 110
Microsoft ends support for Windows 7 ESU and Windows 8.1 extended support on January 10, 2023. Chrome 110, tentatively scheduled for release on February 7, is the first version of Chrome which will have a minimum Windows version of Windows 10.
- Network Service on Windows will be sandboxed
As early as Chrome 111, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 111 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome Apps are still launchable.
Starting with Chrome 111, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property | Extension ID (Chrome App) | install_url (PWA / Web App) |
---|---|---|
Gmail | pjkljhegncpnkpknbcohdijeoejaedia | https://mail.google.com/mail/installwebapp?usp=admin |
Docs | aohghmighlieiainnegkcijnfilokake | https://docs.google.com/document/installwebapp?usp=admin |
Drive | apdfllckaahabafndbhieahigkjlhalf | https://drive.google.com/drive/installwebapp?usp=admin |
Sheets | felcaaldnbdncclmgdcncolpebgiejap | https://docs.google.com/spreadsheets/installwebapp?usp=admin |
Slides | aapocclcgogkmnckokdopfmhonfmgoek | https://docs.google.com/presentation/installwebapp?usp=admin |
YouTube | blpcfgokakmgnkcojhhkbfbldkacnbeo | https://www.youtube.com/s/notifications/manifest/cr_install.html |
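The migration step described above, as an added example that is not Google's tooling: it rewrites an exported force-install extension list by moving the Chrome apps from the table into web app force-install entries. It assumes the two lists are the ExtensionInstallForcelist and WebAppInstallForceList policy values; the sample policy contents and the `default_launch_container: 'window'` choice are constructed.

```javascript
// ID-to-URL pairs copied from the table on this page.
const CHROME_APP_TO_INSTALL_URL = new Map([
  ['pjkljhegncpnkpknbcohdijeoejaedia', 'https://mail.google.com/mail/installwebapp?usp=admin'],
  ['aohghmighlieiainnegkcijnfilokake', 'https://docs.google.com/document/installwebapp?usp=admin'],
  ['apdfllckaahabafndbhieahigkjlhalf', 'https://drive.google.com/drive/installwebapp?usp=admin'],
  ['felcaaldnbdncclmgdcncolpebgiejap', 'https://docs.google.com/spreadsheets/installwebapp?usp=admin'],
  ['aapocclcgogkmnckokdopfmhonfmgoek', 'https://docs.google.com/presentation/installwebapp?usp=admin'],
  ['blpcfgokakmgnkcojhhkbfbldkacnbeo', 'https://www.youtube.com/s/notifications/manifest/cr_install.html'],
]);

// A force-install entry is "<extension id>" or "<extension id>;<update url>".
// Extension IDs are 32 characters drawn from the letters a to p.
function parseForcelistEntry(entry) {
  const [rawId, ...rest] = String(entry).split(';');
  const id = rawId.trim();
  if (!/^[a-p]{32}$/.test(id)) return null;
  return { id, updateUrl: rest.join(';') || null };
}

// Returns the two policy values after migration, plus a report of what moved
// and which entries could not be parsed (left for manual review).
function migrateForceInstalledApps(extensionForcelist, webAppForceList = []) {
  const keptExtensions = [];
  const migrated = [];
  const invalid = [];
  const webApps = webAppForceList.map((app) => ({ ...app }));
  const knownUrls = new Set(webApps.map((app) => app.url));

  for (const entry of extensionForcelist) {
    const parsed = parseForcelistEntry(entry);
    if (parsed === null) {
      invalid.push(entry);
      continue;
    }
    const installUrl = CHROME_APP_TO_INSTALL_URL.get(parsed.id);
    if (installUrl === undefined) {
      // Not in the table: an ordinary extension, or a Chrome app this table
      // does not cover. The ID alone cannot tell the two apart.
      keptExtensions.push(entry);
      continue;
    }
    migrated.push(parsed.id);
    // Do not duplicate a web app the admin already force-installs, and do
    // not overwrite the settings chosen for it.
    if (!knownUrls.has(installUrl)) {
      webApps.push({ url: installUrl, default_launch_container: 'window' });
      knownUrls.add(installUrl);
    }
  }
  return {
    ExtensionInstallForcelist: keptExtensions,
    WebAppInstallForceList: webApps,
    migrated,
    invalid,
  };
}

// Constructed sample: Gmail and Drive Chrome apps, one made-up extension ID,
// one malformed entry, and a Drive web app that is already force-installed.
const SAMPLE_EXTENSION_FORCELIST = [
  'pjkljhegncpnkpknbcohdijeoejaedia;https://clients2.google.com/service/update2/crx',
  'abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx',
  'apdfllckaahabafndbhieahigkjlhalf',
  'not-an-id',
];
const SAMPLE_WEB_APP_FORCELIST = [
  { url: 'https://drive.google.com/drive/installwebapp?usp=admin', default_launch_container: 'tab' },
];
```

Entries that stay in the extension list are not proven to be extensions, so any remaining Chrome apps outside the table still need to be identified by other means.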
- Deprecation of Web SQL and other old Storage features
The Web SQL API is rarely used, and since its removal by Safari, only Chromium-based browsers have supported it. It requires frequent security fixes, and developers have been discouraged from using it for years. We're now engaging in an effort to seek out and warn anyone who may still be using Web SQL, with the goal of removing it entirely in 2023.
What you need to do depends on how you're using Web SQL:
- If you're just using Web SQL to detect whether a given browser is Chrome, that method will stop working when Web SQL is removed. Navigator.userAgentData is a better alternative.
- If you're using Web SQL to simply store a few data points, localStorage and sessionStorage provide easier ways to do this.
- However, if you're using Web SQL for more complex storage, you'll need to find a proper replacement.
Here are some migration options for more complex storage:
- If your storage needs don't require a relational database, IndexedDB is the standard solution for structured storage on the web. Large sites rely on IndexedDB, and all major browsers support it.
- For those who do need a relational database, we are partnering with the SQLite team to create an evergreen cross-browser Web SQL replacement. The team is adding a web backend to SQLite, using Emscripten to compile it to WebAssembly and leveraging the new File System Access Handles API as a low-level virtual file interface. We expect this to be ready for use early in 2023. For more information, see our blog post Deprecating and removing Web SQL, which we'll update when noteworthy events occur.
We've already disabled Web SQL in third-party contexts. The next step is to remove support in non-secure contexts. In Chrome 105, we introduced a deprecation warning in DevTools. We'll remove this support in early 2023. An enterprise policy, WebSQLNonSecureContextEnabled, will let Web SQL function in non-secure contexts for a few months past the removal date.
In early 2023, we will also remove the window.webkitStorageInfo API. This legacy quota API has been deprecated since 2013, and has been replaced by the now standardized StorageManager API.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
All new extensions submitted to the Chrome Web Store already must implement Manifest V3, but existing Manifest V2 extensions can still be updated, and still run in Chrome.
In 2023, extensions using Manifest V2 will cease running in Chrome. If your organization is running extensions that use Manifest V2, you must update them to leverage Manifest V3. If you need additional time to adjust to the Manifest V3 transition, you'll be able to extend Manifest V2 support in Chrome using an enterprise policy until January 2024.
You can see which manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
Upcoming ChromeOS changes
- Fast Pair
Fast Pair makes Bluetooth pairing easier on ChromeOS devices and Android phones. When you turn on your Fast Pair-enabled accessory, it automatically detects and pairs with your ChromeOS device or Android phone in a single tap. Fast Pair also associates your Bluetooth accessory with your Google account, making it incredibly simple to move between devices without missing a beat. This feature will be available as early as ChromeOS 108.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 108, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
- ChromeOS Camera App: Document scanning improvements
From M107, document scanning in the ChromeOS Camera App will be automatically downloaded when the user selects it, making it available to more devices including those with Apollo Lake and MT8173 processors. From M108, the document scanning feature will support taking multiple pages and combining them into a single PDF.
- Cursive pre-installed for Enterprise and Education accounts
As early as ChromeOS 109, Cursive is a stylus-first notes app for Chromebooks. In an upcoming release, it will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks.
- Channel labeling on ChromeOS
Trying out the latest version of ChromeOS? For users on non-stable channels (Beta, Dev, Canary), starting in 109 you will see which channel you are on in the bottom right. Selecting the time to open quick settings will have a new UI with the device build as well as a button directly to submit feedback.
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Accurate screen labels for window placement | ✓ | ||
Chrome shows Journeys on the History page on Android | ✓ | ||
Incognito lock on Android | ✓ | ||
Incognito downloads prompt on Android | ✓ | ||
Release of Prerender2 in Desktop | ✓ | ||
Chrome allows users to search their history, bookmarks, and tabs directly in the Omnibox | ✓ | ||
New lock screen widgets for iOS 16 | ✓ | ||
Updates to the instructional chip shown for region search | ✓ | ||
Persistent quota deprecation launch | ✓ | ||
Changes to chrome.runtime | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Default link capture behavior | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Networks management in Chrome Policy API | ✓ | ||
CUPS print servers management in Chrome Policy API | ✓ | ||
Support for group-based policies for printers in Policy API | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Support for Encrypted Client Hello (ECH) | ✓ | ||
Link anonymization when entering Incognito | ✓ | ✓ | |
Device token deletion | ✓ | ||
MetricsReportingEnabled policy will be available on Android in Chrome | ✓ | ||
Removal of window.webkitStorageInfo | ✓ | ||
Removal of master_preferences | ✓ | ||
User-Agent reduction Phase 5 | ✓ | ||
Automated password changes on Desktop | ✓ | ||
Chrome sends Private Network Access preflights for subresources | ✓ | ||
Marshmallow deprecation for Chrome on Android | ✓ | ||
BuiltinCertificateVerifierEnabled being removed on Mac | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Chrome apps no longer supported on Windows, Mac, and Linux | ✓ | ✓ | |
Default to origin-keyed agent clustering in Chrome 109 | ✓ | ||
Intent to deprecate and remove: Event.path | ✓ | ||
Windows 10 as minimum required version in Chrome 110 | ✓ | ||
Web SQL deprecation in non-secure contexts | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS Accessibility settings improvements | ✓ | ||
Photos integrations | ✓ | ||
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Long-press diacritics | ✓ | ||
Channel labeling on ChromeOS | ✓ | ||
Save and recall Desks | ✓ | ||
Super Resolution Audio for Bluetooth headset microphones | ✓ | ||
Multi-touch virtual keyboard | ✓ | ||
Fast Pair | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Accurate screen labels for window placement
Chrome 105 launched a feature to display a label that meaningfully describes the screen to a user. For example, you can use this label to request permission to open and place windows on a connected screen.
This feature is a requested enhancement of the Multi-Screen Window Placement API which launched in Chrome 100, and was first rolled out in Chrome 105. You can read more on our Chrome Platform Status page. Enterprise policies are available to control access to the Window Placement API: WindowPlacementAllowedForUrls and WindowPlacementBlockedForUrls.
- Chrome shows Journeys on the History page on Android
- Incognito lock on Android
Chrome 106 on Android 11 and later requires authentication when resuming an Incognito session. The feature is disabled by default. It can be enabled using the new "Lock Incognito tabs when you leave Chrome" toggle under Settings > Privacy and security. This feature is not available on managed devices where the IncognitoModeAvailability enterprise policy is set to Disabled.
- Release of Prerender2 in Desktop
Expanding on our prerender efforts released in Chrome 101 for Android, we shipped Prerender2 for Desktop in Chrome 105, which allows Chrome to prerender pages that the user is highly likely to navigate to next, aiming to produce an instant navigation. An enterprise policy, NetworkPredictionOptions, is available to block all prerendering activities, which results in Chrome ignoring any hints or triggers to prerender a page. See our article for more information.
- Chrome allows users to search their history, bookmarks, and tabs directly in the Omnibox
Chrome 106 helps users to quickly find what they are looking for by enabling them to search their history, bookmarks, or tabs directly in the Omnibox. Using one of the prepopulated shortcuts (@history, @bookmarks, or @tabs), users can choose to conduct a focused search limited to the area selected. You can change or deactivate these shortcuts in Settings > Search Engine > Manage search engine and site search > Site search.
- Updates to the instructional chip shown when using region search
When using Google Lens, some users see a new look on their instructional chip, which includes a helpful icon and updated text. This ensures users have all the information they need to search visual elements on their screen. You can control this feature with the LensRegionSearchEnabled enterprise policy.
- Persistent quota deprecation launch
In Chrome 106, the window.PERSISTENT quota type in webkitRequestFileSystem is no longer supported. webkitRequestFileSystem still accepts a type parameter and use of the PERSISTENT and TEMPORARY types creates file systems with separate roots, but the PERSISTENT type no longer grants access to a persistent file system.
Legacy quota API navigator.webkitPersistentStorage is an alias to navigator.webkitTemporaryStorage. The deprecated quota API, webkitStorageInfo, ignores the storageType parameter for its methods.
- Changes to chrome.runtime
In Chrome 106, chrome.runtime is no longer defined unconditionally on all sites. In contexts where there is no connectable extension, websites should never expect chrome.runtime to be defined.
Over the past couple of months, we have taken steps to remove Chrome's legacy U2F security API. This API was implemented in an internal Chrome extension called CryptoToken, which by design was externally connectable from all URLs. The presence of this extension meant that chrome.runtime was effectively always defined on any web origin, because there was always at least one extension to connect to, even if the user installed no other connectable extensions. As part of the U2F removal process, Chrome 106 stops loading CryptoToken by default, which means that chrome.runtime is now undefined in contexts where there is no other connectable extension.
Websites should never assume that chrome.runtime is defined unconditionally. As a temporary workaround, the effects of this change can be reversed by enabling the chrome://flags/#load-cryptotoken-extension flag or by using the enterprise policy named LoadCryptoTokenExtension.
- New and updated policies in Chrome browser
Policy Description Load the CryptoToken component extension at startup.
Configuration policy for the OnPrint Google Enterprise Connector.
Keep browsing data by default when creating enterprise profile.
Enable or disable persistent quota.
Re-enable the deprecated window.webkitStorageInfo API.
ChromeOS updates
- Default link capture behavior
Newly installed apps no longer handle links clicked in the browser by default. Links clicked in the browser are always opened in the browser, unless the Open supported links setting is enabled from the Settings app.
Admin console updates
- Networks management in Chrome Policy API
We have added support for network management in the Chrome Policy API. This allows admins to use the API to create, delete, and configure WiFi, ethernet, and VPN networks, and certificates. For more details, see Policy schema names.
- CUPS print servers management in Chrome Policy API
Admins can now create, delete, and manage print server configurations within their ecosystem using the Chrome Policy API. For more details, see the Chrome Printer Management API guide and Policy schema names.
- Support for group-based policies for printers in Policy API
Adding to existing support for printer management on an OU-by-OU basis, admins can now modify printer settings for particular Google groups within their organization using the Policy API. For more details, see Group policy.
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
WebUsbAllowDevicesForUrls | User & Browser Settings; Managed Guest Session | Chrome, ChromeOS, Android | Hardware > WebUSB API allowed devices |
ApplicationLocaleValue | User & Browser Settings | Windows | User experience > Browser locale |
RestoreOnStartup | User & Browser Settings; Managed Guest Session | Chrome, ChromeOS | Startup > Pages to load on startup |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Support for Encrypted Client Hello (ECH)
As early as Chrome 107, Chrome will start rolling out support for ECH on sites that opt-in, as a continuation of our network related efforts to improve our users’ privacy and safety on the web, for example, Secure DNS. If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it with Chrome 106. You can enable the new behavior by navigating to chrome://flags and enabling the #encrypted-client-hello flag. On Windows and Linux, you also need to enable Secure DNS for the flag to have an effect.
If you encounter any incompatibilities, you will be able to use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.
- Link anonymization when entering Incognito
As early as Chrome 107, Chrome will remove some URL parameters when a user selects Open link in incognito window from the context menu. You can control this behavior with the UrlParamFilterEnabled enterprise policy.
- MetricsReportingEnabled policy will be available on Android in Chrome
As early as Chrome 107, Chrome on Android will slightly modify the first run experience to support the MetricsReportingEnabled policy. If the admin disables metrics reporting, there will be no change to the first run experience. If the admin enables metrics, users will still be able to change the setting in Chrome settings. When enabled, the MetricsReportingEnabled policy allows anonymous reporting of usage and crash-related data about Chrome to Google.
- Removal of window.webkitStorageInfo
As early as Chrome 107, window.webkitStorageInfo API will be removed. This legacy quota API has been deprecated since 2013, and has been replaced by the now standardized StorageManager API.
- Removal of master_preferences
master_preferences and initial_preferences are ways of setting default preferences for a Chrome install. The historical name of the file is master_preferences, but it was renamed to initial_preferences in Chrome 91. To make the transition easy for IT admins, from Chrome 91 to Chrome 107, naming the file either initial_preferences or master_preferences has the same effect. In Chrome 108, if you name the file master_preferences, it will not work by default. You should rename the file initial_preferences.
Alternatively, you will be able to use the CompatibleInitialPreferences enterprise policy to extend support for the master_preferences naming. This policy is not currently available.
- User-Agent reduction Phase 5
Beginning in Chrome 107, some portions of the User-Agent string will be reduced on desktop devices. As previously detailed in the Chromium blog, we intend to proceed with Phase 5 of the User-Agent reduction plan. The <platform> and <oscpu> tokens, parts of the User-Agent string, are reduced to the relevant <unifiedPlatform> token values, and will no longer be updated. Additionally, the values for navigator.platform are frozen on desktop platforms. For more details, see this Chromium update.
The UserAgentReduction policy will allow for opting out of these changes.
- Automated password changes on Desktop
Chrome 107 will allow users to change their passwords automatically using Google Assistant on Desktop. If their passwords have been compromised, for example, this feature makes it easier to change passwords, and ultimately will help keep users safer. A policy will be available to enable or disable automated password changes in Google Assistant.
- Chrome sends Private Network Access preflights for subresources
Chrome 104 started sending a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new Access-Control-Request-Private-Network: true header. In this initial phase, this request is sent, but no response is required from network devices. If no response is received, or it does not carry a matching Access-Control-Allow-Private-Network: true header, a warning is shown in DevTools. For more details, see this blog post.
In Chrome 107 at the earliest, the warnings will turn into errors and affected requests will fail. You can disable Private Network Access checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
If you want to test this feature in advance, you can enable warnings using chrome://flags/#private-network-access-send-preflights. If you want to test how it behaves once warnings turn into errors, you can enable chrome://flags/#private-network-access-respect-preflight-results.
Chrome is making this change to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks. To learn more about mitigating this change proactively, see details on what to do if your site is affected. Read the whole blog post for a more general discussion and latest updates about Private Network Access preflights.
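One way a web server on a private network (an intranet application or a device's admin UI) can answer the preflight described above. This is an added example, not code from the Chrome release notes; the allowed origin, the permitted methods and the function names are assumptions.

```javascript
// Added example (not from the release notes): answering the Private
// Network Access (PNA) preflight on a private-network web server.

// Assumption: the public sites that are allowed to call this server.
const ALLOWED_ORIGINS = new Set(['https://portal.example.com']);

// Pure decision function. `headers` uses lower-case names, as Node's
// http module provides them. Returns null when the request is not a
// CORS preflight, otherwise the { status, headers } to send back.
function answerPreflight(method, headers) {
  const isPreflight = method === 'OPTIONS' &&
    headers['access-control-request-method'] !== undefined;
  if (!isPreflight) return null;

  const origin = headers['origin'];
  // Unknown origin: reply without any CORS headers, so Chrome fails the
  // preflight and never sends the actual request.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }

  const reply = {
    'Access-Control-Allow-Origin': origin, // echo the vetted origin, never "*"
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin',
  };
  // Chrome marks private network requests with this header. Opt in only
  // when it is present, so ordinary CORS preflights are unaffected.
  if (headers['access-control-request-private-network'] === 'true') {
    reply['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers: reply };
}

// Request listener with the (req, res) shape that Node's
// http.createServer() expects.
function handleRequest(req, res) {
  const preflight = answerPreflight(req.method, req.headers);
  if (preflight) {
    res.writeHead(preflight.status, preflight.headers);
    res.end();
    return;
  }
  // Actual request: the allow-list is enforced here too, because only
  // browsers that implement the check send a preflight first.
  const origin = req.headers['origin'];
  if (origin && !ALLOWED_ORIGINS.has(origin)) {
    res.writeHead(403, {});
    res.end();
    return;
  }
  const headers = { 'Content-Type': 'application/json' };
  if (origin) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Vary'] = 'Origin';
  }
  res.writeHead(200, headers);
  res.end(JSON.stringify({ status: 'ok' }));
}
```

Pass `handleRequest` to Node's `http.createServer()` to serve it. Answering the preflight explicitly keeps the server working once the warnings become errors, without relying on the InsecurePrivateNetworkRequestsAllowed policies.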
- BuiltinCertificateVerifierEnabled being removed on Mac
The BuiltinCertificateVerifierEnabled policy will be removed in Chrome 107 on Mac. This policy was used to control the use of the built-in certificate verifier while using the platform provided root store. Starting in Chrome 105, a new implementation is available that uses the built-in certificate verifier with the Chrome Root Store. The new implementation may be controlled by the ChromeRootStoreEnabled policy.
- Network Service on Windows will be sandboxed
As early as Chrome 108, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 109 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome Apps are still launchable.
Starting with Chrome 109, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property | Extension ID (Chrome App) | install_url (PWA / Web App) |
---|---|---|
Gmail | pjkljhegncpnkpknbcohdijeoejaedia | https://mail.google.com/mail/installwebapp?usp=admin |
Docs | aohghmighlieiainnegkcijnfilokake | https://docs.google.com/document/installwebapp?usp=admin |
Drive | apdfllckaahabafndbhieahigkjlhalf | https://drive.google.com/drive/installwebapp?usp=admin |
Sheets | felcaaldnbdncclmgdcncolpebgiejap | https://docs.google.com/spreadsheets/installwebapp?usp=admin |
Slides | aapocclcgogkmnckokdopfmhonfmgoek | https://docs.google.com/presentation/installwebapp?usp=admin |
YouTube | blpcfgokakmgnkcojhhkbfbldkacnbeo | https://www.youtube.com/s/notifications/manifest/cr_install.html |
- Default to origin-keyed agent clustering in Chrome 109
As early as Chrome 109, websites will be unable to set document.domain. Websites will need to use alternative approaches such as postMessage() or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it will need to send an Origin-Agent-Cluster: ?0 header along with all documents that require that behavior.
Note: document.domain has no effect if only one document sets it.
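A sketch of the postMessage() alternative for two documents that used to relax the same-origin policy by setting document.domain. This is an added example, not code from the release notes; the origins https://app.example.com and https://widgets.example.com, the message types and the function names are assumptions.

```javascript
// Added example (not from the release notes): a page on
// https://app.example.com embeds a frame from
// https://widgets.example.com. Both used to set
// document.domain = 'example.com'; now they exchange messages instead.

// Build a 'message' listener that only accepts traffic from the named
// origins and only dispatches message types that have a handler.
function createReceiver(trustedOrigins, handlers) {
  const trusted = new Set(trustedOrigins);
  return function onMessage(event) {
    // event.origin is filled in by the browser, not by the sender.
    if (!trusted.has(event.origin)) return false;
    const data = event.data;
    // Treat the payload as untrusted input: require a known message type.
    if (data === null || typeof data !== 'object') return false;
    if (!Object.prototype.hasOwnProperty.call(handlers, data.type)) return false;
    handlers[data.type](data.payload, event);
    return true;
  };
}

// Send to one exact origin. A "*" target would deliver the message to
// whatever document currently occupies the frame.
function sendMessage(targetWindow, targetOrigin, type, payload) {
  if (targetOrigin === '*' || !/^https:\/\//.test(targetOrigin)) {
    throw new Error('targetOrigin must be an explicit https origin');
  }
  targetWindow.postMessage({ type, payload }, targetOrigin);
}

// Browser wiring on the parent page (https://app.example.com):
//   const frame = document.querySelector('iframe');
//   window.addEventListener('message',
//     createReceiver(['https://widgets.example.com'], {
//       resize: (p) => { frame.style.height = Number(p.height) + 'px'; },
//     }));
//   sendMessage(frame.contentWindow, 'https://widgets.example.com',
//     'theme', { dark: true });
```

Unlike document.domain, which gave every document on the shared parent domain full script access to the other, each side here exposes only the message types it chooses to handle.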
- Intent to deprecate and remove: Event.path
To improve web compatibility, we will stop supporting the non-standard API Event.path as early as Chrome 109. Websites should migrate to Event.composedPath(), which is a standard API that returns the same result. If you need additional time to adjust, a policy EventPathEnabled, available on Windows, Mac, Linux, ChromeOS, Android and WebView will allow you to extend the lifetime of Event.path by an additional 6 milestones.
- Windows 10 as minimum required version in Chrome 110
Microsoft ends support for Windows 7 ESU and Windows 8.1 extended support on January 10, 2023. Chrome 110, tentatively scheduled for release on February 7, is the first version of Chrome which will have a minimum Windows version of Windows 10.
- Web SQL deprecation in non-secure contexts
The non-standard Web SQL API is rarely used and requires frequent security fixes. At this point, only Chromium-based browsers support it. Web developers have been discouraged from using it for years. We are engaging in a careful process to seek out and warn partners who may still be using Web SQL, with the goal of removing it from Chrome entirely in 2023. Meanwhile, we're working on a replacement using WebAssembly.
We've already disabled Web SQL in third-party contexts. The next step is to remove support in non-secure contexts. In Chrome 105, we introduced a deprecation warning in DevTools. In early 2023, we plan to remove support in third-party contexts.
An enterprise policy, WebSQLNonSecureContextEnabled, is available when support ends, to allow Web SQL API to function in non-secure contexts if needed. The policy will expire in alignment with the API’s non-secure context removal schedule, currently planned for Chrome 110.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
All new extensions submitted to the Chrome Web Store already must implement Manifest V3, but existing Manifest V2 extensions can still be updated, and still run in Chrome.
In 2023, extensions using Manifest V2 will cease running in Chrome. If your organization is running extensions that use Manifest V2, you must update them to leverage Manifest V3. If you need additional time to adjust to the Manifest V3 transition, you'll be able to extend Manifest V2 support in Chrome using an enterprise policy until at least January 2024.
You can see which manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to our recent update on the transition to Manifest V3 and to the Manifest V2 support timeline.
Upcoming ChromeOS changes
- Photos integrations
As early as Oct 3rd, Chromebook users will get access to enhanced video editing features from Google Photos. The experience is optimized for a larger screen, and will seamlessly integrate with the built-in Gallery app and your Chromebook files—so you can use local images and clips recorded on your Chromebook camera or stored in your Files app to build your movie.
While movie editing typically comes with a steep learning curve, the revamped movie creation tools in Google Photos help you make high-quality movies with just a few taps using your video clips and photos. Starting in Q4 2022, you’ll be able to create beautiful movies from suggested themes, or put yourself in the director's seat and start from scratch, right on your Chromebook.
- Cursive pre-installed for Enterprise and Education accounts
As early as ChromeOS 107, Cursive is a stylus-first notes app for Chromebooks. In an upcoming release, it will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks.
- Long-press diacritics
In the virtual keyboard, users can hold a key to type an accented version or variant of that letter. Now users with a hardware keyboard can also hold a letter key to choose an accent or a letter variant. For example, hold the e key to see a list of accents, such as è in caffè or é in déjà vu.
- Channel labeling on ChromeOS
Trying out the latest version of ChromeOS? For users on non-stable channels (Beta, Dev, Canary), you will see which channel you are on next to the battery icon in the bottom right. Selecting the time to open quick settings will have a new UI with the device build as well as a button directly to submit feedback.
- Save and recall Desks
Starting in 107, you will be able to save and close an entire virtual desk, including all its app windows and their layout — perfect for when you want to switch gears or focus on a different task. When you’re ready to get back to it, you can open your saved desk and all its windows and tabs with a click.
- Fast Pair
Fast Pair makes Bluetooth pairing easier on ChromeOS devices and Android phones. When you turn on your Fast Pair-enabled accessory, it automatically detects and pairs with your ChromeOS device or Android phone in a single tap. Fast Pair also associates your Bluetooth accessory with your Google account, making it incredibly simple to move between devices without missing a beat. This feature will be available as early as ChromeOS 108.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 108, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Chrome apps no longer supported on Windows, Mac, and Linux: Chrome 105 shows warning message | ✓ | ✓ | |
Launch Renderer AppContainer | ✓ | ✓ | |
Chrome maintains its own default root store | ✓ | ||
Web SQL deprecation in non-secure contexts | ✓ | ||
Chrome sync ends support for Chrome 73 and earlier | ✓ | ||
Policies on Mac distinguished between user and machine | ✓ | ||
Add Set-Cookie as forbidden header name for Fetch | ✓ | ||
Disabling Chrome Variations no longer disables the Chrome Cleanup Tool | ✓ | ||
Internal certificate viewer for server certificates on Mac and Windows | ✓ | ||
Privacy Sandbox updates on FLEDGE on Android | ✓ | ||
WebAuthn: prompt users for Bluetooth permissions on macOS | ✓ | ||
Syntax changes to markup based Client Hints delegation | ✓ | ||
About this page (Android) | ✓ | ||
Enhanced Safe Browsing Google accounts integration on desktop | ✓ | ||
ForceBrowserSignIn policy requires EnableExperimentalPolicies on Linux | ✓ | ||
Browser extension telemetry | ✓ | ||
Accurate screen labels for window placement | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Close a desk and its windows in one click | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Group Based Policy for managed apps & extensions | ✓ | ||
Configure alerts for extension requests | ✓ | ||
Browser Details: Installed apps & extensions UX changes | ✓ | ✓ | |
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Support for Encrypted Client Hello (ECH) | ✓ | ||
Changes to chrome.runtime | ✓ | ||
Persistent quota deprecation launch | ✓ | ||
Chrome will show Journeys on the History page on Android | ✓ | ||
Incognito lock on Android | ✓ | ||
Incognito downloads prompt on Android | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Removal of window.webkitStorageInfo | ✓ | ||
Removal of master_preferences | ✓ | ||
User-Agent reduction Phase 5 | ✓ | ||
Automated password changes on Desktop | ✓ | ||
Chrome sends Private Network Access preflights for subresources | ✓ | ||
Marshmallow deprecation for Chrome on Android | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS Accessibility settings improvements | ✓ | ||
Photos integrations | ✓ | ||
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Long-press diacritics | ✓ | ||
Fast Pair | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ |
Chrome browser updates
- Chrome apps no longer supported on Windows, Mac, and Linux: Chrome 105 shows warning message
As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 109 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome Apps are still launchable.
Starting with Chrome 109, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property | Extension ID (Chrome App) | install_url (PWA / Web App) |
---|---|---|
Gmail | pjkljhegncpnkpknbcohdijeoejaedia | https://mail.google.com/mail/installwebapp?usp=admin |
Docs | aohghmighlieiainnegkcijnfilokake | https://docs.google.com/document/installwebapp?usp=admin |
Drive | apdfllckaahabafndbhieahigkjlhalf | https://drive.google.com/drive/installwebapp?usp=admin |
Sheets | felcaaldnbdncclmgdcncolpebgiejap | https://docs.google.com/spreadsheets/installwebapp?usp=admin |
Slides | aapocclcgogkmnckokdopfmhonfmgoek | https://docs.google.com/presentation/installwebapp?usp=admin |
YouTube | blpcfgokakmgnkcojhhkbfbldkacnbeo | https://www.youtube.com/s/notifications/manifest/cr_install.html |
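The force-install migration described here, and in the identical Chrome 106 note earlier on this page, can be scripted when the policy values are exported as JSON. This is an added example, not Google's tooling; it assumes the two lists are the ExtensionInstallForcelist and WebAppInstallForceList policies, and the function name and the choice of `default_launch_container` are assumptions.

```javascript
// Added example (not from the release notes). Extension IDs and
// install_urls are copied from the table above.
const CHROME_APP_TO_INSTALL_URL = new Map([
  ['pjkljhegncpnkpknbcohdijeoejaedia', // Gmail
    'https://mail.google.com/mail/installwebapp?usp=admin'],
  ['aohghmighlieiainnegkcijnfilokake', // Docs
    'https://docs.google.com/document/installwebapp?usp=admin'],
  ['apdfllckaahabafndbhieahigkjlhalf', // Drive
    'https://drive.google.com/drive/installwebapp?usp=admin'],
  ['felcaaldnbdncclmgdcncolpebgiejap', // Sheets
    'https://docs.google.com/spreadsheets/installwebapp?usp=admin'],
  ['aapocclcgogkmnckokdopfmhonfmgoek', // Slides
    'https://docs.google.com/presentation/installwebapp?usp=admin'],
  ['blpcfgokakmgnkcojhhkbfbldkacnbeo', // YouTube
    'https://www.youtube.com/s/notifications/manifest/cr_install.html'],
]);

// extensionForcelist: ExtensionInstallForcelist strings, each either
//   "<extension id>" or "<extension id>;<update url>".
// webAppForceList: existing WebAppInstallForceList objects ({ url, ... }).
// Returns new lists and the IDs that were moved; inputs are not modified.
function migrateForceInstallLists(extensionForcelist, webAppForceList = []) {
  const extensions = [];
  const webApps = webAppForceList.map((entry) => ({ ...entry }));
  const knownUrls = new Set(webApps.map((entry) => entry.url));
  const migrated = [];

  for (const entry of extensionForcelist) {
    const id = String(entry).split(';')[0].trim();
    const installUrl = CHROME_APP_TO_INSTALL_URL.get(id);
    if (installUrl === undefined) {
      extensions.push(entry); // not one of the listed Chrome apps: keep it
      continue;
    }
    migrated.push(id); // drop the Chrome app from the extension list
    // "If necessary": add the web app only when it is not already listed.
    if (!knownUrls.has(installUrl)) {
      knownUrls.add(installUrl);
      // Assumption: open in its own window, as the Chrome app did.
      webApps.push({ url: installUrl, default_launch_container: 'window' });
    }
  }
  return { extensions, webApps, migrated };
}
```

Review the `migrated` list before applying the new values, and keep any Chrome app that has no entry in the table on a separate plan, since this mapping covers only the Google apps listed above.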
- Launch Renderer AppContainer
As early as Chrome 105, a further sandbox security mitigation applies to renderer processes. They are placed inside an additional App Container on top of the existing sandbox. This prevents malicious code from having any network privileges by subverting kernel APIs from within the renderer process.
While we do not expect any incompatibilities with this new mitigation, some security products might react adversely to this.
A new policy RendererAppContainerEnabled allows selective disabling of this security mitigation while these issues are resolved. You can set this policy to Disabled to force disable the mitigation, otherwise it is enabled by default.
- Chrome maintains its own default root store
As early as Chrome 105, to improve user security and provide a consistent experience across different platforms, Chrome maintains its own default root store and built-in certificate verifier. Chrome continues to use custom local roots installed to the operating system’s trust store. See our article about the Chrome Root Program for more information.
We do not anticipate any changes to how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
A new policy, called ChromeRootStoreEnabled, allows selective disabling of the Chrome Root Store in favor of the platform root store. You can set this policy to Disabled to force the use of the platform root store, otherwise it is enabled by default. The policy will be available until Chrome 111.
- Web SQL deprecation in non-secure contexts
The non-standard Web SQL API is rarely used and requires frequent security fixes. At this point, only Chromium-based browsers support it. Web developers have been discouraged from using it for years. We are engaging in a careful process to seek out and warn partners who may still be using Web SQL, with the goal of removing it from Chrome entirely in 2023. Meanwhile, we're working on a replacement using WebAssembly.
We've already disabled Web SQL in third-party contexts. The next step is to remove support in non-secure contexts. In Chrome 105, we introduce a deprecation warning in DevTools. In early 2023, we plan to remove support in third-party contexts.
An enterprise policy, WebSQLNonSecureContextEnabled, is available when support ends, to allow Web SQL API to function in non-secure contexts if needed. The policy will expire in alignment with the API’s non-secure context removal schedule.
- Policies on Mac distinguished between user and machine
Chrome 105 on Mac adheres to the same policy precedence as other platforms. As of 105, machine-level policies, for example, set via Chrome Browser Cloud Management token management, take precedence over user-level policies. Previously, all policies were set as machine-level, regardless of their origin. If this change has any unexpected effects on your users, you can temporarily use the PolicyScopeDetection enterprise policy to revert to the previous behavior.
- Add Set-Cookie as forbidden header name for Fetch
Set-Cookie headers are semantically response headers, so they cannot just be combined and require more complex handling in the Headers object. Starting with Chrome 105, the Set-Cookie header is forbidden as a request header to avoid leaking this complexity into requests, as it is not useful for requests anyway. You can read more about this change on GitHub.
- Disabling Chrome Variations no longer disables the Chrome Cleanup Tool
Starting in Chrome 105, turning off variations no longer affects whether the Chrome Cleanup Tool runs. This means that enterprises that already have Chrome Variations turned off might notice that the Chrome Cleanup Tool starts running once per week in Chrome 105 on Windows.
To disable it, you can still set the ChromeCleanupEnabled enterprise policy to Disabled.
- Internal certificate viewer for server certificates on Mac and Windows
In Chrome 105 on Mac and Windows, the certificate viewer accessed from the page info bubble switches from using the platform provided viewer to one that is provided by Chrome. The Chrome certificate viewer is already used on Linux and ChromeOS.
- Privacy Sandbox updates on FLEDGE on Android
In Chrome 105, the Privacy Sandbox provides controls for the new Topics & Interest Group APIs on Android. This follows the launch of these APIs on Desktop in Chrome 104. It also introduces a one-time dialog for Android users that explains Privacy Sandbox to users and allows them to manage their preferences. Guest users or managed EDU users do not see this dialog.
Some users may see this opt-in consent dialog:
Other users may see this dialog:
Admins can prevent the dialog from appearing for their managed users by controlling third party cookies explicitly via policy:
- To allow third-party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to disabled.
- To disallow third-party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to enabled. This might cause some sites to stop working.
Any of the above settings will prevent the dialog from showing. Privacy Sandbox features are also disabled, and no dialog shown, if DefaultCookiesSetting is set to Do not allow any site to set local data.
- WebAuthn: prompt users for Bluetooth permissions on macOS
When a user attempts to use a phone as a security key on macOS, and Chrome does not have Bluetooth permission, and macOS doesn’t show a permission prompt itself, Chrome now prompts the user to open System Preferences to grant the required permission. This is not enabled for macOS 13 because, as of current macOS betas, it’s not yet possible to have the new System Settings open to the correct location.
- Syntax changes to markup based Client Hints delegation
We’re switching from syntax close to HTTP Permissions-Policy to use syntax closer to the iframe allow attribute at the request of developers.
There is existing HTML syntax to delegate client hints to third-party content which requires client information lost by user agent reduction. This syntax was introduced in Chrome 100 and is being removed in Chrome 105, for example:
<meta name="accept-ch" value="sec-ch-dpr=(https://foo.bar
https://baz.qux), sec-ch-width=(https://foo.bar)">
The replacement for this introduced in Chrome 105 is formatted as follows:
<meta http-equiv="delegate-ch" value="sec-ch-dpr https://foo.bar
https://baz.qux; sec-ch-width https://foo.bar">
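A migration helper for the syntax change above, as an added example that is not part of the original release notes or of Chrome. It converts the Chrome 100 value into the Chrome 105 value and rewrites matching meta tags in a template; the function names are hypothetical and the sample tag is the one shown above.

```javascript
// Added example: migrate Client Hints delegation markup from the Chrome 100
// syntax to the Chrome 105 syntax. Function names are hypothetical.

// True when text is a bare origin such as "https://foo.bar" (no path or query).
function isOrigin(text) {
  try {
    return new URL(text).origin === text;
  } catch (err) {
    return false;
  }
}

// "hint=(origin origin), hint=(origin)"  ->  "hint origin origin; hint origin"
function convertDelegationValue(oldValue) {
  const entryRe = /^([a-z0-9-]+)\s*=\s*\(([^()]*)\)$/i;
  const converted = [];
  for (const rawEntry of oldValue.split(',')) {
    const entry = rawEntry.trim();
    const match = entryRe.exec(entry);
    if (!match) {
      throw new Error(`Unrecognized delegation entry: "${entry}"`);
    }
    const hint = match[1].toLowerCase();
    // Origins are whitespace separated; the value may wrap across lines.
    const origins = match[2].split(/\s+/).filter(Boolean);
    if (origins.length === 0) {
      throw new Error(`No origins listed for ${hint}`);
    }
    for (const origin of origins) {
      if (!isOrigin(origin)) {
        throw new Error(`Not an origin: "${origin}"`);
      }
    }
    converted.push([hint, ...origins].join(' '));
  }
  return converted.join('; ');
}

// Rewrite every old-style tag in an HTML template. Tags whose value cannot be
// converted are left untouched and reported in `skipped` for manual review.
function migrateMetaTags(html) {
  const tagRe = /<meta\s+name="accept-ch"\s+value="([^"]*)"\s*\/?>/gi;
  const skipped = [];
  let migrated = 0;
  const output = html.replace(tagRe, (tag, value) => {
    try {
      const newValue = convertDelegationValue(value);
      migrated += 1;
      return `<meta http-equiv="delegate-ch" value="${newValue}">`;
    } catch (err) {
      skipped.push({ tag, reason: err.message });
      return tag;
    }
  });
  return { output, migrated, skipped };
}

// Sample input: the Chrome 100 tag from the release notes, wrapped as shown there.
const sampleTemplate =
  '<head>\n<meta name="accept-ch" value="sec-ch-dpr=(https://foo.bar\n' +
  'https://baz.qux), sec-ch-width=(https://foo.bar)">\n</head>';
const result = migrateMetaTags(sampleTemplate);
console.log(result.output);
console.log(`migrated=${result.migrated} skipped=${result.skipped.length}`);
```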
- About this page on Android
We are improving the From the web feature in the site info UI. It is now called About this page and opens a website with multiple pieces of information regarding the source and topic of a website.
This feature is only enabled when Make searches and browsing better is enabled in Settings > Sync and Google Services > Other Google services. You can control this setting with the UrlKeyedAnonymizedDataCollectionEnabled policy.
- Enhanced Safe Browsing Google accounts integration on desktop
For Chrome on desktop where the Safe Browsing protection level is not controlled by the SafeBrowsingProtectionLevel policy, users who are signed in and syncing, and have enabled Safe Browsing > Enhanced protection on their Google Account are notified that Enhanced protection is also enabled on their Chrome profile. Similarly, when a user disables Safe Browsing > Enhanced protection on their Google Account, it is disabled for their Chrome profile too.
- ForceBrowserSignIn policy requires EnableExperimentalPolicies on Linux
Starting in Chrome 105, you can only enable ForceBrowserSignIn on Linux if you also set EnableExperimentalPolicies to true.
ForceBrowserSignIn has never been officially supported on Linux, as per its documentation. However, prior to Chrome 105, it was possible to set it on Linux. This update is part of an ongoing effort to reduce Chrome's binary size and to more strictly adhere to Chrome's documented behavior.
A future release of Chrome will add support for the "Force users to sign-in to use the browser" option to the BrowserSignIn policy on Linux. Once this is complete, ForceBrowserSignIn will not function on Linux, even when EnableExperimentalPolicies is enabled.
- Browser extension telemetry
When you enable Safe Browsing > Enhanced protection, Chrome now collects telemetry information about installed extensions. It also monitors certain activities such as APIs executed and remote hosts contacted. These activities are analyzed on Google servers and further improve the detection of malicious and policy violating extensions. This improvement allows better protection for all Chrome extension users.
- Accurate screen labels for window placement
Chrome 105 now displays a label that meaningfully describes the screen to a user. For example, you can use this label to request permission to open and place windows on a connected screen. This is a feature enhancement for the Multi-Screen Window Placement API, which launched in Chrome 100. You can read more on our Chrome Platform Status page. Enterprise policies are available to control access to the Window Placement API: WindowPlacementAllowedForUrls and WindowPlacementBlockedForUrls.
- New and updated policies in Chrome browser
Policy | Description |
---|---|
PolicyAtomicGroupsEnabled | Enables the concept of policy atomic groups. |
PolicyListMultipleSourceMergeList | Allow merging list policies from different sources (now also available on iOS). |
PolicyDictionaryMultipleSourceMergeList | Allow merging dictionary policies from different sources (now available on Android and iOS). |
PolicyScopeDetection | Allow policy scope detection on macOS. |
ChromeRootStoreEnabled | Determines whether the Chrome Root Store and built-in certificate verifier will be used to verify server certificates. |
ComponentUpdatesEnabled | Enable component updates in Google Chrome (now available on Android and iOS). |
CloudUserPolicyOverridesCloudMachinePolicy | Allow user cloud policies to override Chrome Browser Cloud Management policies (now available on iOS). |
EventPathEnabled | Re-enable the Event.path API (available until Chrome 115). |
WebSQLNonSecureContextEnabled | Force WebSQL in non-secure contexts to be enabled (available until Chrome 110). |
EnterpriseAuthenticationAppLinkPolicy | External authentication app launch URLs (Android Webview). |
EncryptedClientHelloEnabled | Enable TLS Encrypted ClientHello. |
ChromeOS updates
Admin console updates
- Group-based policy for apps & extensions
Admins can configure app & extension permissions for their organizations using Google groups in addition to organizational units. If you want to install an app for a small number of users–who might belong to different organizational units–you can now add those users to a group instead of moving them into a different organizational unit. Note that apps & extensions policies for groups take precedence over those set for organizational units, so if a user belongs to both a group and an organizational unit where you have a policy set, they follow the permissions set for their group rather than their organizational unit. Also note that you are only able to add users to Google groups at this time. Learn more.
- Configure alerts for extension requests
You can now configure alerts for extension requests by creating reporting or activity Rules. Follow the steps listed in this help center article.
- Browser Details: Installed apps & extensions UX changes
In the Browser Details page, there is an Installed apps & extensions card. When the user clicks on an app, a new page opens up–the App Details page. Previously, an overflow menu allowed admins to take a limited set of actions and now admins can set policy in the App Details page.
Browser Details:
App Details:
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
RendererAppContainerEnabled | User & Browser Settings | Chrome | Security > Renderer App Container |
UnthrottledNestedTimeoutEnabled | User & Browser Settings; Managed Guest Session | Chrome, ChromeOS, Android | Content > Javascript setTimeout() clamping |
ChromeAppsEnabled | Additional App Settings | Chrome | Additional application settings > Extend support for Chrome Apps |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Support for Encrypted Client Hello (ECH)
As early as Chrome 106, Chrome will start rolling out support for ECH on sites that opt-in, as a continuation of our network related efforts to improve our users’ privacy and safety on the web, for example, Secure DNS. There is an enterprise policy available to disable ECH, also available in Chrome 105.
If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it with Chrome 106. If you encounter any incompatibilities, you will be able to use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.
- Changes to chrome.runtime
Chrome 106 will include a change that causes chrome.runtime to no longer be defined unconditionally on all sites. In contexts where there is no connectable extension, websites should never expect chrome.runtime to be defined.
Over the past couple of months, we have taken steps to remove Chrome's legacy U2F security API. This API was implemented in an internal Chrome extension called CryptoToken, which by design was externally connectable from all URLs. The presence of this extension meant that chrome.runtime was effectively always defined on any web origin, because there was always at least one extension to connect to, even if the user installed no other connectable extensions. As part of the U2F removal process, Chrome 106 stops loading CryptoToken by default, which means that chrome.runtime will now be undefined in contexts where there is no other connectable extension.
Websites should never assume that chrome.runtime is defined unconditionally. As a temporary workaround, the effects of this change can be reversed by enabling the chrome://flags/#load-cryptotoken-extension flag or an upcoming enterprise policy named LoadCryptoTokenExtension.
- Persistent quota deprecation launch
In Chrome 106, the window.PERSISTENT quota type in webkitRequestFileSystem will no longer be supported. webkitRequestFileSystem will still accept a type parameter and use of the PERSISTENT and TEMPORARY types will create file systems with separate roots, but the PERSISTENT type will no longer grant access to a persistent file system.
- Chrome will show Journeys on the History page on Android
Chrome 96 started clustering local browsing activity on the History page into Journeys to make it easier to find prior activity and continue it with related search suggestions. This feature will also become available on Android as early as Chrome 106. For keywords typed into the Omnibox that match a cluster, an action chip displays for seamless access to the Journeys view. Users can delete clusters and disable Journeys, if desired. Additionally, admins will have the option to disable this feature using the HistoryClustersVisible policy.
- Incognito lock on Android
Chrome 106 will introduce an option for users on Android 11 and later to require authentication when resuming an Incognito session. The feature will be OFF by default. It can be turned ON using the new Lock Incognito tabs when you leave Chrome toggle under Settings > Privacy & Security. This feature will not be available on managed devices where the IncognitoModeAvailability enterprise policy is set to Disabled.
- Incognito downloads prompt on Android
When a user initiates a download while browsing on an Incognito tab, they will see a new informative prompt. Users have the option to dismiss the prompt or tap Download to go ahead and save the file. Files downloaded on Incognito will continue to be accessible through the download manager.
- Network Service on Windows will be sandboxed
As early as Chrome 107, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Removal of window.webkitStorageInfo
As early as Chrome 107, window.webkitStorageInfo API will be removed. This legacy quota API has been deprecated since 2013, and has been replaced by the now standardized StorageManager API.
- Removal of master_preferences
master_preferences and initial_preferences are ways of setting default preferences for a Chrome install. The historical name of the file is master_preferences, but it was renamed to initial_preferences in Chrome 91. To make the transition easy for IT admins, from Chrome 91 to Chrome 106, naming the file either initial_preferences or master_preferences has the same effect. In Chrome 107, if you name the file master_preferences, it will not work by default. You should rename the file initial_preferences.
Alternatively, you will be able to use the CompatibleInitialPreferences enterprise policy to extend support for the master_preferences naming. This policy is not currently available.
- User-Agent reduction Phase 5
As of Chrome 107, some portions of the User-Agent string will be reduced on desktop. As previously detailed in the Chromium blog, we intend to proceed with Phase 5 of the User-Agent reduction plan. The <platform> and <oscpu> tokens, parts of the User-Agent string, are reduced to the relevant <unifiedPlatform> token values, and will no longer be updated. Additionally, the values for navigator.platform are frozen on desktop platforms (see this Chromium update).
The UserAgentReduction policy will allow for opting out of these changes.
- Automated password changes on Desktop
Chrome 107 will use the Google Assistant to help users change passwords that have been compromised. This reduces friction in updating passwords to help keep users safe. A policy will be available to control the Google Assistant directly, allowing you to enable password leak detection without the Google Assistant assisting in changing passwords.
- Chrome sends Private Network Access preflights for subresources
Chrome 104 started sending a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new Access-Control-Request-Private-Network: true header. In this initial phase, this request is sent, but no response is required from network devices. If no response is received, or it does not carry a matching Access-Control-Allow-Private-Network: true header, a warning is shown in DevTools (more details here).
In Chrome 107 at the earliest, the warnings will turn into errors and affected requests will fail. You can disable Private Network Access checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
If you want to test this feature in advance, you can enable warnings using chrome://flags/#private-network-access-send-preflights. If you want to test how it behaves once warnings turn into errors, you can enable chrome://flags/#private-network-access-respect-preflight-results.
Chrome is making this change to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks. To learn more about mitigating this change proactively, see details on what to do if your site is affected. Read the whole blog post for a more general discussion and latest updates about Private Network Access preflights.
Upcoming ChromeOS changes
- Photos integrations
As early as ChromeOS 106, Chromebook users will get access to enhanced video editing features from Google Photos. The experience is optimized for a larger screen, and will seamlessly integrate with the built-in Gallery app and your Chromebook files – so you can use local images and clips recorded on your Chromebook camera or stored in your Files app to build your movie. While movie editing typically comes with a steep learning curve, the revamped movie creation tools in Google Photos help you make high-quality movies with just a few taps using your video clips and photos. You’ll be able to create beautiful movies from suggested themes, or put yourself in the director's seat and start from scratch, right on your Chromebook.
- Cursive pre-installed for Enterprise and Education accounts
Cursive is a stylus-first notes app for Chromebooks. As early as ChromeOS 106, it will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks.
- Long-press diacritics
The Essential Inputs team is planning to launch improvements to diacritic typing by including a key press functionality that showcases a new accent menu. This accent menu reveals diacritical marks associated with characters when the user presses and holds a key down on key characters with diacritics. Users will then have the option to select and insert a diacritic character or close the menu without selection. Look out for this upcoming feature in ChromeOS 106.
- Fast Pair
Fast Pair makes Bluetooth pairing easier on ChromeOS devices and Android phones. When you turn on your Fast Pair-enabled accessory, it automatically detects and pairs with your ChromeOS device or Android phone in a single tap. Fast Pair also associates your Bluetooth accessory with your Google account, making it incredibly simple to move between devices without missing a beat. This feature will be available as early as ChromeOS 108.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 108, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Chrome 104 increases the nesting threshold for setTimeouts and setIntervals | ✓ | ✓ | |
Chrome sends Private Network Access preflights for subresources | ✓ | ||
Privacy Sandbox updates | ✓ | ||
Improved first run experience on iOS | ✓ | ||
Chrome 104 no longer supports OS X 10.11 and macOS 10.12 | ✓ | ||
Changes in cookie expiration date limit | ✓ | ||
Intent to remove: Legacy Client Hint mode | ✓ | ||
U2F API no longer supported | ✓ | ||
Improved first run experience changes on Windows | ✓ | ||
Calendar integration on iOS | ✓ | ||
HTTPS-First mode for iOS | ✓ | ||
Block iframe contexts navigating to filesystem: URLs | ✓ | ||
Preconnecting on downpressed links | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Chrome OS updates | Security/ Privacy | User productivity/ Apps | Management |
Forced reboot in user session | ✓ | ✓ | |
Smart Lock UX update | ✓ | ||
Monthly Calendar View | ✓ | ||
Close Desk and Windows | ✓ | ||
Notifications UI revamp | ✓ | ✓ | ✓ |
PDF annotating support on Gallery app | ✓ | ||
Play Store Results in Launcher Search | ✓ | ||
Kiosk and Signage solution preview | ✓ | ||
Screen saver photo frame | ✓ | ||
Multiple display support for Chrome Remote Desktop | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
CSV export for the Versions and the Apps and extensions usage reports | ✓ | ||
New Chrome Guides in the Admin console | ✓ | ||
New App Details page | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Launch Renderer AppContainer | ✓ | ✓ | |
Chrome will maintain its own default root store | ✓ | ||
Support for Encrypted Client Hello (ECH) | ✓ | ||
Chrome will show Journeys on the History page on Android | ✓ | ||
Web SQL Deprecation in non-secure contexts | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Chrome sync ends support for Chrome 73 and earlier | ✓ | ✓ | |
Policies on Mac distinguished between user and machine | ✓ | ||
Change to forbidden header names for Fetch | ✓ | ||
Disabling Chrome Variations will no longer disable the Chrome Cleanup Tool | ✓ | ||
Use internal certificate viewer for server certificates on desktop | ✓ | ||
Case-matching on CORS preflight requests | ✓ | ||
MetricsReportingEnabled policy will be available on Android in Chrome | ✓ | ||
Chrome apps no longer supported on Windows, Mac, and Linux | ✓ | ✓ | |
Upcoming Chrome OS changes | Security/ Privacy | User productivity/ Apps | Management |
Adaptive charging to extend battery life | ✓ | ||
Chrome OS Accessibility settings improvements | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ | |
Photos integrations | ✓ | ||
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Long-press diacritics | ✓ |
The enterprise release notes are available in 8 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Chrome 104 increases the nesting threshold for setTimeouts and setIntervals
setTimeout(..., 0) is commonly used to break down long JavaScript tasks and let other internal tasks run, which prevents the browser from hanging. In Chrome 104, some users might see that setTimeouts and setIntervals with an interval < 4ms are not clamped as aggressively as they were before. We have increased the nesting threshold, from 5 to 100, which determines when setTimeout(..., <4ms) calls are clamped. This improves short horizon performance, but websites abusing the API will still eventually have their setTimeouts clamped. A temporary Enterprise policy UnthrottledNestedTimeoutEnabled allows you to control this feature. When the policy is set to Enabled, setTimeouts and setIntervals with an interval smaller than 4ms are not clamped as aggressively.
- Chrome sends Private Network Access preflights for subresources
Chrome 104 sends a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new Access-Control-Request-Private-Network: true header. In this initial phase, this request is sent, but no response is required from network devices. If no response is received, or it does not carry a matching Access-Control-Allow-Private-Network: true header, a warning is shown in DevTools (see here for more details).
In Chrome 107 at the earliest, the warnings will turn into errors and affected requests will fail. You can disable Private Network Access checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
If you want to test this feature in advance, you can enable warnings using chrome://flags/#private-network-access-send-preflights. If you want to test how it behaves once warnings turn into errors, you can enable chrome://flags/#private-network-access-respect-preflight-results.
To learn more about mitigating this change proactively, see details on what to do if your site is affected. Read the whole blog post for a more general discussion about Private Network Access preflights.
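The preflight exchange described here, and in the Chrome 105 "Coming soon" entry on the same change, as an added example that is not code from Chrome or from the release notes. It shows how a server on a private network can answer the preflight and a simplified model of the browser's warning versus error outcome; the origin allow-list, method list and function names are assumptions.

```javascript
// Added example: both sides of a Private Network Access preflight.
// ALLOWED_ORIGINS, ALLOWED_METHODS and all function names are assumptions.
const ALLOWED_ORIGINS = new Set(['https://intranet.example']); // constructed value
const ALLOWED_METHODS = ['GET', 'POST'];

// Header names are case-insensitive, so index them in lower case.
function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Server side: answer a CORS preflight. Returns null when the request is not
// a preflight, so the caller can handle it as a normal request.
function answerPreflight(method, requestHeaders) {
  const h = lowerCaseHeaders(requestHeaders);
  const requestedMethod = h['access-control-request-method'];
  if (method !== 'OPTIONS' || !h.origin || !requestedMethod) return null;

  // Unknown origins and methods get no CORS headers, so the browser refuses.
  if (!ALLOWED_ORIGINS.has(h.origin) || !ALLOWED_METHODS.includes(requestedMethod)) {
    return { status: 403, headers: {} };
  }
  const headers = {
    'Access-Control-Allow-Origin': h.origin,
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Vary': 'Origin',
  };
  // Grant private network access only when the browser explicitly asked.
  if (h['access-control-request-private-network'] === 'true') {
    headers['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers };
}

// Browser side, reduced to the private-network part of the check.
// response === null models "no response received"; enforce === false is the
// warning-only phase, enforce === true is the phase where requests fail.
function privateNetworkOutcome(response, enforce) {
  const h = response ? lowerCaseHeaders(response.headers) : {};
  const granted = Boolean(response) &&
      response.status >= 200 && response.status < 300 &&
      h['access-control-allow-private-network'] === 'true';
  if (granted) return 'allowed';
  return enforce ? 'blocked' : 'warning';
}

// Constructed preflight, as a public page fetching a subresource would trigger.
const samplePreflight = {
  'Origin': 'https://intranet.example',
  'Access-Control-Request-Method': 'GET',
  'Access-Control-Request-Private-Network': 'true',
};
// A device that predates the change: valid CORS reply, no private-network header.
const legacyReply = {
  status: 204,
  headers: { 'Access-Control-Allow-Origin': 'https://intranet.example' },
};

const updatedReply = answerPreflight('OPTIONS', samplePreflight);
console.log('updated device, enforced:', privateNetworkOutcome(updatedReply, true));
console.log('legacy device, warning phase:', privateNetworkOutcome(legacyReply, false));
console.log('legacy device, enforced:', privateNetworkOutcome(legacyReply, true));
console.log('no response, enforced:', privateNetworkOutcome(null, true));
```

Running the same check with `enforce` set to `true` against the replies your internal devices actually send shows which of them will break once the warnings become errors.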
- Privacy Sandbox updates
The Privacy Sandbox release in Chrome 104 provides controls for the new Topics & Interest Group APIs. It also introduces a one-time dialog that explains Privacy Sandbox to users and allows them to manage their preferences. Guest users or managed EDU users do not see this dialog.
Some users may see this opt-in consent dialog:
Other users may see this dialog:
Admins can prevent the dialog from appearing for their managed users by controlling third party cookies explicitly via policy:
- To allow third-party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to disabled.
- To disallow third-party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to enabled. This might cause some sites to stop working.
- Improved first run experience on iOS
In Chrome 104, some users might see a new onboarding experience with fewer steps and a more intuitive way to sign into Chrome. Enterprise policies, like BrowserSignin, SyncDisabled, SyncTypesListDisabled and MetricsReportingEnabled, to control whether the user can sign into Chrome and other aspects of the onboarding experience continue to be available as before.
- Chrome 104 no longer supports OS X 10.11 and macOS 10.12
Chrome 104 no longer supports OS X 10.11 and macOS 10.12, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security.
- Changes in cookie expiration date limit
Beginning with Chrome 104, any newly set or refreshed cookies have their expiration date limited to no more than 400 days in the future. Cookies which request expiration dates after 400 days in the future can still be set, but their expiration is adjusted down to 400 days. Existing cookies retain their prior expiration date (even if it was more than 400 days in the future), but refreshing them causes the cap to be enforced.
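To check which of your application's cookies are affected by the cap, the following added example (not from the release notes or from Chrome) parses a Set-Cookie value and computes the expiry the browser would keep. The function name and the sample cookies are constructed; giving Max-Age precedence over Expires follows the standard cookie rules rather than anything stated on this page.

```javascript
// Added example: effect of the 400-day cap on a Set-Cookie header value.
// effectiveExpiry is a hypothetical helper; sample cookies are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;
const CAP_MS = 400 * DAY_MS;

// nowMs is the time the cookie is set or refreshed, in milliseconds since the epoch.
function effectiveExpiry(setCookie, nowMs) {
  const [pair, ...attributes] = setCookie.split(';');
  const name = pair.split('=')[0].trim();
  let maxAgeSeconds = null;
  let expiresMs = null;
  for (const attribute of attributes) {
    const eq = attribute.indexOf('=');
    const key = (eq === -1 ? attribute : attribute.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : attribute.slice(eq + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(value)) {
      maxAgeSeconds = Number(value);
    } else if (key === 'expires' && !Number.isNaN(Date.parse(value))) {
      expiresMs = Date.parse(value);
    }
  }
  // Max-Age takes precedence over Expires when both are present.
  let requested;
  if (maxAgeSeconds !== null) {
    requested = nowMs + maxAgeSeconds * 1000;
  } else if (expiresMs !== null) {
    requested = expiresMs;
  } else {
    // No expiry attribute: a session cookie, which the cap does not touch.
    return { name, session: true, requested: null, effective: null, capped: false };
  }
  const limit = nowMs + CAP_MS;
  return {
    name,
    session: false,
    requested,
    effective: Math.min(requested, limit),
    capped: requested > limit,
  };
}

// Constructed samples, evaluated as if set on 2 August 2022 (UTC).
const sampleNow = Date.UTC(2022, 7, 2);
const sampleCookies = [
  'sid=abc; Max-Age=63072000; Secure',                      // two years
  'pref=1; Expires=Thu, 01 Dec 2022 00:00:00 GMT',          // under the cap
  'a=b; Expires=Fri, 01 Jan 2100 00:00:00 GMT; Max-Age=3600',
  'theme=dark; Path=/',                                      // session cookie
];
for (const cookie of sampleCookies) {
  const r = effectiveExpiry(cookie, sampleNow);
  const when = r.session ? 'session' : new Date(r.effective).toISOString();
  console.log(`${r.name}: ${when}${r.capped ? ' (capped to 400 days)' : ''}`);
}
```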
- Intent to remove: Legacy Client Hint mode
In Chrome 104, the Client Hints dpr, width, viewport-width, and device-memory are no longer delegated to all third party frames and subresources by default on Android. The Android behavior now replicates that of all other platforms, which is to only delegate to the first party frame and subresources by default.
- U2F API no longer supported
The U2F API for interacting with USB security keys has been disabled by default since Chrome 98. Websites are advised to migrate to the Web Authentication API. Chrome 104 removes the U2fSecurityKeyApiEnabled enterprise policy for temporarily re-enabling this API. The U2FSecurityKeyAPI origin trial, which lets websites re-enable U2F, will end July 26, 2022. We are offering existing trial participants that have not yet fully migrated to WebAuthn an extension of the trial until September 20, 2022. If you are an existing origin trial participant and would like to extend your trial tokens beyond the July 26 deadline, please get in touch with our team. The U2F API will be fully removed in Chrome 106.
- Improved first run experience changes on Windows
In Chrome 104 on Windows, some users might see a different sequence of onboarding steps in the chrome://welcome tab that is opened when Chrome is launched for the first time. Admins can use existing Enterprise policies such as BrowserSignin, PromotionalTabsEnabled, SyncDisabled to control the onboarding process.
- HTTPS-First mode for iOS
Beginning with Chrome 104, HTTPS-First mode is available on iOS. This feature allows users to opt-in to a fully default HTTPS experience, via Chrome Settings. In this mode, Chrome attempts to upgrade all navigations to HTTPS. Sites that only support HTTP display an interstitial.
The HttpsOnlyMode policy will be available in Chrome 105. This policy will allow enterprises to disable the HTTPS-First mode feature.
- Block iframe contexts navigating to filesystem: URLs
Beginning in Chrome 104, as part of the Storage Partitioning effort, iframes are no longer allowed to navigate to a filesystem:// URL. This matches the existing behavior of forbidding top-level frame navigation to filesystem://.
As a possible workaround for sites relying on this pattern, a blob: URL can be created from a filesystem:// URL. For example:
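// filesystem: URL that the iframe previously navigated to directly.
let url = 'filesystem:example_resource';
// Resolve it to a FileEntry, read the File, and expose it through a blob: URL.
window.webkitResolveLocalFileSystemURL(url, fileEntry => {
  fileEntry.file(file => {
    let blob_url = URL.createObjectURL(file);
    // `iframe` is the target <iframe> element, obtained elsewhere on the page.
    iframe.src = blob_url;
  });
});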
- Preconnecting on downpressed links
To increase page loading performance, for some users, Chrome 104 preconnects to the target of a link as soon as the user presses on the link without waiting for the user to lift their finger up or for JavaScript to execute. You can disable this behavior using the NetworkPredictionOptions policy.
Chrome OS updates
- Smart Lock UX update
Starting in Chrome 104, Smart Lock, which allows users to unlock their Chromebook using their connected Android phone, is faster than ever, with greater performance, reliability, and an overhauled design. To get started, navigate to Chrome OS Settings > Connected devices, select your Android phone, and enable Smart Lock.
- PDF annotating support on Gallery app
The Gallery app, a built-in media app on Chromebook, now supports PDF annotating. Besides viewing a PDF, you can highlight text, fill out forms, add text or freeform annotation in the app. And with free hand annotation, you can add your signature to a document, then easily share the PDF through the app.
- Kiosk and Signage solution preview
We're excited to announce the preview of the new end-to-end solution focused on ChromeOS for kiosks and digital signage. This solution includes a kiosk specific enrollment flow, license management, and user experience. This solution is offered with a new license, Kiosk and Signage Upgrade, for $25 annually.
- Screen saver photo frame
We are excited to announce a new screen saver feature within personalization settings that allows users to view their personal photos and curated images when their devices are idle. You can choose albums from Google Photos or curated artwork to display on your screen when screen saver is enabled.
- New Chrome Guides in the Admin console
Chrome 104 introduces the new Chrome Guides which help IT administrators discover and set common management features for Chrome browser and ChromeOS. For example, the feature provides a series of guides to enroll browsers and devices, set policies and view reports.
- New App Details page
Chrome 104 introduces a new App Details page that gives admins more information when they click on an app in the Apps and extension usage report. Learn more in the help center.
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Launch Renderer AppContainer
As early as Chrome 105, a further sandbox security mitigation will be applied to renderer processes. They will be additionally placed inside an App Container on top of the existing sandbox. This prevents malicious code from having any network privileges by subverting kernel APIs from within the renderer process.
While we do not expect any incompatibilities with this new mitigation, some security products might react adversely to this. A new policy RendererAppContainerEnabled has been added to allow selective disabling of this security mitigation for a limited time while these issues are resolved. This policy can be set to Disabled to force disable the mitigation, otherwise it will be enabled by default.
- Chrome will maintain its own default root store
As early as Chrome 105, to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store and built-in certificate verifier. Chrome will continue to use custom local roots installed to the operating system’s trust store. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet. See our article about the Chrome Root Program for more information. A new policy ChromeRootStoreEnabled will allow selective disabling of the Chrome Root Store in favor of the platform root store for a limited time. This policy can be set to Disabled to force the use of the platform root store, otherwise it will be enabled by default.
- Support for Encrypted Client Hello (ECH)
As early as Chrome 105, Chrome will start rolling out ECH as a continuation of our network related efforts, for example, Secure DNS, to improve our users’ privacy and safety on the web. While the feature is under development, there will be an enterprise policy available to disable the feature, also available in Chrome 105.
If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it with Chrome 105. If you encounter any incompatibilities, you will be able to use the EncryptedClientHelloEnabled enterprise policy to revert to the previous behavior.
- Chrome will show Journeys on the History page on Android
Chrome 96 started clustering local browsing activity on the History page into Journeys to make it easier to find prior activity and continue it with related search suggestions. This feature will also become available on Android as early as Chrome 105. For keywords typed into the Omnibox that match a cluster, an action chip displays for seamless access to the Journeys view. Users can delete clusters and disable Journeys, if desired. Additionally, admins will have the option to disable this feature using the HistoryClustersVisible policy.
- Web SQL deprecation in non-secure contexts
Starting Chrome 105, Web SQL API will be deprecated for non-secure contexts with the aim to fully deprecate and remove the API from Chrome in the future. For non-secure contexts, the API is planned to be disabled in Chrome 107.
An enterprise policy, WebSQLNonSecureContextEnabled, will be available between Chrome 105 and Chrome 110 to allow Web SQL API to function in non-secure contexts if needed.
- Network Service on Windows will be sandboxed
As early as Chrome 105, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Policies on Mac distinguished between user and machine
Chrome 105 on Mac adheres to the same policy precedence as other platforms. As of 105, machine-level policies, for example, those set via CBCM token management, will take precedence over user-level policies. Previously, all policies were set as machine-level, regardless of their origin. If this change has any unexpected effects on your users, you can temporarily use the PolicyScopeDetection enterprise policy to revert to the previous behavior.
- Change to forbidden header names for Fetch
Set-Cookie headers are semantically response headers, so they cannot just be combined and require more complex handling in the Headers object. Starting with Chrome 105, the Set-Cookie header will be forbidden as a request header to avoid leaking this complexity into requests, as it is not useful for requests anyway. You can read more about this change here.
- Disabling Chrome Variations will no longer disable the Chrome Cleanup Tool
Starting in Chrome 105, turning off variations will no longer affect whether the Chrome Cleanup Tool runs. This means that enterprises that already have Chrome Variations turned off may notice that the Chrome Cleanup Tool starts running once per week in Chrome 105 on Windows.
You can still disable it by setting the Enterprise policy ChromeCleanupEnabled to Disabled.
- Use internal certificate viewer for server certificates on desktop
In Chrome 105 on Mac and Windows, the certificate viewer accessed from the page info bubble will switch from using the platform provided viewer to one that is provided by Chrome. The Chrome certificate viewer is already used on Linux and ChromeOS.
- Case-matching on CORS preflight requests
Currently Chrome uppercases request methods when matching with Access-Control-Allow-Methods response headers in CORS preflight. Chrome 106 will not uppercase request methods, except for DELETE, GET, HEAD, OPTIONS, POST, and PUT (all case-insensitive). So, Chrome 104 will require exact case-sensitive matching. An enterprise policy will be available to maintain temporary compatibility with existing non-compliant solutions.
Previously accepted, but rejected in Chrome 106:
Request: fetch(url, {method: 'Foo'})
Response Header: Access-Control-Allow-Methods: FOO
Previously rejected, but accepted in Chrome 106:
Request: fetch(url, {method: 'Foo'})
Response Header: Access-Control-Allow-Methods: Foo
Note: post and put are not affected because they are in https://fetch.spec.whatwg.org/#concept-method-normalize, while patch is affected.
- MetricsReportingEnabled policy will be available on Android in Chrome
As early as Chrome 106, Chrome-on-Android will slightly modify the first run experience to support the MetricsReportingEnabled policy. If the admin disables metrics reporting, there will be no change to the first run experience. If the admin enables metrics, users will still be able to change the setting in Chrome settings. When enabled, the MetricsReportingEnabled policy allows anonymous reporting of usage and crash-related data about Chrome to Google.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 109 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
If you're force-installing any Chrome apps, starting Chrome 105, users will be shown a message stating that the app is no longer supported. The installed Chrome Apps will still be launchable.
As early as Chrome 109, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list and, if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property | Extension ID (Chrome App) | install_url (PWA / Web App) |
---|---|---|
Gmail | pjkljhegncpnkpknbcohdijeoejaedia | https://mail.google.com/mail/installwebapp?usp=admin |
Docs | aohghmighlieiainnegkcijnfilokake | https://docs.google.com/document/installwebapp?usp=admin |
Drive | apdfllckaahabafndbhieahigkjlhalf | https://drive.google.com/drive/installwebapp?usp=admin |
Sheets | felcaaldnbdncclmgdcncolpebgiejap | https://docs.google.com/spreadsheets/installwebapp?usp=admin |
Slides | aapocclcgogkmnckokdopfmhonfmgoek | https://docs.google.com/presentation/installwebapp?usp=admin |
YouTube | blpcfgokakmgnkcojhhkbfbldkacnbeo | https://www.youtube.com/s/notifications/manifest/cr_install.html |
Upcoming Chrome OS changes
- Adaptive charging to extend battery life
As early as Chrome 105, adaptive charging will help to extend your battery’s lifespan by understanding how you use your device and optimizing charging accordingly. This new feature will analyze your device usage patterns and keep your battery working in the optimal charge range to avoid overcharging thereby delaying battery deterioration.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting with Chrome 106, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
- Photos integrations
As early as Chrome 106, Chromebook users will get access to enhanced video editing features from Google Photos. The experience is optimized for a larger screen, and will seamlessly integrate with the built-in Gallery app and your Chromebook files – so you can use local images and clips recorded on your Chromebook camera or stored in your Files app to build your movie. While movie editing typically comes with a steep learning curve, Google Photos’ revamped movie creation tools help you make high-quality movies with just a few taps using your video clips and photos. You’ll be able to create beautiful movies from suggested themes, or put yourself in the director's seat and start from scratch, right on your Chromebook.
- Cursive pre-installed for Enterprise and Education accounts
As early as Chrome 106, Cursive will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks. Cursive is a stylus-first notes app for Chromebooks.
- Long-press diacritics
The Essential Inputs team is planning to launch improvements to diacritic typing by including a key press functionality that showcases a new accent menu. This accent menu reveals diacritical marks associated with characters when the user presses and holds a key down on key characters with diacritics. Users will then have the option to select and insert a diacritic character or close the menu without selection. Look out for this upcoming feature in Chrome 106.
Chrome browser updates | Security | User productivity/ Apps | Management |
---|---|---|---|
Private extensions using Manifest V2 no longer accepted in the Chrome Web Store in June 2022 | ✓ | ||
Chrome on Windows uses built-in DNS client by default | ✓ | ||
Release of Speculation Rules API for prerender on Android | ✓ | ||
Local Fonts Access API | ✓ | ||
Unified password manager on Android | ✓ | ✓ | |
Chrome Actions on iOS | ✓ | ||
Improved credit and debit card Autofill | ✓ | ||
Removing LockIconInAddressBarEnabled policy | ✓ | ||
Enhanced Safe Browsing on iOS | ✓ | ||
Reporting Connector | ✓ | ||
Profile Separation Dialog rolled back | ✓ | ||
Thank With Google Android integration | ✓ | ||
HTTPS Key Pinning enforcement enabled on Android | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Chrome OS updates | Security | User productivity/ Apps | Management |
New built-in Screencast app for Chrome OS | ✓ | ||
Fast Pair makes Bluetooth pairing easier | ✓ | ||
Receive Wi-Fi credentials with Nearby Share | ✓ | ||
Phone Hub camera roll | ✓ | ||
Split sync settings on Chrome OS into Browser and OS categories | ✓ | ||
Launcher (Search) redesign: Open Tab and Shortcut search | ✓ | ||
Block accounts becoming secondary accounts | ✓ | ✓ | |
Admin console updates | Security | User productivity/ Apps | Management |
Customize icon and name of managed websites | ✓ | ✓ | |
Pin Chrome app updates in Kiosk | ✓ | ||
Updates to the Chrome Management Telemetry API | ✓ | ||
Remote eSIM provisioning and management | ✓ | ✓ | |
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security | User productivity/ Apps | Management |
Increase the nesting threshold before which setTimeout(..., <4ms) start being clamped, from 5 to 100. | ✓ | ||
Chrome will send Private Network Access preflights for subresources | ✓ | ||
Privacy Sandbox updates | ✓ | ||
Case-matching on CORS preflight requests | ✓ | ||
Improved first run experience on iOS | ✓ | ||
Extended support for Legacy Same Site Cookie Behavior policy | ✓ | ||
Chrome 104 will no longer support OS X 10.11 and macOS 10.12 | ✓ | ||
Changes in cookie expiration date limit | ✓ | ||
Chrome will show Journeys on the History page on Android | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
U2F API no longer supported as early as Chrome 104 | ✓ | ||
Chrome apps no longer supported on Windows, Mac, and Linux as early as Chrome 106 | ✓ | ✓ | |
Launch Renderer AppContainer | ✓ | ✓ | |
Intent to Remove: Legacy Client Hint Mode | ✓ | ||
Chrome sync will end support for Chrome 73 and earlier | ✓ | ✓ | |
MetricsReportingEnabled policy will be available on Android in Chrome | ✓ | ||
Upcoming Chrome OS changes | Security | User productivity/ Apps | Management |
Forced reboot in user session | ✓ | ||
PDF annotating support on Gallery app | ✓ | ||
Smart Lock UX update | ✓ | ||
Upcoming Admin console changes | Security | User productivity/ Apps | Management |
New CSV export for some Chrome Admin console reports in Chrome 104 | ✓ | ✓ | |
New App Details page in Chrome 104 | ✓ |
Chrome browser updates
- Private extensions using Manifest V2 no longer accepted in the Chrome Web Store in June 2022
As part of the gradual deprecation of Manifest V2, the Chrome Web Store stopped accepting submissions of new Public or Unlisted Manifest V2 extensions after January 17, 2022. On June 29, 2022, Chrome also applies this restriction to new extensions with Private visibility, which may have a more significant impact on Enterprise extension workflows. Extensions which are already submitted may continue to be updated until January 2023.
For more details, refer to the Manifest V2 support timeline.
- Chrome on Windows uses Chrome's built-in DNS client by default
The built-in DNS client is enabled by default on macOS, Android and Chrome OS. Chrome on Windows now also uses the built-in DNS client by default. Enterprises can opt out by setting BuiltInDnsClientEnabled policy to Disabled.
- Release of Speculation Rules API for prerender on Android
Expanding our prerender efforts released in Chrome 101, we now ship the Speculation Rules API for Android in Chrome 103. This API allows web authors to suggest to Chrome which pages the user is very likely to navigate to next. Chrome takes these hints into account when deciding whether to prerender a particular URL before the user navigates to it, aiming to offer an instant navigation. An enterprise policy, NetworkPredictionOptions, is available to block all prerendering activity, which results in Chrome ignoring the hints provided using this API. See our article on speculative prerendering for more information.
- Local Fonts Access API
Users of design applications often want to use fonts present on their local device. The Local Fonts Access API gives web applications the ability to enumerate local fonts and some metadata about each. This API also gives web applications access to the font data as a binary blob, allowing those fonts to be rendered within their applications using custom text stacks. The enterprise policies applicable to this feature are DefaultLocalFontsSetting, LocalFontsAllowedForUrls and LocalFontsBlockedForUrls.
- Chrome Actions on iOS
Chrome Actions help users get things done fast, directly from the address bar. We first released Chrome Actions on desktop a couple of years ago, with Actions like Clear browsing data. In Chrome 103, we bring some of them to Chrome on iOS, like:
- Manage Passwords
- Open Incognito Tab
- Clear Browsing Data
- And more!
Chrome on iOS allows users to take actions directly from the address bar, like clearing browsing data, using a button that appears among auto-complete suggestions. This feature is already available on desktop platforms. For more details about Chrome Actions, see this article in the Help Center.
- Improved credit and debit card Autofill
Over the course of Chrome 103, credit and debit card Autofill will start supporting cloud-based upload via Google Pay, enabling Autofill for your cards across all your Chrome devices. You can control credit card autofill with the AutofillCreditCardEnabled enterprise policy.
- Removing LockIconInAddressBarEnabled policy
Chrome 94 launched an experiment to replace the lock icon as the connection security indicator. The LockIconInAddressBarEnabled policy was added to allow organizations to continue to show the lock icon during the experiment. The experiment is no longer active, so the policy is no longer available in Chrome 103.
- Enhanced Safe Browsing on iOS
To match Safe Browsing functionality from other platforms, we now add functionality so that a user on iOS can choose what type of Safe Browsing protection they would like. Where an enterprise controls this setting, the enterprise is allowed to set the level of Safe Browsing protection, and users under the enterprise are not allowed to change the preference. An enterprise policy SafeBrowsingProtectionLevel is available to control Safe Browsing and the mode it operates in.
- Reporting Connector
For Security Insights and Reporting, Chrome browser reporting integrations afford IT teams added visibility into security events across Google Workspace and Cloud products and leading partner solutions. For example, the Splunk Cloud Platform integration (New) gives IT teams actionable insights into potentially risky events like navigating to a malicious site, downloading malware, and reusing corporate passwords. Palo Alto Networks and CrowdStrike integrations will be available through our Chrome Enterprise Trusted Tester Program soon.
- Profile Separation Dialog rolled back
The previous release of Chrome introduced a dialog to users when they signed in to a managed account from an unmanaged profile. By default, Chrome would create a new profile for the managed account. This change was surprising to some users and their admins, and it has been removed by default in Chrome 103. If you want to keep it, you can still configure Chrome to show the dialog using the Managed Accounts Sign Restriction enterprise policy.
The goal of this feature is to improve data separation between personal and enterprise data. Chrome intends to continue making changes to achieve this goal. Future changes will be communicated in the release notes with enterprise controls.
- HTTPS Key Pinning enforcement enabled on Android
For a small set of opt-in domains, including Google properties, Chrome enforces that the HTTPS certificate is issued by the expected CA. This process is known as key pinning. The set of expected issuer keys is the pin set. Key pinning has been enabled on desktop since 2014 and earlier, and is now enabled on Android. Key pinning is bypassed when the HTTPS connection to a pinned site verifies through a locally installed root certificate, such as those used by DLP and TLS interception products. This behavior already exists on desktop, and is being extended to Android. Enterprises that proxy traffic through a private root should see no change in behavior.
- New and updated policies in Chrome browser
Policy
Description
Setting the policy to “2” blocks sites from using the clipboard site permission. Setting the policy to “3” or leaving it unset lets the user change the setting and decide if the clipboard APIs are available when a site wants to use one.
Setting the policy lets you set a list of URL patterns that specify sites that can use the clipboard site permission.
Setting the policy lets you set a list of URL patterns that specify sites that can't use the clipboard site permission.
This policy specifies how long (in seconds) a cast device that was previously selected via an access code or QR code can be seen within the Google Cast menu of cast devices.
Setting the policy to BlockLocalFonts (value 2) automatically denies the local fonts permission to sites by default. This will limit the ability of sites to see information about local fonts.
Sets a list of site URL patterns that specify sites which will automatically grant the local fonts permission. This will extend the ability of sites to see information about local fonts.
Sets a list of site URL patterns that specify sites which will automatically deny the local fonts permission. This will limit the ability of sites to see information about local fonts.
Chrome OS updates
- New built-in Screencast app for Chrome OS
Screencast is a new app built into Chrome OS to record, share, and watch engaging demos and lessons. It uses speech-to-text tools built into your Chromebook to automatically transcribe your narration into text to navigate and search the video, translate, and trim your recordings - no editing/rendering required. You can even draw or write on your screen as you record using a mouse, touchscreen, or stylus to diagram or highlight key concepts. With Screencast, anyone can create their own library of recorded screencasts, automatically uploaded to Google Drive. Learn more. See Screencast in action.
- Fast Pair makes Bluetooth pairing easier
Fast Pair makes Bluetooth pairing easier on Chrome OS devices and Android phones. When you turn on your Fast Pair-enabled accessory (like Pixel Buds), it automatically detects and pairs with your Chrome OS device in a single tap. Fast Pair also associates your Bluetooth accessory with your Google account, making it incredibly simple to move between your Chrome OS and Android devices.
- Receive Wi-Fi credentials with Nearby Share
Nearby Share on Chrome OS now supports receiving Wi-Fi credentials from Android devices. To get started, navigate to the Wi-Fi detail page on Android, tap the share icon, then Nearby Share - here, any Chromebook or Android phone discovered nearby that you select is offered the Wi-Fi network credentials, and automatically joins that network thereafter.
- Phone Hub camera roll
Phone Hub now provides access to your phone's most recent photos, right from the Chrome OS desktop. To use this feature, look for the phone icon in your system tray - if you need to grant any permissions, you will be prompted to do so, after which your most recent photos will automatically appear in Phone Hub, ready for use in docs, emails, and so on.
- Split sync settings on Chrome OS into Browser and OS categories
OS sync preferences are now distinct from browser sync preferences, so browser-specific sync data types (like Bookmarks) are no longer shown in the OS settings, while OS-specific data types like Apps and Wallpaper are moved to the OS settings. Also, browser-specific toggles have been removed from the Sync and Google services page in OS settings.
- Launcher (Search) redesign: Open Tab and Shortcut search
Users can now search through their open tabs and device shortcuts using the new Launcher. Launcher is accessible via the Search button on the keyboard or by clicking the dot on the bottom left of the screen. Stay tuned as we will continue to add new capabilities to Launcher search.
- Block accounts becoming secondary accounts
SecondaryGoogleAccountUsage is a new policy that enables administrators to prevent managed accounts becoming secondary accounts, even if multiple user sign-ins are allowed.
Admin console updates
- Updates to the Chrome Management Telemetry API
We have enriched the Chrome Management Telemetry API (documentation) with additional fields. These include additional audio telemetry information, for example, microphone mute status, volume level status, device name for connected input/output devices. It also includes network information, for example, transmission/receiving bit rates, MEID/IMEI/ICCID/MDM info for cellular devices. In addition, for devices with 12th Generation Intel vPro processors the Chrome Management Telemetry API can now report Total Memory Encryption state, Key Locker configuration status and Thunderbolt security info.
- Remote eSIM provisioning and management
Admins now have the ability to remotely activate an eSIM cellular connection and manage it at scale. Previously, admins had to manually set up an eSIM profile on each individual device with a QR code. In addition to scaled activation of cellular connections, admins can force the use of only managed cellular profiles and remotely clear eSIM profiles on compatible LTE devices.
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
PolicyListMultipleSourceMergeList | User & Browser Settings | Chrome, Android | Setting sources > PolicyMergelist |
PolicyDictionaryMultipleSourceMergeList | User & Browser Settings | Chrome, Android | Setting sources > PolicyMergelist |
CloudReportingUploadFrequency | User & Browser Settings | Chrome, ChromeOS, Android, iOS | User reporting > Frequency of browser status reporting |
 | User & Browser Settings | ChromeOS | Power and shutdown > Adaptive charging model |
SystemTerminalSshAllowed | User & Browser Settings | ChromeOS | Virtual machines (VMs) and developers > SSH in terminal system app |
DownloadBubbleEnabled | User & Browser Settings; Managed Guest Session | Chrome, ChromeOS | User experience > Download bubble |
 | User & Browser Settings; Managed Guest Session | Chrome, ChromeOS, Android | User experience > URL parameter filtering |
 | User & Browser Settings | ChromeOS | Sign-in settings -> Add restriction on a managed account's usage as a secondary account on Chrome OS |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Increase the nesting threshold before which setTimeout(..., <4ms) start being clamped, from 5 to 100.
setTimeout(..., 0) is commonly used to break down long JavaScript tasks and let other internal tasks run, which prevents the browser from hanging. setTimeouts and setIntervals with an interval < 4ms are not clamped as aggressively as they were before. This improves short horizon performance, but websites abusing the API will still eventually have their setTimeouts clamped. A temporary Enterprise policy UnthrottledNestedTimeoutEnabled will be available to control this feature. When the policy is set to Enabled, setTimeouts and setIntervals with an interval smaller than 4ms are not clamped as aggressively.
- Chrome will send Private Network Access preflights for subresources
In Chrome 104 at the earliest, Chrome will send a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new `Access-Control-Request-Private-Network: true` header. In this initial phase, this request is sent, but no response is required from network devices. If no response is received, or it does not carry a matching `Access-Control-Allow-Private-Network: true` header, a warning is shown in DevTools (more details here).
In Chrome 107 at the earliest, the warnings will turn into errors and affected requests will fail. You can disable Private Network Access checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
If you want to test this feature in advance, you can enable warnings using chrome://flags/#private-network-access-send-preflights. If you want to test how it behaves once warnings turn into errors, you can enable chrome://flags/#private-network-access-respect-preflight-results.
To learn more about mitigating this change proactively, see details on what to do if your site is affected. Read the whole blog post for a more general discussion about Private Network Access preflights.
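The preflight exchange described above, as an added example that is not part of the original release notes: a pure function an intranet service could use to answer the preflight, plus a small model of the warning and error phases. The origin allowlist, the allowed methods and all function names are assumptions made for illustration.

```javascript
// Added example, not Chrome or Google code. Origins and names are constructed.
const ALLOWED_ORIGINS = new Set(['https://portal.example.com']);
const ALLOWED_METHODS = ['GET', 'POST'];

// Header lookup that tolerates any header-name casing.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Decide how to answer a request that may be a Private Network Access
// preflight. Returns { status: null } when the request is not a preflight
// and should go to normal routing.
function answerPreflight(req, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = getHeader(req.headers, 'Origin');
  const requestedMethod = getHeader(req.headers, 'Access-Control-Request-Method');
  if (req.method !== 'OPTIONS' || !origin || !requestedMethod) {
    return { status: null, headers: {} };
  }
  // Unknown origins get no CORS headers at all, so the browser refuses them.
  if (!allowedOrigins.has(origin)) {
    return { status: 403, headers: {} };
  }
  const headers = {
    'Access-Control-Allow-Origin': origin, // echo only allowlisted origins
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Vary': 'Origin',
  };
  // Grant private network access only when the browser asked for it.
  if (getHeader(req.headers, 'Access-Control-Request-Private-Network') === 'true') {
    headers['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers };
}

// Model of the rollout described above: a missing response or missing header
// is a DevTools warning in the first phase and a failed request once the
// warnings turn into errors. `response` is null when nothing answered.
function pnaOutcome(response, phase) {
  const granted = response !== null &&
    getHeader(response.headers, 'Access-Control-Allow-Private-Network') === 'true';
  if (granted) return 'allowed';
  return phase === 'enforce' ? 'blocked' : 'warning';
}

// Constructed sample preflight, as a public page would trigger it.
const SAMPLE_PREFLIGHT = {
  method: 'OPTIONS',
  headers: {
    'origin': 'https://portal.example.com',
    'access-control-request-method': 'GET',
    'access-control-request-private-network': 'true',
  },
};
```

Services that never answer OPTIONS requests fall into the `pnaOutcome(null, ...)` case, which is the one to look for when testing with the flags mentioned above.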
- Privacy Sandbox updates
The Privacy Sandbox release in Chrome 104 will provide controls for the new Topics & Interest Group APIs. It will also introduce a one-time dialog that explains Privacy Sandbox to users and allows them to manage their preferences. This dialog is not shown for Guest users or managed EDU users.
Admins can prevent the dialog from appearing for their managed users by controlling third party cookies explicitly via policy:
- To allow third-party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to disabled
- To disallow third-party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to enabled. This might cause some sites to stop working.
- Case-matching on CORS preflight requests
Currently Chrome uppercases request methods when matching with Access-Control-Allow-Methods response headers in CORS preflight. Chrome 104 will not uppercase request methods, except for DELETE, GET, HEAD, OPTIONS, POST, and PUT (all case-insensitive). So, Chrome 104 will require exact case-sensitive matching.
Previously accepted, but rejected in Chrome 104:
Request: fetch(url, {method: 'Foo'})
Response Header: Access-Control-Allow-Methods: FOO
Previously rejected, but accepted in Chrome 104:
Request: fetch(url, {method: 'Foo'})
Response Header: Access-Control-Allow-Methods: Foo
Note: post and put are not affected because they are in https://fetch.spec.whatwg.org/#concept-method-normalize, while patch is affected.
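Both "Case-matching on CORS preflight requests" entries on this page describe the same comparison. The sketch below is an added example, not Chrome source code, that models the old and new matching rules so you can audit which method and Access-Control-Allow-Methods pairs in your own services change outcome. Function names and the sample pairs are constructed for illustration.

```javascript
// Added example, not Chrome source. It models only the method comparison
// described above and ignores the `*` wildcard and CORS-safelisted methods.

// Methods the Fetch standard normalizes to uppercase, whatever their casing.
const NORMALIZED_METHODS = new Set(['DELETE', 'GET', 'HEAD', 'OPTIONS', 'POST', 'PUT']);

// Fetch "normalize a method": only the six methods above are uppercased.
function normalizeMethod(method) {
  const upper = method.toUpperCase();
  return NORMALIZED_METHODS.has(upper) ? upper : method;
}

// Split an Access-Control-Allow-Methods value into its tokens.
function parseAllowMethods(headerValue) {
  return headerValue
    .split(',')
    .map((token) => token.trim())
    .filter((token) => token.length > 0);
}

// Old behaviour: uppercase every request method, then compare exactly.
function legacyMatch(method, headerValue) {
  return parseAllowMethods(headerValue).includes(method.toUpperCase());
}

// New behaviour: normalize per Fetch, then compare case-sensitively.
function strictMatch(method, headerValue) {
  return parseAllowMethods(headerValue).includes(normalizeMethod(method));
}

// Report which (request method, response header) pairs change outcome.
function auditPreflight(pairs) {
  return pairs.map(({ method, allowMethods }) => {
    const before = legacyMatch(method, allowMethods);
    const after = strictMatch(method, allowMethods);
    let verdict = 'unchanged';
    if (before && !after) verdict = 'BREAKS';
    else if (!before && after) verdict = 'now accepted';
    return { method, allowMethods, before, after, verdict };
  });
}

// Constructed sample: the first two rows are the page's own examples.
const SAMPLE_PAIRS = [
  { method: 'Foo', allowMethods: 'FOO' },
  { method: 'Foo', allowMethods: 'Foo' },
  { method: 'patch', allowMethods: 'GET, PATCH' },
  { method: 'put', allowMethods: 'PUT' },
  { method: 'PATCH', allowMethods: 'GET, PATCH' },
];
```

Rows reported as BREAKS are the ones to fix, either by sending the method in the casing the server advertises or by correcting the response header.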
- Improved first run experience on iOS
In Chrome 104, some users might see a new onboarding experience with fewer steps and a more intuitive way to sign into Chrome. Enterprise policies, like BrowserSignin, SyncDisabled, SyncTypesListDisabled and MetricsReportingEnabled, to control whether the user can sign into Chrome and other aspects of the onboarding experience will continue to be available as before.
- Extended support for Legacy Same Site Cookie Behavior policy
Support for LegacySameSiteCookieBehaviorEnabledForDomainList policy has been extended up to Chrome 115 and is now scheduled for removal late June 2023.
- Chrome 104 will no longer support OS X 10.11 and macOS 10.12
Chrome 104 will no longer support OS X 10.11 and macOS 10.12, which are already outside of their support window with Apple. Users will have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security.
- Changes in cookie expiration date limit
Beginning with Chrome 104, any newly set or refreshed cookies will have their expiration date limited to no more than 400 days in the future. Cookies which request expiration dates after 400 days in the future will still be set, but their expiration will be adjusted down to 400 days. Existing cookies will retain their prior expiration date (even if it was more than 400 days in the future), but refreshing them will cause the cap to be enforced.
- Chrome will show Journeys on the History page on Android
Chrome 96 started clustering local browsing activity on the History page into Journeys to make it easier to find prior activity and continue it with related search suggestions. This feature will also become available on Android as early as Chrome 104. For keywords typed into the Omnibox that match a cluster, an action chip displays for seamless access to the Journeys view. Users can delete clusters and disable Journeys, if desired. Additionally, admins will have the option to disable this feature using the HistoryClustersVisible policy.
- Network Service on Windows will be sandboxed
As early as Chrome 105, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- U2F API no longer supported as early as Chrome 104
The U2F API for interacting with USB security keys has been disabled by default since Chrome 98. Websites are advised to migrate to the Web Authentication API. Chrome 104 will remove the U2fSecurityKeyApiEnabled enterprise policy for temporarily re-enabling this API. The U2FSecurityKeyAPI origin trial, which lets websites re-enable U2F, is going to end July 26, 2022. We are offering existing trial participants that have not yet fully migrated to WebAuthn an extension of the trial until September 20, 2022. If you are an existing origin trial participant and would like to extend your trial tokens beyond the July 26 deadline, please get in touch with our team. The U2F API will be fully removed in Chrome 106.
- Chrome apps no longer supported on Windows, Mac, and Linux as early as Chrome 106
As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 106 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
If you're force-installing any Chrome apps, starting Chrome 104, users will be shown a message stating that the app is no longer supported. The installed Chrome Apps will still be launchable.
Starting with Chrome 106, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list and, if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property | Extension ID (Chrome App) | install_url (PWA / Web App) |
---|---|---|
Gmail | pjkljhegncpnkpknbcohdijeoejaedia | https://mail.google.com/mail/installwebapp?usp=admin |
Docs | aohghmighlieiainnegkcijnfilokake | https://docs.google.com/document/installwebapp?usp=admin |
Drive | apdfllckaahabafndbhieahigkjlhalf | https://drive.google.com/drive/installwebapp?usp=admin |
Sheets | felcaaldnbdncclmgdcncolpebgiejap | https://docs.google.com/spreadsheets/installwebapp?usp=admin |
Slides | aapocclcgogkmnckokdopfmhonfmgoek | https://docs.google.com/presentation/installwebapp?usp=admin |
YouTube | blpcfgokakmgnkcojhhkbfbldkacnbeo | https://www.youtube.com/s/notifications/manifest/cr_install.html |
- Launch Renderer AppContainer
In Chrome 104, a further sandbox security mitigation will be applied to renderer processes. They will be additionally placed inside an App Container on top of the existing sandbox. This prevents malicious code from having any network privileges by subverting kernel APIs from within the renderer process.
While we do not expect any incompatibilities with this new mitigation, some security products might react adversely to this. A new policy RendererAppContainerEnabled will be added in Chrome 104 to allow selective disabling of this security mitigation for a limited time while these issues are resolved. This policy can be set to Disabled to force disable the mitigation, otherwise it will be enabled by default.
- Intent to remove: Legacy Client Hint mode
In Chrome 104, the Client Hints, `dpr`, `width`, `viewport-width`, and `device-memory`, will no longer be delegated to all third party frames and subresources by default on Android. The Android behavior will now replicate that of all other platforms, which is to only delegate to the first party frame and subresources by default.
- MetricsReportingEnabled policy will be available on Android in Chrome
As early as Chrome 106, Chrome-on-Android will slightly modify the first run experience to support the MetricsReportingEnabled policy. If the admin disables metrics reporting, there will be no change to the first run experience. If the admin enables metrics, users will still be able to change the setting in Chrome settings. When enabled, the MetricsReportingEnabled policy allows anonymous reporting of usage and crash-related data about Chrome to Google.
Upcoming Chrome OS changes
- PDF annotating support on Gallery app
As early as Chrome 104, the Gallery app, Chromebook’s built-in media app, will support PDF annotating. Besides viewing a PDF, you will be able to highlight text, fill out forms, and add text or freeform annotations in the app. With freehand annotation you can add your signature to a document, then easily share the PDF right through the app.
- Smart Lock UX update
Starting in Chrome 104, Smart Lock, which allows users to unlock their Chromebook using their connected Android phone, will be faster than ever, with greater performance, reliability, and an overhauled design. To get started, navigate to Chrome OS Settings > Connected devices, select your Android phone, and enable Smart Lock.
Upcoming Admin console changes
Chrome browser updates | Security | User productivity/ Apps | Management |
---|---|---|---|
Chrome sends Private Network Access preflights for subresources | ✓ | ||
Chrome leverages MiraclePtr to improve security | ✓ | ||
Virtual card numbers in Autofill | ✓ | ✓ | |
Changes to URL parameters | ✓ | ||
A redesign for browser downloads | ✓ | ||
Chrome releases on Windows and Android now include multiple versions | ✓ | ||
Chrome New Profile Separation Dialog | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Chrome OS updates | Security | User productivity/ Apps | Management |
Long-term Support (LTS) | ✓ | ✓ | |
USB Type-C cable notifications | ✓ | ||
Camera settings improvements | ✓ | ||
Launcher redesign: Open Tab search | ✓ | ||
File manager ZIP extraction | ✓ | ||
Built-in IKEv2 VPN support on Chrome OS | ✓ | ✓ | |
Admin console updates | Security | User productivity/ Apps | Management |
New look for the Device list and Browser list pages | ✓ | ||
New security events for the Chrome Audit Log | ✓ | ✓ | |
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security | User productivity/ Apps | Management |
Privacy Sandbox updates | ✓ | ||
Case-matching on CORS preflight requests | ✓ | ||
Local Fonts Access API | ✓ | ||
Unified password manager on Android | ✓ | ✓ | |
Chrome Actions on iOS | ✓ | ||
Improved credit and debit card Autofill | ✓ | ||
Removing LockIconInAddressBarEnabled policy | ✓ | ||
Improved first run experience on iOS | ✓ | ||
Chrome on Windows will use Chrome's built-in DNS client by default | ✓ | ||
Release of Speculation Rules API for prerender in Android | ✓ | ||
Enhanced Safe Browsing on iOS | ✓ | ||
MetricsReportingEnabled policy will be available on Android | ✓ | ||
Chrome 104 will no longer support OS X 10.11 and macOS 10.12 | ✓ | ||
Changes in cookie expiration date limit | ✓ | ||
Chrome will show Journeys on the History page on Android | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Chrome 104 will remove U2F API | ✓ | ||
Private extensions using Manifest V2 no longer accepted in the Chrome Web Store in June 2022 | ✓ | ||
Chrome apps no longer supported on Windows, Mac, and Linux as early as Chrome 104 | ✓ | ✓ | |
Default to origin-keyed agent clustering | ✓ | ||
Upcoming Chrome OS changes | Security | User productivity/ Apps | Management |
Fast Pair on Chrome OS | ✓ | ||
Forced reboot in user session | ✓ | ✓ | |
Backlight PDF support with text annotation | ✓ | ||
Smart Lock UX update | ✓ | ||
Upcoming Admin console changes | Security | User productivity/ Apps | Management |
New CSV export for some Admin console reports in Chrome 103 | ✓ | ✓ |
Chrome browser updates
- Chrome sends Private Network Access preflights for subresources
In Chrome 102, Chrome sends a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new `Access-Control-Request-Private-Network: true` header. In this initial phase, this request is sent, but no response is required from network devices. If no response is received, or it does not carry a matching `Access-Control-Allow-Private-Network: true` header, a warning is shown in DevTools (more details here).
In Chrome 105 at the earliest, the warnings will turn into errors and affected requests will fail. You can disable Private Network Access checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
If you want to test this feature prior to Chrome 106, the Chrome team has created the `--enable-features=PrivateNetworkAccessRespectPreflightResults` command-line flag (also available as chrome://flags/#private-network-access-respect-preflight-results).
To learn more about mitigating this change proactively, see details on what to do if your site is affected. Read the whole blog post for a more general discussion about Private Network Access preflights.
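As an added example (not code from Chrome or from this page), here is one way an internal service could answer these preflights for a fixed set of sites, together with a simplified model of the warning-then-error rollout described above. The origin, the method list and all function names are assumptions made for the illustration.

```javascript
// Added example: answering Private Network Access (PNA) preflights.
// The allowed origin and method list are constructed placeholders.
const PNA_ALLOWED_ORIGINS = new Set(['https://intranet.example.com']);
const PNA_ALLOWED_METHODS = ['GET', 'POST'];

// Node lowercases incoming header names; do the same for plain objects.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Decide how to answer an OPTIONS preflight sent to a private-network server.
function answerPnaPreflight(requestHeaders, allowedOrigins = PNA_ALLOWED_ORIGINS) {
  const h = lowerKeys(requestHeaders);
  const origin = h['origin'];
  if (!origin || !h['access-control-request-method']) {
    return { status: 400, headers: {} };   // not a CORS preflight
  }
  if (!allowedOrigins.has(origin)) {
    return { status: 403, headers: {} };   // unknown site: grant nothing
  }
  const headers = {
    'Access-Control-Allow-Origin': origin, // the exact origin, never "*"
    'Access-Control-Allow-Methods': PNA_ALLOWED_METHODS.join(', '),
    'Vary': 'Origin',
  };
  // Grant private-network access only when the browser asked for it.
  if (h['access-control-request-private-network'] === 'true') {
    headers['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers };
}

// Simplified model of the rollout: a missing or non-matching allow header
// is a DevTools warning in the initial phase and a failed request once the
// checks are enforced. Pass null when the device sent no response at all.
function pnaOutcome(preflightResponse, enforced) {
  const h = lowerKeys(preflightResponse ? preflightResponse.headers : {});
  const granted = Boolean(preflightResponse)
    && preflightResponse.status >= 200 && preflightResponse.status < 300
    && h['access-control-allow-private-network'] === 'true';
  if (granted) return 'allowed';
  return enforced ? 'blocked' : 'warning';
}

// Request handler in the shape Node's http.createServer() expects.
function pnaHandler(req, res) {
  if (req.method === 'OPTIONS') {
    const { status, headers } = answerPnaPreflight(req.headers);
    res.writeHead(status, headers);
    return res.end();
  }
  const origin = req.headers['origin'];
  const cors = PNA_ALLOWED_ORIGINS.has(origin)
    ? { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' }
    : {};
  res.writeHead(200, { 'Content-Type': 'text/plain', ...cors });
  return res.end('ok\n');
}
```

Answering only for known origins keeps the preflight meaningful; the InsecurePrivateNetworkRequestsAllowedForUrls policy mentioned above remains the fallback for devices that cannot be updated.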
- Virtual card numbers in Autofill
To make checking out with autofill more secure, virtual cards for participating US banks are available in Chrome 102. Virtual cards let users pay with unique virtual card numbers so they don’t need to share their real card numbers with merchants. When autofill is enabled, virtual card numbers are automatically generated at checkout for opted-in users. You can control Chrome's credit card autofill behavior with the AutofillCreditCardEnabled enterprise policy.
- Changes to URL parameters
Chrome 102 might remove some URL parameters when a user selects Open link in incognito window from the context menu. You can control this behavior with the UrlParamFilterEnabled enterprise policy.
- A redesign for browser downloads
With Chrome 102, some users see a redesigned user experience for browser downloads. We are replacing the existing downloads shelf with a dedicated downloads bubble in Chrome browser’s top bar. You can control this with the DownloadBubbleEnabled enterprise policy.
- Chrome releases on Windows and Android include multiple versions
To better compare the behavior of a new release of Chrome against the existing one, Chrome now makes multiple new versions available during a rollout. This is an internal change to our update strategy, which has no effect on enterprises. Admins do not need to adjust their update policies and strategy. However, in the interest of transparency, we're sharing this update so that those responsible for Chrome releases understand why they're seeing extra versions of Chrome available during rollouts.
- Chrome New Profile Separation Dialog
Chrome 102 brings better separation between personal and enterprise-managed data. When the user signs into a managed account, they will have the option to either keep existing browsing data separate, or merge it with the managed account. By default, the data is kept separate, so a new profile will be created. Or, if they choose, they can merge the existing profile into the managed account. This prevents inadvertent sharing of personal data with work accounts. The ManagedAccountsSigninRestriction policy can be used to hide the checkbox altogether, allowing admins to force users to create a separate work profile.
- New and updated policies in Chrome browser
Policy
Description
When enabled or not set, the URL parameter filter might remove some parameters when a user selects Open link in incognito window from the context menu. When disabled, no filtering is performed.
This policy allows an admin to specify settings for installed web apps.
This policy controls whether a user will be presented with an option, within the Google Cast menu, which allows them to cast to devices that do not appear in the Google Cast menu. If enabled, users can cast to the device using either the access code or QR code displayed on the cast device's screen.
Controls Warn Before Quitting (⌘Q) dialog when the user is attempting to quit the browser (Mac only).
This policy allows adding restrictions on managed accounts. Two new options are available in Chrome 102: primary_account_keep_existing_data and primary_account_strict_keep_existing_data.
Chrome OS updates
- Long-term support (LTS)
With the release of Chrome 102, devices that are on the Long-term support candidate (LTC) channel automatically upgrade from version LTC-96 to version LTC-102. This is our first major LTC update.
Devices that are on the LTS channel will remain on LTS-96 until LTS-102 releases in September.
Note: This is a good time to check your organization’s release configuration and verify if your devices are on the LTS or the LTC channel.
As a best practice, most of your devices should be on the LTS channel. We recommend that you keep some devices on the LTC channel in order to preview features in the upcoming LTS release in advance, and have time to plan and execute any necessary change management before the new LTS is released.
Admins can switch between LTS and other channels if desired. For more details about LTS, see this article in the Help Center.
- Camera settings improvements
Chrome 102 adds improvements for the Chrome OS Camera app, to make it simpler and easier to use. On the left-side tool, it is easier to access the different options and users can now clearly see what feature is currently turned on or off. Under the Settings tab, we’ve made all Camera options more readable and easier to find.
- Launcher redesign includes Open Tab search
Chrome 102 adds Open Tab search integration into the redesigned Launcher. This updated version allows users to open the Launcher, and search for a browser tab that is currently open.
As a category, open tabs are ranked just like any other category; the order is based on how often the user tends to click on that type of result.
- A match is done on both the URL and the tab name.
- A user can select the tab and go to it within the browser.
Tabs playing active audio are returned as top search values, as well as tabs that have been recently used or other tabs with the same name.
- Built-in IKEv2 VPN support on Chrome OS
Chrome OS now supports IKEv2 VPN as a built-in VPN client. It is configurable through system settings and policies, similar to L2TP/IPsec VPN, and OpenVPN.
IKEv2 VPN is one of the modern and most widely used VPN protocols. This feature allows users to connect to IKEv2 VPNs directly through Chrome OS system settings, without the need to install third-party apps.
Admin console updates
- New security events for the Chrome Audit Log
The Chrome Audit Log now has three new categories of security events: events for when users log in to and log out of devices, for when user accounts are added to or removed from a device, and for when a managed device changes boot mode to developer or verified mode. For more information, go to the Chrome Workspace Admin Help Center.
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
 | User & Browser Settings; Managed Guest Session | Chrome OS | User Experience > Fullscreen after unlock |
 | User & Browser Settings | Chrome, Chrome OS | User Experience > Middle slot announcement on the New Tab Page |
 | Device Settings | Chrome OS | Other settings > Android apps for unaffiliated users |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Privacy Sandbox updates
The Privacy Sandbox release in Chrome 103 will provide controls for the new Topics & Interest Group APIs. It will also introduce a one-time dialog that explains Privacy Sandbox to users and allows them to manage their preferences. This dialog is not shown for Guest users or managed EDU users.
Admins can prevent the dialog from appearing for their managed users by controlling third-party cookies explicitly via policy:
- To allow third-party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to disabled.
- To disallow third-party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to enabled. This might cause some sites to stop working.
- Case-matching on CORS preflight requests
Chrome 102 and below uppercase request methods when matching with `Access-Control-Allow-Methods` response headers in CORS preflight. Chrome 103 will not uppercase request methods, except for DELETE, GET, HEAD, OPTIONS, POST, and PUT (all case-insensitive). So, Chrome 103 will require exact case-sensitive matching.
Previously accepted, but rejected in Chrome 103:
- Request: `fetch(url, {method: 'Foo'})`
- Response Header: `Access-Control-Allow-Methods: FOO`
Previously rejected, but accepted in Chrome 103:
- Request: `fetch(url, {method: 'Foo'})`
- Response Header: `Access-Control-Allow-Methods: Foo`
Note: `post` and `put` are not affected because they are in https://fetch.spec.whatwg.org/#concept-method-normalize, while `patch` is affected.
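The matching rule described above, written out as an added example (not Chrome's implementation) that can be run over the methods your clients send and the `Access-Control-Allow-Methods` value your server returns to find requests that change behavior in Chrome 103. It also covers the CORS-safelisted methods and the `*` wildcard from the Fetch specification, which go beyond the cases listed here; function names and the sample inputs are assumptions.

```javascript
// Added example: model of CORS preflight method matching before and after
// Chrome 103. Not Chrome's code; names and sample data are constructed.

// Methods that fetch() normalizes to uppercase (Fetch spec, "normalize a method").
const NORMALIZED_METHODS = new Set(['DELETE', 'GET', 'HEAD', 'OPTIONS', 'POST', 'PUT']);
// CORS-safelisted methods do not need to be listed in Access-Control-Allow-Methods.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);

function normalizeMethod(method) {
  const upper = method.toUpperCase();
  return NORMALIZED_METHODS.has(upper) ? upper : method;
}

function parseAllowMethods(headerValue) {
  return (headerValue || '').split(',').map((t) => t.trim()).filter(Boolean);
}

// chromeMajor <= 102: the request method is uppercased before matching.
// chromeMajor >= 103: only the six normalized methods are uppercased, and
// everything else must match the header token byte for byte.
function preflightAllowsMethod(method, allowMethodsHeader, chromeMajor, credentialed = false) {
  const sent = chromeMajor <= 102 ? method.toUpperCase() : normalizeMethod(method);
  if (SAFELISTED_METHODS.has(sent)) return true;
  const allowed = parseAllowMethods(allowMethodsHeader);
  if (allowed.includes(sent)) return true;
  // The wildcard only applies to requests sent without credentials.
  return !credentialed && allowed.includes('*');
}

// Return the methods whose preflight result differs between 102 and 103.
function auditMethodsForChrome103(methodsUsed, allowMethodsHeader) {
  return methodsUsed
    .map((method) => ({
      method,
      chrome102: preflightAllowsMethod(method, allowMethodsHeader, 102),
      chrome103: preflightAllowsMethod(method, allowMethodsHeader, 103),
    }))
    .filter((r) => r.chrome102 !== r.chrome103);
}

// Constructed sample: methods as written in client code, and a server header.
const SAMPLE_METHODS_USED = ['put', 'patch', 'PATCH', 'Foo', 'delete'];
const SAMPLE_ALLOW_HEADER = 'PUT, PATCH, DELETE, FOO';

function sampleAudit() {
  return auditMethodsForChrome103(SAMPLE_METHODS_USED, SAMPLE_ALLOW_HEADER);
}
```

In the sample, only `patch` and `Foo` change from accepted to rejected; the usual fix is to send `PATCH` in uppercase from the client.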
- Local Fonts Access API
Users of design applications often want to use fonts present on their local device. The Local Fonts Access API will give web applications the ability to enumerate local fonts and some metadata about each. This API will also give web applications access to the font data as a binary blob, allowing those fonts to be rendered within their applications using custom text stacks. The enterprise policies applicable to this feature are DefaultLocalFontsSetting, LocalFontsAllowedForUrls and LocalFontsBlockedForUrls. The API will be available as early as Chrome 103.
- Chrome Actions on iOS
Chrome Actions help users get things done fast, directly from the address bar. We first released Chrome Actions on desktop a couple of years ago, with Actions like Clear browsing data. In Chrome 103, we’ll be bringing some of them to Chrome on iOS, like:
- Manage passwords
- Open Incognito tab
- Clear browsing data
- And more!
Chrome on iOS allows users to take actions directly from the address bar, like clearing browsing data, using a button that appears among auto-complete suggestions. This feature is already available on desktop platforms.
- Improved credit and debit card Autofill
Over the course of Chrome 103, credit and debit card Autofill will start supporting cloud-based upload via Google Pay, enabling Autofill for your cards across all your Chrome devices. You can control credit card autofill with the AutofillCreditCardEnabled enterprise policy.
- Removing LockIconInAddressBarEnabled policy
Chrome 94 launched an experiment to replace the lock icon as the connection security indicator. The LockIconInAddressBarEnabled policy was added to allow organizations to continue to show the lock icon during the experiment. The experiment is no longer active, so the policy will no longer be available starting with Chrome 103.
- Improved first run experience on iOS
In Chrome 103, some users might see a new onboarding experience with fewer steps and a more intuitive way to sign into Chrome. Enterprise policies that control whether the user can sign into Chrome and other aspects of the onboarding experience, like BrowserSignin, SyncDisabled, SyncTypesListDisabled and MetricsReportingEnabled, will continue to be available as before.
- Chrome on Windows will use Chrome's built-in DNS client by default
The built-in DNS client is enabled by default on macOS, Android and Chrome OS. Chrome on Windows will also use the built-in DNS client by default as early as Chrome 103. Enterprises can opt out by setting BuiltInDnsClientEnabled policy to Disabled.
- Release of Speculation Rules API for prerender in Android
Expanding our prerender efforts released on Chrome 101, we will ship the Speculation Rules API for Android in Chrome 103. This API will allow web authors to suggest to Chrome which pages the user is very likely to navigate to next. This will influence Chrome's decision to prerender a particular URL before the user navigates to it, aiming to offer an instant navigation. An enterprise policy, NetworkPredictionOptions, is available to block all prerendering activities, which will result in Chrome ignoring the hints provided using this API. See our article on speculative prerendering for more information.
- Enhanced Safe Browsing on iOS
To match Safe Browsing functionality from other platforms, we will add functionality so that a user on iOS can choose what type of Safe Browsing protection they would like. Where an enterprise controls this setting, the enterprise will be allowed to set the level of Safe Browsing protection, and users under the enterprise will not be allowed to change the preference. An enterprise policy SafeBrowsingProtectionLevel is available to control Safe Browsing and the mode it operates in.
- MetricsReportingEnabled policy will be available on Android in Chrome 103
Chrome-on-Android will slightly modify the first run experience to support the MetricsReportingEnabled policy. If the admin disables metrics reporting, there will be no change. If the admin enables metrics, users will still be able to change the setting in Chrome settings. When enabled, the MetricsReportingEnabled policy allows anonymous reporting of usage and crash-related data about Chrome to Google.
- Chrome 104 will no longer support OS X 10.11 and macOS 10.12
Chrome 104 will no longer support macOS versions 10.11 and 10.12, which are already outside of their support window with Apple. Users will have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security.
- Changes in cookie expiration date limit
Beginning with Chrome 104, any newly set or refreshed cookies will have their expiration date limited to no more than 400 days in the future. Cookies which request expiration dates after 400 days in the future will still be set, but their expiration will be adjusted down to 400 days. Existing cookies will retain their prior expiration date (even if it was more than 400 days in the future), but refreshing them will cause the cap to be enforced.
- Chrome will show Journeys on the History page on Android
Chrome 96 started clustering local browsing activity on the History page into Journeys to make it easier to find prior activity and continue it with related search suggestions. These Journeys will become available on Android in Chrome 104. For keywords typed into the Omnibox that match a cluster, an action chip displays for seamless access to the Journeys view. Users can delete clusters and disable Journeys, if desired. Additionally, admins will have the option to disable this feature using the HistoryClustersVisible policy.
- Network Service on Windows will be sandboxed
As early as Chrome 104, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 104 will remove U2F API
The U2F API for interacting with USB security keys has been disabled by default since Chrome 98. Chrome is currently running an Origin Trial that lets websites temporarily re-enable the U2F API. This Origin Trial will end on July 26, 2022 and the U2F API will be fully removed in Chrome 104.
If you run a website that still uses this API, please refer to the deprecation announcement and blog post for more details.
- Private extensions using Manifest V2 no longer accepted in the Chrome Web Store in June 2022
As part of the gradual deprecation of Manifest V2, the Chrome Web Store stopped accepting submissions of new Public or Unlisted Manifest V2 extensions after January 17, 2022. In June 2022, Chrome expands this restriction to new extensions with Private visibility, which may have a more significant impact on Enterprise extension workflows. Extensions which are already submitted may continue to be updated until January 2023.
For more details, refer to the Manifest V2 support timeline.
- Chrome apps no longer supported on Windows, Mac, and Linux as early as Chrome 106
As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 106 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
If you're force-installing any Chrome apps, starting Chrome 104, users will be shown a message stating that the app is no longer supported. The installed Chrome Apps will still be launchable.
Starting with Chrome 106, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list and, if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property | Extension ID (Chrome App) | install_url (PWA / Web App) |
---|---|---|
Gmail | pjkljhegncpnkpknbcohdijeoejaedia | https://mail.google.com/mail/installwebapp?usp=admin |
Docs | aohghmighlieiainnegkcijnfilokake | https://docs.google.com/document/installwebapp?usp=admin |
Drive | apdfllckaahabafndbhieahigkjlhalf | https://drive.google.com/drive/installwebapp?usp=admin |
Sheets | felcaaldnbdncclmgdcncolpebgiejap | https://docs.google.com/spreadsheets/installwebapp?usp=admin |
Slides | aapocclcgogkmnckokdopfmhonfmgoek | https://docs.google.com/presentation/installwebapp?usp=admin |
YouTube | blpcfgokakmgnkcojhhkbfbldkacnbeo | https://www.youtube.com/s/notifications/manifest/cr_install.html |
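The migration step described in both Chrome apps entries on this page, as an added example (not Google's tooling): it takes the current values of the two force-install lists, drops the Chrome App IDs from the table, and adds the matching install_url entries. It assumes the lists are the ExtensionInstallForcelist and WebAppInstallForceList policies in their JSON form; the sample policy values are constructed.

```javascript
// Added example: move force-installed Chrome Apps to their PWA equivalents.
// IDs and install_urls are the ones listed in the table above.
const CHROME_APP_TO_PWA = new Map([
  ['pjkljhegncpnkpknbcohdijeoejaedia', 'https://mail.google.com/mail/installwebapp?usp=admin'],
  ['aohghmighlieiainnegkcijnfilokake', 'https://docs.google.com/document/installwebapp?usp=admin'],
  ['apdfllckaahabafndbhieahigkjlhalf', 'https://drive.google.com/drive/installwebapp?usp=admin'],
  ['felcaaldnbdncclmgdcncolpebgiejap', 'https://docs.google.com/spreadsheets/installwebapp?usp=admin'],
  ['aapocclcgogkmnckokdopfmhonfmgoek', 'https://docs.google.com/presentation/installwebapp?usp=admin'],
  ['blpcfgokakmgnkcojhhkbfbldkacnbeo', 'https://www.youtube.com/s/notifications/manifest/cr_install.html'],
]);

// extensionForcelist: strings of the form "<id>" or "<id>;<update_url>"
//   (assumed to be the ExtensionInstallForcelist policy value).
// webAppForceList: objects with at least a `url` field
//   (assumed to be the WebAppInstallForceList policy value).
function migrateForceInstalledChromeApps(extensionForcelist, webAppForceList = []) {
  const keptExtensions = [];
  const webApps = webAppForceList.map((entry) => ({ ...entry }));
  const migrated = [];

  for (const entry of extensionForcelist) {
    const id = entry.split(';')[0].trim();
    const installUrl = CHROME_APP_TO_PWA.get(id);
    if (!installUrl) {
      keptExtensions.push(entry);          // not a listed Chrome App: leave as is
      continue;
    }
    // Do not add a second entry if the web app is already force-installed;
    // an existing entry keeps whatever options the admin set on it.
    if (!webApps.some((w) => w.url === installUrl)) {
      webApps.push({ url: installUrl });
    }
    migrated.push(id);
  }

  return {
    ExtensionInstallForcelist: keptExtensions,
    WebAppInstallForceList: webApps,
    migrated,
  };
}

// Constructed sample policy values. The last ID is a placeholder standing in
// for an extension that is not one of the listed Chrome Apps.
const SAMPLE_EXTENSION_FORCELIST = [
  'pjkljhegncpnkpknbcohdijeoejaedia;https://clients2.google.com/service/update2/crx',
  'apdfllckaahabafndbhieahigkjlhalf',
  'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx',
];
const SAMPLE_WEB_APP_FORCELIST = [
  { url: 'https://drive.google.com/drive/installwebapp?usp=admin', default_launch_container: 'window' },
];

function sampleMigration() {
  return migrateForceInstalledChromeApps(SAMPLE_EXTENSION_FORCELIST, SAMPLE_WEB_APP_FORCELIST);
}
```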
- Default to origin-keyed agent clustering in Chrome 106
As early as Chrome 106, websites will be unable to set `document.domain`. Websites will need to use alternative approaches such as `postMessage()` or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation via `document.domain` to function correctly, it will need to send an `Origin-Agent-Cluster: ?0` header along with all documents that require that behavior.
Note: `document.domain` has no effect if only one document sets it.
An enterprise policy will be available to extend the current behavior.
Upcoming Chrome OS changes
- Fast Pair on Chrome OS
Starting in Chrome 103, Fast Pair will make Bluetooth pairing easier on Chrome OS devices and Android phones. When you turn on your Fast Pair-enabled accessory (like Pixel Buds), it will automatically detect and pair with your Chrome OS device in a single tap. Fast Pair will also associate your Bluetooth accessory with your Google account, making it incredibly simple to move between your Chrome OS and Android devices.
- Smart Lock UX update
Starting in Chrome 104, Smart Lock, which allows users to unlock their Chromebook using their connected Android phone, will be faster than ever, with greater performance, reliability, and an overhauled design.
Upcoming Admin console changes
Chrome browser updates | Security | User productivity/ Apps | Management |
---|---|---|---|
Removing setTimeout(,0) clamping to 1ms | ✓ | ||
Deprecation Origin Trial for UA reduction | ✓ | ||
Chrome Browser Cloud Management maintains compatibility with the most recent 12 versions of Chrome | ✓ | ||
Chrome supports notification permission changes on Android 13 and above | ✓ | ||
Chrome removes support for WebSQL in a third-party context | ✓ | ||
Compare search results with new Side Search feature | ✓ | ||
Control camera and microphone permissions on iOS | ✓ | ||
Chrome runs prerendering autocomplete suggestions from the Omnibox | ✓ | ||
Chrome removes legacy policies with non-inclusive names | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Chrome OS updates | Security | User productivity/ Apps | Management |
Network-based recovery for Chrome OS | ✓ | ||
Policy support for additional openVPN settings | ✓ | ||
UI-based firmware updates for peripherals | ✓ | ||
Crostini upgrade to Debian 11 (Bullseye) | ✓ | ||
UI improvements for the Camera app | ✓ | ||
Cursive canvas lock | ✓ | ||
Forced reboots across managed devices | ✓ | ||
Admin console updates | Security | User productivity/ Apps | Management |
Identification variables for Android managed configuration policy | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security | User productivity/ Apps | Management |
Chrome apps no longer supported on Windows, Mac, and Linux as early as Chrome 102 | ✓ | ✓ | |
Privacy Sandbox updates in Chrome 102 | ✓ | ||
Private extensions using Manifest V2 no longer accepted in the Chrome Web Store in June 2022 | ✓ | ||
Chrome to send Private Network Access preflights for subresources as early as Chrome 102 | ✓ | ||
Chrome will use MiraclePtr to improve security as early as Chrome 102 | ✓ | ||
MetricsReportingEnabled policy available on Android in Chrome 102 | ✓ | ||
Chrome 103 will use case-matching on CORS preflight requests | ✓ | ||
Chrome Actions on iOS in Chrome 103 | ✓ | ||
Network Service on Windows will be sandboxed in Chrome 104 | ✓ | ||
Default to origin-keyed agent clustering in Chrome 106 | ✓ | ||
Chrome 107 will replace master_preferences with initial_preferences | ✓ | ||
Upcoming Admin console changes | Security | User productivity/ Apps | Management |
New CSV export for some Admin console reports in Chrome 103 | ✓ | ✓ |
Chrome browser updates
- Removing setTimeout(,0) clamping to 1ms
Chrome 101 removes a web intervention for some users that clamped setTimeout(,0) timers to 1ms. In Chrome 101, those users see timers fire immediately. Note that nested timer calls clamp to 4ms after repeated nested calls. This change brings Chrome in line with web specifications and might improve performance on some pages.
It's possible that this change will introduce bugs in web applications that rely on the current clamped behavior. If you have any apps affected by this change, you can use the SetTimeoutWithout1MsClampEnabled policy to revert to the Chrome 100 behavior.
- Deprecation Origin Trial for UA reduction
As previously announced, Chrome 101 protects user privacy by reducing the granularity of information in the User-Agent string. In this phase, the MINOR.BUILD.PATCH version info is reduced to 0.0.0. If a site needs this information, it should migrate to the User Agent Client Hints API. Sites that need more time to test or migrate can take advantage of a Deprecation Trial, which started in Chrome 100.
You can also control this using the UserAgentReduction enterprise policy. You can test the new reduced-granularity User-Agent string by setting the policy to 2, or you can delay the change while you update your apps by setting it to 1.
- Chrome Browser Cloud Management maintains compatibility with the most recent 12 versions of Chrome
Starting with Chrome 101, Chrome Browser Cloud Management maintains compatibility with the most recent 12 versions of Chrome. Older versions may lose some Chrome Browser Cloud Management features without notice, or behave unexpectedly. For your security, you should keep Chrome auto-update enabled, which keeps your fleet on the most recent version of Chrome. If you manage Chrome updates manually, staying close to the most recent version both keeps your users safer, and ensures you stay within the compatibility window.
- Chrome 101 supports notification permission changes in Android 13 and above
Android 13 is changing the way push notification permissions behave by default. All Android apps require users to explicitly allow OS notification permissions, as opposed to Android 12 and earlier where it was granted by default. Chrome running on Android 13 now prompts the user for permission at app launch up to two times.
- Chrome removes support for WebSQL in a third-party context
The WebSQLInThirdPartyContextEnabled policy was introduced to give admins additional time to react to the removal of WebSQL in a third-party context. As planned, this policy is removed in Chrome 101.
- Compare search results with new Side Search feature
Side Search allows users to compare search results via a side panel UI to get the right answer faster. This means users can view a page and the search results at the same time, without needing to navigate back and forth or losing their search results. This is helpful for users who are actively searching for something and need more than one site, for example, planning an employee dinner, putting together presentations, and so on. You can control this feature using the SideSearchEnabled policy.
- Control camera and microphone permissions on iOS
In Chrome 101, after granting Chrome both app level and site level permission to use the camera or microphone, users can now control camera or microphone usage. Users can tap the icon on the left of the location bar to trigger a popup that shows switches to control the camera or microphone. Alternatively, users can go to Site Information in the context menu and do the same.
- Chrome runs prerendering autocomplete suggestions from the Omnibox
Chrome 101 enables Omnibox, or URL bar, prerendering. With this feature, Chrome starts prerendering the high-confidence Omnibox autocomplete suggestions. Chrome is currently prefetching resources for high-confidence suggestions using No-state Prefetch, but with this feature we can further process the webpage, including DOM tree construction and script execution. Enterprises can opt-out of this feature using the NetworkPredictionOptions policy.
- Chrome removes legacy policies with non-inclusive names
Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (for example, whitelist, blacklist). In order to minimize disruption for existing managed users, both the old and the new policies currently work.
This transition period was originally planned for Chrome 95, but was extended to Chrome 101 to give admins more time to transition their policies. In Chrome 101, the policies in the left column of the following table no longer function. Please ensure you're using the corresponding policy from the right column instead:
Legacy Policy Name | New Policy Name |
---|---|
NativeMessagingBlacklist | NativeMessagingBlocklist |
NativeMessagingWhitelist | NativeMessagingAllowlist |
AuthNegotiateDelegateWhitelist | AuthNegotiateDelegateAllowlist |
AuthServerWhitelist | AuthServerAllowlist |
SpellcheckLanguageBlacklist | SpellcheckLanguageBlocklist |
AutoplayWhitelist | AutoplayAllowlist |
SafeBrowsingWhitelistDomains | SafeBrowsingAllowlistDomains |
ExternalPrintServersWhitelist | ExternalPrintServersAllowlist |
NoteTakingAppsLockScreenWhitelist | NoteTakingAppsLockScreenAllowlist |
PerAppTimeLimitsWhitelist | PerAppTimeLimitsAllowlist |
URLWhitelist | URLAllowlist |
URLBlacklist | URLBlocklist |
ExtensionInstallWhitelist | ExtensionInstallAllowlist |
ExtensionInstallBlacklist | ExtensionInstallBlocklist |
UserNativePrintersAllowed | UserPrintersAllowed |
DeviceNativePrintersBlacklist | DevicePrintersBlocklist |
DeviceNativePrintersWhitelist | DevicePrintersAllowlist |
DeviceNativePrintersAccessMode | DevicePrintersAccessMode |
DeviceNativePrinters | DevicePrinters |
NativePrinters | Printers |
NativePrintersBulkConfiguration | PrintersBulkConfiguration |
NativePrintersBulkAccessMode | PrintersBulkAccessMode |
NativePrintersBulkBlacklist | PrintersBulkBlocklist |
NativePrintersBulkWhitelist | PrintersBulkAllowlist |
UsbDetachableWhitelist | UsbDetachableAllowlist |
QuickUnlockModeWhitelist | QuickUnlockModeAllowlist |
AttestationExtensionWhitelist | AttestationExtensionAllowlist |
PrintingAPIExtensionsWhitelist | PrintingAPIExtensionsAllowlist |
AllowNativeNotifications | AllowSystemNotifications |
DeviceUserWhitelist | DeviceUserAllowlist |
NativeWindowOcclusionEnabled | WindowOcclusionEnabled |
If both the legacy policy and the new policy are set for any row in the table above, the new policy overrides the legacy policy.
If you're managing Chrome via the Admin console (for example, Chrome Browser Cloud Management), no action is required; the Admin console manages the transition automatically.
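As an added example (not Google's tooling), the following JavaScript audits a policy object, such as the parsed contents of a managed policy JSON file, for the legacy names in the table above and carries each value to its new name, applying the rule that the new policy wins when both are set. A blocklist that exists only under a legacy name stops being enforced in Chrome 101, which is what the audit is meant to catch. It assumes values carry over unchanged between names; `migrateLegacyPolicies` and the sample policy values are constructed for illustration.

```javascript
// Added example: rename pairs copied from the legacy/new policy table above.
const LEGACY_TO_NEW = {
  NativeMessagingBlacklist: 'NativeMessagingBlocklist',
  NativeMessagingWhitelist: 'NativeMessagingAllowlist',
  AuthNegotiateDelegateWhitelist: 'AuthNegotiateDelegateAllowlist',
  AuthServerWhitelist: 'AuthServerAllowlist',
  SpellcheckLanguageBlacklist: 'SpellcheckLanguageBlocklist',
  AutoplayWhitelist: 'AutoplayAllowlist',
  SafeBrowsingWhitelistDomains: 'SafeBrowsingAllowlistDomains',
  ExternalPrintServersWhitelist: 'ExternalPrintServersAllowlist',
  NoteTakingAppsLockScreenWhitelist: 'NoteTakingAppsLockScreenAllowlist',
  PerAppTimeLimitsWhitelist: 'PerAppTimeLimitsAllowlist',
  URLWhitelist: 'URLAllowlist',
  URLBlacklist: 'URLBlocklist',
  ExtensionInstallWhitelist: 'ExtensionInstallAllowlist',
  ExtensionInstallBlacklist: 'ExtensionInstallBlocklist',
  UserNativePrintersAllowed: 'UserPrintersAllowed',
  DeviceNativePrintersBlacklist: 'DevicePrintersBlocklist',
  DeviceNativePrintersWhitelist: 'DevicePrintersAllowlist',
  DeviceNativePrintersAccessMode: 'DevicePrintersAccessMode',
  DeviceNativePrinters: 'DevicePrinters',
  NativePrinters: 'Printers',
  NativePrintersBulkConfiguration: 'PrintersBulkConfiguration',
  NativePrintersBulkAccessMode: 'PrintersBulkAccessMode',
  NativePrintersBulkBlacklist: 'PrintersBulkBlocklist',
  NativePrintersBulkWhitelist: 'PrintersBulkAllowlist',
  UsbDetachableWhitelist: 'UsbDetachableAllowlist',
  QuickUnlockModeWhitelist: 'QuickUnlockModeAllowlist',
  AttestationExtensionWhitelist: 'AttestationExtensionAllowlist',
  PrintingAPIExtensionsWhitelist: 'PrintingAPIExtensionsAllowlist',
  AllowNativeNotifications: 'AllowSystemNotifications',
  DeviceUserWhitelist: 'DeviceUserAllowlist',
  NativeWindowOcclusionEnabled: 'WindowOcclusionEnabled',
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns a migrated copy of `policies` plus two lists for the audit report:
//   renamed   - legacy names whose value was carried over to the new name
//   conflicts - legacy names dropped because the new name was already set
// Assumption: the value format is identical under the old and new names.
function migrateLegacyPolicies(policies) {
  const migrated = {};
  const renamed = [];
  const conflicts = [];

  // Keep every policy that is not a legacy name.
  for (const [name, value] of Object.entries(policies)) {
    if (!has(LEGACY_TO_NEW, name)) migrated[name] = value;
  }

  for (const [legacy, current] of Object.entries(LEGACY_TO_NEW)) {
    if (!has(policies, legacy)) continue;
    if (has(policies, current)) {
      // Both set: the new policy already overrides the legacy one, so
      // dropping the legacy value does not change the effective policy.
      conflicts.push(legacy);
    } else {
      // Only the legacy name is set: this setting stops working in Chrome 101.
      migrated[current] = policies[legacy];
      renamed.push(legacy);
    }
  }
  return { migrated, renamed, conflicts };
}

// Constructed sample policy set (hosts and extension ID are placeholders).
const SAMPLE_POLICIES = {
  URLBlacklist: ['old-blocked.example.test'],
  URLBlocklist: ['blocked.example.test'],
  ExtensionInstallWhitelist: ['aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'],
  HomepageLocation: 'https://intranet.example.test/',
};
```

Review the `conflicts` list by hand before deleting the legacy entries: the two values may differ, and only the one under the new name was ever in effect.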
- New and updated policies in Chrome browser
Policy
Description
Allow showing the most recent default search engine results page in a browser side panel.
Frequency of cloud reporting in hours.
Enable Optimization Guide Fetching.
Force WebSQL to be enabled.
Control Javascript setTimeout() function minimum timeout.
Chrome OS updates
- Network-based recovery for Chrome OS
Network-based recovery provides a built-in recovery mechanism for Chrome OS that doesn’t need external tools such as a USB stick, an Android device, a second computer, a USB cable, and so on. It is available on most of the new Chrome OS devices launching after April 20, 2022.
- UI-based firmware updates for peripherals
Chrome OS now performs firmware updates for peripherals using fwupd, an open source firmware update framework. The previous automatic firmware update approach has its limits as major market players introduce significant changes requiring long update sessions, which can sometimes cause devices to malfunction.
Using fwupd, Chrome OS provides a UI for firmware updates for peripheral devices, allowing users to perform the update when needed.
- Crostini upgrades to Debian 11 (Bullseye)
When users signed up for Crostini, they received a container with Debian 10 (Buster). Debian 11 (Bullseye) is now stable and used for new Crostini installs. We recommend that existing Crostini users upgrade to Bullseye to access new features and simplify support.
Chrome allows users to trigger an upgrade, both via a prompt that occurs at certain times, as well as through Settings. The upgrade displays progress to the user and explains any errors that might occur.
In addition, Chrome 101 now stores an upgrade log, in Downloads, and notifies the user about it, so it's easier to troubleshoot upgrade issues.
- UI improvements for the Camera app
Chrome 101 includes improvements for the Chrome OS Camera app, to make it simpler and easier to use. On the left-side tool, it is easier to access the different options and users can now clearly see what feature is currently turned on or off. Under the Settings tab, we’ve made all Camera options more readable and easier to find.
- Cursive canvas lock
A new canvas lock toggle in Cursive allows you to quickly enable or disable pan and zoom for the canvas. This helps avoid any accidental movements of the canvas while you write. You can turn on canvas lock from the 3-dot menu, and then quickly toggle it using a button on top of the canvas.
- Forced reboot across managed devices
Admins can now automate the reboot process across managed devices. To help reduce operational overhead and improve certain application flows, you can schedule recurring device reboots across kiosks, managed guest and standard user sessions. This essentially forces the device to reboot, even during an active session.
Admin console updates
- Identification variables for Android managed configuration policy
Managed configuration files can now include placeholders that Chrome OS substitutes for the indicated value(s) before providing the configuration file to the Android app. Admins can work with the Android app developer to determine what values to use in a custom policy. All values are optional. See the help center for more details on specific identification variables.
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
 | User & Browser Settings | Chrome, Chrome OS, Android | Network > CORS non-wildcard request headers support |
 | User & Browser Settings; Managed Guest Session | Chrome OS | Accessibility > On-screen keyboard in tablet mode |
 | Device Settings | Chrome OS | Imprivata > Shared Kiosk mode |
 | Device Settings | Chrome OS | Imprivata > Shared apps & extensions |
 | User & Browser Settings; Managed Guest Session | Chrome OS | Other settings > Fast Pair (fast Bluetooth pairing) |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Chrome apps no longer supported on Windows, Mac, and Linux as early as Chrome 102
As previously announced, Chrome apps will be phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 102 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy called ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 releases.
If you're force-installing any Chrome apps, users will be shown a message stating that the app is no longer supported. To fix this, remove the extension ID from the force-install extension list and, if necessary, add the corresponding install_url to the Web App force install list. For common Google apps, the install_urls are listed below:
Property | Extension ID (Chrome App) | install_url (PWA / Web App) |
---|---|---|
Gmail | pjkljhegncpnkpknbcohdijeoejaedia | https://mail.google.com/mail/installwebapp?usp=admin |
Docs | aohghmighlieiainnegkcijnfilokake | https://docs.google.com/document/installwebapp?usp=admin |
Drive | apdfllckaahabafndbhieahigkjlhalf | https://drive.google.com/drive/installwebapp?usp=admin |
Sheets | felcaaldnbdncclmgdcncolpebgiejap | https://docs.google.com/spreadsheets/installwebapp?usp=admin |
Slides | aapocclcgogkmnckokdopfmhonfmgoek | https://docs.google.com/presentation/installwebapp?usp=admin |
YouTube | blpcfgokakmgnkcojhhkbfbldkacnbeo | https://www.youtube.com/s/notifications/manifest/cr_install.html |
- Privacy Sandbox updates in Chrome 102
The Privacy Sandbox release in Chrome 102 will provide controls for the new Topics & Interest Group APIs. It will also introduce a one-time dialog that explains Privacy Sandbox to users and will allow them to manage their preferences. This dialog will not be shown for Guest users or managed EDU users.
Admins will be able to prevent the dialog from appearing for their managed users by controlling third party cookies explicitly via policy:
- To allow third party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to disabled
- To disallow third party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to enabled. This may cause some sites to stop working.
- Private extensions using Manifest V2 no longer accepted in the Chrome Web Store in June 2022
As part of the gradual deprecation of Manifest V2, the Chrome Web Store stopped accepting submissions of new Public or Unlisted Manifest V2 extensions after January 17, 2022. In June 2022, Chrome expands this restriction to new extensions with Private visibility, which may have a more significant impact on Enterprise extension workflows. Extensions that are already submitted can continue to be updated until January 2023.
For more details, refer to the Manifest V2 support timeline.
- Chrome will send Private Network Access preflights for subresources as early as Chrome 102
As early as Chrome 102, Chrome plans to send a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new Access-Control-Request-Private-Network: true header. In this initial phase, this request is sent, but no response is required from network devices.
In a future milestone of Chrome, the response must carry a matching Access-Control-Allow-Private-Network: true header.
A private network request is any request from a public website to a private IP address or localhost, or from a private website, for example, an intranet, to localhost. Sending a preflight request mitigates the risk of cross-site request forgery attacks against private network devices such as routers, which are often not prepared to defend against this threat.
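An added example, not Chrome's or any device vendor's code: an IPv4-only model of the private network request definition above, together with a handler a device's HTTP server could use to answer the preflight only for origins its owner trusts. The function names, the allowlisted origin and the sample addresses are constructed, and treating only loopback and the RFC 1918 ranges as non-public is a simplifying assumption.

```javascript
// Added example: address spaces ordered from least to most private.
const SPACE_RANK = { public: 0, private: 1, local: 2 };

// Classify a dotted-quad IPv4 address.
// Assumption: only 127.0.0.0/8 (localhost) and the RFC 1918 ranges are
// treated as non-public; IPv6 is out of scope for this sketch.
function addressSpace(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  const parts = ip.split('.').map(Number);
  if (parts.some((n) => n > 255)) throw new Error(`octet out of range: ${ip}`);
  const [a, b] = parts;
  if (a === 127) return 'local';
  if (a === 10) return 'private';
  if (a === 172 && b >= 16 && b <= 31) return 'private';
  if (a === 192 && b === 168) return 'private';
  return 'public';
}

// True when the target sits in a more private space than the page that
// initiated the request: public -> private/localhost, or private -> localhost.
function isPrivateNetworkRequest(initiatorIp, targetIp) {
  return SPACE_RANK[addressSpace(targetIp)] > SPACE_RANK[addressSpace(initiatorIp)];
}

// Device-side answer to a preflight. `headers` uses lower-case names (the
// form Node's http module delivers). `allowedOrigins` is a Set of the web
// origins the device owner trusts. Returns null when the request is not a
// Private Network Access preflight, so normal routing can handle it.
function answerPreflight(method, headers, allowedOrigins) {
  const isPnaPreflight =
    method === 'OPTIONS' &&
    headers['access-control-request-private-network'] === 'true';
  if (!isPnaPreflight) return null;

  const origin = headers['origin'];
  if (!origin || !allowedOrigins.has(origin)) {
    // No opt-in header: once Chrome requires the response header, the
    // subresource request from this origin is not sent.
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Methods': headers['access-control-request-method'] || 'GET',
      'Access-Control-Allow-Private-Network': 'true',
      'Vary': 'Origin',
    },
  };
}

// Constructed sample: the only origin this device opts in for.
const ALLOWED_ORIGINS = new Set(['https://admin.example.test']);

// Constructed sample preflight, as the device would receive it.
const SAMPLE_PREFLIGHT = {
  'origin': 'https://admin.example.test',
  'access-control-request-method': 'GET',
  'access-control-request-private-network': 'true',
};
```

Echoing back any `Origin` value instead of checking an allowlist would defeat the purpose of the preflight, since every public site would then receive the opt-in.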
- MetricsReportingEnabled policy available on Android in Chrome 102
Chrome-on-Android will slightly modify the first run experience to support the MetricsReportingEnabled policy. If the admin has disabled metrics reporting, there will be no change. If the admin has enabled metrics, users will still be able to disable it.
- Chrome 103 will use case-matching on CORS preflight requests
Chrome 101 and below uppercases request methods when matching with Access-Control-Allow-Methods response headers in CORS preflight. Chrome 101 doesn't uppercase request methods, except for those normalized in the spec https://fetch.spec.whatwg.org/#concept-method-normalize, and so requires exact case-sensitive matching.
Previously accepted, but now rejected:
Request: fetch(url, {method: 'Foo'})
Response Header: Access-Control-Allow-Methods: FOO
Previously rejected, but now accepted:
Request: fetch(url, {method: 'Foo'})
Response Header: Access-Control-Allow-Methods: Foo
Note: post and put are not affected because they are in https://fetch.spec.whatwg.org/#concept-method-normalize, while patch is affected.
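The two matching rules described above, modelled side by side as an added example (this is not Chrome's source). `changedOutcomes` is a hypothetical helper that lists the request methods whose preflight result differs between the rules for a given Access-Control-Allow-Methods value; the sketch assumes requests without credentials, so a `*` token matches any method.

```javascript
// Methods that Fetch's "normalize a method" step upper-cases.
const NORMALIZED = ['DELETE', 'GET', 'HEAD', 'OPTIONS', 'POST', 'PUT'];
// CORS-safelisted methods never need to be listed by the server.
const CORS_SAFELISTED = ['GET', 'HEAD', 'POST'];

// Upper-case only the six normalized methods; leave everything else as sent.
function normalizeMethod(method) {
  const upper = method.toUpperCase();
  return NORMALIZED.includes(upper) ? upper : method;
}

// Split an Access-Control-Allow-Methods value into its tokens.
function parseAllowMethods(headerValue) {
  return headerValue
    .split(',')
    .map((token) => token.trim())
    .filter((token) => token !== '');
}

// Case-sensitive membership test shared by both rules.
function listed(effectiveMethod, headerValue) {
  if (CORS_SAFELISTED.includes(effectiveMethod)) return true;
  const tokens = parseAllowMethods(headerValue);
  // Assumption: no credentials on the request, so `*` is a wildcard.
  return tokens.includes('*') || tokens.includes(effectiveMethod);
}

// Old rule as described above: the request method is upper-cased first.
function legacyAllows(method, headerValue) {
  return listed(method.toUpperCase(), headerValue);
}

// New rule: only the normalized methods are upper-cased, then exact match.
function strictAllows(method, headerValue) {
  return listed(normalizeMethod(method), headerValue);
}

// Report the methods whose preflight outcome changes between the two rules.
function changedOutcomes(methods, headerValue) {
  return methods
    .map((method) => ({
      method,
      before: legacyAllows(method, headerValue),
      after: strictAllows(method, headerValue),
    }))
    .filter((row) => row.before !== row.after);
}

// Constructed sample: methods a client application sends, and the header
// value its API returns on preflight.
const SAMPLE_METHODS = ['patch', 'Foo', 'post', 'put', 'PATCH'];
const SAMPLE_ALLOW_METHODS = 'PATCH, FOO, PUT';
```

For the sample data only `patch` and `Foo` change, both from accepted to rejected; the fix is to send `PATCH` from the client or to list the exact casing on the server.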
- Chrome Actions on iOS in Chrome 103
Chrome Actions help users get things done fast, directly from the address bar. We first released Chrome Actions on desktop a couple of years ago, with Actions like Clear browsing data. In Chrome 103, we will bring some of them to Chrome on iOS, like:
- Manage passwords
- Open Incognito tab
- Clear browsing data
- And more!
Chrome on iOS will allow users to take actions directly from the address bar, like clearing browsing data, using a button that will appear among auto-complete suggestions. This feature is already available on desktop platforms.
- Chrome 104 will no longer support OS X 10.11 and macOS 10.12
Chrome 104 will no longer support macOS versions 10.11 and 10.12, which are already outside of their support window with Apple. Users will have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security.
- Network Service on Windows will be sandboxed in Chrome 104
As early as Chrome 104, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service might be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy will allow you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Default to origin-keyed agent clustering in Chrome 106
As early as Chrome 106, websites will be unable to set document.domain. Websites will need to use alternative approaches such as postMessage() or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it will need to send an Origin-Agent-Cluster: ?0 header along with all documents that require that behavior.
Note: document.domain has no effect if only one document sets it.
An enterprise policy will be available to extend the current behavior.
- Chrome 107 will replace master_preferences with initial_preferences
Initial preferences allow you to deploy default preferences when users first open Chrome browser. The initial_preferences file will replace the master_preferences file, which accomplished the same thing before Chrome 91. To minimize disruption, Chrome currently accepts both master_preferences and initial_preferences. In Chrome 107, Chrome will stop accepting the old master_preferences file name, and only accept the file if it is named initial_preferences.
Please ensure that if you're using initial preferences, that the file is named initial_preferences and not master_preferences. You do not need to change the contents of the file in any way.
Upcoming Admin console changes
Chrome browser updates | Security | User productivity/ Apps | Management |
---|---|---|---|
Screen sharing fix for macOS | ✓ | ||
Chrome major version number reaches 100 | ✓ | ||
Updates for Legacy Browser Support <open-in> rules | ✓ | ||
Chrome 100 removes the AllowSyncXHRInPageDismissal policy | ✓ | ||
New WebHID enterprise policies | ✓ | ||
Chrome 100 removes Lite Mode on Android | ✓ | ||
Chrome Actions introduced on Android | ✓ | ||
Chrome on Android supports login using QR codes | ✓ | ||
Updates to the Certificate Transparency policy | ✓ | ||
Multi-Screen Window Placement API stable launch | ✓ | ||
Changes to tab-sharing blue border behavior | ✓ | ||
Chrome on iOS users can choose their default website view | ✓ | ||
Chrome adds Google Account-tied tokens to Enhanced Safe Browsing pings | ✓ | ||
Dismiss password alerts on Desktop | ✓ | ✓ | |
Chrome expands SCT auditing to more users | ✓ | ||
Chrome no longer supports TLS 1.0/1.1 on Android WebView | ✓ | ||
Enterprise policies are available for new users on iOS | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Chrome OS updates | Security | User productivity/ Apps | Management |
Chrome OS Dictation text editing | ✓ | ||
Chrome OS Flex | ✓ | ✓ | ✓ |
Admin console updates | Security | User productivity/ Apps | Management |
Chrome Browser Cloud Management (CBCM) supports Chrome on Android | ✓ | ✓ | |
Remotely connect to any device from the Admin console | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security | User productivity/ Apps | Management |
Chrome 101 will remove setTimeout clamping to 1ms | ✓ | ||
Chrome 101 will add new CSV Export for some Chrome Admin console reports | ✓ | ||
Deprecation Origin Trial for UA Reduction in Chrome 101 | ✓ | ||
Chrome Browser Cloud Management will maintain compatibility with the most recent 12 versions of Chrome | ✓ | ||
Chrome 101 will support Android 13 and above notification permission changes | ✓ | ||
MetricsReportingEnabled policy available in Chrome 101 on Android | ✓ | ||
Privacy Sandbox updates in Chrome 101 | ✓ | ||
WebSQLInThirdPartyContextEnabled will be removed in Chrome 101 | ✓ | ||
Compare search results with new Side Search feature in Chrome 101 | ✓ | ||
Legacy policies with non-inclusive names will be removed in Chrome 101 | ✓ | ||
Chrome apps will no longer work in Chrome 102 on Windows, Mac, and Linux | ✓ | ✓ | |
Chrome 102 to use case-matching on CORS preflight requests | ✓ | ||
Chrome 102 to send Private Network Access preflights for subresources | ✓ | ||
Chrome will use MiraclePtr to improve security | ✓ | ||
Network Service on Windows to be sandboxed in Chrome 102 | ✓ | ||
Default to origin-keyed agent clustering in Chrome 106 | ✓ |
Chrome browser updates
- Screen sharing fix for macOS
If your users are having trouble sharing their screens on macOS, please see this guide for instructions on how to fix it.
- Chrome major version number reaches 100
Chrome is now on a 3-digit version number. When browsers went from version 9 to 10, the increase in the number of digits uncovered many issues in User-Agent string parsing libraries.
An Enterprise policy ForceMajorVersionToMinorPositionInUserAgent is available to control whether the User-Agent string major version should be frozen at 99. If you have an app that is broken in version 100 due to a User-Agent parsing error, you can set the policy to 2 and the User-Agent string freezes the major version at 99 and includes the browser's major version in the minor position.
- Updates for Legacy Browser Support <open-in> rules
When the BrowserSwitcherParsingMode policy is set to IE-compatible, Chrome updates the Legacy Browser Support rules:
- For v2 sitelists, <open-in> behavior is changed in the following ways:
  - <open-in>None</open-in> entries are treated as a greylist, and will open in any browser, rather than as inverted sitelist entries.
  - <open-in>MSEdge</open-in> entries will open in Chrome, as Windows treats this to mean the default, modern browser.
  - Anything unspecified opens in any browser, the same as greylist entries.
- For v1 sitelists, doNotTransition="true" entries are treated as a greylist, and will open in any browser, rather than as inverted sitelist entries.
To mitigate disruption, this change only applies if the BrowserSwitcherParsingMode policy is set to 1.
The documentation for Legacy Browser Support can be found here.
- Chrome 100 removes the AllowSyncXHRInPageDismissal policy
The AllowSyncXHRInPageDismissal policy was introduced in Chrome 78 to give enterprises more time to adapt to the removal of synchronous XHR requests during page dismissal. Though this policy was originally planned to be removed in Chrome 93, the transition period was extended to allow developers more time to adapt. This transition period is now closed and Chrome 100 removes this policy.
- New WebHID enterprise policies
As early as Chrome 100, Chrome adds new policies to manage the WebHID API. DefaultWebHidGuardSetting configures the default API behavior for all URLs and can be configured to allow origins to Ask for new device permissions or Block all permission requests. The WebHidAskForUrls and WebHidBlockedForUrls policies override the default policy for specific URLs.
Three new policies are added for automatically granting device permissions. URLs contained in the WebHidAllowAllDevicesForUrls policy will be automatically granted permissions for any connected device. The WebHidAllowDevicesForUrls and WebHidAllowDevicesWithHidUsagesForUrls policies can be used to grant narrower permissions by matching against vendor and product IDs or application collection usages in the HID report descriptor.
- Chrome 100 removes Lite Mode on Android
Lite Mode was a way to reduce data usage on Android devices. Since its introduction, the cost of data has been reduced in many countries, and Chrome has invested in other ways to save data. As a result, Lite Mode is no longer available, including the DataCompressionProxyEnabled policy used to control it.
- Chrome Actions introduced on Android
Chrome Actions help users get things done fast, directly from the address bar. We first released Chrome Actions on desktop a couple of years ago, with Actions like Clear browsing data. Now, we’re bringing some of them to Chrome on Android, like:
- Manage passwords
- Open Incognito tab
- Clear browsing data
- And more!
Chrome on Android allows users to take actions directly from the address bar, like clearing browsing data, using a button that appears among auto-complete suggestions. This feature is already available on desktop platforms.
- Updates to the Certificate Transparency policy
In Chrome 100, the Certificate Transparency requirements in Chrome change; certificates are no longer required to include signed certificate timestamps (SCTs) from one Google-operated and one non-Google-operated log, and instead are required to include SCTs from at least two logs from different operators. Additionally, the number of SCTs required for certificates with a lifetime between 180 days and 15 months increases from 2 to 3. The existing policies that allow selectively disabling CT enforcement (CertificateTransparencyEnforcementDisabledForCas, CertificateTransparencyEnforcementDisabledForLegacyCas, and CertificateTransparencyEnforcementDisabledForUrls) continue to work.
- Multi-Screen Window Placement API stable launch
Multi-Screen Window Placement API adds new screen information APIs and makes incremental improvements to existing window placement APIs, allowing web applications to offer compelling multi-screen experiences. The existing singular window.screen offers a limited view of available screen space, and window placement functions generally clamp bounds to the current screen. This feature unlocks modern multi-screen workspaces for web applications.
A new set of policies, DefaultWindowPlacementSetting, WindowPlacementAllowedForUrls, and WindowPlacementBlockedForUrls, lets admins force their fleet to employ a default setting and automatically accept or deny the Window Placement permission without prompting the user, per origin.
- Chrome adds Google Account-tied tokens to Enhanced Safe Browsing pings
For users who consented to Enhanced Safe Browsing and are signed in to their Google accounts, Chrome adds Google Account-tied tokens to various incident reporting pings, except when in Incognito mode. This enables better tailored protection after encountering Safe Browsing warnings.
You can control this feature in your environment using the SafeBrowsingProtectionLevel enterprise policy.
- Dismiss password alerts on Desktop
To reduce noise from unnecessary alerts, Chrome Desktop users can now dismiss password alerts for compromised passwords. You can prevent end users from dismissing password alerts with the PasswordDismissCompromisedAlertEnabled policy.
- Chrome expands SCT auditing to more users
As part of Chrome's Certificate Transparency protections, Chrome expands the existing signed certificate timestamp (SCT) auditing to all users that have Safe Browsing enabled. With this change, Chrome makes rare — less than one in 10,000 TLS connections — privacy-preserving queries to Google to ensure that Certificate Transparency logs are operating correctly. If a query detects a misbehaving log, the client will provide evidence of that misbehavior (the certificate chain and all SCTs) to Google. Chrome does not share certificates that are not issued by publicly trusted root certificates. CT ensures that all certificates or SCTs from publicly trusted roots are already public information, and no additional data is collected.
- Chrome no longer supports TLS 1.0/1.1 on Android WebView
In Chrome 98, TLS 1.0/1.1 support was fully removed from Chrome on Windows, Mac, Linux, Android, and iOS. Starting in Chrome 100, TLS 1.0/1.1 is no longer supported on Android WebView. This might affect Android Apps using WebView which rely on connecting to a server that does not support TLS 1.2 or higher. Please update any servers to support modern TLS versions.
- New and updated policies in Chrome browser
Policy
Description
Enable dismissing compromised password alerts for entered credentials.
List of origins allowing all HTTP authentication.
Control use of the WebHID API.
Allow the WebHID API on these sites.
Block the WebHID API on these sites.
Automatically grant permission to sites to connect to any HID device.
Automatically grant permission to these sites to connect to HID devices with the given vendor and product IDs.
Automatically grant permission to these sites to connect to HID devices containing top-level collections with the given HID usage.
Allows origin-keyed agent clustering by default.
Default Window Placement permission setting.
Allow Window Placement permission on these sites.
Block Window Placement permission on these sites.
Disable download file type extension-based warnings for specified file types on domains.
Chrome OS updates
- Chrome OS Dictation text editing
Dictation lets you use your voice to dictate text anywhere you would usually type on your Chromebook. Now, you can also edit text with your voice using commands like delete, undo, or select all. This feature is particularly useful for those who have motor impairments or anyone who prefers to use their voice to type.
We’re initially launching with a small number of commands; we plan to add more in the future. Try it out by turning on dictation under Settings > Accessibility > Keyboard and text input. Whenever you are in a text area, you can select Search + d to activate dictation.
- Chrome OS Flex
We announced early access to a new version of Chrome OS bringing the benefits of Chrome OS to PCs and Macs. Chrome OS Flex is the cloud-first, fast, easy-to-manage, and secure operating system for PCs and Macs. Chrome OS Flex is now on the beta channel and since launch, 100+ more devices have been verified to work with Chrome OS Flex. Try it out and share your feedback to help us shape this product.
Admin console updates
- Chrome Browser Cloud Management (CBCM) supports Chrome on Android
CBCM now supports enrolling Chrome on Android and sends reporting information back to the Admin console. Admins can get reporting information on policies that have been enabled, the OS version, model name, and other important data. More details are in our help center.
- Remotely connect to any device from the Admin console
Admins can now establish a remote Chrome Remote Desktop (CRD) connection using a remote command under Device details for any device with an affiliated user or managed guest session. Previously, this feature was only available for devices in kiosk mode. More details are in our help center.
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
 | User & Browser Settings; Managed Guest Session | Chrome, Chrome OS | Content > iframe navigation |
 | User & Browser Settings | Browser | Network > Network service sandbox |
 | User & Browser Settings; Managed Guest Session | Chrome, Chrome OS, Android | Network > User-Agent Reduction |
 | User & Browser Settings; Managed Guest Session | Chrome, Chrome OS, Android | Network > User-Agent client hints |
 | Device Settings | Chrome OS | Other settings > International keyboard shortcuts mapping |
 | User & Browser Settings; Managed Guest Session | Chrome OS | User experience > Quick Answers > Enable Quick Answers |
 | User & Browser Settings; Managed Guest Session | Chrome OS | User experience > Quick Answers > Enable Quick Answers definition |
 | User & Browser Settings; Managed Guest Session | Chrome OS | User experience > Quick Answers > Enable Quick Answers translation |
 | User & Browser Settings; Managed Guest Session | Chrome OS | User experience > Quick Answers > Enable Quick Answers unit conversion |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Chrome 101 will remove setTimeout clamping to 1ms
Chrome 101 removes a web intervention for some users that clamped setTimeout(function,0) timers to 1ms. In Chrome 101, those users will see timers fire immediately. Note that nested timer calls will clamp to 4ms after repeated nested calls. This change brings Chrome in line with web specifications and may improve performance on some pages.
It's possible that this change will introduce bugs in web applications that rely on the current clamped behavior. If you have any apps affected by this change, you can use the SetTimeoutWithout1MsClampEnabled policy to revert to the Chrome 100 behavior.
- Deprecation Origin Trial for UA Reduction in Chrome 101
As previously announced, Chrome 101 protects user privacy by reducing the granularity of information in the User-Agent string. In this phase, the MINOR.BUILD.PATCH version info is reduced to "0.0.0". If a site needs this information, it should migrate to the User Agent Client Hints API. Sites that need more time to test or migrate can take advantage of a Deprecation Trial, starting in Chrome 100.
You can also control this using the UserAgentReduction Enterprise policy. You can test the new reduced-granularity User-Agent string by setting the policy to 2, or you can delay the change while you update your apps by setting it to 1.
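An added example, not code from Chrome or from any User-Agent library, covering both the three-digit version item and the User-Agent reduction described above: a parser that reads the major version whatever its digit count, recognizes the frozen form where the major stays at 99 and the real major sits in the minor position, and flags a reduced string. The User-Agent strings are constructed samples, and `brittleMajor` stands in for the two-digit assumption that breaks at version 100.

```javascript
// Constructed sample User-Agent strings (platform token is illustrative).
const UA_PREFIX =
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ';
const UA_99 = UA_PREFIX + 'Chrome/99.0.4844.51 Safari/537.36';
const UA_100 = UA_PREFIX + 'Chrome/100.0.4896.60 Safari/537.36';
// Major frozen at 99, browser major in the minor position.
const UA_FROZEN = UA_PREFIX + 'Chrome/99.100.4896.60 Safari/537.36';
// Reduced granularity: MINOR.BUILD.PATCH reported as 0.0.0.
const UA_REDUCED = UA_PREFIX + 'Chrome/101.0.0.0 Safari/537.36';

// Brittle: assumes the major version is exactly two digits, so a
// three-digit version yields no match at all.
function brittleMajor(ua) {
  const match = /Chrome\/(\d\d)\./.exec(ua);
  return match ? Number(match[1]) : null;
}

// Robust: accepts any number of digits in each of the four fields.
// Returns null when the string carries no Chrome version token.
function parseChromeVersion(ua) {
  const match = /Chrome\/(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(ua);
  if (!match) return null;
  const [major, minor, build, patch] = match.slice(1).map(Number);

  // Frozen form: major is 99 and the minor position holds a value of 100
  // or more, which is the browser's real major version.
  const frozen = major === 99 && minor >= 100;
  return {
    major: frozen ? minor : major,
    frozen,
    // Reduced form: no build or patch detail is available from the string.
    reduced: !frozen && minor === 0 && build === 0 && patch === 0,
  };
}

// Version gate that compares numbers, never strings: as strings,
// '100' sorts before '99'.
function meetsMinimumMajor(ua, minimum) {
  const version = parseChromeVersion(ua);
  return version !== null && version.major >= minimum;
}
```

A server that gates security features on browser version should fail closed when `parseChromeVersion` returns null, and should not depend on build or patch numbers once `reduced` is true.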
- Chrome Browser Cloud Management will maintain compatibility with the most recent 12 versions of Chrome
Starting with Chrome 101, Chrome Browser Cloud Management will maintain compatibility with the most recent 12 versions of Chrome. Older versions may lose some CBCM features without notice, or behave unexpectedly. For your security, you should keep Chrome auto-update enabled, which will keep your fleet on the most recent version of Chrome. If you manage Chrome updates manually, staying close to the most recent version will both keep your users safer, and ensure you stay within the CBCM compatibility window.
- Chrome 101 will support Android 13 and above notification permission changes
Android 13 is changing the way push notification permissions behave by default. All Android apps will require users to explicitly allow OS notification permissions (as opposed to Android 12 and earlier where it was granted by default). Chrome running on this version of Android will prompt the user for permission at app launch up to two times.
- MetricsReportingEnabled policy available in Chrome 101 on Android
Chrome-on-Android will be slightly modifying the First Run Experience to support the MetricsReportingEnabled policy. If the admin has disabled metrics reporting, there will be no change. If the admin has enabled metrics, users will still be able to disable it.
- Privacy Sandbox updates in Chrome 101
The Privacy Sandbox release in Chrome 101 provides controls for the new Topics & Interest Group APIs. It also introduces a one-time dialog that explains Privacy Sandbox to users and allows them to manage their preferences. This dialog is not shown for Guest users or managed EDU users.
Admins can prevent the dialog from appearing for their managed users by controlling third party cookies explicitly via policy:
- To allow third party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to disabled
- To disallow third party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to enabled. This may cause some sites to stop working.
Privacy Sandbox features will also be disabled (and no dialog shown) if DefaultCookiesSetting is set to Do not allow any site to set local data.
- WebSQLInThirdPartyContextEnabled will be removed in Chrome 101
WebSQLInThirdPartyContextEnabled was introduced to give admins additional time to react to the removal of WebSQL in a third-party context. As planned, it is removed in Chrome 101.
- Compare search results with new Side Search feature in Chrome 101
Side Search allows users to compare search results via a side panel UI to get the right answer faster. This means users can view a page and the search results at the same time, without needing to navigate back and forth or losing their search results. This is helpful for users who are actively searching for something and need more than one site, for example, planning an employee dinner, putting together presentations, and so on. This feature can be controlled using the SideSearchEnabled policy.
- Legacy policies with non-inclusive names will be removed in Chrome 101
Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (for example, whitelist, blacklist). In order to minimize disruption for existing managed users, both the old and the new policies currently work.
This transition period was originally planned for Chrome 95, but was extended to Chrome 101 to give admins more time to transition their policies. In Chrome 101, the policies in the left column of the following table will no longer function. Please ensure you're using the corresponding policy from the right column instead:
Legacy Policy Name | New Policy Name |
---|---|
NativeMessagingBlacklist | NativeMessagingBlocklist |
NativeMessagingWhitelist | NativeMessagingAllowlist |
AuthNegotiateDelegateWhitelist | AuthNegotiateDelegateAllowlist |
AuthServerWhitelist | AuthServerAllowlist |
SpellcheckLanguageBlacklist | SpellcheckLanguageBlocklist |
AutoplayWhitelist | AutoplayAllowlist |
SafeBrowsingWhitelistDomains | SafeBrowsingAllowlistDomains |
ExternalPrintServersWhitelist | ExternalPrintServersAllowlist |
NoteTakingAppsLockScreenWhitelist | NoteTakingAppsLockScreenAllowlist |
PerAppTimeLimitsWhitelist | PerAppTimeLimitsAllowlist |
URLWhitelist | URLAllowlist |
URLBlacklist | URLBlocklist |
ExtensionInstallWhitelist | ExtensionInstallAllowlist |
ExtensionInstallBlacklist | ExtensionInstallBlocklist |
UserNativePrintersAllowed | UserPrintersAllowed |
DeviceNativePrintersBlacklist | DevicePrintersBlocklist |
DeviceNativePrintersWhitelist | DevicePrintersAllowlist |
DeviceNativePrintersAccessMode | DevicePrintersAccessMode |
DeviceNativePrinters | DevicePrinters |
NativePrinters | Printers |
NativePrintersBulkConfiguration | PrintersBulkConfiguration |
NativePrintersBulkAccessMode | PrintersBulkAccessMode |
NativePrintersBulkBlacklist | PrintersBulkBlocklist |
NativePrintersBulkWhitelist | PrintersBulkAllowlist |
UsbDetachableWhitelist | UsbDetachableAllowlist |
QuickUnlockModeWhitelist | QuickUnlockModeAllowlist |
AttestationExtensionWhitelist | AttestationExtensionAllowlist |
PrintingAPIExtensionsWhitelist | PrintingAPIExtensionsAllowlist |
AllowNativeNotifications | AllowSystemNotifications |
DeviceUserWhitelist | DeviceUserAllowlist |
NativeWindowOcclusionEnabled | WindowOcclusionEnabled |
If both the legacy policy and the new policy are set for any row in the table above, the new policy will override the legacy policy.
If you're managing Chrome via the Google Admin console (for example, Chrome Browser Cloud Management), no action is required; the Google Admin console will manage the transition automatically.
- Chrome apps will no longer work in Chrome 102 on Windows, Mac, and Linux
As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps on Windows, Mac, and Linux will now stop functioning in Chrome 102. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps for an additional 2 releases.
- Chrome 102 to use case-matching on CORS preflight requests
Chrome 101 and previous releases uppercase request methods when matching with Access-Control-Allow-Methods response headers in CORS preflight. Chrome 102 no longer uppercases request methods, except for those normalized in the spec. So, Chrome 102 and later will require exact case-sensitive matching.
Previously accepted, but now rejected:
Request: fetch(url, {method: 'Foo'})
Response Header: Access-Control-Allow-Methods: FOO
Previously rejected, but now accepted:
Request: fetch(url, {method: 'Foo'})
Response Header: Access-Control-Allow-Methods: Foo
Note: post and put methods are not affected because they are in the spec, while patch is affected.
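To find server configurations that this change will break, the matching rule can be modeled and run against the methods your clients send. The following is an added example, not code from Chrome or from these release notes; the function names are hypothetical, and the safelisted-method and `*` wildcard handling is taken from the Fetch standard rather than from this page.

```javascript
// Added example: models the Access-Control-Allow-Methods check in a CORS preflight.
// Function names are hypothetical; safelist and wildcard rules follow the Fetch standard.

// Methods the Fetch standard normalizes: any casing is uppercased before the request is sent.
const NORMALIZED = new Set(['DELETE', 'GET', 'HEAD', 'OPTIONS', 'POST', 'PUT']);
// CORS-safelisted methods pass the method check even when the header omits them.
const SAFELISTED = new Set(['GET', 'HEAD', 'POST']);

function normalizeMethod(method) {
  const upper = method.toUpperCase();
  return NORMALIZED.has(upper) ? upper : method;
}

function parseAllowMethods(headerValue) {
  return String(headerValue || '')
    .split(',')
    .map((token) => token.trim())
    .filter((token) => token.length > 0);
}

// legacyUppercase: true models Chrome 101 and earlier, false models Chrome 102 and later.
function preflightAllowsMethod(method, allowMethodsHeader, options = {}) {
  const { legacyUppercase = false, credentialed = false } = options;
  const sent = normalizeMethod(method);
  if (SAFELISTED.has(sent)) return true;
  const allowed = parseAllowMethods(allowMethodsHeader);
  // The `*` wildcard only counts for requests made without credentials.
  if (!credentialed && allowed.includes('*')) return true;
  const compared = legacyUppercase ? sent.toUpperCase() : sent;
  return allowed.includes(compared);
}

// Report every client method whose outcome differs between the two behaviours.
function auditAllowMethods(clientMethods, allowMethodsHeader) {
  const changes = [];
  for (const method of clientMethods) {
    const before = preflightAllowsMethod(method, allowMethodsHeader, { legacyUppercase: true });
    const after = preflightAllowsMethod(method, allowMethodsHeader);
    if (before !== after) changes.push({ method, before, after });
  }
  return changes;
}

// Constructed inputs: a response header value and the method strings client code passes to fetch().
const sampleHeader = 'FOO, PATCH, PUT';
const sampleMethods = ['Foo', 'patch', 'put', 'post', 'PATCH'];
console.log(auditAllowMethods(sampleMethods, sampleHeader));
```

Any method the audit reports with `after: false` needs either the client call or the server header changed so that the two agree in case.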
- Chrome to send Private Network Access preflights for subresources
As early as Chrome 102, Chrome plans to send a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new Access-Control-Request-Private-Network: true header. In this initial phase, this request is sent, but no response is required from network devices.
In a future release of Chrome, the response must carry a matching Access-Control-Allow-Private-Network: true header.
A private network request is any request from a public website to a private IP address or localhost, or from a private website, for example, an intranet, to localhost. Sending a preflight request mitigates the risk of cross-site request forgery attacks against private network devices such as routers, which are often not prepared to defend against this threat.
- Network Service on Windows will be sandboxed in Chrome 102
As early as Chrome 102, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Default to origin-keyed agent clustering in Chrome 106
As early as Chrome 106, websites will be unable to set document.domain. Websites will need to use alternative approaches such as postMessage() or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it will need to send an Origin-Agent-Cluster: ?0 header along with all documents that require that behavior.
Note: document.domain has no effect if only one document sets it.
An enterprise policy will be available to extend the current behavior.
Chrome browser updates | Security | User productivity/ Apps | Management |
---|---|---|---|
Uninstall WebApps from Windows OS settings | ✓ | ||
Certificate Transparency expanded on Android | ✓ | ||
Rollback on private network access pre-flights | ✓ | ||
Chrome 99 adds the NTPMiddleSlotAnnouncementVisible policy | ✓ | ||
Chrome 99 removes the CrossOriginWebAssemblyModuleSharingEnabled policy | ✓ | ||
Chrome 99 updates the code signing certificate for Chrome on macOS | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Chrome OS updates | Security | User productivity/ Apps | Management |
Nearby Share background scanning | ✓ | ||
Keep full-screen mode after unlock | ✓ | ✓ | |
Introducing the Files SWA | ✓ | ||
Optimized user experience on touch screens | ✓ | ||
Drag windows to New Desk in Overview | ✓ | ||
GIF animation mode on Camera | ✓ | ||
Admin console updates | Security | User productivity/ Apps | Management |
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security | User productivity/ Apps | Management |
Chrome 100 will remove the AllowSyncXHRInPageDismissal policy | ✓ | ||
Chrome 100 will update Legacy Browser Support <open-in> rules | ✓ | ||
Chrome Major Version number will reach 100 | ✓ | ✓ | |
Chrome 100 will remove Lite Mode on Android | ✓ | ||
Updated Certificate Transparency Policy | ✓ | ✓ | |
Network Service on Windows will be sandboxed | ✓ | ||
New WebHID enterprise policies | ✓ | ||
Support for Encrypted Client Hello (ECH) | ✓ | ||
New CSV export for some Admin console reports | ✓ | ||
Deprecation Origin Trial for UA reduction | ✓ | ||
chrome://management for Chrome-on-Android | ✓ | ||
Multi-Screen Window Placement API stable launch | ✓ | ✓ | |
Chrome Browser Cloud Management will extend Chrome compatibility | ✓ | ||
Legacy policies with non-inclusive names will be removed in Chrome 101 | ✓ | ||
Default to origin-keyed agent clustering | ✓ |
Chrome browser updates
- Rollback on private network access pre-flights
Chrome 98 introduced Private Network Access pre-flights to improve user security. Due to bug reports, Chrome 99 rolls back this feature to better address interactions with developer and enterprise environments. We will announce plans to re-introduce this feature in future release notes.
- Chrome 99 adds the NTPMiddleSlotAnnouncementVisible policy
Enterprise administrators are able to control the visibility of the middle slot announcement on the Desktop New tab page using the NTPMiddleSlotAnnouncementVisible enterprise policy.
- Chrome 99 updates the code signing certificate for Chrome on macOS
The code signing certificate for Chrome on macOS is changing. If you are managing Chrome with Parental Controls Application Restrictions, you need to update the designated requirement in the configuration profile, under the appID key. An example profile with the updated designated requirements can be found here: https://crbug.com/1295049#c3.
Similarly, managing Chrome's Privacy Preferences Policy Control with the CodeRequirement key might also require an update. If you have been using the designated requirement from a previous version of Chrome, you need to update the CodeRequirement key. You can view the updated requirement with the following command:
> codesign -d -r- /Path/to/Chrome99.app
- Chrome 99 removes the CrossOriginWebAssemblyModuleSharingEnabled policy
Chrome 95 prevented WebAssembly module sharing between cross-origin but same-site environments, but included a temporary policy, CrossOriginWebAssemblyModuleSharingEnabled, to bypass the feature. Chrome 99 removes this temporary policy.
- New and updated policies in Chrome browser
Policy | Description |
---|---|
NTPMiddleSlotAnnouncementVisible | Show the middle slot announcement on the New Tab Page |
ForceMajorVersionToMinorPositionInUserAgent | Test the 3-digit Major Version number in UA strings |
NewTabPageLocation (new on iOS) | Configure the New Tab page URL |
Chrome OS updates
- Nearby Share background scanning
Nearby Share is Google’s solution to enable seamless sharing from device to device. To provide a better user experience, Chrome OS adds support for background scanning, which allows a Chrome OS device to detect and proactively notify a user when someone nearby is sharing. This makes it easier to share without having to temporarily enter high visibility mode. This functionality has been present on Android since the launch of Nearby Share in 2019, and now behaves the same way on Chrome OS, to ensure consistency and predictability.
- Keep full-screen mode after unlock
Chrome 99 improves support for full screen VDI use cases. Until now, full screen virtualized desktops returned to a maximized window after unlocking a device. The new KeepFullscreenWithoutNotificationUrlAllowList policy allows admins to exempt certain URLs and apps from exiting full screen after unlock. This unblocks the use of virtualized desktops in user sessions and in Imprivata-based managed guest sessions.
- GIF animation mode on Camera
With GIF mode, you can now record up to five-second videos of product demos, and it will automatically turn into a shareable GIF.
Admin console updates
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
| User & Browser Settings | Chrome OS | Omnibox search provider > Side panel search history |
| User & Browser Settings | Chrome | Network > Network service sandbox |
| Additional Apps Settings | Chrome OS | Additional application settings > Full restore |
| Additional Apps Settings | Chrome OS | Additional application settings > Android ghost windows |
| User & Browser Settings | Chrome, Chrome OS | Content > Custom Protocol Handlers |
| User & Browser Settings; Managed Guest Session | Chrome, Chrome OS, Android | Security > WebSQL in third-party context |
| User & Browser Settings | Chrome | Legacy Browser Support > Sitelist parsing mode |
| Device settings | Chrome OS | Power and shutdown > Scheduled reboot |
| User & Browser Settings; Managed Guest Session | Chrome OS | User Experience > Quick Answers > Enable Quick Answers |
| User & Browser Settings; Managed Guest Session | Chrome OS | User Experience > Quick Answers > Enable Quick Answers definition |
| User & Browser Settings; Managed Guest Session | Chrome OS | User Experience > Quick Answers > Enable Quick Answers translation |
| User & Browser Settings; Managed Guest Session | Chrome OS | User Experience > Quick Answers > Enable Quick Answers unit conversion |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Chrome 100 will remove the AllowSyncXHRInPageDismissal policy
The AllowSyncXHRInPageDismissal policy was introduced in Chrome 78 to give enterprises more time to adapt to the removal of synchronous XHR requests during page dismissal. Though this policy was originally planned to be removed in Chrome 93, the transition period was extended to allow developers more time to adapt. This transition period is now closed and the policy will be removed in Chrome 100.
- Chrome 100 will update Legacy Browser Support <open-in> rules
In Chrome 100, when the BrowserSwitcherParsingMode policy is set to IE-compatible, Legacy Browser Support rules are updated:
- For v2 sitelists, <open-in> behavior is changed in the following ways:
  - <open-in>None</open-in> entries are treated as a greylist, and will open in any browser, rather than as inverted sitelist entries.
  - <open-in>MSEdge</open-in> entries will open in Chrome, as Windows treats this to mean the default, modern browser.
  - Anything unspecified opens in any browser, the same as greylist entries.
- For v1 sitelists:
  - doNotTransition="true" entries are treated as a greylist, and will open in any browser, rather than as inverted sitelist entries.
To mitigate disruption, this change only applies if the BrowserSwitcherParsingMode policy is set to 1.
For more details on Legacy Browser Support, see here.
- Chrome Major Version number will reach 100
Chrome will reach a 3-digit major version number in March, 2022. When browsers went from version 9 to 10, the increase in the number of digits uncovered many issues in User-Agent string parsing libraries. In order to avoid the same issue again, developers and IT admins should test their services in advance.
To help, the Chrome team created the ForceMajorVersion100InUserAgent flag (chrome://flags/#force-major-version-to-100). This forces the browser to send 100 as the major version number; see blog for details. You should use this flag to uncover and address any issues before Chrome 100 rolls out. We encourage admins to submit any issues encountered here.
An enterprise policy ForceMajorVersionToMinorPositionInUserAgent is also available to control whether the User-Agent string major version should be frozen at 99. If you have an app that is broken in version 100 (due to a User-Agent parsing error), you can set the policy to 2 and the User-Agent string will freeze the major version as 99 and include the browser's major version in the minor position.
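The parsing failure described above, and a parser that survives both the 3-digit version and the frozen-at-99 format, as an added example that is not Chrome's code or part of the original notes. The User-Agent strings are constructed samples, the function names are hypothetical, and treating "99 with a minor of 100 or more" as the frozen format is an assumption based on the policy description above.

```javascript
// Added example. Constructed sample User-Agent strings (not captured traffic).
const UA_PREFIX = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ';
const UA_99 = UA_PREFIX + 'Chrome/99.0.4844.51 Safari/537.36';
const UA_100 = UA_PREFIX + 'Chrome/100.0.4896.60 Safari/537.36';
// Shape produced when ForceMajorVersionToMinorPositionInUserAgent is set to 2:
// major frozen at 99, real major version carried in the minor position.
const UA_FROZEN = UA_PREFIX + 'Chrome/99.100.4896.60 Safari/537.36';

// Brittle pattern of the kind the note warns about: assumes a two-digit major version.
function brittleMajor(ua) {
  const match = /Chrome\/(\d{2})/.exec(ua);
  return match ? Number(match[1]) : null;
}

// Robust parse: any number of digits per component, compared as numbers, never as strings.
function parseChromeVersion(ua) {
  const match = /Chrome\/(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(ua);
  if (!match) return null;
  const [reportedMajor, minor, build, patch] = match.slice(1).map(Number);
  // Assumption: a genuine Chrome 99 reports minor 0, so 99 with minor >= 100 is the frozen format.
  const frozen = reportedMajor === 99 && minor >= 100;
  return {
    major: frozen ? minor : reportedMajor,
    reportedMajor,
    frozen,
    build,
    patch,
  };
}

// Version gate of the kind a minimum-browser check would use.
function meetsMinimumMajor(ua, minimumMajor) {
  const version = parseChromeVersion(ua);
  return version !== null && version.major >= minimumMajor;
}

console.log(brittleMajor(UA_100));             // misreads Chrome 100 as version 10
console.log(parseChromeVersion(UA_100).major);
console.log(parseChromeVersion(UA_FROZEN));
```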
- Chrome 100 will remove Lite Mode on Android
Lite Mode was a way to reduce data usage on Android devices. Since its introduction, the cost of data has been reduced in many countries, and Chrome has invested in other ways to save data. As a result, Lite Mode will no longer be available, including the DataCompressionProxyEnabled policy used to control it.
- Updates to Certificate Transparency policy
In Chrome 100, the Certificate Transparency requirements in Chrome will change: certificates will no longer be required to include signed certificate timestamps (SCTs) from one Google-operated and one non-Google-operated log, and instead will be required to include SCTs from at least two logs from different operators. Additionally, the number of SCTs required for certificates with a lifetime between 180 days and 15 months will increase from 2 to 3. The existing policies that allow selectively disabling CT enforcement (CertificateTransparencyEnforcementDisabledForCas, CertificateTransparencyEnforcementDisabledForLegacyCas, and CertificateTransparencyEnforcementDisabledForUrls) will continue to work.
- Network Service on Windows will be sandboxed
As early as Chrome 100, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- New WebHID enterprise policies
As early as Chrome 100, Chrome will add policies to manage the WebHID API. DefaultWebHidGuardSetting configures the default API behavior for all URLs and can be configured to allow origins to Ask for new device permissions or Block all permission requests. The WebHidAskForUrls and WebHidBlockedForUrls policies override the default policy for specific URLs.
Three new policies are added for automatically granting device permissions. URLs contained in the WebHidAllowAllDevicesForUrls policy will be automatically granted permissions for any connected device. The WebHidAllowDevicesForUrls and WebHidAllowDevicesWithHidUsagesForUrls policies can be used to grant narrower permissions by matching against vendor and product IDs or application collection usages in the HID report descriptor.
- Support for Encrypted Client Hello (ECH)
As early as Chrome 100, Chrome will start supporting ECH as a continuation of our network related efforts to improve our users’ privacy and safety on the web, for example, Secure DNS. Many organizations’ infrastructure relies on the ability to inspect Server Name Indication (SNI), for example, with filtering, logging, and so on. You might want to explore a DNS-based approach and the associated group policies from the OS, or Chrome browser for DNS-over-HTTPS.
- Deprecation Origin Trial for UA reduction
As previously announced, Chrome 101 protects user privacy by reducing the granularity of information in the User-Agent (UA) string. In this phase, the MINOR.BUILD.PATCH version info is reduced to "0.0.0". If a site needs this information, it should migrate to the User Agent Client Hints API. Sites that need more time to test or migrate can take advantage of a Deprecation Trial, starting in Chrome 100.
You can also control this using the UserAgentReduction enterprise policy. You can test the new reduced-granularity UA string by setting the policy to 2. Alternatively, you can delay the change while you update your apps by setting it to 1.
- Multi-Screen Window Placement API stable launch
Multi-Screen Window Placement API will add new screen information APIs and will make incremental improvements to existing window placement APIs. This will allow web applications to offer compelling multi-screen experiences. The existing singular window.screen offers a limited view of available screen space, and window placement functions generally restrict the current screen. This feature will unlock modern multi-screen workspaces for web applications.
A new set of policies, DefaultWindowPlacementSetting, WindowPlacementAllowedForUrls, and WindowPlacementBlockedForUrls, will let admins force their fleet to employ a default setting and automatically accept or deny the Window Placement permission without prompting the user, on a per-origin basis.
- Chrome Browser Cloud Management will extend Chrome compatibility
As early as Chrome 101, Chrome Browser Cloud Management will maintain compatibility with the most recent 12 versions of Chrome. Older versions may lose some CBCM features without notice, or behave unexpectedly. For your security, you should keep Chrome auto-update enabled, which will keep your fleet on the most recent version of Chrome. If you manage Chrome updates manually, staying close to the most recent version will both keep your users safer, and ensure you stay within the CBCM compatibility window.
- Legacy policies with non-inclusive names will be removed in Chrome 101
Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (for example, whitelist, blacklist). In order to minimize disruption for existing managed users, both the old and the new policies currently work.
This transition period was originally planned for Chrome 95, but was extended to Chrome 101 to give admins more time to transition their policies. In Chrome 101, the policies in the left column of the following table will no longer function. Please ensure you're using the corresponding policy from the right column instead:
Legacy Policy Name | New Policy Name |
---|---|
NativeMessagingBlacklist | NativeMessagingBlocklist |
NativeMessagingWhitelist | NativeMessagingAllowlist |
AuthNegotiateDelegateWhitelist | AuthNegotiateDelegateAllowlist |
AuthServerWhitelist | AuthServerAllowlist |
SpellcheckLanguageBlacklist | SpellcheckLanguageBlocklist |
AutoplayWhitelist | AutoplayAllowlist |
SafeBrowsingWhitelistDomains | SafeBrowsingAllowlistDomains |
ExternalPrintServersWhitelist | ExternalPrintServersAllowlist |
NoteTakingAppsLockScreenWhitelist | NoteTakingAppsLockScreenAllowlist |
PerAppTimeLimitsWhitelist | PerAppTimeLimitsAllowlist |
URLWhitelist | URLAllowlist |
URLBlacklist | URLBlocklist |
ExtensionInstallWhitelist | ExtensionInstallAllowlist |
ExtensionInstallBlacklist | ExtensionInstallBlocklist |
UserNativePrintersAllowed | UserPrintersAllowed |
DeviceNativePrintersBlacklist | DevicePrintersBlocklist |
DeviceNativePrintersWhitelist | DevicePrintersAllowlist |
DeviceNativePrintersAccessMode | DevicePrintersAccessMode |
DeviceNativePrinters | DevicePrinters |
NativePrinters | Printers |
NativePrintersBulkConfiguration | PrintersBulkConfiguration |
NativePrintersBulkAccessMode | PrintersBulkAccessMode |
NativePrintersBulkBlacklist | PrintersBulkBlocklist |
NativePrintersBulkWhitelist | PrintersBulkAllowlist |
UsbDetachableWhitelist | UsbDetachableAllowlist |
QuickUnlockModeWhitelist | QuickUnlockModeAllowlist |
AttestationExtensionWhitelist | AttestationExtensionAllowlist |
PrintingAPIExtensionsWhitelist | PrintingAPIExtensionsAllowlist |
AllowNativeNotifications | AllowSystemNotifications |
DeviceUserWhitelist | DeviceUserAllowlist |
NativeWindowOcclusionEnabled | WindowOcclusionEnabled |
If both the legacy policy and the new policy are set for any row in the table above, the new policy will override the legacy policy.
If you're managing Chrome via the Google Admin Console (for example, Chrome Browser Cloud Management), no action is required; the Google Admin Console will manage the transition automatically.
- Default to origin-keyed agent clustering
As early as Chrome 103, websites will be unable to set document.domain. Websites will need to use alternative approaches such as postMessage() or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it will need to send an Origin-Agent-Cluster: ?0 header along with all documents that require that behavior.
Note: document.domain has no effect if only one document sets it.
An enterprise policy will be available when this change ships to extend the current behavior.
Chrome browser updates | Security | User productivity/ Apps | Management |
---|---|---|---|
Use Chrome passwords in other apps on iOS | ✓ | ||
Update GREASE brand list generation | ✓ | ✓ | |
Chrome disables the U2F API by default | ✓ | ✓ | |
Chrome no longer allows TLS 1.0 or TLS 1.1 | ✓ | ||
Private network access preflights for subresources | ✓ | ||
Integrate Enhanced Safe Browsing preference with account settings | ✓ | ✓ | |
TFLite model for client-side phishing detection | ✓ | ||
Chrome deprecates the installed_browser_version field in the Directory API | ✓ | ||
New extensions must be submitted with Manifest v3 | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Chrome OS updates | Security | User productivity/ Apps | Management |
Expanded keyboard shortcuts for Desks | ✓ | ||
Add Save to settings to screen capture | ✓ | ||
Support for Network Based Recovery (NBR) | ✓ | ||
Admin console updates | Security | User productivity/ Apps | Management |
Search devices by version or mode | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security | User productivity/ Apps | Management |
Chrome Major Version number will reach 100 | ✓ | ✓ | |
Network Service on Windows will be sandboxed | ✓ | ||
WebHID enterprise policies | ✓ | ||
Default to origin-keyed agent clustering | ✓ | ||
Change tab-sharing blue border behavior | ✓ |
Chrome browser updates
- Use Chrome passwords in other apps on iOS
Chrome 98 informs iOS users that they can use any passwords saved in Chrome in other apps on their device.
The Chrome > Settings > Passwords screen shows a new option for Passwords in Other Apps, which guides users to turn on this feature in iOS autofill settings.
You can control if users can save passwords using Chrome with the PasswordManagerEnabled policy.
- Update GREASE brand list generation
User-Agent Client Hints GREASE aims to prevent bad or exclusionary assumptions from being built on top of the proposed replacement for User-Agent strings. This means that users of less well-tested browsers will not be rejected for not matching the precise format of a better-tested browser's UA string.
This change aligns our implementation of GREASE in User-Agent Client Hints with the current spec, which includes additional GREASE characters beyond the current semicolon and space, and which recommends varying the arbitrary version. While we are rolling out this change gradually and continue to watch for negative impacts, such as WAF software flagging headers as invalid traffic, admins can opt out using the UserAgentClientHintsGREASEUpdateEnabled enterprise policy.
- Chrome disables the U2F API by default
The U2F API is Chrome's legacy API for interacting with USB security keys. It has been superseded by the W3C Web Authentication API (WebAuthn). Chrome 98 disables the U2F API by default. With Chrome 104, the U2F API will be removed from Chrome.
Sites can continue to use the U2F API beyond Chrome 98 if they enroll in an Origin Trial. Using the Origin Trial also suppresses the deprecation prompt on the enrolled pages. The Origin Trial will end on July 26, 2022, shortly before the release of Chrome 104.
Enterprises can suppress deprecation-related changes, and keep the U2F API enabled, by using the U2fSecurityKeyApiEnabled enterprise policy. This enterprise policy will be removed from Chrome, together with the U2F API, in Chrome 104.
If you run a website that still uses this API, please refer to the deprecation announcement and blog post for more details.
- Chrome no longer allows TLS 1.0 or TLS 1.1
The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.
In Chrome 91, we announced that the policy no longer works, but users could still bypass the interstitial. In Chrome 98, it is not possible to bypass the interstitial.
- Private network access preflights for subresources
Chrome sends a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new Access-Control-Request-Private-Network: true header, and the response must carry a matching Access-Control-Allow-Private-Network: true header.
A private network request is any request from a public website to a private IP address or localhost, or from a private website, for example, an intranet, to localhost. Sending a preflight request mitigates the risk of cross-site request forgery attacks against private network devices such as routers, which are often not prepared to defend against this threat.
Chrome 98 sends these preflight requests but does not yet require them to succeed. Failed preflights only display warnings in DevTools, which you can use to detect problematic fetches in your web apps. In Chrome 101 at the earliest, failed preflights will cause the entire request to fail depending on compatibility data. See the blog post for more information.
You can control this behavior using enterprise policies InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls.
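The preflight exchange described above, seen from the private-network device that has to answer it, as an added example (not Chrome's code and not part of the original notes). Function and config names are hypothetical, header names are lower-cased the way Node's http module delivers them, and the address classification is simplified to IPv4 literals and ::1.

```javascript
// Added example. Address spaces ordered from least to most private, matching the
// definition above: public -> private or localhost, and private -> localhost, are
// private network requests.
const SPACE_RANK = { public: 0, private: 1, local: 2 };

// Simplified classifier: RFC 1918 ranges are "private", loopback is "local".
function addressSpace(ip) {
  if (ip === '::1') return 'local';
  const parts = ip.split('.');
  const valid = parts.length === 4 &&
    parts.every((part) => /^\d{1,3}$/.test(part) && Number(part) <= 255);
  if (!valid) throw new Error('unsupported address literal: ' + ip);
  const [a, b] = parts.map(Number);
  if (a === 127) return 'local';
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) {
    return 'private';
  }
  return 'public';
}

// True when the target sits in a more private address space than the initiating page.
function isPrivateNetworkRequest(initiatorIp, targetIp) {
  return SPACE_RANK[addressSpace(targetIp)] > SPACE_RANK[addressSpace(initiatorIp)];
}

// Build the device's answer to an OPTIONS preflight.
// config.origins: exact origins allowed to reach the device (hypothetical setting).
// config.methods: methods the device accepts cross-origin (hypothetical setting).
function answerPreflight(requestHeaders, config) {
  const origin = requestHeaders['origin'];
  if (typeof origin !== 'string' || !config.origins.includes(origin)) {
    // Unknown origin: no CORS headers at all, so the browser blocks the real request.
    return { status: 403, headers: {} };
  }
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': config.methods.join(', '),
    'Vary': 'Origin',
  };
  // Grant private network access only when the browser asked for it explicitly.
  if (requestHeaders['access-control-request-private-network'] === 'true') {
    headers['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers };
}

// Constructed sample: a public page (documentation-range address) fetching from a router.
const sampleConfig = { origins: ['https://admin.example'], methods: ['GET', 'POST'] };
const samplePreflight = {
  'origin': 'https://admin.example',
  'access-control-request-method': 'POST',
  'access-control-request-private-network': 'true',
};
console.log(isPrivateNetworkRequest('203.0.113.10', '192.168.1.1'));
console.log(answerPreflight(samplePreflight, sampleConfig));
```

Echoing an allowlisted origin rather than answering every preflight with `true` is what keeps the CSRF protection the preflight is meant to provide.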
- Integrate Enhanced Safe Browsing preference with account settings
Chrome now prompts users who opt in to Account Enhanced Safe Browsing to enable Enhanced Safe Browsing in Chrome. Their Safe Browsing setting is still controlled by the SafeBrowsingProtectionLevel policy.
- TFLite model for client-side phishing detection
Chrome uses an on-device Machine Learning (ML) model to better detect phishing attempts, and better protect users. As in earlier versions, Chrome displays a full-page interstitial warning if Chrome detects a possible phishing attempt. This was previously launched for Android in Chrome 92, and is now on desktop platforms as well.
With this change, Chrome sends the following to the Safe Browsing service:
- the version of the model that was executed
- the scores the model gave for each category
- a boolean describing whether the new model was used to generate the scores
You can control Safe Browsing using the SafeBrowsingProtectionLevel policy. This feature applies to users with the protection level set at 1 or greater.
- Chrome deprecates the installed_browser_version field in the Directory API
The installedBrowserVersion property in Chromebrowser resources in Directory API: Chrome Browsers has been deprecated and replaced by the pendingBrowserVersion property. The pendingBrowserVersion represents the version of Chrome browser that is installed on browser restart.
- New extensions must be submitted with Manifest v3
As part of the gradual deprecation of Manifest V2, the Chrome Web Store has stopped accepting submissions of new Manifest V2 extensions as of January 17, 2022. This applies to all new extension submissions with visibility set to Public or Unlisted.
This change does not affect updates to already published extensions. Also, it does not impact extensions with visibility set to Private. The change is not expected to affect the operation of any existing extensions already deployed in Chrome. Note that the next phase of deprecation, in June of 2022, is expected to expand this restriction to extensions with Private visibility, which may have a more significant impact on Enterprise extension workflows. For more details, refer to the Manifest V2 support timeline.
- New and updated policies in Chrome browser
Policy | Description |
---|---|
URLBlocklist (new on iOS) | Block access to a list of URLs |
URLAllowlist (new on iOS) | Allow access to a list of URLs |
UserAgentClientHintsGREASEUpdateEnabled | Control the User-Agent Client Hints GREASE Update feature |
UserAgentReduction | Enable or disable the User-Agent Reduction |
Chrome OS updates
- Support for Network Based Recovery (NBR)
In Chrome 98, some users can re-flash their devices with a fresh copy of the OS and firmware, letting them recover if the message: Chrome OS is missing or damaged appears. NBR requires a network connection. This feature will roll out to more devices in later releases.
Admin console updates
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
ScreenBrightnessPercent | User & Browser Settings; Managed Guest Session | Chrome OS | Security > Screen brightness |
PrintPostScriptMode | User & Browser Settings | Chrome | Printing > PostScript printer mode |
SandboxExternalProtocolBlocked | User & Browser Settings; Managed Guest Session | Chrome, Chrome OS | Content > iframe navigation |
U2fSecurityKeyApiEnabled | User & Browser Settings | Chrome | Security > U2F Security Key API |
DeviceRebootOnUserSignout | Device Settings | Chrome OS | Power and shutdown > Reboot on sign-out |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Chrome Major Version number will reach 100
Chrome will reach a 3-digit major version number in March, 2022. When browsers went from version 9 to 10, the increase in the number of digits uncovered many issues in User-Agent string parsing libraries. In order to avoid the same issue again, developers and IT admins should test their services in advance.
To help, the Chrome team created the ForceMajorVersion100InUserAgent flag (chrome://flags/#force-major-version-to-100). This forces the browser to send 100 as the major version number (blog). You should use this flag to uncover and address any issues before Chrome 100 rolls out. We encourage admins to submit any issues encountered here.
- Network Service on Windows will be sandboxed
As early as Chrome 100, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- WebHID enterprise policies
As early as Chrome 100, Chrome will add policies to manage the WebHID API. DefaultWebHidGuardSetting configures the default API behavior for all URLs and can be configured to allow origins to Ask for new device permissions or Block all permission requests. The WebHidAskForUrls and WebHidBlockedForUrls policies override the default policy for specific URLs.
Three new policies are added for automatically granting device permissions. URLs contained in the WebHidAllowAllDevicesForUrls policy will be automatically granted permissions for any connected device. The WebHidAllowDevicesForUrls and WebHidAllowDevicesWithHidUsagesForUrls policies can be used to grant narrower permissions by matching against vendor and product IDs or application collection usages in the HID report descriptor.
- Default to origin-keyed agent clustering
As early as Chrome 103, websites will be unable to set document.domain. Websites will need to use alternative approaches such as `postMessage()` or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it will need to send an `Origin-Agent-Cluster: ?0` header along with all documents that require that behavior.
Note: document.domain has no effect if only one document sets it.
An enterprise policy will be available when this change ships to extend the current behavior.
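The following added example (not from the Chrome release notes) sketches the `postMessage()` replacement for two subdomains that used to share a scripting context through document.domain. The origins, message types and helper names are hypothetical; the point is that both sides name or check an exact origin.

```javascript
// Hypothetical origins: two subdomains that previously both set
// document.domain = 'example.com' to script each other directly.
const PARENT_ORIGIN = 'https://app.example.com';
const WIDGET_ORIGIN = 'https://widgets.example.com';

// Sender side: always name the exact target origin. A '*' target would hand
// the message to whatever document currently occupies the frame.
function sendTo(targetWindow, targetOrigin, type, payload) {
  if (targetOrigin === '*') {
    throw new Error('refusing wildcard targetOrigin');
  }
  targetWindow.postMessage({ type, payload }, targetOrigin);
}

// Receiver side: build a 'message' listener that drops events from unlisted
// origins, malformed data, and message types without a registered handler.
// Returns true when the message was handled, false when it was dropped.
function makeReceiver(allowedOrigins, handlers) {
  return function onMessage(event) {
    if (!allowedOrigins.includes(event.origin)) return false;
    const data = event.data;
    if (data === null || typeof data !== 'object') return false;
    if (typeof data.type !== 'string') return false;
    // Own-property check so 'constructor' or 'toString' cannot be dispatched.
    if (!Object.prototype.hasOwnProperty.call(handlers, data.type)) return false;
    const reply = handlers[data.type](data.payload);
    if (reply !== undefined && event.source) {
      // Reply only to the origin that was just validated.
      sendTo(event.source, event.origin, data.type + ':reply', reply);
    }
    return true;
  };
}

// Browser wiring (shown as comments so the block also loads outside a browser):
//   In the widget document served from WIDGET_ORIGIN:
//     window.addEventListener('message', makeReceiver([PARENT_ORIGIN], {
//       getHeight: () => document.body.scrollHeight,
//     }));
//   In the parent document served from PARENT_ORIGIN:
//     sendTo(iframe.contentWindow, WIDGET_ORIGIN, 'getHeight');
```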
- Change tab-sharing blue border behavior
When a user chooses to share their tab from a site participating in the region capture origin trial, the blue border used to signify that a tab is being shared will no longer be shown.
Chrome browser updates | Security | User productivity/ Apps | Management |
---|---|---|---|
Launch Control Flow Guard for Windows | ✓ | ||
Certificate Transparency enabled on Chrome for Android | ✓ | ||
About this site | ✓ | ||
Test improvements to the Manage search engines settings | ✓ | ||
Chrome 97 removes profiles from memory when their windows are closed | ✓ | ||
Chrome disables WebSQL in third-party contexts | ✓ | ||
New Manifest V2 extensions not accepted after January 17, 2022 | ✓ | ✓ | |
Improved Chrome Autofill on Desktop | ✓ | ✓ | |
Optimized user experience on iOS | ✓ | ||
Private Network Access preflights for subresources | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Chrome OS updates | Security | User productivity/ Apps | Management |
Chrome Management Telemetry API | ✓ | ✓ | |
Revamped user and device reporting controls | ✓ | ||
Chrome Policy API supports Device settings | ✓ | ✓ | |
Offline grammar check | ✓ | ||
Magnifier continuous panning | ✓ | ||
Gallery app supports audio playing and multi window | ✓ | ||
Admin console updates | Security | User productivity/ Apps | Management |
Browser list data downloadable in CSV format | ✓ | ||
Read-only privilege for managed browsers | ✓ | ||
Reports overview page | ✓ | ||
Insights report: Devices that need attention | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security | User productivity/ Apps | Management |
Network Service on Windows will be sandboxed | ✓ | ||
Use of Chrome passwords in other apps on iOS | ✓ | ||
Update GREASE brand list generation | ✓ | ✓ | |
Chrome will maintain its own default root store | ✓ | ||
Chrome will disable the U2F API by default | ✓ | ✓ | |
Chrome will no longer allow TLS 1.0 or TLS 1.1 | ✓ | ||
Chrome may leverage MiraclePtr to improve security | ✓ | ||
Feature flag to force the Chrome Major Version number to 100 | ✓ | ✓ |
Chrome browser updates
- Launch Control Flow Guard for Windows
Chrome 97 improves security by introducing Control Flow Guard (CFG) for Windows to make memory corruption vulnerabilities more difficult to exploit. This change might cause interoperability issues with software that injects code into Chrome’s process space, such as Data Loss Prevention software. Please file a bug to let us know if you encounter issues.
As CFG affects how Chrome is compiled, it is not possible to control it using enterprise policies, but you can test it in the Dev and Beta channels for Chrome 97.
- Certificate Transparency enabled on Chrome for Android
Certificate Transparency is already enforced on desktop platforms, and is now enforced for some users on Chrome 97 for Android, with a wider release planned for a later version. You can selectively disable Certificate Transparency using the CertificateTransparencyEnforcementDisabledForCas, CertificateTransparencyEnforcementDisabledForLegacyCas, and CertificateTransparencyEnforcementDisabledForUrls enterprise policies.
- Test improvements to the Manage search engines settings
Site search helps users save time by searching through specific sites directly from the address bar on Chrome desktop. We are improving the Settings>Manage search engines page to help users have better control over Site search. Chrome 97 tests a number of these improvements:
- To help users better understand Site search, we renamed the page to Manage search engines and site search and added explanations to each section of the page.
- Now, when users visit a site that is eligible to work with Site search, that is, compliant with the OpenSearch spec, it will no longer be automatically activated for Site search. To activate a site, users select Settings>Manage search engines and site search>Inactive shortcuts>Activate. To prevent user workflows from being disrupted, Site search providers that people have used before in Chrome remain activated.
- The DefaultSearchProviderEnabled enterprise policy maintains the same behavior.
- Chrome 97 removes profiles from memory when their windows are closed
Previously, when users closed Chrome windows for a profile, the profile object would stay loaded in memory. It would continue using memory and other system resources. It would also run jobs in the background like Sync and extension background scripts. The only way to unload a profile from memory was to exit Chrome entirely.
Chrome 97 removes profiles from memory when their windows are closed. This can save lots of system resources in multi-profile scenarios. It also lets Chrome clean up ephemeral profile data from disk more efficiently, strengthening its privacy guarantees.
- Chrome disables WebSQL in third-party contexts
Chrome 97 disables WebSQL in third-party contexts, such as cross-origin iframes, as a continuation to the deprecation in Chrome 94. This change does not affect WebSQL in first-party contexts, but the eventual goal is to deprecate and remove all WebSQL.
An enterprise policy, WebSQLInThirdPartyContextEnabled, can re-enable WebSQL in third-party contexts until Chrome 101, when support for WebSQL in third-party contexts will be removed entirely.
- New Manifest V2 extensions not accepted after January 17, 2022
As part of the gradual deprecation of Manifest V2, the Chrome Web Store will stop accepting submissions of new Manifest V2 extensions after January 17, 2022. This applies to all new extension submissions with visibility set to Public or Unlisted.
The change does not affect updates to already published extensions. Also, it does not impact extensions with visibility set to Private. The change is not expected to affect the operation of any existing extensions already deployed in Chrome.
Note that the next phase of deprecation, in June of 2022, is expected to expand this restriction to extensions with Private visibility, which may have a more significant impact on Enterprise extension workflows.
For more details, refer to the Manifest V2 support timeline.
- Improved Chrome Autofill on Desktop
A shifted Autofill position enables users to preview autofilling more clearly within form fields. The addition of visual icons is a first step to clarifying what fields are expected to be filled. For example, a profile icon means Autofill fills any form fields related to address and contact info saved in Autofill.
- Optimized user experience on iOS
Chrome on iOS optimizes user experience by fetching page load metadata from a Google service, based on the pages that users navigate to. All requests to Google are anonymous, and you can control this behavior with the UrlKeyedAnonymizedDataCollectionEnabled enterprise policy.
- Private Network Access preflights for subresources
Chrome sends a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new `Access-Control-Request-Private-Network: true` header, and the response must carry a matching `Access-Control-Allow-Private-Network: true` header.
A private network request is any request from a public website to a private IP address or localhost, or from a private website, for example, intranet, to localhost. Sending a preflight request mitigates the risk of cross-site request forgery attacks against private network devices such as routers, which are often not prepared to defend against this threat.
You can control this behavior using enterprise policies InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls.
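The following added example (not from the Chrome release notes) shows the server side of this exchange for a device on a private network: it grants the private-network preflight only to an allowlisted origin and re-checks the origin on the actual request. The allowlisted origin, the allowed methods and the function names are hypothetical.

```javascript
// Hypothetical allowlist: the only public origin allowed to call this device.
const ALLOWED_ORIGINS = new Set(['https://portal.example.com']);
const ALLOWED_METHODS = 'GET, POST';

// Decide how to answer one request. `headers` uses lowercase names, which is
// how Node's http module exposes them. Returns { status, headers } for a CORS
// preflight, or null when the request is not a preflight.
function answerPreflight(method, headers, allowedOrigins = ALLOWED_ORIGINS) {
  const isPreflight = method === 'OPTIONS' &&
    headers['origin'] !== undefined &&
    headers['access-control-request-method'] !== undefined;
  if (!isPreflight) return null;

  const origin = headers['origin'];
  if (!allowedOrigins.has(origin)) {
    // No CORS headers at all: the browser fails the preflight and never
    // sends the actual request to this device.
    return { status: 403, headers: {} };
  }

  const out = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': ALLOWED_METHODS,
    'Vary': 'Origin',
  };
  // Opt in to private network access only when the browser asked for it.
  if (headers['access-control-request-private-network'] === 'true') {
    out['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers: out };
}

// Request listener with the (req, res) signature used by Node's http server.
function handle(req, res) {
  const preflight = answerPreflight(req.method, req.headers);
  if (preflight) {
    res.writeHead(preflight.status, preflight.headers);
    res.end();
    return;
  }

  // Actual request: clients that skip the preflight still get an origin check,
  // so the preflight is not the only defence against cross-site requests.
  const origin = req.headers['origin'];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    res.writeHead(403);
    res.end();
    return;
  }
  const headers = { 'Content-Type': 'application/json' };
  if (origin !== undefined) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Vary'] = 'Origin';
  }
  res.writeHead(200, headers);
  res.end(JSON.stringify({ status: 'ok' }));
}
```

Pass `handle` to Node's `http.createServer` to serve it.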
- New and updated policies in Chrome browser
Policy | Description |
---|---|
HistoryClustersVisible | Controls the visibility of history clusters on the Chrome history page |
RemoteAccessHostClipboardSizeBytes | The maximum size, in bytes, that can be transferred between client and host via clipboard synchronization |
RemoteAccessHostAllowRemoteSupportConnections | Allow remote support connections to this machine |
PolicyListMultipleSourceMergeList (New on Android) | Allow merging list policies from different sources |
CloudUserPolicyMerge (New on Android) | Enables merging of user cloud policies into machine-level policies |
BrowserSignin (Force sign in new on iOS) | Force users to sign-in to use the browser |
CloudPolicyOverridesPlatformPolicy (new on Android) | Google Chrome cloud policy overrides platform policy |
CloudUserPolicyOverridesCloudMachinePolicy (new on Android) | Allow user cloud policies to override Chrome Browser Cloud Management policies. |
CORSNonWildcardRequestHeadersSupport | CORS non-wildcard request headers support |
Chrome OS updates
- Chrome Management Telemetry API
This is a new API that provides telemetry information from managed Chrome OS devices. The initial set of telemetry data focuses on hardware performance—CPU, memory, storage, and graphics. You can see the full documentation here.
- Revamped user and device reporting controls
There are now additional controls for reporting within device settings. You can view all available data for features that require reporting, such as the device details, insight reports, or the Telemetry API. Please see the support article for additional information.
- Chrome Policy API supports Device settings
The Chrome Policy API is a suite of services that allows Chrome administrators to view, manage, and get insights about the usage of Chrome OS and Chrome browsers in their organization. The API was launched in March 2021 with support for User and printer settings. Subsequently, support for Apps and Extensions settings was added. Now in Chrome 97, the API includes support for Device Settings.
- Magnifier continuous panning
Chrome OS Magnification now allows you to choose to move the portion of the screen that is magnified continuously as you move the mouse. This is in addition to the previous existing options that allow you to move the magnified area when your mouse touches the edge of the screen or the option that keeps the mouse in the center of the screen. To access this feature, go to Chrome OS Settings > Advanced > Accessibility > Manage accessibility features > Enable fullscreen magnifier.
Admin console updates
- Insights report: Devices that need attention
A new report highlights categories of devices that require attention. The new report is available under the Device > Chrome > Reports > Insights menu.
The categories are:
- Devices that have not synched policies in 28 days
- Devices that have not seen user activity in 28 days
- Devices that are pending OS updates
- Devices that are not compliant with the OS version that was set by policy
  - For example, if a device policy requires Chrome 94 running on devices, but several devices are on Chrome 90.
- Devices that are unable to apply a policy due to an OS mismatch
  - For example, if a set policy due to be applied has a minimum supported Chrome OS version of Chrome 96, but devices are on Chrome 90.
Clicking on the category takes you to the device list page with filters applied according to the category. For more details, see this Help Center article.
- New policies in the Admin console
Policy Name | Pages | Supported on | Category/Field |
---|---|---|---|
RelaunchWindow | User & Browser Settings | Chrome, Chrome OS | Chrome Updates > Relaunch Notification > Relaunch window duration |
TermsOfServiceURL (support docs) | New to User & Browser Settings; Managed Guest Session | Chrome OS | General > Custom terms of service |
DeviceDebugPacketCaptureAllowed | Device Settings | Chrome OS | Other settings > Allow debug network packet captures |
AdditionalDnsQueryTypesEnabled | User & Browser Settings; Managed Guest Session | Chrome, Chrome OS, Android | Network > DNS queries for additional DNS record types |
LockIconInAddressBarEnabled | User & Browser Settings; Managed Guest Session | Chrome, Chrome OS, Android | User experience > Lock icon in the omnibox for secure connections |
PrintPreviewUseSystemDefaultPrinter | User & Browser Settings | Chrome | Printing > System Default Printer |
DeviceLoginScreenPromptOnMultipleMatchingCertificates | Device Settings | Chrome OS | Other settings > Prompt when multiple certificates match on the sign-in screen |
PromptOnMultipleMatchingCertificates | User & Browser Settings | Chrome, Chrome OS | Other settings > Prompt when multiple certificates match |
Coming soon
Upcoming Chrome browser changes
- Network Service on Windows will be sandboxed
As early as Chrome 98, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy has been added to allow early testing of the new sandbox, and to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Use of Chrome passwords in other apps on iOS
From Chrome 98, iOS users will be informed that they can use their saved passwords in other apps on their device.
The Chrome > Settings > Passwords screen will show a new option for Passwords in Other Apps, which will guide users to turn on this feature in iOS autofill settings.
- Update GREASE brand list generation
User-Agent GREASE aims to prevent bad or exclusionary assumptions from being built on top of User-Agent strings. This change aligns our implementation of GREASE in User-Agent Client Hints with the current spec, which includes additional GREASE characters beyond the current semicolon and space, and which recommends varying the arbitrary version. While we will roll out this change gradually and watch for negative impacts, admins can opt out via the UserAgentClientHintsGREASEUpdateEnabled enterprise policy escape hatch (available in Chrome 98).
- Chrome will maintain its own default root store
As early as Chrome 98, to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
- Chrome will disable the U2F API by default
The U2F API is Chrome's legacy API for interacting with USB security keys. It has been superseded by the W3C Web Authentication API (WebAuthn). In Chrome 98, Chrome will disable the U2F API by default. With Chrome 104, the U2F API will be removed from Chrome.
Sites can continue to use the U2F API beyond Chrome 98 if they enroll in an Origin Trial. Using the Origin Trial also suppresses the deprecation prompt on the enrolled pages. The Origin Trial will end on July 26, 2022, shortly before the release of Chrome 104.
Enterprises can suppress deprecation related changes, and keep the U2F enabled, by using the U2fSecurityKeyApiEnabled enterprise policy. This enterprise policy will be removed from Chrome, together with the U2F API, in Chrome 104.
If you run a website that still uses this API, please refer to the deprecation announcement and blog post for more details.
- Chrome will no longer allow TLS 1.0 or TLS 1.1
The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.
In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. In Chrome 98, it will no longer be possible to bypass the interstitial.
- Chrome may leverage MiraclePtr to improve security
As early as Chrome 99, Chrome will leverage MiraclePtr to reduce the risk of security vulnerabilities relating to memory safety. The Chrome team gathered data on the performance cost of MiraclePtr in Chrome 91, but domain-joined enterprises on the stable channel were excluded from MiraclePtr builds during that phase. A full release of MiraclePtr in Chrome is planned as early as Chrome 101.
- Feature flag to force the Chrome Major Version number to 100
Users and site owners can experiment with the upcoming three-digit (Chrome 100) major release version number in the User-Agent string by turning on the ForceMajorVersion100InUserAgent flag. This forces the browser to send 100 as the major version number. When browsers went from version 9 to 10, the increase in the number of digits in the major version number uncovered many issues in User-Agent string parsing libraries. With this feature flag, we can uncover and address these issues before Chrome 100 rolls out. We encourage admins to submit any issues encountered here.
Chrome browser updates | Security | User productivity/ Apps | Management |
---|---|---|---|
Chrome on Android no longer supports Android Lollipop | ✓ | ||
Apps shortcut in the bookmarks bar defaults to off | ✓ | ||
Network data moves to a new folder on Windows | ✓ | ||
New security events for BeyondCorp Enterprise Threat and Data Protection | ✓ | ||
Feature flag to force the Chrome Major Version number to 100 | ✓ | ||
DNS-based HTTP to HTTPS redirect | ✓ | ||
Chrome shows Journeys in the History page | ✓ | ||
Chrome starts deprecating the U2F security key API | ✓ | ✓ | |
Chrome on Android shows reuse warnings for Google passwords | ✓ | ||
Chrome sync ends support for Chrome 48 and earlier | ✓ | ||
Google Toolbar for Internet Explorer no longer available | ✓ | ||
Chrome installer for macOS now available as a single universal version | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Chrome OS updates | Security | User productivity/ Apps | Management |
Long-term support channel | ✓ | ||
Cloud Based Certificate Provisioning using SCEP | ✓ | ✓ | |
SAML password change : Chrome Device Token API | ✓ | ||
Terms of Service for managed user sessions | ✓ | ||
Side Search on Chrome OS | ✓ | ||
Nearby Share from ARC++ sharesheet | ✓ | ||
Switch Access Setup Guide | ✓ | ||
New preference setting for Link capturing | ✓ | ||
Add clipboard suggestions to on-screen keyboard | ✓ | ||
Chrome Wallpaper app enhancements | ✓ | ||
Notification settings move to Chrome OS Settings | ✓ | ||
Admin console updates | Security | User productivity/ Apps | Management |
New interface for selecting Chrome apps and extensions | ✓ | ✓ | |
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security | User productivity/ Apps | Management |
Launch Control Flow Guard for Windows | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Certificate Transparency enabled on Chrome for Android | ✓ | ||
CORS Authorization mishandling | ✓ | ||
Chrome will maintain its own default root store | ✓ | ||
Chrome will no longer allow TLS 1.0 or TLS 1.1 | ✓ | ||
Chrome autofill will be more predictable | ✓ | ||
New Manifest V2 extensions not accepted after January 17, 2022 | ✓ | ✓ | |
Different-origin iframes JavaScript dialogs deprecation has been postponed indefinitely | ✓ | ||
Upcoming Admin console changes | Security | User productivity/ Apps | Management |
Browser list data downloadable in CSV format | ✓ | ||
Read-only privilege for managed browsers | ✓ | ||
Reports overview page | ✓ | ||
Insights report: Devices that need attention | ✓ |
Chrome browser updates
- Chrome on Android no longer supports Android Lollipop
Chrome 96 does not support or ship to users running Android Lollipop.
The last version of Chrome that supports Android Lollipop is Chrome 95, and it included a message to affected users informing them to upgrade their operating system.
- Apps shortcut in the bookmarks bar defaults to off
The Apps shortcut in the bookmarks bar now defaults to off. Chrome also updates the current state for all users who have not changed their setting to the new default (off).
- Network data moves to a new folder on Windows
Data that is needed by the network service, including cookies and other data files, is now stored in a subdirectory called Network underneath the previous location. This is to support the upcoming Network Sandbox (see below). This migration happens automatically and transparently. No action is required; however, you might need to update any scripts that rely on the location of these files.
- New security events for BeyondCorp Enterprise Threat and Data Protection
Chrome 96 adds two new security events to BeyondCorp Enterprise Threat and Data Protection: Password leak and login. This functionality allows admins to understand enterprise credential usage, to shadow IT within their organization, and to stay ahead of potential security incidents regarding passwords exposed in data breaches.
- Feature flag to force the Chrome Major Version number to 100
Starting in Chrome 96, users and site owners can experiment with the upcoming three-digit (Chrome 100) major release version number in the User-Agent string by turning on the ForceMajorVersion100InUserAgent flag. This forces the browser to send 100 as the major version number. When browsers went from version 9 to 10, the increase in the number of digits in the major version number uncovered many issues in User-Agent string parsing libraries. With this feature flag, we can uncover and address these issues before Chrome 100 rolls out. We encourage admins to submit any issues encountered here.
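The following added example (not from the Chrome release notes) shows two parsing patterns that break at the three-digit boundary, a parser that does not, and a regression check you can point at your own parsing function before Chrome 100. The User-Agent strings are constructed and all function names are hypothetical; the same check applies to the other notes on this page that mention the ForceMajorVersion100InUserAgent flag.

```javascript
// Constructed User-Agent string for a given major version (not captured traffic).
function makeUa(major) {
  return 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
    `(KHTML, like Gecko) Chrome/${major}.0.4664.45 Safari/537.36`;
}

// Brittle pattern 1: assumes the major version is exactly two digits.
// "Chrome/100" is read as 10, and "Chrome/9" does not match at all.
function brittleTwoDigitMajor(ua) {
  const m = /Chrome\/(\d{2})/.exec(ua);
  return m ? Number(m[1]) : null;
}

// Brittle pattern 2: compares versions as strings, so "100" sorts before "96".
function brittleIsAtLeast(ua, minMajor) {
  const m = /Chrome\/(\d+)/.exec(ua);
  return m !== null && m[1] >= String(minMajor);
}

// Robust parser: accepts any number of digits in each of the four components
// and converts them to numbers before anything is compared.
function parseChromeVersion(ua) {
  const m = /\bChrome\/(\d+)\.(\d+)\.(\d+)\.(\d+)\b/.exec(ua);
  if (!m) return null;
  const [major, minor, build, patch] = m.slice(1).map(Number);
  return { major, minor, build, patch };
}

function robustMajor(ua) {
  const v = parseChromeVersion(ua);
  return v ? v.major : null;
}

function isAtLeast(ua, minMajor) {
  const v = parseChromeVersion(ua);
  return v !== null && v.major >= minMajor;
}

// Regression check: feed a parser the versions on either side of each digit
// boundary and return the majors it gets wrong. An empty array means it is
// ready for Chrome 100.
const BOUNDARY_MAJORS = [9, 10, 99, 100, 101];

function findBoundaryBugs(parseMajor) {
  return BOUNDARY_MAJORS.filter((major) => parseMajor(makeUa(major)) !== major);
}
```

Call `findBoundaryBugs` with whatever function your service uses to extract the major version, then confirm the result in a browser with the flag enabled.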
- DNS-based HTTP to HTTPS redirect
Chrome queries DNS for HTTPS records (alongside traditional A and AAAA queries). When a website has deployed an HTTPS DNS record and Chrome receives it, Chrome always connects to the website via HTTPS (Chrome Status). This was previously enabled for 50% of users on the Canary, Dev, and Beta channels.
- Chrome shows Journeys in the History page
For some users, Chrome 96 clusters local browsing activity on the History page into Journeys to make it easier to find prior activity and continue it with related search suggestions. For keywords typed into the Omnibox that match a cluster, an action chip displays for seamless access to the Journeys view. Users can delete clusters and disable Journeys, if desired. Additionally, admins will have the option to disable this feature using the HistoryClustersVisible policy, starting in Chrome 97.
- Chrome starts deprecating the U2F security key API
The U2F API is Chrome's legacy API for interacting with USB security keys. It has been superseded by the W3C Web Authentication API (WebAuthn). Beginning with Chrome 96, when sites make U2F API requests, users might see a prompt that includes a notice about the U2F API’s deprecation. In Chrome 98, Chrome will disable the U2F API by default. With Chrome 104, the U2F API will be removed from Chrome.
Sites can continue to use the U2F API beyond Chrome 98 if they enroll in an Origin Trial. Using the Origin Trial also suppresses the deprecation prompt on the enrolled pages. The Origin Trial will end on July 26, 2022, shortly before the release of Chrome 104.
Enterprises can suppress deprecation related changes, and keep the U2F enabled, by using the U2fSecurityKeyApiEnabled enterprise policy. This enterprise policy will be removed from Chrome, together with the U2F API, in Chrome 104.
If you run a website that still uses this API, please refer to the deprecation announcement and blog post for more details.
- Chrome on Android shows reuse warnings for Google passwords
Similar to Chrome on other platforms, Chrome on Android now shows warnings if it detects that your Google passwords were reused on a malicious website. You can control this behavior using the PasswordProtectionWarningTrigger enterprise policy.
- Chrome sync ends support for Chrome 48 and earlier
As previously communicated, Chrome sync no longer supports Chrome 48 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome sync.
- Google Toolbar for Internet Explorer no longer available
The Google Toolbar for Internet Explorer is being phased out. As of mid-November, it will no longer be available for download.
- Chrome installer for macOS now available as a single universal version
The `.dmg` installer available to users on macOS now contains both the x86_64 and the arm64 versions of the product. When installing, users no longer have to choose the CPU architecture. With Chrome 96, existing Chrome installations will be updated to universal automatically. This may increase the size of Chrome on disk.
Note that the enterprise-specific `.pkg` installer was already a universal installer.
- New and updated policies in Chrome browser
Policy | Description |
---|---|
SyncDisabled (new on iOS) | Control Chrome sync. |
 | Allow use of the deprecated U2F Security Key API. |
 | Allow user cloud policies to override Chrome Browser Cloud Management policies. |
 | Allow Chrome to block navigations toward external protocols in sandboxed iframes. |
BrowsingDataLifetime (new on Android) | Configure (per data-type) when data is deleted by the browser. |
 | Temporarily re-enables WebSQL in third-party contexts. |
 | Prompt for the client certificate when multiple certificates match. |
 | Controls whether or not the network service process runs sandboxed. |
Chrome OS updates
For over a decade, Chrome OS has delivered new milestone releases every six weeks, providing users and IT with a secure, speedy, and stable experience. Earlier this year, we announced that Chrome OS would switch to a 4-week stable release, starting with Chrome 96. This shift allows us to deliver features and security updates more quickly.
- Long-term support channel
From Chrome 96, Chrome OS provides an option for organizations to use a new Long-term support (LTS) channel, with feature milestone updates every six months. Devices on the LTS channel will still receive frequent security updates. Admins can easily switch from LTS to other channels if desired. For more details, see this article.
- Cloud Based Certificate Provisioning using SCEP
Chrome OS provides a new way to provision and renew certificates on managed devices in Microsoft Active Directory Certificate Service (ADCS) environments using the Simple Certificate Enrollment Protocol (SCEP). The new provisioning flow, for device-based certificates, enables automated certificate deployment and renewals that occur with no end user interaction and before user sign-in. For more details, see this article.
- SAML password change : Chrome Device Token API
Chrome 96 supports password updates on Chrome OS devices after a user’s password is changed on a third-party Identity Provider (IdP). This helps to increase the convenience for the end user, and to enforce corporate policies on Chrome OS devices. Admins can use the Chrome Device Token API to allow IdPs to notify Chrome OS devices that users have changed their password. API documentation is available, and this article (step 4/5) has been updated with guidance for administrators.
- Terms of Service for managed user sessions
Admins can now display their Terms of Service to users at the beginning of every managed user’s session. This functionality was previously available for managed guest sessions only.
- Side Search on Chrome OS
To make it easier to compare search results and find what you’re looking for more quickly in Chrome browser, there’s a new side panel in Chrome OS. You can now view a page and the search results at the same time. This lets you view a page right in your main browser window without needing to navigate back and forth or losing your search results. Admins can disable this feature via the SideSearchEnabled policy.
- Nearby Share from ARC++ sharesheet
This feature allows users to use Nearby Share from Android Runtime for Chrome (ARC++). Prior to this, Nearby Share has been available in the Files app, PWAs and other system apps. Nearby Share allows users to easily share content across devices, for example, from a Chromebook to a device running Chrome browser, such as an Android phone or a Windows PC.
- Switch Access setup guide
Switch Access is an alternate input method that enables users to control their device with just one or more buttons. As of Chrome 96, Switch Access users will now have a setup guide which will help walk new users through the process of setting up and using their switches.
- New preference setting for link capturing
This adds a new preference to Apps settings that allows users to set apps as the default handler of supported links. For example, the Zoom PWA can become the default handler for zoom.us links.
- Add clipboard suggestions to on-screen keyboard
Chrome 96 suggests recently copied items in the on-screen keyboard or Virtual Keyboard suggestion row to simplify your paste actions. If you copy an item and open your Virtual Keyboard you should see that item as an option in the top row. Click it to paste. Previously, Chrome 94 made clipboard items accessible from the virtual keyboard. Chrome 96 adds clipboard items copied within the last two minutes to the suggestion row in the virtual keyboard for even easier access.
- Chrome Wallpaper app enhancements
The Chrome OS wallpaper picker now has a more visual UI that helps users to select from a variety of wallpaper collections or their own images. Users can open it from the home screen using right-click > Set wallpaper.
- Notification settings move to Chrome OS Settings
Chrome 96 includes a new dedicated Notifications page in Chrome OS Settings. In earlier releases, Notifications were accessed from the Quick Settings menu.
Admin console updates
- New interface for selecting Chrome apps and extensions
The Admin console now uses the same user interface as the Chrome Web Store for selecting new Chrome apps and extensions.
- New policies in the Admin console
| Policy Name | Pages | Supported on | Category/Field |
|---|---|---|---|
| | Device Settings | Chrome OS | Other settings > Data access protection for peripherals |
| | User & Browser Settings; Managed Guest Session Settings | Chrome, Chrome OS, Android | Content > Request from insecure websites to more-private network endpoints |
| | Device Settings | Chrome OS | Kiosk settings > Kiosk virtual keyboard features |
| | User & Browser Settings; Managed Guest Session Settings | Chrome OS | User experience > Allowed input methods |
| | User & Browser Settings; Managed Guest Session Settings | Chrome, Chrome OS | Security > Insecure Media Capture |
| | User & Browser Settings; Managed Guest Session Settings | Chrome OS | User experience > Allowed chrome OS languages |
| | User & Browser Settings; Managed Guest Session Settings | Chrome, Chrome OS | User experience > Spell check > Enforced spellcheck languages |
| | User & Browser Settings; Managed Guest Session Settings | Chrome, Chrome OS | User experience > Spell check > Disabled spellcheck languages |
| | User & Browser Settings | Chrome, Chrome OS | Content > Allow WebAssembly cross-origin |
| | User & Browser Settings | Chrome OS | Security > SAML single sign-on password synchronization flows |
| | User & Browser Settings | Chrome OS | Security > SAML single sign-on password synchronization > Password synchronization between third-party SSO providers and Chrome devices |
| | User & Browser Settings | Chrome OS | Security > SAML single sign-on password synchronization > How many days in advance to notify SAML users when their password is due to expire |
| | User & Browser Settings | Chrome | Sign-in settings > Separate profile for managed Google Identity |
| | User & Browser Settings | Chrome OS | Android applications > Sharing from Android apps to Web apps |
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Launch Control Flow Guard for Windows
As early as Chrome 97, Chrome will make security improvements by introducing Control Flow Guard (CFG) for Windows. This change might cause interoperability issues with software that injects code into Chrome’s process space, such as Data Loss Prevention software. Please file a bug to let us know if you encounter issues.
As CFG affects how Chrome is compiled, it will not be possible to control it via enterprise policies, but you can test it in the Dev and Beta channels for Chrome 97.
- Network Service on Windows will be sandboxed
As early as Chrome 97, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. An enterprise policy has been added to allow early testing of the new sandbox, and to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Certificate Transparency enabled on Chrome for Android
Certificate Transparency is already enforced on desktop platforms, and will be enforced for some users on Chrome 97 for Android, with a wider release planned for a later version. You can selectively disable Certificate Transparency using the CertificateTransparencyEnforcementDisabledForCas, CertificateTransparencyEnforcementDisabledForLegacyCas, and CertificateTransparencyEnforcementDisabledForUrls enterprise policies.
- CORS Authorization mishandling
When scripts make a cross-origin network request via fetch() or XMLHttpRequest with an Authorization header, the header should be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response (Chrome Status). The wildcard symbol (*) in Access-Control-Allow-Headers should not work for this header. This has not been implemented correctly, and the wildcard symbol has taken effect. This will be fixed in Chrome 97.
Note that Authorization headers attached by Chrome during the authentication process are out of scope for this change.
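The preflight rule described above, modelled as an added example (not Chrome's code and not part of the original release notes). `blockedHeaders` and `wouldBreakInChrome97` are hypothetical helper names, and the caller is assumed to pass only the header names the browser would list in Access-Control-Request-Headers. The handling of credentialed requests follows the Fetch standard rather than anything stated on this page.

```javascript
// Header names that a '*' in Access-Control-Allow-Headers must never cover.
const NON_WILDCARD = new Set(["authorization"]);

// Parse an Access-Control-Allow-Headers value into a set of lowercase names.
function parseAllowHeaders(value) {
  return new Set(
    (value || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter((h) => h.length > 0)
  );
}

// Return the request headers the preflight response does NOT permit.
// strict=true  : corrected behaviour ('*' never covers Authorization).
// strict=false : the earlier behaviour the note describes ('*' took effect).
function blockedHeaders(requestHeaders, allowHeadersValue, opts = {}) {
  const { credentialed = false, strict = true } = opts;
  const allowed = parseAllowHeaders(allowHeadersValue);
  // With credentials, '*' is only a literal header name, not a wildcard.
  const wildcard = allowed.has("*") && !credentialed;
  return requestHeaders
    .map((h) => h.toLowerCase())
    .filter((name) => {
      if (allowed.has(name)) return false; // explicitly listed
      if (!wildcard) return true;          // nothing else can allow it
      return strict && NON_WILDCARD.has(name);
    });
}

// True when a request that passed under the earlier behaviour fails
// once the wildcard no longer covers Authorization.
function wouldBreakInChrome97(requestHeaders, allowHeadersValue, opts = {}) {
  const before = blockedHeaders(requestHeaders, allowHeadersValue, { ...opts, strict: false });
  const after = blockedHeaders(requestHeaders, allowHeadersValue, { ...opts, strict: true });
  return before.length === 0 && after.length > 0;
}

// Constructed sample: an API that answers preflights with a bare wildcard.
console.log(blockedHeaders(["Authorization", "X-Trace"], "*"));
console.log(wouldBreakInChrome97(["Authorization"], "*"));
```

Servers flagged by `wouldBreakInChrome97` need `Authorization` listed by name in Access-Control-Allow-Headers.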
- Chrome will maintain its own default root store
As early as Chrome 98, to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
- Chrome will no longer allow TLS 1.0 or TLS 1.1
The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.
In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. In Chrome 98, it will no longer be possible to bypass the interstitial.
- Chrome Autofill will be more predictable
Chrome Autofill will be more visible with a new menu position. It will also add dynamic highlighting to show precisely what fields will be filled automatically.
- New Manifest V2 extensions not accepted after January 17, 2022
As part of the gradual deprecation of Manifest V2, the Chrome Web Store will stop accepting submissions of new Manifest V2 extensions after January 17, 2022. This applies to all new extension submissions with visibility set to Public or Unlisted.
The change will not affect updates to already published extensions. Also, it will not impact extensions with visibility set to Private. The change is not expected to affect the operation of any existing extensions already deployed in Chrome.
Note that the next phase of deprecation, in June of 2022, is expected to expand this restriction to extensions with Private visibility, which may have a more significant impact on Enterprise extension workflows.
For more details, refer to the Manifest V2 support timeline.
- Different-origin iframes JavaScript dialogs deprecation has been postponed indefinitely
Previously, we announced a planned change that would cause Chrome to prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt), if the iframe is a different origin from the top-level page. This change was originally planned for Chrome 92, but has been postponed indefinitely due to the feedback we received on this change. We will provide advance notice in the future if we decide to re-enable this change.
You can test now whether this future change will affect applications by setting the enable_features=SuppressDifferentOriginSubframeJSDialogs flag.
Upcoming Admin console changes
- Browser list data downloadable in CSV format
As early as Chrome 97, Chrome will introduce an optional CSV format to download the browser list data from the Admin console.
- Read-only privilege for managed browsers
As early as Chrome 97, Chrome will introduce a read-only privilege for managed browsers. Admins will be able to easily create custom admin roles with read-only access to managed browsers in the Admin console.
- Reports overview page
A new reports overview page will provide a summary of all the reports available. The new page will be available under the Device > Chrome > Reports menu.
- Insights report: Devices that need attention
A new report will highlight categories of devices that require attention. The new report will be available under the Device > Chrome > Reports > Insights menu.
The categories are:
- Devices that have not synced policies in 28 days
- Devices that have not seen user activity in 28 days
- Devices that are pending OS updates
- Devices that are not compliant with the OS version that was set by policy
  - For example, if a device policy requires Chrome 94 running on devices, but several devices are on Chrome 90
- Devices that are unable to apply a policy due to an OS mismatch
  - For example, if a set policy due to be applied has a minimum supported Chrome OS version of Chrome 96, but devices are on Chrome 90
Clicking on the category will take you to the device list page with filters applied according to the category.
For more details, see this Help Center article.
These Chrome 95 release notes contain Chrome Browser updates only. To bridge the gap between Chrome 94 and Chrome 96, Chrome OS will skip Chrome 95 and will include all relevant security fixes on the Chrome 94 milestone.
Chrome browser updates | Security | User productivity/ Apps | Management |
---|---|---|---|
Stricter parsing rules for Legacy Browser Support | ✓ | ||
Origin Trial for reduced User-Agent strings | ✓ | ||
Chrome deprecates WebAssembly cross-origin module sharing | ✓ | ||
Explicit user prompts for Autofill addresses | ✓ | ✓ | |
New Side Panel feature | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Admin console updates | Security | User productivity/ Apps | Management |
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser updates | Security | User productivity/ Apps | Management |
Chrome on Android will no longer support Android Lollipop | ✓ | ||
Apps shortcut in the bookmarks bar will default to off | ✓ | ||
Network data will be migrated to a new folder on Windows | ✓ | ||
Network service on Windows will be sandboxed | ✓ | ||
New security events for BeyondCorp Enterprise Threat and Data Pro |