Archived release notes

DOWNLOAD Release notes (PDF)

↑ back to top

 

Chrome browser updates

• Removing setTimeout(,0) clamping to 1ms   
  
  Chrome 101 removes a web intervention for some users that clamped setTimeout(,0) timers to 1ms. In Chrome 101, those users see timers fire immediately. Note that nested timer calls clamp to 4ms after repeated nested calls. This change brings Chrome in line with web specifications and might improve performance on some pages.
  
  It's possible that this change will introduce bugs in web applications that rely on the current clamped behavior. If you have any apps affected by this change, you can use the SetTimeoutWithout1MsClampEnabled policy to revert to the Chrome 100 behavior.

• Deprecation Origin Trial for UA reduction   
  
  As previously announced, Chrome 101 protects user privacy by reducing the granularity of information in the User-Agent string. In this phase, the MINOR.BUILD.PATCH version info is reduced to 0.0.0. If a site needs this information, it should migrate to the User Agent Client Hints API. Sites that need more time to test or migrate can take advantage of a Deprecation Trial, which started in Chrome 100.
  
  You can also control this using the UserAgentReduction enterprise policy. You can test the new reduced-granularity User-Agent string by setting the policy to 2, or you can delay the change while you update your apps by setting it to 1.

• Chrome Browser Cloud Management maintains compatibility with the most recent 12 versions of Chrome   
  
  Starting with Chrome 101, Chrome Browser Cloud Management maintains compatibility with the most recent 12 versions of Chrome. Older versions may lose some Chrome Browser Cloud Management features without notice, or behave unexpectedly. For your security, you should keep Chrome auto-update enabled, which keeps your fleet on the most recent version of Chrome. If you manage Chrome updates manually, staying close to the most recent version both keeps your users safer, and ensures you stay within the compatibility window.

• Chrome 101 supports notification permission changes in Android 13 and above   
  
  Android 13 is changing the way push notification permissions behave by default. All Android apps require users to explicitly allow OS notification permissions, as opposed to Android 12 and earlier where it was granted by default. Chrome running on Android 13 now prompts the user for permission at app launch up to two times.

• Chrome removes support for WebSQL in a third-party context   
  
  The WebSQLInThirdPartyContextEnabled policy was introduced to give admins additional time to react to the removal of WebSQL in a third-party context. As planned, this policy is removed in Chrome 101.

• Compare search results with new Side Search feature   
  
  Side Search allows users to compare search results via a side panel UI to get the right answer faster. This means users can view a page and the search results at the same time, without needing to navigate back and forth or losing their search results. This is helpful for users who are actively searching for something and need more than one site, for example, planning an employee dinner, putting together presentations, and so on. You can control this feature using the SideSearchEnabled policy.

• Control camera and microphone permissions on iOS   
  
  In Chrome 101, after granting Chrome both app level and site level permission to use the camera or microphone, users can now control camera or microphone usage. Users can tap the icon on the left of the location bar to trigger a popup that shows switches to control the camera or microphone. Alternatively, users can go to Site Information in the context menu and do the same.

• Chrome runs prerendering autocomplete suggestions from the Omnibox   
  
  Chrome 101 enables Omnibox, or URL bar, prerendering. With this feature, Chrome starts prerendering the high-confidence Omnibox autocomplete suggestions. Chrome is currently prefetching resources for high-confidence suggestions using No-state Prefetch, but with this feature we can further process the webpage, including DOM tree construction and script execution. Enterprises can opt-out of this feature using the NetworkPredictionOptions policy.

• Chrome removes legacy policies with non-inclusive names   
  
  Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (for example, whitelist, blacklist). In order to minimize disruption for existing managed users, both the old and the new policies currently work.
  
  This transition period was originally planned for Chrome 95, but was extended to Chrome 101 to give admins more time to transition their policies. In Chrome 101, the policies in the left column of the following table no longer function. Please ensure you're using the corresponding policy from the right column instead:
   

  Legacy Policy Name	New Policy Name
  NativeMessagingBlacklist	NativeMessagingBlocklist
  NativeMessagingWhitelist	NativeMessagingAllowlist
  AuthNegotiateDelegateWhitelist	AuthNegotiateDelegateAllowlist
  AuthServerWhitelist	AuthServerAllowlist
  SpellcheckLanguageBlacklist	SpellcheckLanguageBlocklist
  AutoplayWhitelist	AutoplayAllowlist
  SafeBrowsingWhitelistDomains	SafeBrowsingAllowlistDomains
  ExternalPrintServersWhitelist	ExternalPrintServersAllowlist
  NoteTakingAppsLockScreenWhitelist	NoteTakingAppsLockScreenAllowlist
  PerAppTimeLimitsWhitelist	PerAppTimeLimitsAllowlist
  URLWhitelist	URLAllowlist
  URLBlacklist	URLBlocklist
  ExtensionInstallWhitelist	ExtensionInstallAllowlist
  ExtensionInstallBlacklist	ExtensionInstallBlocklist
  UserNativePrintersAllowed	UserPrintersAllowed
  DeviceNativePrintersBlacklist	DevicePrintersBlocklist
  DeviceNativePrintersWhitelist	DevicePrintersAllowlist
  DeviceNativePrintersAccessMode	DevicePrintersAccessMode
  DeviceNativePrinters	DevicePrinters
  NativePrinters	Printers
  NativePrintersBulkConfiguration	PrintersBulkConfiguration
  NativePrintersBulkAccessMode	PrintersBulkAccessMode
  NativePrintersBulkBlacklist	PrintersBulkBlocklist
  NativePrintersBulkWhitelist	PrintersBulkAllowlist
  UsbDetachableWhitelist	UsbDetachableAllowlist
  QuickUnlockModeWhitelist	QuickUnlockModeAllowlist
  AttestationExtensionWhitelist	AttestationExtensionAllowlist
  PrintingAPIExtensionsWhitelist	PrintingAPIExtensionsAllowlist
  AllowNativeNotifications	AllowSystemNotifications
  DeviceUserWhitelist	DeviceUserAllowlist
  NativeWindowOcclusionEnabled	WindowOcclusionEnabled

  
  
  If both the legacy policy and the new policy are set for any row in the table above, the new policy overrides the legacy policy. 
  
  If you're managing Chrome via the Admin console (for example, Chrome Browser Cloud Management), no action is required; the Admin console manages the transition automatically.

• New and updated policies in Chrome browser   
   

  Policy	Description
  SideSearchEnabled	Allow showing the most recent default search engine results page in a browser side panel.
  CloudReportingUploadFrequency	Frequency of cloud reporting in hours.
  OptimizationGuideFetchingEnabled	Enable Optimization Guide Fetching.
  WebSQLAccess	Force WebSQL to be enabled.
  SetTimeoutWithout1MsClampEnabled	Control Javascript setTimeout() function minimum timeout.

   

   

Chrome OS updates

• Network-based recovery for Chrome OS   
  
  Network-based recovery provides a built-in recovery mechanism for Chrome OS that doesn’t need external tools such as a USB stick, an Android device, a second computer, a USB cable, and so on. It is available on most of the new Chrome OS devices launching after April 20, 2022.

• Policy support for additional openVPN settings   
  
  Additional OpenVPN properties can now be set in the Admin console when configuring a managed VPN connection. This includes packet authentication and encryption algorithms, compression algorithm, key direction, and TLS auth key.

• UI-based firmware updates for peripherals   
  
  Chrome OS now performs firmware updates for peripherals using fwupd, an open source firmware update framework. The previous automatic firmware update approach has its limits as major market players introduce significant changes requiring long update sessions, which can sometimes cause devices to malfunction.
  
  Using fwupd, Chrome OS provides a UI for firmware updates for peripheral devices, allowing users to perform the update when needed.

• Crostini upgrades to Debian 11 (Bullseye)   
  
  When users signed up for Crostini, they received a container with Debian 10 (Buster). Debian 11 (Bullseye) is now stable and used for new Crostini installs. We recommend that existing Crostini users upgrade to Bullseye  to access new features and simplify support.
  
  Chrome  allows users to trigger an upgrade, both via a prompt that occurs at certain times, as well as through Settings. The upgrade displays progress to the user and explains any errors that might occur.
  
  In addition, Chrome 101 now stores an upgrade log, in Downloads, and notifies the user about it, so it's easier to troubleshoot upgrade issues.

• UI improvements for the Camera app   
  
  Chrome 101 includes improvements for the Chrome OS Camera app, to make it simpler and easier to use. On the left-side tool, it is easier to access the different options and users can now clearly see what feature is currently turned on or off. Under the Settings tab, we’ve made all Camera options more readable and easier to find. 

• Cursive canvas lock   
  
  A new canvas lock toggle in Cursive allows you to quickly enable or disable pan and zoom for the canvas. This helps avoid any accidental movements of the canvas while you write. You can turn on canvas lock from the 3-dot menu, and then quickly toggle it using a button on top of the canvas.

• Forced reboot across managed devices   
  
  Admins can now automate the reboot process across managed devices. To help reduce operational overhead and improve certain application flows, you can schedule recurring device reboots across kiosks, managed guest and standard user sessions. This essentially forces the device to reboot, even during an active session.

Admin console updates

• Identification variables for Android managed configuration policy   
  
  Managed configuration files can now include placeholders that Chrome OS substitutes for the indicated value(s) before providing the configuration file to the Android app. Admins can work with the Android app developer to determine what values to use in a custom policy. All values are optional. See the help center for more details on specific identification variables.

• New policies in the Admin console   
   

  Policy Name	Pages	Supported on	Category/Field
  CORSNonWildcardRequestHeadersSupport	User & Browser Settings	Chrome Chrome OS Android	Network > CORS non-wildcard request headers support
  TouchVirtualKeyboardEnabled	User & Browser Settings Managed Guest Session	Chrome OS	Accessibility > On-screen keyboard in tablet mode
  DeviceRestrictedManagedGuestSessionEnabled	Device Settings	Chrome OS	Imprivata > Shared Kiosk mode
  RestrictedManagedGuestSessionExtensionCleanupExemptList	Device Settings	Chrome OS	Imprivata > Shared apps & extensions
  FastPairEnabled	User & Browser Settings Managed Guest Session	Chrome OS	Other settings > Fast Pair (fast Bluetooth pairing)

   

   

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

• Chrome apps no longer supported on Windows, Mac, and Linux as early as Chrome 102   
  
  As previously announced, Chrome apps will be phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 102 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy called ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 releases.
  
  If you're force-installing any Chrome apps, users will be shown a message stating that the app is no longer supported. To fix this, remove the extension ID from the force-install extension list, and if necessary they can add the corresponding install_url to the Web App force install list. For common Google apps, the install_urls are listed below:
   

  Property	Extension ID (Chrome App)	install_url (PWA / Web App)
  Gmail	pjkljhegncpnkpknbcohdijeoejaedia	https://mail.google.com/mail/ installwebapp?usp=admin
  Docs	aohghmighlieiainnegkcijnfilokake	https://docs.google.com/document/ installwebapp?usp=admin
  Drive	apdfllckaahabafndbhieahigkjlhalf	https://drive.google.com/drive/ installwebapp?usp=admin
  Sheets	felcaaldnbdncclmgdcncolpebgiejap	https://docs.google.com/spreadsheets/ installwebapp?usp=admin
  Slides	aapocclcgogkmnckokdopfmhonfmgoek	https://docs.google.com/presentation/ installwebapp?usp=admin
  Youtube	blpcfgokakmgnkcojhhkbfbldkacnbeo	https://www.youtube.com/s/notifications/ manifest/cr_install.html

   

   

• Privacy Sandbox updates in Chrome 102   
  
  The Privacy Sandbox release in Chrome 102 will provide controls for the new Topics & Interest Group APIs. It will also introduce a one-time dialog that explains Privacy Sandbox to users and will allow them to manage their preferences. This dialog will not be shown for Guest users or managed EDU users.
  
  Admins will be able to prevent the dialog from appearing for their managed users by controlling third party cookies explicitly via policy:
   
  • To allow third party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to disabled 
  • To disallow third party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to enabled. This may cause some sites to stop working.
  Privacy Sandbox features will also be disabled, and no dialog shown, if DefaultCookiesSetting is set to Do not allow any site to set local data.

• Private extensions using Manifest V2 no longer accepted in the Chrome Web Store in June 2022   
  
  As part of the gradual deprecation of Manifest V2, the Chrome Web Store stopped accepting submissions of new Public or Unlisted Manifest V2 extensions after January 17, 2022. In June 2022, Chrome expands this restriction to new extensions with Private visibility, which may have a more significant impact on Enterprise extension workflows. Extensions that are already submitted can continue to be updated until January 2023.
  
  For more details, refer to the Manifest V2 support timeline.

• Chrome will send Private Network Access preflights for subresources as early as Chrome 102   
  
  As early as Chrome 102, Chrome plans to send a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new Access-Control-Request-Private-Network: true header. In this initial phase, this request is sent, but no response is required from network devices.
  
  In a future milestone of Chrome, the response must carry a matching Access-Control-Allow-Private-Network: true header.
  
  A private network request is any request from a public website to a private IP address or localhost, or from a private website, for example, an intranet, to localhost. Sending a preflight request mitigates the risk of cross-site request forgery attacks against private network devices such as routers, which are often not prepared to defend against this threat.

• Chrome will use MiraclePtr to improve security as early as Chrome 102   
  
  MiraclePtr is a technology that reduces the risk of security vulnerabilities relating to memory safety. Chrome is currently testing the impacts of MiraclePtr for some users. A full release is planned as early as Chrome 102.

• MetricsReportingEnabled policy available on Android in Chrome 102 
  
  Chrome-on-Android will slightly modify the first run experience to support the MetricsReportingEnabled policy.  If the admin has disabled metrics reporting, there will be no change. If the admin has enabled metrics, users will still be able to disable it.

• Chrome 103 will use case-matching on CORS preflight requests   
  
  Chrome 101 and below uppercases request methods when matching with Access-Control-Allow-Methods response headers in CORS preflight. Chrome 101 doesn't uppercase request methods, except for those normalized in the spec https://fetch.spec.whatwg.org/#concept-method-normalize, and so requires exact case-sensitive matching.
  
  Previously accepted, but now rejected:
  
      Request: fetch(url, {method: 'Foo'})
      Response Header: Access-Control-Allow-Methods: FOO
  
  Previously rejected, but now accepted:
  
      Request: fetch(url, {method: 'Foo'})
      Response Header: Access-Control-Allow-Methods: Foo
  
  Note: post and put are not affected because they are in https://fetch.spec.whatwg.org/#concept-method-normalize, while patch is affected.

• Chrome Actions on iOS in Chrome 103   
  
  Chrome Actions help users get things done fast, directly from the address bar. We first released Chrome Actions on desktop a couple of years ago, with Actions like Clear browsing data. In Chrome 103, we will bring some of them to Chrome on iOS, like:
   
  • Manage passwords
  • Open Incognito tab
  • Clear browsing data
  • And more!
  
  
  Chrome on iOS will allow users to take actions directly from the address bar, like clearing browsing data, using a button that will appear among auto-complete suggestions. This feature is already available on desktop platforms.

• Chrome 104 will no longer support OS X 10.11 and macOS 10.12   
  
  Chrome 104 will no longer support macOS versions 10.11 and 10.12, which are already outside of their support window with Apple. Users will have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security.

• Network Service on Windows will be sandboxed in Chrome 104   
  
  As early as Chrome 104, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service might be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy will allow you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.

• Default to origin-keyed agent clustering in Chrome 106   
  
  As early as Chrome 106, websites will be unable to set document.domain. Websites will need to use alternative approaches such as postMessage() or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it will need to send an Origin-Agent-Cluster: ?0 header along with all documents that require that behavior.  
  
  Note: document.domain has no effect if only one document sets it.
  
  An enterprise policy will be available to extend the current behavior.

• Chrome 107 will replace master_preferences with initial_preferences   
  
  Initial preferences allow you to deploy default preferences when users first open Chrome browser. The initial_preferences file will replace the master_preferences file, which accomplished the same thing before Chrome 91. To minimize disruption, Chrome currently accepts both master_preferences and initial_preferences. In Chrome 107, Chrome will stop accepting the old master_preferences file name, and only accept the file if it is named initial_preferences.
  
  Please ensure that if you're using initial preferences, that the file is named initial_preferences and not master_preferences. You do not need to change the contents of the file in any way.

Upcoming Admin console changes

• New CSV export for some Chrome Admin console reports in Chrome 103   
  
  As early as Chrome 103, Chrome will introduce a new CSV download option for the Apps & Extensions Usage report data and the Versions report data.
  
  

↑ back to top

 

Chrome browser updates

• Screen sharing fix for macOS   
  
  If your users are having trouble sharing their screens on macOS, please see this guide for instructions on how to fix it.

• Chrome major version number reaches 100   
  
  Chrome is now on a 3-digit version number.  When browsers went from version 9 to 10, the increase in the number of digits uncovered many issues in User-Agent string parsing libraries.
  
  An Enterprise policy ForceMajorVersionToMinorPositionInUserAgent is available to control whether the User-Agent string major version should be frozen at 99. If you have an app that is broken in version 100 due to a User-Agent parsing error, you can set the policy to 2 and the User-Agent string freezes the major version at 99 and includes the browser's major version in the minor position.

• Updates for Legacy Browser Support <open-in> rules   
  
  When the BrowserSwitcherParsingMode policy is set to IE-compatible, Chrome updates the Legacy Browser Support rules:
   
  • For v2 sitelists, <open-in> behavior is changed in the following ways:
    • <open-in>None</open-in> entries are treated as a greylist, and will open in any browser, rather than as inverted sitelist entries.
    • <open-in>MSEdge</open-in> entries will open in Chrome, as Windows treats this to mean the default, modern browser.
    • Anything unspecified opens in any browser, the same as greylist entries
  • For v1 sitelists, doNotTransition="true" entries  are treated as a greylist, and will open in any browser, rather than as inverted sitelist entries.
  
  To mitigate disruption, this change only applies if you set BrowserSwitcherParsingMode policy is set to 1.
  
  The documentation for Legacy Browser Support can be found here.

• Chrome 100 removes the AllowSyncXHRInPageDismissal policy   
  
  The AllowSyncXHRInPageDismissal policy was introduced in Chrome 78 to give enterprises more time to adapt to the removal of synchronous XHR requests during page dismissal. Though this policy was originally planned to be removed in Chrome 93, the transition period was extended to allow developers more time to adapt. This transition period is now closed and Chrome 100 removes this policy.

• New WebHID enterprise policies   
  
  As early as Chrome 100, Chrome adds new policies to manage the WebHID API. DefaultWebHidGuardSetting configures the default API behavior for all URLs and can be configured to allow origins to Ask for new device permissions or Block all permission requests. The WebHidAskForUrls and WebHidBlockedForUrls policies override the default policy for specific URLs.
  
  Three new policies are added for automatically granting device permissions. URLs contained in the WebHidAllowAllDevicesForUrls policy will be automatically granted permissions for any connected device. The WebHidAllowDevicesForUrls and WebHidAllowDevicesWithHidUsagesForUrls policies can be used to grant narrower permissions by matching against vendor and product IDs or application collection usages in the HID report descriptor.

• Chrome 100 removes Lite Mode on Android   
  
  Lite Mode was a way to reduce data usage on Android devices. Since its introduction, the cost of data has been reduced in many countries, and Chrome has invested in other ways to save data. As a result, Lite Mode is no longer available, including the DataCompressionProxyEnabled policy used to control it.

• Chrome Actions introduced on Android   
  
  Chrome Actions help users get things done fast, directly from the address bar. We first released Chrome Actions on desktop a couple of years ago, with Actions like Clear browsing data. Now, we’re bringing some of them to Chrome on Android, like:
   
  • Manage passwords
  • Open Incognito tab
  • Clear browsing data
  • And more!
  
  Chrome on Android allows users to take actions directly from the address bar, like clearing browsing data, using a button that appears among auto-complete suggestions. This feature is already available on desktop platforms.

• Chrome on Android supports login using QR codes   
  
  Chrome 100 allows users to use any Android phone as a security key by scanning a QR code. Previously, only phones that were syncing to the same Google account as the desktop could be used. Bluetooth is still required to show proximity. 
  
  

• Updates to the Certificate Transparency policy   
  
  In Chrome 100, the Certificate Transparency requirements in Chrome change; certificates are no longer required to include signed certificate timestamps (SCTs) from one Google operated and one non-Google operated log, and instead are required to include SCTs from at least two logs from different operators. Additionally, the amount of SCTs required for certificates with a lifetime between 180 days and 15 months increase, from 2 to 3. The existing policies that allow selectively disabling CT enforcement (CertificateTransparencyEnforcementDisabledForCas, CertificateTransparencyEnforcementDisabledForLegacyCas, and CertificateTransparencyEnforcementDisabledForUrls) continue to work.

• Multi-Screen Window Placement API stable launch   
  
  Multi-Screen Window Placement API adds new screen information APIs and makes incremental improvements to existing window placement APIs, allowing web applications to offer compelling multi-screen experiences. The existing singular window.screen offers a limited view of available screen space, and window placement functions generally clamp bounds to the current screen. This feature unlocks modern multi-screen workspaces for web applications.
  
  A new set of policies, DefaultWindowPlacementSetting, WindowPlacementAllowedForUrls, and WindowPlacementBlockedForUrls, lets admins force their fleet to employ a default setting and automatically accept or deny the Window Placement permission without prompting the user, per origin.

• Changes to tab-sharing blue border behavior   
  
  When a user shares their tab, the blue border used to indicate that a tab is being shared no longer appears around the whole tab. Instead, only the captured content has a blue border.
  
  

• Chrome on iOS users can choose their default website view   
  
  In Chrome on iOS, users can choose the default view, Desktop or Mobile, in which the websites are requested. You can access this from Settings.

• Chrome adds Google Account-tied tokens to Enhanced Safe Browsing pings   
  
  For users who consented to Enhanced Safe Browsing and are signed in to their Google accounts, Chrome adds Google Account-tied tokens to various incident reporting pings, except when in Incognito mode. This enables better tailored protection after encountering Safe Browsing warnings.
  
  You control this feature on your environment using the SafeBrowsingProtectionLevel enterprise policy.

• Dismiss password alerts on Desktop   
  
  To reduce noise from unnecessary alerts, Chrome Desktop users can now dismiss password alerts for compromised passwords. You can prevent end users from dismissing password alerts with the PasswordDismissCompromisedAlertEnabled policy.

• Chrome expands SCT auditing to more users   
  
  As part of Chrome's Certificate Transparency protections, Chrome expands the existing signed certificate timestamp (SCT) auditing to all users that have Safe Browsing enabled. With this change, Chrome makes rare — less than one in 10,000 TLS connections — privacy-preserving queries to Google to ensure that Certificate Transparency logs are operating correctly. If a query detects a misbehaving log, the client will provide evidence of that misbehavior (the certificate chain and all SCTs) to Google. Chrome does not share certificates that are not issued by publicly trusted root certificates. CT ensures that all certificates or SCTs from publicly trusted roots are already public information, and no additional data is collected.

• Chrome no longer supports TLS 1.0/1.1  on Android WebView   
  
  In Chrome 98, TLS 1.0/1.1 support was fully removed from Chrome on Windows, Mac, Linux, Android, and iOS. Starting in Chrome 100, TLS 1.0/1.1 is no longer supported on Android WebView. This might affect Android Apps using WebView which rely on connecting to a server that does not support TLS 1.2 or higher. Please update any servers to support modern TLS versions.

• Enterprise policies are available for new users on iOS   
  
  Chrome 100 on iOS checks for enterprise policies at the very beginning of a user’s first run experience, so that the user's experience immediately corresponds to the enterprise configuration.

• New and updated policies in Chrome browser   
   

  Policy	Description
  PasswordDismissCompromisedAlertEnabled	Enable dismissing compromised password alerts for entered credentials.
  AllHttpAuthSchemesAllowedForOrigins	List of origins allowing all HTTP authentication.
  DefaultWebHidGuardSetting	Control use of the WebHID API.
  WebHidAskForUrls	Allow the WebHID API on these sites.
  WebHidBlockedForUrls	Block the WebHID API on these sites.
  WebHidAllowAllDevicesForUrls	Automatically grant permission to sites to connect to any HID device.
  WebHidAllowDevicesForUrls	Automatically grant permission to these sites to connect to HID devices with the given vendor and product IDs.
  WebHidAllowDevicesWithHidUsagesForUrls	Automatically grant permission to these sites to connect to HID devices containing top-level collections with the given HID usage.
  OriginAgentClusterDefaultEnabled	Allows origin-keyed agent clustering by default.
  DefaultWindowPlacementSetting	Default Window Placement permission setting.
  WindowPlacementAllowedForUrls	Allow Window Placement permission on these sites.
  WindowPlacementBlockedForUrls	Block Window Placement permission on these sites.
  ExemptDomainFileTypePairsFromFileTypeDownloadWarnings	Disable download file type extension-based warnings for specified file types on domains.

Chrome OS updates

• Chrome OS Dictation text editing   
  
  Dictation lets you use your voice to dictate text anywhere you would usually type on your Chromebook. Now, you can also edit text with your voice using commands like delete, undo, or select all. This feature is particularly useful for those who have motor impairments or anyone who prefers to use their voice to type.
  
  We’re initially launching with a small number of commands; we plan to add more in the future. Try it out by turning on dictation under Settings > Accessibility > Keyboard and text input. Whenever you are in a text area, you can select Search + d to activate dictation.

• Chrome OS Flex   
  
  We announced early access to a new version of Chrome OS bringing the benefits of Chrome OS to PCs and Macs. Chrome OS Flex is the cloud-first, fast, easy-to manage, and secure operating system for PCs and Macs. Chrome OS Flex is now on the beta channel and since launch, 100+ more devices have been verified to work with Chrome OS Flex. Try it out and share your feedback to help us shape this product.

Admin console updates

• Chrome Browser Cloud Management (CBCM) supports Chrome on Android   
  
  CBCM now supports enrolling Chrome on Android and sends reporting information back to the Admin console. Admins can get reporting information on policies that have been enabled, the OS version, model name, and other important data. More details are in our help center.

• Remotely connect to any device from the Admin console   
  
  Admins can now establish a remote Chrome Remote Desktop (CRD) connection using a remote command under Device details for any device with an affiliated user or managed guest session. Previously, this feature was only available for devices in kiosk mode. More details are in our help center.

• New policies in the Admin console   
   

  Policy Name	Pages	Supported on	Category/Field
  SandboxExternalProtocolBlocked	User & Browser Settings; Managed Guest Session	Chrome Chrome OS	Content > iframe navigation
  NetworkServiceSandboxEnabled	User & Browser Settings	Browser	Network > Network service sandbox
  UserAgentReduction	User & Browser Settings; Managed Guest Session	Chrome Chrome OS Android	Network > User-Agent Reduction
  UserAgentClientHintsGREASEUpdateEnabled	User & Browser Settings; Managed Guest Session	Chrome Chrome OS Android	Network > User-Agent client hints
  DeviceI18nShortcutsEnabled	Device Settings	Chrome OS	Other settings > International keyboard shortcuts mapping
  QuickAnswersEnabled	User & Browser Settings; Managed Guest Session	Chrome OS	User experience > Quick Answers > Enable Quick Answers
  QuickAnswersDefinitionEnabled	User & Browser Settings; Managed Guest Session	Chrome OS	User experience > Quick Answers > Enable Quick Answers definition
  QuickAnswersTranslationEnabled	User & Browser Settings; Managed Guest Session	Chrome OS	User experience > Quick Answers > Enable Quick Answers translation
  QuickAnswersUnitConversionEnabled	User & Browser Settings; Managed Guest Session	Chrome OS	User experience > Quick Answers > Enable Quick Answers unit conversion

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

• Chrome 101 will remove setTimeout clamping to 1ms   
  
  Chrome 101 removes a web intervention for some users that clamped setTimeout(function,0) timers to 1ms. In Chrome 101, those users will see timers fire immediately. Note that nested timer calls will clamp to 4ms after repeated nested calls. This change brings Chrome in line with web specifications and may improve performance on some pages.
  
  It's possible that this change will introduce bugs in web applications that rely on the current clamped behavior. If you have any apps affected by this change, you can use the SetTimeoutWithout1MsClampEnabled policy to revert to the Chrome 100 behavior.

• Chrome 101 will add new CSV Export for some Chrome Admin console reports   
  
  As early as Chrome 101, Chrome will introduce a new CSV download option for the Apps & Extensions Usage report data and the Versions report data.
  
  

• Deprecation Origin Trial for UA Reduction in Chrome 101   
  
  As previously announced, Chrome 101 protects user privacy by reducing the granularity of information in the User-Agent string. In this phase, the MINOR.BUILD.PATCH version info is reduced to "0.0.0". If a site needs this information, it should migrate to the User Agent Client Hints API. Sites that need more time to test or migrate can take advantage of a Deprecation Trial, starting in Chrome 100.
  
  You can also control this using the UserAgentReduction Enterprise policy. You can test the new reduced-granularity User-Agent string by setting the policy to 2, or you can delay the change while you update your apps by setting it to 1.

• Chrome Browser Cloud Management will maintain compatibility with the most recent 12 versions of Chrome   
  
  Starting with Chrome 101, Chrome Browser Cloud Management will maintain compatibility with the most recent 12 versions of Chrome. Older versions may lose some CBCM features without notice, or behave unexpectedly. For your security, you should keep Chrome auto-update enabled, which will keep your fleet on the most recent version of Chrome. If you manage Chrome updates manually, staying close to the most recent version will both keep your users safer, and ensure you stay within the CBCM compatibility window.

• Chrome 101 will support Android 13 and above notification permission changes   
  
  Android 13 is changing the way push notification permissions behave by default. All Android apps will require users to explicitly allow OS notification permissions (as opposed to Android 12 and earlier where it was granted by default). Chrome running on this version of Android will prompt the user for permission at app launch up to two times.

• MetricsReportingEnabled policy available in Chrome 101 on Android   
  
  Chrome-on-Android will be slightly modifying the First Run Experience to support the MetricsReportingEnabled policy.  If the admin has disabled metrics reporting, there will be no change. If the admin has enabled metrics, users will still be able to disable it.

• Privacy Sandbox updates in Chrome 101   
  
  The Privacy Sandbox release in Chrome 101 provides controls for the new Topics & Interest Group APIs. It also introduces a one-time dialog that explains Privacy Sandbox to users and allows them to manage their preferences. This dialog is not shown for Guest users or managed EDU users.
  
  Admins can prevent the dialog from appearing for their managed users by controlling third party cookies explicitly via policy:
   
  • To allow third party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to disabled 
  • To disallow third party cookies and Privacy Sandbox features, set BlockThirdPartyCookies to enabled. This may cause some sites to stop working.
  
  Privacy Sandbox features will also be disabled (and no dialog shown) if DefaultCookiesSetting is set to Do not allow any site to set local data.

• WebSQLInThirdPartyContextEnabled will be removed in Chrome 101   
  
  WebSQLInThirdPartyContextEnabled was introduced to give admins additional time to react to the removal of WebSQL in a third-party context. As planned, it is removed in Chrome 101.

• Compare search results with new Side Search feature in Chrome 101   
  
  Side Search allows users to compare search results via a side panel UI to get the right answer faster. This means users can view a page and the search results at the same time, without needing to navigate back and forth or losing their search results. This is helpful for users who are actively searching for something and need more than one site, for example, planning an employee dinner, putting together presentations, and so on. This feature can be controlled using the SideSearchEnabled policy.

• Legacy policies with non-inclusive names will be removed in Chrome 101   
  
  Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (for example, whitelist, blacklist). In order to minimize disruption for existing managed users, both the old and the new policies currently work.
  
  This transition period was originally planned for Chrome 95, but was extended to Chrome 101 to give admins more time to transition their policies. In Chrome 101, the policies in the left column of the following table will no longer function. Please ensure you're using the corresponding policy from the right column instead:
   

  Legacy Policy Name	New Policy Name
  NativeMessagingBlacklist	NativeMessagingBlocklist
  NativeMessagingWhitelist	NativeMessagingAllowlist
  AuthNegotiateDelegateWhitelist	AuthNegotiateDelegateAllowlist
  AuthServerWhitelist	AuthServerAllowlist
  SpellcheckLanguageBlacklist	SpellcheckLanguageBlocklist
  AutoplayWhitelist	AutoplayAllowlist
  SafeBrowsingWhitelistDomains	SafeBrowsingAllowlistDomains
  ExternalPrintServersWhitelist	ExternalPrintServersAllowlist
  NoteTakingAppsLockScreenWhitelist	NoteTakingAppsLockScreenAllowlist
  PerAppTimeLimitsWhitelist	PerAppTimeLimitsAllowlist
  URLWhitelist	URLAllowlist
  URLBlacklist	URLBlocklist
  ExtensionInstallWhitelist	ExtensionInstallAllowlist
  ExtensionInstallBlacklist	ExtensionInstallBlocklist
  UserNativePrintersAllowed	UserPrintersAllowed
  DeviceNativePrintersBlacklist	DevicePrintersBlocklist
  DeviceNativePrintersWhitelist	DevicePrintersAllowlist
  DeviceNativePrintersAccessMode	DevicePrintersAccessMode
  DeviceNativePrinters	DevicePrinters
  NativePrinters	Printers
  NativePrintersBulkConfiguration	PrintersBulkConfiguration
  NativePrintersBulkAccessMode	PrintersBulkAccessMode
  NativePrintersBulkBlacklist	PrintersBulkBlocklist
  NativePrintersBulkWhitelist	PrintersBulkAllowlist
  UsbDetachableWhitelist	UsbDetachableAllowlist
  QuickUnlockModeWhitelist	QuickUnlockModeAllowlist
  AttestationExtensionWhitelist	AttestationExtensionAllowlist
  PrintingAPIExtensionsWhitelist	PrintingAPIExtensionsAllowlist
  AllowNativeNotifications	AllowSystemNotifications
  DeviceUserWhitelist	DeviceUserAllowlist
  NativeWindowOcclusionEnabled	WindowOcclusionEnabled

  
  
  If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy.
  
  If you're managing Chrome via the Google Admin console (for example, Chrome Browser Cloud Management), no action is required; the Google Admin console will manage the transition automatically.
   

• Chrome apps will no longer work in Chrome 102 on Windows, Mac, and Linux   
  
  As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps on Windows, Mac, and Linux will now stop functioning in Chrome 102. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps for an additional 2 releases.

• Chrome 102 to use case-matching on CORS preflight requests   
  
  Chrome 101 and previous releases uppercase request methods when matching with Access-Control-Allow-Methods response headers in CORS preflight. Chrome 102 no longer uppercases request methods, except for those normalized in the spec. So, Chrome 102 and later will require exact case-sensitive matching.
   

  Previously accepted, but now rejected:

      Request: fetch(url, {method: 'Foo'})
      Response Header: Access-Control-Allow-Methods: FOO

  Previously rejected, but now accepted:

      Request: fetch(url, {method: 'Foo'})
      Response Header: Access-Control-Allow-Methods: Foo

  
  Note: post and put methods are not affected because they are in in the spec, while patch is affected.

• Chrome to send Private Network Access preflights for subresources   
  
  As early as Chrome 102, Chrome plans to send a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new Access-Control-Request-Private-Network: true header. In this initial phase, this request is sent, but no response is required from network devices.
  
  In a future release of Chrome, the response must carry a matching Access-Control-Allow-Private-Network: true header.
  
  A private network request is any request from a public website to a private IP address or localhost, or from a private website, for example, an intranet, to localhost. Sending a preflight request mitigates the risk of cross-site request forgery attacks against private network devices such as routers, which are often not prepared to defend against this threat.

• Chrome to use MiraclePtr to improve security   
  
  MiraclePtr is a technology that reduces the risk of security vulnerabilities relating to memory safety. Chrome is currently testing the impacts of MiraclePtr for some users. A full release is planned as early as Chrome 102.

• Network Service on Windows will be sandboxed in Chrome 102   
  
  As early as Chrome 102, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.

• Default to origin-keyed agent clustering in Chrome 106   
  
  As early as Chrome 106, websites will be unable to set document.domain. Websites will need to use alternative approaches  such as postMessage() or Channel Messaging API  to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it will need to send an Origin-Agent-Cluster: ?0  header along with all documents that require that behavior.  
  
  Note: document.domain has no effect if only one document sets it.
  
  An enterprise policy will be available to extend the current behavior.

↑ back to top

 

Chrome browser updates

• Uninstall WebApps from Windows OS settings   
  
  Windows provides a mechanism to uninstall native Win32 apps through Windows settings or the Control Panel. This feature allows you to uninstall Progressive Web Apps (PWAs) in the same way on the Windows operating system.

• Certificate Transparency expanded on Android   
  
  Certificate transparency is already enforced on desktop platforms, and for some Android users. Chrome 99 expands certificate transparency to all Android Chrome users.

• Rollback on private network access pre-flights   
  
  Chrome 98 introduced Private Network Access pre-flights to improve user security. Due to bug reports, Chrome 99 rolls back this feature to better address interactions with developer and enterprise environments. We will announce plans to re-introduce this feature in future release notes.

• Chrome 99 adds the NTPMiddleSlotAnnouncementVisible policy   
  
  Enterprise administrators are able to control the visibility of the middle slot announcement on the Desktop New tab page using the NTPMiddleSlotAnnouncementVisible enterprise policy. 

• Chrome 99 updates the code signing certificate for Chrome on macOS   
  
  The code signing certificate for Chrome on macOS is changing. If you are managing Chrome with Parental Controls Application Restrictions, you need to update the designated requirement in the configuration profile, under the appID key. An example profile with the updated designated requirements can be found here: https://crbug.com/1295049#c3.
  
  Similarly, managing Chrome's Privacy Preferences Policy Control with the CodeRequirement key might also require an update. If you have been using the designated requirement from a previous version of Chrome, you need to update the CodeRequirement key. You can view the updated requirement with the following command: 
  
  > codesign -d -r- /Path/to/Chome99.app

• Chrome 99 removes the CrossOriginWebAssemblyModuleSharingEnabled policy   
  
  Chrome 95 prevented WebAssembly module sharing between cross-origin but same-site environments, but included a temporary policy, CrossOriginWebAssemblyModuleSharingEnabled, to bypass the feature. Chrome 99 removes this temporary policy.

• New and updated policies in Chrome browser   
   

  Policy	Description
  NTPMiddleSlotAnnouncementVisible	Show the middle slot announcement on the New Tab Page
  ForceMajorVersionToMinorPositionInUserAgent	Test the 3-digit Major Version number in UA strings
  NewTabPageLocation New on iOS	Configure the New Tab page URL

  
   
   

Chrome OS updates

• Nearby Share background scanning   
  
  Nearby Share is Google’s solution to enable seamless sharing from device to device. To provide a better user experience, Chrome OS adds support for background scanning, which allows a Chrome OS device to detect and proactively notify a user when someone nearby is sharing which makes it easier to share without having to temporarily enter high visibility mode. This functionality has been present on Android since the launch of Nearby Share in 2019, and now behaves the same way on Chrome OS, to ensure consistency and predictability.

• Keep full-screen mode after unlock   
  
  Chrome 99 improves support for full screen VDI use cases. Until now, full screen virtualized desktops returned to a maximized window after unlocking a device. The new KeepFullscreenWithoutNotificationUrlAllowList policy allows admins to exempt certain URLs and apps from exiting full screen after unlock. This unblocks the use of virtualized desktops in user sessions and in Imprivata-based managed guest sessions.

• Introducing the Files SWA   
  
  Up to now, the Files app was a Chrome App. Chrome 99 implements FIles as a System Web App (SWA). The Files SWA provides the same features as the Files Chrome App.

• Optimized user experience on touch screens   
  
  Chrome 99 improves the user experience on touchscreen devices through better palm rejection performance. This is achieved by optimizing touches from multiple fingers.

• Drag windows to New Desk in Overview   
  
  You can now create a new desk on the fly for an existing window by dragging and dropping a window to New Desk in Overview.

• GIF animation mode on Camera   
  
  With GIF mode, you can now record up to five-second videos of product demos, and it will automatically turn into a shareable GIF.
   

Admin console updates

• New policies in the Admin console   
   

  Policy Name	Pages	Supported on	Category/Field
  SideSearchEnabled	User & Browser Settings	Chrome OS	Omnibox search provider > Side panel search history
  NetworkServiceSandboxEnabled	User & Browser Settings	Chrome	Network > Network service sandbox
  FullRestoreEnabled	Additional Apps Settings	Chrome OS	Additional application settings > Full restore
  GhostWindowEnabled	Additional Apps Settings	Chrome OS	Additional application settings > Android ghost windows
  RegisteredProtocolHandlers	User & Browser Settings	Chrome Chrome OS	Content > Custom Protocol Handlers
  WebSQLInThirdPartyContextEnabled	User & Browser Settings; Managed Guest Session	Chrome Chrome OS Android	Security > WebSQL in third-party context
  BrowserSwitcherParsingMode	User & Browser Settings	Chrome	Legacy Browser Support > Sitelist parsing mode
  DeviceScheduledReboot	Device settings	Chrome OS	Power and shutdown > Scheduled reboot
  QuickAnswersEnabled	User & Browser Settings; Managed Guest Session	Chrome OS	User Experience > Quick Answers > Enable Quick Answers
  QuickAnswersDefinitionEnabled	User & Browser Settings; Managed Guest Session	Chrome OS	User Experience > Quick Answers > Enable Quick Answers definition
  QuickAnswersTranslationEnabled	User & Browser Settings; Managed Guest Session	Chrome OS	User Experience > Quick Answers > Enable Quick Answers translation
  QuickAnswersUnitConversionEnabled	User & Browser Settings; Managed Guest Session	Chrome OS	User Experience > Quick Answers > Enable Quick Answers unit conversion

  
  
  

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

• Chrome 100 will remove the AllowSyncXHRInPageDismissal policy   
  
  The AllowSyncXHRInPageDismissal policy was introduced in Chrome 78 to give enterprises more time to adapt to the removal of synchronous XHR requests during page dismissal. Though this policy was originally planned to be removed in Chrome 93, the transition period was extended to allow developers more time to adapt. This transition period is now closed and the policy will be removed in Chrome 100.

• Chrome 100 will update Legacy Browser Support <open-in> rules   
  
  In Chrome 100, when the BrowserSwitcherParsingMode policy is set to IE-compatible, Legacy Browser Support rules are updated:
   
  • For v2 sitelists, <open-in> behavior is changed in the following ways:
    • <open-in>None</open-in> entries are treated as a greylist, and will open in any browser, rather than as inverted sitelist entries.
    • <open-in>MSEdge</open-in> entries will open in Chrome, as Windows treats this to mean the default, modern browser.
    • Anything unspecified opens in any browser, the same as greylist entries
  • For v1 sitelists: 
    • doNotTransition="true" entries  are treated as a greylist, and will open in any browser, rather than as inverted sitelist entries.
  
  
  To mitigate disruption, this change only applies if you set BrowserSwitcherParsingMode policy is set to 1.
  
  For more details on Legacy Browser Support, see here.

• Chrome Major Version number will reach 100   
  
  Chrome will reach a 3-digit major version number in March, 2022.  When browsers went from version 9 to 10, the increase in the number of digits uncovered many issues in User-Agent string parsing libraries. In order to avoid the same issue again, developers and IT admins should test their services in advance. 
  
  To help, the Chrome team created the ForceMajorVersion100InUserAgent flag (chrome://flags/#force-major-version-to-100). This forces the browser to send 100 as the major version number; see blog for details.  You should use this flag to uncover and address any issues before Chrome 100 rolls out. We encourage admins to submit any issues encountered here. 
  
  An enterprise policy ForceMajorVersionToMinorPositionInUserAgent is also available to control whether the User-Agent string major version should be frozen at 99. If you have an app that is broken in version 100 (due to a User-Agent parsing error), you can set the policy to 2 and the User-Agent string will freeze the major version as 99 and include the browser's major version in the minor position. 

• Chrome 100 will remove Lite Mode on Android   
  
  Lite Mode was a way to reduce data usage on Android devices. Since its introduction, the cost of data has been reduced in many countries, and Chrome has invested in other ways to save data. As a result, Lite Mode will no longer be available, including the DataCompressionProxyEnabled policy used to control it.

• Updates to Certificate Transparency policy   
  
  In Chrome 100, the Certificate Transparency requirements in Chrome will change, certificates will no longer be required to include signed certificate timestamps (SCTs) from one Google operated and one non Google operated log, and instead will be required to include SCTs from at least two logs from different operators. Additionally, the amount of SCTs required for certificates with a lifetime between 180 days and 15 months will increase, from 2 to 3. The existing policies that allow selectively disabling CT enforcement (CertificateTransparencyEnforcementDisabledForCas, CertificateTransparencyEnforcementDisabledForLegacyCas, and CertificateTransparencyEnforcementDisabledForUrls) will continue to work.

• Network Service on Windows will be sandboxed   
  
  As early as Chrome 100, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.

• New WebHID enterprise policies   
  
  As early as Chrome 100, Chrome will add policies to manage the WebHID API. DefaultWebHidGuardSetting configures the default API behavior for all URLs and can be configured to allow origins to Ask for new device permissions or Block all permission requests. The WebHidAskForUrls and WebHidBlockedForUrls policies override the default policy for specific URLs.
  
  Three new policies are added for automatically granting device permissions. URLs contained in the WebHidAllowAllDevicesForUrls policy will be automatically granted permissions for any connected device. The WebHidAllowDevicesForUrls and WebHidAllowDevicesWithHidUsagesForUrls policies can be used to grant narrower permissions by matching against vendor and product IDs or application collection usages in the HID report descriptor.

• Support for Encrypted Client Hello (ECH)   
  
  As early as Chrome 100, Chrome will start supporting ECH as a continuation of our network related efforts to improve our users’ privacy and safety on the web, for example, Secure DNS. Many organizations’ infrastructure relies on the ability to inspect Server Name Indication (SNI), for example, with filtering, logging, and so on. You might want to explore a DNS-based approach and the associated group policies from the OS, or Chrome browser for DNS-over-HTTPS.

• New CSV export for some Admin console reports   
  
  As early as Chrome 100, Chrome will introduce a new CSV download option for the Apps & Extensions Usage report data and the Versions report data.
  
   

• Deprecation Origin Trial for UA reduction   
  
  As previously announced, Chrome 101 protects user privacy by reducing the granularity of information in the User-Agent (UA) string. In this phase, the MINOR.BUILD.PATCH version info is reduced to "0.0.0". If a site needs this information, it should migrate to the User Agent Client Hints API. Sites that need more time to test or migrate can take advantage of a Deprecation Trial, starting in Chrome 100.
  
  You can also control this using the UserAgentReduction enterprise policy. You can test the new reduced-granularity UA string by setting the policy to 2. Alternatively,  you can delay the change while you update your apps by setting it to 1.

• chrome://management for Chrome-on-Android   
  
  The chrome://management page is being updated to have more detail when Chrome-on-Android is managed via Chrome Browser Cloud Management.
  
  

• Multi-Screen Window Placement API stable launch   
  
  Multi-Screen Window Placement API will add new screen information APIs and will make incremental improvements to existing window placement APIs. This will allow web applications to offer compelling multi-screen experiences. The existing singular window.screen offers a limited view of available screen space, and window placement functions generally restrict the current screen. This feature will unlock modern multi-screen workspaces for web applications.
  
  A new set of policies, DefaultWindowPlacementSetting, WindowPlacementAllowedForUrls, and WindowPlacementBlockedForUrls, will let admins force their fleet to employ a default setting and automatically accept or deny the Window Placement permission without prompting the user, on a per-origin basis.

• Chrome Browser Cloud Management will extend Chrome compatibility   
  
  As early as with Chrome 101, Chrome Browser Cloud Management will maintain compatibility with the most recent 12 versions of Chrome. Older versions may lose some CBCM features without notice, or behave unexpectedly. For your security, you should keep Chrome auto-update enabled, which will keep your fleet on the most recent version of Chrome. If you manage Chrome updates manually, staying close to the most recent version will both keep your users safer, and ensure you stay within the CBCM compatibility window.

• Legacy policies with non-inclusive names will be removed in Chrome 101   
  
  Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (for example, whitelist, blacklist). In order to minimize disruption for existing managed users, both the old and the new policies currently work.
  
  This transition period was originally planned for Chrome 95, but was extended to Chrome 101 to give admins more time to transition their policies. In Chrome 101, the policies in the left column of the following table will no longer function. Please ensure you're using the corresponding policy from the right column instead:
  
  

  Legacy Policy Name	New Policy Name
  NativeMessagingBlacklist	NativeMessagingBlocklist
  NativeMessagingWhitelist	NativeMessagingAllowlist
  AuthNegotiateDelegateWhitelist	AuthNegotiateDelegateAllowlist
  AuthServerWhitelist	AuthServerAllowlist
  SpellcheckLanguageBlacklist	SpellcheckLanguageBlocklist
  AutoplayWhitelist	AutoplayAllowlist
  SafeBrowsingWhitelistDomains	SafeBrowsingAllowlistDomains
  ExternalPrintServersWhitelist	ExternalPrintServersAllowlist
  NoteTakingAppsLockScreenWhitelist	NoteTakingAppsLockScreenAllowlist<
  PerAppTimeLimitsWhitelist	PerAppTimeLimitsAllowlist
  URLWhitelist	URLAllowlist
  URLBlacklist	URLBlocklist
  ExtensionInstallWhitelist	ExtensionInstallAllowlist
  ExtensionInstallBlacklist	ExtensionInstallBlocklist
  UserNativePrintersAllowed	UserPrintersAllowed
  DeviceNativePrintersBlacklist	DevicePrintersBlocklist
  DeviceNativePrintersWhitelist	DevicePrintersAllowlist
  DeviceNativePrintersAccessMode	DevicePrintersAccessMode
  DeviceNativePrinters	DevicePrinters
  NativePrinters	Printers
  NativePrintersBulkConfiguration	PrintersBulkConfiguration
  NativePrintersBulkAccessMode	PrintersBulkAccessMode
  NativePrintersBulkBlacklist	PrintersBulkBlocklist
  NativePrintersBulkWhitelist	PrintersBulkAllowlist
  UsbDetachableWhitelist	UsbDetachableAllowlist
  QuickUnlockModeWhitelist	QuickUnlockModeAllowlist
  AttestationExtensionWhitelist	AttestationExtensionAllowlist
  PrintingAPIExtensionsWhitelist	PrintingAPIExtensionsAllowlist
  AllowNativeNotifications	AllowSystemNotifications
  DeviceUserWhitelist	DeviceUserAllowlist
  NativeWindowOcclusionEnabled	WindowOcclusionEnabled

  
  
  If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy. 
  
  If you're managing Chrome via the Google Admin Console (for example, Chrome Browser Cloud Management), no action is required; the Google Admin Console will manage the transition automatically.

• Default to origin-keyed agent clustering   
  
  As early as Chrome 103, websites will be unable to set document.domain. Websites will need to use alternative approaches  such as postMessage() or Channel Messaging API  to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it will need to send an Origin-Agent-Cluster: ?0  header along with all documents that require that behavior.  
  
  Note: document.domain has no effect if only one document sets it.
  
  An enterprise policy will be available when this change ships to extend the current behavior.

DOWNLOAD Release notes (PDF)

↑ back to top

 

Chrome browser updates

• Use Chrome passwords in other apps on iOS   
  
  Chrome 98 informs iOS users that they can use any passwords saved in Chrome in other apps on their device.
  
  The Chrome > Settings > Passwords screen shows a new option for Passwords in Other Apps, which guides users to turn on this feature in iOS autofill settings.
  
  You can control if users can save passwords using Chrome with the PasswordManagerEnabled policy.

• Update GREASE brand list generation   
  
  User-Agent Client Hints GREASE aims to prevent bad or exclusionary assumptions from being built on top of the proposed replacement for User-Agent strings. This means that users of less well-tested browsers will not be rejected for not matching the precise format of a more-well tested browsers UA string.
  
  This change aligns our implementation of GREASE in User-Agent Client Hints with the current spec, which includes additional GREASE characters beyond the current semicolon and space, and which recommends varying the arbitrary version. While we are rolling out this change gradually and continue to watch for negative impacts, such as WAF software flagging headers as invalid traffic, admins can opt out using the UserAgentClientHintsGREASEUpdateEnabled enterprise policy.

• Chrome disables the U2F API by default  
  
  The U2F API is Chrome's legacy API for interacting with USB security keys. It has been superseded by the W3C Web Authentication API (WebAuthn). Chrome 98 disables the U2F API by default. With Chrome 104, the U2F API will be removed from Chrome.
  
  Sites can continue to use the U2F API beyond Chrome 98 if they enroll in an Origin Trial. Using the Origin Trial also suppresses the deprecation prompt on the enrolled pages. The Origin Trial will end on July 26, 2022, shortly before the release of Chrome 104.
  
  Enterprises can suppress deprecation related changes, and keep the U2F enabled, by using the U2fSecurityKeyApiEnabled enterprise policy. This enterprise policy will be removed from Chrome, together with the U2F API, in Chrome 104.
  
  If you run a website that still uses this API, please refer to the deprecation announcement and blog post for more details.

• Chrome no longer allows TLS 1.0 or TLS 1.1   
  
  The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.
  
  In Chrome 91, we announced that the policy no longer works, but users could still bypass the interstitial. In Chrome 98, it is not possible to bypass the interstitial.

• Private network access preflights for subresources   
  
  Chrome sends a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new Access-Control-Request-Private-Network: true header, and the response must carry a matching Access-Control-Allow-Private-Network: true header.
  
  A private network request is any request from a public website to a private IP address or localhost, or from a private website, for example, an Intranet, to a localhost. Sending a preflight request mitigates the risk of cross-site request forgery attacks against private network devices such as routers, which are often not prepared to defend against this threat.
  
  Chrome 98 sends these preflight requests but does not yet require them to succeed. Failed preflights only display warnings in DevTools, which you can use to detect problematic fetches in your web apps.  In Chrome 101 at the earliest, failed preflights will cause the entire request to fail depending on compatibility data. See the blog post for more information.
  
  You can control this behavior using enterprise policies InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls.

• Integrate Enhanced Safe Browsing preference with account settings   
  
  Chrome now prompts users who opt in to Account Enhanced Safe Browsing to enable Enhanced Safe Browsing in Chrome. Their Safe Browsing setting is still controlled by the SafeBrowsingProtectionLevel policy.

• TFLite model for client-side phishing detection   
  
  Chrome uses an on-device Machine Learning (ML) model to better detect phishing attempts, and better protect users. As in earlier versions, Chrome displays a full-page interstitial warning if Chrome detects a possible phishing attempt. This was previously launched for Android in Chrome 92, and is now on desktop platforms as well.
  
  With this change, Chrome sends the following to the Safe Browsing service:
  • the version of the model that was executed
  • the scores the model gave for each category
  • a boolean describing whether the new model was used to generate the scores
  
  You can control Safe Browsing using the SafeBrowsingProtectionLevel policy. This feature applies to users with the protection level set at 1 or greater.

• Chrome deprecates the installed_browser_version field in the Directory API   
  
  The installedBrowserVersion property in Chromebrowser resources in Directory API: Chrome Browsers has been deprecated and replaced by the pendingBrowserVersion property. The pendingBrowserVersion represents the version of Chrome browser that is installed on browser restart.

• New extensions must be submitted with Manifest v3   
  
  As part of the gradual deprecation of Manifest V2, the Chrome Web Store has stopped accepting submissions of new Manifest V2 extensions as of January 17, 2022. This applies to all new extension submissions with visibility set to Public or Unlisted.
  
  This change does not affect updates to already published extensions. Also, it does not impact extensions with visibility set to Private. The change is not expected to affect the operation of any existing extensions already deployed in Chrome. Note that the next phase of deprecation, in June of 2022, is expected to expand this restriction to extensions with Private visibility, which may have a more significant impact on Enterprise extension workflows. For more details, refer to the Manifest V2 support timeline.

• New and updated policies in Chrome browser   
  
  

  Policy	Description
  URLBlocklist (new on iOS)	Block access to a list of URLs
  URLAllowlist (new on iOS)	Allow access to a list of URLs
  UserAgentClientHintsGREASEUpdateEnabled	Control the User-Agent Client Hints GREASE Update feature
  UserAgentReduction	Enable or disable the User-Agent Reduction

Chrome OS updates

• Expanded keyboard shortcuts for Desks   
  
  Chrome 98 adds a new shortcut to make it faster and easier to switch Desks. Create up to 8 desks to organize your projects and use the shortcut Shift + Search  + 1 through Shift + Search  + 8 to jump from one desk to another using only the keyboard.

• Add Save to settings to screen capture   
  
  Now users can save screen captures to any local or drive folder of their choice, making capturing and using content even more efficient.

• Support for Network Based Recovery (NBR)   
  
  In Chrome 98, some users can re-flash their devices with a fresh copy of the OS and firmware, letting them recover if the message: Chrome OS is missing or damaged appears. NBR requires a network connection. This feature will roll out to more devices in later releases.

Admin console updates

• Search devices by version or model   
  
  In the Chrome filters view for the devices page for ChromeOS, you can now filter and search the devices by version and by model.

• New policies in the Admin console   
  
  

  Policy Name	Pages	Supported on	Category/Field
  ScreenBrightnessPercent	User & Browser Settings; Managed Guest Session	Chrome OS	Security > Screen brightness
  PrintPostScriptMode	User & Browser Settings	Chrome	Printing > PostScript printer mode
  SandboxExternalProtocolBlocked	User & Browser Settings; Managed Guest Session	Chrome Chrome OS	Content > iframe navigation
  U2fSecurityKeyApiEnabled	User & Browser Settings	Chrome	Security > U2F Security Key API
  DeviceRebootOnUserSignout	Device Settings	Chrome OS	Power and shutdown > Reboot on sign-out

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

• Chrome Major Version number will reach 100   
  
  Chrome will reach a 3-digit major version number in March, 2022.  When browsers went from version 9 to 10, the increase in the number of digits uncovered many issues in User-Agent string parsing libraries. In order to avoid the same issue again, developers and IT admins should test their services in advance. 
  
  To help, the Chrome team created the ForceMajorVersion100InUserAgent flag (chrome://flags/#force-major-version-to-100). This forces the browser to send 100 as the major version number (blog).  You should use this flag to uncover and address any issues before Chrome 100 rolls out. We encourage admins to submit any issues encountered here. 

• Network Service on Windows will be sandboxed   
  
  As early as Chrome 100, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.

• WebHID enterprise policies   
  
  As early as Chrome 100, Chrome will add policies to manage the WebHID API. DefaultWebHidGuardSetting configures the default API behavior for all URLs and can be configured to allow origins to Ask for new device permissions or Block all permission requests. The WebHidAskForUrls and WebHidBlockedForUrls policies override the default policy for specific URLs.
  
  Three new policies are added for automatically granting device permissions. URLs contained in the WebHidAllowAllDevicesForUrls policy will be automatically granted permissions for any connected device. The WebHidAllowDevicesForUrls and WebHidAllowDevicesWithHidUsagesForUrls policies can be used to grant narrower permissions by matching against vendor and product IDs or application collection usages in the HID report descriptor.

• Default to origin-keyed agent clustering   
  
  As early as Chrome 103, websites will be unable to set document.domain. Websites will need to use alternative approaches  such as postMessage() or Channel Messaging API  to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it will need to send an Origin-Agent-Cluster: ?0 header along with all documents that require that behavior. 
  
  Note: document.domain has no effect if only one document sets it.
  
  An enterprise policy will be available when this change ships to extend the current behavior.

• Change tab-sharing blue border behavior   
  
  When a user chooses to share their tab from a site participating in the region capture origin trial, the blue border used to signify that a tab is being shared will no longer be shown.

DOWNLOAD Release notes (PDF)

↑ back to top

 

Chrome browser updates

• Launch Control Flow Guard for Windows   
  
  Chrome 97 improves security by introducing Control Flow Guard (CFG) for Windows to make memory corruption vulnerabilities more difficult to exploit. This change might cause interoperability issues with software that injects code into Chrome’s process space, such as Data Loss Prevention software. Please file a bug to let us know if you encounter issues. 
  
  As CFG affects how Chrome is compiled, it is not possible to control it using enterprise policies, but you can test it in the Dev and Beta channels for Chrome 97.

• Certificate Transparency enabled on Chrome for Android   
  
  Certificate Transparency is already enforced on desktop platforms, and is now enforced for some users on Chrome 97 for Android, with a wider release planned for a later version. You can selectively disable Certificate Transparency using the CertificateTransparencyEnforcementDisabledForCas, CertificateTransparencyEnforcementDisabledForLegacyCas, and CertificateTransparencyEnforcementDisabledForUrls enterprise policies.  

• About this site   
  
  Some users in Chrome 97 see a short description of a website in the Site information UI if the Make searches and browsing better setting is enabled. 
   
  
   

• Test improvements to the Manage search engines settings   
  
  Site search helps users save time by searching through specific sites directly from the address bar on Chrome desktop. We are improving the Settings>Manage search engines page to help users have better control over Site search. Chrome 97 tests a number of these improvements: 
   
  • To help users better understand Site search, we renamed the page to Manage search engines and site search and added explanations to each section of the page.
  • Now, when users visit a site that is eligible to work with Site search, that is, compliant with the OpenSearch spec, it will no longer be automatically activated for Site search. To activate a site, users select Settings>Manage search engines and site search>Inactive shortcuts>Activate. To prevent user workflows from being disrupted, Site search providers that people have used before in Chrome remain activated.
  • The DefaultSearchProviderEnabled enterprise policy maintains the same behavior.  

• Chrome 97 removes profiles from memory when their windows are closed   
  
  Previously, when users closed Chrome windows for a profile, the profile object would stay loaded in memory. It would continue using memory and other system resources. It would also run jobs in the background like Sync and extension background scripts. The only way to unload a profile from memory was to exit Chrome entirely.
  
  Chrome 97 removes profiles from memory when their windows are closed. This can save lots of system resources in multi-profile scenarios. It also lets Chrome clean up ephemeral profile data from disk more efficiently, strengthening its privacy guarantees.  

• Chrome disables WebSQL in third-party contexts   
  
  Chrome 97 disables WebSQL in third-party contexts, such as cross-origin iframes, as a continuation to the deprecation in Chrome 94. This change does not affect WebSQL in first-party contexts, but the eventual goal is to deprecate and remove all WebSQL.
  
  An enterprise policy, WebSQLInThirdPartyContextEnabled, can re-enable WebSQL in third-party contexts until Chrome 101, when support for WebSQL in third-party contexts will be removed entirely.

• New Manifest V2 extensions not accepted after January 17, 2022   
  
  As part of the gradual deprecation of Manifest V2, the Chrome Web Store will stop accepting submissions of new Manifest V2 extensions after January 17, 2022. This applies to all new extension submissions with visibility set to Public or Unlisted.
  
  The change does not affect updates to already published extensions. Also, it does not impact extensions with visibility set to Private. The change is not expected to affect the operation of any existing extensions already deployed in Chrome. 
  
  Note that the next phase of deprecation, in June of 2022, is expected to expand this restriction to extensions with Private visibility, which may have a more significant impact on Enterprise extension workflows.
  
  For more details, refer to the Manifest V2 support timeline.  

• Improved Chrome Autofill on Desktop   
  
  A shifted Autofill position enables users to preview autofilling more clearly within form fields. The addition of visual icons is a first step to clarifying what fields are expected to be filled. For example, a profile icon means Autofill fills any form fields related to address and contact info saved in Autofill. 
  

• Optimized user experience on iOS   
  
  Chrome on iOS optimizes user experience by fetching page load metadata from a Google service, based on the pages that users navigate to. All requests to Google are anonymous, and you can control this behavior with the UrlKeyedAnonymizedDataCollectionEnabled enterprise policy. 

• Private Network Access preflights for subresources   
  
  Sends a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new `Access-Control-Request-Private-Network: true` header, and the response must carry a matching `Access-Control-Allow-Private-Network: true` header.
  
  A private network request is any request from a public website to a private IP address or localhost, or from a private website, for example, intranet, to localhost. Sending a preflight request mitigates the risk of cross-site request forgery attacks against private network devices such as routers, which are often not prepared to defend against this threat.
  
  You can control this behavior using enterprise policies InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls.  

• New and updated policies in Chrome browser   
   

  Policy	Description
  HistoryClustersVisible	Controls the visibility of history clusters on the Chrome history page
  RemoteAccessHostClipboardSizeBytes	The maximum size, in bytes, that can be transferred between client and host via clipboard synchronization
  RemoteAccessHostAllowRemoteSupportConnections	Allow remote support connections to this machine
  PolicyListMultipleSourceMergeList (New on Android)	Allow merging list policies from different sources
  CloudUserPolicyMerge (New on Android)	Enables merging of user cloud policies into machine-level policies
  BrowserSignin (Force sign in new on iOS)	Force users to sign-in to use the browser
  CloudPolicyOverridesPlatformPolicy (new on Android)	Google Chrome cloud policy overrides platform policy
  CloudUserPolicyOverridesCloudMachinePolicy (new on Android)	Allow user cloud policies to override Chrome Browser Cloud Management policies.
  CORSNonWildcardRequestHeadersSupport	CORS non-wildcard request headers support

   

Chrome OS updates

• Chrome Management Telemetry API   
  
  This is a new API that provides telemetry information from managed Chrome OS devices. The initial set of telemetry data focuses on hardware performance—CPU, memory, storage, and graphics. You can see the full documentation here.  

• Revamped user and device reporting controls   
  
  There are now additional controls for reporting within device settings. You can view all available data for features that require reporting, such as the device details, insight reports, or the Telemetry API. Please see the support article for additional information.  

• Chrome Policy API supports Device settings   
  
  The Chrome Policy API is a suite of services that allows Chrome administrators to view, manage, and get insights about the usage of Chrome OS and Chrome browsers in their organization. The API was launched in March 2021 with support for User and printer settings. Subsequently, support for Apps and Extensions settings was added. Now in Chrome 97, the API includes support for Device Settings. 

• Offline grammar check   
  
  Grammar check is now available on Chrome OS devices with or without the internet. It’s enabled by default, so just click on the suggested text to accept it. It works on text fields across the web so you can write notes, send calendar invites, build docs, and more. 

• Magnifier continuous panning   
  
  Chrome OS Magnification now allows you to choose to move the portion of the screen that is magnified continuously as you move the mouse. This is in addition to the previous existing options that allow you to move the magnified area when your mouse touches the edge of the screen or the option that keeps the mouse in the center of the screen. To access this feature, go to Chrome OS Settings > Advanced > Accessibility > Manage accessibility features > Enable fullscreen magnifier. 

• Gallery app supports audio playing and multi window   
  
  Audio playing experience on Chrome OS gets a brand new look under the Gallery app. Additionally, Gallery now supports multiple windows. This means users can view and edit multiple media files simultaneously.  

Admin console updates

• Browser list data downloadable in CSV format   
  
  Chrome introduces an optional CSV format to download the browser list data from the Admin console. 

• Read-only privilege for managed browsers   
  
  Chrome introduces a read-only privilege for managed browsers. Admins can easily create custom admin roles with read-only access to managed browsers in the Admin console. 

• Reports overview page   
  
  A new reports overview page provides a summary of all the reports available. The new page is available under the Device > Chrome > Reports menu. 

• Insights report: Devices that need attention  
  
  A new report highlights categories of devices that require attention. The new report is available under the Device > Chrome > Reports > Insights menu.
  
  The categories are:
  • Devices that have not synched policies in 28 days
  • Devices that have not seen user activity in 28 days
  • Devices that are pending OS updates
  • Devices that are not compliant with the OS version that was set by policy 
    • For example, if a device policy requires Chrome 94 running on devices, but several devices are on Chrome 90.
  • Devices that are unable to apply a policy due to an OS mismatch 
    • For example, if a set policy due to be applied has a minimum supported Chrome OS version of Chrome 96, but devices are on Chrome 90.
  
  Clicking on the category takes you to the device list page with filters applied according to the category. For more details, see this Help Center article.

• New policies in the Admin console   
   

  Policy Name	Pages	Supported on	Category/Field
  RelaunchWindow	User & Browser Settings	Chrome Chrome OS	Chrome Updates > Relaunch Notification > Relaunch window duration
  TermsOfServiceURL (support docs)	New to User & Browser Settings; Managed Guest Session	Chrome OS	General > Custom terms of service
  DeviceDebugPacketCaptureAllowed	Device Settings	Chrome OS	Other settings > Allow debug network packet captures
  AdditionalDnsQueryTypesEnabled	User & Browser Settings; Managed Guest Session	Chrome Chrome OS Android	Network > DNS queries for additional DNS record types
  LockIconInAddressBarEnabled	User & Browser Settings; Managed Guest Session	Chrome Chrome OS Android	User experience > Lock icon in the omnibox for secure connections
  PrintPreviewUseSystemDefaultPrinter	User & Browser Settings	Chrome	Printing > System Default Printer
  DeviceLoginScreenPromptOn MultipleMatchingCertificates	Device Settings	Chrome OS	Other settings > Prompt when multiple certificates match on the sign-in screen
  PromptOnMultipleMatchingCertificates	User & Browser Settings	Chrome Chrome OS	Other settings > Prompt when multiple certificates match

   

Coming soon

Upcoming Chrome browser changes

• Network Service on Windows will be sandboxed   
  
  As early as Chrome 98, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy has been added to allow early testing of the new sandbox, and to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter. 

• Use of Chrome passwords in other apps on iOS   
  
  From Chrome 98, iOS users will be informed that they can use their saved passwords in other apps on their device.
  
  The Chrome > Settings > Passwords screen will show a new option for Passwords in Other Apps, which will guide users to turn on this feature in iOS autofill settings. 

• Update GREASE brand list generation   
  
  User-Agent GREASE aims to prevent bad or exclusionary assumptions from being built on top of User-Agent strings. This change aligns our implementation of GREASE in User-Agent Client Hints with the current spec, which includes additional GREASE characters beyond the current semicolon and space, and which recommends varying the arbitrary version. While we will roll out this change gradually and watch for negative impacts, admins can opt out via the UserAgentClientHintsGREASEUpdateEnabled enterprise policy escape hatch (available in Chrome 98). 

• Chrome will maintain its own default root store   
  
  As early as Chrome 98, to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.  

• Chrome will disable the U2F API by default   
  
  The U2F API is Chrome's legacy API for interacting with USB security keys. It has been superseded by the W3C Web Authentication API (WebAuthn). In Chrome 98, Chrome will disable the U2F API by default. With Chrome 104, the U2F API will be removed from Chrome.
  
  Sites can continue to use the U2F API beyond Chrome 98 if they enroll in an Origin Trial. Using the Origin Trial also suppresses the deprecation prompt on the enrolled pages. The Origin Trial will end on July 26, 2022, shortly before the release of Chrome 104.
  
  Enterprises can suppress deprecation related changes, and keep the U2F enabled, by using the U2fSecurityKeyApiEnabled enterprise policy. This enterprise policy will be removed from Chrome, together with the U2F API, in Chrome 104.
  
  If you run a website that still uses this API, please refer to the deprecation announcement and blog post for more details.

• Chrome will no longer allow TLS 1.0 or TLS 1.1   
  
  The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.
  
  In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. In Chrome 98, it will no longer be possible to bypass the interstitial.  

• Chrome may leverage MiraclePtr to improve security   
  
  As early as Chrome 99, Chrome will leverage MiraclePtr to reduce the risk of security vulnerabilities relating to memory safety. The Chrome team gathered data on the performance cost of MiraclePtr in Chrome 91, but domain-joined enterprises on the stable channel were excluded from MiraclePtr builds during that phase. A full release of MiraclePtr in Chrome is planned as early as Chrome 101. 

• Feature flag to force the Chrome Major Version number to 100   
  
  Users and site owners can experiment with the upcoming three-digit (Chrome 100) major release version number in the User-Agent string by turning on the ForceMajorVersion100InUserAgent flag. This forces the browser to send 100 as the major version number. When browsers went from version 9 to 10, the increase in the number of digits in the major version number uncovered many issues in User-Agent string parsing libraries. With this feature flag, we can uncover and address these issues before Chrome 100 rolls out. We encourage admins to submit any issues encountered here.  

Chrome browser updates

• Chrome on Android no longer supports Android Lollipop   
  
  Chrome 96 does not support or ship to users running Android Lollipop.
  
  The last version of Chrome that supports Android Lollipop is Chrome 95, and it included a message to affected users informing them to upgrade their operating system. 

• Apps shortcut in the bookmarks bar defaults to off   
  
  The Apps shortcut in the bookmarks bar now defaults to off. Chrome also updates the current state for all users who have not changed their setting to the new default (off). 

• Network data moves to a new folder on Windows   
  
  Data that is needed by the network service, including cookies and other data files, is now stored in a subdirectory underneath the previous location called Network. This is to support the upcoming Network Sandbox (see below). This migration happens automatically and transparently. No action is required, however, you might need to update any scripts that rely on the location of these files. 

• New security events for BeyondCorp Enterprise Threat and Data Protection   
  
  Chrome 96 adds two new security events to BeyondCorp Enterprise Threat and Data Protection: Password leak and login. This functionality allows admins to understand enterprise credential usage, to shadow IT within their organization, and to stay ahead of potential security incidents regarding passwords exposed in data breaches. 

• Feature flag to force the Chrome Major Version number to 100   
  
  Starting in Chrome 96, users and site owners can experiment with the upcoming three-digit (Chrome 100) major release version number in the User-Agent string by turning on the ForceMajorVersion100InUserAgent flag. This forces the browser to send 100 as the major version number.  When browsers went from version 9 to 10, the increase in the number of digits in the major version number uncovered many issues in User-Agent string parsing libraries.  With this feature flag, we can uncover and address these issues before Chrome 100 rolls out.  We encourage admins to submit any issues encountered here. 

• DNS-based HTTP to HTTPS redirect   
  
  Chrome queries DNS for HTTPS records (alongside traditional A and AAAA queries). When a website has deployed an HTTPS DNS record and Chrome receives it, Chrome always connects to the website via HTTPS (Chrome Status). This was previously enabled for 50% of users on the Canary, Dev, and Beta channels. 

• Chrome shows Journeys in the History page   
  
  For some users, Chrome 96 clusters local browsing activity on the History page into Journeys to make it easier to find prior activity and continue it with related search suggestions. For keywords typed into the Omnibox that match a cluster, an action chip displays for seamless access to the Journeys view. Users can delete clusters and disable Journeys, if desired. Additionally, admins will have the option to disable this feature using the HistoryClustersVisible policy, starting in Chrome 97. 

• Chrome starts deprecating the U2F security key API   
  
  The U2F API is Chrome's legacy API for interacting with USB security keys. It has been superseded by the W3C Web Authentication API (WebAuthn).  Beginning with Chrome 96, when sites make U2F API requests, users might see a prompt that includes a notice about the U2F API’s deprecation. In Chrome 98, Chrome will disable the U2F API by default. With Chrome 104, the U2F API will be removed from Chrome.
  
  Sites can continue to use the U2F API beyond Chrome 98 if they enroll in an Origin Trial. Using the Origin Trial also suppresses the deprecation prompt on the enrolled pages. The Origin Trial will end on July 26, 2022, shortly before the release of Chrome 104.
  
  Enterprises can suppress deprecation related changes, and keep the U2F enabled, by using the U2fSecurityKeyApiEnabled enterprise policy. This enterprise policy will be removed from Chrome, together with the U2F API, in Chrome 104.
  
  If you run a website that still uses this API, please refer to the deprecation announcement and blog post for more details. 

• Chrome on Android shows reuse warnings for Google passwords   
  
  Similar to Chrome on other platforms, Chrome on Android now shows warnings if it detects that your Google passwords were reused on a malicious website. You can control this behavior using the PasswordProtectionWarningTrigger enterprise policy. 

• Chrome sync ends support for Chrome 48 and earlier   
  
  As previously communicated, Chrome sync no longer supports Chrome 48 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome sync. 

• Google Toolbar for Internet Explorer no longer available   
  
  The Google Toolbar for Internet Explorer is being phased out. As of mid-November, it will no longer be available for download. 

• Chrome installer for macOS now available as a single universal version   
  
  The .dmg installer available to users on macOS now contains both the x86_64 and the arm64 versions of the product. When installing, users no longer have to choose the CPU architecture. With Chrome 96, existing Chrome installations will be updated to universal automatically. This may increase the size of Chrome on disk.
  
  Note that the enterprise-specific .pkg installer was already a universal installer. 

• New and updated policies in Chrome browser   
   

  Policy	Description
  SyncDisabled (new on iOS)	Control Chrome sync.
  U2fSecurityKeyApiEnabled	Allow use of the deprecated U2F Security Key API.
  CloudUserPolicyOverridesCloudMachinePolicy	Allow user cloud policies to override Chrome Browser Cloud Management policies.
  SandboxExternalProtocolBlocked	Allow Chrome to block navigations toward external protocols in sandboxed iframes.
  BrowsingDataLifetime (new on Android)	Configure (per data-type) when data is deleted by the browser.
  WebSQLInThirdPartyContextEnabled	Temporarily re-enables WebSQL in third-party contexts.
  PromptOnMultipleMatchingCertificates	Prompt for the client certificate when multiple certificates match.
  NetworkServiceSandboxEnabled	Controls whether or not the network service process runs sandboxed.

   

Chrome OS updates

• Long-term support channel   
  
  From Chrome 96, Chrome OS provides an option for organizations to use a new Long-term support (LTS) channel, with feature milestone updates every six months. Devices on the LTS channel will still receive frequent security updates. Admins can easily switch from LTS to other channels if desired. For more details, see this article. 

• Cloud Based Certificate Provisioning using SCEP   
  
  Chrome OS provides a new way to provision and renew certificates on managed devices in Microsoft Active Directory Certificate Service (ADCS) environments using the Simple Certificate Enrollment Protocol (SCEP). The new provisioning flow, for device-based certificates, enables automated certificate deployment and renewals that occur with no end user interaction and before user sign-in. For more details, see this article. 

• SAML password change : Chrome Device Token API   
  
  Chrome 96  supports password updates on Chrome OS devices after a user’s password is changed on a third-party Identity Provider (IdP). This helps to increase the convenience for the end user, and to enforce corporate policies on Chrome OS devices. Admins can use the Chrome Device Token API to allow IdPs to notify Chrome OS devices that users have changed their password. API documentation is available, and this article (step 4/5) has been updated with guidance for administrators. 

• Terms of Service for managed user sessions   
  
  Admins can now display their Terms of Service to users at the beginning of every managed user’s session. This functionality was previously available for managed guest sessions only. 

• Side Search on Chrome OS   
  
  To make it easier to compare search results and find what you’re looking for more quickly in Chrome browser, there’s a new side panel in Chrome OS. You can now view a page and the search results at the same time. This lets you view a page right in your main browser window without needing to navigate back and forth or losing your search results. Admins can disable this feature via the SideSearchEnabled policy. 

• Nearby Share from ARC++ sharesheet   
  
  This feature allows users to use Nearby Share from Android Runtime for Chrome (ARC++). Prior to this Nearby Share has been available in Files app, PWAs and other system apps. Nearby Share allows users to easily share content across devices, for example, from Chromebook to a device running Chrome browser, such as an Android phone or a Windows PC. 

• Switch Access setup guide   
  
  Switch Access is an alternate input method that enables users to control their device with just one or more buttons. As of Chrome 96, Switch Access users will now have a setup guide which will help walk new users through the process of setting up and using their switches. 

• New preference setting for link capturing   
  
  This adds a new preference to Apps settings that allows users to set apps as the default handler of supported links. For example, the Zoom PWA can become the default handler for zoom.us links. 

• Add clipboard suggestions to on-screen keyboard   
  
  Chrome 96 suggests recently copied items in the on-screen keyboard or Virtual Keyboard suggestion row to simplify your paste actions. If you copy an item and open your Virtual Keyboard you should see that item as an option in the top row. Click it to paste. Previously, Chrome 94 made clipboard items accessible from the virtual keyboard. Chrome 96 adds clipboard items copied within the last two minutes to the suggestion row in the virtual keyboard for even easier access. 

• Chrome Wallpaper app enhancements   
  
  TheChrome OS wallpaper picker now has a more visual UI that helps users to select from a variety of wallpaper collections or their own images. Users can open it from the  home screen using right-click > Set wallpaper. 

• Notification settings move to Chrome OS Settings   
  
  Chrome 96 includes a new dedicated Notifications page in Chrome OS Settings. In earlier releases, Notifications were accessed from the Quick Settings menu. 

Admin console updates

• New interface for selecting Chrome apps and extensions   
  
  The Admin console now uses the same user interface as the Chrome Web Store for selecting new Chrome apps and extensions.
  
  

• New policies in the Admin console   
   

  Policy Name	Pages	Supported on	Category/Field
  DevicePciPeripheralDataAccessEnabled	Device Settings	Chrome OS	Other settings > Data access protection for peripherals
  InsecurePrivateNetworkRequestsAllowed	User & Browser Settings; Managed Guest Session Settings	Chrome Chrome OS Android	Content > Request from insecure websites to more-private network endpoints
  VirtualKeyboardFeatures	Device Settings	Chrome OS	Kiosk settings > Kiosk virtual keyboard features
  AllowedInputMethods	User & Browser Settings; Managed Guest Session Settings	Chrome OS	User experience > Allowed input methods
  DisplayCapturePermissionsPolicyEnabled	User & Browser Settings; Managed Guest Session Settings	Chrome Chrome OS	Security > Insecure Media Capture
  AllowedLanguages	User & Browser Settings; Managed Guest Session Settings	Chrome OS	User experience > Allowed chrome OS languages
  SpellcheckLanguage	User & Browser Settings; Managed Guest Session Settings	Chrome Chrome OS	User experience > Spell check > Enforced spellcheck languages
  SpellcheckLanguageBlocklist	User & Browser Settings; Managed Guest Session Settings	Chrome Chrome OS	User experience > Spell check > Disabled spellcheck languages
  CrossOriginWebAssemblyModuleSharingEnabled	User & Browser Settings	Chrome Chrome OS	Content > Allow WebAssembly cross-origin
  LockScreenReauthenticationEnabled	User & Browser Settings	Chrome OS	Security > SAML single sign-on password synchronization flows
  SamlInSessionPasswordChangeEnabled	User & Browser Settings	Chrome OS	Security > SAML single sign-on password synchronization > Password synchronization between third-party SSO providers and Chrome devices
  SamlPasswordExpirationAdvanceWarningDays	User & Browser Settings	Chrome OS	Security > SAML single sign-on password synchronization > How many days in advance to notify SAML users when their password is due to expire
  ManagedAccountsSigninRestriction	User & Browser Settings	Chrome	Sign-in settings > Separate profile for managed Google Identity
  ArcAppToWebAppSharingEnabled	User & Browser Settings	Chrome OS	Android applications > Sharing from Android apps to Web apps

   

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

• Launch Control Flow Guard for Windows   
  
  As early as Chrome 97, Chrome will make security improvements by introducing Control Flow Guard (CFG) for Windows. This change might cause interoperability issues with software that injects code into Chrome’s process space, such as Data Loss Prevention software. Please file a bug to let us know if you encounter issues. 
  
  As CFG affects how Chrome is compiled, it will  not be possible to control it via enterprise policies, but you can test it in the Dev and Beta channels for Chrome 97. 

• Network Service on Windows will be sandboxed   
  
  As early as Chrome 97, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. An enterprise policy has been added to allow early testing of the new sandbox, and to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter. 

• Certificate Transparency enabled on Chrome for Android   
  
  Certificate Transparency is already enforced on desktop platforms, and will be enforced for some users on Chrome 97 for Android, with a wider release planned for a later version. You can selectively disable Certificate Transparency using the CertificateTransparencyEnforcementDisabledForCas, CertificateTransparencyEnforcementDisabledForLegacyCas, and CertificateTransparencyEnforcementDisabledForUrls enterprise policies. 

• CORS Authorization mishandling   
  
  When scripts make a cross-origin network request via fetch() and XMLHttpRequest with an Authorization header, the header should be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response (Chrome Status). The wildcard symbol (*) in the Access-Control-Allow-Headers should not work. This has not been implemented correctly, and the wildcard symbol has taken effect. This will be fixed in Chrome 97.
  
  Note that Authorization headers attached by Chrome during the authentication process are out of scope for this change. 

• Chrome will maintain its own default root store   
  
  As early as Chrome 98, to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet. 

• Chrome will no longer allow TLS 1.0 or TLS 1.1   
  
  The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.
  
  In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. In Chrome 98, it will no longer be possible to bypass the interstitial. 

• Chrome Autofill will be more predictable   
  
  Chrome Autofill will be more visible with a new menu position. It will also add dynamic highlighting to show precisely what fields will be filled automatically. 

• New Manifest V2 extensions not accepted after January 17, 2022   
  
  As part of the gradual deprecation of Manifest V2, the Chrome Web Store will stop accepting submissions of new Manifest V2 extensions after January 17, 2022. This applies to all new extension submissions with visibility set to Public or Unlisted.
  
  The change will not affect updates to already published extensions. Also, it will not impact extensions with visibility set to Private. The change is not expected to affect the operation of any existing extensions already deployed in Chrome. 
  
  Note that the next phase of deprecation in June of 2022, is expected to expand this restriction to extensions with Private visibility, which may have a more significant impact on Enterprise extension workflows.
  
  For more details, refer to the Manifest V2 support timeline. 

• Different-origin iframes JavaScript dialogs deprecation has been postponed indefinitely   
  
  Previously, we announced a planned change that would cause Chrome to prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt), if the iframe is a different origin from the top-level page. This change was originally planned for Chrome 92, but has been postponed indefinitely due to the feedback we received on this change. We will provide advance notice in the future if we decide to re-enable this change. 
  
  You can test if this future change will affect applications now by setting the enable_features=SuppressDifferentOriginSubframeJSDialogs flag. 

Upcoming Admin console changes

• Browser list data downloadable in CSV format   
  
  As early as Chrome 97, Chrome will introduce an optional CSV format to download the browser list data from the Admin console. 

• Read-only privilege for managed browsers   
  
  As early as Chrome 97, Chrome will introduce a read-only privilege for managed browsers. Admins will be able to easily create custom admin roles with read-only access to managed browsers in the Admin console. 

• Reports overview page   
  
  A new reports overview page will provide a summary of all the reports available. The new page will be available under the Device > Chrome > Reports menu. 

• Insights report: Devices that need attention   
  
  A new report will highlight categories of devices that require attention. The new report will be available under the Device > Chrome > Reports > Insights menu.
  
  The categories are:
  • Devices that have not synched policies in 28 days
  • Devices that have not seen user activity in 28 days
  • Devices that are pending OS updates
  • Devices that are not compliant with the OS version that was set by policy
    • For example, if a device policy requires Chrome 94 running on devices, but several devices are on Chrome 90
  • Devices that are unable to apply a policy due to an OS mismatch 
    • For example, if a set policy due to be applied has a minimum supported Chrome OS version of Chrome 96, but devices are on Chrome 90
  
  Clicking on the category will take you to the device list page with filters applied according to the category.
  
  For more details, see this Help Center article. 

These Chrome 95 release notes contain Chrome Browser updates only. To bridge the gap between Chrome 94 and Chrome 96, Chrome OS will skip Chrome 95 and will include all relevant security fixes on the Chrome 94 milestone.

Chrome browser updates

• Stricter parsing rules for Legacy Browser Support   
  
  Organizations that rely on Legacy Browser Support (LBS) to redirect their users to Microsoft Edge or Internet Explorer can use the BrowserSwitcherParsingMode policy to choose how their site list is interpreted by Chrome. If set to IESiteListMode, Chrome interprets those rules in the same way as Edge and Internet Explorer. 

• Origin Trial for reduced User-Agent strings
  
  Chrome 95 begins an Origin Trial for the fully reduced User-Agent string.  We would like sites to begin participating in the trial so we may collect feedback and allow sites to have ample time to address breakage. The reduced User-Agent string appears in both the User-Agent HTTP request header and the JavaScript APIs that access the User-Agent string (navigator.userAgent, navigator.appVersion, navigator.platform).  This Origin Trial will run over the next six releases, until the reduced User-Agent starts a phased rollout. Subsequently, for sites that may need more time for migration, a deprecation Origin Trial will be available. Enterprises can opt in to the Origin Trial here when it is available. 

• Chrome deprecates WebAssembly cross-origin module sharing
  
  Chrome 95 prevents WebAssembly module sharing between cross-origin but same-site environments. This allows agent clusters to be tied to origins in the long-term. This change conforms to recent changes in the WebAssembly spec (Chrome Status).
  
  If your enterprise needs any additional time to adjust to this change, a temporary enterprise policy CrossOriginWebAssemblyModuleSharingEnabled is available to allow module sharing for cross-origin same-site environments. This policy will be removed in Chrome 97. 

• Explicit user prompts for Autofill addresses
  
  In previous releases, when Autofill was enabled, Chrome saved detected addresses as users submitted forms. This update provides more transparency and control to the user by adding a save prompt, and giving the user the control to edit, save, update, or discard the detected address before it is stored. When the AutofillAddressEnabled policy is set to false, this feature is not enabled. 

• New Side Panel feature
  
  Chrome on Windows, Mac, ChromeOS, and Linux, introduces a new side panel feature. This panel, opened by a toolbar icon, provides easier access to the Reading list and Bookmarks, in a vertical list. The side panel can be left open while the user browses. 

↑ back to top

• New and updated policies in Chrome browser
   

  Policy	Description
  BrowserLegacyExtensionPointsBlocked	Setting the policy to Enabled or leaving it unset will enable ProcessExtensionPointDisablePolicy to block legacy extension points in the Browser process.
  BrowserSwitcherParsingMode	This policy controls how Google Chrome interprets sitelist/greylist policies for the Legacy Browser Support feature. It affects the following policies: BrowserSwitcherUrlList, BrowserSwitcherUrlGreylist, BrowserSwitcherUseIeSitelist, BrowserSwitcherExternalSitelistUrl, and BrowserSwitcherExternalGreylistUrl.
  ContextAwareAccessSignalsAllowlist	Enables Chrome Enterprise Platform Identity Connector for a list of URLs.   Setting this policy specifies which URLs should be allowed to be part of the attestation flow to get the set of signals from the machine.
  PrintPdfAsImageDefault	Controls if Google Chrome makes the Print as image option default to set when printing PDFs.
  PrintPostScriptMode	Controls how Google Chrome prints on Microsoft Windows.

↑ back to top

Admin console updates

• New policies in the Admin console
   

  Policy Name	Pages	Supported on	Category/Field
  SuggestLogoutAfterClosingLastWindow	Managed Guest Session Settings	Chrome OS	Session settings / Display the logout confirmation dialog
  DeviceMinimumVersion	Device Settings	Chrome OS	Device update settings / Auto-update settings / Enforce updates
  DeviceMinimumVersionAueMessage	Device Settings	Chrome OS	Device update settings / Auto-update settings / Enforce updates Auto Update Expiration (AUE) message
  JavaScriptJitAllowedForSites	User & Browser Settings; Managed Guest Session Settings	Chrome Chrome OS Android	Content / JavaScript JIT / Allow JavaScript to use JIT on these sites
  DefaultJavaScriptJitSetting	User & Browser Settings; Managed Guest Session Settings	Chrome Chrome OS Android	Content / JavaScript JIT
  JavaScriptJitBlockedForSites	User & Browser Settings; Managed Guest Session Settings	Chrome Chrome OS Android	Content / JavaScript JIT / Block JavaScript from using JIT on these sites
  RemoteDebuggingALlowed	User & Browser Settings; Managed Guest Session Settings	Chrome Chrome OS	Security / Allow remote debugging
  DesktopSharingHubEnabled	User & Browser Settings	Chrome	Content / Desktop sharing in the omnibox and 3-dot menu

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

• Chrome on Android will no longer support Android Lollipop
  
  The last version of Chrome that will support Android Lollipop will be Chrome 95, and it includes a message to affected users informing them to upgrade their operating system. Chrome 96 will not support nor ship to users running Android Lollipop. 

• Apps shortcut in the bookmarks bar will default to off   
  
  As early as Chrome 96, Chrome will make the Apps shortcut in the bookmark bar default to off. Chrome will also update the current state for all users who have never changed their setting to the new default (off).

• Network data will be migrated to a new folder on Windows   
  
  In Chrome 96, data that is needed by the network service, including cookies and other data files, will be migrated to a subdirectory underneath the current location called Network. This is to support the upcoming Network Sandbox (see below). This migration will happen automatically and transparently. No action is required, however, you might need to update any scripts that rely on the location of these files.

• Network Service on Windows will be sandboxed   
  
  To improve the security and reliability of the service, the network service, already running in its own process, will be sandboxed on Windows to improve the security and reliability of the service (as early as Chrome 97). As part of this, third-party code that is currently able to tamper with the network service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. An enterprise policy has been added to allow early testing of the new sandbox, and to disable the sandbox if incompatibilities are discovered. Please consider testing the sandbox in your environment using these instructions and report any issues encountered.

• New security events to BeyondCorp Enterprise Threat and Data Protection   
  
  Chrome 96 will add two new security events to BeyondCorp Enterprise Threat and Data Protection: Password leak and login. This functionality will allow admins to understand enterprise credential usage, to shadow IT within their organization, and to stay ahead of potential security incidents regarding passwords exposed in data breaches.

↑ back to top

• NewTabPageLocation enterprise policy on Incognito 
  
  Chrome 96 will fix a bug that prevents users from starting new Incognito sessions when the enterprise policy NewTabPageLocation is set to a chrome://… URL. In future, this policy will be ignored in Incognito mode. Users on Incognito will see the default new tab page. There’s no change in how the policy is applied on regular mode (non-Incognito windows).

• Feature flag to force the Chrome Major Version number to 100   
  
  Starting in Chrome 96, users and site owners can experiment with the upcoming three-digit (Chrome 100) major release version number in the User-Agent string by turning on the ForceMajorVersion100InUserAgent flag. This forces the browser to send 100 as the major version number.  When Chrome went from version 9 to 10, the increase in the number of digits in the major version number uncovered many issues in User-Agent string parsing libraries.  With this feature flag, we can uncover and address these issues before Chrome 100 rolls out.  We encourage admins to submit any issues encountered here.

• DNS-based HTTP to HTTPS redirect
  
  As early as Chrome 96, Chrome will query DNS for HTTPS records (alongside traditional A and AAAA queries). When a website has deployed an HTTPS DNS record and Chrome receives it, Chrome will always connect to the website via HTTPS (Chrome Status). 

• Chrome will begin deprecating the U2F security key API
  
  The U2F API is Chrome's legacy API for interacting with USB security keys. It has been superseded by the W3C Web Authentication API (WebAuthn).  Beginning with Chrome 96, when sites make U2F API requests, users may see a prompt that includes a notice about the U2F API’s deprecation. In Chrome 98, Chrome will disable the U2F API by default. With Chrome 104, the U2F API will be removed from Chrome.
  
  Sites can continue to use the U2F API beyond Chrome 98 if they enroll in an Origin Trial. Using the Origin Trial also suppresses the deprecation prompt on the enrolled pages. The Origin Trial will end on July 26, 2022, shortly before the release of Chrome 104.
  
  Enterprises can suppress deprecation related changes, and keep the U2F enabled, by using the U2fSecurityKeyApiEnabled enterprise policy. This enterprise policy will be removed from Chrome, together with the U2F API, in Chrome 104.
  
  If you run a website that still uses this API, please refer to the deprecation announcement for more details. 

• CORS Authorization mishandling
  
  When scripts make a cross-origin network request via fetch() and XMLHttpRequest with an Authorization header, the header should be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response (Chrome Status). The wildcard symbol (*) in the Access-Control-Allow-Headers should not work. This has not been implemented correctly, and the wildcard symbol has taken effect. This will be fixed in Chrome 97.
  
  Note that Authorization headers attached by Chrome during the authentication process are out of scope for this change. 

↑ back to top

• Chrome will maintain its own default root store
  
  To improve user security, and provide a consistent experience across different platforms, Chrome, as early as Chrome 97, intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.

• Chrome will remove legacy policies with non-inclusive names
  
  Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names. To minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.
  
  Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy. Deprecated policies will be available in the Deprecated policies folder and deleted policies will be in the Removed policies folder in the GPO editor.
  
  This transition period will end in Chrome 97, and the following policies in the left column will no longer function. This change was originally announced for Chrome 95, but has been extended to Chrome 97. Please ensure you're using the corresponding policy from the right column instead:
   

  Legacy Policy Name	New Policy Name
  NativeMessagingBlacklist	NativeMessagingBlocklist
  NativeMessagingWhitelist	NativeMessagingAllowlist
  AuthNegotiateDelegateWhitelist	AuthNegotiateDelegateAllowlist
  AuthServerWhitelist	AuthServerAllowlist
  SpellcheckLanguageBlacklist	SpellcheckLanguageBlocklist
  AutoplayWhitelist	AutoplayAllowlist
  SafeBrowsingWhitelistDomains	SafeBrowsingAllowlistDomains
  ExternalPrintServersWhitelist	ExternalPrintServersAllowlist
  NoteTakingAppsLockScreenWhitelist	NoteTakingAppsLockScreenAllowlist
  PerAppTimeLimitsWhitelist	PerAppTimeLimitsAllowlist
  URLWhitelist	URLAllowlist
  URLBlacklist	URLBlocklist
  ExtensionInstallWhitelist	ExtensionInstallAllowlist
  ExtensionInstallBlacklist	ExtensionInstallBlocklist
  UserNativePrintersAllowed	UserPrintersAllowed
  DeviceNativePrintersBlacklist	DevicePrintersBlocklist
  DeviceNativePrintersWhitelist	DevicePrintersAllowlist
  DeviceNativePrintersAccessMode	DevicePrintersAccessMode
  DeviceNativePrinters	DevicePrinters
  NativePrinters	Printers
  NativePrintersBulkConfiguration	PrintersBulkConfiguration
  NativePrintersBulkAccessMode	PrintersBulkAccessMode
  NativePrintersBulkBlacklist	PrintersBulkBlocklist
  NativePrintersBulkWhitelist	PrintersBulkAllowlist
  UsbDetachableWhitelist	UsbDetachableAllowlist
  QuickUnlockModeWhitelist	QuickUnlockModeAllowlist
  AttestationExtensionWhitelist	AttestationExtensionAllowlist
  PrintingAPIExtensionsWhitelist	PrintingAPIExtensionsAllowlist
  AllowNativeNotifications	AllowSystemNotifications
  DeviceUserWhitelist	DeviceUserAllowlist
  NativeWindowOcclusionEnabled	WindowOcclusionEnabled

   

  If you're managing Chrome via the Admin console (for example, Chrome Browser Cloud Management), no action is required; the Admin console will manage the transition automatically.

↑ back to top

• Chrome will no longer allow TLS 1.0 or TLS 1.1
  
  The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.
  
  In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. As early as Chrome 98, it will no longer be possible to bypass the interstitial. 

• Different-origin iframes will no longer trigger JavaScript dialogs
  
  Chrome will prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change will prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself. Please note that this change was originally planned for Chrome 92, but has been postponed until at least Chrome 98 due to the feedback we received on this change. Once this deprecation launches, you can control the behavior with the enterprise policy SuppressDifferentOriginSubframeDialogs.
  
  You can test if this future change will affect applications now by setting the enable_features=SuppressDifferentOriginSubframeJSDialogs flag. 

Upcoming Admin console changes

• Browser list data downloadable in CSV format
  
  As early as Chrome 97, a CSV format will be introduced as an option to download the browser list data from the Admin console. 

↑ back to top

Chrome OS updates

• Enhanced voices in select-to-speak
  
  Select-to-speak supports people who have challenges reading text content due to vision impairments and conditions like dyslexia, by allowing them to select pieces of text and hear them out loud. This enhancement gives select-to-speak the ability to produce realistic, natural-sounding voices as it speaks the text content.
  
   

• Include desk labels when moving tabs
  
  If you use desks on Chrome OS, it's now easier to organize your browser tabs. Windows in the same desk appear together when you select Move tab to another window.
  
   

• Document scanning in the camera app
  
  The camera app now supports document scanning. With document scanning, the camera can identify, capture, and crop your documents. You can also save your documents as a PDF or image.
  
   

Admin console updates

• Extensions version pinning
  
  Chrome browser and Chrome OS admins can now pin extensions (and apps) to specific versions, either by self-hosting them or from the Chrome Webstore (based on an automatic hosting in Google Cloud Storage).  Learn more
  
   

• Read-only delegated admin
  
  A new read-only delegated admin permission allows IT admins to grant read-only access to Chrome OS device info in their Google Admin console and in the Directory API.  Read-only access is useful for help desk admins, 3P partners, for reporting tools, and more!
  
   

• Search by on-device policy name
  
  IT admins can now search by on-device policy name to the Admin console. For example, if an admin searches for ProxyPacUrl, they’ll see the corresponding setting, Proxy mode, in the Admin console. Admins can also use new info bubbles that appear next to a setting name to see the corresponding on-device policy name.
  
   

• New policies in the Admin console
   

  Policy Name	Pages	Supported on	Category/Field
  SuggestLogoutAfterClosingLastWindow	Managed Guest Session Settings	Chrome OS	Session settings / Display the logout confirmation dialog
  DeviceMinimumVersion	Device Settings	Chrome OS	Device update settings / Auto-update settings / Enforce updates
  DeviceMinimumVersionAueMessage	Device Settings	Chrome OS	Device update settings / Auto-update settings / Enforce updates Auto Update Expiration (AUE) message
  JavaScriptJitAllowedForSites	User & Browser Settings; Managed Guest Session Settings	Chrome Chrome OS Android	Content / JavaScript JIT / Allow Javascript to use JIT on these sites
  DefaultJavaScriptJitSetting	User & Browser Settings; Managed Guest Session Settings	Chrome Chrome OS Android	Content / JavaScript JIT
  JavaScriptJitBlockedForSites	User & Browser Settings; Managed Guest Session Settings	Chrome Chrome OS Android	Content / JavaScript JIT / Block JavaScript from using JIT on these sites
  TripleDESEnabled	User & Browser Settings	Chrome Chrome OS Android	Security / 3DES cipher suites in TLS
  RemoteDebuggingAllowed	User & Browser Settings; Managed Guest Session Settings	Chrome Chrome OS	Security / Allow remote debugging
  DesktopSharingHubEnabled	User & Browser Settings	Chrome	Content / Desktop sharing in the omnibox and 3-dot menu

  
   

Chrome browser updates

• Chrome moves to a 4-week stable channel and introduces an 8-week extended stable channel 
  
  Chrome on mobile, Windows, Mac, and Linux moves from its 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly. 
  
  No action is required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you can use the existing TargetChannel policy to switch Chrome on Mac and Windows to an extended stable channel, with a new major release every 8 weeks instead. You can find more details in our help center article. Note: If you decide to move to the extended stable channel, we recommend testing it out on a small set of machines or organizational units before deploying it on your entire fleet. Extended Stable is identical to Stable for the first 4 weeks of each cycle, so this sort of testing is most valuable in the last 4 weeks of the Extended Stable cycle.
  
  To ensure continuous improvements to the Chrome OS platform, Chrome OS will move to a 4-week stable channel starting with Chrome 96. To bridge the gap between Chrome 94 and Chrome 96, Chrome OS will skip Chrome 95 (see the updated Chrome schedule page for milestone-specific details). 
  
   

• Chrome on iOS can apply .mobileconfig files
  
  A .mobileconfig file can be used to configure an iPhone, iPod touch, and iPad to work with certain enterprise systems. Since iOS 12.2, MOBILECONFIG files can be downloaded and installed from Safari and Mail apps. Chrome on iOS now allows users to download these files. Users then have to manually install the profile from the Settings app.
   

• Chrome deprecates WebSQL in third-party contexts
  
  Chrome 94 no longer uses WebSQL in third-party contexts, such as cross-origin iframes. A console message is printed each time a WebSQL database opens in a third-party context to alert developers of the upcoming removal. This change does not affect WebSQL in first-party contexts, but the eventual goal is to deprecate and remove all WebSQL.
  
  WebSQL in third-party contexts will be disabled in Chrome 97, but an enterprise policy will be made available to re-enable it. As of Chrome 101, WebSQL in third-party contexts will be removed entirely.
  
   

• Chrome launches HTTPS-First mode (Android and desktop)
  
  HTTPS-First mode attempts to upgrade all page loads to HTTPS and displays a full-page warning before loading sites that don’t support it. Users who enable this mode gain confidence that Chrome is connecting them to sites over HTTPS whenever possible. Users see a warning before connecting to sites over HTTP.
  
  An enterprise policy, HttpsOnlyMode, is available to control the use of this mode.
  
   

• Chrome blocks the MK external protocol
  
  Chrome now blocks the legacy external MK protocol for use with Internet Explorer. This protocol enables legacy web apps to extract information from compressed files. This is a legacy asynchronous pluggable protocol that is disabled by default in Internet Explorer. Chrome now blocks this protocol to mitigate potential malicious use.
  
   

• Chrome / Citrix Workspace (self-service plugin) stability
  
  Recent versions of Citrix Workspace install a DLL on Windows that can interfere with the Chrome browser process. Only Windows 10 or 11 systems with Control-flow Enforcement Technology (CET) or Hardware-enforced Stack Protection (Intel 11th Gen and AMD Zen 3 CPUs) with Citrix Workspace installed and Client Protection enabled are affected. While we are working with Citrix to resolve this, please consider using Citrix Workspace with Client Protection Disabled as a temporary workaround.
  
   

• Chrome no longer allows insecure public pages to make requests to private or local URLs
  
  Non-secure contexts served from public IP addresses can no longer make subresource requests to IP addresses belonging to private and local IP addresses (as defined in Private Network Access). For example, http://public.example served on IP 1.2.3.4 cannot make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You can control this behavior using the InsecurePrivateNetworkRequestsAllowed or InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies, which became available for testing in Chrome 92. See this blog post for more details.
  
   

• PWAs can register as (platform level) URL handlers
  
  Chrome 94 runs an Origin Trial to allow Progressive Web Apps (PWAs) to register as URL handlers. This means that PWAs can be launched in response to URL link activations, including activations from native apps. PWAs can register to handle any HTTPS URL, not just URLs from their own app scope. If you’re interested in learning more about PWAs as URL handlers, please refer to this article.
  
   

• Chrome sync ends support for Chrome 48 and earlier
  
  Chrome sync no longer supports Chrome 48 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome sync.
  
   

• Chrome launches a sharing hub
  
  In Chrome 94, users can more easily share their current page, including Send to your devices, get a QR code for the current URL, and share to third-party websites. The option to Send to your devices is only available to signed-in users. If the user is not signed in, the option does not appear. You can control this feature using an enterprise policy called DesktopSharingHubEnabled.
  
   

• Admins can enforce profile separation through enterprise policy
  
  Chrome 94 updates the dialog when users sign into a managed profile if the ManagedAccountsSigninRestriction policy is set. The new notice clarifies that a separate profile is required by the admin, and the choices for the user are simplified. Some users see a link to open Chrome in guest mode when they sign in to a new profile that's different from the profile signed in to Chrome.
  
   

• New enterprise policies for the Web Serial API
  
  The Web Serial API allows websites to request access to serial devices (USB, Bluetooth, etc.) through a device selection prompt. In previous Chrome versions, policies could only control how the feature was blocked. In Chrome 94, SerialAllowAllPortsForUrls and SerialAllowUsbDevicesForUrls allow admins to grant a website access to specific (or all) connected serial devices, streamlining workflows by removing the need for users to select the correct device.
  
   

• Chrome settings restructure
  
  To aid in navigability, Chrome will replace the single long page in Chrome settings with individual sections. The updated experience is available starting with Chrome 94.
  
   

• Chrome updates Certificate Transparency log list via Component Updater
  
  Chrome 94 uses Component Updater to dynamically update the Certificate Transparency log list, separating these updates from full browser updates. This allows out-of-date clients to keep enforcing Certificate Transparency. Note that full browser updates still contain the transparency log list.
  
   

• Chrome introduces tab grid bulk actions 
  
  Chrome for iOS adds an edit mode to the tab grid to allow easier management of open tabs. Users can select multiple tabs and then add them to the reading list, bookmarked, shared, or closed.
  
   

• New onboarding experience for Chrome on iOS 
  
  Chrome 94 revamps the existing onboarding screens, separating the sign-up and sync features.
  
   

• Chrome removes the UserAgentClientHintsEnabled policy 
  
  The use of Structured Headers in the User Agent Client Hints, and in particular, the Sec-CH-UA and Sec-CH-UA-Mobile headers, caused some unintended consequences where not all servers were able to accept all characters. An enterprise policy UserAgentClientHintsEnabled was created to disable this feature. Chrome 94 removes this policy.
  
   

• Chrome launches an API that allows sites to know when the user is active
  
  Chrome 94 launches the Idle Detection API, allowing websites to request to know if users are idle, allowing messaging apps to direct notifications to the best device. This was previously in Origin Trial and is now rolled out to Stable.
  
   

• Chrome launches display-capture
  
  The display-capture permissions-policy allows sites to more safely embed documents in an iframe. It does so by controlling such documents’ access to screen-capture APIs. This permissions-policy’s default setting prevents screen-capture by cross-origin iframes. For websites that are non-compliant with the spec and need more time to implement the display-capture feature, an enterprise policy, named DisplayCapturePermissionsPolicyEnabled, allows selective bypassing of the display-capture permissions-policy. This enterprise policy will be removed after Chrome 100.
  
   

• BeyondCorp Enterprise: custom warnings and bypass justifications
  
  Today BeyondCorp Enterprise shows generic, predefined warn and block messages when files are flagged due to DLP Rule violations or other Chrome Security events. Chrome 94 introduces the ability to provide more meaningful, customized warning messages to end users. Administrators can now customize these warning messages to make it meaningful, and also add a learn more link to such warnings.
  
   

• Chrome launches What's New in Chrome
  
  What’s New in Chrome is a way for users to discover new features. Starting in Chrome 94, some users see a page that highlights a few features. What’s New in Chrome automatically displays as the focused tab. You can disable this feature by using the existing PromotionalTabsEnabled enterprise policy.
  
   

New and updated policies in Chrome browser

Admin console updates

• Search by on-device policy name in the Admin console
  
  Chrome 94 adds the ability to search by on-device policy name to the Admin console. Now when admins enter an on-device policy name, for example, ProxyPacUrl, into the search bar, they’ll see the corresponding setting, for example, Proxy mode, in the Admin console. Admins can also use new info bubbles that appear next to a setting name to see the corresponding on-device policy name.
  
   

• New channel option Extended Stable for Chrome Browser Cloud Management
  
  Chrome adds Extended Stable as a drop-down option for channel selection in the Chrome update section.
  
   

New policies in the Admin console

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

• Chrome 95 will introduce stricter parsing rules for Legacy Browser Support
  
  Organizations that rely on Legacy Browser Support (LBS) to redirect their users to Microsoft Edge or Internet Explorer can use the BrowserSwitcherParsingMode policy to choose how their site list is interpreted by Chrome. If set to strict mode, Chrome will interpret those rules in the same way as Edge and Internet Explorer.
  
   

• As early as Chrome 95, the network Service on Windows will be sandboxed
  
  To improve the security and reliability of the service, the network service, already running in its own process, will be sandboxed on Windows to improve the security and reliability of the service. As part of this, third-party code that is currently able to tamper with the network service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. You'll be able to disable the change with an enterprise policy when it becomes available.
  
   

• Chrome 95 will conduct an Origin Trial for User-Agent Reduction
  
  Chrome 95 will be conducting an Origin Trial for the fully reduced User-Agent string.  We would like sites to begin participating in the trial so we may collect feedback and allow sites to have ample time to address breakage. The reduced User-Agent string will appear in both the User-Agent HTTP request header as well as the JavaScript APIs that access the User-Agent string (navigator.userAgent, navigator.appVersion, navigator.platform).  The Origin Trial will last six milestones until the reduced User-Agent string becomes the default in Chrome, with a deprecation Origin Trial to continue receiving the full User-Agent string for those sites that still need more time to migrate. Enterprises can opt in to the Origin Trial here when it is available.
  
   

• Chrome 95 will deprecate WebAssembly cross-origin module sharing
  
  Chrome 95 will prevent WebAssembly module sharing between cross-origin but same-site environments. This will allow agent clusters to be tied to origins in the long-term. This change conforms to recent changes in the WebAssembly spec.
  
  If your enterprise needs any additional time to adjust to this change, a temporary enterprise policy will be made available to allow module sharing for cross-origin same-site environments.
  
   

• As early as Chrome 95, Apps shortcut in the bookmarks bar will default to off
  
  Chrome will make the Apps shortcut in the bookmark bar default to off and update the current state for all users who have never changed their setting to the new default (off).
  
   

• Chrome 96 will add new security events to BeyondCorp Enterprise Threat and Data Protection (Password leak and login)
  
  Chrome 96 will add two new security events to BeyondCorp Enterprise Threat and Data Protection: Password leak and login. This functionality will allow administrators to understand enterprise credential usage and Shadow IT within their organization, and to stay ahead of potential security incidents regarding passwords exposed in data breaches.
  
   

• Migrate to Open Screen Library Cast channel
  
  Chrome 96 will use a new implementation, Open Screen Library, to connect to devices that support Cast like Chromecast, Nest Hub and Android TV.  Chrome users will not observe any differences in how Cast works.
  
   

• NewTabPageLocation enterprise policy on Incognito
  
  Chrome 96 will fix a bug that prevents users from starting new Incognito sessions when the enterprise policy NewTabPageLocation is set to a chrome://… URL. In future, this policy will be ignored in Incognito mode. Users on Incognito will see the default new tab page. There’s no change in how the policy is applied on regular mode (non-Incognito windows).
  
   

• As early as Chrome 97, Chrome will no longer allow TLS 1.0 or TLS 1.1
  
  The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.
  
  In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. As early as Chrome 97, it will no longer be possible to bypass the interstitial.
  
   

• CORS Authorization mishandling
  
  When scripts make a cross-origin network request via fetch() and XMLHttpRequest with an Authorization header, the header should be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response. The wildcard symbol (*) in the Access-Control-Allow-Headers should not work. This has not been implemented correctly, and the wildcard symbol has taken effect. This will be fixed in Chrome 97.
  
  Please note that Authorization headers attached by Chrome during the authentication process are out of scope for this change.
  
   

• As early as Chrome 97, Chrome will maintain its own default root store
  
  To improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
  
   

• Chrome 97 will remove legacy policies with non-inclusive names
  
  Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names. To minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.
  
  Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy.
  
  This transition period will end in Chrome 97, and the following policies in the left column will no longer function. This change was originally announced for Chrome 95, but has been extended to Chrome 97. Please ensure you're using the corresponding policy from the right column instead:
   

  Legacy Policy Name	New Policy Name
  NativeMessagingBlacklist	NativeMessagingBlocklist
  NativeMessagingWhitelist	NativeMessagingAllowlist
  AuthNegotiateDelegateWhitelist	AuthNegotiateDelegateAllowlist
  AuthServerWhitelist	AuthServerAllowlist
  SpellcheckLanguageBlacklist	SpellcheckLanguageBlocklist
  AutoplayWhitelist	AutoplayAllowlist
  SafeBrowsingWhitelistDomains	SafeBrowsingAllowlistDomains
  ExternalPrintServersWhitelist	ExternalPrintServersAllowlist
  NoteTakingAppsLockScreenWhitelist	NoteTakingAppsLockScreenAllowlist
  PerAppTimeLimitsWhitelist	PerAppTimeLimitsAllowlist
  URLWhitelist	URLAllowlist
  URLBlacklist	URLBlocklist
  ExtensionInstallWhitelist	ExtensionInstallAllowlist
  ExtensionInstallBlacklist	ExtensionInstallBlocklist
  UserNativePrintersAllowed	UserPrintersAllowed
  DeviceNativePrintersBlacklist	DevicePrintersBlocklist
  DeviceNativePrintersWhitelist	DevicePrintersAllowlist
  DeviceNativePrintersAccessMode	DevicePrintersAccessMode
  DeviceNativePrinters	DevicePrinters
  NativePrinters	Printers
  NativePrintersBulkConfiguration	PrintersBulkConfiguration
  NativePrintersBulkAccessMode	PrintersBulkAccessMode
  NativePrintersBulkBlacklist	PrintersBulkBlocklist
  NativePrintersBulkWhitelist	PrintersBulkAllowlist
  UsbDetachableWhitelist	UsbDetachableAllowlist
  QuickUnlockModeWhitelist	QuickUnlockModeAllowlist
  AttestationExtensionWhitelist	AttestationExtensionAllowlist
  PrintingAPIExtensionsWhitelist	PrintingAPIExtensionsAllowlist
  AllowNativeNotifications	AllowSystemNotifications
  DeviceUserWhitelist	DeviceUserAllowlist
  NativeWindowOcclusionEnabled	WindowOcclusionEnabled

  
   
  If you're managing Chrome via the Admin console (for example, Chrome Browser Cloud Management), no action is required; the Admin console will manage the transition automatically.
  
   

• In Chrome 98, Chrome apps will be deprecated on Mac, Windows, and Linux
  
  As part of the previously-communicated plan to replace Chrome apps with the open web, Chrome apps will no longer function on Mac, Windows, and Linux in Chrome 98. For enterprises that need extra time to adjust to the removal of Chrome apps, a policy called ChromeAppEnabled will be available to extend support for them until June 2022.
  
   

• As early as Chrome 98, different-origin iframes will no longer trigger JavaScript dialogs
  
  Chrome will prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change will prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself. Please note that this change was originally planned for Chrome 92, but has been postponed until at least Chrome 98 due to the feedback we received on this change. Once this deprecation launches, you can control the behavior with the enterprise policy SuppressDifferentOriginSubframeDialogs.
  
  You can test if this future change will affect applications now by setting the enable_features=SuppressDifferentOriginSubframeJSDialogs flag.
  
   

Upcoming Admin console changes

• Browser list data will be available for download in CSV format in the Admin console
  
  As early as Chrome 95, a CSV format will be introduced as an option to download the browser list data from the Admin console.
  
   

• Chrome will delete inactive browsers from Chrome Browser Cloud Management 
  
  Many enterprise customers have to adhere to regulation around data retention. To aid in this effort, as early as chrome 95, we will launch a new policy that will automatically delete inactive browser information from Google servers.
  
  By default, browsers that do not connect to the Google servers for 365 days will be considered inactive and automatically deleted. Admins will be able to modify the default value (Allowable range: 28 - 730 days).
  
   

Chrome browser updates

• SyncXHR policy is no longer available
  
  Chrome 93 removes the AllowSyncXHRInPageDismissal enterprise policy. Before updating to Chrome 93, web application owners must update all apps that previously relied on legacy platform behavior. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.
  
   

• New RelaunchWindow policy
  
  The RelaunchWindow enterprise policy allows admins to specify a window of time when Chrome relaunches to force an update to apply. You can use this policy, in conjunction with RelaunchNotification, RelaunchNotificationPeriod, and RelaunchHeadsUpPeriod to control when Chrome relaunches to apply an update. RelaunchWindow helps you to minimize disruption and to force a relaunch outside of business hours. In Chrome 93, these policies are available in Group Policy. These policies will become available in the Admin console at a later date.
  
   

• New JavaScript JIT setting policies 
  
  Chrome 93 introduces three new policies: 
  • DefaultJavaScriptJitSetting
  • JavaScriptJitAllowedForSites
  • JavaScriptJitBlockedForSites
  
  These policies allow Chrome's JavaScript engine to default to using the Ignition interpreter in a JIT-less mode for a set of enterprise-defined sites.
  
  Disabling the JavaScript JIT in this way may allow Chrome to render web content in a more secure configuration, as no executable permissions are needed for memory regions. However, disabling JIT has performance costs and currently disables some parts of JavaScript, including WebAssembly.
  
   

• Full launch of Drive priority launchpad on New tab page
  
  To help users get work done faster, Chrome 93 shows the Drive files the user is more likely to need on the New tab page. This feature uses Drive’s existing priority API, which powers the Priority section of drive.google.com. Some users see this change in Chrome 93.
  
   

• Publishing updates to extensions requires 2-Step Verification
  
  As part of the rollout of a set of updates and clarifications to the Chrome Web Store extension policies, the Chrome Web Store now requires 2-Step Verification on developer accounts before adding a new extension or updating an existing extension. This does not impact extensions that are self-hosted, sideloaded, or that are no longer being updated.
  
  Developer accounts belonging to organizations where the admin has disabled 2-Step Verification for their organization are exempt from this requirement.
  
   

• Updates to the lock icon in the address bar 
  
  Some users might see a new icon replacing the lock in the address bar, which is shown on sites that support HTTPS. The new icon aims to improve the discoverability of the Page Info surface, which includes site-level security and privacy information and controls. A Not Secure indicator continues to appear on sites without HTTPS support. An enterprise policy, LockIconInAddressBarEnabled, is available to revert to the original lock icon. See our blog post Increasing HTTPS Adoption for more information.
  
   

• New feature changes to the User-Agent Client Hints API updates
  
  Chrome 93 adds four feature changes to the User-Agent client hints API:
  • Adding a Sec-CH-UA-Bitness User Agent Client Hint to return the bitness of the platform, which might be useful, for example, for sending optimized binaries during a download.
  • Making Sec-CH-UA-Platform a low-entropy hint that is sent by default. Prior to this change, this hint would need to be requested.

  • Including low-entropy hints by default in UADataValues (returned by getHighEntropyValues()): if a hint moves from high to low-entropy, this prevents site compatibility issues.

  • Adding a toJSON method to NavigatorUAData. Instead of returning {}, JSON.stringify(navigator.userAgentData) is now useful.
  
  An enterprise policy UserAgentClientHintsEnabled is available to control this feature. This policy will be removed in Chrome 94. Developers can leave feedback at crbug.com/1241062 on any issues related to this feature.
  
   

• Chrome on iOS adds a new way to sign in
  
  On iOS, when a user signs in to their Google Account on the web, they can sign in to Chrome with a Google Account that’s already saved on their device. This does not enable Chrome sync by default; the user can opt into that separately if they want sync enabled. You can control the behavior of sign-in on Chrome on iOS and other platforms using the BrowserSignIn policy.
  
   

• Chrome performs sentiment measurement
  
  Chrome 93 performs sentiment measurement of users of Trusted Surface, Privacy Settings and Transactions. These surveys are delivered on the New tab page after the user has engaged with the feature. The delivery of these surveys can be disabled by disabling metrics via the MetricsReportingEnabled policy.
  
   

• Chrome redesigns desktop page info surface
  
  Chrome 93 continues to redesign the desktop page info surface. The purpose of this redesign is to improve scalability by introducing modular subpages, toggles for permissions and restructuring the main view to surface the important information first.
  
   

• Tab Groups in desktop Recently closed menu
  
  Chrome 93 allows users to see their tab groups in the Recently closed menu and helps alleviate worry about permanent loss of groups. This launch enables the whole group and individual tabs inside a group to restore from the Chrome desktop recently closed menu.
  
   

• Save payment information to a Google Account 
  
  In Chrome 93, users who are signed in to their managed Google Account see an option to save their payment information to their Google Account. As an administrator, you can turn off this feature (Sync Service setting) in the Google Admin console or by using the AutofillCreditCardEnabled policy. This was previously available on Android and desktop and is now also available on iOS.
  
   

• URL protocol handlers in web manifests
  
  Chrome 93 is running an Origin Trial for URL protocol handlers in web manifests. This Origin Trial started in Chrome 92 and will end in Chrome 94. The handlers follow the PWA's lifecycle -- they are set up on PWA install, and removed on PWA uninstall. You can find out more in this article.
  
  Note: The Origin Trial started in Chrome 92 but was initially not part of the Chrome 92 blog post.
  
   

• New Incognito Exit Point on Clear browsing data
  
  Chrome 93 introduces a new Close windows confirmation dialog which is displayed when a user selects Clear browsing data from the overflow menu or Chrome Actions on Omnibox while on Incognito mode. This dialog contains text explaining that Clear browsing data ends the Incognito session, and two call-to-action buttons: Close windows and Cancel.
  
   

• Pausing quantum computer resistant security 
  
  Some devices behaved unexpectedly when Chrome offered quantum-resistant cryptography for TLS connections. We’re working with those companies to provide fixed firmware for their devices and have temporarily disabled this technology.
  
  For more details, see the Chromium Open Source Project.
  
   

• LegacySameSiteCookieBehaviorEnabled is no longer available
  
  When same-site cookie behavior was introduced, Chrome included policies to give admins extra time to adjust the implementation of any enterprise apps that relied on the legacy cookie behavior.
  
  The first phase of the transition plan ends in Chrome 93, and LegacySameSiteCookieBehaviorEnabled is no longer taking effect. You will still be able to opt specific sites into the legacy cookie behavior using LegacySameSiteCookieBehaviorEnabledForDomainList until December 31st, 2022.
  
   

• 3DES TLS cipher suites are no longer supported
  
  Chrome 93 removes support for 3DES TLS cipher suites. The TripleDESEnabled enterprise policy was made available in Chrome 92 to test this change, and will be available temporarily until Chrome 95, to give enterprises additional time to adjust.
  
   

• Ubuntu 16.04 is no longer supported
  
  Ubuntu 16.04 is past the end of standard support, and is no longer supported. The updated system requirements for Chrome are available here.
  
   

• New and updated policies in Chrome browser
   

  Policy	Description
  DefaultJavaScriptJitSetting	Allows you to set whether Google Chrome runs the v8 JavaScript engine with JIT (Just In Time) compiler enabled or not.
  DesktopSharingHubEnabled	Enable the sharing icon from the omnibox and the entry from the 3-dot menu.
  JavaScriptJitAllowedForSites	Allows you to set a list of site URL patterns that specify sites which are allowed to run JavaScript with JIT (Just In Time) compiler enabled.
  JavaScriptJitBlockedForSites	Allows you to set a list of site URL patterns that specify sites which are not allowed to run JavaScript JIT (Just In Time) compiler enabled.
  LockIconInAddressBarEnabled	Controls the treatment for lock icon in the omnibox. From Chrome 93, there is a new omnibox icon for secure connections. If the policy is Enabled, Chrome uses the existing lock icon for secure connections. If the policy is Disabled or not set, Chrome uses the default icon for secure connections.
  RelaunchWindow	Specify a target time window for the end of the relaunch notification period.
  RemoteDebuggingAllowed	Controls whether users may use remote debugging.

Chrome OS updates

• Enable Android applications to access Chrome OS certificates
  
  Previously Android applications could only access certificates provisioned within Android, but not those in Chrome OS. Admins can now enable Android apps to access Chrome OS user and device certificates.
  
  For more information, see the Help Center.
  
   

• Regular online re-authentication for identity providers on the login and lock screen
  
  Regular online authentication provides additional security for organizations that require 2FA or MFA authentication and organizations that use third-party identity providers like Okta.
  
  As an admin, you can require regular online re-authentication on the login screen for users of third-party identity providers.  Chrome OS 93 expands this capability to re-authenticate using the lock screen and also extends re-authentication support to users of Google identity, including those using 2FA like Yubikeys or SMS.
  
  There are now three new controls to help manage online re-authentication: 
   
  1. SAML single sign-on unlock frequency
  2. Google online login frequency
  3. Google online unlock frequency
   

Admin console updates

• Sending Extension Requests for Chrome browser Desktop and Chrome OS
  
  As an admin, you can block users from installing extensions and the Chrome Web Store will now have a Request button so that you can see their requests from within the Admin console and take an action to allow or to block the extensions.  To enable the feature, please follow the steps in the Help Center.
  
   

• Chrome Browser Cloud Management is available for Chrome-on-iOS
  
  Chrome Browser Cloud Management now supports Chrome-on-iOS.  The policies for Chrome-on-iOS can be seen at https://chromeenterprise.google/policies (then filter for iOS platform).  To get started, please visit the Help Center.
  
   

• Chrome Browser Cloud Management Release Channel selector
  
  Admin console now has a release channel selector (Stable, Beta, Dev) for Chrome Browser Cloud Management on Windows, Mac, or Linux.  For more details, see the Help Center.
  
   

• New policies in the Admin console
   

  Policy Name	Pages	Supported on	Category/Field
  SamlLockScreenOfflineSigninTimeLimitDays	User & Browser Settings	Chrome OS	Security/SAML single sign-on unlock frequency
  GaiaLockScreenOfflineSigninTimeLimitDays	User & Browser Settings	Chrome OS	Security/Google online unlock frequency
  ForcedLanguages	User & Browser Settings	Chrome Win/Mac/Linux	User experience/Preferred languages

  
  
   

Coming soon