Planning your return to office strategy? See how Chrome OS can help.

Saat ini laman yang diminta belum tersedia dalam bahasa Anda. Pilih bahasa lain di bagian bawah laman atau terjemahkan laman web ke bahasa pilihan Anda secara instan, menggunakan fitur terjemahan yang ada di Google Chrome.

Chrome Enterprise release notes

Last updated on: July 20, 2021

For administrators who manage Chrome browser or Chrome OS devices for a business or school.

In the following notes, the stable release or milestone number (M##) refers to the version of the scheduled feature launch. For example, M75 indicates a feature scheduled to launch with the stable version of Chrome 75. See below for a changelog and version history of Chrome.
 
 

Current Chrome version release notes

Open all   |   Close all Chrome 92

Chrome browser updates

 

  • Chrome blocks ports 989 and 990

    Chrome 92 adds ports 989 (ftps-data) and 990 (ftps) to the restricted ports list and blocks traffic through them. This does not affect customers using standard ports, but custom configurations using non-standard ports may be affected.
    If you're affected by this change, you can use the ExplicitlyAllowedNetworkPorts enterprise policy to allow these specific ports in your environment. You can specifically allow ports 989 and 990 until February 2022.
     
  • Chrome adds FLoC controls to Privacy Sandbox settings 

    Last year, we announced a new initiative, known as Privacy Sandbox, to develop a set of open standards to fundamentally enhance privacy on the web. Chrome 92 adds controls to the Privacy Sandbox settings page to provide improved transparency and control for Federated Learning of Cohorts (FLoC). You can disable the complete Privacy Sandbox, including FLoC, by policy in general by blocking 3P cookies, or all cookies. Alternatively for specific sites, you can disable the sandbox by blocking cookies for a URL.
     
  • Chrome on Android includes a new on-device model for phishing detection

    Chrome on Android uses an on-device Machine Language (ML) model to better detect phishing attempts, and better protect users. As in earlier versions, Chrome displays a full-page interstitial warning if Chrome detects a possible phishing attempt.

    With this change, Chrome sends the following to the Safe Browsing service: 
    • the version of the model that was executed
    • the scores the model gave for each category
    • a boolean describing whether the new model was used to generate the scores

    You can control Safe Browsing using the SafeBrowsingProtectionLevel policy. This feature applies to users with the SafeBrowsingProtectionLevel policy set at protection level of 1 or greater.
     
  • Back/forward cache desktop full launch for all websites

    As a follow-up to a previous launch on Chrome for Android, Chrome 92 launches back/forward cache on desktop platforms. Back/forward cache is a browser optimization that enables instant back and forward navigations. You can temporarily disable this feature via the BackForwardCacheEnabled policy with Group Policy or in the Google Admin console. If you do so, please share details about the issue that led you to disable back/forward cache.
     
  • Magic Toolbar is now available on Chrome on Android 

    The Chrome toolbar on Android now includes a new customizable button that shows different shortcuts depending on what the user is most likely to need.
     
  • Publishing updates to extensions requires 2-Step Verification

    As part of the rollout of a set of updates and clarifications to the Chrome Web Store extension policies, the Chrome Web Store now requires 2-Step Verification on developer accounts prior to adding a new extension or updating an existing extension. This does not impact extensions that are self-hosted, sideloaded, or that are no longer being updated.
     
  • Chrome expands DNS HTTPS record queries for users using classic DNS 

    In previous versions, Chrome only queried and parsed DNS HTTPS records alongside the traditional A and AAAA records for users using Secure DNS. Chrome 92 expands this behavior to users using classic DNS. Chrome uses these records to improve privacy and performance of HTTPS web connections. You can temporarily disable these extra queries for users using classic DNS with the AdditionalDnsQueryTypesEnabled policy with Group Policy or in the Google Admin console. If you do so, please share details about issues that led you to use the policy as a workaround. Note that this policy has no effect for users using Secure DNS.
     
  • Different-origin iframes cannot trigger JavaScript dialogs

    Chrome 92 prevents iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change is intended to prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself.
    If you have any web apps affected by this change, you can use the temporary enterprise policy SuppressDifferentOriginSubframeDialogs to revert to the previous behavior. This policy will be removed in Chrome 95.
     
  • SharedArrayBuffers need Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy 

    If your organization uses apps that leverage SharedArrayBuffers, those apps need to set Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy in the HTTP header. Web apps not setting the appropriate policies can no longer access SharedArrayBuffers.
     
  • Android removes setting for “Show suggestions for similar pages”

    Chrome 92 on Android removes the end user setting for "Show suggestions for similar pages when a page can't be found" from the Sync and Google services settings. This setting was previously removed on Desktop.
    You can control the DNS probes associated with this feature with the AlternateErrorPagesEnabled enterprise policy. 
     
  • Drive priority launchpad on New Tab page

    To help users get work done faster, Chrome 92 shows the Drive docs the user is more likely to need on the New Tab page. This feature uses Drive’s existing priority API, which powers the Priority section drive.google.com. Some users see this change in Chrome 92 and a full launch is expected in Chrome 93.
     
  • Developers can change the name and icon of PWAs

    Developers can now update the name and icon for default Progressive Web Apps (PWAs) and PWAs installed using the ExtensionInstallForcelist enterprise policy.
     
  • Chrome trials the suppression of autofill suggestions

    In Chrome 92, we are conducting a short trial on a small randomly selected number of forms where the browser doesn't show autofill suggestions. The trial is limited to address and credit card forms. Passwords are not affected. You can opt out by using the ChromeVariations policy. Setting the policy to CriticalFixesOnly (value 1) allows only variations considered critical security or stability fixed to be applied to Google Chrome.
     
  • Google Lens replaces Search by Image on Chrome Desktop

    In Chrome 92, for Chrome users whose default search engine is set to Google, the Search with Google Lens context menu item replaces the Search Google for Image desktop context menu item. The new menu item sends users to a standalone Lens Web app. If desired, however, users can navigate to Google Image Search from Lens.
     
  • Chrome separates sign-in and sync on iOS 

    On iOS, Chrome 92 separates the Sync and Google services settings into two items: Sync and Google services. There is a new control in Google services, Allow Chrome sign-in, to disable Chrome sign-in (and therefore also sync).
     
  • Chrome displays a new warning text if a download might lead to account compromise 

    If a user initiates a download that Safe Browsing determined is associated with stealing cookies, some users on desktop platforms see a new warning, filename.exe could let attackers steal your personal information.
     
  • Incognito removes UI links to history

    Chrome does not save history in Incognito mode, but some platforms still show a link to history on the Incognito UI. On Android, to make it clear that Chrome is not saving history, the History menu item in Incognito windows temporarily links to an explainer page instead of linking to a user's history.
     
  • Chrome disables extensions removed from the Chrome Web Store

    Chrome disables extensions that were removed from the Chrome Web Store due to non-compliance with our Chrome Web Store policies. However, if an admin has force-installed an extension, Chrome does not disable it.
    Remember, if you need help with an extension that you manage, you can visit Chrome Web Store One Stop Support.
     

Chrome OS updates

 

  • Chrome improves Android and Linux app support for Desks
    http://crbug/1203496

    You can now assign Android and Linux apps to desks. Right-click on the app window to assign it to a specific desk or to all desks.
     
  • Chrome supports continuous dictation 
    http://crbug/1200667

    Dictation now allows you to continuously dictate your text and only times out if you stop talking.
     
  • Point Scanning for Switch Access 
    http://crbug/1167368

    Point Scanning is a new navigation mode for Switch Access. It allows users to select any spot on the screen and trigger an action. The user first presses their switch when the correct horizontal position is selected, and presses their switch again when the correct vertical position is selected.
     
  • Chrome adds further integrations to Tote
    http://crbug/1201265

    You can now quickly find downloads from your Android Apps and from your Chrome print to pdf functionality in Tote.
     
  • MultiPaste now available for Virtual Keyboard
    http://crbug/1175122

    Chrome OS makes its clipboard history, which launched in Chrome OS 89, accessible from the Virtual Keyboard in Chrome OS 91 and later.
     
  • Chrome 92 improves shortcuts for international keyboards
    http://crbug/1159454

    Chrome OS improves keyboard shortcuts for both international and US users; you can see these updates in the Shortcuts app.
     
  • Chrome OS Camera now supports PTZ Controls
    http://crbug/1186787

    You can now pan, tilt, or zoom your camera from the Chrome Camera app. This feature requires a camera with PTZ support.
     
  • Emoji picker for physical keyboards
    http://crbug/1152237

    Chrome OS includes a new emoji picker, with search functionality and multi-skintone support.
     
  • Chrome OS device help in launcher search
    http://crbug/1126816

    Quickly find help for your Chrome OS device by searching for it in launcher search.
     
  • Some protected content may no longer play on M89 and earlier
    Chrome known issues

    From August 3rd, some protected video and audio content may no longer play on M89 and earlier.
     

Admin console updates

 

  • Additional policies in the Admin console

 

Policy Name

Pages

Supported on

Category/Field

SystemFeaturesDisableMode

Managed Guest Session Settings

Chrome OS

User experience / Disabled system features visibility

SuppressDifferentOriginSubframeDialogs

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Android

Content / Cross-origin JavaScript dialogs

EnterpriseHardwarePlatformAPIEnabled

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Android

Hardware / Enterprise Hardware Platform API

LensCameraAssistedSearchEnabled

User & Browser Settings

Android

User experience / Google Lens camera assisted search

NearbyShareAllowed

User & Browser Settings

Chrome OS

Connected devices / Nearby share

SharedArrayBufferUnrestrictedAccessAllowed

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Network / SharedArrayBuffer

WebRtcIPHandling

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Network / WebRTC IP handling

FetchKeepaliveDurationSecondsOnShutdown

User & Browser Settings

Chrome

Power and shutdown / Keepalive duration / Fetch keepalive duration on Shutdown (in seconds)

CECPQ2Enabled

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Android

Network / CECPQ2 post-quantum key-agreement for TLS

AudioProcessHighPriorityEnabled

User & Browser Settings

Chrome

Hardware / Audio process priority / Adjust the priority for the Chrome audio process

ExplicitlyAllowedNetworkPorts

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Android

Network / Allowed network ports

AllowSystemNotifications

User & Browser Settings

Chrome

Security / System notifications

DefaultFileHandlingGuardSetting

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Content / File Handling API

FileHandlingBlockedForUrls

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Content / File Handling API / Block the File Handling API for these URLs

FileHandlingAllowedForUrls

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Content / File Handling API / Allow the File Handling API for these URLs

BrowserThemeColor

User & Browser Settings

Chrome

General / Custom theme color / Hex color

PdfAnnotationsEnabled

User & Browser Settings

Chrome OS

Content / PDF Annotations

DeviceSystemWideTracingEnabled

Device Settings

Chrome OS

User and device reporting / System-wide performance trace collection

GaiaOfflineSigninTimeLimitDays

User Settings

Chrome OS

Security/Google online login frequency

 

  • New and updated policies (Chrome and Chrome OS)
     

Policy

Description

InsecurePrivateNetworkRequestsAllowed

Controls whether insecure websites are allowed to make requests to any network endpoint, subject to other cross-origin checks.

CloudUserPolicyMerge

Allows policies associated with a Google Workspace account to be merged into machine-level policies.

GaiaLockScreenOfflineSigninTimeLimitDays

Limit the time for which a user authenticated via GAIA without SAML can log in offline at the lock screen.

SamlLockScreenOfflineSigninTimeLimitDays

Limit the time for which a user authenticated via SAML can log in offline at the lock screen.

AdditionalDnsQueryTypesEnabled

Allow DNS queries for additional DNS record types.

PromptForDownloadLocation

Ask where to save each file before downloading.

DataLeakPreventionReportingEnabled

Enable data leak prevention reporting.

DataLeakPreventionRulesList

Sets a list of data leak prevention rules.

DeviceDebugPacketCaptureAllowed

Allow debug network packet captures.

SuggestLogoutAfterClosingLastWindow

Display the logout confirmation dialog.

TripleDESEnabled

Enable 3DES cipher suites in TLS.

Coming soon

 

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

  • Chrome is moving to a 4-week stable channel and introducing an 8-week extended stable channel as early as Chrome 94

    Chrome on mobile, Windows, Mac, and Linux will move from its current 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly. Note that Chrome 94’s shorter development cycle means Chrome 93 will be live in the stable channel for less time as well; specific release dates for both milestones can be found on our schedule
    No action is required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you'll be able to use the TargetChannel policy to switch Chrome on Mac and Windows to an extended stable channel, with a new release every 8 weeks instead. You can find more details on our blog post at blog.chromium.org
    To ensure continuous improvements to the Chrome OS platform, Chrome OS will move to a 4-week stable channel starting with Chrome 96. To bridge the gap between Chrome 94 and Chrome 96, Chrome OS will skip Chrome 95 (see the updated Chrome schedule page for milestone-specific details). 
    To provide commercial users with another dependably secure stable platform, Chrome OS will also introduce a new channel with a 6-month update cadence by Chrome 96. More details to be announced soon.
     

Upcoming Chrome browser changes

 

  • Chrome 93 will no longer allow insecure public pages to make requests to private or local URLs

    Non-secure contexts served from public IP addresses will no longer be able to make subresource requests to IP addresses belonging to a more private address space (as defined in Private Network Access).
    For example, http://public.example served on IP 1.2.3.4 will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. Similarly, http://intranet.example served on IP 192.168.0.1 will not be able to make requests targeting localhost. You can control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies, which are available for testing in Chrome 92.
     
  • Chrome 93 will add a new enterprise policy for the Web Serial API

    The Web Serial API allows sites to request access to serial devices (USB, Bluetooth, etc.) through a device selection prompt. In previous Chrome versions, policy controls could only control how the feature was blocked. In Chrome 93, admins will be able to grant a site access to specific (or all) connected serial devices, streamlining workflows by removing the need for users to select the correct device.
     
  • New feature changes to the User-Agent Client Hints API updates

    Chrome 93 will add four feature changes to the User-Agent client hints API:
    • Adding a Sec-CH-UA-Bitness User Agent Client Hint to return the bitness of the platform, which might be useful, for example, for sending optimized binaries during a download.
    • Making Sec-CH-UA-Platform a low-entropy hint that is sent by default. Before this change, this hint would need to be requested.
    • Including low-entropy hints by default in UADataValues (returned by getHighEntropyValues()): if a hint moves from high to low-entropy, this prevents site compatibility issues.
    • Adding a toJSON method to NavigatorUAData. Instead of returning {}, JSON.stringify(navigator.userAgentData) will now be useful.
  • Chrome 93 will support using Android phones as security keys

    When Chrome on a desktop or laptop is signed into the same account as Chrome on an Android phone, that phone can be used as a security key.
    This feature requires that the desktop have a Bluetooth Low Energy (BLE) adaptor. Communication between the devices is end-to-end encrypted with keys exchanged over BLE to prove proximity with the phone.
     
  • Chrome 93 will use updated language in managed profile sign-in notice

    Chrome will update the notice when users sign into a managed profile. The new notice will have language clarifying that a separate profile is required and the available buttons will be simplified. Some users will see a link to open Chrome in guest mode when they sign in to a new profile that's different from the profile signed in to Chrome.
     
  • Chrome 93 will test replacing the lock icon with a new icon

    Some users will see a new icon replacing the lock in the address bar, improving the discoverability of the Page Info surface, which includes site-level security and privacy information and controls. An enterprise policy, LockIconInAddressBarEnabled, will become available to revert to the original lock icon.
     
  • Chrome 93 will launch a sharing hub

    Users will be able to more easily share their current page, including the ability to send the current page to their devices, get a QR code for the current URL, and share to third party apps. You will be able to control this feature using an enterprise policy called DesktopSharingHubEnabled.
     
  • Chrome 93 will make Chrome Browser Cloud Management available on iOS

    The enterprise team is working to support Chrome-on-iOS for Chrome Browser Cloud Management. If you are interested in testing this functionality out earlier in Chrome 92, please sign up for our Trusted Tester program.
     
  • Chrome 93 on iOS will be able to apply .mobileconfig files

    A .mobileconfig file can be used to configure an iPhone, iPod touch, and iPad to work with certain enterprise systems. Since iOS 12.2, mobileconfig files can be downloaded and installed from Safari and Mail apps. Chrome will be able to download these files and continue to settings so the user can apply them.
     
  • As early as Chrome 94, the network service on Windows will be sandboxed

    To improve the security and reliability of the service, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third party code that is currently able to tamper with the network service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. You'll be able to disable the change with an enterprise policy when it becomes available.
     
  • Chrome settings restructure

    To aid in navigability, Chrome will replace the single long page in Chrome settings with individual sections. The updated experience will be available starting with Chrome 94.
     
  • Chrome 93 on iOS will prefer https to http when not specified in the address bar

    When a user types an address into the address bar without specifying the protocol, Chrome will attempt to navigate using https first, then fallback to http if https is not available. For example, if the user navigates to example.com, Chrome will first attempt to navigate to https://example.com, then fallback to http://example.com if required. For more information, see Chrome’s blog post, A safer default for navigation: HTTPS.
    Desktop and Android users already have this change, and iOS will be rolled out in Chrome 93.
     
  • Chrome 93 on iOS will add a new way to sign in

    On iOS, when a user signs in to their Google Account on the web, they can sign in to Chrome with a Google Account that’s already saved on their device. This does not enable Chrome sync by default; the user can opt into that separately if they want sync enabled.
    You can control the behavior of sign-in on Chrome on iOS and other platforms using the BrowserSignIn policy.
     
  • Chrome 93 will delete inactive browsers from Chrome Browser Cloud Management 

    Many enterprise customers have to adhere to regulation around data retention. To aid in this effort we will launch a new policy that will automatically delete inactive browser information from Google servers.
    By default, browsers that do not connect to the Google servers for 365 days will be considered inactive and automatically deleted. Admins will be able to modify the default value.
     
  • Chrome 93 will introduce JavaScript JIT setting policies 

    Chrome 93 will introduce three new policies; 
    • DefaultJavaScriptJitSetting
    • JavaScriptJitAllowedForSites
    • JavaScriptJitBlockedForSites 
    These policies will allow you to switch Chrome's JavaScript engine to use the Ignition interpreter in a JIT-less mode, by default.
    Disabling JIT in this way may allow Chrome to render web content in a more secure configuration, as no executable permissions are needed for memory regions. However, disabling JIT has performance costs and disables some parts of JavaScript, including WebAssembly.
     
  • Chrome 93 will no longer support SyncXHR policy 

    Chrome 93 will remove the AllowSyncXHRInPageDismissal enterprise policy. Admins must update any apps that rely on the legacy web platform behavior before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.
     
  • Chrome 93 will no longer support Ubuntu 16.04

    Ubuntu 16.04 is past the end of standard support, and will not be supported as of Chrome 93. The updated system requirements for Chrome are available here.
     
  • Chrome 93 will remove 3DES TLS cipher suites

    Chrome will remove support for 3DES TLS cipher suites. The TripleDESEnabled enterprise policy will be made available in Chrome 92 to test this change, and will be available temporarily until Chrome 95, to give enterprises additional time to adjust.
     
  • Chrome 94 will introduce stricter parsing rules for Legacy Browser Support

    Organizations that rely on Legacy Browser Support (LBS) to redirect their users to Microsoft® Edge® or Internet Explorer® can use the BrowserSwitcherParsingMode policy to choose how their site list is interpreted by Chrome. If set to strict mode, Chrome will interpret those rules in the same way as Edge® and Internet Explorer®.
     
  • As early as Chrome 94, Chrome may leverage MiraclePtr to improve security

    Chrome will leverage MiraclePtr to reduce the risk of security vulnerabilities relating to memory safety. The Chrome team gathered data on the performance cost of MiraclePtr in Chrome 91, but domain-joined enterprises on the stable channel were excluded from MiraclePtr builds during that phase. A full release of MiraclePtr in Chrome is planned as early as Chrome 94.
     
  • In Chrome 94, Chrome apps will be deprecated on Mac, Windows, and Linux

    As part of the previously-communicated plan to replace Chrome apps with the open web, Chrome apps will no longer function on Mac, Windows, and Linux in Chrome 94. For enterprises that need extra time to adjust to the removal of Chrome apps, a policy will be available to extend support for them until June 2022.
     
  • Chrome 94 will remove UserAgentClientHintsEnabled policy 

    The use of Structured Headers in the User Agent Client Hints, and in particular, the Sec-CH-UA and Sec-CH-UA-Mobile headers, caused some unintended consequences where not all servers were able to accept all characters. An enterprise policy UserAgentClientHintsEnabled was created to disable this feature. This policy will be removed in Chrome 94.
     
  • As early as Chrome 95, Chrome will maintain its own default root store

    To improve user security, and to provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
     
  • Chrome 95 will deprecate WebAssembly cross-origin module sharing

    Chrome 95 will prevent WebAssembly module sharing between cross-origin but same-site environments. This will allow agent clusters to be tied to origins in the long-term. This change conforms to recent changes in the WebAssembly spec.
    If your enterprise needs any additional time to adjust to this change, a temporary enterprise policy will be made available to allow module sharing for cross-origin same-site environments.
     
  • Chrome 95 will remove legacy policies with non-inclusive names

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (for example, whitelist blacklist). To minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.
    Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy.
    This transition period will end in Chrome 95, and the following policies in the left column will no longer function. Please ensure you're using the corresponding policy from the right column instead:
     

Legacy Policy Name

New Policy Name

NativeMessagingBlacklist

NativeMessagingBlocklist

NativeMessagingWhitelist

NativeMessagingAllowlist

AuthNegotiateDelegateWhitelist

AuthNegotiateDelegateAllowlist

AuthServerWhitelist

AuthServerAllowlist

SpellcheckLanguageBlacklist

SpellcheckLanguageBlocklist

AutoplayWhitelist

AutoplayAllowlist

SafeBrowsingWhitelistDomains

SafeBrowsingAllowlistDomains

ExternalPrintServersWhitelist

ExternalPrintServersAllowlist

NoteTakingAppsLockScreenWhitelist

NoteTakingAppsLockScreenAllowlist

PerAppTimeLimitsWhitelist

PerAppTimeLimitsAllowlist

URLWhitelist

URLAllowlist

URLBlacklist

URLBlocklist

ExtensionInstallWhitelist

ExtensionInstallAllowlist

ExtensionInstallBlacklist

ExtensionInstallBlocklist

UserNativePrintersAllowed

UserPrintersAllowed

DeviceNativePrintersBlacklist

DevicePrintersBlocklist

DeviceNativePrintersWhitelist

DevicePrintersAllowlist

DeviceNativePrintersAccessMode

DevicePrintersAccessMode

DeviceNativePrinters

DevicePrinters

NativePrinters

Printers

NativePrintersBulkConfiguration

PrintersBulkConfiguration

NativePrintersBulkAccessMode

PrintersBulkAccessMode

NativePrintersBulkBlacklist

PrintersBulkBlocklist

NativePrintersBulkWhitelist

PrintersBulkAllowlist

UsbDetachableWhitelist

UsbDetachableAllowlist

QuickUnlockModeWhitelist

QuickUnlockModeAllowlist

AttestationExtensionWhitelist

AttestationExtensionAllowlist

PrintingAPIExtensionsWhitelist

PrintingAPIExtensionsAllowlist

AllowNativeNotifications

AllowSystemNotifications

DeviceUserWhitelist

DeviceUserAllowlist

NativeWindowOcclusionEnabled

WindowOcclusionEnabled

 

If you're managing Chrome via the Google Admin console (for example, Chrome Browser Cloud Management), no action is required; the Google Admin console will manage the transition automatically.

 

Previous release notes 

Chrome 91

Chrome browser updates

 
  • Chrome pauses collapsed tab groups 

    Chrome allows users to organize tabs into collapsible groups, helping them stay productive. For some users, Chrome 91 pauses those tabs when the user collapses them, to reduce CPU and power consumption. Chrome does not pause tabs if they are playing audio, holding a web lock, holding an IndexedDB lock, connected to a USB device, capturing video or audio, being mirrored, or capturing a window or display.
     
  • Chrome blocks port 10080 and adds a policy for allowing specific ports 

    Chrome 91 adds port 10080 to the restricted ports list and blocks traffic through it. This does not affect customers using standard ports, but custom configurations using non-standard ports may be affected.
    If you're affected by this change, or if you were affected by the previous change that blocked port 554, Chrome introduces the ExplicitlyAllowedNetworkPorts enterprise policy, where you can allow these specific ports in your environment.
     
  • Chrome enables quantum computer resistant security 

    Chrome 91 supports a post-quantum key-agreement mechanism in TLS when communicating with some domains. This increases the size of TLS handshake messages which, in rare cases, may cause issues with network middleboxes that incorrectly assume that TLS messages fit in a single network frame.
    You can set the CECPQ2Enabled policy to disable this mechanism. You can also disable it by setting the ChromeVariations policy to a non-default value. For more details, see https://www.chromium.org/cecpq2.
     
  • Chrome no longer allows TLS 1.0 or TLS 1.1

    The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.
    We previously communicated that this would happen as early as January 2021, but we extended the deadline until Chrome 91.
     
  • PWAs can launch when the user logs into the OS

    Users expect some apps, like chat apps, to launch as soon as they log into a Windows or Mac device. Chrome 91 allows users to set Progressive Web Apps (PWAs) to launch as soon as the user logs into the OS.
    As an admin, you can configure a PWA at install time with the option to launch automatically when a user logs in to its OS session.  
    You control this behavior using the WebAppSettings enterprise policy.
     
  • Chrome on iOS warns users if they reuse their saved passwords on known phishing sites

    To better protect users from phishing schemes, Chrome warns users if it appears that they've entered a saved password on a known phishing site. This feature is now being expanded to Chrome on iOS.  
    You control your organization's use of this feature using the PasswordManagerEnabled enterprise policy.

     
  • Chrome introduces initial_preferences

    As part of Chrome's move to using more inclusive naming, admins can control the browser's initial preferences using a file named initial_preferences. This file behaves the same way as, and will eventually replace, the master_preferences file that exists today. To minimize any disruption, Chrome continues to support the master_preferences file and more notice will be given before we remove support for master_preferences.
     
  • Chrome uses DNS-over-HTTPS on Linux
     
    DNS-over HTTPS protects user privacy by encrypting DNS queries, and was already enabled for Windows, Mac, ChromeOS, and Android in prior releases. Chrome 91 supports this feature on Linux. The DNS requests of all users will be auto-upgraded to their DNS provider’s DNS-over-HTTPS (DoH) service if available (based on a list of known DoH-capable servers).  
     
    You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy with Group Policy or in the Google Admin Console. Setting it to off ensures that your users are not affected by Secure DNS.
     
  • Chrome adds Referrer Chain to Client Side Detection pings
     
    To better protect users, Chrome conducts client-side checks of suspicious websites. In Chrome 91, if Enhanced Protection is enabled, the referrers of the website are also sent to Chrome.
     
    You control this behavior using the SafeBrowsingProtectionLevel enterprise policy.
     
  • Download deep scanning available for Enhanced Safe Browsing users
     
    Users who consented to Enhanced Safe Browsing can send downloads to Google for deep scanning when the existing safety checks are inconclusive.  
     
    You can disable this by controlling the user's Safe Browsing setting via the SafeBrowsingProtectionLevelpolicy. 
     
  • Chrome adds Google Account-tied tokens to Enhanced Safe Browsing pings
     
    For users who consented to Enhanced Safe Browsing, who have signed in to their Google accounts, Google Account-tied tokens are added to various phishing detection pings. This provides better protection and reduces false positives.  

    You control this feature on your environment using the SafeBrowsingProtectionLevel enterprise policy.
     
  • Chrome rollout status is available with the Chrome VersionHistory API
     
    The Chrome VersionHistory API is a web service API for retrieving information about Chrome versions and releases. It may be useful for administrators who want to see which versions of Chrome are currently rolled out, including to which fraction of users, to also see the history of Chrome rollouts.
     
    For more details, see https://developer.chrome.com/docs/versionhistory/.
     
  • Chrome can survey users about their experience managing Privacy Sandbox settings
     
    Users who visit the Privacy Sandbox settings page may be asked for their opinion about their experience. 
     
    You control if such surveys appear for your users with the MetricsReportingEnabled policy.
     
  • Chrome on Android tablets requests the desktop site
     
    Chrome 90 on Android tablets requested the desktop version of websites for some users. This is rolling out to all users in Chrome 91.
     
  • BrowserSignIn enterprise policy is available on iOS
     
    Admins can use the BrowserSignIn policy to allow, disable, or force users to sign into Chrome. Chrome 91 extends this policy to iOS. On iOS, you can use this policy to allow or disable user sign-in, but not force users to sign in.
     
  • Chrome uses updated table rendering
     
    Chrome 91 updates the way it renders tables on web pages. This change fixes known issues and brings Chrome closer to the behavior of other browsers, so we expect the impact to be minimal. However, you should test important workflows in your environment for unexpected issues. A full explainer is available here.

     
  • Chrome no longer accepts server certificates issued by the Camerfirma
     
    Websites that use server certificates issued by the Camerfirma Certification Authority are distrusted in Chrome 91. Affected sites should have already been contacted by Camerfirma and have migration plans in place. Note that this does not affect client certificates, only those used for authentication of TLS servers.
     
  • Network state partitioned in Chrome 91
     
    Today, some network objects are shared globally for performance reasons, but this makes it possible to fingerprint users and track them across sites. To protect user privacy, Chrome 91 partitions many network objects by topmost frame domain and iframe domain. A comprehensive description is available here.

    No impact is expected other than minor performance changes, but you can test the change in advance by using the command line flag: 
    --enable-features=PartitionConnectionsByNetworkIsolationKey,PartitionExpectCTStateByNetworkIsolationKey,PartitionHttpServerPropertiesByNetworkIsolationKey,PartitionNelAndReportingByNetworkIsolationKey,PartitionSSLSessionsByNetworkIsolationKey,SplitHostCacheByNetworkIsolationKey
     
  • Legacy Browser Support (LBS) parsing fix reverted in Chrome 91
     
    A fix in LBS was made in M90 that resulted in our rules parsing engine to be more strict and similar to the IE-sitelist rules parsing engine.  We have learned, however, that many customers relied on less-strict parsing behavior.  Due to the unintended impact, we are reverting the fix for Chromium bug 1176742.

    Please verify that your LBS rules work in M91 before deployment.  In a future release, we will offer a new policy to enable stricter rules parsing.
     

Chrome OS updates

 
  • Nearby Share on Chrome OS
     
    Nearby Share is a platform that provides easy, reliable, and secure file, text, and URL sharing across Chrome OS and Android devices.
     
  • VPN before login 
     
    Admins can configure built-in VPNs on Chrome OS so that users can connect to a VPN from the login screen. This allows users to authenticate securely via a VPN connection, which is especially helpful for enterprise-hosted single sign-on situations. Built-in VPN support includes L2TP/IPsec and OpenVPN.
     

Admin Console updates

 
  • Pin extensions to the browser toolbar
     
    Admins can now pin Chrome extensions to the browser toolbar from the Apps & Extension Page.  We recommend admins test out the feature on a small set of devices and browsers before deploying to their fleet. For more details, see here.
     
  • Chrome insights report: AUE Report
     
    The Auto Update Expiration (AUE) Chrome insights report allows admins to easily see how many Chrome OS devices in their fleet have reached their AUE dates or are expiring soon. Admins can navigate directly to the Device List from the report to view all devices expiring in the time frame selected. 
     
  • Sending Remote Commands for Chrome Desktop
     
    As an admin, you can use your Google Admin console to remotely send actions to managed Chrome Desktop Browsers (Win/Mac). For example, you can delete browser cache or cookies remotely.  For more details on sending commands, see here.
     
  • Additional policies in the Admin console 
     
Policy Name Pages Supported on Category/Field
KerberosRememberPasswordEnabled User & Browser Settings Chrome OS Kerberos / Remember Kerberos passwords
KerberosAddAccountsAllowed User & Browser Settings Chrome OS Kerberos / Kerberos accounts
SecurityTokenSessionBehavior User & Browser Settings; Managed Guest Session Settings Chrome OS Security / Security token removal / Action on security token removal (for example, smart card)
SecurityTokenSessionNotificationSeconds User & Browser Settings; Managed Guest Session Settings Chrome OS Security / Security token removal / Removal notification duration (seconds)
WebXRImmersiveArEnabled User & Browser Settings Android Other settings / WebXR "immersive-ar" sessions
SSLErrorOverrideAllowedForOrigins User & Browser Settings; Managed Guest Session Settings Chrome
Chrome OS
Android
Network / SSL error override allowed domains / Domains that allow clicking through SSL warnings
SystemProxySettings Device Settings Chrome OS Other settings / Authenticated Proxy Traffic
DeviceAllowMGSToStoreDisplayProperties Managed Guest Session Settings Chrome OS User experience / Persist display settings
DeviceAllowedBluetoothServices Device Settings Chrome OS Other settings / Bluetooth services allowed / Only allow connection to Bluetooth services in the list
DevicePciPeripheralDataAccessEnabled Device Settings Chrome OS Other settings / Data access protection for peripherals 

AccessibilityShortcutsEnabled

AutoclickEnabled

CaretHighlightEnabled

CursorHighlightEnabled

DictationEnabled

FloatingAccessibilityMenuEnabled

HighContrastEnabled

KeyboardFocusHighlightEnabled

LargeCursorEnabled

MonoAudioEnabled

PrimaryMouseButtonSwitch

ScreenMagnifierType

SelectToSpeakEnabled

SpokenFeedbackEnabled

StickyKeysEnabled

VirtualKeyboardEnabled

Device Settings

Chrome OS

Kiosk accessibility

  • New and updated policies (Chrome and Chrome OS)
Policy Description
BrowserThemeColor
Browser Only
Configure the color of the browser's theme
CECPQ2Enabled CECPQ2 post-quantum key-agreement enabled for TLS
DefaultFileHandlingGuardSetting Lets web apps ask for access to file types via the File Handling API.
DeviceAllowedBluetoothServices
Chrome OS Only
Only allow connection to the Bluetooth services in the list
ExplicitlyAllowedNetworkPorts Permits bypassing the list of restricted ports
FileHandlingAllowedForUrls Specifies web apps allowed to access file types via the File Handling API.
FileHandlingBlockedForUrls Specifies web apps blocked from accessing file types via the File Handling API.
ForcedLanguages
Browser Only
Configure the content and order of preferred languages
HeadlessMode Control use of the Headless Mode
SharedArrayBufferUnrestrictedAccessAllowed Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context.
SuppressDifferentOriginSubframeDialogs Specifies if JavaScript dialogs triggered from a different origin subframe will be blocked
URLBlocklist
New on iOS
Specifies disallowed URLs
URLAllowlist
New on iOS
Specificies allowed URLs
WebAppSettings
Browser only
Specifies settings for web apps installed through WebAppInstallForceList Note: This is an experimental policy that may be replaced in a future version of Chrome.
WebRtcIPHandling WebRTC will use TCP on the public-facing interface, and will only use UDP if supported by a configured proxy

Coming soon


Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
 
  • Chrome is moving to a 4-week stable channel and introducing an 8-week extended stable channel as early as Chrome 94
     
    Chrome on mobile, Windows, Mac, and Linux will move from its current 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly.
     
    No action is required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you'll be able to use the TargetChannel policy to switch Chrome on Mac and Windows to an extended stable channel, with a new release every 8 weeks instead. More details can be found on our blog post at blog.chromium.org
     
    Chrome OS is working on the changes to the release cadence and will send a separate announcement.  As always, Chrome OS will prioritize the latest security updates, and maintain a high quality and stable experience for users, customers, partners, and developers.
     

Upcoming Chrome browser changes

 
  • Managed profile sign-in popup will be more clear in Chrome 92
     
    Chrome will update the notice when users sign into a managed profile. The new notice will use clear language and the available actions will be simplified. Some users will see a link to open Chrome in guest mode when they sign in to a new profile that's different from the profile signed in to Chrome.  
     
  • SharedArrayBuffers will need Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy in Chrome 92
     
    If your organization uses apps that leverage SharedArrayBuffers, those apps will need to set Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy in the HTTP header. Web apps not setting the appropriate policies will no longer be able to access SharedArrayBuffers.  
    If your organization needs additional time to make the transition, the SharedArrayBufferUnrestrictedAccessAllowed policy will be available in Chrome 91. This is a temporary policy that will eventually be removed. The removal timeline will be communicated in future release notes.
     
  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 92
     
    Insecure pages will no longer be able to make subresource requests to IPs belonging to a more private address space (as defined in Private Network Access). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
     
  • Different-origin iframes will not be able to trigger javascript dialogs in Chrome 92
     
    Chrome will prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change is intended to prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself.
    If you have any web apps affected by this change, you'll be able to use the temporary enterprise policy SuppressDifferentOriginSubframeDialogs to revert to the previous behavior. This policy will be removed in Chrome 95.
     
  • Chrome will launch a sharing hub in Chrome 92
     
    Users will be able to more easily share their current page in Chrome 92, including the ability to send the current page to their devices, get a QR code for the current URL,  screenshot and markup the current page, and share to third party apps.
    You'll be able to control this feature using an enterprise policy.
     
  • Chrome 92 on iOS will prefer https to http when not specified in the address bar
     
    When a user types an address into the address bar without specifying the protocol, Chrome will attempt to navigate using https first, then fallback to http if https is not available. For example, if the user navigates to example.com, Chrome will first attempt to navigate to https://example.com, then fallback to http://example.com if required. For more information, see Chrome’s blog post, A safer default for navigation: HTTPS.
    Desktop and Android users already had this change, and iOS will be rolled out in Chrome 92.
     
  • Chrome 92 on Android will introduce the Magic Toolbar 

    The Chrome toolbar on Android will add a new adaptable button, which will show different shortcuts depending on what the user is most likely to need and will also be customizable. 
     
  • Chrome 92 will expand DNS HTTPS records queries for users using classic DNS 
     
    Chrome is currently querying and parsing DNS HTTPS records alongside the traditional A and AAAA records for users using Secure DNS. From Chrome 92,  we will expand this behavior to users using classic DNS. The information from these records will be used to improve privacy and performance of HTTPS web connections. You can temporarily disable these extra queries for users using classic DNS, via the AdditionalDnsQueryTypesEnabled policy with Group Policy or in the Google Admin Console. Please share details about issues that led you to use the policy as a workaround. Note that this policy has no effect for users using Secure DNS.
     
  • Lock in address bar will be replaced in Chrome 93
     
    The lock in the address bar will be replaced with a new icon. Chrome is moving to security messaging that highlights known security issues, and shows neutral messaging otherwise. Showing an icon that implies safety based solely on the connection's encryption may lead to a false sense of security.
     
  • Network Service on Windows will be sandboxed as early as Chrome 93
     
    The network service, already running in its own process, will be sandboxed on Windows to improve the security and reliability of the service. As part of this, third party code that is currently able to tamper with the Network Service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data loss Prevention software.You'll be able to disable the change with an enterprise policy when it becomes available.
     
  • Chrome may leverage MiraclePtr to improve security, as early as Chrome 93
     
    Chrome will leverage MiraclePtr to reduce the risk of security vulnerabilities relating to memory safety. The Chrome team is gathering data on the performance cost of MiraclePtr in Chrome 91, but domain-joined enterprises on the stable channel are excluded from MiraclePtr builds during this phase. A full release of MiraclePtr in Chrome may be as early as Chrome 93.
     
  • UserAgentClientHintsEnabled will be removed in Chrome 93
     
    When Chrome introduced User-Agent Client Hints, some servers were not able to accept all characters in the User-Agent Client Hints headers as part of the broader Structured Headers  emerging standard.
    To give enterprises extra time updating these servers, the UserAgentClientHintsEnabled policy was introduced. This transition period will end with Chrome 93, and the policy will be removed.
     
  • SyncXHR policy will no longer be supported on Chrome 93
     
    The AllowSyncXHRInPageDismissal enterprise policy will be removed in Chrome 93. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.
     
  • LegacySameSiteCookieBehaviorEnabled will be removed in Chrome 93
     
    When same-site cookie behavior was introduced, Chrome included policies to give admins extra time to adjust the implementation of any enterprise apps that relied on the legacy cookie behavior.
    The first phase of the transition plan will end in Chrome 93, and LegacySameSiteCookieBehaviorEnabled will no longer take effect. You will still be able to opt specific sites into the legacy cookie behavior using LegacySameSiteCookieBehaviorEnabledForDomainList until Chrome 109.
     
  • Chrome 93 will not support Ubuntu 16.04 

    Ubuntu 16.04 is past the end of standard support, and will not be supported as of Chrome 93. The updated system requirements for Chrome are available here.
     
  • Chrome 93 will remove 3DES TLS cipher suites 

    Chrome will remove support for 3DES TLS cipher suites. The TripleDESEnabled enterprise policy will be made available in Chrome 92 to test this change, and will be available temporarily until Chrome 95, to give enterprises additional time to adjust.
     
  • Chrome apps will be deprecated in Chrome 94 on Mac, Windows, and Linux 

    Chrome apps will no longer function on Mac, Windows, and Linux in Chrome 94, as part of the previously-communicated plan to replace Chrome apps with the open web. For enterprises that need extra time to adjust to the removal of Chrome apps, a policy will be available to extend support for them until June 2022.
     
  • Chrome will maintain its own default root store as early as Chrome 95 

    To improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own certificate authority, you should not have to manage multiple root stores. We do not anticipate any changes to be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
     
  • Legacy policies with non-inclusive names will be removed in Chrome 95 

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (for example, whitelist blacklist). To minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.
    Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy.
    This transition period will end in Chrome 95, and the following policies in the left column will no longer function. Please ensure you're using the corresponding policy from the right column instead:

     

    Legacy Policy Name New Policy Name
    NativeMessagingBlacklist NativeMessagingBlocklist
    NativeMessagingWhitelist NativeMessagingAllowlist
    AuthNegotiateDelegateWhitelist AuthNegotiateDelegateAllowlist
    AuthServerWhitelist AuthServerAllowlist
    SpellcheckLanguageBlacklist SpellcheckLanguageBlocklist
    AutoplayWhitelist AutoplayAllowlist
    SafeBrowsingWhitelistDomains SafeBrowsingAllowlistDomains
    ExternalPrintServersWhitelist ExternalPrintServersAllowlist
    NoteTakingAppsLockScreenWhitelist NoteTakingAppsLockScreenAllowlist
    PerAppTimeLimitsWhitelist PerAppTimeLimitsAllowlist
    URLWhitelist URLAllowlist
    URLBlacklist URLBlocklist
    ExtensionInstallWhitelist ExtensionInstallAllowlist
    ExtensionInstallBlacklist ExtensionInstallBlocklist
    UserNativePrintersAllowed UserPrintersAllowed
    DeviceNativePrintersBlacklist DevicePrintersBlocklist
    DeviceNativePrintersWhitelist DevicePrintersAllowlist
    DeviceNativePrintersAccessMode DevicePrintersAccessMode
    DeviceNativePrinters DevicePrinters
    NativePrinters Printers
    NativePrintersBulkConfiguration PrintersBulkConfiguration
    NativePrintersBulkAccessMode PrintersBulkAccessMode
    NativePrintersBulkBlacklist PrintersBulkBlocklist
    NativePrintersBulkWhitelist PrintersBulkAllowlist
    UsbDetachableWhitelist UsbDetachableAllowlist
    QuickUnlockModeWhitelist QuickUnlockModeAllowlist
    AttestationExtensionWhitelist AttestationExtensionAllowlist
    PrintingAPIExtensionsWhitelist PrintingAPIExtensionsAllowlist
    AllowNativeNotifications AllowSystemNotifications
    DeviceUserWhitelist DeviceUserAllowlist
    NativeWindowOcclusionEnabled WindowOcclusionEnabled

If you're managing Chrome via the Google Admin Console (for example, Chrome Browser Cloud Management), no action is required; the Google Admin Console will manage the transition automatically.
 

Upcoming Admin Console changes

 
  • Sending Extension Requests for Chrome Browser Desktop and Chrome OS 
     
    As an admin, you can block users from installing extensions and the Chrome Web Store will now have a “Request” button so that you can see their requests from within the Admin Console and take an action to allow or to block the extensions.  You can sign up to get early access to this feature by filling out our Trusted Tester form. 

     
 
Chrome 90

Chrome Browser updates

 
  • Single words are not treated as intranet locations by default

    By default, Chrome improves user privacy and reduces load on DNS servers by avoiding DNS lookups for single keywords entered into the address bar. This change may interfere with enterprises that use single-word domains in their intranet. That is, a user typing "helpdesk" is no longer directed to "https://helpdesk/".
    You can control the behavior of Chrome using the IntranetRedirectBehavior enterprise policy, including preserving the existing behavior (value 3: Allow DNS interception checks and did-you-mean "http://intranetsite/" infobars.).
    Some users saw this change in Chrome 88 and 89; a full rollout is happening in Chrome 90.
     
  • Chrome prefers https to http when not specified in the address bar

    When a user types an address into the address bar without specifying the protocol, Chrome attempts to navigate using https first, then falls back to http if https is not available. For example, if the user navigates to example.com, Chrome first attempts to navigate to https://example.com, then falls back to http://example.com if required. See Chrome’s blog post, A safer default for navigation: HTTPS, for more information.
    Desktop and Android users see this in Chrome 90, with a release on iOS following soon after.
     
     
  • Chrome blocks port 554 in Chrome 90

    Port 554 is added to the restricted ports list,  so Chrome blocks traffic through port 554. This should have no effect on customers using standard ports, but custom configurations (for example, delivering PAC scripts) using non-standard ports may be affected. You should instead use standard ports for your use case (for example, delivering PAC scripts via HTTPS through port 443).

     
  • The TargetChannel policy allows you to set Chrome's channel

    Chrome 90 allows you to choose between stable, beta, and dev channels via the enterprise policy TargetChannel. You can read more about setting the policies for Mac and Windows.

     
  • Chrome compresses public HTTPS images

    When Chrome Lite mode is enabled, Chrome compresses public HTTPS images to reduce users’ data costs, by routing the requests through a Google service. You can control this using the DataCompressionProxyEnabled enterprise policy.

     
  • Chrome saves data with Lite videos

    To reduce the data-cost and improve the experience of videos on metered and limited data connections, Chrome on Android reduces the effective bitrate of videos for Lite mode users on cellular connection. You can control this feature using the DataCompressionProxyEnabled policy.

     
  • AllowNativeNotifications updated to AllowSystemNotifications

    As part of Chrome's move to using more inclusive policy names, AllowNativeNotifications is renamed to AllowSystemNotifications. The existing AllowNativeNotifications policy will be available until Chrome 95.

     
  • Chrome supports Intel CET

    Chrome supports Intel’s Control Flow Enforcement Technology (CET), known as Hardware-enforced Shadow Stacks on Windows. This only affects Chrome running on hardware that supports CET (Intel 11th Gen or AMD Zen 3). While no issues are expected, you can manage CET by manipulating Image File Execution Options (IFEO) through group policy.

     
  • Some permission requests are less intrusive

    Permission requests that the user is unlikely to allow are automatically blocked, when Safe Browsing is set to Enhanced. A less intrusive UI allows the user to manage permissions for each site.


    You can control this feature on your environment using the SafeBrowsingProtectionLevel enterprise policy. Set it to 1 (standard), 2 (enhanced), or leave the policy unset to enable the quieter requests. Set it to 0 (disabled) to always use the standard requests instead of the quieter requests.

    You can also explicitly allow or disable notifications for certain sites using the NotificationsAllowedForUrls and NotificationsBlockedForUrls. This may be better suited for your use case and doesn't require the user to be prompted at all.

     
  • Extension settings load from the same place for all channels on Mac

    All Chrome channels read the extension policies from the same .plist file. For example, the extension Password Alert always loads its policies from com.google.Chrome.extensions.noondiphcddnnabmjcihcjfbhfklnnep.plist instead of com.google.Chrome.canary.extensions.noondiphcddnnabmjcihcjfbhfklnnep.plist in Chrome Canary.

     
  • Security key enterprise attestation

    Chrome supports device-unique attestation of security keys without needing a policy configured. This is useful in situations where security keys are distributed by an enterprise to personnel who may use them on non-policy-managed computers. This requires specially-manufactured security keys—talk to your security key vendor if this sounds useful.

     
  • WebXR depth sensing API will be supported

    The WebXR Depth Sensing API allows Chrome to measure distance from the user’s device to real world geometry in the user’s environment. With this, Chrome will be able to power immersive experiences in WebXR-powered apps (for example, for physics, and lifelike occlusion for augmented reality).

    You will be able to control access to WebXR and other augmented reality APIs using the WebXRImmersiveArEnabled enterprise policy.

     
  • Admin controls on shutdown delay for fetch keepalive

    When Chrome is closed, any outstanding fetch keepalive requests are cancelled by default. In Chrome 90, you can use the FetchKeepaliveDurationSecondsOnShutdown enterprise policy to block browser shutdown for a specified period of time to serve any outstanding fetch keepalive requests.

    This may be suitable for enterprise web applications that require the fetch keepalive requests to signal the end of a user session.

     
  • Legacy browser support works between Chrome and Microsoft Edge

    You can configure Legacy Browser Support to automatically switch between multiple browsers, assigning certain sites to always open in Chrome, while other sites always open in another browser, for example, Internet Explorer. With Chrome 90, we now support configuring your environment to switch between Chrome and Microsoft Edge in IE mode. See this help center article for more details.

     
  • Chrome on Android tablets requests the desktop site

    Chrome 90 on Android tablets requests the desktop version of websites for some users. This is expected to be rolled out to all users in Chrome 91.

     

Chrome OS updates

 
  • Deprecation of AMR and GSM audio codecs

    AMR-NB, AMR-WB, and GSM audio codecs are deprecated as part of this release. Affected users should file bugs here and may temporarily rollback this change via the use of chrome://flags/#deprecate-low-usage-codecs. Users with long-term need for these codecs may use stand-alone applications found in the Google Play Store.

 

  • New Diagnostics app

    The new Diagnostics app helps users understand how their Chrome OS device [battery, CPU, and memory] is performing. Within the app, users can also run troubleshooting tests – results are saved in a session log file for easy sharing with customer support.

     
  • Device Dock Update

    Device updates provide users the ability to have reliable and safe peripherals, by providing an avenue to update their software if needed. In Chrome OS 90, we are releasing a path for updates to docks with minimal user experience disruption, making it simple and safe for all our users that use Works With Chromebook certified accessories.

     
  • Updated UI for recent screenshots and downloads

    Quickly access your recent screenshots and downloads. Pin your important Files to launch, copy, or drag with one click. Visit here for more information.

     
  • Better account manager and add account flow

    Chrome OS’s account manager is getting a brand new design to help users better understand the Chrome OS identity model, such as the difference between device account and secondary Google Accounts, and the implications of adding multiple Google Accounts to a user session. Instead of being nested under the "People'' section, the redesigned account manager is part of a new "Accounts" section for clarity and ease of access. Finally, the add account flow is also redesigned to help nudge users away from adding their Google Accounts to user sessions that are not their own.

     
  • Add Live captions settings to Chrome OS settings

    Chrome Live Caption now supports Chrome OS. Live Captions enables you to caption any audio or video in your browser.

     
  • YouTube and Maps open in standalone windows for new users

    New users can now experience YouTube and Maps in standalone app windows by default, rather than opening as browser tabs. Existing users can right-click on the YouTube or Maps app icon, then select Open link in new tab or Open link in new window.

     
  • Files app: Enable offline for Docs, Sheets, and Slides files on Drive

    Users now have the ability to make Google Docs, Sheets, and Slides available for offline access directly from their Drive folder in the Chrome OS file manager.

     

Admin console updates

 
  • Chrome Policy API

    The Chrome Policy API is a brand new API for configuring Admin console Chrome policies. Admins can use the API to script changes across multiple OUs, compare policies or copy policies across multiple OUs, and more. The Chrome Policy API is now available with support for user & browser settings, as well as printer settings. Future versions of the API will also support managing apps & extensions, device settings, kiosk, and managed guest session settings.

     
  • Update Controls for macOS

    Admin Console now supports configuring update controls for macOS. Please see the Help Center article on how to configure these settings.

     
  • Version History API

    The Chrome Update team released a web service API for retrieving information about Chrome versions and releases.

     
  • Additional policies in the Admin console

    Many new policies are available in the Admin console, including:
     
Policy Name Pages Supported on Category/Field
BasicAuthOverHttpEnabled User & Browser Settings Chrome OS, Windows, Mac, Linux Network / Allow Basic authentication for HTTP
BrowserLabsEnabled User & Browser Settings Windows, Mac, Linux User experience / Browser experiments icon in toolbar
DefaultSensorsSetting User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux, Android Hardware / Sensors / Default access
EnableDeprecatedPrivetPrinting User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux Printing / Deprecated privet printing
FullscreenAlertEnabled User & Browser Settings Chrome OS User experience / Fullscreen alert
IntegratedWebAuthenticationAllowed User & Browser Settings Chrome OS Network / Login credentials for network authentication
NTPCardsVisible User & Browser Settings Chrome OS, Windows, Mac, Linux User experience / Show cards on the New Tab Page
PhoneHubAllowed User & Browser Settings Chrome OS Connected devices / Phone Hub
PhoneHubNotificationsAllowed User & Browser Settings Chrome OS Connected devices / Phone Hub
PhoneHubTaskContinuationAllowed User & Browser Settings Chrome OS Connected devices / Phone Hub
ProfilePickerOnStartupAvailability User & Browser Settings Windows, Mac, Linux Startup / Profile picker availability on browser startup
RemoteAccessHostDomainList User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux Remote access / Remote access hosts / Remote access host domain
SensorsAllowedForUrls User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux, Android Hardware / Sensors / Allow access to sensors on these sites
SensorsBlockedForUrls User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux, Android Hardware / Sensors / Block access to sensors on these sites
SigninInterceptionEnabled User & Browser Settings Windows, Mac, Linux Sign-in settings / Signin interception
TargetBlankImpliesNoOpener User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux, Android Security / Popup interactions
WifiSyncAndroidAllowed User & Browser Settings Chrome OS Other settings / Wi-Fi network configurations sync

 

  • New and updated policies (Chrome Browser and Chrome OS)
     
Policy Description
AllowSystemNotifications
Linux Only
Allow system notifications
AudioProcessHighPriorityEnabled
Windows Only
Allow the audio process to run with priority above normal on Windows
FetchKeepaliveDurationSecondsOnShutdown Fetch keepalive duration on Shutdown
SSLErrorOverrideAllowedForOrigins Allow proceeding from the SSL warning page on specific origins
WebXRImmersiveArEnabled Allow creating WebXR's "immersive-ar" sessions
WindowOcclusionEnabled
Browser only
Enable Window Occlusion

 

Coming soon

 

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

  • Chrome is moving to a 4-week stable channel and introducing an 8-week extended stable channel as early as Chrome 94

    Chrome on mobile, Windows, Mac, and Linux will move from its current 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly.

    No action is required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you'll be able to switch Chrome to an extended stable channel, with a new release every 8 weeks instead. More details can be found on our blog post at blog.chromium.org.

    Chrome OS is also planning changes to the release cycle during the same release. As always, Chrome OS will prioritize the latest security updates, and maintain a high quality and stable experience for users, customers, partners, and developers.

     

Upcoming Chrome Browser changes

 
  • Chrome 91 will block port 10080 and add a policy for allowing specific ports

    Port 10080 will be added to the restricted ports list and traffic will be blocked through it. This should have no effect on customers using standard ports, but custom configurations using non-standard ports may be affected.

    If you're affected by this change, or other changes blocking ports for security reasons, Chrome will introduce an enterprise policy where you can allow specific ports in your environment.
     
  • Collapsed tab groups will be frozen in Chrome 91

    Chrome allows users to group tabs into collapsible groups, helping them stay organized and productive. In Chrome 91, those tabs will be frozen when the user collapses them, freeing up resources on the system. Chrome will not freeze tabs if they are playing audio, holding a web lock, holding an IndexedDB lock, connected to a USB device, capturing video or audio, being mirrored, or capturing a window or display.

     
  • Web apps will be able to run when the user logs into the OS in Chrome 91

    Users will be able to configure Progressive Web Apps to start automatically when they log into the OS. This allows some apps that the user expects to be always-on to behave as expected.

    You will be able to control which apps can start on OS login using the WebAppSettings enterprise policy.

     
  • Chrome will introduce initial_preferences in Chrome 91

    As part of Chrome's move to using more inclusive naming, Chrome will support an admin using a file to control the browser's initial preferences, named initial_preferences. This file behaves the same way as, and will eventually replace the master_preferences file that exists today. To minimize any disruption, master_preferences will continue to be supported in Chrome 90 and more notice will be given before support for master_preferences is removed.
     
  • Different-origin iframes will not be able to trigger javascript dialogs in Chrome 91

    Chrome will prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change is intended to prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself.

    If you have any web apps affected by this change, you'll be able to use the temporary enterprise policy SuppressDifferentOriginSubframeDialogs to revert to the previous behavior. This policy will be removed in Chrome 94.

    You can test apps in your environment for compatibility using Chrome 91 Canary, and Chrome 91 Beta on April 22.
     
  • Network state will be partitioned in Chrome 91

    At present, some network objects are shared globally for performance reasons, but this makes it possible to fingerprint users and track them across sites. To protect user privacy, Chrome will partition many network objects by topmost frame domain and iframe domain. A comprehensive description is available here.

    No impact is expected other than minor performance changes, but you can test the change in advance by using the command line flag:

    --enable-features=PartitionConnectionsByNetworkIsolationKey,PartitionExpectCTStateByNetworkIsolationKey,PartitionHttpServerPropertiesByNetworkIsolationKey,PartitionNelAndReportingByNetworkIsolationKey,PartitionSSLSessionsByNetworkIsolationKey,SplitHostCacheByNetworkIsolationKey

     
  • The BrowserSignIn enterprise policy will be available for Chrome 91 on iOS

    The BrowserSignIn policy allows you to either disable or force users to sign into Chrome browser. The IncognitoModeAvailability policy allows you to disable Incognito mode. Both of these policies will be available for Chrome 90 on iOS.
     
  • Quantum computer resistant security will be enabled in Chrome 91

    Chrome will start supporting a post-quantum key-agreement mechanism in TLS when communicating with some domains. This increases the size of TLS handshake messages which, in rare cases, may cause issues with network middleboxes that incorrectly assume that TLS messages will fit in a single network frame.

    The CECPQ2Enabled policy can be set to disable this. It will also be disabled if the ChromeVariations policy is set to a non-default value. For more details on this rollout, see https://www.chromium.org/cecpq2

     
  • The SSLVersionMin policy will not allow TLS 1.0 or TLS 1.1 in Chrome 91

    The SSLVersionMin enterprise policy allows you to bypass Chrome's interstitial warnings for legacy versions of TLS. This will be possible until Chrome 91 (May 2021), then the policy will no longer allow TLS 1.0 or TLS 1.1 to be set as the minimum.

    We previously communicated that this would happen as early as January 2021, but the deadline has since been extended.

     
  • Server certificates issued by the Camerfirma will no longer be accepted, no later than Chrome 91

    Websites that use server certificates issued by the Camerfirma Certification Authority will be distrusted in a future release of Chrome. Affected sites should have already been contacted by Camerfirma and have migration underway. Note that this does not affect client certificates, only those used for authentication of TLS servers.

     
  • Chrome 91 on iOS will warn users if they reuse their saved passwords on known phishing sites

    To better protect users from phishing schemes, Chrome warns users if it appears that they've entered a saved password on a known phishing site. In Chrome 91, this feature will be expanded to Chrome on iOS.

    You can control your organization's use of this feature using the PasswordManagerEnabled enterprise policy.

     
  • Chrome 91 will use updated table rendering

    Chrome is updating the way it renders tables on web pages. This change fixes known issues and brings Chrome closer to the behavior of other browsers, so impact is expected to be minimal. However, you should test important workflows in your environment for unexpected issues. A full explainer is available here.

    You can enable the new rendering behavior using chrome://flags/#enable-table-ng in Chrome 90 and above. If you experience any unexpected issues when testing with the flag enabled, please file a chromium bug.

     
  • Managed profile sign-in popup will be more clear, with changes as early as Chrome 91

    Chrome will update the notice when users sign into a managed profile. The new notice has more clear language and the available actions have been simplified. Some users will see a link to open Chrome in guest mode when they sign into a new profile that's different from the profile signed into Chrome.

     
  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 92

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.

     
  • Lock in address bar will be replaced in Chrome 92

    The lock in the address bar will be replaced with a new icon. Chrome is moving to security messaging that highlights known security issues, and shows neutral messaging otherwise. Showing an icon that implies safety based solely on the connection's encryption may lead to a false sense of security.

     
  • The Network Service on Windows will be sandboxed as early as Chrome 92

    The network service, already running in its own process, will be sandboxed on Windows to improve the security and reliability of the service. As part of this, third party code that is currently able to tamper with the Network Service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data loss Prevention software.You'll be able to disable the change with an enterprise policy when it becomes available.

     
  • Chrome will leverage MiraclePtr to improve security, as early as Chrome 93

    Chrome will leverage MiraclePtr to reduce the risk of security vulnerabilities related to memory safety. The Chrome team is gathering data on the performance cost of MiraclePtr in Chrome 91, but enterprises on the stable channel are excluded from MiraclePtr builds during this phase. A full release of MiraclePtr in Chrome may be as early as Chrome 93.
     
  • Chrome will maintain its own default root store as early as Chrome 92

    In order to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own certificate authority, you should not have to manage multiple root stores.We do not anticipate any changes to be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.  
     
  • Chrome will launch a sharing hub in Chrome 92

    Users will be able to more easily share their current page in Chrome 92, including the ability to send the current page to their devices, get a QR code for the current URL,  screenshot and markup the current page, and share to third party apps.

    You'll be able to control this feature using an enterprise policy. 
     
  • UserAgentClientHintsEnabled will be removed in Chrome 93

    When Chrome introduced User-Agent Client Hints, some servers were not able to accept all characters in the User-Agent Client Hints headers as part of the broader Structured Headers  emerging standard.

    To give enterprises extra time updating these servers, the UserAgentClientHintsEnabled policy was introduced. This transition period will be ending with Chrome 93, and the policy will be removed. 
     
  • SyncXHR policy will no longer be supported on Chrome 93

    The AllowSyncXHRInPageDismissal enterprise policy will be removed in Chrome 93. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications. 
     
  • LegacySameSiteCookieBehaviorEnabled will be removed in Chrome 93

    When same-site cookie behavior was introduced, Chrome included policies to give admins extra time to adjust the implementation of any enterprise apps that relied on the legacy cookie behavior. The first phase of the transition plan will end in Chrome 93, and LegacySameSiteCookieBehaviorEnabled will no longer take effect. You will still be able to opt specific sites into the legacy cookie behavior using LegacySameSiteCookieBehaviorEnabledForDomainList until Chrome 97. 
     
  • Legacy policies with non-inclusive names will be removed in Chrome 95

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (for example, whitelist, blacklist). In order to minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome. 

    Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy. 

    This transition period will end in Chrome 95, and the following policies in the left column will no longer function. Please ensure you're using the corresponding policy from the right column instead: 
     
Legacy Policy Name New Policy Name
NativeMessagingBlacklist NativeMessagingBlocklist
NativeMessagingWhitelist NativeMessagingAllowlist
AuthNegotiateDelegateWhitelist AuthNegotiateDelegateAllowlist
AuthServerWhitelist AuthServerAllowlist
SpellcheckLanguageBlacklist SpellcheckLanguageBlocklist
AutoplayWhitelist AutoplayAllowlist
SafeBrowsingWhitelistDomains SafeBrowsingAllowlistDomains
ExternalPrintServersWhitelist ExternalPrintServersAllowlist
NoteTakingAppsLockScreenWhitelist NoteTakingAppsLockScreenAllowlist<
PerAppTimeLimitsWhitelist PerAppTimeLimitsAllowlist
URLWhitelist URLAllowlist
URLBlacklist URLBlocklist
ExtensionInstallWhitelist ExtensionInstallAllowlist
ExtensionInstallBlacklist ExtensionInstallBlocklist
UserNativePrintersAllowed UserPrintersAllowed
DeviceNativePrintersBlacklist DevicePrintersBlocklist
DeviceNativePrintersWhitelist DevicePrintersAllowlist
DeviceNativePrintersAccessMode DevicePrintersAccessMode
DeviceNativePrinters DevicePrinters
NativePrinters Printers
NativePrintersBulkConfiguration PrintersBulkConfiguration
NativePrintersBulkAccessMode PrintersBulkAccessMode
NativePrintersBulkBlacklist PrintersBulkBlocklist
NativePrintersBulkWhitelist PrintersBulkAllowlist
UsbDetachableWhitelist UsbDetachableAllowlist
QuickUnlockModeWhitelist QuickUnlockModeAllowlist
AttestationExtensionWhitelist AttestationExtensionAllowlist
PrintingAPIExtensionsWhitelist PrintingAPIExtensionsAllowlist
AllowNativeNotifications AllowSystemNotifications
DeviceUserWhitelist DeviceUserAllowlist
NativeWindowOcclusionEnabled WindowOcclusionEnabled
 

If you're managing Chrome via the Google Admin Console (for example, Chrome Browser Cloud Management), no action is required; the Google Admin Console will manage the transition automatically.
 

Upcoming Admin Console changes

 
  • Sending Extension Requests for Chrome Browser and Chrome OS

    As an admin, you can block users from installing extensions and the Chrome Web Store will now have a “Request” button so that you can see their requests from within the Admin Console and take an action to allow or to block the extensions.

     
  • Sending Remote Commands for Chrome Desktop

    As an admin, you can use your Google Admin console to remotely send actions to managed Chrome Desktop Browsers (Win/Mac/Linux). For example, you will be able to delete browser cache or cookies remotely.

     
 
Chrome 89

Chrome Browser updates

 
  • Single words will not be treated as intranet locations by default

    By default, Chrome will improve user privacy and will reduce load on DNS servers by avoiding DNS lookups for single keywords entered into the address bar. This change may interfere with enterprises that use single-word domains in their intranet. That is, a user typing helpdesk will no longer be directed to https://helpdesk/.

    You will be able to control the behavior of Chrome using the IntranetRedirectBehavior enterprise policy, including preserving the existing behavior (value 3: Allow DNS interception checks and did-you-mean http://intranetsite/ infobars.).

    Some users saw this change in Chrome 88; a full rollout is planned in Chrome 89.

  • Chrome will prefer https to http when not specified in the address bar

    When a user types an address into the address bar without specifying the protocol, Chrome will attempt to navigate using https first, then fallback to http if https is not available. For example, if the user navigates to example.com, Chrome will first attempt to navigate to https://example.com, then will fallback to http://example.com if required.

    Some users on Windows, Mac, Linux, and Android will see this change in Chrome 89, and all users should see this change in Chrome 90.

  • Users can search open tabs

    Users can search for open tabs across windows, as shown in this screenshot:

  • Enterprise realtime URL checking enabled by BeyondCorp Enterprise

    Chrome 89 will introduce new security capabilities enabled by BeyondCorp Enterprise allowing checking URLs for phishing attacks in realtime for BeyondCorp Enterprise customers.

  • Chrome profiles for separating users or accounts

    Chrome will add new features to help different users keep their browsing data like bookmarks, history, and settings separate.

    Users will be given the option to create a new Chrome profile and move their account over, when they sign in to a profile where another account is already signed in.

    If a user signs in with an account that is already signed in to another profile, they will be offered the option to switch. Users who have multiple profiles set up will see a profile picker on startup. 

    You can control whether Chrome offers to create or switch profiles with the SigninInterceptionEnabled enterprise policy and ProfilePickerOnStartupAvailability enterprise policies.
  • Certain features will be available to users who have signed in without having to enable Chrome Sync 

    Some users who have signed into Chrome may be able to access and save payment methods and passwords stored in their Google Account without Chrome Sync being enabled.

    You can control users' access to payment methods on Chrome on Android using the AutofillCreditCardEnabled enterprise policy. You can control access to passwords on Chrome on desktop by either setting the SyncDisabled enterprise policy to disabled, or by including passwords in SyncTypesListDisabled.
     
  • Chrome on Android will require the device to be certified

    Chrome on Android will only be able to run on devices that are Play Protect certified. This will affect all instances of Chrome including PWAs, but does not include WebView.

    Chrome on VMs and emulators will continue to work if an emulator is emulating an approved device or the emulator is Google-developed.

    See the Android Help Center article for details on how to verify a device’s certification status.  
     
  • Version pinning for self-hosted extensions & apps

    To increase the stability in high-reliability environments, Chrome 89 will facilitate the pinning of extensions and apps to a specific version. Administrators can self-host the extension or app of their choice, and instruct Chrome to use the update URL from the extension forcelist instead of the extension manifest. This will be via a new boolean parameter in ExtensionSettings policy. As a result, extensions & apps will not be updated via the updateURL that was originally configured in their manifest, and will stay on one specific version.  
     
  • Chrome introduces privacy-preserving APIs to replace some of the functionality of third-party cookies

    Several changes are coming in Chrome 89 to build a more private web. We originally announced these changes in the Chromium Blog.

    FLoC, an interest-based targeting API will be introduced as an origin trial. This API will allow working with cohorts—groups of users with similar interests. Users cannot be individually identified.

    An event-level conversion API will continue in the origin-trial stage for Chrome 89. This API will enable the correlation of an ad click on a website with a subsequent conversion on an advertiser site (a sale, a sign-up, etc). Users cannot be individually identified.

    Platform-provided trust tokens will be introduced to the ongoing Trust Token API Origin Trial. This experiment will be used to ascertain the value of tokens incorporating on-device state as a mechanism for anti-spam and anti-abuse systems, and to evaluate the feature’s performance relative to standard web-issued trust tokens. 

    First party sets will be introduced as an origin trial. This will allow a collection of related, commonly-owned domains to declare themselves as a first party set, so that browsers can consider this relationship when applying cross-site communication policies. 

    Schemeful Same-Site, which evolves the definition of same-site to include the URL scheme, will be fully rolled out and available to all audiences.

    User Agent Client Hints will also be fully rolled out and available to all audiences.

    See the chromium privacy sandbox page for details on these APIs and the privacy sandbox.
     
  • Chrome will require SSE3 for Chrome on x86

    Chrome 89 and above will require x86 processors with SSE3 support. This change does not impact devices with non-x86 (ARM) processors. Chrome will not install and run on x86 processors that do not support SSE3. SSE3 was introduced on Intel CPUs in 2003, and on AMD CPUs in 2005.

  • Chrome introduces BrowsingDataLifetime and ClearBrowsingDataOnExitList policies

    Chrome will give you more control over data in your environment by introducing two policies that clear browsing data after a specified amount of time, or once Chrome has been closed: BrowsingDataLifetime and ClearBrowsingDataOnExitList. These policies will be useful for customers that have strict regulatory requirements around data being stored on client devices.

  • Metrics reporting can be disabled by the user even if admin has it turned on

    To improve user privacy, end users will be able to turn off metrics reporting for themselves, even if you have set MetricsReportingEnabled to true. If you set MetricsReportingEnabled to false, users will not be able to enable metrics.

  • Chrome introduces the Serial API

    The Serial API will provide a way for websites to read and write from a serial device through script. You can read an explainer on the Serial API here.

    You will be able to control access to the Serial API using the DefaultSerialGuardSetting policy. You can also use the SerialAskForUrls and SerialBlockedForUrls policies to control serial device access on a site-by-site basis.

  • Chrome on iOS introduces biometric authentication for Incognito tabs

    Users will have a setting to enable access control for their Incognito tabs. When this setting is turned on, users will be prompted to re-authenticate themselves with biometric authentication when they return to Incognito tabs after closing Chrome on iOS.

Chrome OS updates

 
  • Extended auto-update blockout windows 

    Already as of today, the Chrome OS auto update blockout window device policy allows admins to block updates for their kiosk devices during certain business hours. This helps to save bandwidth in cases where Chromebooks are located at sites with limited network connectivity. From Chrome 89 on (official launch March 9th, 2021), the auto update blockout window policy will be extended. (1) Instead of only applying to kiosk sessions, it will also apply to user sessions & managed guest sessions (MGS). (2) Instead of only influencing the start of an update download, it will also pause previously started updates during blockout windows.

    Due to the extended impact of the auto-update blockout window policy, an adjustment of your policy settings might be required to guarantee continuous updates of your devices.

  • Scaled Print Server Support 

    Admins will be able to assign any number of IPP based print servers to be remotely configured from the admin console. Users will select a specific print server to connect to if the user has more than 16 print servers assigned. If there are less than 16 configured, Chrome OS will automatically query all assigned print servers simultaneously.

  • Scanning support

    Chrome OS will support the scanning functionality of compatible multifunction printers. Access to the Scan app on Chrome OS can be controlled by Admins.
     
  • QR code scanning support

    You can now scan QR codes with the Chrome OS Camera app. Just point your camera at a QR code and the results will automatically be scanned.

  • Switch Access settings Improvements

    Switch Access settings will allow you to use any key or external switch and will make setting up your switches easier by replacing the drop down menu with just pressing the switch you want to use. 
  • Enhanced Screen Capture

    Chrome OS screen capture just got better. Screen capture functionality is now always accessible via quick settings. A new capture mode provides users with an intuitive UI to switch between functionality. After taking a partial screenshot, you can adjust the selection to perfect your capture. New screen recording functionality lets you capture and share motion.


     
  • Desk improvements

    Improvements for frictionless smart creation and management of multiple workspaces (restore desks for browser, send to desk, and virtual desk improvements).
     
  • Wi-Fi Sync improvements

    Wi-Fi Sync is now even more powerful, with added support for Wi-Fi network sharing between Chrome OS and Android.
     
  • Clipboard: visual clipboard history

    Chrome OS introduces an extended clipboard to quickly transfer multiple pieces of content. Transfer everything you need with speed and ease.
     
  • Tote: quick access to recent and important Files

    Quickly access your recent screenshots and downloads. Pin your important Files to launch, copy, or drag with one click.
     
  • Improved Media Controls

    Brings unified media controls to quick settings. Access all your media sources in one place quickly.
     
  • App icon refresh

    The icons for the built-in apps on your Chromebook have a fresh new look, making it easier for you to distinguish between the core essential apps (for example, Canvas, Explore) that are made for Chrome OS and third-party apps that you’ve downloaded.
     
  • Enhanced Select-to-speak to better support users with Dyslexia

    Improve the Select-to-speak accessibility service with navigation controls (play/pause, navigate sentences and paragraphs, adjust speed in context).


     

Admin console updates

 
  • Apps & Extension Usage Report

    The Apps & Extension Usage Report report will allow admins to get a comprehensive view of the apps and extensions installed across their fleet of ChromeOS and Chrome Desktop devices.  Refer to the View app and extension usage details article on how to enable it. 
     
  • Reports API

    The Reports API will allow you to generate reports that give you aggregate information on your managed Chrome OS device / Chrome Browser deployment.  Please see the documentation here on how to use it. 
     
  • Additional policies in the Admin console

    Many new policies will be available in the Admin console, including:
Policy Name Pages Supported on Category/Field
NTPContentSuggestionsEnabled User & Browser Settings Android Startup / New Tab page content suggestions
RestrictAccountsToPatterns User & Browser Settings Android User experience / Visible Accounts / Restrict accounts that are visible in Chrome to those matching one of the patterns specified
MediaRecommendationsEnabled User & Browser Settings Chrome OS, Windows, Mac, Linux User experience / Media Recommendations
AllowFileSelectionDialogs User & Browser Settings Windows, Mac, Linux User experience / File selection dialogs
AllowWakeLocks User & Browser Settings; Managed Guest Session Settings Chrome OS Power and shutdown / Wake locks
IntranetRedirectBehavior User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux Network / Intranet Redirection Behavior

 

  • New and updated policies (Chrome Browser and Chrome OS)

 

Policy Description

BrowsingDataLifetime

Browsing Data Lifetime Settings

ClearBrowsingDataOnExitList

Clear Browsing Data on Exit

EnableDeprecatedPrivetPrinting

Enable deprecated privet printing

ManagedConfigurationPerOrigin

Sets managed configuration values to websites to specific origins

PhoneHubTaskContinuationAllowed

Chrome OS only

Allow Phone Hub task continuation to be enabled

PhoneHubAllowed

Chrome OS only

Allow Phone Hub to be enabled

PhoneHubNotificationsAllowed

Chrome OS only

Allow Phone Hub notifications to be enabled

ProfilePickerOnStartupAvailability

Browser only

Profile picker availability on startup

RemoteAccessHostAllowRemoteAccessConnections

Browser only

Allow remote access connections to this machine

RemoteAccessHostMaximumSessionDurationMinutes

Browser only

Maximum session duration allowed for remote access connections

SigninInterceptionEnabled

Browser only

Enable signin interception

Coming soon

 

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

  • Chrome will move to a 4-week stable channel and will introduce an 8-week extended stable channel as early as Chrome 94

    Chrome on mobile, Windows, Mac, and Linux will move from its current 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly.

    No action will be required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you'll be able to switch Chrome to an extended stable channel, with a new release every 8 weeks instead. More details can be found on our blog post at blog.chromium.org

    Chrome OS is also planning changes to the release cycle during the same release. As always, Chrome OS will prioritize the latest security updates, and maintain a high quality and stable experience for users, customers, partners, and developers.

Upcoming Chrome Browser changes

 
  • Chrome 90 will block port 554

    Port 554 will be added to the restricted ports list and traffic through it will be blocked. This should have no effect on customers using standard ports, but custom configurations (for example, delivering PAC scripts) using non-standard ports may be affected. You should instead use standard ports for your use case (for example, delivering PAC scripts via HTTPS through port 443).
     
  • Launch of PDF XFA forms in Chrome 90

    PDF XFA forms will be partially supported in Chrome 90, expanding the range of PDF documents that can open directly in Chrome.
     
  • Managed profile sign-in popup will be more clear in Chrome 90

    Chrome 90 will update the notice when users sign into a managed profile. The new notice will have more clear language and the available actions will be simplified.
     
  • Some permission requests will be less intrusive in Chrome 90

    Permission requests that the user is unlikely to allow will be automatically blocked. A less intrusive UI will allow the user to manage permissions for each site.

     
  • Chrome 90 will support Intel CET

    Chrome 90 will support Intel’s Control Flow Enforcement Technology (CET), known as Hardware-enforced Shadow Stacks on Windows. This will only affect Chrome running on hardware that supports CET. While no issues are expected, you can manage CET by manipulating Image File Execution Options (IFEO) through group policy.
     
  • Chrome 90 will introduce initial_preferences

    As part of Chrome's move to using more inclusive naming, Chrome will support an admin using a file to control the browser's initial preferences, named initial_preferences. This file will behave the same way as, and will eventually replace the master_preferences file that exists today. To minimize any disruption, master_preferences will continue to be supported in Chrome 90 and more notice will be given before support for master_preferences is removed.
     
  • AllowNativeNotifications updated to AllowSystemNotifications in Chrome 90

    As part of Chrome's move to using more inclusive policy names, AllowNativeNotifications will be renamed to AllowSystemNotifications. The existing AllowNativeNotifications policy will be available until Chrome 95.
     
  • Extension settings will load from the same place for all channels on Mac in Chrome 90

    All Chrome channels will read the extension policies from the same .plist file. For example, the extension Password Alert will always load its policies from com.google.Chrome.extensions.noondiphcddnnabmjcihcjfbhfklnnep.plist instead of com.google.Chrome.canary.extensions.noondiphcddnnabmjcihcjfbhfklnnep.plist in Chrome Canary.
     
  • Chrome will save data with Lite videos in Chrome 90

    To reduce the data-cost and improve the experience of videos on metered and limited data connections, Chrome on Android will reduce the effective bitrate of videos for Lite mode users on cellular connection. You will be able to control this feature using the DataCompressionProxyEnabled policy.
     
  • Data Saver: Chrome will compress public HTTPS images in Chrome 90

    Public HTTPS images will be compressed when Chrome lite mode is enabled, to further provide a rich web experience to users with unreliable internet connections.
     
  • Security key enterprise attestation in Chrome 90

    Chrome will support device-unique attestation of security keys without needing policy configured. This will be useful in situations where security keys are distributed by an enterprise to personnel who may use them on non-policy-managed computers. This will require specially-manufactured security keys—talk to your security key vendor if this sounds useful.
     
  • Launch WebXR capability - Depth Sensing API in Chrome 90

    The WebXR Depth Sensing API will allow Chrome to measure distance from the user’s device to real world geometry in the user’s environment. With this, Chrome will be able to power immersive experiences in WebXR-powered apps (e.g. for physics, and lifelike occlusion for augmented reality). You will be able to control access to WebXR and other augmented reality APIs using the WebXRImmersiveArEnabled enterprise policy.
     
  • Partition Network State in Chrome 90

    Today, some network objects are shared globally for performance reasons, but this makes it possible to fingerprint users and track them across sites. To protect user privacy, Chrome will partition many network objects by topmost frame domain and iframe domain. A comprehensive description is available here.

    No impact is expected other than minor performance changes, but you can test the change in advance by using the command line flag: 
    --enable-features=PartitionConnectionsByNetworkIsolationKey,PartitionExpectCTStateByNetworkIsolationKey,PartitionHttpServerPropertiesByNetworkIsolationKey,PartitionNelAndReportingByNetworkIsolationKey,PartitionSSLSessionsByNetworkIsolationKey,SplitHostCacheByNetworkIsolationKey
     
  • Legacy Browser Support for Edge in IE Mode will be available in Chrome 90

    For organizations accessing legacy web content in Microsoft Edge's IE mode, Chrome 90 will allow admins to configure Legacy Browser Support (LBS) to switch between Microsoft Edge in IE mode and Chrome. You can already use LBS to switch directly between Microsoft Internet Explorer and Chrome.
     
  • The Network Service on Windows will be sandboxed in Chrome 91

    The network service, already running in its own process, will be sandboxed on Windows in Chrome 90 to improve the security and reliability of the service. As part of this, third party code that is currently able to tamper with the Network Service will be prevented from doing so. This may cause problems when connecting to software such as:
    • Custom Authentication Packages.
    • Custom SSO (Single Sign-on) providers.
    • Custom Winsock Namespace/transport providers.
    • Data Loss Prevention software.
    • NTLM with Windows integrated authentication.

    Enterprises are encouraged to try the sandboxed network stack on Dev and Canary channel and report any issues via crbug.com. You'll be able to disable the change with an enterprise policy when it becomes available.
     
  • Lock in address bar will be replaced in Chrome 91

    The lock in the address bar will be replaced with a new icon. Chrome is moving to security messaging that highlights known security issues, and shows neutral messaging otherwise. Showing an icon that implies safety based solely on the connection's encryption may lead to a false sense of security.
     
  • Quantum computer resistant security will be enabled in Chrome 91

    Chrome will start supporting a post-quantum key-agreement mechanism in TLS when communicating with some domains. This increases the size of TLS handshake messages which, in rare cases, may cause issues with network middleboxes that incorrectly assume that TLS messages will fit in a single network frame.
    The CECPQ2Enabled policy can be set to disable this. It will also be disabled if the ChromeVariations policy is set to a non-default value.

    For more details on this rollout, see CECPQ2
     
  • Insecure public pages will no longer be allowed to make requests to private or local URLs in Chrome 91

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
     
  • The address bar may show the domain rather than the full URL as early as Chrome 90

    To protect your users from some common phishing strategies, Chrome will test showing only the domain in the address bar for some users. This change will make it more difficult for malicious actors to trick users with misleading URLs. For example, https://example.com/secure-google-sign-in/ will appear only as example.com to the user.

    Although this change is designed to keep your users’ credentials safe, you can revert to the old behavior through the ShowFullUrlsInAddressBar policy.

    This change has been enabled for some users, with a potential full rollout in a later release.
     
  • The SSLVersionMin policy will not allow TLS 1.0 or TLS 1.1 in Chrome 91

    The SSLVersionMin enterprise policy will allow you to bypass Chrome's interstitial warnings for legacy versions of TLS. This will be possible until Chrome 91 (May 2021), then the policy will no longer allow TLS 1.0 or TLS 1.1 to be set as the minimum.

    We previously communicated that this would happen as early as January 2021, but the deadline has since been extended.
     
  • Chrome will maintain its own default root store as early as Chrome 92

    In order to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own certificate authority, you should not have to manage multiple root stores.We do not anticipate any changes to be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
     
  • SyncXHR policy will no longer be supported on Chrome 93

    The AllowSyncXHRInPageDismissal enterprise policy will be removed in Chrome 93. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.
     
  • Old policies with non-inclusive names will be removed in Chrome 95

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (e.g. whitelist, blacklist). In order to minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.

    This transition period will end in Chrome 95. A full list of the policies to be removed will be provided closer to the removal date. If you're managing Chrome via the Google Admin Console (for example, Chrome Browser Cloud Management), no action is required; the Google Admin Console will manage the transition automatically.
     

Upcoming Chrome OS changes

 
  • Deprecation of AMR and GSM audio codecs in Chrome OS 90

    AMR-NB, AMR-WB, and GSM audio codecs will be deprecated as part of this release. Affected users should file bugs here and may temporarily rollback this change via the use of chrome://flags/#deprecate-low-usage-codecs. Users with long-term need for these codecs may use stand-alone applications found in the Google Play Store.

Upcoming Admin Console changes

 
  • Sending Extension Requests for Chrome Browser and Chrome OS

    As an admin, you can block users from installing extensions and the Chrome Web Store will now have a Request button so that you can see their requests from within the Admin Console and take an action to allow or to block the extensions.
     
  • Sending Remote Commands for Chrome Desktop

    As an admin, you can use your Google Admin console to remotely send actions to managed Chrome Desktop Browsers (Win/Mac/Linux). For example, you will be able to delete browser cache or cookies remotely.
 
Chrome 88

Chrome Browser updates

  • Chrome will warn about mixed content forms
    Web forms that load using HTTPS but submit their content using HTTP (unsecured) pose potential risk to user privacy. Chrome 85 and above shows a warning on such forms, letting the user know that the form is insecure. Chrome 88 will show an interstitial warning when the form is submitted, which stops any data transmission, so the user will be able to choose whether to proceed or cancel the submission. This was previously rolled out in Chrome 87 but was rolled back due to the way it interacted with redirects. It is being rolled out again in Chrome 88, but will only show warnings for forms that either submit directly to an http:// URL, or when a redirect to an http:// happens and the form data is exposed across the redirect. For example, 307 or 308 code redirects for POST method forms.





    You will be able to control this behavior using the InsecureFormsWarningsEnabled enterprise policy. To test this behavior before the rollout, use the Mixed Forms Interstitial Chrome flag.
     
  • Improved resource consumption for background tabs
    To save on CPU load and prolong battery life, Chrome will limit the power consumption of background tabs. Specifically, Chrome will allow the timers in the background tabs to only run once per minute. Network event handlers are not affected, which allows sites like Gmail or Slack® to continue delivering timely notifications in the background. Some users saw this feature in Chrome 87. It's now available to all users in Chrome 88.

    You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.
     
  • Insecure downloads are blocked from secure pages, with changes through Chrome 88
    In Chrome 88 on Windows®, Mac®, and Linux®, downloads from insecure sources will no longer be allowed when started from secure pages. This change has been rolled out gradually, with different file types affected in different releases:

     

  • Executables—Users were warned in Chrome 84, and files were blocked in Chrome 85.
  • Archives—Users were warned in the Chrome developer console in Chrome 85, and files were blocked in Chrome 86.
  • Other non-safe types, for example, PDFs—Users were warned in the Chrome developer console in Chrome 86, and files were blocked in Chrome 87.
  • Other files—Users were warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.

    Warnings on Android will lag behind desktop warnings by one release. For example, executables showed a warning starting in Chrome 85.

    The existing InsecureContentAllowedForUrls policy can be used to allow specific URLs to download insecure files. You can read more details in our blog post.
  • The new tab page allows users to complete previously started workflows
    The Chrome new tab page will show cards to help users return to searches and workflows that were already in progress, like searching for recipes or price comparisons. Users are able to control and remove these cards.

    These cards appeared for some users in Chrome 87, and are now included in Chrome 88. You can control these cards using the NTPCardsVisible policy. 
     
  • Chrome introduces profiles for separating users or accounts
    Some users will be given the option to create a new Chrome profile and move their account over when they sign in to a profile where another account is already signed in. This allows different users to keep bookmarks, history, and settings separate. If a user signs in with an account that is already signed in to another profile, they’re offered to switch. Some users who have multiple profiles set up will see a profile picker on startup.

    You can control whether Chrome offers to create or switch profiles with the SigninInterceptionEnabled enterprise policy. In Chrome 89, you'll also be able to control the startup behavior for the profile picker with the ProfilePickerOnStartupAvailability enterprise policy.


    A wider release to more users is planned for a later release

  • Certain features are available to users who have signed in without having to enable Chrome Sync 
    Some users who have signed into Chrome might be able to access and save payment methods and passwords stored in their Google Account without Chrome Sync being enabled.

    On Chrome on Android, you can control a user's access to payment methods using the AutofillCreditCardEnabled enterprise policy. You can control access to passwords on Chrome on desktop by either setting the SyncDisabled enterprise policy to disabled, or by including "passwords" in SyncTypesListDisabled.
     
  • DTLS 1.0 has been removed
    DTLS 1.0, a protocol used in WebRTC for interactive audio and video, has been removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted by using the following command line flag when launching Chrome:

    --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/ 

    If your enterprise needs additional time to adjust, the WebRtcAllowLegacyTLSProtocols enterprise policy will be made available to temporarily extend the removal.
     
  • Chrome supports manifest v3
    Chrome 88 supports extensions written in the new Manifest V3 format. Manifest V3 is a new platform that makes extensions more secure, performant, and privacy-respecting by default. There is no breaking change at this time; extensions using Manifest v2 will continue to function normally in Chrome 88.
     
  • Chrome is launching an origin trial for detecting idle state
    An early origin trial allows websites to request the ability to query if users are idle, allowing messaging apps to direct notifications to the best device.
     
  • Single words are no longer being treated as intranet locations by default

    By default, Chrome improves user privacy and reduces load on DNS servers by avoiding DNS lookups for single keywords entered into the address bar. This change may interfere with enterprises that use single-word domains in their intranet. For example, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".

    You can control the behavior of Chrome using the IntranetRedirectBehavior enterprise policy, including preserving the existing behavior (value 3: Allow DNS interception checks and did-you-mean "http://intranetsite/" infobars.).
  • Chrome introduces a new permission chip UI
    Permission requests can feel disruptive and intrusive when they lack context – which often happens when prompts appear as soon as a page loads or without prior priming. This leads to a common reaction where end users dismiss the prompt in order to avoid making a decision.

    Chrome now shows a less intrusive permissions chip in the address bar. Since the prompt doesn't intrude in the content area, users who don't want to grant the permission no longer need to actively dismiss the prompt. Users who wish to grant permission can click on the chip to bring up the permission prompt.




    This change will be rolled out gradually throughout Chrome 88.
     
  • The Legacy Browser Support extension has been removed from the Chrome Web Store
    Legacy Browser Support (LBS) is built into Chrome, and the old extension is no longer needed. The Chrome team unpublished LBS from the Chrome Web Store in Chrome 85, and it is disabled in Chrome 88. Legacy Browser Support will still be supported, please migrate away from the extension and towards using Chrome's built-in policies, documented here. The old policies set through the extension will no longer function, and you won't be able to force install the extension once it's been disabled.
     
  • Factor in scheme when determining if a request is cross-site (Schemeful Same-Site)
    Chrome 88 modifies the definition of same-site for cookies such that requests on the same registrable domain but across schemes will be considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other which will restrict cookies using SameSite. For additional information please see the Schemeful Same-Site explainer. We recommend testing critical sites using the testing instructions.

    You may revert to the previous, legacy behavior, by using the LegacySameSiteCookieBehaviorEnabledForDomainList and LegacySameSiteCookieBehaviorEnabled policies. These policies will be available at least until Chrome 93, with the domain list planned to be available longer. For more details, including availability, please see Cookie Legacy SameSite Policies.
     
  • Chrome 88 on Mac does not support OS X 10.10 (Yosemite)
    Chrome 88 does not support OS X 10.10 (OS X Yosemite). Chrome on Mac requires OS X 10.11 or later.
     
  • Popup on page unload policy is no longer supported on Chrome 88
    The AllowPopupsDuringPageUnload enterprise policies have been removed in Chrome 88, as previously communicated. For any apps that rely on the legacy web platform behavior, be sure to update them immediately.
     
  • Chrome treats an empty string as an unset policy on Android for some policies in Chrome 88
    To integrate better with mobile management UEMs, Chrome on Android will not set list or dictionary policies from empty strings.
     
  • The BasicAuthOverHttpEnabled policy allows you to disable authentication over HTTP
    You can set the new BasicAuthOverHttpEnabled policy to disabled to disallow non-secure HTTP requests from using the Basic authentication scheme. If you do, only secure HTTPS will be allowed.

  • The Chrome Cleanup Tool can reset Chrome shortcuts
    When users run the Chrome Cleanup Tool, it will modify command line flags within Chrome shortcuts. This helps users restore Chrome to a safe state if malware has inserted malicious command line flags into the shortcut.

    You can control the Chrome Cleanup Tool using the ChromeCleanupEnabled policy, which will prevent this behavior.
     
  • Notifications will be suspended while presenting
    While Chrome is sharing a screen, web-notifications from Chrome will not show their content by default. They will be presented to the user after the screen sharing session ends or by manually revealing them via a notification action. Note that sharing a single window or tab does not affect the delivery of notifications from Chrome.
     
  • The microphone is visible beside the address bar for some users on Android
    The microphone button is visible in the top UI bar of Chrome for some users on Android. Users can to ask the Google Assistant to read the current page, or translate it to another language.

    When users interact with the microphone button, the URL of the current page is shared with Google. You can control this feature using the AudioCaptureAllowed policy.
     
  • Cloud Print is no longer supported
    The Google Cloud Print service is no longer supported on any Operating Systems.

    Chrome OS admins can select a print solution provider or migrate to the Chrome OS local and network printer solution. Admins of Windows®, Mac®, and Linux® operating systems can use the respective OS print workflow or engage with a print solution provider. Learn more about Cloud Print migration
     
  • Save to Drive is no longer supported
    Saving to Google Drive is no longer available from the Chrome print dialog on Mac®, Windows®, Linux® devices. Users can instead install the Save to Drive Chrome extension which has been updated to include this feature or print locally to PDF then upload the file to Google Drive through drive.google.com and select New > File upload. You can also set up automatic syncing between local files and Google Drive with Backup and Sync or Drive File Stream. More details on printing from Chrome are available here
     
  • FTP support has been removed
    Chrome 88 has removed support for FTP URLs. The legacy FTP implementation in Chrome no longer supports encrypted connections (FTPS), or proxies. Usage of FTP is very low, and more capable FTP clients are available on all affected platforms.

    More information is available here.

Chrome OS updates

  • WebAuthn using Fingerprint & PIN
    Tired of typing long passwords? Chrome OS now lets you sign in to supported websites without having to type your passwords for that website, if you have set up a PIN or fingerprint on your Chromebook. This feature, called Web Authentication, makes use of established protocols to make authentication into website simpler and more secure. Your Chromebook PIN/fingerprint are never shared with the websites requesting verification from your Chromebook and you don't have to worry about malicious attackers phishing for your passwords to websites.  If your organization has U2F enabled, the Webauthn feature will not work; U2F will be supported in a future release.
     
  • Autocorrect UI improvements
    For users with autocorrect enabled, we have improved the user interface with visual indications that autocorrects have happened, as well as new ways to undo them.
     
  • Magnifier Focus Following and Keyboard Support
    Chrome OS Magnifier can now be panned using the keyboard. Use Ctrl + Alt and the arrow key to pan the viewport.



     
  • Text app Screen Reader mode
    Text app now has a screen reader mode to support Chromevox users.
     
  • Improved switching between virtual desks
    Switching between virtual desks with the keyboard and touchpad is now faster and more responsive. You can double or triple tap the <Search> + [ or <Search> + ] shortcut to move between multiple desks.
     
  • Reverse Scrolling + Touchpad gesture consistency
    Touchpad gestures are now more consistent with your preference for Reverse Scrolling.
     
  • Chrome OS Camera now saves to a new location
    Photos and videos captured with the Chrome OS Camera app will now get saved to a new Camera folder under My files. Any previously captured photos/videos will remain in your Downloads folder.

Admin console updates

  • API for remote commands
    The Admin SDK Directory API now supports issuing remote commands to devices, including wipe users, remote powerwash, remote reboot (kiosk only), screenshot (kiosk only), and set volume (kiosk only). See the developer documentation for details.
     
  • Filter Chrome devices by version
    The Chrome device list now supports filtering by Chrome version.  Now you can quickly check which devices are up to date or out of date.
     
  • Bookmark Management improvements
    Admin Console has a new and improved bookmarks manager.  Enterprise admins can more easily create, delete, and move around hundreds or even thousands of bookmarks.  Details on the feature are described in the help center article.
     
  • New summary report for Chrome versions
    Admin Console has a new version report that shows the number of managed browsers and devices on each Chrome version.  Details on the feature are described in the help center article.
     
  • Group-based policy for printer management
    Group-based management is now available for printers. From the printers page, select a group, and then configure which printers are available to users in that group.
     
  • Kerberos credential manager
    As an admin, you can now enable Kerberos tickets on Chrome devices to enable single sign-on (SSO) for internal resources that support Kerberos authentication. Internal resources might include websites, file shares, certificates, and so on. Details on the feature are described in the help center article.

Additional policies in the Admin console

Many new policies are available in the Admin console, including:

Policy name Pages Category/Field
AbusiveExperienceInterventionEnforce

User & Browser Settingsand then
Managed Guest Session Settings

Chrome Safe Browsing / Abusive Experience Intervention
AccessibilityImageLabelsEnabled User & Browser Settingsand then
Managed Guest Session Settings
Accessibility / Image descriptions
AdsSettingForIntrusiveAdsSites User & Browser Settingsand then
Managed Guest Session Settings
Chrome Safe Browsing / Sites with intrusive ads
AdvancedProtectionAllowed User & Browser Settings Security / Advanced Protection program
AuthAndroidNegotiateAccountType User & Browser Settings Network / Account type for HTTP Negotiate authentication / Account type
AutoOpenAllowedForURLs User & Browser Settingsand then
Managed Guest Session Settings
Content / Auto open downloaded files / Auto open URLs
AutoOpenFileTypes User & Browser Settingsand then
Managed Guest Session Settings
Content / Auto open downloaded files / Auto open files types
BackForwardCacheEnabled User & Browser Settings Content / Back-forward cache
BrowserNetworkTimeQueriesEnabled User & Browser Settings Other settings / Google time service
CACertificateManagementAllowed User & Browser Settings Security / User management of installed CA certificates
ClientCertificateManagementAllowed User & Browser Settings Security / User management of installed client certificates.
CommandLineFlagSecurity
WarningsEnabled
User & Browser Settings Security / Command-line flags
ContextualSearchEnabled User & Browser Settings User experience / Touch to search
DefaultFileSystemReadGuardSetting User & Browser Settingsand then
Managed Guest Session Settings
Hardware / File system read access
DefaultFileSystemWriteGuardSetting User & Browser Settingsand then
Managed Guest Session Settings
Hardware / File system write access
DefaultSerialGuardSetting User & Browser Settingsand then
Managed Guest Session Settings
Hardware / Serial Port API / Control use of the Serial Port API
DefaultWebUsbGuardSetting User & Browser Settingsand then
Managed Guest Session Settings
Hardware / WebUSB API / Can web sites ask for access to connected USB devices
DeviceAllowRedeemChromeOs
RegistrationOffers
Device Settings Other settings / Redeem offers through Chrome OS registration
DeviceQuirksDownloadEnabled Device Settings Other settings / Hardware profiles
DeviceShowLowDiskSpaceNotification Device Settings Other settings / Low disk space notification
DeviceWebBasedAttestation
AllowedUrls
Device Settings Sign-in settings / Single sign-on verified access / Allowed IdP redirect URLs
DNSInterceptionChecksEnabled User & Browser Settingsand then
Managed Guest Session Settings
Network / DNS interception checks enabled
ExtensionCacheSize Device Settings Other settings / Apps and extensions cache size / Cache size in bytes
ExternalProtocolDialogShow
AlwaysOpenCheckbox
User & Browser Settings Content / Show "Always open" checkbox in external protocol dialog
FileSystemReadAskForUrls User & Browser Settingsand then
Managed Guest Session Settings
Hardware / File system read access / Allow file system read access on these sites
FileSystemReadBlockedForUrls User & Browser Settingsand then
Managed Guest Session Settings
Hardware / File system read access / Block read access on these sites
FileSystemWriteAskForUrls User & Browser Settingsand then
Managed Guest Session Settings
Hardware / File system write access / Allow write access to files and directories on these sites
FileSystemWriteBlockedForUrls User & Browser Settingsand then
Managed Guest Session Settings
Hardware / File system write access / Block write access to files and directories on these sites
GloballyScopeHTTPAuthCacheEnabled User & Browser Settingsand then
Managed Guest Session Settings
Network / Globally scoped HTTP authentication cache
GSSAPILibraryName User & Browser Settings Network / GSSAPI library name / Library name or full path
HSTSPolicyBypassList User & Browser Settingsand then
Managed Guest Session Settings
Network / HSTS policy bypass list / List of hostnames that will bypass the HSTS policy check
InsecureFormsWarningsEnabled User & Browser Settingsand then
Managed Guest Session Settings
Content / Insecure forms
KerberosAccounts User & Browser Settings Kerberos / Kerberos tickets
KerberosEnabled User & Browser Settings Kerberos / Kerberos tickets
LookalikeWarningAllowlistDomains User & Browser Settingsand then
Managed Guest Session Settings
Chrome Safe Browsing / Suppress lookalike domain warnings on domains / Allowlisted Domains
MaxConnectionsPerProxy User & Browser Settings Network / Max connections per proxy / Maximum number of concurrent connections to the proxy server
MaxInvalidationFetchDelay User & Browser Settingsand then
Managed Guest Session Settings
Other settings / Policy fetch delay / Maximum fetch delay after a policy invalidation
NativeMessagingAllowlist User & Browser Settings User experience / Native Messaging allowed hosts / Native Messaging hosts not subject to the blocklist
NativeMessagingBlocklist User & Browser Settings User experience / Native Messaging blocked hosts / Prohibited Native Messaging hosts
NativeMessagingUserLevelHosts User & Browser Settings User experience / Native Messaging user-level hosts
NtlmV2Enabled User & Browser Settings Network / NTLMv2 authentication
OverrideSecurityRestrictions
OnInsecureOrigin
User & Browser Settingsand then
Managed Guest Session Settings
Security / Override insecure origin restrictions / Origin or hostname patterns to ignore insecure origins security restrictions
PaymentMethodQueryEnabled User & Browser Settingsand then
Managed Guest Session Settings
User experience / Payment methods
PrinterTypeDenyList User & Browser Settingsand then
Managed Guest Session Settings
Printing / Blocked printer types
PrintRasterizationMode User & Browser Settings Printing / Print rasterization mode
RequireOnlineRevocationChecks
ForLocalAnchors
User & Browser Settingsand then
Managed Guest Session Settings
Network / Require online OCSP/CRL checks for local trust anchors

SafeBrowsingForTrusted
SourcesEnabled

User & Browser Settings Chrome Safe Browsing / Safe Browsing for trusted sources
ShowAppsShortcutInBookmarkBar User & Browser Settings User experience / Apps shortcut in the bookmark bar
SignedHTTPExchangeEnabled User & Browser Settingsand then
Managed Guest Session Settings
Network / Signed HTTP Exchange (SXG) support
SpellcheckEnabled User & Browser Settingsand then
Managed Guest Session Settings
User experience / Spell check
SuppressUnsupportedOSWarning User & Browser Settingsand then
Managed Guest Session Settings
Security / Unsupported system warning
UserFeedbackAllowed User & Browser Settingsand then
Managed Guest Session Settings
User experience / Allow user feedback
WebRtcLocalIpsAllowedUrls User & Browser Settings Network / WebRTC ICE candidate URLs for local IPs / URLs for which local IPs are exposed in WebRTC ICE candidates.
WebUsbAskForUrls User & Browser Settingsand then
Managed Guest Session Settings
Hardware / WebUSB API / Allow these sites to ask for USB access
WebUsbBlockedForUrls User & Browser Settingsand then
Managed Guest Session Settings
Hardware / WebUSB API / Block these sites from asking for USB access
WPADQuickCheckEnabled User & Browser Settingsand then
Managed Guest Session Settings
Network / WPAD optimization


New and updated policies (Chrome Browser and Chrome OS)

Policy Description
BasicAuthOverHttpEnabled Non-secure HTTP connections are not permitted to use Basic authentication; HTTPS is required
NTPCardsVisible Show cards on the New Tab Page

ProfilePickerOnStartupAvailability
Browser only

Specifies whether the profile picker is enabled, disabled or forced at the browser startup

SigninInterceptionEnabled
Browser only

This settings enables or disables sign in interception
TargetBlankImpliesNoOpener Do not set window.opener for links targeting _blank


Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.


Upcoming Chrome Browser changes

  • Facilitated version pinning for self-hosted extensions & apps in Chrome 89

    To increase the stability in high-reliability environments, Chrome 89 facilitates the pinning of extensions and apps to a specific version. Administrators will be able to self-host the extension or app of their choice, and instruct Chrome to use the update URL from the extension forcelist instead of the extension manifest. This will be via a new boolean parameter in ExtensionSettings policy. As a result, extensions & apps will not be updated via the updateURL that was originally configured in their manifest, and will stay on one specific version.

  • Users will be able to search open tabs in Chrome 89
    Users will be able to search for open tabs across windows, as shown in this screenshot:

 

  • Chrome 89 will introduce privacy-preserving APIs to replace some of the functionality of third-party cookies
    An interest-based targeting API will be introduced as an origin trial. This API allows working with cohorts—groups of users with similar interests. Users cannot be individually identified.

    An event-level conversion API will continue in origin-trial stage for Chrome 89 This API enables the correlation of an ad click on a website with a subsequent conversion on an advertiser site, such as a sale, a sign-up, and so on. Users cannot be individually identified.

    See the chromium privacy sandbox page for details on these APIs and the privacy sandbox.
     
  • Some permission requests will be less intrusive in Chrome 89
    Permission requests that the user is unlikely to allow will be automatically blocked. A less intrusive UI will allow the user to manage permissions for each site.

 

  • Chrome 89 will require SSE3 for Chrome on x86
    Chrome 89 and above will require x86 processors with SSE3 support. This change does not impact devices with non-x86 (ARM) processors. Chrome will not install and run on x86 processors that do not support SSE3. SSE3 was introduced on Intel CPUs in 2003, and on AMD CPUs in 2005.
     
  • Chrome 89 will prefer https to http when not specified in the address bar
    When a user types an address into the address bar without specifying the protocol, Chrome will attempt to navigate using https first, then fallback to http if https is not available. For example, if the user navigates to google.com, Chrome will first attempt to navigate to https://google.com, then fallback to http://google.com if required.

    This change is planned for Windows, Mac, Linux, and Android in Chrome 89, and in Chrome 90 for iOS.
     
  • Chrome 89 will introduce the Serial API
    The Serial API provides a way for websites to read and write from a serial device through script. You can read an explainer on the Serial API here.

    You will be able to control access to the Serial API using the DefaultSerialGuardSetting policy. You can also use the SerialAskForUrls and SerialBlockedForUrls policies to control serial device access on a site-by-site basis.
  • Insecure public pages will no longer allowed to make requests to private or local URLs in Chrome 91
    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
     
  • Chrome will maintain its own default root store as early as Chrome 92
    In order to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own certificate authority, you should not have to manage multiple root stores. We do not anticipate any changes to be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
     
  • The address bar might show the domain rather than the full URL as early as Chrome 90
    To protect your users from some common phishing strategies, Chrome will test showing only the domain in the address bar for some users. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://example.com/secure-google-sign-in/ will appear only as example.com to the user.

    Although this change is designed to keep your users’ credentials safe, you can revert to the old behavior through the ShowFullUrlsInAddressBar policy.

    This change has been enabled for some users, with a potential full rollout in a later release.
     
  • The SSLVersionMin policy will not allow TLS 1.0 or TLS 1.1 in Chrome 91
    The SSLVersionMin enterprise policy allows you to bypass Chrome's interstitial warnings for legacy versions of TLS. This will be possible until Chrome 91 (May 2021), then the policy will no longer allow TLS 1.0 or TLS 1.1 to be set as the minimum.

    We previously communicated that this would happen as early as January 2021, but the deadline has since been extended.
     
  • SyncXHR policy will no longer be supported on Chrome 93
    The AllowSyncXHRInPageDismissal enterprise policy will be removed in Chrome 93. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.
 

Additional resources

Still need help?

Was this helpful?
How can we improve it?
Telusuri
Hapus penelusuran
Tutup penelusuran
Aplikasi Google
Menu utama
Search Help Center
true
410864
false