Chrome

Google has released Chrome 90 today, April 14th, 2021, to the Stable desktop channel, and it includes security improvements, a new AV1 encoder, and the default protocol changed to HTTPS.

Chrome 90 fixes 37 security bugs, including a zero-day used at the Pwn2Own competition and publicly released Monday on Twitter.

Originally scheduled for release yesterday, it is believed Google pushed it back a day to fix the zero-day vulnerability.

Today, Google promoted Chrome 90 to the Stable channel, Chrome 91 as the new Beta version, and Chrome 92 will be the Canary version.

Windows, Mac, and Linux desktop users can upgrade to Chrome 90 by going to Settings -> Help -> About Google Chrome. The browser will then automatically check for the new update and install it when available.

HTTPS is now the default protocol

With the release of Chrome 90, any URL entered in the address bar that does not contain a protocol (https:// or https://) will automatically be considered to be an HTTPS connection.

For example, if you type example.com in the address bar and press entered, Google Chrome previously would attempt to connect to the URL using the http:// protocol.

With Chrome 90, Google has switched the default protocol to https:// to increase security while browsing the web. Furthermore, as many sites redirect HTTP connections to HTTPS connections, this new default will increase performance as browsers will no longer be redirected.

Illustrating the Google Chrome's change of default protocol
Illustrating Google Chrome's change of default protocol

However, there are some exceptions to this new rule.

In a blog post announcing this feature, Google noted that "IP addresses, single label domains, and reserved hostnames such as test/ or localhost/ will continue defaulting to HTTP."

This feature is currently rolling out to Chrome users, so it may not be available to everyone as of yet.

Continued NAT Slipstreaming protection

Chrome 90 includes additional protection from NAT Slipstreaming attacks by blocking FTP, HTTP, and HTTPS connected on port 554.

NAT Slipstreaming attacks abuse a router's Application Level Gateway (ALG) feature to gain access to any port on an internal network, potentially allowing threat actors to gain access to services that are normally secured by the router.

This port was previously blocked to prevent attacks but was opened again after Google received complaints from developers.

After performing further analysis of this port, Google has determined that it is used for only approximately 0.00003% of all requests.  Due to its low usage, Google is once again blocking it.

Google Chrome gets an AV1 Encoder

With Chrome 90, Google now includes an AV1 encoder to increase performance in videoconferencing software using WebRTC.

Google states that the benefits of the AV1 Encoder are:

  • Better compression efficiency than other types of video encoding, reducing bandwidth consumption and improve visual quality
  • Enabling video for users on very low bandwidth networks (offering video at 30kbps and lower)
  • Significant screen sharing efficiency improvements over VP9 and other codecs.

Google Tab Search continues to roll out

Google Chrome Tab Search feature continues to roll out in Chrome 90, with hopefully more users getting it without having to enable it via a flag.

The  Tab Search feature allows you to search through your open tabs among all open browser windows to find a specific page.

If you are like me and have 50+ tabs open at once, trying to find a particular page among all your open browser windows is a major pain.

With Tab Search, you can click on the little down arrow to the right of your tabs and search for a particular keyword found in a page's title or URL. Tab Search will then display a list of open tabs that match that search keyword and allow you to quickly select and make the the active one.

Google Chrome Tab Search feature
Google Chrome Tab Search feature

    Developer changes in Chrome 90

    This release brings numerous new APIs, trials, and changes to Google Chrome. Below we have listed the main developer changes:

    • There's a new value for the CSS overflow property.
    • The Feature Policy API has been renamed to Permissions Policy.
    • And there's a new way to implement and use Shadow DOM directly in HTML.
    • Clipboard: read-only files support
    • WebAssembly Exception Handling
    • URL protocol setter: New restrictions for file URLs
    • WebXR Depth API
    • WebXR AR Lighting Estimation

    For more details, be sure to check out the .

    Related Articles:

    Google fixes Chrome zero-days exploited at Pwn2Own 2024

    Microsoft again bothers Chrome users with Bing popup ads in Windows

    Google Chrome gets real-time phishing protection later this month

    Google paid $10 million in bug bounty rewards last year

    New Google Chrome feature blocks attacks against home networks