Planerar du en strategi för återgång till kontorsarbete? Se hur Chrome OS kan vara till hjälp.

Sidan du har begärt finns tyvärr inte på ditt språk för närvarande. Du kan välja ett annat språk längst ned på sidan eller översätta vilken webbsida du vill till valfritt språk direkt med hjälp av den inbyggda översättningsfunktionen i Google Chrome.

Chrome Enterprise release notes

Last updated on: October 19, 2021

For administrators who manage Chrome browser or Chrome OS devices for a business or school.

These Chrome 95 release notes contain Chrome Browser updates only. To bridge the gap between Chrome 94 and Chrome 96, Chrome OS will skip Chrome 95 and will include all relevant security fixes on the Chrome 94 milestone.

We are in the process of improving the release notes and we would love to hear your feedback. Please fill out this survey to let us know what you think.

Chrome 95

Chrome browser updates Security User productivity/ Apps Management
Stricter parsing rules for Legacy Browser Support    
Origin Trial for reduced User-Agent strings    
Chrome deprecates WebAssembly cross-origin module sharing     
Explicit user prompts for Autofill addresses  
New Side Panel feature    
New and updated policies in Chrome browser    
Admin console updates Security User productivity/ Apps Management
New policies in the Admin console    
Upcoming Chrome browser updates Security User productivity/ Apps Management
Chrome on Android will no longer support Android Lollipop    
Apps shortcut in the bookmarks bar will default to off    
Network data will be migrated to a new folder on Windows    
Network service on Windows will be sandboxed    
New security events for BeyondCorp Enterprise Threat and Data Protection   
NewTabPageLocation enterprise policy on Incognito    
Feature flag to force the Chrome major version number to 100    
DNS-based HTTP to HTTPS redirect     
Chrome will begin deprecating the U2F Security Key API  
CORS Authorization mishandling    
Chrome will maintain its own default root store  
Chrome will remove legacy policies with non-inclusive names    
Chrome will no longer allow TLS 1.0 or TLS 1.1  
Different-origin iframes will no longer trigger JavaScript dialogs  
Upcoming Admin console updates Security User productivity/ Apps Management
Browser list data downloadable in CSV format    

 

DOWNLOAD Release notes (PDF)

↑ back to top

 

Chrome browser updates

   

 

  • Stricter parsing rules for Legacy Browser Support   back to top

    Organizations that rely on Legacy Browser Support (LBS) to redirect their users to Microsoft Edge or Internet Explorer can use the BrowserSwitcherParsingMode policy to choose how their site list is interpreted by Chrome. If set to IESiteListMode, Chrome interprets those rules in the same way as Edge and Internet Explorer. 

   

 

  • Origin Trial for reduced User-Agent strings   back to top

    Chrome 95 begins an Origin Trial for the fully reduced User-Agent string.  We would like sites to begin participating in the trial so we may collect feedback and allow sites to have ample time to address breakage. The reduced User-Agent string appears in both the User-Agent HTTP request header and the JavaScript APIs that access the User-Agent string (navigator.userAgent, navigator.appVersion, navigator.platform).  This Origin Trial will run over the next six releases, until the reduced User-Agent starts a phased rollout. Subsequently, for sites that may need more time for migration, a deprecation Origin Trial will be available. Enterprises can opt in to the Origin Trial here when it is available. 

   

 

  • Chrome deprecates WebAssembly cross-origin module sharing  back to top

    Chrome 95 prevents WebAssembly module sharing between cross-origin but same-site environments. This allows agent clusters to be tied to origins in the long-term. This change conforms to recent changes in the WebAssembly spec (Chrome Status).

    If your enterprise needs any additional time to adjust to this change, a temporary enterprise policy CrossOriginWebAssemblyModuleSharingEnabled is available to allow module sharing for cross-origin same-site environments. This policy will be removed in Chrome 97. 

   

 

  • Explicit user prompts for Autofill addresses   back to top

    In previous releases, when Autofill was enabled, Chrome saved detected addresses as users submitted forms. This update provides more transparency and control to the user by adding a save prompt, and giving the user the control to edit, save, update, or discard the detected address before it is stored. When the AutofillAddressEnabled policy is set to false, this feature is not enabled. 

   

 

  • New Side Panel feature   back to top

    Chrome on Windows, Mac, ChromeOS, and Linux, introduces a new side panel feature. This panel, opened by a toolbar icon, provides easier access to the Reading list and Bookmarks, in a vertical list. The side panel can be left open while the user browses. 

↑ back to top

   

 

  • New and updated policies in Chrome browser   back to top
     

    Policy

    Description

    BrowserLegacyExtensionPointsBlocked

    Setting the policy to Enabled or leaving it unset will enable ProcessExtensionPointDisablePolicy to block legacy extension points in the Browser process.

    BrowserSwitcherParsingMode

    This policy controls how Google Chrome interprets sitelist/greylist policies for the Legacy Browser Support feature. It affects the following policies: BrowserSwitcherUrlList, BrowserSwitcherUrlGreylist, BrowserSwitcherUseIeSitelist, BrowserSwitcherExternalSitelistUrl, and BrowserSwitcherExternalGreylistUrl.

    ContextAwareAccessSignalsAllowlist

    Enables Chrome Enterprise Platform Identity Connector for a list of URLs.  
    Setting this policy specifies which URLs should be allowed to be part of the attestation flow to get the set of signals from the machine.

    PrintPdfAsImageDefault

    Controls if Google Chrome makes the Print as image option default to set when printing PDFs.

    PrintPostScriptMode

    Controls how Google Chrome prints on Microsoft Windows.

 

↑ back to top

Admin console updates

   

 

  • New policies in the Admin console   back to top
     

    Policy Name

    Pages

    Supported on

    Category/Field

    SuggestLogoutAfterClosingLastWindow

    Managed Guest Session Settings

    Chrome OS

    Session settings / Display the logout confirmation dialog

    DeviceMinimumVersion

    Device Settings

    Chrome OS

    Device update settings / Auto-update settings / Enforce updates

    DeviceMinimumVersionAueMessage

    Device Settings

    Chrome OS

    Device update settings / Auto-update settings / Enforce updates Auto Update Expiration (AUE) message

    JavaScriptJitAllowedForSites

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Android

    Content / JavaScript JIT / Allow JavaScript to use JIT on these sites

    DefaultJavaScriptJitSetting

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Android

    Content / JavaScript JIT

    JavaScriptJitBlockedForSites

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Android

    Content / JavaScript JIT / Block JavaScript from using JIT on these sites

    RemoteDebuggingALlowed

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Security / Allow remote debugging

    DesktopSharingHubEnabled

    User & Browser Settings

    Chrome

    Content / Desktop sharing in the omnibox and 3-dot menu

 

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

 

Upcoming Chrome browser changes

   

 

  • Chrome on Android will no longer support Android Lollipop   back to top

    The last version of Chrome that will support Android Lollipop will be Chrome 95, and it includes a message to affected users informing them to upgrade their operating system. Chrome 96 will not support nor ship to users running Android Lollipop. 

   

 

  • Apps shortcut in the bookmarks bar will default to off   back to top

    As early as Chrome 96, Chrome will make the Apps shortcut in the bookmark bar default to off. Chrome will also update the current state for all users who have never changed their setting to the new default (off). 

   

 

  • Network data will be migrated to a new folder on Windows   back to top

    In Chrome 96, data that is needed by the network service, including cookies and other data files, will be migrated to a subdirectory underneath the current location called Network. This is to support the upcoming Network Sandbox (see below). This migration will happen automatically and transparently. No action is required, however, you might need to update any scripts that rely on the location of these files. 

   

 

  • Network Service on Windows will be sandboxed   back to top

    To improve the security and reliability of the service, the network service, already running in its own process, will be sandboxed on Windows to improve the security and reliability of the service (as early as Chrome 97). As part of this, third-party code that is currently able to tamper with the network service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. An enterprise policy has been added to allow early testing of the new sandbox, and to disable the sandbox if incompatibilities are discovered. Please consider testing the sandbox in your environment using these instructions and report any issues encountered. 

   

 

  • New security events to BeyondCorp Enterprise Threat and Data Protection   back to top

    Chrome 96 will add two new security events to BeyondCorp Enterprise Threat and Data Protection: Password leak and login. This functionality will allow admins to understand enterprise credential usage, to shadow IT within their organization, and to stay ahead of potential security incidents regarding passwords exposed in data breaches.
 

↑ back to top

   

 

  • NewTabPageLocation enterprise policy on Incognito   back to top

    Chrome 96 will fix a bug that prevents users from starting new Incognito sessions when the enterprise policy NewTabPageLocation is set to a chrome://… URL. In future, this policy will be ignored in Incognito mode. Users on Incognito will see the default new tab page. There’s no change in how the policy is applied on regular mode (non-Incognito windows). 

   

 

  • Feature flag to force the Chrome Major Version number to 100   back to top

    Starting in Chrome 96, users and site owners can experiment with the upcoming three-digit (Chrome 100) major release version number in the User-Agent string by turning on the ForceMajorVersion100InUserAgent flag. This forces the browser to send 100 as the major version number.  When Chrome went from version 9 to 10, the increase in the number of digits in the major version number uncovered many issues in User-Agent string parsing libraries.  With this feature flag, we can uncover and address these issues before Chrome 100 rolls out.  We encourage admins to submit any issues encountered here

   

 

  • DNS-based HTTP to HTTPS redirect   back to top

    As early as Chrome 96, Chrome will query DNS for HTTPS records (alongside traditional A and AAAA queries). When a website has deployed an HTTPS DNS record and Chrome receives it, Chrome will always connect to the website via HTTPS (Chrome Status). 

   

 

  • Chrome will begin deprecating the U2F security key API   back to top

    The U2F API is Chrome's legacy API for interacting with USB security keys. It has been superseded by the W3C Web Authentication API (WebAuthn).  Beginning with Chrome 96, when sites make U2F API requests, users may see a prompt that includes a notice about the U2F API’s deprecation. In Chrome 98, Chrome will disable the U2F API by default. With Chrome 104, the U2F API will be removed from Chrome.

    Sites can continue to use the U2F API beyond Chrome 98 if they enroll in an Origin Trial. Using the Origin Trial also suppresses the deprecation prompt on the enrolled pages. The Origin Trial will end on July 26, 2022, shortly before the release of Chrome 104.

    Enterprises can suppress deprecation related changes, and keep the U2F enabled, by using the U2fSecurityKeyApiEnabled enterprise policy. This enterprise policy will be removed from Chrome, together with the U2F API, in Chrome 104.

    If you run a website that still uses this API, please refer to the deprecation announcement for more details. 

   

 

  • CORS Authorization mishandling   back to top

    When scripts make a cross-origin network request via fetch() and XMLHttpRequest with an Authorization header, the header should be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response (Chrome Status). The wildcard symbol (*) in the Access-Control-Allow-Headers should not work. This has not been implemented correctly, and the wildcard symbol has taken effect. This will be fixed in Chrome 97.

    Note that Authorization headers attached by Chrome during the authentication process are out of scope for this change. 

↑ back to top

   

 

  • Chrome will maintain its own default root store   back to top

    To improve user security, and provide a consistent experience across different platforms, Chrome, as early as Chrome 97, intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.

   

 

  • Chrome will remove legacy policies with non-inclusive names   back to top

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names. To minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.

    Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy. Deprecated policies will be available in the Deprecated policies folder and deleted policies will be in the Removed policies folder in the GPO editor.

    This transition period will end in Chrome 97, and the following policies in the left column will no longer function. This change was originally announced for Chrome 95, but has been extended to Chrome 97. Please ensure you're using the corresponding policy from the right column instead:
     

    Legacy Policy Name

    New Policy Name

    NativeMessagingBlacklist

    NativeMessagingBlocklist

    NativeMessagingWhitelist

    NativeMessagingAllowlist

    AuthNegotiateDelegateWhitelist

    AuthNegotiateDelegateAllowlist

    AuthServerWhitelist

    AuthServerAllowlist

    SpellcheckLanguageBlacklist

    SpellcheckLanguageBlocklist

    AutoplayWhitelist

    AutoplayAllowlist

    SafeBrowsingWhitelistDomains

    SafeBrowsingAllowlistDomains

    ExternalPrintServersWhitelist

    ExternalPrintServersAllowlist

    NoteTakingAppsLockScreenWhitelist

    NoteTakingAppsLockScreenAllowlist

    PerAppTimeLimitsWhitelist

    PerAppTimeLimitsAllowlist

    URLWhitelist

    URLAllowlist

    URLBlacklist

    URLBlocklist

    ExtensionInstallWhitelist

    ExtensionInstallAllowlist

    ExtensionInstallBlacklist

    ExtensionInstallBlocklist

    UserNativePrintersAllowed

    UserPrintersAllowed

    DeviceNativePrintersBlacklist

    DevicePrintersBlocklist

    DeviceNativePrintersWhitelist

    DevicePrintersAllowlist

    DeviceNativePrintersAccessMode

    DevicePrintersAccessMode

    DeviceNativePrinters

    DevicePrinters

    NativePrinters

    Printers

    NativePrintersBulkConfiguration

    PrintersBulkConfiguration

    NativePrintersBulkAccessMode

    PrintersBulkAccessMode

    NativePrintersBulkBlacklist

    PrintersBulkBlocklist

    NativePrintersBulkWhitelist

    PrintersBulkAllowlist

    UsbDetachableWhitelist

    UsbDetachableAllowlist

    QuickUnlockModeWhitelist

    QuickUnlockModeAllowlist

    AttestationExtensionWhitelist

    AttestationExtensionAllowlist

    PrintingAPIExtensionsWhitelist

    PrintingAPIExtensionsAllowlist

    AllowNativeNotifications

    AllowSystemNotifications

    DeviceUserWhitelist

    DeviceUserAllowlist

    NativeWindowOcclusionEnabled

    WindowOcclusionEnabled

     

    If you're managing Chrome via the Admin console (for example, Chrome Browser Cloud Management), no action is required; the Admin console will manage the transition automatically.

 

↑ back to top

   

 

  • Chrome will no longer allow TLS 1.0 or TLS 1.1   back to top

    The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.

    In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. As early as Chrome 98, it will no longer be possible to bypass the interstitial. 

   

 

  • Different-origin iframes will no longer trigger JavaScript dialogs   back to top

    Chrome will prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change will prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself. Please note that this change was originally planned for Chrome 92, but has been postponed until at least Chrome 98 due to the feedback we received on this change. Once this deprecation launches, you can control the behavior with the enterprise policy SuppressDifferentOriginSubframeDialogs.

    You can test if this future change will affect applications now by setting the enable_features=SuppressDifferentOriginSubframeJSDialogs flag. 

 

Upcoming Admin console changes

   

 

  • Browser list data downloadable in CSV format   back to top

    As early as Chrome 97, a CSV format will be introduced as an option to download the browser list data from the Admin console. 

↑ back to top

Previous release notes 

 

 

Open all   |   Close all Chrome 94 OS

Chrome OS updates

 
  • Enhanced voices in select-to-speak

    Select-to-speak supports people who have challenges reading text content due to vision impairments and conditions like dyslexia, by allowing them to select pieces of text and hear them out loud. This enhancement gives select-to-speak the ability to produce realistic, natural-sounding voices as it speaks the text content.

     
  • Include desk labels when moving tabs

    If you use desks on Chrome OS, it's now easier to organize your browser tabs. Windows in the same desk appear together when you select Move tab to another window.

     
  • Document scanning in the camera app

    The camera app now supports document scanning. With document scanning, the camera can identify, capture, and crop your documents. You can also save your documents as a PDF or image.

     

Admin console updates

 
  • Extensions version pinning

    Chrome browser and Chrome OS admins can now pin extensions (and apps) to specific versions, either by self-hosting them or from the Chrome Webstore (based on an automatic hosting in Google Cloud Storage).  Learn more

     
  • Read-only delegated admin

    A new read-only delegated admin permission allows IT admins to grant read-only access to Chrome OS device info in their Google Admin console and in the Directory API.  Read-only access is useful for help desk admins, 3P partners, for reporting tools, and more!

     
  • Search by on-device policy name

    IT admins can now search by on-device policy name to the Admin console. For example, if an admin searches for ProxyPacUrl, they’ll see the corresponding setting, Proxy mode, in the Admin console. Admins can also use new info bubbles that appear next to a setting name to see the corresponding on-device policy name.

     
  • New policies in the Admin console
     

    Policy Name

    Pages

    Supported on

    Category/Field

    SuggestLogoutAfterClosingLastWindow

    Managed Guest Session Settings

    Chrome OS

    Session settings / Display the logout confirmation dialog

    DeviceMinimumVersion

    Device Settings

    Chrome OS

    Device update settings / Auto-update settings / Enforce updates

    DeviceMinimumVersionAueMessage

    Device Settings

    Chrome OS

    Device update settings / Auto-update settings / Enforce updates Auto Update Expiration (AUE) message

    JavaScriptJitAllowedForSites

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Android

    Content / JavaScript JIT / Allow Javascript to use JIT on these sites

    DefaultJavaScriptJitSetting

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Android

    Content / JavaScript JIT

    JavaScriptJitBlockedForSites

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Android

    Content / JavaScript JIT / Block JavaScript from using JIT on these sites

    TripleDESEnabled

    User & Browser Settings

    Chrome

    Chrome OS

    Android

    Security / 3DES cipher suites in TLS

    RemoteDebuggingAllowed

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Security / Allow remote debugging

    DesktopSharingHubEnabled

    User & Browser Settings

    Chrome

    Content / Desktop sharing in the omnibox and 3-dot menu


     
Chrome 94

Chrome browser updates

 
  • Chrome moves to a 4-week stable channel and introduces an 8-week extended stable channel 

    Chrome on mobile, Windows, Mac, and Linux moves from its 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly. 

    No action is required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you can use the existing TargetChannel policy to switch Chrome on Mac and Windows to an extended stable channel, with a new major release every 8 weeks instead. You can find more details in our help center article. Note: If you decide to move to the extended stable channel, we recommend testing it out on a small set of machines or organizational units before deploying it on your entire fleet. Extended Stable is identical to Stable for the first 4 weeks of each cycle, so this sort of testing is most valuable in the last 4 weeks of the Extended Stable cycle.

    To ensure continuous improvements to the Chrome OS platform, Chrome OS will move to a 4-week stable channel starting with Chrome 96. To bridge the gap between Chrome 94 and Chrome 96, Chrome OS will skip Chrome 95 (see the updated Chrome schedule page for milestone-specific details). 

     
  • Chrome on iOS can apply .mobileconfig files

    A .mobileconfig file can be used to configure an iPhone, iPod touch, and iPad to work with certain enterprise systems. Since iOS 12.2, MOBILECONFIG files can be downloaded and installed from Safari and Mail apps. Chrome on iOS now allows users to download these files. Users then have to manually install the profile from the Settings app.
     
  • Chrome deprecates WebSQL in third-party contexts

    Chrome 94 no longer uses WebSQL in third-party contexts, such as cross-origin iframes. A console message is printed each time a WebSQL database opens in a third-party context to alert developers of the upcoming removal. This change does not affect WebSQL in first-party contexts, but the eventual goal is to deprecate and remove all WebSQL.

    WebSQL in third-party contexts will be disabled in Chrome 97, but an enterprise policy will be made available to re-enable it. As of Chrome 101, WebSQL in third-party contexts will be removed entirely.

     
  • Chrome launches HTTPS-First mode (Android and desktop)

    HTTPS-First mode attempts to upgrade all page loads to HTTPS and displays a full-page warning before loading sites that don’t support it. Users who enable this mode gain confidence that Chrome is connecting them to sites over HTTPS whenever possible. Users see a warning before connecting to sites over HTTP.

    An enterprise policy, HttpsOnlyMode, is available to control the use of this mode.

     
  • Chrome blocks the MK external protocol

    Chrome now blocks the legacy external MK protocol for use with Internet Explorer. This protocol enables legacy web apps to extract information from compressed files. This is a legacy asynchronous pluggable protocol that is disabled by default in Internet Explorer. Chrome now blocks this protocol to mitigate potential malicious use.

     
  • Chrome / Citrix Workspace (self-service plugin) stability

    Recent versions of Citrix Workspace install a DLL on Windows that can interfere with the Chrome browser process. Only Windows 10 or 11 systems with Control-flow Enforcement Technology (CET) or Hardware-enforced Stack Protection (Intel 11th Gen and AMD Zen 3 CPUs) with Citrix Workspace installed and Client Protection enabled are affected. While we are working with Citrix to resolve this, please consider using Citrix Workspace with Client Protection Disabled as a temporary workaround.

     
  • PWAs can register as (platform level) URL handlers

    Chrome 94 runs an Origin Trial to allow Progressive Web Apps (PWAs) to register as URL handlers. This means that PWAs can be launched in response to URL link activations, including activations from native apps. PWAs can register to handle any HTTPS URL, not just URLs from their own app scope. If you’re interested in learning more about PWAs as URL handlers, please refer to this article.

     
  • Chrome sync ends support for Chrome 48 and earlier

    Chrome sync no longer supports Chrome 48 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome sync.

     
  • Chrome launches a sharing hub

    In Chrome 94, users can more easily share their current page, including Send to your devices, get a QR code for the current URL, and share to third-party websites. The option to Send to your devices is only available to signed-in users. If the user is not signed in, the option does not appear. You can control this feature using an enterprise policy called DesktopSharingHubEnabled.

     
  • Admins can enforce profile separation through enterprise policy

    Chrome 94 updates the dialog when users sign into a managed profile if the ManagedAccountsSigninRestriction policy is set. The new notice clarifies that a separate profile is required by the admin, and the choices for the user are simplified. Some users see a link to open Chrome in guest mode when they sign in to a new profile that's different from the profile signed in to Chrome.

     
  • New enterprise policies for the Web Serial API

    The Web Serial API allows websites to request access to serial devices (USB, Bluetooth, etc.) through a device selection prompt. In previous Chrome versions, policies could only control how the feature was blocked. In Chrome 94, SerialAllowAllPortsForUrls and SerialAllowUsbDevicesForUrls allow admins to grant a website access to specific (or all) connected serial devices, streamlining workflows by removing the need for users to select the correct device.

     
  • Chrome settings restructure

    To aid in navigability, Chrome will replace the single long page in Chrome settings with individual sections. The updated experience is available starting with Chrome 94.

     
  • Chrome updates Certificate Transparency log list via Component Updater

    Chrome 94 uses Component Updater to dynamically update the Certificate Transparency log list, separating these updates from full browser updates. This allows out-of-date clients to keep enforcing Certificate Transparency. Note that full browser updates still contain the transparency log list.

     
  • Chrome introduces tab grid bulk actions 

    Chrome for iOS adds an edit mode to the tab grid to allow easier management of open tabs. Users can select multiple tabs and then add them to the reading list, bookmarked, shared, or closed.

     
  • New onboarding experience for Chrome on iOS 

    Chrome 94 revamps the existing onboarding screens, separating the sign-up and sync features.

     
  • Chrome removes the UserAgentClientHintsEnabled policy 

    The use of Structured Headers in the User Agent Client Hints, and in particular, the Sec-CH-UA and Sec-CH-UA-Mobile headers, caused some unintended consequences where not all servers were able to accept all characters. An enterprise policy UserAgentClientHintsEnabled was created to disable this feature. Chrome 94 removes this policy.

     
  • Chrome launches an API that allows sites to know when the user is active

    Chrome 94 launches the Idle Detection API, allowing websites to request to know if users are idle, allowing messaging apps to direct notifications to the best device. This was previously in Origin Trial and is now rolled out to Stable.

     
  • Chrome launches display-capture

    The display-capture permissions-policy allows sites to more safely embed documents in an iframe. It does so by controlling such documents’ access to screen-capture APIs. This permissions-policy’s default setting prevents screen-capture by cross-origin iframes. For websites that are non-compliant with the spec and need more time to implement the display-capture feature, an enterprise policy, named DisplayCapturePermissionsPolicyEnabled, allows selective bypassing of the display-capture permissions-policy. This enterprise policy will be removed after Chrome 100.

     
  • BeyondCorp Enterprise: custom warnings and bypass justifications

    Today BeyondCorp Enterprise shows generic, predefined warn and block messages when files are flagged due to DLP Rule violations or other Chrome Security events. Chrome 94 introduces the ability to provide more meaningful, customized warning messages to end users. Administrators can now customize these warning messages to make it meaningful, and also add a learn more link to such warnings.

     
  • Chrome launches What's New in Chrome

    What’s New in Chrome is a way for users to discover new features. Starting in Chrome 94, some users see a page that highlights a few features. What’s New in Chrome automatically displays as the focused tab. You can disable this feature by using the existing PromotionalTabsEnabled enterprise policy.

     

New and updated policies in Chrome browser

 
Policy Description

CrossOriginWebAssemblyModuleSharingEnabled

Specifies whether WebAssembly modules can be sent to another window or worker cross-origin. Cross-origin WebAssembly module sharing will be deprecated as part of the efforts to deprecate document.domain, see https://github.com/mikewest/deprecating-document-domain. This policy allows admins to re-enable cross-origin WebAssembly module sharing to offer a longer transition period in the deprecation process.

DisplayCapturePermissionsPolicyEnabled

The display-capture permissions-policy gates access to getDisplayMedia(), as per this spec: https://www.w3.org/TR/screen-capture/#feature-policy-integration. However, if this policy is Disabled, this requirement is not enforced, and getDisplayMedia() is allowed from contexts that would otherwise be forbidden. This Enterprise policy is temporary; it's intended to be removed after Google Chrome version 100. It is intended to unblock Enterprise users whose application is non-spec compliant, but needs time to be fixed.

HttpsOnlyMode

Controls whether users can enable HTTPS-Only Mode in Settings. HTTPS-Only Mode upgrades all navigations to HTTPS.

LensRegionSearchEnabled

Leaving this policy unset or setting it to Enabled allows users to view and use the Google Lens region search menu item in the context menu.

ManagedAccountsSigninRestriction

Controls whether a managed account must be a primary account.

PrintPdfAsImageAvailability

Controls how Google Chrome makes the Print as image option available on Microsoft Windows and macOS when printing PDFs.

PrintRasterizePdfDpi

Controls print image resolution when Google Chrome prints PDFs with rasterization.

SameOriginTabCaptureAllowedByOrigins

Lets you set a list of URL patterns that can capture tabs with their same Origin.

ScreenCaptureAllowedByOrigins

Lets you set a list of URL patterns that can use Desktop, Window, and Tab Capture.

SerialAllowAllPortsForUrls

Allows you to list sites which are automatically granted permission to access all available serial ports.

SerialAllowUsbDevicesForUrls

Allows you to list sites which are automatically granted permission to access USB serial devices with vendor and product IDs matching the vendor_id and product_id fields. Omitting the product_id field allows the given sites permission to access devices with a vendor ID matching the vendor_id field and any product ID.

TabCaptureAllowedByOrigins

Lets you set a list of URL patterns that can use Tab Capture.

WindowCaptureAllowedByOrigins

Lets you set a list of URL patterns that can use Window and Tab Capture.

Admin console updates

 
  • Search by on-device policy name in the Admin console

    Chrome 94 adds the ability to search by on-device policy name to the Admin console. Now when admins enter an on-device policy name, for example, ProxyPacUrl, into the search bar, they’ll see the corresponding setting, for example, Proxy mode, in the Admin console. Admins can also use new info bubbles that appear next to a setting name to see the corresponding on-device policy name.

     
On-device policy search
  • New channel option Extended Stable for Chrome Browser Cloud Management

    Chrome adds Extended Stable as a drop-down option for channel selection in the Chrome update section.

     

New policies in the Admin console

Policy Name Pages Supported on Category/Field

DesktopSharingHubEnabled

User & Browser Settings

Chrome Win/Mac/Linux

Content/Desktop sharing in the omnibox and 3-dot menu

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

 
  • Chrome 95 will introduce stricter parsing rules for Legacy Browser Support

    Organizations that rely on Legacy Browser Support (LBS) to redirect their users to Microsoft Edge or Internet Explorer can use the BrowserSwitcherParsingMode policy to choose how their site list is interpreted by Chrome. If set to strict mode, Chrome will interpret those rules in the same way as Edge and Internet Explorer.

     
  • As early as Chrome 95, the network Service on Windows will be sandboxed

    To improve the security and reliability of the service, the network service, already running in its own process, will be sandboxed on Windows to improve the security and reliability of the service. As part of this, third-party code that is currently able to tamper with the network service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. You'll be able to disable the change with an enterprise policy when it becomes available.

     
  • Chrome 95 will conduct an Origin Trial for User-Agent Reduction

    Chrome 95 will be conducting an Origin Trial for the fully reduced User-Agent string.  We would like sites to begin participating in the trial so we may collect feedback and allow sites to have ample time to address breakage. The reduced User-Agent string will appear in both the User-Agent HTTP request header as well as the JavaScript APIs that access the User-Agent string (navigator.userAgent, navigator.appVersion, navigator.platform).  The Origin Trial will last six milestones until the reduced User-Agent string becomes the default in Chrome, with a deprecation Origin Trial to continue receiving the full User-Agent string for those sites that still need more time to migrate. Enterprises can opt in to the Origin Trial here when it is available.

     
  • Chrome 95 will deprecate WebAssembly cross-origin module sharing

    Chrome 95 will prevent WebAssembly module sharing between cross-origin but same-site environments. This will allow agent clusters to be tied to origins in the long-term. This change conforms to recent changes in the WebAssembly spec.

    If your enterprise needs any additional time to adjust to this change, a temporary enterprise policy will be made available to allow module sharing for cross-origin same-site environments.

     
  • As early as Chrome 95, Apps shortcut in the bookmarks bar will default to off

    Chrome will make the Apps shortcut in the bookmark bar default to off and update the current state for all users who have never changed their setting to the new default (off).

     
  • Chrome 96 will add new security events to BeyondCorp Enterprise Threat and Data Protection (Password leak and login)

    Chrome 96 will add two new security events to BeyondCorp Enterprise Threat and Data Protection: Password leak and login. This functionality will allow administrators to understand enterprise credential usage and Shadow IT within their organization, and to stay ahead of potential security incidents regarding passwords exposed in data breaches.

     
  • Migrate to Open Screen Library Cast channel

    Chrome 96 will use a new implementation, Open Screen Library, to connect to devices that support Cast like Chromecast, Nest Hub and Android TV.  Chrome users will not observe any differences in how Cast works.

     
  • NewTabPageLocation enterprise policy on Incognito

    Chrome 96 will fix a bug that prevents users from starting new Incognito sessions when the enterprise policy NewTabPageLocation is set to a chrome://… URL. In future, this policy will be ignored in Incognito mode. Users on Incognito will see the default new tab page. There’s no change in how the policy is applied on regular mode (non-Incognito windows).

     
  • As early as Chrome 97, Chrome will no longer allow TLS 1.0 or TLS 1.1

    The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.

    In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. As early as Chrome 97, it will no longer be possible to bypass the interstitial.

     
  • CORS Authorization mishandling

    When scripts make a cross-origin network request via fetch() and XMLHttpRequest with an Authorization header, the header should be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response. The wildcard symbol (*) in the Access-Control-Allow-Headers should not work. This has not been implemented correctly, and the wildcard symbol has taken effect. This will be fixed in Chrome 97.

    Please note that Authorization headers attached by Chrome during the authentication process are out of scope for this change.

     
  • As early as Chrome 97, Chrome will maintain its own default root store

    To improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.

     
  • Chrome 97 will remove legacy policies with non-inclusive names

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names. To minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.

    Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy.

    This transition period will end in Chrome 97, and the following policies in the left column will no longer function. This change was originally announced for Chrome 95, but has been extended to Chrome 97. Please ensure you're using the corresponding policy from the right column instead:
     
    Legacy Policy Name New Policy Name

    NativeMessagingBlacklist

    NativeMessagingBlocklist

    NativeMessagingWhitelist

    NativeMessagingAllowlist

    AuthNegotiateDelegateWhitelist

    AuthNegotiateDelegateAllowlist

    AuthServerWhitelist

    AuthServerAllowlist

    SpellcheckLanguageBlacklist

    SpellcheckLanguageBlocklist

    AutoplayWhitelist

    AutoplayAllowlist

    SafeBrowsingWhitelistDomains

    SafeBrowsingAllowlistDomains

    ExternalPrintServersWhitelist

    ExternalPrintServersAllowlist

    NoteTakingAppsLockScreenWhitelist

    NoteTakingAppsLockScreenAllowlist

    PerAppTimeLimitsWhitelist

    PerAppTimeLimitsAllowlist

    URLWhitelist

    URLAllowlist

    URLBlacklist

    URLBlocklist

    ExtensionInstallWhitelist

    ExtensionInstallAllowlist

    ExtensionInstallBlacklist

    ExtensionInstallBlocklist

    UserNativePrintersAllowed

    UserPrintersAllowed

    DeviceNativePrintersBlacklist

    DevicePrintersBlocklist

    DeviceNativePrintersWhitelist

    DevicePrintersAllowlist

    DeviceNativePrintersAccessMode

    DevicePrintersAccessMode

    DeviceNativePrinters

    DevicePrinters

    NativePrinters

    Printers

    NativePrintersBulkConfiguration

    PrintersBulkConfiguration

    NativePrintersBulkAccessMode

    PrintersBulkAccessMode

    NativePrintersBulkBlacklist

    PrintersBulkBlocklist

    NativePrintersBulkWhitelist

    PrintersBulkAllowlist

    UsbDetachableWhitelist

    UsbDetachableAllowlist

    QuickUnlockModeWhitelist

    QuickUnlockModeAllowlist

    AttestationExtensionWhitelist

    AttestationExtensionAllowlist

    PrintingAPIExtensionsWhitelist

    PrintingAPIExtensionsAllowlist

    AllowNativeNotifications

    AllowSystemNotifications

    DeviceUserWhitelist

    DeviceUserAllowlist

    NativeWindowOcclusionEnabled

    WindowOcclusionEnabled


     
    If you're managing Chrome via the Admin console (for example, Chrome Browser Cloud Management), no action is required; the Admin console will manage the transition automatically.

     
  • In Chrome 98, Chrome apps will be deprecated on Mac, Windows, and Linux

    As part of the previously-communicated plan to replace Chrome apps with the open web, Chrome apps will no longer function on Mac, Windows, and Linux in Chrome 98. For enterprises that need extra time to adjust to the removal of Chrome apps, a policy called ChromeAppEnabled will be available to extend support for them until June 2022.

     
  • As early as Chrome 98, different-origin iframes will no longer trigger JavaScript dialogs

    Chrome will prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change will prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself. Please note that this change was originally planned for Chrome 92, but has been postponed until at least Chrome 98 due to the feedback we received on this change. Once this deprecation launches, you can control the behavior with the enterprise policy SuppressDifferentOriginSubframeDialogs.

    You can test if this future change will affect applications now by setting the enable_features=SuppressDifferentOriginSubframeJSDialogs flag.

     

Upcoming Admin console changes

 
  • Browser list data will be available for download in CSV format in the Admin console

    As early as Chrome 95, a CSV format will be introduced as an option to download the browser list data from the Admin console.

     
  • Chrome will delete inactive browsers from Chrome Browser Cloud Management 

    Many enterprise customers have to adhere to regulation around data retention. To aid in this effort, as early as chrome 95, we will launch a new policy that will automatically delete inactive browser information from Google servers.

    By default, browsers that do not connect to the Google servers for 365 days will be considered inactive and automatically deleted. Admins will be able to modify the default value (Allowable range: 28 - 730 days).

     
Chrome 93

Chrome browser updates

 
  • SyncXHR policy is no longer available

    Chrome 93 removes the AllowSyncXHRInPageDismissal enterprise policy. Before updating to Chrome 93, web application owners must update all apps that previously relied on legacy platform behavior. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.

     
  • New RelaunchWindow policy

    The RelaunchWindow enterprise policy allows admins to specify a window of time when Chrome relaunches to force an update to apply. You can use this policy, in conjunction with RelaunchNotification, RelaunchNotificationPeriod, and RelaunchHeadsUpPeriod to control when Chrome relaunches to apply an update. RelaunchWindow helps you to minimize disruption and to force a relaunch outside of business hours. In Chrome 93, these policies are available in Group Policy. These policies will become available in the Admin console at a later date.

     
  • New JavaScript JIT setting policies 

    Chrome 93 introduces three new policies: 
    These policies allow Chrome's JavaScript engine to default to using the Ignition interpreter in a JIT-less mode for a set of enterprise-defined sites.

    Disabling the JavaScript JIT in this way may allow Chrome to render web content in a more secure configuration, as no executable permissions are needed for memory regions. However, disabling JIT has performance costs and currently disables some parts of JavaScript, including WebAssembly.

     
  • Full launch of Drive priority launchpad on New tab page

    To help users get work done faster, Chrome 93 shows the Drive files the user is more likely to need on the New tab page. This feature uses Drive’s existing priority API, which powers the Priority section of drive.google.com. Some users see this change in Chrome 93.

     
  • Publishing updates to extensions requires 2-Step Verification

    As part of the rollout of a set of updates and clarifications to the Chrome Web Store extension policies, the Chrome Web Store now requires 2-Step Verification on developer accounts before adding a new extension or updating an existing extension. This does not impact extensions that are self-hosted, sideloaded, or that are no longer being updated.

    Developer accounts belonging to organizations where the admin has disabled 2-Step Verification for their organization are exempt from this requirement.

     
  • Updates to the lock icon in the address bar 

    Some users might see a new icon replacing the lock in the address bar, which is shown on sites that support HTTPS. The new icon aims to improve the discoverability of the Page Info surface, which includes site-level security and privacy information and controls. A Not Secure indicator continues to appear on sites without HTTPS support. An enterprise policy, LockIconInAddressBarEnabled, is available to revert to the original lock icon. See our blog post Increasing HTTPS Adoption for more information.

     
  • New feature changes to the User-Agent Client Hints API updates

    Chrome 93 adds four feature changes to the User-Agent client hints API:
    • Adding a Sec-CH-UA-Bitness User Agent Client Hint to return the bitness of the platform, which might be useful, for example, for sending optimized binaries during a download.
    • Making Sec-CH-UA-Platform a low-entropy hint that is sent by default. Prior to this change, this hint would need to be requested.
    • Including low-entropy hints by default in UADataValues (returned by getHighEntropyValues()): if a hint moves from high to low-entropy, this prevents site compatibility issues.

    • Adding a toJSON method to NavigatorUAData. Instead of returning {}, JSON.stringify(navigator.userAgentData) is now useful.

    An enterprise policy UserAgentClientHintsEnabled is available to control this feature. This policy will be removed in Chrome 94. Developers can leave feedback at crbug.com/1241062 on any issues related to this feature.

     
  • Chrome on iOS adds a new way to sign in

    On iOS, when a user signs in to their Google Account on the web, they can sign in to Chrome with a Google Account that’s already saved on their device. This does not enable Chrome sync by default; the user can opt into that separately if they want sync enabled. You can control the behavior of sign-in on Chrome on iOS and other platforms using the BrowserSignIn policy.

     
  • Chrome performs sentiment measurement

    Chrome 93 performs sentiment measurement of users of Trusted Surface, Privacy Settings and Transactions. These surveys are delivered on the New tab page after the user has engaged with the feature. The delivery of these surveys can be disabled by disabling metrics via the MetricsReportingEnabled policy.

     
  • Chrome redesigns desktop page info surface

    Chrome 93 continues to redesign the desktop page info surface. The purpose of this redesign is to improve scalability by introducing modular subpages, toggles for permissions and restructuring the main view to surface the important information first.

     
  • Tab Groups in desktop Recently closed menu

    Chrome 93 allows users to see their tab groups in the Recently closed menu and helps alleviate worry about permanent loss of groups. This launch enables the whole group and individual tabs inside a group to restore from the Chrome desktop recently closed menu.

     
  • Save payment information to a Google Account 

    In Chrome 93, users who are signed in to their managed Google Account see an option to save their payment information to their Google Account. As an administrator, you can turn off this feature (Sync Service setting) in the Google Admin console or by using the AutofillCreditCardEnabled policy. This was previously available on Android and desktop and is now also available on iOS.

     
  • URL protocol handlers in web manifests

    Chrome 93 is running an Origin Trial for URL protocol handlers in web manifests. This Origin Trial started in Chrome 92 and will end in Chrome 94. The handlers follow the PWA's lifecycle -- they are set up on PWA install, and removed on PWA uninstall. You can find out more in this article.

    Note: The Origin Trial started in Chrome 92 but was initially not part of the Chrome 92 blog post.

     
  • New Incognito Exit Point on Clear browsing data

    Chrome 93 introduces a new Close windows confirmation dialog which is displayed when a user selects Clear browsing data from the overflow menu or Chrome Actions on Omnibox while on Incognito mode. This dialog contains text explaining that Clear browsing data ends the Incognito session, and two call-to-action buttons: Close windows and Cancel.

     
  • Pausing quantum computer resistant security 

    Some devices behaved unexpectedly when Chrome offered quantum-resistant cryptography for TLS connections. We’re working with those companies to provide fixed firmware for their devices and have temporarily disabled this technology.

    For more details, see the Chromium Open Source Project.

     
  • 3DES TLS cipher suites are no longer supported

    Chrome 93 removes support for 3DES TLS cipher suites. The TripleDESEnabled enterprise policy was made available in Chrome 92 to test this change, and will be available temporarily until Chrome 95, to give enterprises additional time to adjust.

     
  • Ubuntu 16.04 is no longer supported

    Ubuntu 16.04 is past the end of standard support, and is no longer supported. The updated system requirements for Chrome are available here.

     
  • New and updated policies in Chrome browser
     

    Policy

    Description

    DefaultJavaScriptJitSetting

    Allows you to set whether Google Chrome runs the v8 JavaScript engine with JIT (Just In Time) compiler enabled or not.

    DesktopSharingHubEnabled

    Enable the sharing icon from the omnibox and the entry from the 3-dot menu.

    JavaScriptJitAllowedForSites

    Allows you to set a list of site URL patterns that specify sites which are allowed to run JavaScript with JIT (Just In Time) compiler enabled.

    JavaScriptJitBlockedForSites

    Allows you to set a list of site URL patterns that specify sites which are not allowed to run JavaScript JIT (Just In Time) compiler enabled.

    LockIconInAddressBarEnabled

    Controls the treatment for lock icon in the omnibox. From Chrome 93, there is a new omnibox icon for secure connections. If the policy is Enabled, Chrome uses the existing lock icon for secure connections. If the policy is Disabled or not set, Chrome uses the default icon for secure connections.

    RelaunchWindow

    Specify a target time window for the end of the relaunch notification period.

    RemoteDebuggingAllowed

    Controls whether users may use remote debugging.

Chrome OS updates

 
  • Enable Android applications to access Chrome OS certificates

    Previously Android applications could only access certificates provisioned within Android, but not those in Chrome OS. Admins can now enable Android apps to access Chrome OS user and device certificates.

    For more information, see the Help Center.

     
  • Regular online re-authentication for identity providers on the login and lock screen

    Regular online authentication provides additional security for organizations that require 2FA or MFA authentication and organizations that use third-party identity providers like Okta.

    As an admin, you can require regular online re-authentication on the login screen for users of third-party identity providers.  Chrome OS 93 expands this capability to re-authenticate using the lock screen and also extends re-authentication support to users of Google identity, including those using 2FA like Yubikeys or SMS.

    There are now three new controls to help manage online re-authentication: 
     
    1. SAML single sign-on unlock frequency
    2. Google online login frequency
    3. Google online unlock frequency
     

Admin console updates

 
  • Sending Extension Requests for Chrome browser Desktop and Chrome OS

    As an admin, you can block users from installing extensions and the Chrome Web Store will now have a Request button so that you can see their requests from within the Admin console and take an action to allow or to block the extensions.  To enable the feature, please follow the steps in the Help Center.

     
  • Chrome Browser Cloud Management is available for Chrome-on-iOS

    Chrome Browser Cloud Management now supports Chrome-on-iOS.  The policies for Chrome-on-iOS can be seen at https://chromeenterprise.google/policies (then filter for iOS platform).  To get started, please visit the Help Center.

     
  • Chrome Browser Cloud Management Release Channel selector

    Admin console now has a release channel selector (Stable, Beta, Dev) for Chrome Browser Cloud Management on Windows, Mac, or Linux.  For more details, see the Help Center.

     

Coming soon

 

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

  • Chrome 94 is moving to a 4-week stable channel and introducing an 8-week extended stable channel 

    Chrome on mobile, Windows, Mac, and Linux will move from its current 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly. Note that Chrome 94’s shorter development cycle means Chrome 93 will be live in the stable channel for less time as well; specific release dates for both milestones can be found on our schedule

    No action is required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you'll be able to use the TargetChannel policy to switch Chrome on Mac and Windows to an extended stable channel, with a new release every 8 weeks instead. The option of Extended Stable will be added to the Target Channel Control in the Admin console in Chrome 94. You can find more details in our blog post at blog.chromium.org

    To ensure continuous improvements to the Chrome OS platform, Chrome OS will move to a 4-week stable channel starting with Chrome 96. To bridge the gap between Chrome 94 and Chrome 96, Chrome OS will skip Chrome 95 (see the updated Chrome schedule page for milestone-specific details). 

    To provide commercial users with another dependably secure stable platform, Chrome OS will also introduce a new channel with a 6-month update cadence by Chrome 96. More details to be announced soon.

     

Upcoming Chrome browser changes

 
  • As early as Chrome 94, the browser list data will be available for download in CSV format in the Admin console

    Chrome will introduce the CSV format as an option to download the browser list data from the Admin console.

     
  • Chrome 94 on iOS will be able to apply .mobileconfig files

    A .mobileconfig file can be used to configure an iPhone, iPod touch, and iPad to work with certain enterprise systems. Since iOS 12.2, mobileconfig files can be downloaded and installed from Safari and Mail apps. Chrome will be able to download these files and continue to settings so the user can apply them.

     
  • Chrome 94 will support usage of Android phones as security keys

    When Chrome on a desktop or laptop is signed into the same account as Chrome on an Android phone, that phone can be used as a security key.

    This feature requires that the desktop has a Bluetooth Low Energy (BLE) adaptor. Communication between the devices is end-to-end encrypted with keys exchanged over BLE to prove proximity with the phone.

     
  • Chrome 94 will launch What's New in Chrome

    What’s New will be an effortless way for users to discover new features. Starting in Chrome 94 some users will see a page that highlights a few features. What’s New will automatically show as the focused tab. You can disable this feature by using the existing PromotionalTabsEnabled enterprise policy.

     
  • Chrome 94 will no longer allow insecure public pages to make requests to private or local URLs

    Non-secure contexts served from public IP addresses will no longer be able to make subresource requests to IP addresses belonging to a more private address space (as defined in Private Network Access). For example, http://public.example served on IP 1.2.3.4 will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You can control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies, which became available for testing in Chrome 92.

     
  • Ability for PWAs to be registered as (platform level) URL handlers

    Chrome 94 will run an Origin Trial to allow Progressive Web Apps (PWAs) to register as URL handlers. This means that PWAs can be launched in response to URL link activations, including activations from native apps. PWAs will be allowed to register to handle any https URL, not just URLs from their own app scope. If you’re interested in learning more about PWAs as URL handlers, please refer to this article.

     
  • Launching a sharing hub

    In Chrome 94, users will be able to more easily share their current page, including the ability to send the current page to their devices, get a QR code for the current URL, and share to third-party apps. You will be able to control this feature using an enterprise policy called DesktopSharingHubEnabled.

     
  • Chrome 94 will use updated language in managed profile sign-in notice

    Chrome 94 will update the notice when users sign into a managed profile. The new notice will have language clarifying that a separate profile is required and the available buttons will be simplified. Some users will see a link to open Chrome in guest mode when they sign in to a new profile that's different from the profile signed in to Chrome.

     
  • Chrome 94 will add a new enterprise policy for the Web Serial API

    The Web Serial API allows sites to request access to serial devices (USB, Bluetooth, etc.) through a device selection prompt. In previous Chrome versions, policy controls could only control how the feature was blocked. In Chrome 94, admins will be able to grant a site access to specific (or all) connected serial devices, streamlining workflows by removing the need for users to select the correct device.

     
  • Chrome settings restructure

    To aid in navigability, Chrome will replace the single long page in Chrome settings with individual sections. The updated experience will be available starting with Chrome 94.

     
  • Chrome 94 will launch HTTPS-First mode (Android and Desktop)

    HTTPS-First mode will attempt to upgrade all page loads to HTTPS and display a full-page warning before loading sites that don’t support it. Users who enable this mode gain confidence that Chrome is connecting them to sites over HTTPS whenever possible, and that they will see a warning before connecting to sites over HTTP. An enterprise policy will exist to disable the use of this mode. 

     
  • Chrome 94 will update certificate transparency log list via component updater

    Chrome 94 will start using Component Updater to dynamically update the certificate transparency log list, separating these updates from full browser updates, and allowing out-of-date clients to keep enforcing Certificate Transparency.

     
  • Chrome 94 will introduce tab grid bulk actions 

    Chrome for iOS will add an edit mode to the tab grid to allow easier management of open tabs. Multiple tabs can be selected and then added to the reading list, bookmarked, shared, or closed.

     
  • As early as Chrome 94, Chrome will delete inactive browsers from Chrome Browser Cloud Management 

    Many enterprise customers have to adhere to regulation around data retention. To aid in this effort, we will launch a new policy that will automatically delete inactive browser information from Google servers.

    By default, browsers that do not connect to the Google servers for 365 days will be considered inactive and automatically deleted. Admins will be able to modify the default value.

     
  • Chrome 94 will test Chrome Accuracy Check

    Chrome plans to remind users to evaluate the accuracy of information. Chrome Accuracy Check will show users tips for evaluating information quality for news sites when they might be helpful.

     
  • Chrome 94 will remove UserAgentClientHintsEnabled policy 

    The use of Structured Headers in the User Agent Client Hints, and in particular, the Sec-CH-UA and Sec-CH-UA-Mobile headers, caused some unintended consequences where not all servers were able to accept all characters. An enterprise policy UserAgentClientHintsEnabled was created to disable this feature. This policy will be removed in Chrome 94.

     
  • Chrome 94 will add new Security Events to BeyondCorp Enterprise Threat and Data Protection (Password Leak and Login)

    Chrome 94 will add two new Security Events to BeyondCorp Enterprise Threat and Data Protection: Password leak and login. This functionality will allow administrators to understand enterprise credential usage and Shadow IT within their organization, and to stay ahead of potential security incidents regarding passwords exposed in data breaches.
     
  • Chrome 94 will launch an API that allows sites to know when the user is active

    Chrome 94 will launch the Idle Detection API, allowing websites to request the ability to query if users are idle, allowing messaging apps to direct notifications to the best device. This was previously in Origin Trial and is now rolled out to Stable.

     
  • Chrome 94 will launch display-capture

    The display-capture permissions-policy allows sites to more safely embed documents in an iframe. The display-capture permissions-policy can be used to remove the capability of a document in an iframe initiating a screen-capture.  An enterprise policy will be created to control this feature - DisplayCapturePermissionsPolicyEnabled. This policy will be removed in Chrome 100.

     
  • Migrate to Open Screen Library Cast channel

    Chrome 95 will use a new implementation to connect to devices that support Cast like Chromecast, Nest Hub and Android TV.  Chrome users will not observe any differences in how Cast works.

     
  • Chrome 95 will introduce stricter parsing rules for Legacy Browser Support

    Organizations that rely on Legacy Browser Support (LBS) to redirect their users to Microsoft® Edge® or Internet Explorer® can use the BrowserSwitcherParsingMode policy to choose how their site list is interpreted by Chrome. If set to strict mode, Chrome will interpret those rules in the same way as Edge® and Internet Explorer®.

     
  • In Chrome 95, Chrome apps will be deprecated on Mac, Windows, and Linux

    As part of the previously-communicated plan to replace Chrome apps with the open web, Chrome apps will no longer function on Mac, Windows, and Linux. For enterprises that need extra time to adjust to the removal of Chrome apps, a policy will be available to extend support for them until June 2022.

     
  • As early as Chrome 95, Chrome will no longer allow TLS 1.0 or TLS 1.1

    The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.

    In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. As early as Chrome 95, it will no longer be possible to bypass the interstitial.

     
  • As early as Chrome 95, the network Service on Windows will be sandboxed

    To improve the security and reliability of the service, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. You'll be able to disable the change with an enterprise policy when it becomes available.

     
  • Chrome 95 will conduct an Origin Trial for User-Agent Reduction

    Chrome 95 will be conducting an Origin Trial for the fully reduced User-Agent string.  We would like sites to begin participating in the trial so we may collect feedback and allow sites to have ample time to address breakage. The reduced User-Agent string will appear in both the User-Agent HTTP request header as well as the JavaScript APIs that access the User-Agent string (navigator.userAgent, navigator.appVersion, navigator.platform).  The Origin Trial will last six milestones until the reduced User-Agent string becomes the default in Chrome, with a deprecation Origin Trial to continue receiving the full User-Agent string for those sites that still need more time to migrate. Enterprises can opt in to the Origin Trial here when it is available.

     
  • Chrome 95 will deprecate WebAssembly cross-origin module sharing

    Chrome 95 will prevent WebAssembly module sharing between cross-origin but same-site environments.This will allow agent clusters to be tied to origins in the long-term. This change conforms to recent changes in the WebAssembly spec.

    If your enterprise needs any additional time to adjust to this change, a temporary enterprise policy will be made available to allow module sharing for cross-origin same-site environments.

     
  • As early as Chrome 95, Apps shortcut in the Bookmarks Bar will default to off

    Chrome will make the Apps shortcut in the bookmark bar default to off and update the current state for all users to the new default (off).

     
  • As early as Chrome 97, Chrome may leverage MiraclePtr to improve security

    Chrome will leverage MiraclePtr to reduce the risk of security vulnerabilities relating to memory safety. The Chrome team gathered data on the performance cost of MiraclePtr in Chrome 91, but domain-joined enterprises on the stable channel were excluded from MiraclePtr builds during that phase. A full release of MiraclePtr in Chrome is planned as early as Chrome 97.

     
  • As early as Chrome 97, Chrome will maintain its own default root store

    To improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.

     
  • Chrome 97 will remove legacy policies with non-inclusive names

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names. To minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.

    Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy.

    This transition period will end in Chrome 97, and the following policies in the left column will no longer function. This change was originally announced for Chrome 95, but has been extended to Chrome 97.  

    Please ensure you're using the corresponding policy from the right column instead:
     

    Legacy Policy Name

    New Policy Name

    NativeMessagingBlacklist

    NativeMessagingBlocklist

    NativeMessagingWhitelist

    NativeMessagingAllowlist

    AuthNegotiateDelegateWhitelist

    AuthNegotiateDelegateAllowlist

    AuthServerWhitelist

    AuthServerAllowlist

    SpellcheckLanguageBlacklist

    SpellcheckLanguageBlocklist

    AutoplayWhitelist

    AutoplayAllowlist

    SafeBrowsingWhitelistDomains

    SafeBrowsingAllowlistDomains

    ExternalPrintServersWhitelist

    ExternalPrintServersAllowlist

    NoteTakingAppsLockScreenWhitelist

    NoteTakingAppsLockScreenAllowlist

    PerAppTimeLimitsWhitelist

    PerAppTimeLimitsAllowlist

    URLWhitelist

    URLAllowlist

    URLBlacklist

    URLBlocklist

    ExtensionInstallWhitelist

    ExtensionInstallAllowlist

    ExtensionInstallBlacklist

    ExtensionInstallBlocklist

    UserNativePrintersAllowed

    UserPrintersAllowed

    DeviceNativePrintersBlacklist

    DevicePrintersBlocklist

    DeviceNativePrintersWhitelist

    DevicePrintersAllowlist

    DeviceNativePrintersAccessMode

    DevicePrintersAccessMode

    DeviceNativePrinters

    DevicePrinters

    NativePrinters

    Printers

    NativePrintersBulkConfiguration

    PrintersBulkConfiguration

    NativePrintersBulkAccessMode

    PrintersBulkAccessMode

    NativePrintersBulkBlacklist

    PrintersBulkBlocklist

    NativePrintersBulkWhitelist

    PrintersBulkAllowlist

    UsbDetachableWhitelist

    UsbDetachableAllowlist

    QuickUnlockModeWhitelist

    QuickUnlockModeAllowlist

    AttestationExtensionWhitelist

    AttestationExtensionAllowlist

    PrintingAPIExtensionsWhitelist

    PrintingAPIExtensionsAllowlist

    AllowNativeNotifications

    AllowSystemNotifications

    DeviceUserWhitelist

    DeviceUserAllowlist

    NativeWindowOcclusionEnabled

    WindowOcclusionEnabled



    If you're managing Chrome via the Admin console (for example, Chrome Browser Cloud Management), no action is required; the Admin console will manage the transition automatically.

     
  • As early as Chrome 98, different-origin iframes will no longer trigger JavaScript dialogs

    Chrome will prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change will prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself. Please note that this change was originally planned for Chrome 92, but has been postponed until at least Chrome 98 due to the feedback we received on this change. You can test if this future change will affect applications now by setting the enable_features=SuppressDifferentOriginSubframeJSDialogs flag.

     
 
Chrome 92

Chrome browser updates

 

  • Chrome blocks ports 989 and 990

    Chrome 92 adds ports 989 (ftps-data) and 990 (ftps) to the restricted ports list and blocks traffic through them. This does not affect customers using standard ports, but custom configurations using non-standard ports may be affected.
    If you're affected by this change, you can use the ExplicitlyAllowedNetworkPorts enterprise policy to allow these specific ports in your environment. You can specifically allow ports 989 and 990 until February 2022.
     
  • Chrome adds FLoC controls to Privacy Sandbox settings 

    Last year, we announced a new initiative, known as Privacy Sandbox, to develop a set of open standards to fundamentally enhance privacy on the web. Chrome 92 adds controls to the Privacy Sandbox settings page to provide improved transparency and control for Federated Learning of Cohorts (FLoC). You can disable the complete Privacy Sandbox, including FLoC, by policy in general by blocking 3P cookies, or all cookies. Alternatively for specific sites, you can disable the sandbox by blocking cookies for a URL.
     
  • Chrome on Android includes a new on-device model for phishing detection

    Chrome on Android uses an on-device Machine Language (ML) model to better detect phishing attempts, and better protect users. As in earlier versions, Chrome displays a full-page interstitial warning if Chrome detects a possible phishing attempt.

    With this change, Chrome sends the following to the Safe Browsing service: 
    • the version of the model that was executed
    • the scores the model gave for each category
    • a boolean describing whether the new model was used to generate the scores

    You can control Safe Browsing using the SafeBrowsingProtectionLevel policy. This feature applies to users with the SafeBrowsingProtectionLevel policy set at protection level of 1 or greater.
     
  • Back/forward cache desktop full launch for all websites

    As a follow-up to a previous launch on Chrome for Android, Chrome 92 launches back/forward cache on desktop platforms. Back/forward cache is a browser optimization that enables instant back and forward navigations. You can temporarily disable this feature via the BackForwardCacheEnabled policy with Group Policy or in the Google Admin console. If you do so, please share details about the issue that led you to disable back/forward cache.
     
  • Magic Toolbar is now available on Chrome on Android 

    The Chrome toolbar on Android now includes a new customizable button that shows different shortcuts depending on what the user is most likely to need.
     
  • Publishing updates to extensions requires 2-Step Verification

    As part of the rollout of a set of updates and clarifications to the Chrome Web Store extension policies, the Chrome Web Store now requires 2-Step Verification on developer accounts prior to adding a new extension or updating an existing extension. This does not impact extensions that are self-hosted, sideloaded, or that are no longer being updated.
     
  • Chrome expands DNS HTTPS record queries for users using classic DNS 

    In previous versions, Chrome only queried and parsed DNS HTTPS records alongside the traditional A and AAAA records for users using Secure DNS. Chrome 92 expands this behavior to users using classic DNS. Chrome uses these records to improve privacy and performance of HTTPS web connections. You can temporarily disable these extra queries for users using classic DNS with the AdditionalDnsQueryTypesEnabled policy with Group Policy or in the Google Admin console. If you do so, please share details about issues that led you to use the policy as a workaround. Note that this policy has no effect for users using Secure DNS.
     
  • Different-origin iframes cannot trigger JavaScript dialogs

    Chrome 92 prevents iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change is intended to prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself.
    If you have any web apps affected by this change, you can use the temporary enterprise policy SuppressDifferentOriginSubframeDialogs to revert to the previous behavior. This policy will be removed in Chrome 95.
     
  • SharedArrayBuffers need Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy 

    If your organization uses apps that leverage SharedArrayBuffers, those apps need to set Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy in the HTTP header. Web apps not setting the appropriate policies can no longer access SharedArrayBuffers.
     
  • Android removes setting for “Show suggestions for similar pages”

    Chrome 92 on Android removes the end user setting for "Show suggestions for similar pages when a page can't be found" from the Sync and Google services settings. This setting was previously removed on Desktop.
    You can control the DNS probes associated with this feature with the AlternateErrorPagesEnabled enterprise policy. 
     
  • Drive priority launchpad on New Tab page

    To help users get work done faster, Chrome 92 shows the Drive docs the user is more likely to need on the New Tab page. This feature uses Drive’s existing priority API, which powers the Priority section drive.google.com. Some users see this change in Chrome 92 and a full launch is expected in Chrome 93.
     
  • Developers can change the name and icon of PWAs

    Developers can now update the name and icon for default Progressive Web Apps (PWAs) and PWAs installed using the ExtensionInstallForcelist enterprise policy.
     
  • Chrome trials the suppression of autofill suggestions

    In Chrome 92, we are conducting a short trial on a small randomly selected number of forms where the browser doesn't show autofill suggestions. The trial is limited to address and credit card forms. Passwords are not affected. You can opt out by using the ChromeVariations policy. Setting the policy to CriticalFixesOnly (value 1) allows only variations considered critical security or stability fixed to be applied to Google Chrome.
     
  • Google Lens replaces Search by Image on Chrome Desktop

    In Chrome 92, for Chrome users whose default search engine is set to Google, the Search with Google Lens context menu item replaces the Search Google for Image desktop context menu item. The new menu item sends users to a standalone Lens Web app. If desired, however, users can navigate to Google Image Search from Lens.
     
  • Chrome separates sign-in and sync on iOS 

    On iOS, Chrome 92 separates the Sync and Google services settings into two items: Sync and Google services. There is a new control in Google services, Allow Chrome sign-in, to disable Chrome sign-in (and therefore also sync).
     
  • Chrome displays a new warning text if a download might lead to account compromise 

    If a user initiates a download that Safe Browsing determined is associated with stealing cookies, some users on desktop platforms see a new warning, filename.exe could let attackers steal your personal information.
     
  • Incognito removes UI links to history

    Chrome does not save history in Incognito mode, but some platforms still show a link to history on the Incognito UI. On Android, to make it clear that Chrome is not saving history, the History menu item in Incognito windows temporarily links to an explainer page instead of linking to a user's history.
     
  • Chrome disables extensions removed from the Chrome Web Store

    Chrome disables extensions that were removed from the Chrome Web Store due to non-compliance with our Chrome Web Store policies. However, if an admin has force-installed an extension, Chrome does not disable it.
    Remember, if you need help with an extension that you manage, you can visit Chrome Web Store One Stop Support.
     

Chrome OS updates

 

  • Chrome improves Android and Linux app support for Desks
    http://crbug/1203496

    You can now assign Android and Linux apps to desks. Right-click on the app window to assign it to a specific desk or to all desks.
     
  • Chrome supports continuous dictation 
    http://crbug/1200667

    Dictation now allows you to continuously dictate your text and only times out if you stop talking.
     
  • Point Scanning for Switch Access 
    http://crbug/1167368

    Point Scanning is a new navigation mode for Switch Access. It allows users to select any spot on the screen and trigger an action. The user first presses their switch when the correct horizontal position is selected, and presses their switch again when the correct vertical position is selected.
     
  • Chrome adds further integrations to Tote
    http://crbug/1201265

    You can now quickly find downloads from your Android Apps and from your Chrome print to pdf functionality in Tote.
     
  • MultiPaste now available for Virtual Keyboard
    http://crbug/1175122

    Chrome OS makes its clipboard history, which launched in Chrome OS 89, accessible from the Virtual Keyboard in Chrome OS 91 and later.
     
  • Chrome 92 improves shortcuts for international keyboards
    http://crbug/1159454

    Chrome OS improves keyboard shortcuts for both international and US users; you can see these updates in the Shortcuts app.
     
  • Chrome OS Camera now supports PTZ Controls
    http://crbug/1186787

    You can now pan, tilt, or zoom your camera from the Chrome Camera app. This feature requires a camera with PTZ support.
     
  • Emoji picker for physical keyboards
    http://crbug/1152237

    Chrome OS includes a new emoji picker, with search functionality and multi-skintone support.
     
  • Chrome OS device help in launcher search
    http://crbug/1126816

    Quickly find help for your Chrome OS device by searching for it in launcher search.
     
  • Some protected content may no longer play on M89 and earlier
    Chrome known issues

    From August 3rd, some protected video and audio content may no longer play on M89 and earlier.
     

Admin console updates

 

  • Additional policies in the Admin console

 

Policy Name

Pages

Supported on

Category/Field

SystemFeaturesDisableMode

Managed Guest Session Settings

Chrome OS

User experience / Disabled system features visibility

SuppressDifferentOriginSubframeDialogs

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Android

Content / Cross-origin JavaScript dialogs

EnterpriseHardwarePlatformAPIEnabled

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Android

Hardware / Enterprise Hardware Platform API

LensCameraAssistedSearchEnabled

User & Browser Settings

Android

User experience / Google Lens camera assisted search

NearbyShareAllowed

User & Browser Settings

Chrome OS

Connected devices / Nearby share

SharedArrayBufferUnrestrictedAccessAllowed

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Network / SharedArrayBuffer

WebRtcIPHandling

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Network / WebRTC IP handling

FetchKeepaliveDurationSecondsOnShutdown

User & Browser Settings

Chrome

Power and shutdown / Keepalive duration / Fetch keepalive duration on Shutdown (in seconds)

CECPQ2Enabled

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Android

Network / CECPQ2 post-quantum key-agreement for TLS

AudioProcessHighPriorityEnabled

User & Browser Settings

Chrome

Hardware / Audio process priority / Adjust the priority for the Chrome audio process

ExplicitlyAllowedNetworkPorts

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Android

Network / Allowed network ports

AllowSystemNotifications

User & Browser Settings

Chrome

Security / System notifications

DefaultFileHandlingGuardSetting

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Content / File Handling API

FileHandlingBlockedForUrls

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Content / File Handling API / Block the File Handling API for these URLs

FileHandlingAllowedForUrls

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Content / File Handling API / Allow the File Handling API for these URLs

BrowserThemeColor

User & Browser Settings

Chrome

General / Custom theme color / Hex color

PdfAnnotationsEnabled

User & Browser Settings

Chrome OS

Content / PDF Annotations

DeviceSystemWideTracingEnabled

Device Settings

Chrome OS

User and device reporting / System-wide performance trace collection

GaiaOfflineSigninTimeLimitDays

User Settings

Chrome OS

Security/Google online login frequency

 

  • New and updated policies (Chrome and Chrome OS)
     

Policy

Description

InsecurePrivateNetworkRequestsAllowed

Controls whether insecure websites are allowed to make requests to any network endpoint, subject to other cross-origin checks.

CloudUserPolicyMerge

Allows policies associated with a Google Workspace account to be merged into machine-level policies.

GaiaLockScreenOfflineSigninTimeLimitDays

Limit the time for which a user authenticated via GAIA without SAML can log in offline at the lock screen.

SamlLockScreenOfflineSigninTimeLimitDays

Limit the time for which a user authenticated via SAML can log in offline at the lock screen.

AdditionalDnsQueryTypesEnabled

Allow DNS queries for additional DNS record types.

PromptForDownloadLocation

Ask where to save each file before downloading.

DataLeakPreventionReportingEnabled

Enable data leak prevention reporting.

DataLeakPreventionRulesList

Sets a list of data leak prevention rules.

DeviceDebugPacketCaptureAllowed

Allow debug network packet captures.

SuggestLogoutAfterClosingLastWindow

Display the logout confirmation dialog.

TripleDESEnabled

Enable 3DES cipher suites in TLS.

Coming soon

 

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

  • Chrome is moving to a 4-week stable channel and introducing an 8-week extended stable channel as early as Chrome 94

    Chrome on mobile, Windows, Mac, and Linux will move from its current 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly. Note that Chrome 94’s shorter development cycle means Chrome 93 will be live in the stable channel for less time as well; specific release dates for both milestones can be found on our schedule
    No action is required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you'll be able to use the TargetChannel policy to switch Chrome on Mac and Windows to an extended stable channel, with a new release every 8 weeks instead. You can find more details on our blog post at blog.chromium.org
    To ensure continuous improvements to the Chrome OS platform, Chrome OS will move to a 4-week stable channel starting with Chrome 96. To bridge the gap between Chrome 94 and Chrome 96, Chrome OS will skip Chrome 95 (see the updated Chrome schedule page for milestone-specific details). 
    To provide commercial users with another dependably secure stable platform, Chrome OS will also introduce a new channel with a 6-month update cadence by Chrome 96. More details to be announced soon.
     

Upcoming Chrome browser changes

 

  • Chrome 93 will no longer allow insecure public pages to make requests to private or local URLs

    Non-secure contexts served from public IP addresses will no longer be able to make subresource requests to IP addresses belonging to a more private address space (as defined in Private Network Access).
    For example, http://public.example served on IP 1.2.3.4 will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. Similarly, http://intranet.example served on IP 192.168.0.1 will not be able to make requests targeting localhost. You can control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies, which are available for testing in Chrome 92.
     
  • Chrome 93 will add a new enterprise policy for the Web Serial API

    The Web Serial API allows sites to request access to serial devices (USB, Bluetooth, etc.) through a device selection prompt. In previous Chrome versions, policy controls could only control how the feature was blocked. In Chrome 93, admins will be able to grant a site access to specific (or all) connected serial devices, streamlining workflows by removing the need for users to select the correct device.
     
  • New feature changes to the User-Agent Client Hints API updates

    Chrome 93 will add four feature changes to the User-Agent client hints API:
    • Adding a Sec-CH-UA-Bitness User Agent Client Hint to return the bitness of the platform, which might be useful, for example, for sending optimized binaries during a download.
    • Making Sec-CH-UA-Platform a low-entropy hint that is sent by default. Before this change, this hint would need to be requested.
    • Including low-entropy hints by default in UADataValues (returned by getHighEntropyValues()): if a hint moves from high to low-entropy, this prevents site compatibility issues.
    • Adding a toJSON method to NavigatorUAData. Instead of returning {}, JSON.stringify(navigator.userAgentData) will now be useful.
  • Chrome 93 will support using Android phones as security keys

    When Chrome on a desktop or laptop is signed into the same account as Chrome on an Android phone, that phone can be used as a security key.
    This feature requires that the desktop has a Bluetooth Low Energy (BLE) adaptor. Communication between the devices is end-to-end encrypted with keys exchanged over BLE to prove proximity with the phone.
     
  • Chrome 93 will use updated language in managed profile sign-in notice

    Chrome will update the notice when users sign into a managed profile. The new notice will have language clarifying that a separate profile is required and the available buttons will be simplified. Some users will see a link to open Chrome in guest mode when they sign in to a new profile that's different from the profile signed in to Chrome.
     
  • Chrome 93 will test replacing the lock icon with a new icon

    Some users will see a new icon replacing the lock in the address bar, improving the discoverability of the Page Info surface, which includes site-level security and privacy information and controls. An enterprise policy, LockIconInAddressBarEnabled, will become available to revert to the original lock icon.
     
  • Chrome 93 will launch a sharing hub

    Users will be able to more easily share their current page, including the ability to send the current page to their devices, get a QR code for the current URL, and share to third party apps. You will be able to control this feature using an enterprise policy called DesktopSharingHubEnabled.
     
  • Chrome 93 will make Chrome Browser Cloud Management available on iOS

    The Chrome Enterprise team is working to support Chrome-on-iOS for Chrome Browser Cloud Management. If you are interested in testing this functionality out earlier in Chrome 92, please sign up for our Trusted Tester program.
     
  • Chrome 93 on iOS will be able to apply .mobileconfig files

    A .mobileconfig file can be used to configure an iPhone, iPod touch, and iPad to work with certain enterprise systems. Since iOS 12.2, mobileconfig files can be downloaded and installed from Safari and Mail apps. Chrome will be able to download these files and continue to settings so the user can apply them.
     
  • As early as Chrome 94, the network service on Windows will be sandboxed

    To improve the security and reliability of the service, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third party code that is currently able to tamper with the network service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. You'll be able to disable the change with an enterprise policy when it becomes available.
     
  • Chrome settings restructure

    To aid in navigability, Chrome will replace the single long page in Chrome settings with individual sections. The updated experience will be available starting with Chrome 94.
     
  • Chrome 93 on iOS will prefer https to http when not specified in the address bar

    When a user types an address into the address bar without specifying the protocol, Chrome will attempt to navigate using https first, then fallback to http if https is not available. For example, if the user navigates to example.com, Chrome will first attempt to navigate to https://example.com, then fallback to http://example.com if required. For more information, see Chrome’s blog post, A safer default for navigation: HTTPS.
    Desktop and Android users already have this change, and iOS will be rolled out in Chrome 93.
     
  • Chrome 93 on iOS will add a new way to sign in

    On iOS, when a user signs in to their Google Account on the web, they can sign in to Chrome with a Google Account that’s already saved on their device. This does not enable Chrome sync by default; the user can opt into that separately if they want sync enabled.
    You can control the behavior of sign-in on Chrome on iOS and other platforms using the BrowserSignIn policy.
     
  • Chrome 93 will delete inactive browsers from Chrome Browser Cloud Management 

    Many enterprise customers have to adhere to regulation around data retention. To aid in this effort we will launch a new policy that will automatically delete inactive browser information from Google servers.
    By default, browsers that do not connect to the Google servers for 365 days will be considered inactive and automatically deleted. Admins will be able to modify the default value.
     
  • Chrome 93 will introduce JavaScript JIT setting policies 

    Chrome 93 will introduce three new policies; 
    • DefaultJavaScriptJitSetting
    • JavaScriptJitAllowedForSites
    • JavaScriptJitBlockedForSites 
    These policies will allow you to switch Chrome's JavaScript engine to use the Ignition interpreter in a JIT-less mode, by default.
    Disabling JIT in this way may allow Chrome to render web content in a more secure configuration, as no executable permissions are needed for memory regions. However, disabling JIT has performance costs and disables some parts of JavaScript, including WebAssembly.
     
  • Chrome 93 will no longer support SyncXHR policy 

    Chrome 93 will remove the AllowSyncXHRInPageDismissal enterprise policy. Admins must update any apps that rely on the legacy web platform behavior before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.
     
  • Chrome 93 will no longer support Ubuntu 16.04

    Ubuntu 16.04 is past the end of standard support, and will not be supported as of Chrome 93. The updated system requirements for Chrome are available here.
     
  • Chrome 93 will remove 3DES TLS cipher suites

    Chrome will remove support for 3DES TLS cipher suites. The TripleDESEnabled enterprise policy will be made available in Chrome 92 to test this change, and will be available temporarily until Chrome 95, to give enterprises additional time to adjust.
     
  • Chrome 94 will introduce stricter parsing rules for Legacy Browser Support

    Organizations that rely on Legacy Browser Support (LBS) to redirect their users to Microsoft® Edge® or Internet Explorer® can use the BrowserSwitcherParsingMode policy to choose how their site list is interpreted by Chrome. If set to strict mode, Chrome will interpret those rules in the same way as Edge® and Internet Explorer®.
     
  • As early as Chrome 94, Chrome may leverage MiraclePtr to improve security

    Chrome will leverage MiraclePtr to reduce the risk of security vulnerabilities relating to memory safety. The Chrome team gathered data on the performance cost of MiraclePtr in Chrome 91, but domain-joined enterprises on the stable channel were excluded from MiraclePtr builds during that phase. A full release of MiraclePtr in Chrome is planned as early as Chrome 94.
     
  • In Chrome 94, Chrome apps will be deprecated on Mac, Windows, and Linux

    As part of the previously-communicated plan to replace Chrome apps with the open web, Chrome apps will no longer function on Mac, Windows, and Linux in Chrome 94. For enterprises that need extra time to adjust to the removal of Chrome apps, a policy will be available to extend support for them until June 2022.
     
  • Chrome 94 will remove UserAgentClientHintsEnabled policy 

    The use of Structured Headers in the User Agent Client Hints, and in particular, the Sec-CH-UA and Sec-CH-UA-Mobile headers, caused some unintended consequences where not all servers were able to accept all characters. An enterprise policy UserAgentClientHintsEnabled was created to disable this feature. This policy will be removed in Chrome 94.
     
  • As early as Chrome 95, Chrome will maintain its own default root store

    To improve user security, and to provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
     
  • Chrome 95 will deprecate WebAssembly cross-origin module sharing

    Chrome 95 will prevent WebAssembly module sharing between cross-origin but same-site environments. This will allow agent clusters to be tied to origins in the long-term. This change conforms to recent changes in the WebAssembly spec.
    If your enterprise needs any additional time to adjust to this change, a temporary enterprise policy will be made available to allow module sharing for cross-origin same-site environments.
     
  • Chrome 95 will remove legacy policies with non-inclusive names

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (for example, whitelist blacklist). To minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.
    Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy.
    This transition period will end in Chrome 95, and the following policies in the left column will no longer function. Please ensure you're using the corresponding policy from the right column instead:
     

Legacy Policy Name

New Policy Name

NativeMessagingBlacklist

NativeMessagingBlocklist

NativeMessagingWhitelist

NativeMessagingAllowlist

AuthNegotiateDelegateWhitelist

AuthNegotiateDelegateAllowlist

AuthServerWhitelist

AuthServerAllowlist

SpellcheckLanguageBlacklist

SpellcheckLanguageBlocklist

AutoplayWhitelist

AutoplayAllowlist

SafeBrowsingWhitelistDomains

SafeBrowsingAllowlistDomains

ExternalPrintServersWhitelist

ExternalPrintServersAllowlist

NoteTakingAppsLockScreenWhitelist

NoteTakingAppsLockScreenAllowlist

PerAppTimeLimitsWhitelist

PerAppTimeLimitsAllowlist

URLWhitelist

URLAllowlist

URLBlacklist

URLBlocklist

ExtensionInstallWhitelist

ExtensionInstallAllowlist

ExtensionInstallBlacklist

ExtensionInstallBlocklist

UserNativePrintersAllowed

UserPrintersAllowed

DeviceNativePrintersBlacklist

DevicePrintersBlocklist

DeviceNativePrintersWhitelist

DevicePrintersAllowlist

DeviceNativePrintersAccessMode

DevicePrintersAccessMode

DeviceNativePrinters

DevicePrinters

NativePrinters

Printers

NativePrintersBulkConfiguration

PrintersBulkConfiguration

NativePrintersBulkAccessMode

PrintersBulkAccessMode

NativePrintersBulkBlacklist

PrintersBulkBlocklist

NativePrintersBulkWhitelist

PrintersBulkAllowlist

UsbDetachableWhitelist

UsbDetachableAllowlist

QuickUnlockModeWhitelist

QuickUnlockModeAllowlist

AttestationExtensionWhitelist

AttestationExtensionAllowlist

PrintingAPIExtensionsWhitelist

PrintingAPIExtensionsAllowlist

AllowNativeNotifications

AllowSystemNotifications

DeviceUserWhitelist

DeviceUserAllowlist

NativeWindowOcclusionEnabled

WindowOcclusionEnabled

 

If you're managing Chrome via the Google Admin console (for example, Chrome Browser Cloud Management), no action is required; the Google Admin console will manage the transition automatically.

 

Additional resources

Still need help?

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
Var det här till hjälp?
Hur kan vi förbättra den?
Sök
Rensa sökning
Stäng sökrutan
Googles appar
Huvudmeny
Sök i hjälpcentret
true
410864
false