For administrators who manage Chrome browser or ChromeOS devices for a business or school.
- For emails about future releases, sign up here.
- To try out new features before they're released, sign up for the trusted tester program.
- Connect with other Chrome Enterprise IT admins through the Chrome Enterprise Customer Forum.
- Sign up to take the ChromeOS administrator credential exam.
- Get help and see additional resources below.
Table updated: November 6, 2024
Chrome 130
Chrome 130 release summary
Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Desktop toasts | ✓ | ||
Platform picker for screen sharing on macOS | ✓ | ||
New Account menu | ✓ | ||
PDF Viewer on Android | ✓ | ||
Tab freezing on Energy saver | ✓ | ||
Compression dictionary transport with Shared Brotli and Shared Zstandard | ✓ | ||
Keyboard-focusable scroll containers | ✓ | ||
Support non-special scheme URLs | ✓ | ||
Chrome on Android now supports third-party autofill and password providers | ✓ | ✓ | |
<meter> element fallback styles | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Chrome Enterprise Core changes | Security/ Privacy | User productivity/ Apps | Management |
Default change for GenAI policies | ✓ | ||
Support for user-level settings on Custom configurations | ✓ | ||
Audit-only URL navigation rules | ✓ | ||
Chrome Security Insights | ✓ | ✓ | |
Extension risk score Phase 2 | ✓ | ✓ | |
Chrome Enterprise Premium changes | Security/ Privacy | User productivity/ Apps | Management |
No updates in Chrome 130. | |||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Search and receive answers in your Chrome history with AI | ✓ | ||
Ad-hoc code signatures for PWA shims on macOS | ✓ | ||
Asynchronous real-time Safe Browsing check | ✓ | ||
Remove non-standard GPUAdapter requestAdapterInfo() method | ✓ | ||
Deprecate Safe Browsing Extended reporting | ✓ | ||
Update Google Play Services to fix issues with on-device passwords | ✓ | ||
Entrust certificate distrust | ✓ | ||
Simplified sign-in and sync experience | ✓ | ✓ | |
User Link capturing on PWAs | ✓ | ✓ | |
Deprecation of CSS Anchor Positioning property inset-area | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
Chrome PDF Viewer OCR | ✓ | ||
Insecure form warnings on iOS | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Read aloud in Reading mode | ✓ | ||
Capture all screens | ✓ | ||
SafeBrowsing API v4 to v5 migration | ✓ | ||
Private network access checks for navigation requests: warning-only mode | ✓ | ||
Deprecate mutation events | ✓ | ✓ | |
UI Automation accessibility framework provider on Windows | ✓ | ||
Upcoming Chrome Enterprise Core changes | Security/ Privacy | User productivity/ Apps | Management |
GenAI Defaults policy | ✓ | ||
Chrome extension telemetry integration with Google SecOps | ✓ | ✓ | |
New managed profile list and reporting for signed-in users | |||
Remove enterprise policy used for legacy same site behavior | ✓ | ||
Upcoming Chrome Enterprise Premium changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome Enterprise Data Controls: Clipboard | ✓ | ||
Screenshot protections | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.
Chrome browser changes
- Desktop toasts
Chrome 130 introduces a new Toast pattern that will allow features to provide visual confirmation of user actions or a quick way to take a follow up action. For example, when adding something to a reading list, a Toast confirms that the item was added and offers a quick link to the reading list side panel. Toasts appear as a small chip that partially overlaps with the web contents and partially with the top toolbar of the browser.
- Chrome 130 on ChromeOS, Linux, macOS, Windows: This will be enabled for an initial set of features in Chrome 130. Subsequent toasts will be rolled out independently by other teams utilizing the pattern.
- Platform picker for screen sharing on macOS
When screen sharing in Chrome on macOS X Sequoia, users can now select a window or screen to share using the updated platform picker. This new platform picker removes the need for assigning screen recording permission to Chrome and is consistent with screen sharing in other macOS applications.
The new picker will not be activated before the first update of macOS Sequoia, version 15.1 expected a month after the initial version of 15.0. Before that Chrome users might see a warning dialog that Chrome is not using the new picker API yet.
To test the new screen share picker experience:
- Update Chrome to version 129 or later.
- On your macOS, open the Terminal.
- At the prompt, type:
open -b com.google.Chrome --args -enable-features=UseSCContentSharingPicker
- To execute the command, on your keyboard, press Enter.
The feature can also be enabled in
chrome://flags
.- Chrome 130 on macOS
- New Account menu
Some users can now access a new Account menu by tapping on their avatar on the New tab page. The new Account menu allows them to sign out, switch accounts easily and resolve errors related to their account in Chrome. Existing policies like BrowserSignin and RestrictAccountsToPatterns can be used to determine which accounts a user can sign in or switch to.
- Chrome 130 on iOS
- PDF Viewer on Android
This feature provides the ability to view PDFs within Chrome browser UI. Prior to this change, users have to complete many steps to view a PDF document. These steps force them out of Chrome to view the PDF document. With this feature, PDFs will render seamlessly in Chrome. Users will still be able to download PDFs and open with other first- or third-party apps of choice.
- Chrome 130 on Android
- Tab freezing on Energy saver
When Energy saver is active, Chrome now freezes a tab that has been hidden and silent for >5 minutes and uses a lot of CPU, unless:
- the tab provides audio- or video- conferencing functionality (detected via microphone, camera or screen, window, or tab capture, or an RTCPeerConnection with an open RTCDataChannel or a live MediaStreamTrack).
- the tab controls an external device (detected using Web USB, Web Bluetooth, Web HID or Web Serial).
This will extend battery life and speed up Chrome through reduced CPU usage.
- Chrome 130 on ChromeOS, Linux, macOS, Windows: The feature can be tested in Chrome 130 via the
#freezing-on-energy-saver
entry in about:flags. Alternatively, it can be tested with the#freezing-on-energy-saver-testing
which simulates that Energy saver is active and that all tabs use a lot of CPU (this allows verifying whether a tab is eligible for freezing and would be frozen if it used a lot of CPU). Energy saver availability can be controlled via the BatterySaverModeAvailability policy (this change has no effect when Energy saver is inactive). - Chrome 131 on ChromeOS, Linux, macOS, Windows: The feature will start rolling out to 1% of Stable in Chrome 131. It will gradually be ramped up to 100% of Stable. Energy saver availability can be controlled via the BatterySaverModeAvailability policy (this change has no effect when Energy saver is inactive).
- Compression dictionary transport with Shared Brotli and Shared Zstandard
This feature adds support for using designated previous responses as an external dictionary for content encoding compressing responses with Brotli or Zstandard.
Enterprises might experience potential compatibility issues with enterprise network infrastructure that intercepts HTTPS traffic and is sensitive to unknown content encodings. The enterprise policy CompressionDictionaryTransportEnabled is available to turn off the compression dictionary transport feature.
- Chrome 130 on Windows, macOS, Linux, Android
- Keyboard-focusable scroll containers
Chrome 130 improves accessibility by making scroll containers focusable using sequential focus navigation. Today, the tab key doesn't focus scrollers unless tabIndex is explicitly set to 0 or more.
By making scrollers focusable by default, users who can't (or don't want to) use a mouse can now focus clipped content using tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard-focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a
<textarea>
.Note: The previous rollout of this feature (started in Chrome 127) was stopped due to web compatibility issues, which should be fixed in the implementation shipping in Chrome 130.
- Chrome 130 on Windows, macOS, Linux, Android
- Support non-special scheme URLs
Chrome 130 supports non-special scheme URLs, for example,
git://example.com/path
. Previously, the Chromium URL parser didn't support non-special URLs. The parser parses non-special URLs as if they had an opaque path, which is not aligned with the URL standard. Now, the Chromium URL parser parses non-special URLs correctly, following the URL standard. For more details, see http://bit.ly/url-non-special.- Chrome 130 on Windows, macOS, Linux, Android
- Chrome on Android now supports third-party autofill and password providers
Until now, third-party autofill and password providers could be used in Chrome on Android via accessibility APIs. In Chrome 130, we're adding direct support for Android Autofill which means these providers now work with Chrome on Android without the need for accessibility APIs. This should improve the performance of Chrome on Android. To take advantage of this, users need to ensure they have their third party provider configured in Android settings. Then, in Chrome they'll need to open Settings > Autofill services and choose Autofill using another service. If users do not change both settings, they will continue to use Google to autofill their passwords, payment and address information.
- Chrome 130 on Android: The new setting will be available from Chrome 130. If users use the new setting it will take immediate effect. If the new setting is not used, users will continue to use either Google and a third party via accessibility (if installed). The support for accessibility APIs will be deprecated in early 2025, at which point the new settings will be honored for all users.
- <meter> element fallback styles
In Chrome 130,
<meter>
elements with appearance: none now have a reasonable fallback style that matches Safari and Firefox, instead of just disappearing from the page. Additionally, developers can now custom style the<meter>
elements.A feature flag
MeterAppearanceNoneFallbackStyle
is available inchrome://flags
until Chrome 133 to control this feature.- Chrome 130 on Windows, macOS, Linux, Android
- New policies in Chrome browser
Policy Description DataURLWhitespacePreservationEnabled DataURL Whitespace Preservation for all media types CloudProfileReportingEnabled Enable Google Chrome cloud reporting for managed profile
Chrome Enterprise Core changes
- Default change for GenAI policies
Starting with 130, we are changing the default setting for GenAI policies from switched off to allowed, without improving AI models, for Workspace for Education users. If you have devices enrolled in Chrome Enterprise Core, this policy is automatically applied to those devices to prevent sending data for AI model training. The existing policies that have the updated default setting are:
- CreateThemesSettings (available in the US-only for now)
- DevToolsGenAiSettings (available in most countries)
- HelpMeWriteSettings (available in the US-only for now)
- HistorySearchSettings (available in the US-only for now)
- TabOrganizerSettings (available in the US-only for now)
- TabCompareSettings (available in the US-only for now)
For more details about the default settings, see Chrome—Generative AI features and policies.
- Support for user-level settings on Custom configurations
Custom configurations recently launched in Chrome 127 and this feature allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As early as October 15, Custom configurations will support applying settings at the user-level, in addition to device-level support. In order words, you will be able to enforce policies when users sign in to a managed Google account using Custom configurations.
- As early as October 15 2024, on Android, iOS, Linux, macOS, Windows: Feature rolls out
To get started, you can navigate to Chrome browser > Custom configurations in the Admin console; the Chrome Enterprise Core SKU is required to access this feature.
- Audit-only URL navigation rules
This feature lets customers create Chrome URL navigation rules with the Audit action. These rules allow admins to dry-run URL navigation rules before starting to show user warnings. They also allow admins to silently audit users’ navigation to restricted or sensitive URLs.
URL auditing is part of the existing real-time URL check connector policy, EnterpriseRealTimeUrlCheckMode, which can be turned on by Organizational Unit or by Group.
- Chrome 130 on ChromeOS, Linux, macOS, Windows
- Chrome Security Insights
You can now enable Chrome Security Insights to monitor insider risk and data loss with enhanced monitoring for Chrome activity. This feature is available for the following licenses:
- Chrome Enterprise Core
- Workspace Enterprise Standard
- Workspace Enterprise Plus.
For more information, see Monitoring for insider risk and data loss.
- Chrome 125 on ChromeOS, Linux, macOS, Windows: Feature enabled for Chrome Enterprise Core
- Chrome 130 on ChromeOS, Linux, macOS, Windows: Feature enabled for EDU customers (except K-12)
- Risk score on the Chrome Apps and extensions usage report
This feature adds a new column in the Admin console for browser management that displays the risk assessment for installed extensions in the admin's environment. This new addition allows IT admins to quickly identify extensions with a high, medium or low risk score using the sorting and filtering functionality of the report.
- Currently available to Trusted Testers. You can sign up for our Trusted Tester program here.
- As early as October 15 on Linux, macOS, Windows: Addition of risk assessment to summary view.
Chrome Enterprise Premium changes
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Search and receive answers in your Chrome history with AI
Starting in Chrome 131, users will be able to search their browsing history and receive generated answers based on page contents. Initially, this feature will only be available to users in English in the US. Admins can control this feature by using the HistorySearchSettings policy. You have the following options for your organization:
- 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models.
- 1 = Enable the feature for users, but do not send data to Google to train or improve AI models.
- 2 = Fully disable feature
For more information, see Search your history in Chrome with AI.
● Chrome 131 on Linux, Mac, Windows: the feature generates answers to your search queries.
- Ad-hoc code signatures for Progressive Web App shims on macOS
Code signatures for application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures, which are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.
This will address problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and will permit future improvements for handling user notifications within PWAs on macOS.
Administrators should test for compatibility with any endpoint security or binary authorization tools they use (such as Santa). The feature can be enabled for this testing via
chrome://flags/#use-adhoc-signing-for-web-app-shims
. They can then install a Progressive Web Apps and ensure that it launches as expected.If there is an incompatibility between the feature and their current security policies, the enterprise policy, AdHocCodeSigningForPWAsEnabled, can be used to disable the feature while they deploy an updated endpoint security policy. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated, at which point it should be unset.
- Chrome 129 on macOS: Feature disabled behind a flag (
chrome://flags/#use-adhoc-signing-for-web-app-shims
) so that enterprises can test for compatibility with their endpoint security tools, such as Santa (https://santa.dev/
). If it is not currently compatible they can disable the feature via the enterprise policy while they update their endpoint security configurations. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated. - Chrome 131 on macOS: Feature will begin to roll out to Stable, starting at 1% rollout.
- Chrome 129 on macOS: Feature disabled behind a flag (
- Asynchronous real-time Safe Browsing check
Today, Safe Browsing checks are on the blocking path of page loads, meaning that the user cannot see the page until the checks are completed. In Chrome 122 and later on Android, ChromeOS, LaCrOS, Linux, macOS, Windows, to improve Chrome's loading speed, real-time Safe Browsing checks no longer block page loads. We have evaluated the risk and put mitigations in place:
- For malware and 0-day attacks, local-blocklist checks will still be conducted in a synchronous manner so that malicious payloads are still blocked by Safe Browsing.
- For phishing attacks, we've looked at data and it is unlikely the user would have interacted with the page (for example, type a password) by the time we show the warning.
- Chrome 122 on Android, ChromeOS, LaCrOS, Linux, macOS, Windows
- Chrome 131 on iOS
- Remove non-standard GPUAdapter requestAdapterInfo() method
The WebGPU working group decided it was impractical for
requestAdapterInfo()
to trigger a permission prompt so they’ve removed that option and replaced it with the GPUAdapter info attribute. This means that web developers can get the sameGPUAdapterInfo
value synchronously. For more information, see the previous Intent to Ship: WebGPU: GPUAdapter info attribute.- Chrome 131 on Windows, macOS, Linux, Android
- Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, macOS, Windows: Deprecation of Safe Browsing Extended Reporting. Excluding real-time Client Safe Browsing Report Request
- Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows: Deprecating SafeBrowsingExtendedReportingEnabled for real-time Client Safe Browsing Report Request
- Update Google Play Services to fix issues with on-device passwords
Users with old versions of Google Play Services will experience reduced functionality with their on-device passwords, and Password Manager might soon stop working for them altogether. These users will need to update Google Play Services, or will be guided through other troubleshooting methods depending on their state. This is part of an ongoing migration that only affects Android users of Google Password Manager.
- Chrome 131 on Android
- Entrust certificate distrust
In response to sustained compliance failures, Chrome 127 changes how publicly-trusted TLS server authentication, that is, websites or certificates issued by Entrust, are trusted by default. This applies to Chrome 127 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.
Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:
- after October 31, 2024, will no longer be trusted by default.
- on or before October 31, 2024, will be unaffected by this change.
If a Chrome user or an enterprise explicitly trusts any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.
For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.
To learn more about the Chrome Root Store, see this FAQ.
- Chrome 131 on Android, ChromeOS, Linux, macOS, Windows: All versions of Chrome 131 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after November 11, 2024.
- Simplified sign-in and sync experience
Starting in Chrome 131, existing users with Chrome sync turned on will experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be controlled by SyncTypesListDisabled. Sign-in to Chrome can be disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Chrome 131 on Android
- User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, macOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
chrome://flags/#enable-user-link-capturing-pwa
. - Chrome 131 on Linux, macOS, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).
- Chrome 121 on Linux, macOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
- Deprecation of CSS Anchor Positioning property inset-area
The CSS working group (CSSWG) resolved to rename the inset-area property to position-area. For more details, see the CSSWG discussion on github. The new property name, position-area, as a synonym for inset-area shipped via this feature update described on Chrome Platform Status, describing the deprecation and removal of the inset-area property.
- Chrome 131 on Windows, macOS, Linux, Android
- X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.
However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.
For more detail, see this Chromium blog post and this Google Security blog post.
- Chrome 124 on Windows, Mac, Linux: new post-quantum secure TLS key encapsulation mechanism X25519Kyber768 is enabled
- Chrome 131 on Windows, Mac, Linux: Switch to standard version of ML-KEM
- Chrome 141 on Windows, Mac, Linux: Remove enterprise policy PostQuantumKeyAgreementEnabled
- Chrome PDF Viewer OCR
Chrome Desktop now makes scanned PDFs more accessible. Using on-device OCR to maintain privacy (no content is sent to Google), Chrome automatically converts scanned PDFs, allowing you to select text, Ctrl+F, copy, and paste. The feature does not bypass secure PDFs. It will only OCR PDFs the user has access to. The solution unlocks PDF accessibility to Chrome users without any extra steps, making PDFs as accessible as the rest of the web.
- Chrome 131 on ChromeOS, Linux, macOS, Windows
- Insecure form warnings on iOS
Chrome 125 started to block form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it now displays a warning asking the user to confirm the submission. The goal is to prevent leaking of form data over plain text without the user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature, and will be removed in Chrome 131.
- Chrome 125 on iOS: Feature rolls out
- Chrome 131 on iOS: InsecureFormsWarningsEnabled policy will be removed
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions. You can use the Chromium bug tracker to report any issues you encounter.
- Chrome 132 on Windows: Network Service sandboxed on Windows
- Read aloud in Reading mode
Reading mode is a side-panel feature that provides a simplified view of text-dense web pages. Reading mode will now include a Read aloud feature which allows users to hear the text they are reading spoken out loud. Users can choose different natural voices and speeds, and see visual highlights.
- Chrome 132 on ChromeOS, Linux, macOS, Windows
- Capture all screens
This feature captures all the screens currently connected to the device using
getAllScreensMedia()
. CallinggetDisplayMedia()
multiple times requires multiple user gestures, burdens the user with choosing the next screen each time, and does not guarantee to the app that all the screens were selected.getAllScreensMedia()
improves on all of these fronts.This feature is only exposed behind the MultiScreenCaptureAllowedForUrls enterprise policy, and users are warned before recording even starts, that recording could start at some point. The API will only work for origins that are specified in the MultiScreenCaptureAllowedForUrls allowlist. Any origin not specified there, will not have access to it.
- Chrome 132 on ChromeOS
- SafeBrowsing API v4 to v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5.
If admins have any v4-specific URL allowlisting to allow network requests to
https://safebrowsing.googleapis.com/v4*
, these should be modified to allow network requests to the whole domain instead:safebrowsing.googleapis.com
. Otherwise, rejected network requests to the v5 API will cause security regressions for users.- Chrome 133 on Android, iOS, ChromeOS, LaCrOS, Linux, macOS, Windows: This will be a gradual roll-out.
- Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:
1. Checks whether the request has been initiated from a secure context.
2. Sends a preflight request, and checks whether B responds with a header that allows private network access.
There are already features for subresources and workers, but this one is for navigation requests specifically. These checks protect the user's private network.
Since this feature is the warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in the DevTools console, to help developers prepare for the coming enforcement.
- Chrome 133 on Windows, macOS, Linux, Android
- Deprecate mutation events
Synchronous mutation events, including
DOMSubtreeModified
,DOMNodeInserted
,DOMNodeRemoved
,DOMNodeRemovedFromDocument
,DOMNodeInsertedIntoDocument
, andDOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.Mutation event support will be disabled by default starting in Chrome 127, around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
Please see this blog post for more detail. Report any issues here.
- Chrome 135 on Android, Linux, macOS, Windows: The MutationEventsEnabled enterprise policy will be deprecated.
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Administrators might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
Upcoming Chrome Enterprise Core changes
- GenAI Defaults policy
Starting in 131, Chrome Enterprise Core will offer a policy to control the default behavior of multiple GenAI policies via our Trusted Tester program. You can sign up for our Trusted Tester program here. This policy will not impact any manually-set policy values for generative AI features. This policy will control the default settings for the following policies:
- DevToolsGenAiSettings
- HelpMeWriteSettings
- HistorySearchSettings
- TabOrganizerSettings
- TabCompareSettings
- Only available to Trusted Testers. You can sign up for our Trusted Tester program here.
- Chrome extension telemetry integration with SecOps
We will begin to collect relevant Chronicle extension telemetry data from within Chrome, for managed profiles and devices, and send it to Google SecOps. Google SecOps will analyze the data to provide instant analysis and context on risky activity; this data is further enriched to provide additional context and is searchable for a year.
- Chrome 131 on ChromeOS, LaCrOS, Linux, macOS, Windows
- New managed profile list and reporting for signed-in users
Chrome Enterprise Core will introduce a new Managed profile list and reporting in the Admin console. This feature will provide a list of profiles for managed users who sign in to Chrome using a Google Account. IT administrators will need to enable the new Chrome Profile Reporting policy to view more information about a managed profile. The reporting will include details on managed profiles such as the browser versions, policies applied (including conflicts), extensions installed, and more.
- Currently available on Android, Linux, macOS, Windows for the Trusted Tester program. You can sign up for our Trusted Tester program here.
- As early as Chrome 130 on Android, Linux, macOS, Windows
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, macOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy.
Upcoming Chrome Enterprise Premium changes
- Chrome Enterprise Data Controls: Clipboard
Admins can set data control rules in the Google Admin console to protect end users from data leakage on Chrome browser. Data Controls are lightweight rules set in the Google Admin console that allow admins to set a Chrome policy to control sensitive user actions such as copying and pasting sensitive data and taking screenshots or screen sharing.
This feature can be controlled via DataControlsRules policy. This feature is available to test for the members of the Chrome Enterprise Trusted Tester program. You can sign up for our Trusted Tester program here.
- Chrome 128 on ChromeOS, Linux, macOS, Windows: Trusted Tester program
- Chrome 131 on ChromeOS, Linux, macOS, Windows: Feature rolls out
- Screenshot protections
Admins can prevent users from taking screenshots or screen sharing specific web pages considered to contain sensitive data. Admins create a DLP URL filtering rule to block users taking screenshots or screen sharing specific URLs or categories of URLs. This feature can be controlled via the same EnterpriseRealTimeUrlCheckMode policy that enables all real-time URL lookups.
This feature is available to test for the members of the Chrome Enterprise Trusted Tester program. You can sign up for our Trusted Tester program here.
- Chrome 129 on ChromeOS, Linux, macOS, Windows: Trusted Tester program
- Chrome 131 on ChromeOS, Linux, macOS, Windows: Feature rolls out.
Chrome 129
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Tab compare | ✓ | ||
Chrome no longer support macOS 10.15 | ✓ | ✓ | |
Ad-hoc code signatures for PWA shims on macOS | ✓ | ||
Certificate Manager on Windows and macOS | ✓ | ||
Chrome Security Insights | ✓ | ✓ | |
Deprecate Safe Browsing Extended reporting | ✓ | ||
Inactive tabs on Android | ✓ | ||
New option in HttpsOnlyMode policy | ✓ | ✓ | |
Screenshot protections | ✓ | ||
Sync tab group | ✓ | ||
Google Play Services fixes issues with on-device passwords | ✓ | ||
Deprecate the includeShadowRoots argument on DOMParser | ✓ | ||
Deprecation of non-standard declarative shadow DOM serialization | ✓ | ||
Rename inset-area to position-area | ✓ | ||
Clear local device data on sign out on iOS | ✓ | ||
Toolbar customization | ✓ | ||
Google Password Manager Passkey usage on ChromeOS | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Chrome Enterprise Premium for file transfers on Managed Guest Sessions | ✓ | ||
Educators Appreciation wallpaper | ✓ | ||
Display brightness controls | ✓ | ||
Peripheral Welcome experience | ✓ | ||
Managed accounts no longer synced as secondary accounts on Android | ✓ | ✓ | |
Live Translate | ✓ | ||
Keyboard brightness controls | ✓ | ||
Keyboard shortcut for Select-to-Speak | ✓ | ||
PIN as an authentication factor | ✓ | ||
Automatic reload of sign-in screen | ✓ | ||
CSE Workspace file types now supported in Google Drive | ✓ | ||
Battery Icon updates | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Extension Risk Score on the Apps and Extensions Usage report | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Entrust certificate distrust | ✓ | ||
Fallback styles for <meter> element | ✓ | ||
Compression dictionary transport with Shared Brotli and Shared Zstandard | ✓ | ||
Keyboard-focusable scroll containers | ✓ | ||
Support non-special scheme URLs | ✓ | ||
Simplified sign-in and sync experience | ✓ | ||
Chrome extension telemetry integration with SecOps | ✓ |
✓ |
|
User Link capturing on PWAs | ✓ | ✓ | |
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
Insecure form warnings on iOS | ✓ | ||
Remove policy used for legacy same site behavior | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
UI Automation accessibility framework provider on Windows | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Generative AI wallpapers and video conference backgrounds | ✓ | ||
ChromeOS XDR window events | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome browser managed profile reporting | ✓ | ||
Default change for GenAI policies | ✓ | ||
GenAI control policy | ✓ | ||
Support for user-level settings on the Custom configurations page | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.
Chrome browser updates
- Tab compare
Starting in Chrome 129 (US-only), we introduce Tab compare, a new feature that presents an AI-generated overview of products from across multiple tabs, all in one place. This feature is controlled through the TabCompareSettings policy. For more details, see our Tab compare article in the Chrome Enterprise and Education help center.
- Chrome 129 on Linux, macOS, Windows
- Chrome no longer supports macOS 10.15
Chrome 129 no longer supports macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 no longer supports macOS 10.15.
- Chrome 129 on macOS: Chrome no longer supports macOS 10.15
- Ad-hoc code signatures for PWA shims on macOS
Code signatures for application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures, which are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.
This addresses problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and permits future improvements for handling user notifications within PWAs on macOS.
- Chrome 129 on macOS
- Certificate Manager on Windows and macOS
As early as Chrome 129, there is a new certificate management settings screen accessible from security settings on Windows and macOS. This replaces the link to Windows cert manager and macOS keychain, respectively, although these operating system surfaces are still accessible from the certificate management settings page.
The certificate manager displays certificates that are trusted or distrusted by Chrome, including the contents of the Chrome Root Store, and any certificates that have been imported from the underlying operating system. Users can access the page directly by navigating to chrome://certificate-manager.
A future release will introduce user and enterprise management of certificates added directly to Chrome.
- Chrome 129 on macOS, Windows
- Chrome Security Insights
You can now enable Chrome Security Insights, which allows you to monitor insider risk and data loss enhanced monitoring for Chrome activity if you have Chrome Enterprise Core and Workspace Enterprise Standard or Workspace Enterprise Plus with assigned licenses. For more information, see Monitoring for insider risk and data loss.
- Chrome 125 on ChromeOS, Linux, macOS, Windows: Feature enabled for Chrome Enterprise Core
- Chrome 129 on ChromeOS, Linux, macOS, Windows: Feature enabled for EDU customers (except K-12)
- Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, macOS, Windows: Deprecation of Safe Browsing Extended Reporting — Excluding real-time Client Safe Browsing Report Request
- Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows: Deprecating SafeBrowsingExtendedReportingEnabled for real-time Client Safe Browsing Report Request
- Inactive tabs on Android
In Chrome 129, old tabs will be hidden under a new Inactive Tabs section in the tab switcher on Chrome on Android. Chrome users can access the inactive tabs section to view all old tabs or close them using the new bulk tab functionality. These tabs will be deleted after being in this section for over 60 days.
- Chrome 129 on Android: Feature rolls out to 1%
- New option in HttpsOnlyMode policy
Ask Before HTTP (ABH), formerly named HTTPS Only/First Modes, is a setting that tells Chrome to ask for user consent before sending insecure HTTP content over the wire. The HttpsOnlyMode policy allows force-enabling, or force-disabling, ABH.
In Chrome 129, we are adding a new middle-ground variant of ABH called balanced mode. This variant aims to reduce user inconvenience by working like (strict) ABH most of the time, but not asking when Chrome knows that an HTTPS connection isn't possible, such as when connecting to a single-label hostname like internal/.
We are adding a force_balanced_enabled policy option to allow force-enabling this new variant. Setting force_balanced_enabled on browsers before Chrome 129 will result in the default behavior, which places no enterprise restrictions on the ABH setting.
To avoid unexpected impact, if you have previously set force_enabled, we recommend not setting force_balanced_enabled until your entire fleet has upgraded to Chrome 129 or higher. If you are not migrating from force_enabled to force_balanced_enabled, you will be unaffected by this change.
- Chrome 129 on Android, ChromeOS, LaCrOS, Linux, macOS, Windows, Fuchsia
- Screenshot protections
Screenshot protections allow Admins to prevent users from taking screenshots or screen sharing specific web pages considered to contain sensitive data. This feature is available to Chrome Enterprise Premium users only. This feature can be controlled via the same EnterpriseRealTimeUrlCheckMode Chrome Enterprise policy that enables all real-time URL lookups.
- Chrome 129 on ChromeOS, Linux, macOS, Windows
- Sync tab group
The tab groups on iOS are now saved. Closing a tab group no longer deletes it. For users syncing their tabs across devices, the groups also sync.
- Chrome 129 on iOS
- Google Play Services fixes issues with on-device passwords
Users with old versions of Google Play Services (<24w02) experience reduced functionality with their on-device passwords, and Password Manager might soon stop working for them altogether. These users need to update Play Services, otherwise they will be guided through other troubleshooting methods depending on their state. This is part of an ongoing migration that only affects Android users of Password Manager.
- Chrome 129 on Android
- Deprecate the includeShadowRoots argument on DOMParser
The includeShadowRoots argument was a never-standardized argument to the DOMParser.parseFromString() function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.
Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() shipped in Chrome 124, the non-standard includeShadowRoots argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
document.parseHTMLUnsafe(html);
- Chrome 129 on Linux, macOS, Windows, Android
- Deprecation of non-standard declarative shadow DOM serialization
The prototype implementation, which was shipped in 2020 and then updated in 2023, contained a method called `getInnerHTML()` that could be used to serialize DOM trees containing shadow roots. That part of the prototype was not standardized with the rest of the declarative shadow DOM, and has only recently reached spec consensus (for details, see Github). As part of that consensus, the shape of the getInnerHTML API changed.
This feature represents the deprecation of the previously shipped `getInnerHTML()` method. The replacement is called `getHTML()`, which shipped in Chrome 125. For details, see this ChromeStatus feature description.
- Chrome 129 on Windows, macOS, Linux, Android
- Rename inset-area to position-area
The CSS working group (CSSWG) resolved to rename this property from `inset-area` to `position-area`. For more details, see the CSSWG discussion in Github. Chrome will support both the old and new property names for a few milestones, to help developers migrate to the new position-area name. We are shipping the new property name, `position-area`, as a synonym for `inset-area` in Chrome 129 along with the deprecation DevTrial for `inset-area`.
The `inset-area` property is currently planned for removal in Chrome 131.
- Chrome 129 on Windows, macOS, Linux, Android
- Clear local device data on sign out on iOS
Starting in Chrome 129, signing out from a managed account in an unmanaged browser deletes local browsing data that is saved on the device. Managed users are presented a confirmation dialog on sign-out explaining that unsaved data will be cleared. Data will be cleared only from the time of sign-in, otherwise all data will be cleared; time of sign-in is only known if the user signed in on Chrome 122 or later.
The data that is deleted includes:
- browsing history
- cookies and site data
- passwords
- site settings
- autofill
- cached images and files
- Chrome 129 on iOS
- Toolbar customization
We are introducing a toolbar customization feature in Chrome 129, which allows desktop browser users to pin and unpin icons to their toolbar via a new side panel.
- Chrome 129 on ChromeOS, Linux, macOS, Windows: Rolls out gradually
- Google Password Manager Passkey usage on ChromeOS
Passkeys improve user security but until today have been slightly more difficult to use across devices. Now, users can save passkeys to Google Password Manager and use them across devices and platforms. This feature is already available on Windows, macOS, Linux and Android. It is now available on ChromeOS.
- Chrome 127 on Windows, Android and macOS
- Chrome 129 on Windows, Android, macOS and ChromeOS
- New and updated policies in Chrome browser
Policy Description TabCompareSettings Tab Compare settings AdHocCodeSigningForPWAsEnabled Ad-hoc code signing for Progressive Web App shims
ChromeOS updates
-
Chrome Enterprise Premium for file transfers on Managed Guest Sessions
In ChromeOS 129, organizations can extend Chrome Enterprise Premium’s powerful scanning and content and context-based protection to local files on ChromeOS on Managed Guest Sessions.
For example, a misplaced file containing Social Security numbers is instantly blocked when a user attempts to copy it to an external drive, safeguarding this confidential information.
-
Educators Appreciation wallpaper
In ChromeOS 129, we have added a new wallpaper collection to celebrate and share our gratitude and support to educators around the world.
-
Chromebook users can now easily adjust display brightness and control the ambient light sensor directly from the Settings app. This new feature lets you set your screen brightness to the perfect level and turn the ambient light sensor on or off as needed in the Settings app. These updates make it simpler to use your device and help manage battery life.
-
Knowing that a peripheral has been successfully connected, configuring it, and finding its companion app are critical steps in the peripheral user journey. This release aims to deliver a high-quality Welcome Experience by letting users know their peripheral is successfully connected and inviting them to configure it and make the most of it.
-
Managed accounts no longer synced as secondary accounts on Android
Starting from ChromeOS version 129, we enhance the data security for Android on ChromeOS. Enterprise accounts that are added as secondary accounts in-session will no longer automatically be added to the Android on ChromeOS environment. This change does not affect consumer accounts, education accounts, or accounts that were previously added.
-
Chromebook Plus devices are getting Live Translate which will allow a user to translate captionable content from Live Captions into a language of their choice. If an English speaking user is having a conversation with a person with whom they don't share the same language, so long as Live Captions is supported for the language of the person they're speaking with, it can be translated into English. This also works for videos as well and can be used on YouTube to Live Translate a video to English.
-
Chromebook users can now easily adjust keyboard brightness and control the ambient light sensor directly from the Settings app. This new feature lets you set your keyboard brightness to the perfect level and turn the ambient light sensor on or off as needed. These updates make it simpler to use your device and help manage battery life. Meanwhile, if the Chromebook supports RGB, the Keyboard Settings page will have a direct link to the Personalization Hub's RGB color selection options.
-
Keyboard shortcut for Select-to-Speak
The Select-to-Speak keyboard shortcut (Search + s) now works when it is first pressed. You no longer need to enable it in Settings first. A dialog displays confirming that you want to turn on select to speak the first time you press the keyboard shortcut.
-
PIN as an authentication factor
This launch enables PIN as an authentication factor in all authentication surfaces across ChromeOS.
-
Automatic reload of sign-in screen
Starting from version 129, ChromeOS optimizes the support of 3P identity provider based logins. In the most common scenario, administrators show a permanent 3P identity provider login on the sign in screen. Many identity providers time out after a specific cadence, for example, 15 mins, leading to errors for the user. The new DeviceAuthenticationFlowAutoReloadInterval policy allows for a repeated refresh of 3P identity providers on the login screen, avoids timeouts, and therefore significantly increases the reliability of 3P identity provider logins.
-
CSE Workspace file types now supported in Google Drive
Client side encryption (CSE) is a Google Workspace and Drive feature that allows customers and users to encrypt files with customer provided keys so that data is encrypted and never stored on our servers in the clear. This launch provides basic CSE support in the Files app on ChromeOS. This includes making CSE files visible, opening CSE files in the browser and flagging non Google Workspace CSE files as unsupported.
-
We are launching an update to the battery icon to ensure that the battery state no longer covers the battery level. Now you can easily see how much battery you have left.
Upcoming Admin console changes
- Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.
- As early as Chrome 130 on Android, Linux, macOS, Windows
- Default change for GenAI policies
Starting with 130, we will change the default setting for GenAI policies from switched off to allowed, without improving AI models. If you have devices enrolled in Chrome Enterprise core, this policy is automatically applied to those devices to prevent sending data for AI model training. The existing policies that will have the updated default setting are:
- CreateThemesSettings (available in the US-only for now)
- DevToolsGenAiSettings (available in most countries)
- HelpMeWriteSettings (available in the US-only for now)
- HistorySearchSettings (available in the US-only for now)
- TabOrganizerSettings (available in the US-only for now)
- TabCompareSettings (available in the US-only for now)
- GenAI control policy
Starting with 130, Chrome Enterprise Core will include a policy to control the behavior of multiple GenAI policies. This will be a convenient feature, allowing Admins to control the default behavior of a set of policies in one place, for example, off by default. This policy will control the following policies:
- DevToolsGenAiSettings
- HelpMeWriteSettings
- HistorySearchSettings
- TabOrganizerSettings
- TabCompareSettings
- GenAIVcBackgroundSettings (launching in Chrome 130)
- GenAIWallpaperSettings (launching in Chrome 130)
- Support for user-level settings on the Custom Configurations page
The Custom configurations page was recently launched in Chrome 127 and it allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As early as October 1st, Custom configurations will support applying settings at the user-level, in addition to machine-level support. In other words, you will be able to enforce policies when users sign in to a managed Google account using the Custom configurations page.
- As early as October 1st on Android, iOS, Linux, macOS, Windows: Feature rolls out for user policies
To get started, you can find the Custom configurations in the Admin console, under Chrome browser > Reports — you will need the Chrome Enterprise Core SKU:
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser updates
- Entrust certificate distrust
In response to sustained compliance failures, Chrome 127 changes how publicly-trusted TLS server authentication, that is, website or certificates issued by Entrust, are trusted by default. This applies to Chrome 127 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.
Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:
- after October 31, 2024, will no longer be trusted by default.
- on or before October 31, 2024, will be unaffected by this change.
If a Chrome user or an enterprise explicitly trusts any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.
For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.
To learn more about the Chrome Root Store, see this FAQ.
- Chrome 127 on Android, ChromeOS, Linux, macOS, Windows: All versions of Chrome 127 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after October 31, 2024.
- Chrome 130 on ChromeOS, Linux, macOS, Windows: The blocking action will begin for certificates issued after October 31, 2024. This will also affect Chrome 127, 128 and 129.
- Fallback styles for <meter> elements
As early as Chrome 130, HTML5 <meter> elements with `appearance: none` will have a reasonable fallback style that matches Safari and Firefox instead of just disappearing from the page. In addition, developers will be able to custom style the <meter> elements.
A temporary policy MeterAppearanceNoneFallbackStyle will be available until Chrome 133 to control this feature.
- Chrome 130 on Windows, macOS, Linux, Android
- Compression dictionary transport with Shared Brotli and Shared Zstandard
This feature adds support for using designated previous responses, as an external dictionary for Brotli- or Zstandard-compressing HTTP responses.
Enterprises might experience potential compatibility issues with enterprise network infrastructure. The CompressionDictionaryTransportEnabled policy is available to turn off the compression dictionary transport feature.
- Chrome 130 on Windows, macOS, Linux, Android
- Keyboard-focusable scroll containers
Improves accessibility by making scroll containers focusable using sequential focus navigation. Today, the tab key doesn't focus scrollers unless tabIndex is explicitly set to 0 or more.
By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using a keyboard's tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a <textarea>.
- Chrome 130 on Windows, macOS, Linux, Android
- Support non-special scheme URLs
Chrome 130 will support non-special scheme URLs, for example, git://example.com/path, correctly. Previously, Chromium's URL parser didn't support non-special URLs. The parser parses non-special URLs as if they had an opaque path, which is not aligned with the URL Standard. Now, Chromium's URL parser parses non-special URLs correctly, following the URL Standard. For more details, see http://bit.ly/url-non-special.
- Chrome 130 on Windows, macOS, Linux, Android
- Simplified sign-in and sync experience
Starting in Chrome 131, existing users with Chrome sync turned on will experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be controlled by SyncTypesListDisabled. Sign-in to Chrome can be disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Chrome 131 on Android
- Chrome extension telemetry integration with Google SecOps
We will begin to collect relevant Chronicle extension telemetry data from within Chrome, for managed profiles and devices, and send it to Google SecOps. Google SecOps will analyze the data to provide instant analysis and context on risky activity; this data is further enriched to provide additional context and is searchable for a year.
- Chrome 131 on ChromeOS, LaCrOS, Linux, macOS, Windows
- User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. Clicking a link always automatically opens the app.
- Chrome 121 on Linux, macOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
chrome://flags/#enable-user-link-capturing-pwa
. - Chrome 131 on Linux, macOS, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).
- Chrome 121 on Linux, macOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
- Chrome Third-Party Cookie Deprecation (3PCD)
On July 22nd, we announced a new path forward for Privacy Sandbox on the web. Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time. We're discussing this new path with regulators, and will engage with the industry as we roll this out.
For more details, see this Privacy Sandbox update.
- Insecure form warnings on iOS
Chrome 125 started to block form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it now displays a warning asking the user to confirm the submission. The goal is to prevent leaking of form data over plain text without user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature, and will be removed in Chrome 130.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, macOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.
However, some enterprise network devices such as firewalls and proxies (TLS middleboxes) might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through at least Chrome 141 in 2025. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.
Starting in Chrome 131, Chrome will switch the key encapsulation mechanism from the draft version of Kyber, to the final standard version of ML-KEM. Using any form of post-quantum key exchange (Kyber or ML-KEM) will continue to be controlled by the PostQuantumKeyAgreementEnabled policy.
For more detail, see this Chromium blog post and this Google Security blog post.
- Chrome 124 on Windows, macOS, Linux
- Chrome 131
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Administrators can use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
Upcoming ChromeOS changes
-
In ChromeOS 130, window focus events will be available as part of Extended Threat Detection and Response (XDR) on ChromeOS. You will be able to bring windows into focus activities of devices in your managed fleet by simply updating XDR events in the Admin console!
-
Generative AI wallpapers and video conference backgrounds
As early as ChromeOS 130, we plan to introduce high-resolution, generative AI wallpapers and video-conference meeting backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.
Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings.
Upcoming Admin console changes
- Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.
- As early as Chrome 130 on Android, Linux, macOS, Windows
- Default change for GenAI policies
Starting with 130, we will change the default setting for GenAI policies from switched off to allowed, without improving AI models. If you have devices enrolled in Chrome Enterprise core, this policy is automatically applied to those devices to prevent sending data for AI model training. The existing policies that will have the updated default setting are:
- CreateThemesSettings (available in the US-only for now)
- DevToolsGenAiSettings (available in most countries)
- HelpMeWriteSettings (available in the US-only for now)
- HistorySearchSettings (available in the US-only for now)
- TabOrganizerSettings (available in the US-only for now)
- TabCompareSettings (available in the US-only for now)
- GenAI control policy
Starting with 130, Chrome Enterprise Core will include a policy to control the behavior of multiple GenAI policies. This will be a convenient feature, allowing Admins to control the default behavior of a set of policies in one place, for example, off by default. This policy will control the following policies:
- DevToolsGenAiSettings
- HelpMeWriteSettings
- HistorySearchSettings
- TabOrganizerSettings
- TabCompareSettings
- GenAIVcBackgroundSettings (launching in Chrome 130)
- GenAIWallpaperSettings (launching in Chrome 130)
- Support for user-level settings on the Custom Configurations page
The Custom configurations page was recently launched in Chrome 127 and it allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As early as October 1st, Custom configurations will support applying settings at the user-level, in addition to machine-level support. In other words, you will be able to enforce policies when users sign in to a managed Google account using the Custom configurations page.
- As early as October 1st on Android, iOS, Linux, macOS, Windows: Feature rolls out for user policies
To get started, you can find the Custom configurations in the Admin console, under Chrome browser > Reports — you will need the Chrome Enterprise Core SKU:
Chrome 128
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Search your history in Chrome with AI | ✓ | ||
Admin-configurable site search | ✓ | ✓ | |
Handling undecryptable passwords in Password Manager | ✓ | ||
Inactive Tabs | ✓ | ||
New PromotionsEnabled policy replaces PromotionalTabsEnabled | ✓ | ||
Revamped Chrome Safety Check on Android | ✓ | ||
Rust JSON Parser | ✓ | ||
Tab Groups on iPad | ✓ | ||
Updates for CookiePartitionKey of partitioned cookies | ✓ | ||
Deprecate CHIPS and Relaunch in WebView | ✓ | ||
Isolated Web Apps | ✓ | ||
Rename position-try-options to position-try-fallbacks | ✓ | ||
Google Calendar Card on the New tab page | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Snap groups on ChromeOS | ✓ | ||
Data processor mode: EU-wide rollout | ✓ | ||
Privacy Controls: Geolocation | ✓ | ||
ChromeOS privacy control reminders on app settings page | ✓ | ✓ | |
Store aggregated vitals data with one-year retention | ✓ | ||
OCR in ChromeOS Camera App | ✓ | ||
Magnifier follows Chromevox | ✓ | ||
Auto Gain Control enabled by default | ✓ | ||
APN management | ✓ | ||
Pinned notifications on ChromeOS | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Chrome profile separation - new deployment guide | ✓ | ||
Chrome Enterprise Data Controls: Clipboard | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Tab compare | ✓ | ||
Ad-hoc code signatures for PWA shims on macOS | ✓ | ||
Clear device data on sign out on iOS | ✓ | ||
Fallback styles for HTML5 <meter> element | ✓ | ||
Chrome will no longer support macOS 10.15 | ✓ | ✓ | |
Deprecate Safe Browsing Extended reporting | ✓ | ||
Certificate Manager on Windows and MacOS | ✓ | ||
New option in HttpsOnlyMode policy | ✓ | ✓ | |
Sync Tab Group | ✓ | ||
Update Google Play Services to fix issues with on-device passwords | ✓ | ||
Deprecate non-standard declarative shadow DOM serialization | ✓ | ||
Deprecate the includeShadowRoots argument on DOMParser | ✓ | ||
Rename inset-area to position-area | ✓ | ||
Entrust certificate distrust | ✓ | ||
Support non-special scheme URLs | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
User Link capturing on PWAs | ✓ | ✓ | |
Private network access checks for navigation requests: warning-only mode | ✓ | ||
Insecure form warnings on iOS | ✓ | ||
Chrome extension telemetry integration with Chronicle | ✓ | ✓ | |
Remove policy used for legacy same site behavior | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
UI Automation accessibility framework provider on Windows | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Update to keyboard shortcut for Select-to-speak | ✓ | ||
Chrome Enterprise Premium for file transfers on Managed Guest Sessions | ✓ | ||
ChromeOS XDR window events | ✓ | ||
Generative AI wallpapers and video conference backgrounds | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome browser managed profile reporting | ✓ | ||
Admin console widget for data controls | ✓ | ||
Default change for GenAI policies | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.
Chrome browser updates
- Search your history in Chrome with AI
Starting in Chrome 128, users can search their browsing history based on page contents and not just the page title and URL. Initially, this feature is only available to users in English in the US. Admins can control this feature by using the HistorySearchSettings policy. You have the following options for your organization:
- 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models.
- 1 = Enable the feature for users, but do not send data to Google to train or improve AI models.
- 2 = Fully disable feature
For more information, see Search your history in Chrome with AI.
- Chrome 128 on Linux, Mac, Windows
- Admin-configurable site search
Site search shortcuts are a way to use the address bar (Omnibox) as a search box for a specific site without navigating directly to the site’s URL, similar to how you can use the Omnibox to perform a broad Google search of the web. You can now create site shortcuts on behalf of your managed users, to shortcut to the most critical enterprise sites. You can control this feature using the SiteSearchSettings policy.
- Chrome 128 on ChromeOS, Linux, Mac, Windows: Available for Chrome Browser Core customers signed up for Trusted Tester starting Chrome 128, followed by gradual rollout for all Chrome Browser Enterprise customers a few weeks later
- Handling undecryptable passwords in Password Manager
Users sometimes end up with undecryptable passwords on their device, for example, if they've used third party software to move to a new device. We are launching a new policy called DeletingUndecryptablePasswordsEnabled that helps handle such passwords. When enabled, this policy deletes undecryptable passwords from the user's device, unless the UserDataDir policy is specified. When DeletingUndecryptablePasswordsEnabled is off, undecryptable passwords are untouched, but this will result in broken Password Manager functionality.
- Chrome 128 on iOS, Linux, Mac, Windows
- Inactive tabs
In Chrome 128, we now hide old tabs under a new Inactive Tabs section in the tab switcher on Chrome on Android. Chrome users can access the Inactive Tabs section to view all old tabs or close them using the new bulk tab functionality. These tabs will be deleted if inactive for over 60 days.
- Chrome 128 on Android: Rolls out to 1%
- New PromotionsEnabled policy replaces PromotionalTabsEnabled
In Chrome 128, new promotional OS-level notifications are shown to users. To include a larger number of promotional features under one policy, a new policy PromotionsEnabled has been created to replace PromotionalTabsEnabled, which will be deprecated in the future.
- Chrome 128 on ChromeOS, Linux, Mac, Windows: PromotionsEnabled will begin to roll out with Chrome 128. There is no flag.
- Revamped Chrome Safety Check on Android
Chrome 128 introduces a new proactive Safety Check that regularly checks the browser for safety-related issues and informs users when there's anything that needs their attention. This launch also introduces a re-designed Safety Check page,
chrome://settings/safetyCheck
, with Chrome’s proactive safety-related actions and information tailored to each user, designed to make it easier for users to stay safe online. For more information, see Manage Chrome safety and security.- Chrome 128 on Android
- Rust JSON Parser
As early as Chrome 128, Chrome will parse JSON using Rust, rather than C++. This will remove the risk of memory safety vulnerabilities in the JSON parser, improving security. This change should be transparent to users. There is a small risk of certain invalid JSON, which Chrome currently accepts, no longer being accepted, although the Rust parser remains extremely lenient.
In the event that Chrome doesn't accept the invalid JSON, this will lead to 500s or other application-level errors, not crashes. If Chrome no longer accepts some invalid JSON, the JSON should be aimed to be fixed.
- Chrome 128
- Tab Groups on iPad
Chrome for iPad users can create and manage tab groups. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 128 on iOS
- Updates for CookiePartitionKey of partitioned cookies
Chrome 128 adds a cross-site ancestor bit to the keying of the partitioned cookie's CookiePartitionKey. This change unifies the partition key with the partition key values used in storage partitioning and adds protection against clickjacking attacks by preventing cross-site embedded frames from having access to the top-level-site's partitioned cookies.
If an enterprise experiences any breakage with embedded iframes, they can use the CookiesAllowedForUrls policy or use SameSite=None cookies without the Partitioned attribute and then invoke the Storage Access API (SAA) to ensure that embedded iframes have access to the same cookies as the top level domain.
- Chrome 128 on Windows, Mac, Linux
- Deprecate CHIPS and relaunch in WebView
The WebViewClient supports a method,
shouldInterceptRequest
, which allows developers to intercept network activity and modify HTTP headers, etc. This API does not have access to the Cookie header and relies on the Android CookieManager API in order to query what cookies are available for a particular request URL. However, partitioned cookies are double-keyed on the top-level site and the site of the URL using the cookies.Currently, the CookieManager API provides no way for developers to query partitioned cookies correctly, and this will cause a mismatch between what the Java API returns and what frames in WebView will actually be in their Cookie header. After discussing this with the WebView team, we believe that the option that will minimize potential app breakage is to disable Cookies Having Independent Partitioned State (CHIPS) on WebView until we are able to ship support for the Cookie header to
shouldInterceptRequest
. We will release the changes toshouldInterceptRequest
in the next target SDK version (API level 36).Enterprise workflows that use WebView to load web content that relies on partitioned cookies will have their state cleared. WebView apps still have access to unpartitioned 3P cookies and cookies set with Partitioned after the change will revert to their legacy pre-CHIPS behavior until we relaunch the feature.
- Chrome 128 on Android
- Isolated Web Apps
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provides stronger protections against server compromise and other tampering, which is necessary for developers of security-sensitive applications.
Rather than being hosted on live web servers and fetched over HTTPS, these IWAs are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the Chromium project explainer.
In this initial release, IWAs are only installable using a new policy, IsolatedWebAppInstallForceList, on enterprise-managed ChromeOS devices.
- Chrome 128 on ChromeOS
- Rename position-try-options to position-try-fallbacks
The CSS working group (CSSWG) resolved to rename this property, because fallbacks more accurately describe what this property controls. The word options is a bit unclear, since the styles outside of `position-try` blocks will be tested first, and if they result in a layout that fits within the containing block, none of the options will get used. So fallbacks is a better word to describe this behavior. For more details, see Github.
- Chrome 128 on Windows, Mac, Linux, Android
- Google Calendar Card on the New tab page
Enterprise users can now access their upcoming meetings directly from the New tab page with the new calendar card. This streamlined experience eliminates the need to switch tabs or waste time searching for your next meeting, allowing you to focus on what matters most. You can control cards on the New tab page with the NTPCardsVisible policy.
- Chrome 128 on Linux, Mac, Windows
- New and updated policies in Chrome browser
Policy Description DataControlsRules Sets a list of Data Controls rules PromotionsEnabled Enable showing promotional content SiteSearchSettings Provides a list of sites that users can quickly search using shortcuts in the address bar LensOverlaySettings Settings for the Lens Overlay feature ExtensionDeveloperModeSettings Control the availability of developer mode on extensions page QRCodeGeneratorEnabled Enable QR Code Generator PrintingLPACSandboxEnabled Enable Printing LPAC Sandbox HistorySearchSettings Settings for AI-powered History Search ChromeForTestingAllowed Allow Chrome for Testing ProvisionManagedClientCertificateForUser Enables the provisioning of client certificates for a managed user or profile StandardizedBrowserZoomEnabled Enable Standardized Browser Zoom Behavior DeletingUndecryptablePasswordsEnabled Enable deleting undecryptable passwords EnterpriseCustomLabel Set a custom enterprise label
- Removed policies in Chrome browser
Policy Description RemoteAccessHostTokenUrl URL where remote access clients should obtain their authentication token RemoteAccessHostTokenValidationUrl URL for validating remote access client authentication token EnterpriseBadgingTemporarySetting Control the visibility of enterprise badging RemoteAccessHostTokenValidationCertificateIssuer Client certificate for connecting to RemoteAccessHostTokenValidationUrl EnforceLocalAnchorConstraintsEnabled Determines whether the built-in certificate verifier will enforce constraints encoded into trust anchors loaded from the platform trust store. CertificateTransparencyEnforcementDisabledForLegacyCas Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities
ChromeOS updates
-
In ChromeOS 128, Snap groups allow you to group windows on ChromeOS. A snap group is formed when you pair two windows for a split-screen. You can bring the windows back together, resize them simultaneously, or move them both as a group.
-
Data processor mode: EU-wide rollout
New data processor mode features and ChromeOS terms are available to the entire EU through the Google Admin console. For more details, see Overview of ChromeOS data processor mode.
As a ChromeOS administrator, you can now activate Data processor mode, which covers a set of ChromeOS features and services referred to as Essential Services.
-
Privacy on ChromeOS devices is now easier to manage by adding the ability to control geolocation access to the Settings > Privacy and security > Privacy controls page. Users can now set geolocation access to Allowed, Only allowed for system services, or Off, depending on their preference.
We allow users to block all apps or websites, or entire systems access to geolocation regardless of previously granted permissions, and provide users easy to use controls to re-enable them whenever it would be helpful.
We’ve added a new policy, GoogleLocationServicesEnabled. This controls the availability of geolocation on the device inside of user sessions. Unlike the now deprecated policy below, it affects the entire system, not just the Android VM (Arc).
Deprecation notice (6 months): ArcGoogleLocationServicesEnabled
This is being deprecated in favor of the added GoogleLocationServicesEnabled policy, as it covers the entire system and not just Android VM (Arc). Additionally, we are modifying the effect of the DefaultGeolocationSetting to no longer affect the system geolocation setting.
-
ChromeOS privacy control reminders on Apps settings page
To use the cameras and microphones on ChromeOS, you need to turn on both privacy controls and app permissions in two separate places.
We are making it easier for users to be aware of the states of the privacy controls and provide actionable reminders on the ChromeOS Apps settings page so that users have a smoother experience. To view the ChromeOS Apps settings page, click Settings >Apps > Manage your Apps, and select the desired app.
-
Store aggregated vitals data with one-year retention
From ChromeOS 128 onwards, we store aggregated vitals data for one-year retention to better track the progress over time. Vitals data includes Android app performance metrics, such as crash rate, and these metrics will help us improve Android app performance on ChromeOS devices.
-
Optical Character Recognition (OCR) enables text extraction from images captured in the ChromeOS Camera App by integrating an ML-powered text extraction service. ChromeOS 128 supports 77 languages; it also supports both horizontal and vertical detection. This allows copying and searching text from images, speaking text from images by screen reader, and creating searchable PDFs from images. By default, text detection in Photo mode is disabled and can be enabled from Settings > Text detection in preview.
-
Magnifier following ChromeVox is designed for people who are blind or have low vision. When you read text aloud using ChromeVox, the screen magnifier now automatically follows the words, so you never lose your place. To try this out, you can enable both Magnifier and ChromeVox in your settings. Zoom in to your preferred zoom level using Ctrl + Alt + Brightness up and Ctrl + Alt + Brightness down. A setting is available under the Magnifier settings to adjust this behavior.
-
Auto Gain Control enabled by default
Auto Gain Control (AGC) allows apps, such as video calling apps, to automatically optimize microphone volume for best audio quality. When auto gain control is enabled and in-use, a message appears in the quick settings panel to inform the user that the microphone gain slider is being overridden. AGC is enabled by default in ChromeOS 128. If you want to manually control the microphone volume even for apps that support AGC, you can go to Settings > Device > Audio and deselect Allow apps to automatically adjust mic volume.
-
For ChromeOS cellular-enabled devices, we have made it easier to view, manage, and add Access Point Names (APNs). We’ve also improved registration failure handling and messaging.
-
Pinned notifications on ChromeOS
ChromeOS notifications help to visually separate pinned notifications from other notifications. ChromeOS 128 significantly differentiates the visual look of pinned notifications from typical notifications to reflect their significant difference - we notify the user of an ongoing process rather than an instantaneous event.
Admin console updates
-
Chrome profile separation - new deployment guide
We have created a detailed deployment guide to help you control profile separation in your organization: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings and ProfileSeparationDomainExceptionList.
- Chrome 128 on Windows, Mac, Linux
-
Chrome Enterprise Data Controls: Clipboard
Data Controls are lightweight rules in the Admin console that set a Chrome policy to control security-sensitive user actions like file attachments, downloads, copy and paste actions, and printing. Chrome blocks or warns the user when these actions happen by applying those rules locally.
Chrome 128 releases the clipboard protection parts of Data Controls, that is, copy and paste actions. Other protections are planned in future releases.
You can control this feature with the DataControlsRules policy.
- Chrome 128 on ChromeOS, Linux, Mac, Windows
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser updates
- Tab compare
Starting in Chrome 129 (US-only), we will introduce Tab compare, a new feature that presents an AI-generated overview of products from across multiple tabs, all in one place. This feature will be controlled through the TabCompareSettings policy.
- Chrome 129 on Linux, Mac, Windows
- Ad-hoc code signatures for PWA shims on macOS
Code signatures for application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures, which are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.
This will address problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and will permit future improvements for handling user notifications within PWAs on macOS.
- Chrome 129 on Mac
- Clear device data on sign out on iOS
Starting in Chrome 129, signing out from a managed account in an unmanaged browser will delete browsing data that is saved on the device. Managed users will be presented a confirmation dialog on sign-out explaining that the data will be cleared. Data will be cleared only from the time of sign-in, otherwise all data will be cleared; time of sign-in is only known if the user signed in on Chrome 122 or later.
The data that will be deleted includes:
- browsing history
- cookies and site data
- passwords
- site settings
- autofill
- cached images and files
- Chrome 129 on iOS
- Fallback styles for HTML5 <meter> elements
As early as Chrome 129, HTML5 <meter> elements with `appearance: none` will have a reasonable fallback style that matches Safari and Firefox instead of just disappearing from the page. In addition, developers will be able to custom style the <meter> elements.
A temporary policy MeterAppearanceNoneFallbackStyle will be available until Chrome 133 to control this feature.
- Chrome 129 on Windows, Mac, Linux, Android
- Chrome will no longer support macOS 10.15
Chrome will no longer support macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support macOS 10.15.
- Chrome 129 on Mac: Chrome no longer supports macOS 10.15
- Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, Mac, Windows: Deprecation of Safe Browsing Extended Reporting
- Certificate Manager on Windows and MacOS
As early as Chrome 129, there is a new certificate management settings screen accessible from security settings on Windows and MacOS. This replaces the link to Windows cert manager and MacOS keychain, respectively, although these operating system surfaces are still accessible from the certificate management settings page.
The certificate manager displays certificates that are trusted or distrusted by Chrome, including the contents of the Chrome Root Store, and any certificates that have been imported from the underlying operating system. Users can access the page directly by navigating to
chrome://certificate-manager
.A future release will introduce user and enterprise management of certificates added directly to Chrome.
- Chrome 129 on Mac, Windows
- New option in HttpsOnlyMode policy
Ask Before HTTP (ABH) , formerly named HTTPS Only/First Modes, is a setting that tells Chrome to ask for user consent before sending insecure HTTP content over the wire. The HttpsOnlyMode policy allows force-enabling, or force-disabling, ABH.
In Chrome 129, we are adding a new middle-ground variant of ABH called balanced mode. This variant aims to reduce user inconvenience by working like (strict) ABH most of the time, but not asking when Chrome knows that an HTTPS connection isn't possible, such as when connecting to a single-label hostname like internal/.
We are adding a force_balanced_enabled policy option to allow force-enabling this new variant. Setting force_balanced_enabled on browsers before Chrome 129 will result in the default behavior, which places no enterprise restrictions on the ABH setting.
To avoid unexpected impact, if you have previously set force_enabled, we recommend not setting force_balanced_enabled until your entire fleet has upgraded to Chrome 129 or higher. If you are not migrating from force_enabled to force_balanced_enabled, you will be unaffected by this change.
- Chrome 129 on Android, ChromeOS, Linux, Mac, Windows, Fuchsia
- Sync Tab Group
The tab groups on iOS will now be saved. Closing a tab group will no longer delete it. For users syncing their tabs across devices, the groups will also sync.
- Chrome 129 on iOS
- Update Google Play Services to fix issues with on-device passwords
Users with old versions of Google Play Services will experience reduced functionality with their on-device passwords, and Password Manager might soon stop working for them altogether. These users will need to update Play Services, or will be guided through other troubleshooting methods depending on their state. This is part of an ongoing migration that only affects Android users of Password Manager.
- Chrome 129 on Android
- Deprecate of non-standard declarative shadow DOM serialization
The prototype implementation, which was shipped in 2020 and then updated in 2023, contained a method called `
getInnerHTML()
` that could be used to serialize DOM trees containing shadow roots. That part of the prototype was not standardized with the rest of the declarative shadow DOM, and has only recently reached spec consensus (for details, see Github). As part of that consensus, the shape of thegetInnerHTML
API changed.This feature represents the deprecation of the previously shipped `
getInnerHTML()
` method. The replacement is called `getHTML()
`, which shipped in Chrome 125. For details, see this ChromeStatus feature description.- Chrome 129 on Windows, Mac, Linux, Android
- Deprecate the includeShadowRoots argument on DOMParser
The
includeShadowRoots
argument was a never-standardized argument to theDOMParser.parseFromString()
function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.
Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() shipped in Chrome 124, the non-standardincludeShadowRoots
argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
document.parseHTMLUnsafe(html);
- Chrome 129 on Linux, Mac, Windows, Android
- Rename inset-area to position-area
The CSS working group (CSSWG) resolved to rename this property from `
inset-area
` to `position-area
`. See the CSSWG discussion in Github.Chrome has decided to release an interoperable solution, by supporting both property names. We will ship the new property name, `
position-area
`, as a synonym for `inset-area
` first. Then after a suitable amount of time, we will remove `inset-area
`. The latter removal will be done under a separate Intent.- Chrome 129 on Windows, Mac, Linux, Android
- Entrust certificate distrust
In response to sustained compliance failures, Chrome 127 changes how publicly-trusted TLS server authentication, that is, websites or certificates issued by Entrust, are trusted by default. This applies to Chrome 127 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.
Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:
- after October 31, 2024, will no longer be trusted by default.
- on or before October 31, 2024, will be unaffected by this change.
If a Chrome user or an enterprise explicitly trusts any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.
For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.
To learn more about the Chrome Root Store, see this FAQ.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: All versions of Chrome 127 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after October 31, 2024.
- Chrome 130 on ChromeOS, Linux, Mac, Windows: The blocking action will begin for certificates issued after October 31, 2024. This will also affect Chrome 127, 128 and 129.
- Support non-special scheme URLs
Chrome 130 will support non-special scheme URLs correctly. Previously, Chromium's URL parser doesn't support non-special URLs. The parser parses non-special URLs as if they had an “opaque path”, which is not aligned with the URL Standard. Now, Chromium's URL parser parses non-special URLs correctly, following the URL Standard. For more details, see Support Non-Special Scheme URLs .
- Chrome 130 on Windows, Mac, Linux, Android
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions. You can use the Chromium bug tracker to report any issues you encounter.
- Chrome 130 on Windows: Network Service sandboxed on Windows
- Chrome Third-Party Cookie Deprecation (3PCD)
On July 22nd, we announced a new path forward for Privacy Sandbox on the web. Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time. We're discussing this new path with regulators, and will engage with the industry as we roll this out.
For more details, see this Privacy Sandbox update.
- User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, Mac, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 130 on Linux, Mac, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).
- Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:
1. Checks whether the request has been initiated from a secure context.
2. Sends a preflight request, and checks whether B responds with a header that allows private network access.
There are already features for subresources and workers, but this one is for navigation requests specifically. These checks protect the user's private network.
Since this feature is the warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in the DevTools console, to help developers prepare for the coming enforcement.
- Chrome 130 on Windows, Mac, Linux, Android
- Insecure form warnings on iOS
Chrome 125 started to block form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it now displays a warning asking the user to confirm the submission. The goal is to prevent leaking of form data over plain text without user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature, and will be removed in Chrome 130.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed
- Chrome extension telemetry integration with Chronicle
As early as Chrome 131, we will begin to collect relevant extension telemetry data from within Chrome, for managed profiles and devices, and send it to Chronicle. Chronicle will analyze the data to provide instant analysis and context on risky activity.
- Chrome 131 on ChromeOS, Linux, Mac, Windows
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.
However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.
For more detail, see this Chromium blog post.
- Chrome 124 on Windows, Mac, Linux
- Chrome 135 on Android
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Administrators might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
Upcoming ChromeOS changes
-
Update to keyboard shortcut for Select-to-speak
On Chromebooks, the Select-to-speak keyboard shortcut (Search + s) now works when it is first pressed. As early as ChromeOS 129, you will no longer need to enable it first in Settings > Accessibility > Text-to-Speech > Select-to-speak. A dialog appears confirming that you want to turn on Select-to-speak the first time you press the keyboard shortcut.
-
Chrome Enterprise Premium for file transfers on Managed Guest Sessions
As early as ChromeOS 129, organizations will be able to extend Chrome Enterprise Premium’s powerful scanning and content and context-based protection to local files on ChromeOS on Managed Guest Sessions.
For example, a misplaced file containing Social Security numbers is instantly blocked when a user attempts to copy it to an external drive, safeguarding this confidential information.
-
In ChromeOS 130, window focus events will be available as part of Extended Threat Detection and Response (XDR) on ChromeOS. You will be able to bring windows into focus activities of devices in your managed fleet by simply updating XDR events in the Admin console!
-
Generative AI wallpapers and video conference backgrounds
As early as ChromeOS 130, we plan to introduce high-resolution, generative AI wallpapers and video-conference meeting backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.
Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings.
Upcoming Admin console changes
- Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.
- Chrome 130 on Android, Linux, Mac, Windows
- Admin console widget for data controls
A new settings widget in the Admin console allows users to configure data controls policies for specific URLs.
- Chrome 128 on ChromeOS, Linux, Mac, Windows
- Default change for GenAI policies
Starting with 130, we will change the default setting for GenAI policies from switched off to allowed, without improving AI models. This doesn't impact age restrictions on access to any relevant GenAI features. The existing policies that will have the updated default setting are:
Chrome 127
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
App-bound encryption for cookies | ✓ | ||
Chrome Profile Separation - policy improvements | ✓ | ||
Enhanced Safe Browsing promos on iOS | ✓ | ||
Entrust certificate distrust | ✓ | ||
Generating insights for DevTools console warnings and errors | ✓ | ||
HTTPS-First Mode in Incognito | ✓ | ||
Migrate extensions to Manifest V3 before June 2025 | ✓ | ✓ | ✓ |
Policy to configure ACG for browser process | ✓ | ||
Simplified sign-in and sync experience on Android | ✓ | ||
Additional Safe Browsing telemetry about pages | ✓ | ||
Updated password management experience on Android | ✓ | ✓ | |
Watermarking | ✓ | ||
Automatic fullscreen content setting | ✓ | ||
Deprecate mutation events | ✓ | ||
Keyboard-focusable scroll containers | ✓ | ||
Support for not condition in ServiceWorker static routing API | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Chrome Enterprise Premium for file transfers on ChromeOS | ✓ | ||
ChromeOS video conferencing: DLC states for features | ✓ | ||
Audio Bluetooth telephony | ✓ | ||
OCR on Backlight | ✓ | ||
Firmware update instructions | ✓ | ||
Read Aloud in Reading Mode | ✓ | ||
Classroom Glanceables | ✓ | ||
PDF page deletion and reordering | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Configure ChromeOS User & browser settings with Google groups | ✓ | ||
Add managed browsers to groups for group-based policy management | ✓ | ||
Filter for popular and recently added settings with policy tags | ✓ | ||
Revamped ChromeOS device list and details | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Isolated Web Apps | ✓ | ||
Rust JSON parser | ✓ | ||
Clear device data on sign out on iOS | ✓ | ||
Attribution tags for search engine | ✓ | ||
Tab Groups on iPad | ✓ | ||
Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies | ✓ | ||
Rename position-try-options to position-try-fallbacks | ✓ | ||
Ad-hoc code signatures for PWA shims on macOS | ✓ | ||
Chrome will no longer support macOS 10.15 | ✓ | ✓ | |
Deprecate Safe Browsing Extended reporting | ✓ | ||
Deprecation of non-standard declarative shadow DOM serialization | ✓ | ||
Deprecate the includeShadowRoots argument on DOMParser | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Third-party cookie access in Chrome | ✓ | ||
User Link capturing on PWAs | ✓ | ✓ | |
Private network access checks for navigation requests: warning-only mode | ✓ | ||
Insecure form warnings on iOS | ✓ | ||
Remove policy used for legacy same site behavior | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
UI Automation accessibility framework provider on Windows | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Snap Groups | ✓ | ||
Data processor mode: EU-wide rollout | ✓ | ||
Privacy Hub: Geolocation | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome browser managed profile reporting | ✓ | ||
Admin console widget for data controls | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.
Chrome browser updates
- App-bound encryption for cookies
To improve the security of cookies on Windows, the encryption key used for cookie encryption will be further secured by binding it to Chrome's application identity. This can help protect against malware running at the same privilege as Chrome that might attempt to steal cookies from the system. This does not protect against an attacker who is able to elevate privilege or inject into Chrome's processes.
App-bound Encryption strongly binds encryption keys to the local machine so customers who are using Chrome with roaming profiles may want to consider disabling this security feature otherwise cookies will not be portable between workstations.
An enterprise policy, ApplicationBoundEncryptionEnabled, is available to disable application-bound encryption.
- Chrome 127 on Windows
- Chrome Profile Separation - policy improvements
Chrome profiles offer a user-friendly way to keep personal and work browsing data separate, simplifying the experience, preventing data breaches, and ensuring privacy and compliance. We have created three intuitive policies to help you control profile separation in your organization: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings and ProfileSeparationDomainExceptionList. These policies replace ManagedAccountsSigninRestriction and EnterpriseProfileCreationKeepBrowsingData.
- Chrome 127 on Windows, Mac, Linux
- Enhanced Safe Browsing promos on iOS
In Chrome 127, users who do not already have Enhanced Safe Browsing enabled see an infobar promoting Enhanced Safe Browsing on the Safe Browsing warning page. We also show a promotion for Enhanced Safe Browsing on the Chrome settings page, for users who do not already have Enhanced Safe Browsing enabled. These promos are not shown to users when the SafeBrowsingProtectionLevel enterprise policy is set to any value.
- Chrome 127 on iOS
- Entrust certificate distrust
In response to sustained compliance failures, Chrome 127 changes how publicly-trusted TLS server authentication, that is, website or certificates issued by Entrust, are trusted by default. This applies to Chrome 127 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.
Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:
- after October 31, 2024, will no longer be trusted by default.
- on or before October 31, 2024, will be unaffected by this change.
If a Chrome user or an enterprise explicitly trusts any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.
For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.
To learn more about the Chrome Root Store, see this FAQ.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: All versions of Chrome 127 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after October 31, 2024.
- Chrome 130 on ChromeOS, Linux, Mac, Windows: The blocking action will begin for certificates issued after October 31, 2024. This will also affect Chrome 127, 128 and 129.
- Generating insights for DevTools Console warnings and errors
In Chrome 127, this Generative AI (GenAI) feature becomes available for managed Chrome Enterprise and Education users in supported regions: Generating insights for Chrome DevTools Console warnings and errors. These insights provide a personalized description and suggested fixes for the selected errors and warnings. Admins can control this feature by using the DevToolsGenAiSettings policy.
- Chrome 125 on ChromeOS, Linux, Mac, Windows: Feature becomes available to unmanaged users globally, except Europe, Russia, and China.
- Chrome 127 on ChromeOS, Linux, Mac, Windows: Feature becomes available to managed Chrome Enterprise and Education users in supported regions.
- HTTPS-First Mode in Incognito
Starting in Chrome 127, as part of Chrome's move towards HTTPS by default, HTTPS-First Mode is enabled by default in Incognito mode. Users will see a warning before they navigate to sites over insecure HTTP. This can be controlled using the existing enterprise policies HttpsOnlyMode and HttpAllowlist.
- Chrome 127 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows
- Migrate extensions to Manifest V3 before June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. Beginning June 2024, starting with Chrome 127 pre-stable versions, Chrome begins to gradually disable Manifest V2 extensions running in the browser.
You can use the ExtensionManifestV2Availability policy to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core. Read more on the Manifest timeline, including:
- Chrome 127 on ChromeOS, Windows, Mac, Linux: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.
- Policy to configure ACG for browser process
A new policy called DynamicCodeSettings is available in Chrome 127. Setting this policy to '1' switches on Arbitrary Code Guard (ACG) for the browser process. ACG prevents dynamic code being generated from within the browser process, which can help prevent potentially hostile code making unauthorized changes to the behavior of the browser process.
Switching on ACG might cause compatibility issues with third-party software that must run inside the browser process.
- Chrome 127 on Windows
- Simplified sign-in and sync experience on Android
Chrome 127 launches a simplified and consolidated version of sign-in and sync in Chrome on Android. Chrome sync is no longer shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As in earlier releases, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off via SyncTypesListDisabled. Sign-in to Chrome can still be disabled via BrowserSignin.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
The changes are virtually identical to the simplified sign-in and sync experience launched on iOS in 117.
- Chrome 127 on Android
- Additional Safe Browsing telemetry about pages
When an Enhanced Safe Browsing user visits a page that triggers vibration, keyboard or pointer lock API, attributes of that page are now sent to Safe Browsing. If the telemetry is sent and the page seems to be malicious, users see a Safe Browsing warning and their keyboard or pointer is unlocked, if they were locked. If you'd like your users to avail of this feature, set MetricsReportingEnabled to true and set the SafeBrowsingProtectionLevel policy to 2.
- Chrome 127 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia
- Updated password management experience on Android
On Chrome on Android, some users who are signed-in to Chrome but don't have Chrome sync enabled can now use and save passwords in their Google Account. Relevant policies such as BrowserSignin, SyncTypesListDisabled and PasswordManagerEnabled continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.
- Chrome 127 on Android
- Watermarking
This feature allows admins to overlay a watermark on top of a webpage if navigating to it triggers a specific Data loss Prevention (DLP) rule. It will contain a static string displayed as the watermark. Watermarking is available to Chrome Enterprise Premium customers only.
- Chrome 124 on Linux, Mac, Windows: Trusted Tester access
- Chrome 127 on Linux, Mac, Windows: Feature rolls out
- Automatic Fullscreen content setting
A new Automatic Fullscreen content setting permits Element.requestFullscreen() without a user gesture, and permits browser dialogs to appear without exiting fullscreen.
The setting is blocked by default and sites cannot prompt for permission. New UI controls are limited to Chrome's settings pages (chrome://settings/content/automaticFullScreen) and the site info bubble. Users can allow Isolated Web Apps, and admins can allow additional origins with the AutomaticFullscreenAllowedForUrls policy.
Combined with Window Management permission and unblocked popups (chrome://settings/content/popups), this unlocks valuable fullscreen capabilities:
- Open a fullscreen popup on another display, from one gesture
- Show fullscreen content on multiple displays from one gesture
- Show fullscreen content on a new display, when it's connected
- Swap fullscreen windows between displays with one gesture
- Show fullscreen content after user gesture expiry or consumption
- Chrome 127 on Windows, Mac, Linux
- Deprecate mutation events
Synchronous mutation events, including
DOMSubtreeModified
,DOMNodeInserted
,DOMNodeRemoved
,DOMNodeRemovedFromDocument
,DOMNodeInsertedIntoDocument
, andDOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. In Chrome 124, a temporary enterprise policy, MutationEventsEnabled, was introduced to re-enable deprecated or removed mutation events.Starting in Chrome 127, mutation event support is disabled by default , from around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
For more details, see this post on the Chrome developer blog. You can report any issues on the Chromium issue tracker.
- Chrome 127 on Windows, Mac, Linux, Android
- Keyboard-focusable scroll containers
Chrome 127 improves accessibility by making scroll containers focusable using sequential focus navigation.
In previous releases, the tab key did not focus scrollers unless tabIndex was explicitly set to 0 or more.
By making scrollers focusable by default, users who can't (or don't want to) use a mouse can now focus clipped content using keyboard tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a <textarea>.
- Chrome 127 on Windows, Mac, Linux, Android
- Support for not condition in ServiceWorker static routing API
The ServiceWorker static routing API is an API used for routing the request to the network, the ServiceWorker fetch handler, or directly looking up from cache, and so on. Each route consists of a condition and a source, and the condition is used for matching the request.
For Chromium implementations, the or condition is only the supported condition. However, to write the condition more flexibly, supporting the not condition is expected, which matches the inverted condition inside.
- Chrome 127 on Windows, Mac, Linux, Android
- New and updated policies in Chrome browser
Policy Description Policy controls the dynamic code settings CSSCustomStateDeprecatedSyntaxEnabled Controls whether the deprecated :--foo syntax for CSS custom state is enabled KeyboardFocusableScrollersEnabled Enable keyboard focusable scrollers
- Removed policies in Chrome browser
Policy Description BlockTruncatedCookies Block truncated cookies UserAgentClientHintsGREASEUpdateEnabled Control the User-Agent Client Hints GREASE Update feature
ChromeOS updates
-
Chrome Enterprise Premium for file transfers on ChromeOS
Chrome Enterprise Premium is a zero trust solution that enables secure access to applications and resources, and offers integrated threat and data protection.
We are now allowing organizations to extend Chrome Enterprise Premium’s powerful scanning and content and context-based protection to local files on ChromeOS.
For example, a misplaced file containing Social Security numbers is instantly blocked when a user attempts to copy it to an external drive, safeguarding this confidential information.
For more details, see Protect Chrome users with Chrome Enterprise Premium; this article contains detailed guidance for both IT administrators and users.
-
ChromeOS Video Conferencing: DLC States for features
ChromeOS 127 introduces a visual enhancement for Downloadable Content (DLC) in the video control panel. This release now adds status indicators for Noise Cancellation, Live Captions, Relighting, and Blur.
-
ChromeOS now supports call control buttons on compatible Bluetooth headsets, including answering, rejecting or terminating a call, and muting the microphone.
-
ChromeOS is launching a PDF OCR AI reader on Gallery, enabling reading for inaccessible documents, further filling the gap in accessibility for low vision and blind users that use a screen reader. ChromeOS leverages its machine learning models to extract, compartmentalize, and section PDF documents to make them more accessible on the Gallery app for ChromeVox users.
-
Firmware update app: Update Instructions for peripheral devices
The Firmware Updates app on ChromeOS now supports updating peripherals that require user action during the update, for example, unplugging and re-plugging the peripheral. When an update is available for one of these devices, the user will be guided with clear, step-by-step instructions. For most existing peripherals, the update experience remains unchanged.
-
As early as ChromeOS 127, Read Aloud will bring Google's high quality voices to Chrome Reading Mode for users to leverage Text to Speech to read content on the web. The goal of Read Aloud is to help people who have difficulty reading to understand long-form text. The new Read Aloud feature in Reading Mode on Chrome desktop allows users to hear the text they are reading, which improves focus and comprehension.
-
Students can now quickly view and access their upcoming Classroom assignments one click away on their Chromebook home screen. Users can see this new feature if they are logged into a Chromebook with an account where they are enrolled in active courses in Google Classroom. Users can find this feature by clicking on the date chip on the shelf of their Chromebook if they are logged into an account, where they will see the new panel which can view lists of their upcoming, due, missing and completed assignments.
Admin console updates
-
Configure ChromeOS User & browser settings with Google groups
Admins can now use Google groups to manage ChromeOS User & browser settings in the Admin console and API. Admins can use new or existing Google Groups to configure User & browser settings in their organizations. When admins need to configure a policy for a specific set of users–who might belong to different organizational units (OUs)–they can use the flexibility of groups without needing to reconfigure their OUs. To learn more, see Managing group-based policies.
Today, the majority of user settings are configurable by Groups, with most of the remaining settings available in the coming months. Available settings are automatically filtered and displayed when admins select a particular group.
-
Add managed browsers to groups for group-based policy management
Admins can now add managed Chrome browsers to Google groups, thereby allowing them to specify User & browser policies and extension settings for a group of browsers. Managed browsers can be assigned to multiple groups, which allows IT administrators to have more flexibility to manage Chrome browsers using cloud management.
-
Filter for popular and recently added settings with policy tags
The Admin console now provides options to filter settings by recently added and popular. With these new filters, you’ll be able to see our newest settings as well as see some of our most popular and relevant Chrome settings.
-
Revamped ChromeOS device list and details
The Admin console devices page redesigned with a proactive and actionable notification for your fleet of devices.
Notifications module: Easily identify and address device issues with the new Notifications module, providing an overview of ongoing problems in your fleet.
Centralized dashboards: Quickly access all the information and reports you need about your fleet, all in one convenient location – the Dashboards tab.
Revamped device list page: Find more detailed information about your devices with new tabs (General, OS, Hardware, Network, and Policy), device-specific notifications, and a new card design for improved readability.
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Isolated Web Apps
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering that is necessary for developers of security-sensitive applications.
Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the explainer.
In this initial release IWAs will only be installable through an admin policy on enterprise-managed ChromeOS devices.
- Chrome 128 on ChromeOS
- Rust JSON parser
As early as Chrome 128, Chrome will parse JSON using Rust, rather than C++. This will remove the risk of memory safety vulnerabilities in the JSON parser, improving security. This change should be transparent to users. There is a small risk that some invalid JSON (which Chrome currently accepts) no longer being accepted, although the Rust parser remains extremely lenient.
- Earliest Chrome 128: Chrome will parse JSON using Rust
- Clear device data on sign out on iOS
Starting in Chrome 128, signing out from a managed account in an unmanaged browser will delete browsing data that is saved on the device. Managed users will be presented a confirmation dialog on sign-out explaining that the data will be cleared. Data will be cleared only from the time of sign-in, otherwise all data will be cleared; time of sign-in is only known if the user signed in on Chrome 122 or later.
The data that will be deleted includes:
- browsing history
- cookies and site data
- passwords
- site settings
- autofill
- cached images and files
- Chrome 128 on iOS
- Attribution tags for Search Engine
As part of our Digital Markets Act (DMA) compliance, Google is introducing choice screens for users to choose their default search engine within Chrome. The choice from the prompt controls the default search engine setting, currently available at
chrome://settings/search
.Selections from this screen will have their search URL appended with an attribution tag for use by third party search engines to attribute traffic from selections originating from the search engine choice screen. This change will not be applied for Education-configured organizations or Enterprises with metrics or usage statistics turned off.
For enterprises that have chosen to have their administrator set their enterprise users’ search settings using the enterprise policies DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, those policies continue to control their enterprise search settings. Where the administrator has not set their enterprise users’ search settings by policy, enterprise users might see a prompt to choose their default search engine within Chrome.
Read more about these policies and the related atomic group.
- Chrome 128 on Android, iOS, ChromeOS, LaCrOS, Linux, Mac, Windows
- Tab Groups on iPad
Chrome for iPad users can create and manage tab groups. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 128 on iOS
- Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies
Chrome 128 adds a cross-site ancestor bit to the keying of the partitioned cookie's CookiePartitionKey. This change unifies the partition key with the partition key values used in storage partitioning and adds protection against clickjacking attacks by preventing cross-site embedded frames from having access to the top-level-site's partitioned cookies.
If an enterprise experiences any breakage with embedded iframes, they can use the CookiesAllowedForUrls policy or use
SameSite=None
cookies without the Partitioned attribute and then invoke the Storage Access API (SAA) to ensure that embedded iframes have access to the same cookies as the top level domain.- Chrome 128 on Windows, Mac, Linux
- Rename position-try-options to position-try-fallbacks
The CSS working group (CSSWG) resolved to rename this property, because fallbacks more accurately describe what this property controls. The word options is a bit unclear, since the styles outside of `position-try` blocks will be tested first, and if they result in a layout that fits within the containing block, none of the options will get used. So fallbacks is a better word to describe this behavior. For more details, see Github.
- Chrome 128 on Windows, Mac, Linux, Android
- Ad-hoc code signatures for PWA shims on macOS
Code signatures for the application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures that are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.
This will address problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and will permit future improvements for handling user notifications within PWAs on macOS.
- Chrome 129 on Mac
- Chrome will no longer support macOS 10.15
Chrome will no longer support macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support macOS 10.15.
- Chrome 129 on Mac: Chrome no longer supports macOS 10.15
- Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, Mac, Windows: Deprecation of Safe Browsing Extended Reporting
- Deprecation of non-standard declarative shadow DOM serialization
The prototype implementation, which was shipped in 2020 and then updated in 2023, contained a method called `getInnerHTML()` that could be used to serialize DOM trees containing shadow roots. That part of the prototype was not standardized with the rest of declarative shadow DOM, and has only recently reached spec consensus (for details, see Github). As part of that consensus, the shape of the getInnerHTML API changed.
This feature represents the deprecation of the previously shipped `getInnerHTML()` method. The replacement is called `getHTML()`, which shipped in Chrome 125. For details, see this ChromeStatus feature description.
- Chrome 129 on Windows, Mac, Linux, Android
- Deprecate the includeShadowRoots argument on DOMParser
The includeShadowRoots argument was a never-standardized argument to the DOMParser.parseFromString() function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.
Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() shipped in Chrome 124, the non-standard includeShadowRoots argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
document.parseHTMLUnsafe(html);- Chrome 129 on Linux, Mac, Windows, Android
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions. You can use the Chromium bug tracker to report any issues you encounter.
- Chrome 130 on Windows: Network Service sandboxed on Windows
-
Third-party cookie access in Chrome
On 22 July 2024, we announced a new path forward for the Privacy Sandbox on the web. Instead of deprecating third-party cookies, we plan to introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing. They would be able to adjust that choice at any time. We're discussing this new path with regulators, and will engage with the industry as we roll this out.
For more details, see this Privacy Sandbox update.
- User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, Mac, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 130 on Linux, Mac, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).
- Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:
1. Checks whether the request has been initiated from a secure context.
2. Sends a preflight request, and checks whether B responds with a header that allows private network access.
There are already features for subresources and workers, but this one is for navigation requests specifically. These checks protect the user's private network.
Since this feature is the warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in the DevTools console, to help developers prepare for the coming enforcement.
- Chrome 130 on Windows, Mac, Linux, Android
- Insecure form warnings on iOS
Chrome 125 started to block form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it now displays a warning asking the user to confirm the submission. The goal is to prevent leaking of form data over plain text without user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature, and will be removed in Chrome 130.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.
However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.
For more detail, see this Chromium blog post.
- Chrome 124 on Windows, Mac, Linux
- Chrome 135 on Android
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Administrators might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
Upcoming ChromeOS changes
-
As early as ChromeOS 127, Snap groups will allow you to group windows on ChromeOS. A snap group is formed when a user pairs two windows for a split-screen. The windows can then be brought back together, resized simultaneously, or moved as a group.
-
Data processor mode: EU-wide rollout
In ChromeOS 128, new data processor mode features and ChromeOS terms will be made available to the entire EU through the Google Admin console. For more details, see Overview of ChromeOS data processor mode.
As a ChromeOS administrator, you’ll have the option to activate Data processor mode, which covers a set of ChromeOS features and services referred to as Essential Services.
-
As early as ChromeOS 128, we will make privacy on Chromebooks easier to manage by adding the ability to control geolocation access to the privacy controls page. Users will be able to set geolocation access to Allowed, System Only, or Blocked depending on their preference.
We will allow users to block all apps or websites, or entire systems access to geolocation regardless of previously granted permissions, and provide users easy to use controls to re-enable them whenever it would be helpful.
Upcoming Admin console changes
- Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.
- Chrome 130 on Android, Linux, Mac, Windows
Chrome 126
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
Extract text from PDFs for screen reader users | ✓ | ||
Memory Saver aggressiveness | ✓ | ||
Out of process iframe PDF viewer | ✓ | ||
Reactive prefetch on Desktop | ✓ | ||
Tab Groups on iPad | ✓ | ||
UI Automation accessibility framework provider on Windows | ✓ | ||
Removing support for UserAgentClientHintsGREASEUpdateEnabled | ✓ | ✓ | |
Align navigator.cookieEnabled with spec | ✓ | ||
Search with Google Lens | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Extended auto-update opt-in | ✓ | ||
Digital zoom with super resolution | ✓ | ||
Set up new Chromebook with Android phone | ✓ | ||
Instant Hotspot | ✓ | ||
Enhanced firmware updates | ✓ | ✓ | |
Web apps to capture multiple surfaces | ✓ | ||
Captive portal for managed networks | ✓ | ✓ | |
Turn off overscroll behavior | ✓ | ||
Turn off cursor blink rate | ✓ | ||
Magnifier can follow Select to Speak focus | ✓ | ||
Supervised user extensions installation flow | ✓ | ||
Multi-calendar support | ✓ | ||
New policy to control Kiosk wake and sleep times | ✓ | ||
Locale expansion for Live Captions and Dictation | ✓ | ||
Show wildcard URLs in Data Controls reporting | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Custom configurations for IT admins | ✓ | ||
Interactive setup guides for Chrome Enterprise Core | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Entrust certificate distrust | ✓ | ||
App-bound encryption for cookies | ✓ | ||
Chrome extension telemetry integration with Chronicle | ✓ | ||
Generating insights for DevTools console warnings and errors | ✓ | ||
Migrate extensions to Manifest V3 before June 2025 | ✓ | ✓ | ✓ |
Network Service on Windows will be sandboxed | ✓ | ||
Simplified sign-in and sync experience on Android | ✓ | ||
Telemetry about pages that trigger keyboard and pointer Lock APIs | ✓ | ||
Updated password management experience on Android | ✓ | ✓ | |
Watermarking | ✓ | ||
Automatic fullscreen content setting | ✓ | ||
Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies | ✓ | ||
Deprecate mutation events | ✓ | ||
Keyboard-focusable scroll containers | ✓ | ||
Support for not condition in Service Worker static routing API | ✓ | ||
Ad-hoc code signatures for PWA shims on macOS | ✓ | ||
Deprecate Safe Browsing Extended reporting | ✓ | ||
Chrome will no longer support macOS 10.15 | ✓ | ✓ | |
User link capturing on PWAs | ✓ | ✓ | |
Deprecate the includeShadowRoots argument on DOMParser | ✓ | ||
Insecure form warnings on iOS | ✓ | ||
Private network access checks for navigation requests: warning-only mode | ✓ | ||
Remove enterprise policy used for legacy same site behavior | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Snap Groups | ✓ | ||
Read Aloud in Reading Mode | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Filter for popular and recently added settings with policy tags | ✓ | ||
Chrome browser managed profile reporting | ✓ | ||
Group based policy for Chrome browser | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.
Chrome browser updates
- Chrome Third-Party Cookie Deprecation (3PCD)
Third party cookies will be restricted in a future release of Chrome. Currently, they are restricted by default for 1% of Chrome users to allow sites to preview the user experience without third-party cookies. Most enterprises are excluded from this group automatically and admins can use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies if needed.
End users can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site when necessary. See this help article for more details on how to toggle these settings for the desired configuration. Bounce tracking protections are enforced when the bouncing site is not permitted to use 3P cookies, and are controllable with the same policies. Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial or the first-party deprecation trial for continued access to third-party cookies for a limited period of time.
For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, macOS, Windows
1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Starting in Chrome 120 on ChromeOS, Linux, macOS, Windows
- Extract text from PDFs for screen reader users
Chrome browser now launches an optical character recognition (OCR) AI reader for PDFs, creating a built-in PDF screen reader for inaccessible documents, further filling the gap in accessibility for low vision and blind users across the web.
This feature leverages Google's OCR models to extract, compartmentalize, and section PDF documents to make them more accessible. A local machine intelligence library will be added that uses Screen AI technology to analyze screenshots or the accessibility tree, and extract more information to help assistive technology, such as texts (OCR) and main content of the page.
- Chrome 126 on ChromeOS, Linux, Mac, Windows: Already fully launched on ChromeOS. Ramping up from 50% Canary/Dev/Beta to Stable on Linux, Mac, and Windows.
- Memory Saver aggressiveness
Memory Saver is a feature that deactivates unused tabs to free up memory on a user's device. There is an existing policy, HighEfficiencyModeEnabled, which allows administrators to control the Memory Saver feature. A new policy called MemorySaverModeSavings allows you to configure how aggressive the Memory Saver is when deciding to deactivate tabs. Choose the conservative option to deactivate fewer tabs or the aggressive one to get the most memory savings.
- Chrome 126 on ChromeOS, LaCrOS, Linux, Mac, Windows: The feature will roll out gradually to all platforms.
- Out of process iframe PDF viewer
In Chrome 126, some users use an out-of-process iframe (OOPIF) architecture for the PDF viewer. This is the new PDF viewer architecture, as it is simpler and makes adding new features easier. An enterprise policy, PdfViewerOutOfProcessIframeEnabled, is available to revert to using the original PDF viewer architecture.
- Chrome 126 on Linux, Mac, Windows
- Reactive prefetch on Desktop
This feature enables prefetching of subresources during a navigation, to speed up navigations and load new pages faster. The subresources prefetched are predicted by a Google-owned service, and the browser shares the URL of pages being navigated to with this service, to retrieve predictions. You can control this feature using the UrlKeyedAnonymizedDataCollectionEnabled policy.
- Chrome 126 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Tab Groups on iPad
Chrome for iPad users can create and manage tab groups. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 126 on iOS
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome starts to directly support accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome using a compatibility shim in Microsoft Windows. This change improves the user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and it improves third-party apps that use Windows's UI Automation accessibility framework. Chrome users now find reduced memory usage and processing overhead when using accessibility tools. It also eases development of software using assistive technologies.
Administrators can use the UiAutomationProviderEnabled enterprise policy, introduced in Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they can fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.- Chrome 125 on Windows: The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
- Removing support for UserAgentClientHintsGREASEUpdateEnabled
Chrome 126 removes the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year.
- Chrome 124 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 126 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed
- Align navigator.cookieEnabled with spec
navigator.cookieEnabled
currently indicates if the user agent attempts to handle cookies in a given context. A change in Chrome, shipping as part of third-party cookie deprecation (3PCD), would cause it to indicate whether unpartitioned cookie access is possible (causing it to return false in most cross-site iframes). We should restore the prior behavior ofnavigator.cookieEnabled
which indicated only if cookies were enabled or disabled for the site and rely on the cross-vendor functiondocument.hasStorageAccess
to indicate if unpartitioned cookie access is possible.- Chrome 126 on Windows, Mac, Linux, Android
- Search with Google Lens
As early as Chrome 126, users will be able to search any images or text they see on their screen with Google Lens. To use this feature, go to a website and click Search with Google Lens on the on-focus omnibox chip, on the right-click menus, or on the 3-dot menu. Users can click, highlight, or drag anywhere on the screen to search its contents, and refine their search by adding keywords or questions to the searchbox. Admins can control the feature through a policy called LensOverlaySettings. To perform the search, a screenshot of the screen is sent to Google servers but it is not linked to any IDs or accounts, it is not viewed by any human, and data about its contents is not logged.
We are rolling out this feature gradually in Chrome 126 and we plan to launch fully in Chrome 127.
- Chrome 126 on ChromeOS, Linux, Mac, Windows: Rollout of the feature at 1% Stable and LensOverlaySettings becomes available
- Chrome 127: Rollout to 100% stable
- New and updated policies in Chrome browser
Policy Description LensOverlaySettings Settings for the Lens Overlay feature MemorySaverModeSavings Change Memory Saver Mode Savings ProvisionManagedClientCertificateForUser Enables the provisioning of client certificates for a managed user or profile
PdfViewerOutOfProcessIframeEnabled Use out-of-process iframe PDF Viewer
ChromeOS updates
-
Extended auto-update opt-in and policy
ChromeOS provides 10 years of OS updates for security, stability, and performance improvements. Most devices will receive these updates automatically. For a subset of older devices, users and administrators can now opt in to extended updates to get a full 10 years of support.
For details, see our Help Center article.
-
Digital zoom with super resolution
The built-in Camera app now supports zooming on cameras that do not have optical zoom motors, including the built-in camera. On selected high-performance Chromebooks, AI-based super resolution may be applied to further enhance the images.
-
Set up new Chromebook with Android phone
You can now set up a new Chromebook using your Android phone. By establishing a secure connection between your phone and the Chromebook, you can automatically transfer your Wi-Fi and Google Account login information without needing to manually enter your passwords. This is available for unmanaged users only.
-
ChromeOS 126 supports firmware updates on a wide variety of additional peripherals. This significantly reduces the overhead and time needed to make new firmware updates available.
-
Web apps to capture multiple surfaces
Web apps can now capture multiple surfaces at once. This feature introduces a new API getAllScreensMedia() that allows developers to request several surfaces at once (instead of only one with getDisplayMedia()). This API auto-accepts capture requests, for managed sessions only, guarded by policies that have to be explicitly set by the device owners and with clear usage indicators so that users are aware of capturing at all times. For details, see our Help Center article.
-
Captive portal for managed networks
Given that captive portal detection is always disabled for managed networks, administrators are unable to configure the ChromeOS device to auto connect to captive portal networks or to detect that the captive portal exists. If they do make the captive portal network managed, users have to manually open a browser and connect to an HTTP site that can then be redirected to a portal sign in page. We’ve added a new policy, CaptivePortalAuthenticationIgnoresProxy, which allows admins to force portal detection.
-
A new setting is available to turn on and off the swipe gesture to navigate between pages. This feature is also known as overscroll or overscrolling pages. This setting is found under Settings > Accessibility > Cursor and touchpad > Use a swipe gesture to navigate between pages.
-
A new setting is available to turn off the blinking text cursor under Settings > Accessibility > Keyboard and text input > Text cursor blink rate. Customers with photosensitive seizure triggers and cognitive differences may want to turn off the blinking text cursor.
-
Magnifier to follow Select to Speak
Magnifier following Select to Speak is a feature designed for people who have low vision, but may be beneficial for anyone who enjoys reading text at larger sizes. When you read text aloud using Select to Speak, the screen magnifier will automatically follow the words, so you never lose your place. To try this out you can enable both Magnifier and Select to Speak in your settings. Zoom in to your preferred zoom level using Ctrl + Alt + Brightness up and Ctrl + Alt + Brightness down. Select the text you want to read out and press the Select to Speak play button, or Search + S. A setting is available under the Magnifier settings to adjust this behavior.
-
Supervised user extensions installation
For supervised accounts managed via Family Link, we are separating the parental control for Permissions for sites, extensions, and apps to give parents more granular control. Parents now have two options to choose from: Permissions for apps and Extensions. The impact on supervised accounts is that a parent can now allow extensions installations with or without approval. Previously, parents could block extensions but had no way to allow them without approval.
-
We are launching multi-calendar support to allow users view all events from multiple calendars that they have selected within their Google Calendar.
-
New policy to control Kiosk wake and sleep times
ChromeOS 126 introduces a new kiosk device policy that allows Admins to schedule when a device will wake and sleep. For more details, see Kiosk settings.
-
Locale expansion for Live Captions and Dictation
ChromeOS 126 expands support for live captions from 1 to 6 languages and dictation from 1 to 18 locales. We now use a new voice recognition model that provides additional battery savings.
Live captions on ChromeOS can be used on videos played with the Gallery player app, in YouTube, in Google Meet, in Zoom, or social media sites. To see or change your current live captions language, select Settings > Audio and captions > Live Caption > Manage languages. For more information on live captions, see this Help Center article.
Dictation is available on Google Docs, or in any other text input by enabling dictation in the taskbar, clicking the Mic button, and speaking. To see or change your dictation language, select Settings > Accessibility > Keyboard and text input > Dictation > Language. For more information on dictation, see this Help Center article.
-
Show wildcard URLs in Data Controls reporting
ChromeOS Data Control rules allow admins to define source and destination URLs as a wildcard (*) value. ChromeOS data control events are reported under the Chrome audit report and can be viewed in the Admin console or other platforms through the Chrome Reporting Connector. When examining log events, the URL that triggered the rule is now reported, instead of the wildcard.
Admin console updates
-
Custom configurations for IT admins
The Custom Configurations page allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As a result, all Chrome policies are now configurable in Chrome Enterprise Core, either using the Settings page or the Custom Configurations page. You can also use the page to configure extension installation mode not supported in the Admin console, such as normal_installed. This feature is available for browsers enrolled at the machine-level.
- As early as Chrome 126 on Android, iOS, Linux, MacOS, Windows: Trusted Tester access
- As early as Chrome 127 on Android, iOS, Linux, MacOS, Windows: Feature rolls out
-
Interactive setup guides for Chrome Enterprise Core
The Chrome Enterprise team introduces new interactive setup guides for browser management in the Admin console, where administrators can choose a journey they’re interested in and get hands-on training in related Chrome setup guides. For example, the guides can be used to learn how to:
- Create test organizational units
- Turn on reporting
- Enroll browsers
- Apply browser policies
- Configure extension settings
- Create an admin user
These guides are ideal for new administrators or for administrators who wish to learn new journeys.
- As early as Chrome 126: Feature rolls out
- New policies in Admin console
Policy Name Pages Supported on Category/Field DeviceExtendedAutoUpdateEnabled Device ChromeOS Device update settings LocalUserFilesAllowed Users & Browser ChromeOS User experience ScreenCaptureLocation Users & Browser ChromeOS User experience
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Entrust certificate distrust
In response to sustained compliance failures, Chrome is changing how publicly-trusted TLS server authentication, that is, website, certificates issued by Entrust will be trusted by default in Chrome 127 and greater on Windows, macOS, ChromeOS, Android, and Linux. iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.
Specifically:
- TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:
- after October 31, 2024, will no longer be trusted by default.
- on or before October 31, 2024, will be unaffected by this change.
Should a Chrome user or enterprise explicitly trust any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, explicit trust is conveyed through a Windows Group Policy Object, the SCT-based constraints described above will be overridden and certificates will function as they do today.
For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.
To learn more about the Chrome Root Store, see this FAQ.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: All versions of Chrome 127 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after October 31, 2024.
- Chrome 130 on ChromeOS, Linux, Mac, Windows: The blocking action will begin for certificates issued after October 31, 2024. This will also affect Chrome 127, 128 and 129.
- App-bound encryption for cookies
To improve the security of cookies on Windows, the encryption key used for cookie encryption will be further secured by binding it to Chrome's application identity. This can help protect against malware that might attempt to steal cookies from the system. This does not protect against an attacker who is able to elevate privilege or inject into Chrome's processes.
An enterprise policy, ApplicationBoundEncryptionEnabled, is available to disable application-bound encryption.
- Chrome 127 on Windows
- Chrome extension telemetry integration with Chronicle
We plan to collect relevant extension telemetry data from within Chrome, for managed profiles and devices, and send it to Chronicle. Chronicle will analyze the data to provide insight and context on risky activity.
- Chrome 127 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Generating insights for DevTools console warnings and errors
In Chrome 125, a new Generative AI (GenAI) feature became available for unmanaged users: Generating insights for Chrome DevTools Console warnings and errors. These insights provide a personalized description and suggested fixes for the selected errors and warnings. Initially, this feature is only available to users (18+) in English. Admins can control this feature by using the DevToolsGenAiSettings policy.- Chrome 125 on ChromeOS, Linux, Mac, Windows: Feature becomes available to unmanaged users globally, except Europe, Russia, and China.
- Chrome 127 on ChromeOS, Linux, Mac, Windows: Feature becomes available to managed Chrome Enterprise and Education users in supported regions.
- Migrate extensions to Manifest V3 before June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. Beginning June 2024, starting with Chrome 127 pre-stable versions, Chrome will gradually disable Manifest V2 extensions running in the browser. An enterprise policy, ExtensionManifestV2Availability , can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year, June 2025, at which point the policy will be removed.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core. Read more on the Manifest timeline, including:
- Chrome 127 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions. You can report any issues you encounter.
- Chrome 127 on Windows: Network Service sandboxed on Windows
- Simplified sign-in and sync experience on Android
Chrome will launch a simplified and consolidated version of sign-in and sync in Chrome on Android. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off via SyncTypesListDisabled. Sign-in to Chrome can be disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
The changes are virtually identical to the simplified sign-in and sync experience launched on iOS in 117.
- Chrome 127 on Android
- Telemetry about pages that trigger keyboard and pointer Lock APIs
When an Enhanced Safe Browsing user visits a page that triggers keyboard or pointer lock API, attributes of that page will be sent to Safe Browsing.
If the telemetry is sent and the page seems to be malicious, users will see a Safe Browsing warning and their keyboard or pointer will be unlocked if they were locked.
- Chrome 127 on Android, ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia
- Updated password management experience on Android
On Chrome on Android, some users who are signed-in to Chrome but don't have Chrome sync enabled will be able to use and save passwords in their Google Account. Relevant enterprise policies such as BrowserSignin, SyncTypesListDisabled and PasswordManagerEnabled will continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.- Chrome 127 on Android
- Watermarking
This feature will allow admins to overlay a watermark on top of a web page if navigating to it triggers a specific DLP rule. It will contain a static string displayed as the watermark. Watermarking will be available to Chrome Enterprise Premium customers.
- Chrome 124 on Linux, Mac, Windows: Trusted Tester access
- Chrome 127 on Linux, Mac, Windows: Feature rolls out
- Automatic Fullscreen content setting
A new Automatic Fullscreen content setting permits
Element.requestFullscreen()
without a user gesture, and permits browser dialogs to appear without exiting fullscreen.The setting is blocked by default and sites cannot prompt for permission. New UI controls are limited to Chrome's settings pages (
chrome://settings/content/automaticFullScreen
) and the site info bubble. Users can allow Isolated Web Apps, and enterprise admins can allow additional origins with the AutomaticFullscreenAllowedForUrls policy.Combined with Window Management permission and unblocked popups (
chrome://settings/content/popups
), this unlocks valuable fullscreen capabilities:- Open a fullscreen popup on another display, from one gesture
- Show fullscreen content on multiple displays from one gesture
- Show fullscreen content on a new display, when it's connected
- Swap fullscreen windows between displays with one gesture
- Show fullscreen content after user gesture expiry or consumption
- Chrome 127 on Windows, Mac, Linux
- Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies
Chrome 127 will add a cross-site ancestor bit to the keying of the partitioned cookie's
CookiePartitionKey
. This change unifies the partition key with the partition key values used in storage partitioning and adds protection against clickjacking attacks by preventing cross-site embedded frames from having access to the top-level-site's partitioned cookies.If an enterprise experiences any breakage with embedded iframes, they can use the CookiesAllowedForUrls policy or use
SameSite=None
cookies without the Partitioned attribute and then invoke the Storage Access API (SAA) to ensure that embedded iframes have access to the same cookies as the top level domain.- Chrome 127 on Windows, Mac, Linux
- Deprecate mutation events
Synchronous mutation events, including
DOMSubtreeModified
,DOMNodeInserted
,DOMNodeRemoved
,DOMNodeRemovedFromDocument
,DOMNodeInsertedIntoDocument
, andDOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.Mutation event support will be disabled by default starting in Chrome 127, around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
Please see this blog post for more detail. Report any issues here.
- Chrome 127 on Windows, Mac, Linux, Android
- Keyboard-focusable scroll containers
Making scroll containers focusable using sequential focus navigation greatly improves accessibility. Today, the tab key doesn't focus scrollers unless
tabIndex
is explicitly set to 0 or more.By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using a keyboard's tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a
<textarea>
.- Chrome 127 on Windows, MacOS, Linux, Android
- Support for not condition in Service Worker static routing API
The Service Worker static routing API is an API used for routing the request to the network, the Service Worker fetch handler, or directly looking up from cache, and so on. Each route consists of a condition and a source, and the condition is used for matching the request.
For Chromium implementations, the or condition is the only supported condition. However, to write the condition more flexibly, supporting the not condition is expected, which matches the inverted condition inside.
- Chrome 127 on Windows, Mac, Linux, Android
- Ad-hoc code signatures for PWA shims on macOS
Code signatures for the application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures that are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.
This will address problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and will permit future improvements for handling user notifications within PWAs on macOS.
- Chrome 128 on Mac
- Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 128 on Android, iOS, ChromeOS, Linux, Mac, Windows: Deprecation of Safe Browsing Extended reporting
- Chrome will no longer support macOS 10.15
Chrome will no longer support macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support macOS 10.15.
- Chrome 129 on Mac: Chrome no longer supports macOS 10.15
- User link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, MacOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
chrome://flags/#enable-user-link-capturing-pwa
. - Chrome 129 on Linux, Mac, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).
- Chrome 121 on Linux, MacOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
- Deprecate the includeShadowRoots argument on DOMParser
The
includeShadowRoots
argument was a never-standardized argument to theDOMParser.parseFromString()
function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.
Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() will ship in Chrome 129, the non-standardincludeShadowRoots
argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
document.parseHTMLUnsafe(html);
- Chrome 129 on Linux, Mac, Windows, Android
- Insecure form warnings on iOS
Chrome 125 blocks form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it will display a warning asking the user to confirm the submission. The goal is to prevent leaking form data over plain text without user's explicit approval. A policy called InsecureFormsWarningsEnabled is available to control this feature.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed
- Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:
1. Checks whether the request has been initiated from a secure context
2. Sends a preflight request, and checks whether B responds with a header that allows private network access.
There are already features for subresources and workers, but this one is for navigation requests specifically.
These checks protect the user's private network. Since this feature is the warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in the DevTools, to help developers prepare for the coming enforcement.
- Chrome 130 on Windows, Mac, Linux, Android
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the InsecureFormsWarningsEnabled policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.
However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.
Please see this blog post for more detail.
- Chrome 124 on Windows, Mac, Linux
- Chrome 135 on Android
Upcoming ChromeOS changes
-
As early as ChromeOS 127, Snap groups will allow you to group windows on ChromeOS. A snap group is formed when a user pairs two windows for a split-screen. The windows can then be brought back together, resized simultaneously, or moved as a group.
-
As early as ChromeOS 127, Read Aloud will bring Google's high quality voices to Chrome Reading Mode for users to leverage Text to Speech to read content on the web. The goal of Read Aloud is to help people who have difficulty reading to understand long-form text. The new Read Aloud feature in Reading Mode on Chrome desktop allows users to hear the text they are reading, which improves focus and comprehension.
Upcoming Admin console changes
- Filter for popular and recently added settings with policy tags
The Admin console will soon provide options to filter settings by recently added and popular. With these new filters, you’ll be able to see our newest settings as well as see some of our most popular and relevant Chrome settings.
- As early as Chrome 126 on Android, iOS, Linux, Mac, Windows: Trusted Tester access
- As early as Chrome 127 on Android, iOS, Linux, Mac, Windows: Feature rolls out
- Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.- As early as Chrome 127 on Android, Linux, MacOS, Windows: Early Trusted Tester access
- As early as Chrome 130 on Android, iOS, Linux, MacOS, Windows: Feature rolls out
- Group based policy for Chrome browser
As an administrator, you will be able to use Google groups to add managed Chrome browsers to groups and set User & browser policies and Extension settings to a group of browsers. Managed browsers can be assigned to multiple groups, which allows IT administrators to have more flexibility to manage Chrome browsers using cloud management.
- As early as Chrome 126 on Android, Linux, MacOS, Windows: Trusted Tester access
- As early as Chrome 127 on Android, iOS, Linux, MacOS, Windows: Feature rolls ou
Chrome 125
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
Automatic deep file scanning for Enhanced Safe Browsing users | ✓ | ||
Chrome Desktop support for Windows ARM64 | ✓ | ||
Chrome updater changes | ✓ | ||
Chrome Security Insights | ✓ | ✓ | ✓ |
Chrome bandwidth updates | ✓ | ||
Extensions Safety Check | ✓ | ||
Insecure form warnings on iOS | ✓ | ||
Legacy Browser Support for Edge upgraded to Manifest V3 | ✓ | ||
Remove enterprise policy used for Base URL inheritance | ✓ | ||
Send download reports without explicit user decision | ✓ | ✓ | |
Tab Groups on Tab Grid | ✓ | ||
UI Automation accessibility framework provider on Windows | ✓ | ||
Update Google Play Services to fix issues with account passwords | ✓ | ||
Extending Storage Access API (SAA) to non-cookie storage | ✓ | ||
Interoperable mousemove default action | ✓ | ||
Remove window-placement alias for permission and permission policy descriptors | ✓ | ||
Default Search Engine choice screen | ✓ | ✓ | |
Generating insights for Chrome DevTools Console warnings and errors | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
SAML always-on VPN fix | ✓ | ||
ChromeOS Passpoint settings | ✓ | ||
ChromeOS Audio Bluetooth telephony | ✓ | ||
Add PrivateIP to DoH with identifiers | ✓ | ||
Gallery video playback speed control UI | ✓ | ||
Reduce Animations toggle for ChromeOS | ✓ | ||
Captive Portal sign-in window | ✓ | ||
Install dialog for PWAs | ✓ | ||
Warn users before disconnecting Bluetooth HID | ✓ | ✓ | |
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Inactive browser deletion in Chrome Enterprise Core | ✓ | ✓ | |
ChromeOS device enrollment and token generation redesign | ✓ | ||
New ZTE pre-provisioning token features | ✓ | ||
Expanded token management features | ✓ | ✓ | |
URL-keyed anonymized data collection in Managed Guest Session | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Deprecate Safe Browsing Extended reporting | ✓ | ||
Extract text from PDFs for screen reader users | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Removing support for UserAgentClientHintsGREASEUpdateEnabled | ✓ | ||
Tab Groups on iPad | ✓ | ||
Telemetry about pages that trigger keyboard and pointer Lock APIs | ✓ | ||
Updated password management experience on Android | ✓ | ✓ | |
Watermarking | ✓ | ||
Align navigator.cookieEnabled with spec | ✓ | ||
Automatic fullscreen content setting | ✓ | ||
Keyboard-focusable scroll containers | ✓ | ||
Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies | ✓ | ||
App-bound encryption for cookies | ✓ | ||
Chrome extension telemetry integration with Chronicle | ✓ | ||
Migrate extensions to Manifest V3 before June 2025 | ✓ | ✓ | ✓ |
Simplified sign-in and sync experience on Android | ✓ | ||
Deprecate mutation events | ✓ | ||
Remove enterprise policy used for legacy same site behavior | ✓ | ||
User link capturing on PWAs | ✓ | ✓ | |
X25519Kyber768 key encapsulation for TLS | ✓ | ||
Chrome will no longer support macOS 10.15 | ✓ | ✓ | |
Deprecate the includeShadowRoots argument on DOMParser | ✓ | ||
Private network access checks for navigation requests: warning-only mode | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
New policy to control Kiosk wake and sleep times | ✓ | ||
Show wildcard URLs in Data Controls Reporting | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Policy parity: Custom Configurations for IT admins | ✓ | ||
Interactive setup guides for Chrome Enterprise Core | ✓ | ||
Legacy Technology report | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Chrome Third-Party Cookie Deprecation (3PCD)
Third party cookies will be restricted in a future release of Chrome. Currently, they are restricted by default for 1% of Chrome users to allow sites to preview the user experience without third-party cookies. Most enterprises are excluded from this group automatically and admins can use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies if needed.
End users can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site when necessary. See this help article for more details on how to toggle these settings for the desired configuration. Bounce tracking protections are enforced when the bouncing site is not permitted to use 3P cookies, and are controllable with the same policies. Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial or the first-party deprecation trial for continued access to third-party cookies for a limited period of time.
For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, macOS, Windows
1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Starting in Chrome 120 on ChromeOS, Linux, macOS, Windows
- Automatic deep file scanning for Enhanced Safe Browsing users
Deep scanning of downloads for Enhanced Safe Browsing users has been launched since Chrome 91. At that time, users had to consent to each file they wanted deep-scanned automatically. Starting in Chrome 125, users no longer have to do that. Deep scanning is performed automatically as part of the improved protections offered by Enhanced Safe Browsing. Admins wishing to disable this feature can ensure their users are not in Enhanced Safe Browsing mode at all with the SafeBrowsingProtectionLevel policy, or disable deep scans with SafeBrowsingDeepScanningEnabled.
- Chrome 125 on LaCrOS, Linux, Mac, Windows: Feature rolls out
- Chrome Desktop support for Windows ARM64
Chrome rolled out support for Windows ARM64. Enterprise installers are coming soon, and the ARM64 version can be downloaded at google.com/chrome. If you encounter any issues, file a bug here. At this time, other versions of Chrome running on ARM64 devices will not be automatically upgraded. Please re-install Chrome if you're running on an ARM64 device.
- Chrome 125 on Windows: New Enterprise installers will be available towards mid-May
- Chrome updater changes
We are in the process of rolling out a new version of Google Update. As part of this change, the location for
GoogleUpdate.exe
on Windows changes and it is renamedupdater.exe
. Note that the previous path continues to persist until the transition is fully completed.GoogleUpdate.exe
is also modified to point toupdater.exe
.* Previous:
%PROGRAMFILES(X86)%\Google\Update\GoogleUpdate.exe
* Current:%PROGRAMFILES(X86)%\Google\GoogleUpdater\<VERSION>\updater.exe
- Chrome 125 on Windows: These changes appear on Windows
- Chrome Security Insights
If you have Chrome Enterprise Core (Chrome Browser Cloud Management) and Workspace Enterprise Standard or Workspace Enterprise Plus with assigned licenses, you can now enable Chrome Security Insights. This tool allows you to monitor insider risk and data loss for Chrome activity. For more information, see Monitoring for insider risk and data loss.
- Chrome 125 on ChromeOS, Linux, Mac, Windows
- Chrome bandwidth updates
Chrome introduces a new mechanism for updating certain Chrome components, which might result in extra bandwidth used within your fleet. You can control this with the GenAILocalFoundationalModelSettings policy.
- Chrome 125 on Linux, Mac, Windows
- Extensions Safety Check
The Extensions Safety Check notifies users about extensions that might contain malware, policy violations, and extensions that have been unpublished long ago. It provides an interface for users to review these extensions and decide to keep or remove each flagged extension.
To expand the usefulness and the scope of this feature, Chrome 125 adds new triggers so that other potentially risky extensions can also be reviewed by users. There are two new extension types that we now flag for the user to review.
- Extensions that are not installed from the Chrome Web Store
- Extensions that violate store policy by using deceptive installation tactics and are considered unwanted software
Any extensions that are force-installed, installed by policy, version-pinned or blocked by policy are ignored and not flagged by these trigger criteria.
- Chrome 125 on ChromeOS, Linux, Mac, Windows: During rollout, the two new triggers will be added to the extension safety check found on the
chrome://extensions/
page
- Chrome 125 on ChromeOS, Linux, Mac, Windows: During rollout, the two new triggers will be added to the extension safety check found on the
- Insecure form warnings on iOS
Chrome 125 blocks form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it displays a warning asking the user to confirm the submission. The goal is to prevent leaking form data over plain text without user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed
- Legacy Browser Support for Edge upgraded to Manifest V3
Legacy Browser Support for Edge is upgraded to Manifest V3. This is a major update with a possibility for bugs, so you can try the Beta version of this extension today. We encourage you to test it in your environment. If you encounter any issues, file a bug here.
- Chrome 125 on Linux, Mac, Windows: Microsoft Edge Add-ons Store doesn't support gradual rollouts, so this will roll out 0%=>100% in one step. Target release date is May 30th, so ~2 weeks into Chrome 125's lifecycle.
- Remove enterprise policy used for Base URL inheritance
In Chrome 114, we introduced NewBaseUrlInheritanceBehaviorAllowed to prevent users or Google Chrome variations from enabling NewBaseUrlInheritanceBehavior, in case compatibility issues were discovered. Chrome 125 removes the temporary NewBaseUrlInheritanceBehaviorAllowed policy.
- Chrome 125 on Android, ChromeOS, Linux, Mac, Windows: NewBaseUrlInheritanceBehaviorAllowed policy will be removed.
- Send download reports without explicit user decision
The Client Safe Browsing Report is a telemetry report sent to Safe Browsing when a warning is shown in Chrome. Today, download reports are sent when users discard or bypass a download warning. Based on the learnings from the initial tailored warning experiment, many download warnings are not explicitly discarded or bypassed. Reports are not sent for these warnings, so Safe Browsing doesn't have visibility on the effectiveness of these warnings. This feature aims to close this telemetry gap by sending reports when the download is auto-discarded or the browser is closed.
- Chrome 125 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Tab Groups on Tab Grid
Chrome for iPhone users can create and manage tab groups on their tab grids. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 125 on iOS
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Starting in Chrome 125, administrators can use the UiAutomationProviderEnabled enterprise policy to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.- Chrome 125 on Windows: The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
- Update Google Play Services to fix issues with account passwords
Users with old versions of Google Play Services might be unable to access the passwords saved to their Google accounts. These users now see warnings to update Google Play Services in the password management surface to access their account passwords again. This is part of an ongoing migration that only affects Android users of Google Password Manager.
- Chrome 125 on Android
- Extending Storage Access API (SAA) to non-cookie storage
Chrome extends the Storage Access API to allow access to unpartitioned cookie and non-cookie storage in a third-party context. The current API only provides access to cookies, which have different use-cases than non-cookie storage. The API can be used as follows (JS running in an embedded iframe):
// Request a new storage handle via rSA (this should prompt the user)
let handle = await document.requestStorageAccess({all: true});
// Write some cross-site localstorage
handle.localStorage.setItem("userid", "1234");
// Open or create an indexedDB that is shared with the 1P context
let messageDB = handle.defaultBucket.indexedDB.open("messages");
The same flow would be used by iframes to get a storage handle when their top-level ancestor successfully called
rSAFor
, just that in this case thestorage-access
permission was already granted and thus therSA
call would not require a user gesture or show a prompt, allowing for hidden iframes accessing storage.- Chrome 125 on Windows, Mac, Linux, Android
- Interoperable mousemove default action
Canceling
mousemove
does not prevent text selection or drag-and-drop. Chrome allowed cancelingmousemove
events to prevent other APIs like text selection (and even drag-and-drop in the past). This does not match other major browsers; nor does it conform to the W3 UI Events specification.With this feature, text selection is no longer the default action of
mousemove
. Text selection and drag-and-drop can still be prevented through cancelingselectstart
anddragstart
events respectively, which are spec-compliant and fully interoperable.- Chrome 125 on Windows, Mac, Linux, Android
- Remove window-placement alias for permission and permission policy descriptors
Chrome 125 removes the window-placement alias for permission and permission policy descriptors. All instances of window-placement are replaced with window-management, which better describes the related API functionality. This is a follow-up to Window Management API feature enhancements and renaming from Multi-Screen Window Placement API; for more details, see Chrome Platform Status.
- Chrome 125 on Windows, Mac, Linux
- Default Search Engine choice screen
As part of our Digital Markets Act (DMA) compliance, Google is introducing choice screens for users to choose their default search engine within Chrome. The choice from the prompt controls the default search engine setting, currently available at
chrome://settings/search
.For enterprises that have chosen to have their administrator set their enterprise users’ search settings using the enterprise policies DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, those policies continue to control their enterprise’s search settings. Where the administrator has not set their enterprise users’ search settings by policy, enterprise users might see a prompt to choose their default search engine within Chrome.
Read more about these policies and the related atomic group.
- Chrome 120 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: 1% users might start getting the choice screen with Chrome 120.
- Chrome 125 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: full roll-out for applicable users.
- Generating insights for Chrome DevTools Console warnings and errors
In Chrome 125, a new Generative AI (GenAI) feature becomes available for unmanaged users: Generating insights for Chrome DevTools Console warnings and errors. These insights provide a personalized description and suggested fixes for the selected errors and warnings. Initially, this feature is only available to users (18+) in English. Admins can control this feature by using the DevToolsGenAiSettings policy.
- Chrome 125 on ChromeOS, Linux, Mac, Windows: Feature becomes available to unmanaged users globally, except Europe, Russia, and China.
- Chrome 127 on ChromeOS, Linux, Mac, Windows: Feature becomes available to managed Chrome Enterprise & Education users in supported regions.
- New and updated policies in Chrome browser
Policy Description EnterpriseLogoUrl Enterprise Logo URL: URL to an image that is used as an enterprise badge for the profile. EnterpriseBadgingTemporarySetting Control the visibility of enterprise badging. ApplicationBoundEncryptionEnabled Enable Application-bound encryption UiAutomationProviderEnabled Enable the browser's UI Automation accessibility framework provider on Windows ToolbarAvatarLabelSettings Managed toolbar avatar label setting
ChromeOS updates
-
To better support Enterprise customers who use VPN in always-on strict mode, where no user traffic can get to the internet except via the VPN, and SAML authentication, we've added a new policy AlwaysOnVpnPreConnectUrlAllowlist. This policy allows you to specify URLs users are allowed to go to before the VPN has connected, so that your SAML services are reachable to authenticate the user to the VPN via the system browser.
-
You can now view and manage Wi-Fi Passpoint in ChromeOS Settings. You can view and remove your installed passpoint subscription under the passpoint detailed page.
-
ChromeOS Audio Bluetooth telephony
ChromeOS now supports call control buttons on compatible Bluetooth headsets, including answering, rejecting or terminating a call, and muting the microphone.
-
Add PrivateIP to DoH with identifiers
A network identifier was added to the secure DNS URI templates with identifiers policy. Admins can now configure a new placeholder in the DNS URI templates, which is replaced with the device local IP addresses when the users are connected to managed networks.
-
Gallery video playback speed control UI
ChromeOS Gallery video player now has a playback speed menu to control the playback rate.
-
Reduce Animations toggle for ChromeOS
A reduced animations setting is now available on ChromeOS. This setting is available under Accessibility > Display and Magnification > Reduced Animations. Customers who experience motion sickness, distractions or other types of discomfort when seeing animations can benefit from changing this setting.
-
ChromeOS 125 allows easier captive portal sign-in with a dedicated window. The window opens as a tabless popup window; the URL is shown but it is not editable.
-
ChromeOS 125 enables an installation dialog for web apps. This feature unblocks web app installation scenarios and is part of the work to create a more predictable, accessible, and trustworthy install surface for web apps.
-
Warn users before disconnecting Bluetooth HID
In ChromeOS 125 and later, Chromeboxes and Chromebases display a notification to prevent unintended Bluetooth device disconnections. This notification appears when you attempt to disable Bluetooth while only Human Interface Devices (HIDs) like keyboards or mice connected via Bluetooth are active.
Admin console updates
-
Inactive browser deletion in Chrome Enterprise Core
Starting in April 2024 until June 2024, the Inactive period for browser deletion policy has started to roll out and automatically delete enrolled browsers in the Admin console that have been inactive for more than the inactivity period of time determined by the policy. When releasing the policy, the inactivity period of time has a default value of 540 days. Meaning that by default, all enrolled browsers that have been inactive for more than 540 days are deleted from your account. Administrators can change the inactive period value using this policy. The maximum value to determine the browser inactivity period is 730 days and the minimum value is 28 days (learn more).
If you lower the set policy value, it might have a global impact on any currently enrolled browsers. All impacted browsers will be considered inactive and, therefore, be irreversibly deleted. To ensure the deleted browsers re-enroll automatically next time they restart, set the Device Token Management policy value to Delete token before lowering the value of this policy. The enrollment tokens on these browsers need to still be valid at the time of the restart.
-
ChromeOS device enrollment and token generation redesign
Beginning in April 2024, the zero-touch enrollment experience has been enhanced with a new enrollment entry point, token creation guide, the ability to specify SKU and partner permissions and improved token management
-
New ZTE pre-provisioning token features
Pre-provisioning tokens have gained the following features:- Support for Kiosk & Signage Upgrade by allowing zero-touch enrollment pre-provisioning tokens to be created using either Chrome Enterprise Upgrade or Kiosk & Signage Upgrade
- Ability for pre-provisioning partners to specify custom fields (asset ID, location, and user)
- Multiple tokens per organizational unit
-
Expanded token management features
The Enrollment Tokens page has been updated with the following features:- The page has been added to the left navigation panel for easier access
- Tokens are now filterable based on status, creation user, annotation and upgrade type
- A new button allows admins to copy the token and Customer ID with one click
- Additional columns provide more information about the token
-
URL-keyed anonymized data collection in Managed Guest Session
The policy for URL-keyed anonymized data collection, UrlKeyedAnonymizedDataCollectionEnabled, is available in the Admin console. This policy will be enforced starting June 1st and will remain disabled until then.
- New policies in Admin console
Policy Name Pages Supported on Category/Field DevToolsGenAiSettings Users & Browsers Chrome
ChromeOSGenerative AI UiAutomationProviderEnabled Users & Browsers Chrome Accessibility ContextualGoogleIntegrationsEnabled Users & Browsers ChromeOS User experience ContextualGoogleIntegrationsConfiguration Users & Browsers ChromeOS User experience ApplicationBoundEncryptionEnabled Users & Browsers Chrome Security DeviceExtensionsSystemLogEnabled Device ChromeOS User and device reporting EnterpriseBadgingTemporarySetting Users & Browser Chrome General EnterpriseLogoUrl Users & Browser Chrome General ToolbarAvatarLabelSettings Users & Browser Chrome General DeviceDlcPredownloadList Device ChromeOS Other settings
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 126 on iOS, ChromeOS, Linux, MacOS, Windows: Deprecation of Safe Browsing Extended Reporting
- Extract text from PDFs for screen reader users
Chrome browser is launching an Optical character recognition (OCR) AI reader for PDFs, creating the first browser built-in PDF screen reader for inaccessible documents, further filling the gap in accessibility for low vision and blind users across the web.
This feature leverages Google's OCR models to extract, compartmentalize, and section PDF documents to make them more accessible. A local machine intelligence library will be added that uses Screen AI technology to analyze screenshots or the accessibility tree, and extract more information to help assistive technology, such as texts (OCR) and main content of the page.
- Chrome 126 on ChromeOS, Linux, MacOS, Windows
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 125 on Windows: Network Service sandboxed on Windows.
- Removing support for UserAgentClientHintsGREASEUpdateEnabled
Deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year and then eventually remove it.
- Chrome 124 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 126 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed
- Tab Groups on iPad
Chrome for iPad users can create and manage tab groups. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 126 on Android
- Telemetry about pages that trigger keyboard and pointer Lock APIs
When an Enhances Safe Browsing user visits a page that triggers keyboard or pointer lock API, attributes of that page will be sent to Safe Browsing. If the telemetry is sent and the page seems to be malicious, users will see a Safe Browsing warning and their keyboard or pointer will be unlocked if they were locked.
- Chrome 126 on Android, ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia
- Updated password management experience on Android
On Chrome on Android, some users who are signed-in to Chrome but don't have Chrome sync enabled will be able to use and save passwords in their Google Account. Relevant enterprise policies such as BrowserSignin, SyncTypesListDisabled and PasswordManagerEnabled will continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.- Chrome 126 on Android
- Watermarking
This feature will allow admins to overlay a watermark on top of a webpage if navigating to it triggers a specific DLP rule. It will contain a static string displayed as the watermark. Watermarking will be available to Chrome Enterprise Premium customers.
- Chrome 124 on Linux, Mac, Windows: Trusted Tester access
- Chrome 126 on Linux, Mac, Windows: Feature rolls out
- Align navigator.cookieEnabled with spec
navigator.cookieEnabled
currently indicates if “the user agent attempts to handle cookies” in a given context. A change in Chrome, shipping as part of third-party cookie deprecation (3PCD), would cause it to indicate whether unpartitioned cookie access is possible (causing it to return false in most cross-site iframes). We should restore the prior behavior ofnavigator.cookieEnabled
which indicated only if cookies were enabled or disabled for the site and rely on the cross-vendor functiondocument.hasStorageAccess
to indicate if unpartitioned cookie access is possible.- Chrome 126 on Windows, Mac, Linux, Android
- Automatic fullscreen content setting
A new Automatic Fullscreen content setting permits
Element.requestFullscreen()
without a user gesture, and permits browser dialogs to appear without exiting fullscreen.The setting is blocked by default and sites cannot prompt for permission. New UI controls are limited to Chrome's settings pages (
chrome://settings/content/automaticFullScreen
) and the site info bubble. Users can allow Isolated Web Apps, and enterprise admins can allow additional origins with the AutomaticFullscreenAllowedForUrls policy.Combined with Window Management permission and unblocked popups (
chrome://settings/content/popups
), this unlocks valuable fullscreen capabilities:- Open a fullscreen popup on another display, from one gesture
- Show fullscreen content on multiple displays from one gesture
- Show fullscreen content on a new display, when it's connected
- Swap fullscreen windows between displays with one gesture
- Show fullscreen content after user gesture expiry or consumption
- Chrome 128 on Android, ChromeOS, Linux, MacOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies
Chrome 125 adds a cross-site ancestor bit to the keying of the partitioned cookie's CookiePartitionKey. This change unifies the partition key with the partition key values used in storage partitioning and adds protection against clickjacking attacks by preventing cross-site embedded frames from having access to the top-level-site's partitioned cookies.
If an enterprise experiences any breakage with embedded iframes, they can use the CookiesAllowedForUrls policy or use SameSite=None cookies without the Partitioned attribute and then invoke the Storage Access API (SAA) or use the Cross-Origin Resource Sharing (CORS) to ensure that embedded iframes have access to the same cookies as the top level domain.- Chrome 126 on Windows, Mac, Linux
- Keyboard-focusable scroll containers
Making scroll containers focusable using sequential focus navigation greatly improves accessibility. Today, the tab key doesn't focus scrollers unless
tabIndex
is explicitly set to 0 or more.By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using a keyboard's tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a
<textarea>
.- Chrome 127 on Windows, MacOS, Linux, Android
- App-Bound encryption for cookies
To improve the security of cookies on Windows, the encryption key used for cookie encryption will be further secured by binding it to Chrome's application identity. This can help protect against malware that might attempt to steal cookies from the system. This does not protect against an attacker who is able to elevate privilege or inject into Chrome's processes.
An enterprise policy ApplicationBoundEncryptionEnabled is available to disable Application Bound Encryption.- Chrome 127 on Windows
- Chrome extension telemetry integration with Chronicle
Collect relevant extension telemetry data from within Chrome (managed profiles + devices) and send it to Chronicle. Chronicle will analyze the data to provide instant analysis and context on risky activity.
- Chrome 127 on ChromeOS, LaCrOS, Linux, Mac, Windows
- All extensions must be updated to leverage Manifest V3 by June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core. Read more on the Manifest timeline, including:
- Chrome 110 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Chrome 127 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.
- Simplified sign-in and sync experience on Android
Chrome will launch a simplified and consolidated version of sign-in and sync in Chrome on Android. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off via SyncTypesListDisabled. Sign-in to Chrome can be disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
The changes are virtually identical to the simplified sign-in and sync experience launched on iOS in 117.
- Chrome 127 on Android
- Intent to deprecate: mutation events
Synchronous mutation events, including
DOMSubtreeModified
,DOMNodeInserted
,DOMNodeRemoved
,DOMNodeRemovedFromDocument
,DOMNodeInsertedIntoDocument
, andDOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.Mutation event support will be disabled by default starting in Chrome 127, around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
Please see this blog post for more detail.
- Chrome 127 on Windows, Mac, Linux, Android
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 128 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- User link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, MacOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
chrome://flags/#enable-user-link-capturing-pwa
. - Earliest in Chrome 127 on Linux, MacOS, Windows: We will launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if user clicks on chip on address bar).
- Chrome 121 on Linux, MacOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
- X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.
However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.
Please see this blog post for more detail.
- Chrome 124 on Windows, Mac, Linux
- Chrome 128 on Android
- Chrome will no longer support macOS 10.15
Chrome will no longer support macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems to continue to use Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support macOS 10.15.
- Chrome 129 on macOS: Chrome no longer supports macOS 10.15
- Deprecate the includeShadowRoots argument on DOMParser
The
includeShadowRoots
argument was a never-standardized argument to theDOMParser.parseFromString()
function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() will ship in Chrome 124, the non-standard
Instead of:includeShadowRoots
argument needs to be deprecated and removed. All usage should shift accordingly:(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
document.parseHTMLUnsafe(html);
- Chrome 129 on Windows, Mac, Linux, Android
- Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:
1. Checks whether the request has been initiated from a secure context
2. Sends a preflight request, and checks whether B responds with a header that allows private network access.
There are already features for subresources and workers, but this one is for navigation requests specifically. The above checks are made to protect the user's private network. Since this feature is the warning-only mode, we do not fail the requests if any of the checks fails. Instead, a warning will be shown in the DevTools, to help developers prepare for the coming enforcement.- Chrome 130 on Windows, Mac, Linux, Android
Upcoming ChromeOS changes
-
New policy to control Kiosk wake and sleep times
As early as ChromeOS 126, we will introduce a new kiosk device policy that will allow Admins to schedule when a device will wake and sleep. For more details, see Kiosk settings.
-
Show wildcard URLs in Data Controls reporting
ChromeOS Data Control rules allow admins to define source and destination URLs as a wildcard ( * ) value. ChromeOS data control events are reported under the Chrome audit report and can be viewed in the Google Admin console or other platforms through the Chrome Reporting Connector. When examining log events, the URL that triggered the rule is now reported, instead of the wildcard.
Upcoming Admin console changes
- Policy parity: Custom Configurations for IT admins
The Custom Configurations page allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As a result, all Chrome policies are now configurable in Chrome Enterprise Core in the Admin console, either using the Settings page or the Custom Configurations page. You can also use the page to configure extension installation mode not supported in the Admin console, such as “normal_installed”.
- As early as Chrome 126 on Android, iOS, Linux, Mac, Windows: Trusted Tester access
- As early as Chrome 127 on Android, iOS, Linux, Mac, Windows: Feature rolls out
- Interactive setup guides for Chrome Enterprise Core
The Chrome Enterprise team is introducing new interactive setup guides for browser management in the Admin console, where administrators can choose a journey they’re interested in exploring and get hands-on training directly in Chrome Setup Guides. For example, the guides can be used to learn how to:- Creating test organizational units
- Turn on reporting
- Enroll browsers
- Apply browser policies
- Configure extension settings
- Create an admin user
- As early as Chrome 125: Trusted Tester access
- As early as Chrome 126: Feature rolls out
- Legacy Technology report
As early as Chrome 127, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, third-party cookies, SameSite cookie changes, and older security protocols like TLS 1.0/1.1 and third-party cookies. This information will enable IT administrators to work with developers to plan required tech migrations before the deprecation feature removals goes into effect.
This feature is currently released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.- As early as Chrome 127 on Linux, MacOS, Windows: Legacy Technology report will be available in the Admin console.
Chrome 124
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Chrome Enterprise Premium product launch | ✓ | ✓ | |
Chrome Browser Cloud Management is now Chrome Enterprise Core | ✓ | ✓ | |
Watermarking (trusted tester) | ✓ | ||
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
Permissions prompt for Web MIDI API | ✓ | ||
Two Chrome extensions will be upgraded to Manifest V3 | ✓ | ✓ | |
Chrome Installer/Updater changes | ✓ | ||
Bookmarks and reading list improvements on Android | ✓ | ||
Default Search Engine choice screen | ✓ | ✓ | |
Deprecate enterprise policy used for throttling | ✓ | ||
Chrome Desktop support for Windows ARM64 | ✓ | ||
Remove enterprise policy used for GREASE | ✓ | ||
Deprecate and remove Web SQL | ✓ | ||
Chrome bandwidth updates | ✓ | ||
Form controls support direction value in vertical writing mode | ✓ | ||
Remove enterprise policies used for TLS handshake and RSA key usage | ✓ | ||
Shadow root cloneable attribute | ✓ | ||
Local passwords stored in Play services on Android | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
Save to Drive and to Photos | ✓ | ||
Device bound session credentials google.com prototype | ✓ | ||
Windows ClearType Text Tuner integration | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
WebHID permission delegation | ✓ | ||
WiFi QoS on ChromeOS | ✓ | ||
Scanning DLC | ✓ | ||
Increase the max size for the mouse pointer slider | ✓ | ||
Fast Pair for HID | ✓ | ||
Extension Cache Invalidation for managed guest login screen | ✓ | ||
Instant reboot in Managed Guest Session | ✓ | ||
ChromeOS carrier lock | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Inactive browser deletion in Chrome Enterprise Core | ✓ | ||
New filter on the App details page | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
UI Automation accessibility framework provider on Windows | ✓ | ||
Keyboard-focusable scroll containers | ✓ | ||
Interoperable mousemove default action | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Telemetry about pages that trigger keyboard and pointer lock APIs | ✓ | ||
Extending Storage Access API (SAA) to non-cookie storage | ✓ | ||
Remove window-placement alias for permission and permission policy descriptors | ✓ | ||
Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies | ✓ | ||
Extract text from PDFs for screen reader users | ✓ | ||
Deprecate Safe Browsing Extended reporting | ✓ | ||
Remove enterprise policy used for Base URL inheritance | ✓ | ||
App-Bound encryption for cookies | ✓ | ||
Intent to deprecate: Mutation Events | ✓ | ||
User link capturing on PWAs | ✓ | ||
All extensions must be updated to leverage Manifest V3 by June 2025 | ✓ | ✓ | ✓ |
Remove enterprise policy used for legacy same site behavior | ✓ | ||
Chrome will no longer support MacOS 10.15 | ✓ | ||
Deprecate the includeShadowRoots argument on DOMParser | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS Passpoint settings | ✓ | ||
New policy to control Kiosk wake and sleep times | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Policy parity: Custom Configurations for IT admins | ✓ | ||
Legacy Technology report | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Chrome Enterprise Premium product launch
Chrome Enterprise Premium is now available, providing a centralized solution for robust endpoint security, privacy, and control (setup guide). IT and security teams gain extensive network visibility and can easily deploy advanced protection features. Learn more.
- Chrome Browser Cloud Management is now Chrome Enterprise Core
Chrome Enterprise’s cloud management offers a centralized tool for configuring and managing browser policies, settings, apps, and extensions across Chrome – no matter the operating system, device, or location. Learn more.
- Chrome 124 on Linux, MacOS, Windows: Trusted Tester access
- Chrome 126 on Linux, MacOS, Windows: feature rolls out
- Watermarking (trusted tester)
This Chrome Enterprise Premium feature allows admins to overlay a watermark on top of a web page if navigating to it triggers a specific Data Loss Prevention (DLP) rule. You can specify a static string to be displayed as the watermark.
This feature is currently released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- Chrome 124 on Linux, MacOS, Windows: Trusted Tester access
- Chrome 126 on Linux, MacOS, Windows: Feature rolls out
- Chrome Third-Party Cookie Deprecation (3PCD)
As previously announced, Chrome 120 started to restrict third-party cookies by default for 1% of Chrome users to facilitate testing, and subsequent releases will ramp up to 100% of users as early as Q3 2024. The ramp up to 100% of users is subject to addressing any remaining competition concerns of the UK's Competition and Markets Authority (CMA). Browsers that are part of the 1% experiment group also see new Tracking Protection user controls. You can try out these changes in Chrome 120 or higher by enabling
chrome://flags/#test-third-party-cookie-phaseout
.This testing period allows sites to meaningfully preview what it's like to operate in a world without third-party cookies. As bounce-tracking protections are also a part of 3PCD, the users in this group with third-party cookies blocked have bounce tracking mitigations taking effect, so that their state is cleared for sites that get classified as bounce trackers. Most enterprise users are excluded from this 1% experiment group automatically; however, we recommend that admins proactively use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies and opt out managed browsers ahead of the experiment. This gives enterprises time to make the changes required to avoid relying on this policy or on third-party cookies.
We are launching the Legacy Technology Report to help identify third-party cookies use cases. Admins can set the BlockThirdPartyCookies policy to False to re-enable third-party cookies for all sites but this prevents users from changing the corresponding setting in Chrome. Alternatively, to prevent breakage, you can set the CookiesAllowedForUrls policy to allowlist your enterprise applications to continue to receive third-party cookies.
For enterprise end users that are pulled into this experiment group and that are not covered by either enterprise admin policy, they can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site, when necessary. See this help article for more details on how to toggle these settings for the desired configuration.
Bounce tracking protections are also covered by the same policies as cookies and these protections are enforced when the bouncing site is not permitted to use 3P cookies. So setting the BlockThirdPartyCookies policy to false, or setting the CookiesAllowedForUrls policy for a site, prevents bounce tracking mitigations from deleting state for sites.
Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial or the first-party deprecation trial for continued access to third-party cookies for a limited period of time.
The heuristics feature grants temporary third-party cookie access in limited scenarios based on user behavior. This mitigates site breakage caused by third-party cookie deprecation in established patterns, such as identity provider pop ups and redirects.
For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, MacOS, Windows
1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Starting in Chrome 120 on ChromeOS, Linux, MacOS, Windows
- Permissions prompt for Web MIDI API
The Web MIDI API connects to and interacts with Musical Instrument Digital Interface (MIDI) Devices. There have been several reported problems around Web MIDI API's drive-by access to client MIDI devices (see related Chromium bug). To address this problem, the W3C Audio Working Group decided to place an explicit permission on general Web MIDI API access. Originally, the explicit permission was only required for advanced Web MIDI usage in Chrome, including the ability to send and receive system exclusive (SysEx) messages, with gated access behind a permissions prompt. We now intend to expand the scope of the permission to regular Web MIDI API usage.
In Chrome 124, all access to the Web MIDI API requires a user permission. No policies are available to control these changes. If you encounter any issues, file a bug here.
- Chrome 124 on Windows, MacOS, Linux, Android
- Two Chrome extensions to be upgraded to Manifest V3
Two extensions will soon be updated to use Manifest V3: User-Agent Switcher, and Chrome Reporting.
This is a major update with a possibility for bugs, so you can try the Beta version of these extensions today. We encourage you to test them in your environment. If you encounter any issues, file a bug here.
- User-Agent Switcher for Chrome - Beta
- Chrome Reporting Extension - Beta
The User-Agent Switcher URL parser changed, so make sure your existing user agent substitutions work with the new version.
- Chrome 124: Both extensions receive an update, on their Stable version around April 30, 2024.
- Chrome Installer/Updater changes
We are in the process of rolling out a new version of Google Update. As part of this change, the location for GoogleUpdate.exe on Windows changes and it is renamed updater.exe. Note that the previous path continues to persist until the transition is fully completed. GoogleUpdate.exe is also modified to point to updater.exe.
* Previous:
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
* Current:C:\Program Files (x86)\Google\GoogleUpdater\<VERSION>\updater.exe
- Chrome 124 on Windows: These changes appear on Windows.
- Bookmarks and reading list improvements on Android
On Chrome 124 on Android, some users who sign in to Chrome from the Bookmark Manager can use and save bookmarks and reading list items in their Google Account. Relevant enterprise policies, such as BrowserSignin, SyncTypesListDisabled, EditBookmarksEnabled, ManagedBookmarks and ShoppingListEnabled continue to work as before, to configure whether users can use and save items in their Google Account.
- Chrome 124 on Android: Feature rolls out.
- Default Search Engine choice screen
As part of our Digital Markets Act (DMA) compliance, Google is introducing choice screens for users to choose their default search engine within Chrome. The choice from the prompt controls the default search engine setting, currently available at chrome://settings/search.
For enterprises that have chosen to have their administrator set their enterprise users’ search settings using the enterprise policies DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, those policies continue to control their enterprise’s search settings. Where the administrator has not set their enterprise users’ search settings by policy, enterprise users might see a prompt to choose their default search engine within Chrome.
Read more about these policies and the related atomic group.
- Chrome 120 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: 1% users might start getting the choice screen with Chrome 120.
- Starting Chrome 124 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: full roll-out for applicable users.
- Deprecate enterprise policy used for throttling
The underlying code change (throttling same-process, cross-origin display:none iframes) that the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy overrides has been enabled in stable releases since early 2023. Since known issues have been dealt with, we intend to remove the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy in Chrome 124. To read the discussions around the throttling issue (and its resolution), see this Chromium issue report.
- Chrome 124: Policy is removed.
- Chrome Desktop support for Windows ARM64
Chrome is rolling out support for Windows ARM64. We are working on publishing the Enterprise installers. You can continue to test the Canary channel and Beta channel and report bugs there. Note that this is subject to change based on overall stability, as well as feedback from customers. If you encounter any issues, file a bug here.
- Chrome 124 on Windows (ARM): New Enterprise installers will be available towards the end of April or early May.
- Remove enterprise policy used for GREASE
We plan to deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year. The policy will be removed in Chrome 126.
- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows: Policy is deprecated.
- Chrome 126 on Android, ChromeOS, Linux, MacOS, Windows: Policy is removed.
- Deprecate and remove Web SQL
With SQLite over WASM as its official replacement, we plan to remove Web SQL entirely. This will help keep our users secure.
The Web SQL database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.
Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team.
- Chrome 101: In Chrome 101 the WebSQLAccess policy is added. WebSQL will be available when this policy is enabled, while the policy is available until Chrome 123.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a deprecation trial token is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy, or a deprecation trial token.
- Chrome 124: on ChromeOS, LaCrOS, Linux, MacOS, Windows, Android: Starting in Chrome 124, the policy WebSQLAccess and the deprecation trial, which allows for WebSQL to be available, will no longer be available.
- Chrome bandwidth updates
Chrome rolls out a new mechanism for updating certain Chrome components that might result in extra bandwidth used within your fleet. You can control this with the GenAILocalFoundationalModelSettings policy.
- Chrome 124 on Windows, MacOS, Linux
- Form controls support direction value in vertical writing mode
The CSS property writing-mode allows elements to go vertical, but users cannot set the direction in which the value changes. With this feature, we are allowing the form control elements (meter, progress and range input type) to have vertical writing mode and choose the form control's value direction. If direction is rtl, the value is rendered from bottom to top. If direction is ltr, the value is rendered from top to bottom. For more information, see this Chrome for Developers blog post.
- Chrome 124 on Windows, MacOS, Linux, Android
- Remove enterprise policies used for TLS handshake and RSA key usage
In Chrome 114, we introduced InsecureHashesInTLSHandshakesEnabled to control the use of legacy insecure hashes during the TLS handshake process. In Chrome 116, we introduced RSAKeyUsageForLocalAnchorsEnabled to control some server certificate checks. In Chrome 124, both InsecureHashesInTLSHandshakesEnabled and RSAKeyUsageForLocalAnchorsEnabled policies are removed.
Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows: InsecureHashesInTLSHandshakesEnabled and RSAKeyUsageForLocalAnchorsEnabled policies will be removed.
- Shadow root cloneable attribute
The shadow root clonable attribute enables individual control over whether a shadow root is cloneable (via standard platform cloning commands such as
cloneNode()
). Imperative shadow roots can now be controlled via a parameter toattachShadow({clonable:true})
. Declarative shadow roots can be controlled via a new attribute,<template shadowrootmode=open shadowrootclonable>
.Breakage can occur if you are:
a) using declarative shadow DOM
b) cloning templates that contain DSD and
c) expecting those clones to contain cloned shadow roots- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows
- Local passwords stored in Play services on Android
Chrome changes the way local (not syncable) passwords are stored. Previously, they were stored in the Chrome profile. Now they are migrated to the local password storage of the Google Play services similarly to how the Google account passwords are already stored. It also changes the management UI for them to be provided by Google Play services. The Chrome policy PasswordManagerEnabled is still valid but it doesn't control the behavior outside the Chrome binary. Thus, the new password management UI allows users to import or add passwords there manually.
- Chrome 123 on Android: The feature kicks-in for users without local passwords
- Chrome 124 on Android: All local passwords are migrated to the Google Play services.
- X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. This cipher will be used for both TLS 1.3 and QUIC connections.
- Chrome 124 on Windows, MacOS, Linux
- Save to Drive and to Photos
You can directly save a file or document image from the web to your Drive, as well as an image to your Google Photos. You can now change the account to which the file is going to be saved. The relevant policies to control these features are ContextMenuPhotoSharingSettings and DownloadManagerSaveToDriveSettings.
- Chrome 124 on iOS
- Device Bound Session Credentials google.com prototype
The Device Bound Session Credentials project is intended to move the web away from long-lived bearer credentials like cookies, which can be stolen and reused, to credentials that are either short-lived or cryptographically bound to a device. The feature aims at protecting users against credential theft which is typically performed by malware running on the user's device.
The current launch is a proof-of-concept targeting google.com website. In the future, we plan to standardize this approach for other websites and web browsers (Github).
Enterprise admins can control the feature state by using the BoundSessionCredentialsEnabled boolean policy.
- Chrome 124 on Windows: Planned 1% rollout on Chrome stable for google.com cookie binding for the general population. A temporary BoundSessionCredentialsEnabled policy is introduced in this milestone.
- Windows ClearType Text Tuner integration
This feature tracks the work to support picking the contrast and gamma values from the Windows ClearType Text Tuner setting and applying them to Skia text rendering. This ensures that users' text rendering preferences are respected on Windows devices.
- Chrome 124 on Windows, MacOS, Linux
- New and updated policies in Chrome browser
Policy Description MutationEventsEnabled Re-enable deprecated/removed Mutation Events BoundSessionCredentialsEnabled Bind Google credentials to a device AutomaticFullscreenAllowedForUrls Allow automatic fullscreen on these sites AutomaticFullscreenBlockedForUrls Block automatic fullscreen on these sites CloudProfileReportingEnabled Enable Google Chrome cloud reporting for managed profile PrefixedVideoFullscreenApiAvailability Manage the deprecated prefixed video fullscreen API's availability
- Removed policies in Chrome browser
Policy Description WebSQLAccess Force WebSQL to be enabled InsecureHashesInTLSHandshakesEnabled Insecure Hashes in TLS Handshakes Enabled RSAKeyUsageForLocalAnchorsEnabled Check RSA key usage for server certificates issued by local trust anchors GetDisplayMediaSetSelectAllScreensAllowedForUrls Enables auto-select for multi screen captures ThrottleNonVisibleCrossOriginIframesAllowed Allows enabling throttling of non-visible, cross-origin iframes
ChromeOS updates
-
Chrome Apps now enables WebHID features in Chrome App Webview, for VDI and Zoom HID support.
-
ChromeOS 124 now includes a new Quality of Service (QoS) feature that ensures better traffic prioritization of video conferencing and gaming applications on congested Wi-Fi networks. As a result, users can experience smoother video play with less buffering. In this initial release, this feature is not available for managed users.
-
To optimize the size of ChromeOS updates, we now download the required driver once the user signs in and connects a scanner that requires a driver. The driver downloads automatically without any prompt that the user needs to answer. A notification appears to indicate that external drivers are being installed and when installation is complete.
-
Increase the max size for the mouse pointer slider
We have expanded the mouse cursor sizes. You can adjust the cursor size by going into settings, accessibility, cursor and touchpad, and sliding the slider to your preferred size. This can be helpful for people who have low vision, for teachers who want students to follow along during a lesson while presenting, for people who are presenting on a video call, or if you just want to have a larger mouse cursor.
-
Fast Pair is now available for mice on ChromeOS. You can now bring a Fast Pair-compatible mouse close to your ChromeOS device, and be prompted to pair it with one click. For details, see our Help Center article.
-
Extension Cache Invalidation for managed guest login screen
From ChromeOS 124, the ExtensionInstallForcelist policy supports the rollback of extensions for managed guest sessions and the login screen. This gives admins the option to rollback extensions in case of an erroneous rollout of a new version.
-
Instant reboot in Managed Guest Session
ChromeOS 124 introduces a UI for admins to initiate an instant reboot action for Managed Guest Sessions.
-
ChromeOS now supports carrier lock for mobile providers that want to provide subsidized devices to users. On all cellular enabled devices, carriers can lock the device to only allow connection to approved SIM profiles (both eSIM and physical SIM). Locked devices get enrolled to a carrier lock server and when the contract ends, the carrier simply releases the lock and the user is notified on their device. Note that in addition to being blocked for using unauthorized SIM profiles, dev mode is blocked on carrier locked devices.
Admin console updates
-
Inactive browser deletion in Chrome Enterprise Core
Starting in April 2024 until May 2024, for Chrome Enterprise Core, the Inactive period for browser deletion policy will start rolling out and automatically delete enrolled browsers in the Admin console that have been inactive for more than the inactivity period of time determined by the policy. When releasing the policy, the inactivity period of time will have a default value of 540 days. Meaning that by default, all enrolled browsers that have been inactive for more than 540 days will be deleted from your account. Administrators can change the inactive period value using this policy. The maximum value to determine the browser inactivity period will be 730 days and the minimum value is 28 days (learn more).
If you lower the set policy value, it might have a global impact on any currently enrolled browsers. All impacted browsers will be considered inactive and, therefore, be irreversibly deleted. To ensure the deleted browsers re-enroll automatically next time they restart, set the Device Token Management policy value to Delete token before lowering the value of this policy. The enrollment tokens on these browsers need to still be valid at the time of the restart.
-
New filter on the App details page
Introducing a new filter for All users and browsers on the App Details page. This filter allows IT admins to easily view all the managed browsers and managed users where a specific extension or app is installed.
- New policies in Admin console
Policy Name Pages Supported on Category/Field AutomaticFullscreenAllowedForUrls Users & browsers
MGSAndroid
Chrome
ChromeOSUser experience AutomaticFullscreenBlockedForUrls Users & browsers
MGSAndroid
Chrome
ChromeOSUser experience MutationEventsEnabled Users & browsers
MGSAndroid
Chrome
ChromeOS
Android WebviewLegacy site compatibility PrefixedVideoFullscreenApiAvailability Users & browsers
MGSAndroid
Chrome
ChromeOS
FuschiaLegacy site compatibility
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows' UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Administrators may use the UiAutomationProviderEnabled enterprise policy starting in Chrome 125 to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Window: The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
- Keyboard-focusable scroll containers
Making scroll containers focusable using sequential focus navigation greatly improves accessibility. Today, the tab key doesn't focus scrollers unless
tabIndex
is explicitly set to 0 or more.By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using a keyboard's tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a
<textarea>
.- Chrome 125 on Windows, MacOS, Linux, Android
- Interoperable mousemove default action
Chrome allowed canceling
mousemove
events to prevent other APIs like text selection (and even drag-and-drop in the past). This does not match other major browsers; nor does it conform to the UI (event spec).Through this feature, text selection will no longer be the default-action of mousemove. Text selection and drag-and-drop can still be prevented through canceling
selectstart
anddragstart
events respectively, which are spec compliant and fully interoperable.- Chrome 125 on Windows, MacOS, Linux, Android
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 125 on Windows: Network Service sandboxed on Windows.
- Telemetry about pages that trigger keyboard and pointer Lock APIs
When an Enhances Safe Browsing user visits a page that triggers keyboard or pointer lock APIs, attributes of that page will be sent to Safe Browsing.
If the telemetry is sent and the page seems to be malicious, users will see a Safe Browsing warning and their keyboard or pointer will be unlocked if they were locked.
- Chrome 125 on Android, ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia
- Extending Storage Access API (SAA) to non-cookie storage
We propose an extension of the Storage Access API (backwards compatible) to allow access to unpartitioned (cookie and non-cookie) storage in a third-party context, and imagine the API mechanics to be roughly like this (JS running in an embedded iframe):
// Request a new storage handle via rSA (this should prompt the user)
let handle = await document.requestStorageAccess({all: true});
// Write some cross-site localstorage
handle.localStorage.setItem("userid", "1234");
// Open or create an indexedDB that is shared with the 1P context
let messageDB = handle.defaultBucket.indexedDB.open("messages");
The same flow would be used by iframes to get a storage handle when their top-level ancestor successfully called
rSAFor
, just that in this case thestorage-access
permission was already granted and thus therSA
call would not require a user gesture or show a prompt, allowing for hidden iframes accessing storage.
- Remove window-placement alias for permission and permission policy descriptors
Chrome 124 removes thewindow-placement
alias for permission and permission policy descriptors. All instances ofwindow-placement
are replaced withwindow-management
, which better describes the related API functionality. This is a follow-up to Multi-Screen Window Placement API feature enhancements; for more details, see Chrome Platform Status.- Chrome 125 on Windows, MacOS, Linux
- Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies
Chrome 125 adds a cross-site ancestor bit to the keying of the partitioned cookie's
CookiePartitionKey
. This change unifies the partition key with the partition key values used in storage partitioning and adds protection against clickjacking attacks by preventing cross-site embedded frames from having access to the top-level-site's partitioned cookies.If an enterprise experiences any breakage with embedded iframes, they can use the CookiesAllowedForUrls policy or use
SameSite=None
cookies without the Partitioned attribute and then invoke the Storage Access API (SAA) or use the Cross-Origin Resource Sharing (CORS) to ensure that embedded iframes have access to the same cookies as the top level domain.- Chrome 126 on Windows, MacOS, Linux
- Extract text from PDFs for screen reader users
Chrome browser is launching an Optical character recognition (OCR) AI reader for PDFs, creating the first browser built-in PDF screen reader for inaccessible documents, further filling the gap in accessibility for low vision and blind users across the web.
This feature leverages Google's OCR models to extract, compartmentalize, and section PDF documents to make them more accessible. A local machine intelligence library will be added that uses Screen AI technology to analyze screenshots or the accessibility tree, and extract more information to help assistive technology, such as texts (OCR) and main content of the page.
- Chrome 126 on ChromeOS, Linux, MacOS, Windows
- Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 126 on iOS, ChromeOS, Linux, MacOS, Windows: Deprecation of Safe Browsing Extended Reporting
- Remove enterprise policy used for Base URL inheritance
In Chrome 114 we introduced NewBaseUrlInheritanceBehaviorAllowed to prevent users or Google Chrome variations from enabling NewBaseUrlInheritanceBehavior, in case compatibility issues were discovered. In Chrome 125, the temporary NewBaseUrlInheritanceBehaviorAllowed policy will be removed.
- Chrome 125 on Android, ChromeOS, Linux, MacOS, Windows: NewBaseUrlInheritanceBehaviorAllowed policy will be removed.
- App-Bound encryption for cookies
To improve the security of cookies on Windows, the encryption key used for cookie encryption will be further secured by binding it to Chrome's application identity. This can help protect against malware that might attempt to steal cookies from the system. This does not protect against an attacker who is able to elevate privilege or inject into Chrome's processes.
An enterprise policy ApplicationBoundEncryptionEnabled will be available to disable Application Bound encryption.
- Chrome 125 on Windows
- Intent to deprecate: mutation events
Synchronous mutation events, including
DOMSubtreeModified
,DOMNodeInserted
,DOMNodeRemoved
,DOMNodeRemovedFromDocument
,DOMNodeInsertedIntoDocument
, andDOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.- Chrome 127 on Android, ChromeOS, Linux, MacOS, Windows: Mutation events will stop functioning in Chrome 127, around July 30, 2024.
- User link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, MacOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
chrome://flags/#enable-user-link-capturing-pwa
. - Earliest in Chrome 127 on Linux, MacOS, Windows: We will launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if user clicks on chip on address bar).
- Chrome 121 on Linux, MacOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature:
- All extensions must be updated to leverage Manifest V3 by June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core. Read more on the Manifest timeline, including:
- Chrome 110 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Chrome 127 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 128 on Android, ChromeOS, Linux, MacOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- Chrome will no longer support MacOS 10.15
Chrome will no longer support MacOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems to continue to use Chrome browser. Running on a supported operating system is essential to maintaining security. If run on MacOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support MacOS 10.15.
- Chrome 129 on MacOS: Chrome no longer supports MacOS 10.15
- Deprecate the includeShadowRoots argument on DOMParser
The
includeShadowRoots
argument was a never-standardized argument to theDOMParser.parseFromString()
function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() will ship in Chrome 124, the non-standard
Instead of:includeShadowRoots
argument needs to be deprecated and removed. All usage should shift accordingly:(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
document.parseHTMLUnsafe(html);
- Chrome 129 on Windows, Mac, Linux, Android
Upcoming ChromeOS changes
-
As early as ChromeOS 125, you will be able to view and manage Wi-Fi Passpoint in ChromeOS Settings. You will be able to view and remove your installed passpoint subscription under the passpoint detailed page.
-
New policy to control Kiosk wake and sleep times
As early as ChromeOS 125, we will introduce a new kiosk device policy that will allow Admins to schedule when a device will wake and sleep. For more details, see Kiosk settings.
Upcoming Admin console changes
- Policy parity: Custom Configurations for IT admins
The Custom Configurations page allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As a result, all Chrome policies are now configurable in Chrome Enterprise Core in the Admin console, either using the Settings page or the Custom Configurations page. You can also use the page to configure extension installation mode not supported in the Admin console, such as “normal_installed”.
- As early as Chrome 125 on Android, iOS, Linux, Mac, Windows: Trusted Tester access
- As early as Chrome 126 on Android, iOS, Linux, Mac, Windows: Feature rolls out
- Legacy Technology report
As early as Chrome 127, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, third-party cookies, SameSite cookie changes, and older security protocols like TLS 1.0/1.1 and third-party cookies. This information will enable IT administrators to work with developers to plan required tech migrations before the deprecation feature removals goes into effect.
This feature is currently released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.- As early as Chrome 127 on Linux, MacOS, Windows: Legacy Technology report will be available in the Admin console.
Chrome 123
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
Generative AI features | ✓ | ||
Resume tabs | ✓ | ✓ | |
Chrome on Android and iOS: cross-device resumption | ✓ | ||
Resume the last opened tab on any device | ✓ | ||
Change in behavior of the JavaScript JIT policies | ✓ | ||
Chrome Sync ends support for Chrome 81 and earlier | ✓ | ✓ | |
New idle timeout policies on iOS | ✓ | ||
Cross-profile password reuse detection | ✓ | ||
Telemetry for permission prompts and accepting notification permissions | ✓ | ||
ServiceWorker static routing API | ✓ | ||
Private network access checks for navigation requests: warning-only mode | ✓ | ||
Local passwords stored in Play services | ✓ | ||
Zstd content encoding | ✓ | ||
Force Sign-in flows revamp | ✓ | ||
Google Update changes | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS Flex Bluetooth migration | ✓ | ||
Customizing keyboard shortcuts | ✓ | ||
Mouse button customization | ✓ | ||
Faster Split Screen setup | ✓ | ||
ChromeOS Tether Hotspot | ✓ | ||
Per-app language preferences on Android | ✓ | ||
New natural-sounding voices for text-to-speech | ✓ | ||
Data Processor mode rollout for Norway and Belgium | ✓ | ||
Per-app privacy settings | ✓ | ||
Enhanced Android security for new enterprise customers | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Enhanced Settings page experience | ✓ | ||
Remote log collection for ChromeOS devices | ✓ | ||
Inactive browser deletion in Chrome Browser Cloud Management | ✓ | ||
Chrome crash report | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Default Search Engine choice screen | ✓ | ||
User link capturing on PWAs - Windows, MacOS and Linux | ✓ | ||
Permissions prompt for Web MIDI API | ✓ | ||
Three Chrome extensions will be upgraded to Manifest V3 | ✓ | ✓ | |
Bookmarks and reading list improvements on Android | ✓ | ||
Deprecate enterprise policy used for throttling | ✓ | ||
Chrome Desktop support for Windows ARM64 | ✓ | ||
Remove enterprise policy used for GREASE | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Deprecate and remove WebSQL | ✓ | ||
Form controls support direction value in vertical writing mode | ✓ | ||
Remove enterprise policies used for TLS handshake and RSA key usage | ✓ | ||
Shadow root cloneable attribute | ✓ | ||
Remove enterprise policy used for Base URL inheritance | ✓ | ||
Intent to deprecate: mutation events | ✓ | ||
Remove enterprise policy used for legacy same site behavior | ✓ | ||
All extensions must be updated to leverage Manifest V3 by June 2025 | ✓ | ||
Chrome will no longer support macOS 10.15 | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Record GIFs with Screen capture | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Legacy Technology report | ✓ | ||
Policy parity: Custom Configurations for IT admins | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Chrome Third-Party Cookie Deprecation (3PCD)
As previously announced, Chrome 120 started to restrict third-party cookies by default for 1% of Chrome users to facilitate testing, and subsequent releases will ramp up to 100% of users as early as Q3 2024. The ramp up to 100% of users is subject to addressing any remaining competition concerns of the UK's Competition and Markets Authority (CMA). Browsers that are part of the 1% experiment group also see new Tracking Protection user controls. You can try out these changes in Chrome 120 or higher by enabling
chrome://flags/#test-third-party-cookie-phaseout
.This testing period allows sites to meaningfully preview what it's like to operate in a world without third-party cookies. As bounce-tracking protections are also a part of 3PCD, the users in this group with third-party cookies blocked have bounce tracking mitigations taking effect, so that their state is cleared for sites that get classified as bounce trackers. Most enterprise users are excluded from this 1% experiment group automatically; however, we recommend that admins proactively use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies and opt out managed browsers ahead of the experiment. This gives enterprises time to make the changes required to avoid relying on this policy or on third-party cookies.
We are launching the Legacy Technology Report to help identify third-party cookies use cases. Admins can set the BlockThirdPartyCookies policy to false to re-enable third-party cookies for all sites but this will prevent users from changing the corresponding setting in Chrome. Alternatively, to prevent breakage, you can set the CookiesAllowedForUrls policy to allowlist your enterprise applications to continue receiving third-party cookies.
For enterprise end users that are pulled into this experiment group and that are not covered by either enterprise admin policy, they can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site, when necessary. See this Help Center article for more details on how to toggle these settings for the desired configuration.
Bounce tracking protections are also covered by the same policies as cookies and these protections are enforced when the bouncing site is not permitted to use 3P cookies. So setting the BlockThirdPartyCookies policy to false, or setting the CookiesAllowedForUrls policy for a site, prevents bounce tracking mitigations from deleting state for sites.
Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial or the first-party deprecation trial for continued access to third-party cookies for a limited period of time.
The heuristics feature grants temporary third-party cookie access in limited scenarios based on user behavior. This mitigates site breakage caused by third-party cookie deprecation in established patterns, such as identity provider pop ups and redirects.
For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, MacOS, Windows
1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Starting in Chrome 120 on ChromeOS, Linux, MacOS, Windows
- Generative AI features
In Chrome 122, 3 Generative AI (GenAI) features became available for managed users that have signed into Chrome browser: Tab Organizer, Create themes, and Help me write (not available on ChromeOS). Initially, these 3 features are only available to users (18+) in English in the USA. Admins can control these by using the TabOrganizerSettings, CreateThemesSettings and HelpMeWriteSettings policies.
Starting in Chrome 123, we will gradually roll out these features and some users will no longer need to opt in to Experimental AI to use the features if admins set the policies to enabled.
- Chrome 122 on ChromeOS, Linux, Mac, Windows: GenAI features (Tab Organizer, Create themes) become available to managed users in the USA. Users need to turn on Experimental AI.
- Chrome 123 on ChromeOS, Linux, Mac, Windows: Features (Tab Organizer, Create themes) become available to managed users in the USA. Some users will have the feature enabled by default; others will still be able to manually opt in via the Experimental AI settings page. In both cases, the features will not be available if disabled via policy.
- Resume tabs
Chrome 123 introduces a new card on the New tab page, which helps users continue with tab suggestions from other devices. Using the NTPCardsVisible policy, admins can control this feature, and other cards on the New tab page.
- Chrome 123 on ChromeOS, Linux, Mac, Windows
- Chrome on Android and iOS: cross-device resumption
To help users resume tasks originating from other devices, Chrome now provides cross-device tab suggestions on the New tab page or Home surfaces on Chrome on Android and Chrome on iOS.
- Chrome 123 on Android, iOS: Feature launches
- Resume the last opened tab on any device
For the last open tab on any device within the last 24 hours with the same signed-in user profile, Chrome now offers users a quick shortcut to resume that tab. Admins can control this feature using an existing enterprise policy called SyncTypesListDisabled.
- Chrome 123 on iOS: Feature launches
- Change in behavior of the JavaScript JIT policies
As early as Chrome 122, enabling the DefaultJavaScriptJitSetting policy and disabling JavaScript JIT no longer resulted in WebAssembly being fully disabled. The V8 optimizing JIT will continue to be disabled by setting this policy. This allows Chrome to render web content in a more secure configuration.
- Chrome Sync ends support for Chrome 81 and earlier
Chrome Sync will no longer support Chrome 81 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 123 on Android, iOS, ChromeOS, Linux, MacOS, Windows: The change will be implemented.
- New idle timeout policies on iOS
Enterprises are now able to enforce taking an action after Chrome has been idle for some amount of time on iOS devices. Admins can use the IdleTimeout policy to set a timeout period and the IdleTimeoutActions policy to specify actions on timeout. The setting will be available as a platform policy and will be available per user profile at a future date.
- Chrome 123 on iOS: Policies available on iOS.
- Cross-profile password reuse detection
Previously, password reuse detection of corporate credentials was only detectable in the corporate profile. In Chrome 123, password reuse detection will detect corporate credential reuse across all non-Incognito profiles on the managed browser.
- Chrome 123: Feature rolls out to enterprises that have MetricsReportingEnabled set to enabled.
- Telemetry for permission prompts and accepting notification permissions
When Enhanced Protection is turned on, and a user visits a page that prompts the user to accept a notification permission, attributes of that page might be sent to Safe Browsing. If the telemetry is sent and the page is deemed dangerous, users will see a Safe Browsing warning.
When Enhanced Protection or Safe Browsing Extended Reporting is turned on, and a user accepts a notification permission for a blocklisted page, this event will be sent to Safe Browsing.
These features can be controlled by the SafeBrowsingProtectionLevel and SafeBrowsingExtendedReportingEnabled policies.
- Chrome 123 Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia: Feature rolls out to enterprises that have MetricsReportingEnabled set to enabled.
- ServiceWorker static routing API
This API allows developers to configure the routing, and allows them to offload simple things ServiceWorkers do. If the condition matches, the navigation happens without starting ServiceWorkers or executing JavaScript, which allows web pages to avoid performance penalties due to ServiceWorker interceptions.
- Chrome 123 on Windows, Mac, Linux, Android
- Private network access checks for navigation requests: warning-only mode
Before a website navigates to a destination site in a user's private network, Chrome will do the following:
1. Checks whether the original navigation request has been initiated from a secure context.
2. Sends a preflight request, and checks whether the destination site responds with a header that allows private network access.
The above checks are made to protect the user's private network. Since this feature operates in warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in DevTools Chrome console, to help developers prepare for the coming enforcement. To read about these changes, see Private Network Access (PNA) for Navigation Requests. To learn more, see the PNA specification.
- Chrome 123 on Android (except for WebView), ChromeOS, Linux, MacOS, Windows: Warning-only mode.
- Earliest Chrome 130 on Android (except for WebView), ChromeOS, Linux, MacOS, Windows: Requests will fail.
- Local passwords stored in Play services
Chrome changes the way local (not syncable) passwords are stored. Previously they were stored in the Chrome profile. Now they are gonna be migrated to the local password storage of the Google Play services similarly to how the Google account passwords are already stored. It also changes the management UI for them to be provided by Google Play services. The Chrome policy PasswordManagerEnabled is still valid but it doesn't control the behavior outside the Chrome binary. Thus, the new password management UI allows users to import or add passwords there manually.
- Chrome 123 on Android: The feature kicks-in for users without local passwords
- Chrome 124 on Android: All local passwords are migrated to the Google Play services.
- Zstd content encoding
Chrome is adding support for Zstandard (zstd) as a data compression mechanism. Supporting zstd content encoding in the browser allows sites to spend less time and CPU or power on compression on their servers, resulting in reduced server costs. A temporary enterprise policy ZstdContentEncodingEnabled is available to turn off the zstd content encoding feature.
- Chrome 123 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia: Support for zstd is added.
- Force sign-in flows revamp
When the BrowserSignin policy is set to Force users to sign-in to use the browser, users now sign in to Chrome browser by following the standard sign-in procedure through the Profile Picker.
Previously, the Force sign-in flow had a specific UI dialog that did not follow typical Chrome style or standards. Now the flows are aligned with the regular sign-in flows. We’ve also improved error handling by displaying sign-in errors in a regular dialog with actionable buttons.
- Chrome 123 on Mac, Windows: Full launch
- Google Update changes
We are in the process of rolling out a new version of Google Update. As part of this change, the location for GoogleUpdate.exe on Windows will change and will be named updater.exe. Note that the previous path will continue to persist until the transition is fully completed.
- Previous: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
- Current: C:\Program Files (x86)\Google\GoogleUpdater\VERSION\updater.exe
- New and updated policies in Chrome browser
Policy Description WebAnnotations Allow detecting plain text entities in web pages (on iOS only) IdleTimeout Delay before running idle actions (now also available on iOS) IdleTimeoutActions Actions to run when the computer is idle (now also available on iOS) ChromeForTestingAllowed Allow Chrome for Testing RemoteAccessHostAllowPinAuthentication Allow PIN and pairing authentication methods for remote access hosts RemoteAccessHostAllowUrlForwarding Allow remote access users to open host-side URLs in their local client browser DownloadManagerSaveToDriveSettings Allow saving files directly to Google Drive
ChromeOS updates
- ChromeOS Flex Bluetooth migration
In ChromeOS 123, ChromeOS Flex will upgrade to the Floss Bluetooth stack. As part of this upgrade, the listed devices no longer support Bluetooth functionality. If Bluetooth functionality is critical for these devices, we recommend moving these devices to the LTS channel to extend the Bluetooth functionality through to October 2024.
- HP Probook 4530s
- Lenovo ThinkPad T420
- HP Elitebook 8460p
- Apple iMac 11,2
- Lenovo ThinkPad x220
- Dell Vostro 3550
- HP 3115m
- HP Elitebook 2560p
- HP ProBook 6465b
- Lenovo ThinkPad L420
If your devices are unable to connect to Bluetooth after updating to ChromeOS 123, switch the Chrome flag Use Floss instead of BlueZ to Disabled.
- Customizing keyboard shortcuts
Using shortcuts boosts productivity, and we all have our favorites. In ChromeOS 123, with shortcut customization, you will be able to assign your preferred key combination to personalize your shortcuts. Whether you want them to be easier to do with one hand, simpler to remember, or identical to the ones you're familiar with, this feature will simplify your day-to-day workflows.
- Mouse button customization
Mouse button customization on Chromebook helps users complete quick actions with the click of a button. If your mouse has more than two buttons, you can now assign those to a set list of actions such as taking a screenshot, muting and unmuting, inserting emojis, and so on. You can also select a key combination to assign to your buttons any action performed by a keyboard shortcut.
- Faster Split Screen setup
Chromebooks provide a variety of ways to arrange the windows on your screen to help make you more productive — one of which is Split Screen. Just as it sounds, Faster Split Screen setup offers a quicker way to set up your window layout by showing an overview of your open windows on the other side of the screen. With Faster Split Screen, once you snap (or lock) a window in place on one side, you can choose an already-open window from Overview to snap into the other side, or select something from the shelf (the row of apps located at the bottom or side of your screen).
- ChromeOS Tether Hotspot
Hotspot is now available on ChromeOS! You can now share your cellular network on your Chromebook as a hotspot to other devices without an internet connection! Enable your first hotspot by opening Network Settings and toggling on Hotspot. In ChromeOS 123, we only support T-Mobile in the US but we are working to add other networks in future releases.
- Per-app language preferences on Android
You can now change to your preferred language for your Android apps. These new settings are available in Settings > Apps > Manage your apps > App language.
- New natural-sounding voices for text-to-speech
In ChromeOS 123, we’ve added new natural sounding TTS voices that work offline and are available in 31 languages.
- Data Processor mode rollout for Norway and Belgium
In August 2023, data processor mode for ChromeOS was launched in the Netherlands to give organizations more transparency and control over data sent to, and processed by Google. As interest in this space increased recently, we are making data processor mode generally available in additional countries, starting with Norway and Belgium. This product is available in the Admin console through Device > Chrome > Compliance. For more information, see our Help Center article.
- Per-app privacy settings
ChromeOS 123 makes privacy controls on Chromebooks easier to manage by consolidating app permissions and privacy controls. This gives users more transparency by showing what apps need access to privacy sensors, and how app permissions are affected by privacy control states. Now with the per-app permissions, for microphone and camera, instead of going to two separate places (privacy controls and app settings), users can directly go to privacy settings to view what apps need access to these sensors and modify app permissions.
- Enhanced Android security for new enterprise customers
ChromeOS 123 enhances the default app security level for enterprise customers. On new enterprise domains, ChromeOS now deactivates Android apps for unaffiliated ChromeOS users by default. Unaffiliated ChromeOS users are users on unmanaged devices or on devices that are managed by a different domain than the user.
Existing enterprise domains will not be affected by this change. Any new or existing education customer will not be affected.
Enterprise customers who want to change the default setting, see our Help Center article.
Admin console updates
- Enhanced Settings page experience
Starting in March 2024, all admins will use our updated Settings page experience–that means you’ll no longer be able to use the legacy Settings page experience. Most of you already use the updated experience. This just means that admins will no longer be able to access the legacy view, but you'll still have access to all the same functionality in the updated view.
- Remote log collection for ChromeOS devices
If you experience problems with a managed ChromeOS device, you can troubleshoot by capturing additional logs from the Device details page in the Admin console.You can remotely collect logs for following use cases :
- Kiosk devices
- Affiliated and unaffiliated signed-in users
- Managed guest sessions
- Login and Locked screen
For more information, see this Help Center article, Remote log collection for ChromeOS devices.
- Inactive browser deletion in Chrome Browser Cloud Management
The Inactive period for browser deletion policy is now available for early access in the Admin console. For IT admins who find the 18 month default inadequate, this will allow them to explicitly set a policy value (inactivity period of time) a few weeks before the actual deletion starts.
Starting in April 2024 until May 2024, the Inactive period for browser deletion policy will start rolling out and automatically delete enrolled browsers in the Admin console that have been inactive for more than the inactivity period of time determined by the policy. When releasing the policy, the inactivity period of time will have a default value of 540 days. Meaning that by default, all enrolled browsers that have been inactive for more than 540 days will be deleted from your account. Administrators can change the inactive period value using this policy. The maximum value to determine the browser inactivity period will be 730 days and the minimum value is 28 days.
If you lower the set policy value, it might have a global impact on any currently enrolled browsers. All impacted browsers will be considered inactive and, therefore, be irreversibly deleted. To ensure the deleted browsers re-enroll automatically next time they restart, set the Device Token Management policy value to Delete token before lowering the value of this policy. The enrollment tokens on these browsers need to still be valid at the time of the restart.
- Chrome crash report
In Chrome 123, you can visualize crash events in the Admin console using the new Chrome crash report page. In this report, you will find a dynamic chart representing Chrome crash events over time, grouped by versions of Chrome. Additional filtering is available for the following fields: OS platforms, Chrome channels and dates. This report helps you proactively identify potential Chrome issues within your organization.
- Chrome 121 on Linux, MacOS, Windows: Trusted Tester program
- Chrome 123 on Linux, MacOS, Windows: Feature rolls out
- New policies in Admin console
Policy Name Pages Supported on Category/Field ShortcutCustomizationAllowed User/MGS ChromeOS 123+ User accessibility DeleteKeyModifier User/MGS ChromeOS 123+ User accessibility HomeAndEndKeysModifier User/MGS ChromeOS 123+ User accessibility InsertKeyModifier User/MGS ChromeOS 123+ User accessibility PageUpAndPageDownKeysModifier User/MGS ChromeOS 123+ User accessibility F11KeyModifier User/MGS ChromeOS 123+ User accessibility F12KeyModifier User/MGS ChromeOS 123+ User accessibility ChromeForTestingAllowed User ChromeOS 123+ User experience DownloadManagerSaveToDriveSettings User ChromeOS 123+ User experience
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Default Search Engine choice screen
As part of our Digital Markets Act (DMA) compliance, Google is introducing choice screens for users to choose their default search engine within Chrome. The choice from the prompt controls the default search engine setting, currently available at chrome://settings/search.
For enterprises that have chosen to have their administrator set their enterprise users’ search settings using the enterprise policies DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, those policies continue to control their enterprise’s search settings. Where the administrator has not set their enterprise users’ search settings by policy, enterprise users might see a prompt to choose their default search engine within Chrome.
Read more about these policies and the related atomic group.
- Chrome 120 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: 1% users might start getting the choice screen with Chrome 120.
- Later this year on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: full roll-out for applicable users.
- User link capturing on PWAs - Windows, MacOS and Linux
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
Some issues were discovered with the current implementation, so we will not launch this feature in Chrome 123 as initially announced. We definitely plan to launch link capturing this year (bug).
- Chrome 121 on Linux, MacOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Future milestone in 2024 on Linux, MacOS, Windows: We will launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if user clicks on chip on address bar).
- Permissions prompt for Web MIDI API
The Web MIDI API connects to and interacts with Musical Instrument Digital Interface (MIDI) Devices. There have been several reported problems around Web MIDI API's drive-by access to client MIDI devices (see related Chromium bug). To address this problem, the W3C Audio Working Group decided to place an explicit permission on general Web MIDI API access. Originally, the explicit permission was only required for advanced Web MIDI usage in Chrome, including the ability to send and receive system exclusive (SysEx) messages, with gated access behind a permissions prompt. We now intend to expand the scope of the permission to regular Web MIDI API usage.
In Chrome 124, all access to the Web MIDI API will require a user permission. No policies will be available to control these changes. If you encounter any issues, file a bug here.
- Chrome 124 on Windows, MacOS, Linux, Android
- Three Chrome extensions will be upgraded to Manifest V3
Three extensions will soon be updated to use Manifest V3: Legacy Browser Support for Edge, User-Agent Switcher, and Chrome Reporting.
This is a major update with a possibility for bugs, so you can try the Beta version of these extensions today. We encourage you to test them in your environment. If you encounter any issues, file a bug here.
- Legacy Browser Support for Microsoft Edge - Beta
- User-Agent Switcher for Chrome - Beta
- Chrome Reporting Extension - Beta
The User-Agent Switcher URL parser changed, so make sure your existing user agent substitutions work with the new version.
- Chrome 124: All three extensions receive an update, on their stable version around April 30, 2024.
- Bookmarks and reading list improvements on Android
On Chrome 124 on Android, some users who sign in to Chrome from the Bookmark manager will be able to use and save bookmarks and reading list items in their Google Account. Relevant enterprise policies, such as BrowserSignin, SyncTypesListDisabled, EditBookmarksEnabled, ManagedBookmarks and ShoppingListEnabled will continue to work as before, to configure whether users can use and save items in their Google Account.
- Chrome 124 on Android: Feature rolls out.
- Deprecate enterprise policy used for throttling
The underlying code change (throttling same-process, cross-origin display:none iframes) that the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy overrides has been enabled in stable releases since early 2023. Since known issues have been dealt with, we intend to remove the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy by Chrome 124. The discussions around the throttling issue (and its resolution) can be found in this Chromium bug.
- Chrome 124: Policy is removed.
- Chrome Desktop support for Windows ARM64
Chrome is rolling out support for Windows ARM64. We are working on publishing the Enterprise installers. You can continue to test the Canary channel and report bugs there. Note that this is subject to change based on overall stability, as well as feedback from customers. If you encounter any issues, file a bug here.
- Chrome 124 on Windows (ARM): New Enterprise installers are available.
- Remove enterprise policy used for GREASE
We plan to deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year. The policy will eventually be removed.
- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows: Policy is deprecated.
- Chrome 126 on Android, ChromeOS, Linux, MacOS, Windows: Policy is removed.
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 124 on Windows: Network Service sandboxed on Windows.
- Deprecate and remove WebSQL
With SQLite over WASM as its official replacement, we plan to remove WebSQL entirely. This will help keep our users secure.
The Web SQL database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.
Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team.
- Chrome 101: In Chrome 101 the WebSQLAccess policy is added. WebSQL will be available when this policy is enabled, while the policy is available until Chrome 123.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a deprecation trial token is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy, or a deprecation trial token.
- Chrome 124: on ChromeOS, LaCrOS, Linux, MacOS, Windows, Android: Starting in Chrome 124, the policy WebSQLAccess and the deprecation trial, which allows for WebSQL to be available, will no longer be available.
- Form controls support direction value in vertical writing mode
The CSS property writing-mode allows elements to go vertical, but users cannot set the direction in which the value changes. With this feature, we are allowing the form control elements (meter, progress and range) input type to have vertical writing mode and choose the form control's value direction. If direction is rtl, the value is rendered from bottom to top. If direction is ltr, the value is rendered from top to bottom. For more information, see this Chrome for Developers blog post.
- Chrome 124 on Windows, Mac, Linux, Android
- Remove enterprise policies used for TLS handshake and RSA key usage
In Chrome 114, we introduced InsecureHashesInTLSHandshakesEnabled to control the use of legacy insecure hashes during the TLS handshake process. In Chrome 116, we introduced RSAKeyUsageForLocalAnchorsEnabled to check RSA key usage for server certificates issued by local trust anchors. In Chrome 124, both InsecureHashesInTLSHandshakesEnabled and RSAKeyUsageForLocalAnchorsEnabled policies will be removed.
- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows: InsecureHashesInTLSHandshakesEnabled and RSAKeyUsageForLocalAnchorsEnabled policies will be removed.
- Shadow root cloneable attribute
The shadow root clonable attribute enables individual control over whether a shadow root is cloneable (via standard platform cloning commands such as `
cloneNode()`
). Imperative shadow roots can now be controlled via a parameter to`attachShadow({clonable:true})`
. Declarative shadow roots can be controlled via a new attribute,`<template shadowrootmode=open shadowrootclonable>`
.Breakage can occur if you are:
- using declarative shadow DOM
- cloning templates that contain DSD and
- expecting those clones to contain cloned shadow roots
- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows
- Remove enterprise policy used for Base URL inheritance
In Chrome 114 we introduced NewBaseUrlInheritanceBehaviorAllowed to prevent users or Google Chrome variations from enabling NewBaseUrlInheritanceBehavior, in case compatibility issues were discovered. In Chrome 125 the temporary NewBaseUrlInheritanceBehaviorAllowed policy will be removed.
- Chrome 125 on Android, ChromeOS, Linux, MacOS, Windows: NewBaseUrlInheritanceBehaviorAllowed policy will be removed.
- Intent to deprecate: mutation events
Synchronous mutation events, including
DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument
, andDOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.- Chrome 127 on Android, ChromeOS, Linux, MacOS, Windows: Mutation events will stop functioning in Chrome 127, around July 30, 2024.
- Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 128 on Android, ChromeOS, Linux, MacOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- All extensions must be updated to leverage Manifest V3 by June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:
- Chrome 110 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Chrome 127 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.
- Chrome will no longer support macOS 10.15
Chrome will no longer support macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems to continue to use Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support macOS 10.15.
- Chrome 129 on MacOS: Chrome no longer supports macOS 10.15
Upcoming ChromeOS changes
- Record GIFs with Screen capture
As early as ChromeOS 124, Screen capture will let you record your screen in .GIF format to easily capture, share, and play the recording inline in chat, slides, docs, and more.
Upcoming Admin console changes
- Legacy Technology report
As early as Chrome 124, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, third-party cookies, SameSite cookie changes, and older security protocols like TLS 1.0/1.1 and third-party cookies. This information will enable IT administrators to work with developers to plan required tech migrations before the deprecation feature removals goes into effect.
This feature is currently released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- As early as Chrome 124 on Linux, MacOS, Windows: Legacy Technology report will be available in the Admin console.
- Policy parity: Custom Configurations for IT admins
The Custom Configurations page allows IT admins to configure Chromium policies that are not yet in the Admin console, using JSON scripts. As a result, all Chrome policies are now configurable in Chrome Browser Cloud Management in the Admin console, either using the Settings page or the Custom Configurations page.
- As early as Chrome 124 on Android, iOS, Linux, Mac, Windows: Trusted Tester access
- As early as Chrome 125 on Android, iOS, Linux, Mac, Windows: Feature rolls out
Chrome 122
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
Generative AI features | ✓ | ||
Simplified sign-in and sync experience on iOS | ✓ | ✓ | |
SharedImages for PPAPI Video Decode | ✓ | ||
New download URLs for Chrome browser (Enterprise) | ✓ | ||
New V8 security setting | ✓ | ||
Read aloud | ✓ | ||
Removal of enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed | ✓ | ||
Asynchronous server-side Safe Browsing check | ✓ | ||
Improved download warnings on the Chrome Downloads page | ✓ | ||
Skip unload events | ✓ | ||
Autofill: security code updates | ✓ | ||
Removing unenrollment from Unified Password Manager | ✓ | ||
Chrome on iOS: bottom address bar | ✓ | ||
DefaultSearchProvider policy changes | ✓ | ||
Change in behavior of the JavaScript JIT policies | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Content scanning with BCE | ✓ | ||
Battery Saver | ✓ | ||
Enhanced SAML reauthentication flows | ✓ | ||
Badge-based authentication | ✓ | ||
Edit your recordings with Screencast | ✓ | ||
IkeV2 VPN support | ✓ | ✓ | |
Mandatory extensions in Incognito | ✓ | ✓ | |
New look for ChromeOS media player | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Inactive browser deletion in Chrome Browser Cloud Management | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Default Search Engine choice screen | ✓ | ||
User link capturing on PWAs - Windows, MacOS and Linux | ✓ | ||
Resume tabs | ✓ | ||
Chrome on Android or iOS: cross-device resumption | ✓ | ||
Resume the last opened tab on any device | ✓ | ||
Permissions prompt for Web MIDI API | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Chrome Sync ends support for Chrome 81 and earlier | ✓ | ✓ | |
Deprecate and remove WebSQL | ✓ | ||
IdleTimeout and IdleTimeoutActions Policies on iOS | ✓ | ||
Cross Profile Password Reuse Detection | ✓ | ||
Telemetry for permission prompts and accepting notification permissions | ✓ | ||
ServiceWorker static routing API | ✓ | ||
Private network access checks for navigation requests: warning-only mode | ✓ | ||
Bookmarks and reading list improvements on Android | ✓ | ||
Deprecate enterprise policy ThrottleNonVisibleCrossOriginIframesAllowed | ✓ | ||
Remove support for UserAgentClientHintsGREASEUpdateEnabled | ✓ | ||
Intent to deprecate: Mutation Events | ✓ | ||
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | ✓ |
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS Flex Bluetooth Migration | ✓ | ||
Customizing keyboard shortcuts | ✓ | ||
Record GIFs with Screen capture | ✓ | ||
Faster Split Screen setup | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Enhanced Settings page experience | ✓ | ||
Chrome crash report | ✓ | ||
Legacy Technology report | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Chrome Third-Party Cookie Deprecation (3PCD)
As previously announced, Chrome 120 started to restrict third-party cookies by default for 1% of Chrome users to facilitate testing, and subsequent releases will ramp up to 100% of users as early as Q3 2024. The ramp up to 100% of users is subject to addressing any remaining competition concerns of the UK's Competition and Markets Authority (CMA). Browsers that are part of the 1% experiment group also see new Tracking Protection user controls. You can try out these changes in Chrome 120 or higher by enabling
chrome://flags/#test-third-party-cookie-phaseout
.This testing period allows sites to meaningfully preview what it's like to operate in a world without third-party cookies. As bounce-tracking protections are also a part of 3PCD, the users in this group with third-party cookies blocked have bounce tracking mitigations taking effect, so that their state is cleared for sites that get classified as bounce trackers. Most enterprise users are excluded from this 1% experiment group automatically; however, we recommend that admins proactively use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies and opt out managed browsers ahead of the experiment. This gives enterprises time to make the changes required to avoid relying on this policy or on third-party cookies.
We are launching the Legacy Technology Report to help identify third-party cookies use cases. Admins can set the BlockThirdPartyCookies policy to false to re-enable third-party cookies for all sites but this will prevent users from changing the corresponding setting in Chrome. Alternatively, to prevent breakage, you can set the CookiesAllowedForUrls policy to allowlist your enterprise applications to continue receiving third-party cookies.
For enterprise end users that are pulled into this experiment group and that are not covered by either enterprise admin policy, they can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site, when necessary. See this help article for more details on how to toggle these settings for the desired configuration.
Bounce tracking protections are also covered by the same policies as cookies and these protections are enforced when the bouncing site is not permitted to use 3P cookies. So setting the BlockThirdPartyCookies policy to false, or setting the CookiesAllowedForUrls policy for a site, prevents bounce tracking mitigations from deleting state for sites.
Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial or the first-party deprecation trial for continued access to third-party cookies for a limited period of time.
The heuristics feature grants temporary third-party cookie access in limited scenarios based on user behavior. This mitigates site breakage caused by third-party cookie deprecation in established patterns, such as identity provider pop ups and redirects.
For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, MacOS, Windows
1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Starting in Chrome 120 on ChromeOS, Linux, MacOS, Windows
- Generative AI features
Starting in Chrome 122, there are 3 Generative AI (GenAI) features that are now also available for managed users that have signed into Chrome browser:
- Tab organizer: Chrome can automatically suggest tab groups for users based on the URL and title of opened websites. To use this feature, right-click on a tab, and select Organize similar tabs.
- Create themes with AI: Chrome lets users create a unique Chrome theme (a combination of a color and a wallpaper image) using GenAI. To use the feature, open a new tab, and at the bottom right, click Customize Chrome. On the side panel, select Change theme > Create with AI. Users can then choose from preset options for subject, mood, style, and color.
-
Get help writing on the web with AI: This feature helps users write with more confidence and kickstart the writing process in free-form text fields on the web. To use this feature, right-click on a text field, and select Help me write (not available on ChromeOS).
Initially, these 3 features are only available to users in English in the US. Admins can control these by using the TabOrganizerSettings, CreateThemesSettings and HelpMeWriteSettings policies. For each feature, you have the following options for your organization:
- 0 = Enable the feature and send data to help improve AI models
- 1 = Enable the feature but don’t send data to help improve AI models
- 2 = Fully disable feature
You can find more information in the Tab group suggestions, Create themes, and Help me write help center articles.
- Simplified sign-in and sync experience on iOS
Starting in Chrome 122, existing users on iOS with Chrome sync turned on now experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync no longer appears as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality that saves and accesses Chrome data in the Google Account can be turned off fully (via SyncDisabled) or partially (via SyncTypesListDisabled). Sign-in to Chrome can be required or disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Chrome 117: no longer shows Chrome sync as a separate feature for users who didn't have Chrome sync enabled at the time.
- Chrome 122: no longer shows Chrome sync as a separate feature for users who had Chrome sync enabled by migrating them to an equivalent state.
- SharedImages for PPAPI video decoder
Chrome 122 removes the PPAPISharedImagesForVideoDecoderAllowed policy, used to control the recent refactor for VideoDecoder APIs in PPAPI plugin. This policy was introduced on a temporary basis in Chrome 119.
- Chrome 119 on ChromeOS, LaCrOS: Introduces escape hatch policy.
- Chrome 122 on ChromeOS, LaCrOS: Escape hatch policy and corresponding old code paths are removed.
- New download URLs for Chrome browser (Enterprise)
From February 8th, the main download pages for Chrome Browser Enterprise (Windows and MacOS) change to:
- Windows https://chromeenterprise.google/download/?modal-id=download-chrome-demo#windows-download
- MacOS https://chromeenterprise.google/download/?modal-id=download-chrome-demo#mac-download
To avoid disruption, enterprises that leverage automation to download Chrome need to change their scripts to capture these URL changes.
- New V8 security setting
Chrome 122 adds a new setting on
chrome://settings/security
to disable the V8 JIT optimizers, to reduce the attack surface of Chrome browser. This behavior continues to be controlled by the DefaultJavaScriptJitSetting enterprise policy, and the associated JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies. The setting is integrated into Site Settings. The enterprise policies have been available since Chrome 93.- Chrome 122 on ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia
- Read aloud
Read aloud allows users of Chrome on Android to listen to web pages using text to speech technology. Users can now access this feature via the overflow menu and control playback via audio controls.
Read aloud sends the page URL to Google servers to power playback, and users who use it need to enable the settings menu item Make searches and browsing better.
Setting the ListenToThisPageEnabled policy to true allows users to have eligible web pages read aloud using text-to-speech. This is achieved by server side content distillation and audio synthesis. Setting to false disables this feature, and if this policy is set to default or left unset, Read aloud is enabled.
- Chrome 122 on Android: Feature launches
- Removal of enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed
Chrome 122 removes the temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed, which was made available in Chrome 116 to give enterprises time to address possible breakage related to Chrome Apps webview usage changes.
- Chrome 122 on Linux, MacOS, Windows, ChromeOS: Enterprise Policy ChromeAppsWebViewPermissiveBehaviorAllowed removed
- Asynchronous server-side Safe Browsing check
Today Safe Browsing checks are on the blocking path of page loads, meaning that users cannot see the page until the checks are complete. To improve Chrome's loading speed, checks with the server-side Safe Browsing list no longer block page loads in Chrome 122.
We have evaluated the risk and put mitigations in place:
1) To protect against direct exploits against the browser, local list checks are still conducted in a synchronous manner so that malicious payloads cannot run until the local list check is complete.
2) To protect against phishing attacks, we've looked at data and concluded that it is unlikely the user would have significantly interacted with the page (for example, typed a password) by the time we show a warning.
- Chrome 122 on Android, ChromeOS, LaCrOS, Linux, MacOS, Windows: Feature launches
- Improved download warnings on the Chrome Downloads page
To help reduce consequences of downloading malware, we’re cleaning up desktop download warning strings and patterns to be clear and consistent.
- Chrome 122 on ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia: Feature launches
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events.
In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of a Permissions-Policy API and an enterprise policy ForcePermissionPolicyUnloadDefaultEnabled, which allow you to selectively keep the behavior unchanged.
- Chrome 117 on ChromeOS, Linux, MacOS, Windows: Dev Trial
- Chrome 119 on ChromeOS, Linux, MacOS, Windows: Introduces ForcePermissionPolicyUnloadDefaultEnabled policy
- Chrome 122 -132 on ChromeOS, Linux, MacOS, Windows: Deprecation trial (general rollout of deprecation will be limited scope until deprecation trial is ready)
- Chrome 122 unload handlers will be gradually skipped for 1% of users on top-50 sites, as proposed here.
- Autofill: security code updates
In Chrome 122, payments autofill allows you to save security codes for local and server cards to improve user experience. Security codes are only saved if a user consents to saving it. Users always have the option to turn security code saving off in Chrome Settings.
- Chrome 122 on Android, MacOS: feature rolls out
- Removing unenrollment from Unified Password Manager
Chrome 122 removes unenrollment from Unified Password Manager on Android. When Google Play Services responds with an error users lose access to Password Manager features (password saving or updating, password generation) until the error is resolved. For some errors, there is an error message with an action button to resolve the problem. Other issues are supposed to be temporary (for example, during Google Play Services update).
- Chrome 122 on Android: feature rolls out
- Chrome on iOS: bottom address bar on iPhone
We recently launched a customizable address bar that allows users to choose between a top and a bottom address bar on iPhone. The address bar position picker screen is now added to the First Run Experience.
- Chrome 122 on iOS: feature rolls out
- DefaultSearchProvider policy changes
In Chrome 122, we are making some changes to the DefaultSearchProvider* policies. We have removed the DefaultSearchProviderIconURL on all platforms because Chrome now uses the favicon image provided by the search engine. DefaultSearchProviderKeyword and DefaultSearchProviderNewTabURL are not supported on iOS and Android, alongside (but support continues on) Linux, Mac OS and Windows. We fixed the supported platform set to reflect this.
- Change in behavior of the JavaScript JIT policies
In Chrome 122, enabling the DefaultJavaScriptJitSetting policy and disabling JavaScript JIT no longer results in WebAssembly being fully disabled. The V8 optimizing JIT continues to be disabled by setting the DefaultJavaScriptJitSetting policy. This allows Chrome to render web content in a more secure configuration.
- New and updated policies in Chrome browser
Policy Description InsecureFormsWarningsEnabled Enable warnings for insecure forms (now available on iOS) ListenToThisPageEnabled Enable read aloud (text distillation and text-to-speech synthesis) for web pages
- Removed policies in Chrome browser
Policy Description PPAPISharedImagesForVideoDecoderAllowed Allow Pepper to use shared images for video decoding. ChromeAppsWebViewPermissiveBehaviorAllowed Restore permissive Chrome Apps webview behavior DefaultSearchProviderIconURL Default search provider icon (removed on all platforms) DefaultSearchProviderKeyword Default search provider keyword (removed on Android and iOS only) DefaultSearchProviderNewTabURL Default search provider new tab page URL (removed on Android and iOS only)
ChromeOS updates
- Content scanning with BCE
ChromeOS data controls are a set of controls that are applied by the admin, which protect users from data leakage on endpoints using a Data Loss Prevention (DLP) layer in ChromeOS. For details, see this help center article. BeyondCorp Enterprise (BCE) enables continuous and real-time end-to-end protection. Content scanning with BCE is a new way to evaluate and enforce data controls restrictions on file transfers based on signals from BeyondCorp Enterprise.
- Battery Saver
As early as ChromeOS 122, Battery Saver is available to reduce brightness on both display and keyboard backlight, throttle display refresh rate and available compute budget, and also turn off certain energy-intensive background functions to allow users squeeze more battery life out of their devices. This helps when users need that last couple minutes to finish a task and don't have a charger handy. When enabled, Battery Saver switches on automatically when the user's battery level reaches 20%. You can control this feature using the BatterySaverModeAvailability enterprise policy.
- Enhanced SAML reauthentication flows
To optimize the sign-on experience of our customers, we've introduced certain internal changes to our SAML single sign-on implementation. These changes will impact customers with misconfigured SAML settings.
In particular if you set the policy LoginAuthenticationBehavior to Redirect to SAML IdP by default, ensure that the Single Sign-on policy is set to Enable SAML, otherwise your SAML-based IdP won’t be loaded anymore.
- Badge-based authentication
From ChromeOS 122, certain third-party Identity Management Providers (IdPs) can use badge authentication on ChromeOS devices. Users can simply start a session with a badge tap, and leave the session with another badge tap. The solution is focused on frontline workers in various industries including retail, hospitality, and manufacturing.
In ChromeOS 122, we are starting with the Ilex Card Management System, but we aim to add additional reader and authentication partners in the upcoming months. If you want to learn more, see Set up badge-based authentication.
- Edit your recordings with Screencast
With ChromeOS Screencast, users can create and share transcribed screen recordings. As early as ChromeOS 122, users can trim their screencasts sentence-by-sentence, add and remove paragraph breaks, mute segments of their recordings, and title sections to make long recordings easier to navigate.
- IKEv2 VPN support
ChromeOS 122 includes new options in the Admin console for Internet Key Exchange Protocol Version 2 (IKEv2) VPN protocol.
- Mandatory extensions in Incognito
Admins can now specify if there are certain extensions that users must turn on to use Incognito mode. There is a new toggle in Admin console > Apps & extensions that can be applied for individual extensions. This allows enterprises that have debugging or multi-account use cases that rely on Incognito mode to safely leave it enabled across their managed fleet. If they want to use Incognito mode, users need to turn on Allow in Incognito for all required enterprise extensions.
- New look for ChromeOS media player
ChromeOS media player will soon have bigger buttons and colors to match your wallpaper. The media player will appear when you are playing any video or audio (like Spotify or YouTube) in Quick Settings. You will be able to click the pin icon to move the media player to the shelf. In addition to controlling media that is being cast, you will be able to start casting web media to any speakers or screens on your local network.
Admin console updates
- Inactive browser deletion in Chrome Browser Cloud Management
As early as March 2024, the Inactive period for browser deletion policy will automatically delete browser data in the Admin console for managed browsers that have not contacted the server for more than the inactivity period of time determined by the policy. When releasing the policy, the inactivity period of time will have a default value of 540 days. All enrolled browsers that have been inactive for more than 540 days will be deleted from your account shortly after the release of this policy. Administrators can change the inactive period value using this policy. The maximum value to determine the browser inactivity period will be 730 days and the minimum value is 28 days.
If you lower the set policy value, it might have a global impact on any currently enrolled browsers. All impacted browsers will be considered inactive and, therefore, be irreversibly deleted. To ensure the deleted browsers re-enroll automatically next time they restart, set the Device Token Management policy value to Delete token before lowering the value of this policy. The enrollment tokens on these browsers need to still be valid at the time of the restart.
- As early as Chrome 122: The Inactive period for browser deletion policy UI will be available for early access in the Admin console. For IT admins who find the 18 month default inadequate, this will allow them to explicitly set a policy value (inactivity period of time) a few weeks before the actual deletion starts.
- New policies in Admin console
Policy Name Pages Supported on Category/Field AlwaysOnVpnPreConnectUrlAllowlist User/MGS ChromeOS 122+ Network DeviceSwitchFunctionKeysBehaviorEnabled Device ChromeOS 122+ Other settings HelpMeWriteSettings User Chrome/ChromeOS 121+ Generative AI CreateThemesSettings User Chrome/ChromeOS 121+ Generative AI TabOrganizerSettings User Chrome/ChromeOS 121+ Generative AI
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Default Search Engine choice screen
As part of our Digital Markets Act (DMA) compliance, Google is introducing choice screens for users to choose their default search engine within Chrome. The choice from the prompt controls the default search engine setting, currently available at
chrome://settings/search
.For enterprises that have chosen to have their administrator set their enterprise users’ search settings using the enterprise policies DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, those policies continue to control their enterprise’s search settings. Where the administrator has not set their enterprise users’ search settings by policy, enterprise users might see a prompt to choose their default search engine within Chrome.
Read more about these policies and the related atomic group.
- Chrome 120 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: 1% users might start getting the choice screen with Chrome 120.
- Later this year on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: full roll-out for applicable users
- User link capturing on PWAs - Windows, MacOS and Linux
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it more seamless to move between the browser and installed web apps. When the user clicks on a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. Clicking on the chip either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking on a link always automatically opens the app.
- Chrome 121 on Linux, MacOS, Windows: When some users click on a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 123 on Linux, MacOS, Windows: Based on the outcome of the experiment in Chrome 121, we will launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if user clicks on chip on address bar).
- Resume tabs
Chrome 123 will introduce a new card on the New tab page, which will help users continue with tab suggestions from other devices. Using the NTPCardsVisible policy, admins will be available to control this feature.- Chrome 123 on ChromeOS, Linux, Mac, Windows
- Chrome on Android and iOS: cross-device resumption
To help users resume tasks originating from other devices, Chrome will provide cross-device tab suggestions on the New tab page or Home surfaces on Chrome on Android and Chrome on iOS. This component will be displayed within the existing continue browsing card on Start and the Magic Stack on Chrome on Android and Chrome on iOS.
- Chrome 123 on Android, iOS: Feature launches
- Resume the last opened tab on any device
For the last open tab on any device within the last 24 hours with the same signed-in user profile, Chrome will offer users with a quick shortcut to resume that tab. Admins will be able to control this feature using an existing enterprise policy called SyncTypesListDisabled.- Chrome 123 on iOS: Feature launches
- Permissions prompt for Web MIDI API
The Web MIDI API connects to and interacts with Musical Instrument Digital Interface (MIDI) Devices. There have been several reported problems around Web MIDI API's drive-by access to client MIDI devices (see related Chromium bug). To address this problem, the W3C Audio Working Group decided to place an explicit permission on general Web MIDI API access. Originally, the explicit permission was only required for advanced Web MIDI usage in Chrome, including the ability to send and receive system exclusive (SysEx) messages, with gated access behind a permissions prompt. We now intend to expand the scope of the permission to regular Web MIDI API usage.
In Chrome 123, all access to the Web MIDI API will require a user permission. No policies will be available to control these changes. If you encounter any issues, file a bug here.
- Chrome 123 on Windows, MacOS, Linux, Android
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 123 on Windows: Network Service sandboxed on Windows
- Chrome Sync ends support for Chrome 81 and earlier
Chrome Sync will no longer support Chrome 81 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 123 on Android, iOS, ChromeOS, Linux, MacOS, Windows: The change will be implemented.
- Deprecate and remove WebSQL
With SQLite over WASM as its official replacement, we plan to remove WebSQL entirely. This will help keep our users secure.
The Web SQL database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.
Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team.
- Chrome 101: In Chrome 101 the WebSQLAccess policy is added. WebSQL will be available when this policy is enabled, while the policy is available until Chrome 123.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a deprecation trial token is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy, or a deprecation trial token.
- Chrome 123: on ChromeOS, LaCrOS, Linux, MacOS, Windows, Android: Starting in Chrome 123, the policy WebSQLAccess and the deprecation trial, which allows for WebSQL to be available, will no longer be available.
- IdleTimeout and IdleTimeoutActions policies on iOS
Enterprises are now able to enforce taking an action after Chrome has been idle for some amount of time on iOS devices. Admins can use the IdleTimeout policy to set a timeout period and the IdleTimeoutActions policy to specify actions on timeout. The setting will be available as a platform policy and will be available per profile at a future date.
- Chrome 123 on iOS: policies available on iOS
- Cross-profile password reuse detection
Previously, password reuse detection of corporate credentials was only detectable in the corporate profile. In Chrome 123, password reuse detection will detect corporate credential reuse across all non-Incognito profiles on the managed browser.
- Chrome 123: feature rolls out
- Telemetry for permission prompts and accepting notification permissions
When Enhanced Protection is turned on, and a user visits a page that prompts the user to accept a notification permission, attributes of that page might be sent to Safe Browsing. If the telemetry is sent and the page is deemed dangerous, users will see a Safe Browsing warning.
When Enhanced Protection or Safe Browsing Extended Reporting is turned on, and a user accepts a notification permission for a blocklisted page, this event will be sent to Safe Browsing.
These features can be controlled by the SafeBrowsingProtectionLevel and SafeBrowsingExtendedReportingEnabled policies.
- Chrome 123 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia
- ServiceWorker static routing API
This API allows developers to configure the routing, and allows them to offload simple things ServiceWorkers do. If the condition matches, the navigation happens without starting ServiceWorkers or executing JavaScript, which allows web pages to avoid performance penalties due to ServiceWorker interceptions.
- Chrome 123 on Windows, Mac, Linux, Android
- Private network access checks for navigation requests: warning-only mode
Before a website navigates to a destination site in a user's private network, Chrome will do the following:
1. Checks whether the original navigation request has been initiated from a secure context.
2. Sends a preflight request, and checks whether the destination site responds with a header that allows private network access.
The above checks are made to protect the user's private network. Since this feature operates in warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in DevTools Chrome console, to help developers prepare for the coming enforcement. To read about these changes, see Private Network Access (PNA) for Navigation Requests. To learn more, see the PNA specification.
- Chrome 123 on Android (except for WebView), ChromeOS, Linux, MacOS, Windows
- Bookmarks and reading list improvements on Android
On Chrome 124 on Android, some users who sign in to Chrome from the bookmark manager will be able to use and save bookmarks and reading list items in their Google Account. Relevant enterprise policies, such as BrowserSignin, SyncTypesListDisabled, EditBookmarksEnabled, ManagedBookmarks and ShoppingListEnabled will continue to work as before, to configure whether users can use and save items in their Google Account.
- Chrome 124 on Android: Feature rolls out
- Deprecate enterprise policy ThrottleNonVisibleCrossOriginIframesAllowed
The underlying code change (throttling same-process, cross-origin display:none iframes) that the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy overrides has been enabled in stable releases since early 2023. Since known issues have been dealt with, we intend to remove the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy by Chrome 124. The discussions around the throttling issue (and its resolution) can be found at https://bugs.chromium.org/p/chromium/issues/detail?id=958475.
- Chrome 124: Policy is removed
- Remove support for UserAgentClientHintsGREASEUpdateEnabled
We plan to deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year. The policy will eventually be removed.
- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows: Policy is deprecated
- Chrome 126 on Android, ChromeOS, Linux, MacOS, Windows: Policy is removed
- Intent to deprecate: Mutation Events
Synchronous Mutation Events, includingDOMSubtreeModified
,DOMNodeInserted
,DOMNodeRemoved
,DOMNodeRemovedFromDocument
,DOMNodeInsertedIntoDocument
, andDOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.- Chrome 127 on Android, ChromeOS, Linux, MacOS, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.
- Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.- Chrome 128 on Android, ChromeOS, Linux, MacOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- Extensions must be updated to leverage Manifest V3 by June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:- Chrome 110 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Chrome 127 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Chrome will gradually disabled Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.
Upcoming ChromeOS changes
- ChromeOS Flex Bluetooth Migration
In ChromeOS 123, ChromeOS Flex will be upgrading to the Floss Bluetooth stack. As part of this upgrade the following devices will no longer support Bluetooth functionality. If Bluetooth functionality is critical for these devices, we recommend moving these devices to the LTS channel to extend the Bluetooth functionality through to October 2024.- HP Probook 4530s
- Lenovo ThinkPad T420
- HP Elitebook 8460p
- Apple iMac 11,2
- Lenovo ThinkPad x220
- Dell Vostro 3550
- HP 3115m
- HP Elitebook 2560p
- HP ProBook 6465b
- Lenovo ThinkPad L420
If your devices are unable to connect to Bluetooth after updating to ChromeOS 123, switch the Chrome flag Use Floss instead of BlueZ to Disabled.
- Customizing keyboard shortcuts
Using shortcuts boosts productivity, and we all have our favorites. As early as ChromeOS 123, with shortcut customization, you will be able to assign your preferred key combination to personalize your shortcuts. Whether you want them to be easier to do with one hand, simpler to remember, or identical to the ones you're familiar with, this feature will simplify your day-to-day workflows.
- Record GIFs with Screen capture
As early as ChromeOS 124, Screen capture will let you record your screen in .GIF format to easily capture, share, and play the recording inline in chat, slides, docs, and more.
- Faster Split Screen setup
Chromebooks provide a variety of ways to arrange the windows on your screen to help make you more productive — one of which is Split Screen. Just as it sounds, Faster Split Screen Setup will offer a quicker way to set up your window layout by showing an overview of your open windows on the other side of the screen. With Faster Split Screen, once you "snap" (or lock) a window in place on one side, you can choose an already-open window from Overview to snap into the other side, or select something from the shelf (the row of apps located at the bottom or side of your screen).
Refer to the ChromeOS release schedule for release dates and updates.
Upcoming Admin console changes
- Enhanced Settings page experience
Starting in March 2024, all admins will use our updated Settings page experience–that means you’ll no longer be able to use the legacy Settings page experience. Most of you already use the updated experience. This just means that admins will no longer be able to access the legacy view, but you'll still have access to all the same functionality in the updated view.
- Chrome crash report
As early as Chrome 123, you will be able to visualize crash events in the Admin console using the new Chrome crash report page. In this report, you will find a dynamic chart representing Chrome crash events over time, grouped by versions of Chrome. Additional filtering is available for the following fields: OS platforms, Chrome channels and dates. This report will help you proactively identify potential Chrome issues within your organization.
This feature is now released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.- Chrome 121 on Linux, MacOS, Windows: Trusted Tester program
- Chrome 123 on Linux, MacOS, Windows: Feature rolls out
- Legacy Technology report
As early as Chrome 123, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, third-party cookies, SameSite cookie changes, and older security protocols like TLS 1.0/1.1 and third-party cookies. This information will enable IT administrators to work with developers to plan required tech migrations before the deprecation feature removals goes into effect.
This feature is currently released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.- As early as Chrome 123 on Linux, MacOS, Windows
Chrome 121
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
Rename FirstPartySets Enterprise Policies to RelatedWebsiteSets | ✓ | ✓ | |
Tab organizer | ✓ | ||
Create themes with AI | ✓ | ||
Safer encrypted archives for Standard Safe Browsing users | ✓ | ||
User Link Capturing on PWAs - Windows, MacOS and Linux | ✓ | ||
Side Panel Navigation: Pinning or unpinning | ✓ | ||
Autofill: display in server cards and local cards | ✓ | ||
Autofill: changes in card verification | ✓ | ||
CSS Highlight Inheritance | ✓ | ||
Chrome user policies for iOS | ✓ | ||
Skip unload events | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS Flex End of Device Support | ✓ | ||
Enable dictation using the keyboard | ✓ | ||
ChromeVox Accessibility service | ✓ | ||
No more onboarding messages for Assistant | ✓ | ||
New trackpad gesture on ChromeOS | ✓ | ||
Integrate the DLP events rule Id and name into the security investigation tool | ✓ | ||
Enterprise DataControls (DLP) file restrictions | ✓ | ||
Borderless printing | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Configure IP address on device with Ethernet adapter | ✓ | ✓ | |
Apps & Extensions usage report: Highlight extensions removed from the Chrome Web Store | ✓ | ||
Chrome crash report | ✓ | ||
Fix for certain Android WiFi certificates | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Default Search Engine choice screen | ✓ | ||
Get help writing on the web with AI | ✓ | ||
Simplified sign-in and sync experience | ✓ | ✓ | |
Permissions prompt for Web MIDI API | ✓ | ||
SharedImages for PPAPI Video Decode | ✓ | ||
V8 security setting | ✓ | ||
Read aloud | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Removal of enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed | ✓ | ||
Asynchronous server-side Safe Browsing check | ✓ | ||
Improved download warnings on the Chrome Downloads page | ✓ | ||
Resume the last opened tab on any device | ✓ | ||
Chrome Sync ends support for Chrome 81 and earlier | ✓ | ✓ | |
Deprecate and remove WebSQL | ✓ | ||
Deprecate enterprise policy ThrottleNonVisibleCrossOriginIframesAllowed | ✓ | ||
Remove support for UserAgentClientHintsGREASEUpdateEnabled | ✓ | ||
Intent to deprecate: Mutation Events | ✓ | ||
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | ✓ |
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS Flex Bluetooth Migration | ✓ | ||
New look for ChromeOS media player | ✓ | ||
App disablement by Admin in MGS | ✓ | ||
Battery Saver | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Inactive browser deletion in Chrome Browser Cloud Management | ✓ | ||
Legacy Technology report | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Chrome Third-Party Cookie Deprecation (3PCD)
As previously announced, Chrome 121 restricts third-party cookies by default for 1% of Chrome users to facilitate testing, and plans to ramp up to 100% of users from Q3 2024. The ramp up to 100% of users is subject to addressing any remaining competition concerns of the UK's Competition and Markets Authority (CMA). Browsers that are part of the 1% experiment group will also see new Tracking Protection user controls. You can try out these changes in Chrome 121 or higher by enabling
chrome://flags/#test-third-party-cookie-phaseout
.This testing period allows sites to meaningfully preview what it's like to operate in a world without third-party cookies. As bounce-tracking protections are also a part of 3PCD, the users in this group with third-party cookies blocked have bounce tracking mitigations taking effect, so that their state is cleared for sites that get classified as bounce trackers. Most enterprise users should be excluded from this 1% experiment group automatically; however, we recommend that admins proactively use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies and opt out their managed browsers ahead of the experiment. This gives enterprises time to make the changes required to not rely on this policy or third-party cookies.
We are launching the Legacy Technology Report to help identify third-party cookies use cases. Admins can set the BlockThirdPartyCookies policy to false to re-enable third-party cookies for all sites but this will prevent users from changing the corresponding setting in Chrome. Alternatively, to prevent breakage, you can set the CookiesAllowedForUrls policy to allowlist your enterprise applications to continue receiving third-party cookies.
For enterprise end users that are pulled into this experiment group and that are not covered by either enterprise admin policy, they can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site, when necessary. See this help article for more details on how to toggle these settings for the desired configuration.
Bounce tracking protections are also covered by the same policies as cookies and these protections are enforced when the bouncing site is not permitted to use 3P cookies. So setting the BlockThirdPartyCookies policy to false, or setting the CookiesAllowedForUrls policy for a site, prevents bounce tracking mitigations from deleting state for sites.
Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial for continued access to third-party cookies for a limited period of time.
The heuristics feature grants temporary third-party cookie access in limited scenarios based on user behavior. This mitigates site breakage caused by third-party cookie deprecation in established patterns, such as identity provider pop ups and redirects.
For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, MacOS, Windows
1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Starting in Chrome 120 on ChromeOS, Linux, MacOS, Windows
- Rename FirstPartySets policies to RelatedWebsiteSets
The FirstPartySetsEnabled and FirstPartySetsOverrides enterprise policies are renamed to RelatedWebsiteSetsEnabled and RelatedWebsiteSetsOverrides respectively. There is no change in policy behavior. Administrators should use the new policies RelatedWebsiteSetsEnabled and RelatedWebsiteSetsOverrides going forward. To learn more about the rename, follow https://developer.chrome.com/blog/related-website-sets/
- Tab organizer
Tab organizer is a GenAI-powered feature where Chrome automatically suggests and creates tab groups for users based on the URL and title of opened websites. To use this feature, right-click on a tab, and select Organize similar tabs.
Starting in Chrome 121, a limited set of signed-in users in the US can turn on Tab organizer in Chrome settings. This feature is initially available to unmanaged users only, and is inaccessible to managed Chrome Enterprise & Education users in Chrome 121. To learn more, read this blog post. In the coming weeks, we will provide more details about Tab organizer in the Chrome Enterprise & Education help center.
In advance of this feature rolling out to managed users, Admins can control Tab organizer using the TabOrganizerSettings policy. You have the following options for your organization:
0 = Enable the feature and send data to help improve AI models
1 = Enable the feature but don’t send data to help improve AI models
2 = Fully disable feature
- Create themes with AI
Create themes with AI in Chrome lets users create a unique Chrome theme (a combination of a color and a wallpaper image) using GenAI. To use the feature, open a new tab, and at the bottom right, click Customize Chrome. On the side panel, select Change theme > Create with AI. Users can then choose from preset options for subject, mood, style, and color.
Starting in Chrome 121, a limited set of signed-in users in the US can create themes with AI by turning on the feature in Chrome settings. This feature is initially available to unmanaged users only, and is inaccessible to managed Chrome Enterprise & Education users in Chrome 121. To learn more, read this blog post. In the coming weeks, we will provide more details about Create themes with AI in the Chrome Enterprise & Education help center.
In advance of this feature rolling out to managed users, Admins can control Create themes with AI using the CreateThemesSettings policy. You have the following options for your organization:
0 = Enable the feature and send data to help improve AI models
1 = Enable the feature but don’t send data to help improve AI models
2 = Fully disable feature
- Safer encrypted archives for Standard Safe Browsing users
On some encrypted archive downloads, Chrome prompts Standard Safe Browsing users for a password (not shared with Google and cleared after retrieving the metadata). This collects more metadata about the download (such as contained file hashes and executable signatures), which is sent to Google for better quality verdicts. The password remains local and not shared with Google. You can control this feature with the SafeBrowsingDeepScanningEnabled policy.
- Chrome 121 on Linux, MacOS, Windows
- User Link Capturing on PWAs - Windows, MacOS and Linux
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it more seamless to move between the browser and installed web apps. When the user clicks on a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. Clicking on the chip either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking on a link always automatically opens the app.
- Chrome 121 on Linux, MacOS, Windows: When some users click on a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar; clicking on the chip launches the app. A flag is available to control this feature:
chrome://flags/#enable-user-link-capturing-pwa
. - Chrome 123 on Linux, MacOS, Windows: Based on the outcome of the experiment in Chrome 121, we will launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if user clicks on chip on address bar).
- Chrome 121 on Linux, MacOS, Windows: When some users click on a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar; clicking on the chip launches the app. A flag is available to control this feature:
- Side Panel Navigation: Pinning or unpinning
As early as Chrome 121, Chrome removes the side panel icon in favor of evolving the side panel navigation to offer customization through toolbar pinning. This allows for efficient direct access to a suite of panels. You can open most side panel features through the Chrome menu ().
- Chrome 121 on Chrome OS, LaCrOS, Linux, MacOS, Windows, Fuchsia
- Autofill: display in server cards and local cards
Autofill helps users seamlessly fill out their card information into payment forms. Credit or debit cards, which can be autofilled, are stored on the Chrome client. There are 2 types: Server cards and Local cards. A server card only has the last 4 digits and the expiry date of the card whereas a local card has all the digits of a card along with the expiry date.
There are instances when a local and server card of the same card exist on the same client. When that happens, Chrome typically dedupes the server card and only offers the local card for autofilling. With this change, the opposite is true, and server card usage is now offered to users instead. This brings the security and usability benefits of GPay server cards to users with duplicate cards, as well as makes the experience more consistent across devices.
- Chrome 121 on Chrome OS, LaCrOS, Linux, MacOS, Windows, Fuchsia
- Autofill: security code updates
In Chrome 121, to improve user experience, payments autofill now unmasks card information using Google’s industry leading verification methods instead of relying on security codes to verify and unmask cards. Users can choose to turn on device unlock if they want to add an extra layer of security for unmasking their card.
- Chrome 121 on Android, MacOS
- CSS Highlight Inheritance
With CSS Highlight Inheritance, the CSS Highlight pseudo classes, such as :
:selection
and::highlight
, inherit their properties through the pseudo highlight chain, rather than the element chain. The result is a more intuitive model for inheritance of properties in highlights. Specifically, when any supported property is not given a value by the cascade, its specified value is determined by inheritance from the corresponding highlight pseudo-element of its originating element’s parent element. For more details, see the Highlight Pseudo-elements specification.- Chrome 121 on Windows, MacOS, Linux, Android
- Chrome user policies for iOS
With Chrome user policies for iOS, admins can apply policies and preferences across a user's devices. Settings apply whenever the user signs in to Chrome browser with their managed account on any device, including personal devices.
In Chrome 120, we began rollout but rolled back due to a non-impacting bug. Starting in Chrome 121, managed end-users start to see a management notice stating that their organization manages the account they are signing into. Admins can turn on this functionality in the Admin console under the Chrome on iOS setting. For more information, see Set Chrome policies for users or browsers.
- Chrome 120 on iOS: Started rollout to 5%, rolled back due to non-impacting bug
- Chrome 121 on iOS: Begin gradual rollout, targeting 100% by M122
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events.
In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of a Permissions-Policy API and an enterprise policy ForcePermissionPolicyUnloadDefaultEnabled, which allow you to selectively keep the behavior unchanged.
- Chrome 117 on Chrome OS, Linux, MacOS, Windows: Dev Trial
- Chrome 119 on Chrome OS, Linux, MacOS, Windows: Introduces ForcePermissionPolicyUnloadDefaultEnabled policy
- Chrome 121 -131 on Chrome OS, Linux, MacOS, Windows: Deprecation trial (general rollout of deprecation will be limited scope until deprecation trial is ready)
- New and updated policies in Chrome browser
Policy Description AllowChromeDataInBackups Allow backup of Google Chrome data CloudUserPolicyMerge Enables merging of user cloud policies into machine-level policies (now available on iOS) ProfileReauthPrompt Prompt users to re-authenticate to the profile HelpMeWriteSettings Allow help me write feature TabOrganizerSettings Allow tab organization feature CreateThemesSettings Create themes with AI
- Removed policies in Chrome browser
Policy Description ChromeRootStoreEnabled Determines whether the Chrome Root Store and built-in certificate verifier will be used to verify server certificates ContextAwareAccessSignalsAllowlist Enable the Chrome Enterprise Device Trust Connector attestation flow for a list of URLs WebRtcAllowLegacyTLSProtocols Allow legacy TLS/DTLS downgrade in WebRTC OffsetParentNewSpecBehaviorEnabled Control the new behavior of HTMLElement.offsetParent SendMouseEventsDisabledFormControlsEnabled Control the new behavior for event dispatching on disabled form controls AttestationEnabledForDevice Enable remote attestation for the device
ChromeOS updates
- ChromeOS Flex End of Device Support
As of January 01, 2024, devices scheduled to end support in 2023 will no longer be supported. Decertified devices include those listed below; for the full list of devices ending support you can review our Certified models list.- HP Compaq 6005 Pro
- HP Compaq Elite 8100
- Lenovo ThinkCentre M77
- HP ProBook 6550b
- HP 630
- Dell Optiplex 980
The devices will continue to receive ChromeOS Flex updates but these updates will no longer be tested or maintained by the Flex team. We recommend that customers upgrade to newer ChromeOS Flex certified models or ChromeOS devices to benefit from new features and security improvements. You can learn more about supported devices in our help center.
- Enable dictation using the keyboard
Logitech keyboards with a dictation button and other keyboards using the Search + D shortcut now turn on the Dictation accessibility feature if it is off. If Dictation is already on, then the key (and the shortcut) will activate Dictation. When enabling dictation, a dialog will appear to inform users they are about to enable Dictation, certain speech files might be downloaded and how to use the dictation feature once it is enabled.
- ChromeVox Accessibility service
Users of App Streaming on Chromebooks will now be able to use ChromeVox to navigate the streaming Android app. The streaming Android app's accessibility tree is streamed in tandem with the app itself and can be interacted with using ChromeOS screen reader capabilities.
- No more onboarding messages for Assistant
ChromeOS 121 removes the welcome or onboarding messages offered to a new user when launching Assistant on ChromeOS for the first time. This is a deprecation.
- New trackpad gesture on ChromeOS
ChromeOS 121 launches a new trackpad gesture to help users dismiss notification popups in the notification center.
- Integrate the DLP events rule Id and name into the security investigation tool
ChromeOS Data Control events will have additional fields to enrich admin insights in the security investigation tool.
- Enterprise DataControls (DLP) file restrictions
In ChromeOS 121, ChromeOS Data Controls enable IT and Security teams to protect important business and customer data. It is available for events like copy and paste, screen capture, screen sharing, and printing. IT administrators can create an information protection strategy with rules based on the data source, destination and user.
We now have new functionality to control what users can do with files on ChromeOS devices through source and destination based rules.
Admin console updates
- Configure IP address on device with Ethernet adapter
The Admin console setting Allow IP address to be configured on the device (ChromeOS only) and Allow users to modify these values (in DNS settings) is now also respected for Ethernet adapters.
- Apps & Extensions usage report: Highlight extensions removed from the Chrome Web Store
In Chrome 121, new information on the Apps & Extensions usage report is available to help you identify if an extension was recently removed from the Chrome Web Store via a new notifications column and a new Chrome Web Store column that represents the listing status of an extension. On the App Details page, you can find the reason why an extension was removed from the Chrome Web Store. This feature will help IT administrators identify the impact of using the policy to disable unpublished extensions.- Chrome 120 on Linux, MacOS, Windows: Trusted Tester program
- Chrome 121 on Linux, MacOS, Windows: Feature rolls out
Extensions & apps usage report:
App Details page:
- Chrome crash report
As early as Chrome 122, you will be able to visualize crash events in the Admin console using the new Chrome crash report page. In this report, you will find a dynamic chart representing Chrome crash events over time, grouped by versions of Chrome. Additional filtering is available for the following fields: OS platforms, Chrome channels and dates. This report will help you proactively identify potential Chrome issues within your organization.
This feature is now released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- Chrome 121 on Linux, MacOS, Windows: Trusted Tester program
- Chrome 122 on Linux, MacOS, Windows: Feature rolls out
- Fix for certain Android WiFi certificates (early Feb 2024)
Required as of Android 13, for certain WiFi configurations using enterprise authentication (802.1X), a new required field, called DomainSuffixMatch, was added for additional security. Before updating your fleet to Android 13, you need to edit the new field of that network's settings, Server Certificate Authority, to add at least one Server Certificate Domain Suffix Match. The device will only connect to the WiFi network if the server certificate presented by the remote end has a Subject CommonName or DNS Name SubjectAlternativeName (SAN) that matches the provided suffix.
- New policies in Admin console
Policy Name Pages Supported on Category/Field AllowChromeDataInBackups User & Browser Chrome (iOS) Other Settings OopPrintDriversAllowed User & Browser Chrome (Linux, MacOS, Windows) Printing
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Default Search Engine choice screen
Starting Chrome 120, enterprise end-users might be prompted to choose their default search engine within Chrome.
As part of our building for DMA compliance, some users will be prompted to choose their default search engine for Chrome. This prompt controls the default search engine setting, currently available at chrome://settings/search. The enterprise policies, DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, will continue to control this setting as it does today, if it is set by the IT admin. Read more on this policy and the related atomic group.- Chrome 120 on iOS, Chrome OS, LaCrOS, Linux, MacOS, Windows: 1% users might start getting the choice screen with Chrome 120.
- Chrome 122 on iOS, Chrome OS, LaCrOS, Linux, MacOS, Windows: full roll-out for applicable users.
- Get help writing on the web with AI
In Chrome 122, we’ll roll out an experimental GenAI-powered feature to help users write on the web. This tool can help users write with more confidence and kickstart the writing process for users in free-form text fields on the web.
Starting in Chrome 122, a limited set of signed-in users in the US will be able to turn on Help me write in Chrome settings. In Chrome 122, this feature will initially be available to unmanaged users only, and will be inaccessible to managed Chrome Enterprise & Education users. To learn more, read this blog post. In the coming weeks, we will provide more details about Help me write in the Chrome Enterprise & Education help center.
Admins will be able to control Help me write using the HelpMeWriteSettings policy. You will have the following options for your organization:
0 = Enable the feature and send data to help improve AI models
1 = Enable the feature but don’t send data to help improve AI models
2 = Fully disable feature
- Simplified sign-in and sync experience
Starting in Chrome 122, existing users with Chrome sync turned on will experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off fully (via SyncDisabled) or partially (via SyncTypesListDisabled). Sign-in to Chrome can be required or disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.- Chrome 117: sunset Chrome sync for users who didn't have Chrome sync enabled at the time.
- Chrome 122: sunset Chrome sync for users with Chrome sync enabled by migrating them to an equivalent state.
- Permissions prompt for Web MIDI API
There have been several reported problems around Web MIDI API's drive-by access to client MIDI devices (bugs). To address this problem, the Audio WG decided to place an explicit permission on the general MIDI API access. Originally, the explicit permission was only required for advanced MIDI usage (System Exclusive (SysEx) messages) in Chrome, with gated access behind a permissions prompt. We plan to expand the scope of the permission to regular MIDI API usage.
Today the use of SysEx messages with the Web MIDI API requires an explicit user permission. With this implementation, even access to the Web MIDI API without SysEx support will require a user permission. Three new policies—DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls—will be available to allow administrators to pre-configure user access to the API.- Chrome 122 on Windows, MacOS, Linux, Android
- SharedImages for PPAPI Video Decode
Chrome 119 introduces a new PPAPISharedImagesForVideoDecoderAllowed policy to control the recent refactor for VideoDecoder APIs in PPAPI plugin.- Chrome 119 on ChromeOS, LaCrOS: Introduces escape hatch policy.
- Chrome 122 on ChromeOS, LaCrOS: Escape hatch policy and corresponding old code paths are removed.
- V8 security setting
Add a setting on chrome://settings/security to disable the V8 JIT optimizers, in order to reduce the attack surface of Chrome. This behavior continues to be controlled by the DefaultJavaScriptJitSetting enterprise policy, and the associated JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies. The setting is integrated into Site Settings. The setting rolls out in Chrome 122. The enterprise policies have been available since Chrome 93.- Chrome 122 on ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia
- Read aloud
Read aloud will allow users of Chrome on Android to listen to web pages via text to speech technology. Users will be able to access this feature via the overflow menu and control playback via audio controls.
Read aloud will send the page URL to Google servers to power playback, and users who use it will need to enable the settings menu item "make searches and browsing better".
Setting the ListenToThisPageEnabled policy to true will allow users to have eligible web pages read aloud using text-to-speech. This is achieved by server side content distillation and audio synthesis. Setting to false disables this feature, and if this policy is set to default or left unset, Read aloud will be enabled.- Chrome 122 on Android: Feature launches
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.- Chrome 122 on Windows: Network Service sandboxed on Windows
- Removal of enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed
In Chrome 116, Chrome Apps webview usage have the following restrictions:
Using the webview NewWindow event to attach to a webview element in another App window causes the window reference returned by the window.open call in the originating webview to be invalidated. A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed was made available to give enterprises time to address possible breakage related to these changes. This policy will be removed in Chrome 122.- Chrome 122 on Linux, MacOS, Windows, ChromeOS: Enterprise Policy ChromeAppsWebViewPermissiveBehaviorAllowed removed
- Asynchronous server-side Safe Browsing check
Today Safe Browsing checks are on the blocking path of page loads, meaning that the user cannot see the page until the checks are completed. To improve Chrome's loading speed, checks with the server-side Safe Browsing list will no longer block page loads after Chrome 122.
We have evaluated the risk and put mitigations in place:- To protect against direct exploits against the browser, local list checks will still be conducted in a synchronous manner so that malicious payloads cannot run until the local list check is completed.
- To protect against phishing attacks, we've looked at data and concluded that it is unlikely the user would have significantly interacted with the page (e.g. typed a password) by the time we show the warning.
- Chrome 122 on Android, ChromeOS, LaCrOS, Linux, MacOS, Windows: Feature launches
- Improved download warnings on the Chrome Downloads page
To help reduce consequences of downloading malware, we’re cleaning up desktop download warning strings and patterns to be clear and consistent.
- Chrome 122 on ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia: Feature launches
- Resume the last opened tab on any device
For the last open tab on any device within the last 24 hours with the same signed-in user profile, Chrome will offer users with a quick shortcut to resume that tab. Admins will be able to control this feature using an existing enterprise policy called SyncTypesListDisabled.- Chrome 123 on iOS: Feature launches
- Chrome Sync ends support for Chrome 81 and earlier
Chrome Sync will no longer support Chrome 81 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 123 on Android, iOS, Chrome OS, Linux, MacOS, Windows: The change will be implemented.
- Deprecate and remove WebSQL
With SQLite over WASM as its official replacement, we plan to remove WebSQL entirely. This will help keep our users secure.
The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.
Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team.- Chrome 101: In Chrome 101 the WebSQLAccess policy is added. WebSQL will be available when this policy is enabled, while the policy is available until Chrome 123.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a deprecation trial token is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy, or a deprecation trial token.
- Chrome 123: on Chrome OS, LaCrOS, Linux, MacOS, Windows, Android: Starting in Chrome 123, the policy WebSQLAccess and the deprecation trial, which allows for WebSQL to be available, will no longer be available.
- Deprecate enterprise policy ThrottleNonVisibleCrossOriginIframesAllowed
The underlying code change (throttling same-process, cross-origin display:none iframes) that the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy overrides has been enabled in stable releases since early 2023. Since known issues have been dealt with, we intend to remove the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy by Chrome 124. The discussions around the throttling issue (and its resolution) can be found at https://bugs.chromium.org/p/chromium/issues/detail?id=958475.
- Chrome 124: ThrottleNonVisibleCrossOriginIframesAllowed is removed
- Remove support for UserAgentClientHintsGREASEUpdateEnabled
We plan to deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year. The policy will eventually be removed.
- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows: Policy is deprecated
- Chrome 126 on Android, ChromeOS, Linux, MacOS, Windows: Policy is removed
- Intent to deprecate: Mutation Events
Synchronous Mutation Events, includingDOMSubtreeModified
,DOMNodeInserted
,DOMNodeRemoved
,DOMNodeRemovedFromDocument
,DOMNodeInsertedIntoDocument
, andDOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.- Chrome 127 on Android, ChromeOS, Linux, MacOS, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.
- Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.- Chrome 128 on Android, ChromeOS, Linux, MacOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- Extensions must be updated to leverage Manifest V3 by June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:- Chrome 110 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Chrome 127 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Chrome will gradually disabled Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.
Upcoming ChromeOS changes
- ChromeOS Flex Bluetooth Migration
ChromeOS Flex will be upgrading to the Floss bluetooth stack in ChromeOS 122. As part of this upgrade the following devices will no longer support bluetooth functionality, if bluetooth functionality is critical for these devices we recommend moving these devices to the LTS channel to extend the bluetooth functionality through to October 2024.- HP Probook 4530s
- Lenovo ThinkPad T420
- HP Elitebook 8460p
- Apple iMac 11,2
- Lenovo ThinkPad x220
- Dell Vostro 3550
- HP 3115m
- HP Elitebook 2560p
- HP ProBook 6465b
- Lenovo ThinkPad L420
- New look for ChromeOS media player
ChromeOS media player will soon have bigger buttons and colors to match your wallpaper. The media player will appear when you are playing any video or audio (like Spotify or YouTube) in Quick Settings. You will be able to click the pin icon to move the media player to the shelf. In addition to controlling media that is being cast, you will be able to start casting web media to any speakers or screens on your local network.
- App disablement by Admin in MGS
Up until now, Managed Guest Sessions (MGS) include a set of applications (Explore, Gallery, and Terminal apps) that are available to the user. With the SystemFeaturesDisableList policy, Admins will soon be able to disable these apps, blocking and hiding them from users across your enterprise.
- Battery Saver
As early as ChromeOS 122, Battery Saver will be available to reduce brightness on both display and keyboard backlight, throttle display refresh rate and available compute budget, and also turn off certain energy-intensive background functions to allow users squeeze more battery life out of their devices. This will help when they need that last couple minutes to finish a task and don't have a charger handy. The feature will automatically be enabled when the user's battery level reaches 20%.
Upcoming Admin console changes
- Inactive browser deletion in Chrome Browser Cloud Management
As early as Chrome 124, the Inactive period for browser deletion policy will automatically delete browser data in the Admin console for managed browsers that have not contacted the server for more than the inactivity period of time determined by the policy. When releasing the policy, the inactivity period of time will have a default value of 540 days. All enrolled browsers that have been inactive for more than 540 days will be deleted from your account shortly after the release of this policy. Administrators can change the inactive period value using this policy. The maximum value to determine the browser inactivity period will be 730 days and the minimum value is 28 days.
If you lower the set policy value, it might have a global impact on any currently enrolled browsers. All impacted browsers will be considered inactive and, therefore, be irreversibly deleted. To ensure the deleted browsers re-enroll automatically next time they restart, set the Device Token Management policy value to Delete token before lowering the value of this policy. The enrollment tokens on these browsers need to still be valid at the time of the restart.
- As early as Chrome 122: The Inactive period for browser deletion policy UI will be available for early access in the Admin console. For IT admins who find the 18 month default inadequate, this will allow them to explicitly set a policy value (inactivity period of time) a few weeks before the actual deletion starts.
- Legacy Technology report
As early as Chrome 122, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, third-party cookies, SameSite cookie changes, and older security protocols like TLS 1.0/1.1 and third-party cookies. This information will enable IT administrators to work with developers to plan required tech migrations before the deprecation feature removals goes into effect.
This feature is currently released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- As early as Chrome 122 on Linux, MacOS, Windows
Chrome 120
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Default Search Engine choice screen | ✓ | ||
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
Rename FirstPartySets Enterprise Policies to RelatedWebsiteSets | ✓ | ✓ | |
Chrome Web Store: UX Improvements | ✓ | ||
Revamped Safety Check on Desktop | ✓ | ||
Chrome Desktop responsive toolbar | ✓ | ||
Chrome on Android no longer supports Android Nougat | ✓ | ||
Package tracking (iOS only) | ✓ | ||
Unprefix -webkit-background-clip for text and make it an alias | ✓ | ||
Chrome user policies for iOS | ✓ | ||
Chrome profile separation: new policies | ✓ | ||
Migrate away from data URLs in SVGUseElement | ✓ | ✓ | |
Password Manager: password sharing | ✓ | ✓ | |
Remove recommended support from multiple policies | ✓ | ||
Save images to Google Photos on iOS | ✓ | ||
Remove same-origin blanket enforcement in CSPEE | ✓ | ||
Close requests for CloseWatcher, <dialog>, and popover="" | ✓ | ||
Deprecate and remove Theora support | ✓ | ||
Unmanaged device signals consent | ✓ | ||
Printing interactions moved to a service process | ✓ | ||
URL-Based Permission Suggestions Service | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
New controls for mouse scroll acceleration | ✓ | ||
Enhanced Alt + click behavior | ✓ | ||
XDR Authentication Events | ✓ | ||
Pinch-to-Resize PiP | ✓ | ||
New look for Emoji Picker | ✓ | ||
Keyboard Shortcuts - Enabling F11-F12 keys | ✓ | ||
Deprecate support for legacy ChromeOS media containers and codecs | ✓ | ||
ChromeOS Virtual Desk button | ✓ | ||
App Details in App Management | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Generative AI features | ✓ | ||
Safer encrypted archives for Standard Safe Browsing users | ✓ | ||
Permissions prompt for Web MIDI API | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
User Link Capturing on PWAs - Windows, Mac and Linux | ✓ | ||
Side Panel Navigation: Pinning/Unpinning | ✓ | ||
SharedImages for PPAPI Video Decode | ✓ | ||
Skip unload events | ✓ | ||
Resume the last opened tab on any device | ✓ | ||
Remove support for UserAgentClientHintsGREASEUpdateEnabled | ✓ | ||
Chrome Sync ends support for Chrome 81 and earlier | ✓ | ✓ | |
Deprecate and remove WebSQL | ✓ | ||
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy | ✓ | ||
Intent to deprecate: Mutation Events | ✓ | ||
Extensions must be updated to leverage Manifest V3 by June 2025 | ✓ | ✓ | ✓ |
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS Flex End of Device Support | ✓ | ||
ChromeOS Flex Bluetooth Migration | ✓ | ||
Set the screensaver duration | ✓ | ||
New look for ChromeOS media player | ✓ | ||
Integrate the DLP events into the security investigation tool | ✓ | ||
ChromeOS Data Controls file restrictions | ✓ | ||
Enhanced notifications for pinned apps | ✓ | ||
New ChromeOS sync options | ✓ | ✓ | |
App disablement by Admin in MGS | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Inactive browser deletion in Chrome Browser Cloud Management | ✓ | ||
Apps & Extensions usage report: Highlight extensions removed from the Chrome Web Store | ✓ | ||
Legacy Technology report | ✓ | ||
Chrome crash report | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Default Search Engine choice screen
Starting Chrome 120, enterprise end-users might be prompted to choose their default search engine within Chrome.
As part of our building for DMA compliance, some users will be prompted to choose their default search engine for Chrome. This prompt controls the default search engine setting, currently available atchrome://settings/search
. The enterprise policies, DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, will continue to control this setting as it does today, if it is set by the IT admin. Read more on this policy and the related atomic group.
- Chrome 120 on iOS, Chrome OS, LaCrOS, Linux, Mac, Windows: 1% users might start getting the choice screen with Chrome 120. 100% by Chrome 122 for applicable users.
- Chrome Third-Party Cookie Deprecation (3PCD)
In Chrome 120 and beyond (Jan 2024), Chrome will globally disable third-party cookies for 1% of Chrome traffic as part of our Chrome-facilitated testing in collaboration with the CMA. The facilitated testing period allows sites to meaningfully preview what it's like to operate in a world without third-party cookies. As bounce-tracking protections are also a part of 3PCD, the users in this group with third-party cookies blocked will have bounce tracking mitigations take effect, so that their state is cleared for sites that get classified as a bounce tracker. Most enterprise users should be excluded from this experiment group automatically; however, we recommend that admins proactively use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies and opt out their managed browsers ahead of the experiment. This will give enterprises time to make the changes required to not rely on this policy or third-party cookies.
We plan to provide more tooling (such as the Legacy Tech Report) to help identify third-party cookies use cases. Admins can set the BlockThirdPartyCookies policy to false to re-enable third-party cookies for all sites but this will prevent users from changing the corresponding setting in Chrome. Alternatively, to prevent breakage, you can set the CookiesAllowedForUrls policy to allowlist your enterprise applications to continue receiving third-party cookies.
For enterprise end users that are pulled into this experiment group and that are not covered by either enterprise admin policy, they can use the User Bypass control (the “eye icon” in the omnibox) to temporarily re-enable third-party cookies for 90 days on a given site when necessary. Enterprise admin policies override User Bypass controls, for example, setting BlockThirdPartyCookies policy to true will disable third-party cookies for all sites and prevent users from using this User Bypass control.
Bounce tracking protections are also covered by the same policies as cookies and enforced when the bouncing site is not permitted to have/receive 3P cookies. Thus, setting the BlockThirdPartyCookies policy to false, or setting the CookiesAllowedForUrls policy for a site, will prevent bounce tracking mitigations from deleting state for sites.
Enterprise SaaS integrations used in a cross-site context for non-advertising use cases will be able to register for the third-party cookie deprecation trial for continued access to third-party cookies for a limited period of time.
The heuristics feature will grant temporary third-party cookie access in limited scenarios based on user behavior. This mitigates site breakage caused by third-party cookie deprecation in established patterns such as identity provider pop ups and redirects.
For more details on how to prepare, provide feedback and report potential site issues, refer to the Mode B: 1% third-party cookie deprecation blog section and the Preparing for the end of third-party cookies blog.
- Chrome 120 on ChromeOS, Linux, Mac, Windows
1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Chrome 120 on ChromeOS, Linux, Mac, Windows
- Rename FirstPartySets policies to RelatedWebsiteSets
The FirstPartySetsEnabled and FirstPartySetsOverrides enterprise policies are renamed to RelatedWebsiteSetsEnabled and RelatedWebsiteSetsOverrides respectively. There is no change in the policies’ behavior. Administrators should use the new policies RelatedWebsiteSetsEnabled and RelatedWebsiteSetsOverrides going forward. To learn more about the rename, follow https://developer.chrome.com/blog/related-website-sets/
- Chrome 120 on Android, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia
- Chrome Web Store: UX improvements
The Chrome team is unveiling a redesigned Chrome Web Store that simplifies the process of finding and managing extensions. Alongside a refreshing, modern interface, the store introduces new extension categories, including AI-powered extensions and Editors' spotlight. These enhancements will be gradually rolled out over the coming months.
Users can temporarily switch back to the original store layout by clicking the three dots next to their profile avatar and selecting Revert to original store. This temporary option will be disabled in January 2024 and cannot be centrally controlled by administrators.
Enterprises will continue to have access to their enterprise policies within the new Chrome Store UX.
The revamped Chrome Web Store will also feature a dedicated section for extensions specific to your domain. For more details on publishing private extensions, see Enterprise Publishing Options.
Note that there is a known issue with ExtensionSettings, where the
blocked_install_message
does not appear correctly in the redesigned Chrome Store UX that we are working on fixing.
- Revamped Safety Check on Desktop
In Chrome 120, we begin to roll out a new proactive Safety Check that regularly checks the browser for safety-related issues and informs users when there's anything that needs their attention. This launch also introduces a new page with Chrome’s proactive safety-related actions and information tailored to each user, designed to make it easier for users to stay safe online.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Chrome Desktop responsive toolbar
Chrome Desktop customers across devices and input modes (for example, Mouse or Touch) now experience a toolbar that seamlessly responds to changing window sizes. This happens when users manually select and resize a window or use OS-specific window management tools in addition to an overflow menu.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Chrome on Android no longer supports Android Nougat
The last version of Chrome that supports Android Nougat is Chrome 119, and it includes a message to affected users informing them to upgrade their operating system.
Chrome 120 does not support nor ship to users running Android Nougat.
- Chrome 120 on Android: Chrome on Android no longer supports Android Nougat
- Package tracking (iOS only)
Users can enable a new package tracking feature that results in estimated delivery dates and package status appearing in a new card on the New tab page. This feature is only supported for en-US users and only for packages fulfilled via FedEx and USPS. If needed, you can turn off the feature using a new policy called ParcelTrackingEnabled.
- Chrome 120 on iOS: feature launches
- Unprefix -webkit-background-clip for text and make it an alias
Chrome allows the use of the unprefixed version forbackground-clip: text
and makes-webkit-background-clip
an alias forbackground-clip
. Also, it drops support for non-suffixed keywords (content, padding and border)..
- Chrome 120 on Windows, Mac, Linux, Android
- Chrome user policies for iOS
With Chrome user policies for iOS, admins can apply policies and preferences across a user's devices. Settings apply whenever the user signs in to Chrome browser with their managed account on any device, including personal devices.
Starting in Chrome 120, to bring consistency to iOS, managed end-users start to see a management notice stating that their organization manages the account they are signing into. In Chrome 121, admins can turn on this functionality in the Admin console under the Chrome on iOS setting. For more information, see Set Chrome policies for users or browsers.
- Chrome 120 on iOS: Feature starts gradual roll out.
- Chrome profile separation: new policies
Three new policies are now available to help you configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationDomainExceptionList. These policies take precedence over ManagedAccountsSigninRestriction and EnterpriseProfileCreationKeepBrowsingData.
- Chrome 120 on Linux, Mac, Windows
- Migrate away from data URLs in SVGUseElement
The SVG spec was recently updated to remove support fordata: URLs
inSVGUseElement
. This improves security of the Web platform as well as compatibility between browsers as Webkit does not supportdata: URLs
inSVGUseElement
. To read more, see this blog post.
Assigningdata: URLs
inSVGUseElement
can lead to Cross-Site Scripting (XSS) and Trusted Types bypass.
For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available until Chrome 128 to re-enable support fordata: URLs
inSVGUseElement
.
- Chrome 120 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia: Remove support for
data: URLs
inSVGUseElement
- Chrome 120 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia: Remove support for
- Password Manager: password sharing
Password Manager allows users to share their passwords with members of their Google Family Group (as configured in their Google Account). Users can only share one password at a time. It is not possible to share passwords in bulk. The shared password cannot be updated or revoked by the sender.
As an enterprise admin, you can use the PasswordSharingEnabled policy to switch off the share feature for all users.
- Chrome 120 on iOS, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia
- Remove recommended support from multiple policies
Some policies can be applied as recommended, allowing admins to set an initial value that users can later change. In Chrome 119, recommended support was removed from multiple policies that users had no way of configuring.
Any affected policies that were previously set as recommended now need to be set as mandatory to ensure they continue to take effect.
- Chrome 119 on Linux, Mac, Windows: Recommended support is being removed from the PrintPdfAsImageDefault enterprise policy.
- Chrome 120 on Android, Linux, Mac, Windows: Recommended support is being removed from the following enterprise policies:
- PasswordDismissCompromisedAlertEnabled
- Save images to Google Photos on iOS
When a signed-in user long-presses on an image in Chrome, they can save it directly to Google Photos. They have the option to save it to any account logged in on the device. You can use the ContextMenuPhotoSharingSettings policy to turn on this feature.
- Chrome 119 on iOS: Users can directly save images to Google photos
- Chrome 120 on iOS: A new policy, ContextMenuPhotoSharingSettings , is introduced to control this functionality
- Remove same-origin blanket enforcement in CSPEE
Chrome 120 removes a special treatment for same-origin iframes from CSP Embedded Enforcement.
This aligns the behavior of CSP Embedded Enforcement for cross-origin iframes and same-origin iframes. To read more, see ChromeStatus.
- Chrome 120 on Windows, Mac, Linux, Android
- Close requests for CloseWatcher, <dialog>, and popover=""
Close requests are a new concept where a user requests to close something currently open, using the Esc key on desktop or the back gesture or button on Android. Integrating Close requests into Chromium comes with two changes:
- CloseWatcher, a new API for directly listening and responding to close requests.
- Upgrades to
<dialog>
andpopover=""
to use the new close request framework, so that they respond to the Android back button.
- Chrome 120 on Windows, Mac, Linux, Android
- Deprecate and remove Theora support
Chrome 120 deprecates and removes support for the Theora video codec in Chrome desktop, due to emerging security risks. Theora's low (and now often incorrect) usage no longer justifies support for most users. Ogg containers will remain supported. Our plan is to begin escalating experiments turning down Theora support in Chrome 120. If users encounter problems playing specific videos, they can reactivate support viachrome://flags/#theora-video-codec
if needed until Chrome 123. You can find more info in Chrome Status.
- Chrome 120 on ChromeOS, LaCrOS, Windows, Mac, Linux
- Unmanaged device signals consent
This feature introduces a new consent popup dialog, which collects users' consent on whether they allow Chrome to collect device signals from their device.
The dialog is only displayed for users who satisfy the following conditions:- user is managed
- user's current device is unmanaged
- user's admin enabled the device trust service
- user's admin did not specifically disable this feature and its corresponding policy
- Chrome 120 on Linux, Mac, Windows
- Printing interactions moved to a service process
In Chrome 120, some users have the printing interactions with the operating system performed in a separate service process. Moving these interactions out of the browser process improves browser stability. It also improves the responsiveness of the Print Preview user interface. An enterprise policy OopPrintDriversAllowed is available to revert to making platform printing interactions from the browser process.
- URL-Based Permission Suggestions Service
Chrome is upgrading its Permission Suggestions Service. Earlier the requests to Chrome servers for permission suggestion service didn't contain URLs. Now Chrome will add URL based signals to the suggestion service. Earlier admins could disable sending requests to Chrome by setting the SafeBrowsingProtectionLevel policy to 1, 0 or unset. After this update the SafeBrowsingProtectionLevel policy will no longer enable/disable the Permission Suggestion Service.
The Permission Suggestions Service is now gated behind the existing URL-keyed anonymized data collection policy: UrlKeyedAnonymizedDataCollectionEnabled.
- Chrome 120 on ChromeOS, Linux, Mac, Windows: 1% stable experiment
- New and updated policies in Chrome browser
Policy Description ExtensionInstallTypeBlocklist Blocklist for install types of extensions ParcelTrackingEnabled Allows users to track their packages on Chrome (available on iOS) RelatedWebsiteSetsOverrides Override Related Website Sets RelatedWebsiteSetsEnabled Enable Related Website Sets DataUrlInSvgUseEnabled Data URL support for SVGUseElement ContextMenuPhotoSharingSettings Allow saving images directly to Google Photos (available on iOS) FeedbackSurveysEnabled Specifies whether in-product Google Chrome surveys are shown to users NativeHostsExecutablesLaunchDirectly Force Windows executable Native Messaging hosts to launch directly IPv6ReachabilityOverrideEnabled Enable IPv6 reachability check override PasswordSharingEnabled Enable sharing user credentials with other users PrivateNetworkAccessRestrictionsEnabled Specifies whether to apply restrictions to requests to more-private network endpoints
ChromeOS updates
- New controls for mouse scroll acceleration
ChromeOS 120 adds new controls to let users disable mouse scroll acceleration and adjust the speed of the scrolling.
- Enhanced Alt + click behavior
You can configure right-click behavior using the keyboard and touchpad. You can also configure settings for actions such as Home, End, and Page Up, in the Customize keyboard keys subpage.
- XDR Authentication Events
Authentication events (login/out lock/unlock) can now be enabled as part of Extended Detection and Response (XDR) on ChromeOS. Once rollout is complete, XDR systems will be able to use these events to provide insights on the device security posture.
- Pinch-to-Resize PiP
Picture-in-Picture (PiP) windows can now be resized with a pinch. Simply place two fingers on the window and pinch them together or spread them apart to find the perfect size for your screen.
- New look for Emoji Picker
ChromeOS 120 brings a new dynamic color palette to the floating Emoji and GIF Picker.
- Keyboard Shortcuts - Enabling F11-F12 keys
Most ChromeOS keyboards lack F11 and F12 keys, which are expected functionality in many applications. This proposal adds options to remap F11 and F12 keys in the Keyboard key remapping section in Settings.
- Deprecate support for legacy ChromeOS media containers and codecs
Deprecated support for MPEG4 Part 2 video codec and AVI container in ChromeOS 120. Users needing this functionality may temporarily re-enable support usingchrome://flags/#cros-legacy-media-formats
until ChromeOS 125, after which support will be removed.
- ChromeOS Virtual Desk Button (Bento Button)
Bento Button is a shelf button that's available for all users who utilize virtual desks. The button will allow quick access to desk operations for desk visualizing, desk switching, desk creation and desk ordering. If the user has previously saved desks, they would be able to go to the desk library as well.
- App Details in App Management
Settings now include additional details about installed apps. Navigate to Settings > Apps > Manage your apps, select an app to view the app's storage usage, version number, and information about how it was installed.
- ChromeOS Flex end of device support
As of January 01, 2024, devices scheduled to end support in 2023 will no longer be supported. Decertified devices include those listed below; for the full list of devices ending support you can review our Certified models list.- HP Compaq 6005 Pro HP
- Compaq Elite 8100
- Lenovo ThinkCentre M77
- HP ProBook 6550b
- HP 630
- Dell Optiplex 980
The devices will continue to receive ChromeOS Flex updates but these updates will no longer be tested or maintained by the Flex team. We recommend customers upgrade to newer ChromeOS devices to benefit from new features and security improvements.
Admin console updates
- New policies in Admin console
Policy Name Pages Supported on Category/Field PowerManagementIdleSettings (screen dim, screen off, idle actions) User, MGS ChromeOS Power and shutdown - Idle settings ScreenLockDelays User, MGS ChromeOS Power and shutdown - Idle settings LidCloseAction User, MGS ChromeOS Power and shutdown - Idle settings ChromeOsLockOnIdleSuspend (lock screen on lid close) User, MGS ChromeOS Power and shutdown - Idle settings NativeHostsExecutablesLaunchDirectly User Chrome Browser Other settings ExtensionInstallTypeBlocklist Additional app settings Chrome Browser Additional app settings ContextMenuPhotoSharingSettings User Chrome for iOS Content settings PrivateNetworkAccessRestrictionsEnabled User, MGS ChromeOS, Chrome Browser, Chrome for Android Network settings DeviceFlexHwDataForProductImprovementEnabled Device ChromeOS Other settings IPv6ReachabilityOverrideEnabled User ChromeOS, Chrome Browser, Chrome for Android Network settings DataUrlInSvgUseEnabled User, MGS ChromeOS, Chrome Browser, Chrome for Android Security
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Generative AI features
In Chrome 115, Google introduced its first Generative AI (GenAI) integration in the Search Side Panel. As early as Chrome 121, additional GenAI features will be rolled out to Chrome. You’ll be able to opt in through a newchrome://settings
page. Enterprise policies will be available at roll-out to control these features. More details will be shared in upcoming milestones.
- (Earliest) Chrome 121 on ChromeOS, Linux, Mac, Windows
- Safer encrypted archives for Standard Safe Browsing users
Standard Safe Browsing users will be prompted for a password to some encrypted archive downloads. This will be used to collect more metadata about the download (such as contained file hashes and executable signatures), which will be sent to Google for better quality verdicts. The password will remain local. You can control this feature with the SafeBrowsingDeepScanningEnabled policy.
- Chrome 121 on Linux, Mac, Windows
- Permissions prompt for Web MIDI API
There have been several reported problems around Web MIDI API's drive-by access to client MIDI devices (bugs). To address this problem, the Audio WG decided to place an explicit permission on the general MIDI API access. Originally, the explicit permission was only required for advanced MIDI usage (System Exclusive (SysEx) messages) in Chrome, with gated access behind a permissions prompt. We plan to expand the scope of the permission to regular MIDI API usage.
Today the use of SysEx messages with the Web MIDI API requires an explicit user permission. With this implementation, even access to the Web MIDI API without SysEx support will require a user permission. Three new policies—DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls—will be available to allow administrators to pre-configure user access to the API.
- Chrome 121 on Windows, Mac, Linux, Android
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 121 on Windows: Network Service sandboxed on Windows
- User Link Capturing on PWAs - Windows, Mac and Linux
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome will make it more seamless to move between the browser and installed web apps. When the user clicks on a link that could be handled by an installed web app, Chrome will add a chip in the address bar to suggest switching over to the app. Clicking on the chip would either launch the app directly, or open a grid of apps that can support that link. For some users, clicking on a link will always automatically open the app.
- Chrome 121 on Linux, Mac, Windows: When some users click on a link, it will always open in an installed PWA, while some users will see the link open in a new tab with a chip in the address bar clicking on which will launch the app. This is an experiment to determine if users prefer having links launched by default. The experiment will run on Canary/Dev/Beta and 1% of Stable.
- Chrome 123 on Linux, Mac, Windows: Based on the outcome of the experiment in Chrome 121, we will launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if user clicks on chip on address bar).
- Side Panel Navigation: Pinning/Unpinning
As early as Chrome 121, the side panel icon is being removed in favor of evolving the side panel navigation to offer customization through toolbar pinning. This will allow for efficient direct access to a suite of panels.
- Chrome 121 on Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia
- SharedImages for PPAPI Video Decode
Chrome 119 introduces a new PPAPISharedImagesForVideoDecoderAllowed policy to control the recent refactor for VideoDecoder APIs in PPAPI plugin.
- Chrome 119 on ChromeOS, LaCrOS: Introduces escape hatch policy.
- Chrome 122 on ChromeOS, LaCrOS: Escape hatch policy and corresponding old code paths are removed.
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events.
In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of a Permissions-Policy API and an enterprise policy ForcePermissionPolicyUnloadDefaultEnabled, which will allow you to selectively keep the behavior unchanged.
- Chrome 117 on Chrome OS, Linux, Mac, Windows: Dev Trial
- Chrome 119 on Chrome OS, Linux, Mac, Windows: Introduces ForcePermissionPolicyUnloadDefaultEnabled policy
- Chrome 121 -131 on Chrome OS, Linux, Mac, Windows: Deprecation trial (general rollout of deprecation will be limited scope until deprecation trial is ready)
- Resume the last opened tab on any device
For the last open tab on any device within the last 24 hours with the same signed-in user profile, Chrome will offer users with a quick shortcut to resume that tab. Admins will be able to control this feature using an existing enterprise policy called SyncTypesListDisabled.
- Chrome 122 on iOS: Feature launches
- Remove support for UserAgentClientHintsGREASEUpdateEnabled
We plan to deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year. The policy will eventually be removed.
- Chrome 122 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 125 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed
- Chrome Sync ends support for Chrome 81 and earlier
Chrome Sync will no longer support Chrome 81 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 123 on Android, iOS, Chrome OS, Linux, Mac, Windows: The change will be implemented.
- Deprecate and remove WebSQL
With SQLite over WASM as its official replacement, we plan to remove WebSQL entirely. This will help keep our users secure.
The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.
Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a policy, WebSQLAccess, is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy.
- Chrome 123: on Chrome OS, LaCrOS, Linux, Mac, Windows: Starting in Chrome 123, the policy WebSQLAccess, which allows for WebSQL to be available, will no longer be available.
- Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 128 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- Intent to deprecate: Mutation Events
Synchronous Mutation Events, includingDOMSubtreeModified
,DOMNodeInserted
,DOMNodeRemoved
,DOMNodeRemovedFromDocument
,DOMNodeInsertedIntoDocument
, andDOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.
- Extensions must be updated to leverage Manifest V3 by June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:
- Chrome 110 on ChromeOS, LaCrOS, Linux, Mac, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Chrome 127 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome will gradually disabled Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, Mac, Windows: Remove ExtensionManifestV2Availability policy.
Upcoming ChromeOS changes
- ChromeOS Flex End of Device Support
As of the 1st Jan 2024, devices scheduled to end support in 2023 will no longer be supported. Devices include those detailed below, for the full list of devices ending support please review our certified devices list .
- HP Compaq 6005 Pro
- HP Compaq Elite 8100
- Lenovo ThinkCentre M77
- HP ProBook 6550b
- HP 630
- Dell Optiplex 980
The devices will continue to receive ChromeOS Flex updates but these updates will no longer be tested or maintained by the Flex team.
We recommend customers look to upgrade to newer ChromeOS devices to benefit from new features and security improvements.
- ChromeOS Flex Bluetooth Migration
ChromeOS Flex will be upgrading to the Floss bluetooth stack in ChromeOS 121. As part of this upgrade the following devices will no longer support bluetooth functionality.
- HP Probook 4530s
- Lenovo ThinkPad T420
- HP Elitebook 8460p
- Apple iMac 11,2
- Lenovo ThinkPad x220
- Dell Vostro 3550
- HP 3115m
- HP Elitebook 2560p
- HP ProBook 6465b
- Lenovo ThinkPad L420
- Set the screensaver duration
As early as ChromeOS 120, you will be able to set the duration for screensaver while charging. Users can now choose how long their screensaver runs while their device is charging (not on battery). You can control this using a new enterprise policy. The default setting is Forever, and can be reduced using drop-down options.
- New look for ChromeOS media player
As early as ChromeOS 121, the media player will have bigger buttons and colors to match your wallpaper. The media player will appear when you are playing any video or audio (like Spotify or YouTube) in Quick Settings. You will be able to click the pin icon to move the media player to the shelf. In addition to controlling media that is being cast, you will be able to start casting web media to any speakers or screens on your local network.
- Integrate the DLP events rule Id and name into the security investigation tool
ChromeOS Data Control events, for Data Loss Prevention (DLP), will have additional fields to enrich admin insights in the security investigation tool.
- ChromeOS Data Controls file restrictions
In ChromeOS 121, ChromeOS Data Controls, for DLP, will enable IT and Security teams to protect important business and customer data. It will be available for events like copy and paste, screen capture, screen sharing, and printing. IT administrators will be able to create an information protection strategy with rules based on the data source, destination and user.
We will have new functionality to control what users can do with files on ChromeOS devices through source and destination based rules.
- Enhanced notifications for pinned apps
As early as ChromeOS 121, you will be able to visually separate pinned notifications from other notifications. We will change the visual specs, buttons, and notification text to fit within fixed size bubbles. This significantly differentiates the visual look of pinned notifications from typical notifications to reflect their significant difference in purpose (notifying the user of an ongoing process rather than an instantaneous event).
- New ChromeOS sync options
ChromeOS will soon deliver an updated device setup experience that lets users customize sync settings for apps, settings, wi-fi networks, and wallpaper.
- App disablement by Admin in MGS
Up until now, Managed Guest Sessions (MGS) include a set of applications (Explore, Gallery, and Terminal apps) that are available to the user. With the SystemFeaturesDisableList policy, Admins will soon be able to disable these apps, blocking and hiding them from users across your enterprise.
Upcoming Admin console changes
- Inactive browser deletion in Chrome Browser Cloud Management
As early as Chrome 123, the Inactive period for browser data deletion policy will be added to the Admin Console and it will automatically delete browsers that have not contacted the server for more than the inactivity period of time determined by the policy. When releasing the policy, the inactivity period of time will have a default value of 18 months. All enrolled browsers that have been inactive for more than 18 months will be deleted from your account shortly after the release of this policy. The maximum value to determine the browser inactivity period will be 730 days and the minimum value is 28 days.
Note. Shortening the period significantly will cause more enrolled browsers to be considered inactive and deleted, and should be done with caution. To mitigate this, you can set the Device Token Management policy value to “Delete token” ahead of time, which allows deleted browsers to automatically re-enroll in Chrome Browser Cloud Management the next time the browser restarts (if the enrollment token is still valid). You can find the Device Token Management policy here.
- As early as Chrome 121: The Inactive period for browser data deletion policy UI will be available for early access in the Admin console. For IT admins who find the 18 month default inadequate, this will allow them to explicitly set a policy value (inactivity period of time) a few weeks before the actual deletion starts.
- Apps & Extensions usage report: Highlight extensions removed from the Chrome Web Store
As early as 121, Chrome is adding new information on the Apps & Extensions usage report to help you identify if an extension was recently removed from the Chrome Web Store via a new notifications column and a new Chrome Web Store column that represents the listing status of an extension. On the App Details page, you can find the reason why an extension was removed from the Chrome Web Store. This feature will help IT administrators identify the impact of using the policy to disable unpublished extensions.
This feature is available to test for the members of the Chrome Enterprise Trusted Tester program. You can sign up for our Trusted Tester program here.
- Chrome 120 on Linux, Mac, Windows: Trusted Tester program
- Chrome 121 on Linux, Mac, Windows: Feature rolls out
Apps & Extensions usage report:
App Details page:
- Legacy Technology report
As early as Chrome 121, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, SameSite cookie changes, older security protocols like TLS 1.0/1.1 and third-party cookies. This information will enable IT administrators to work with developers to plan required tech migrations before the deprecation goes into effect.
This feature will be released in our Trusted Tester program as early as Chrome 120. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- As early as Chrome 121 on Linux, Mac, Windows
- Chrome crash report
As early as Chrome 122, you will be able to visualize crash events in the Admin console using the new Chrome crash report page. In this report, you will find a dynamic chart representing Chrome crash events over time, grouped by versions of Chrome. Additional filtering is available for the following fields: OS platforms, Chrome channels and dates. This report will help you proactively identify potential Chrome issues within your organization.
This feature will be released in our Trusted Tester program as early as Chrome 121. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- Chrome 121 on Linux, Mac, Windows: Trusted Tester program
- Chrome 122 on Linux, Mac, Windows: Feature rolls out
Chrome 119
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Chrome release schedule changes | ✓ | ||
Deprecate and remove WebSQL | ✓ | ||
Native Client support updates | ✓ | ||
Remove Sanitizer API | ✓ | ||
Tab groups can be saved, recalled, and synced | ✓ | ||
Deprecate non-standard shadowroot attribute for declarative shadow DOM | ✓ | ||
Shifting UI strings in Chrome from Clear to Delete when getting rid of data | ✓ | ||
DevTools internal errors reported to Chrome internal crash reporting | ✓ | ||
Skip unload events | ✓ | ||
SharedImages for PPAPI Video Decode | ✓ | ||
Remove Authorization header upon cross-origin redirect | ✓ | ||
Dedicated setting for Permission Suggestions Service | ✓ | ||
Hash-prefix real-time lookups | ✓ | ||
Remove recommended support from multiple policies | ✓ | ||
Standard-compliant URL host punctuation characters | ✓ | ||
Save images to Google Photos on iOS | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Privacy Hub | ✓ | ||
ChromeOS Admin templates | ✓ | ||
Using Drive offline on Chromebook Plus | ✓ | ✓ | |
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Default Search Engine choice screen | ✓ | ||
Rename FirstPartySets Enterprise Policies to RelatedWebsiteSets | ✓ | ✓ | |
Revamped Safety Check on Desktop | ✓ | ||
Chrome Desktop responsive toolbar | ✓ | ||
Chrome on Android will no longer support Android Nougat | ✓ | ||
Chrome Third-Party Cookie Deprecation | ✓ | ||
Package tracking (iOS only) | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Display banner allowing to resume last tab from other devices | ✓ | ||
Resume the last opened tab on any device | ✓ | ||
Unprefix -webkit-background-clip for text and make it an alias | ✓ | ||
Chrome user policies for iOS | ✓ | ||
Chrome profile separation: new policies | ✓ | ||
Migrate away from data URLs in SVGUseElement | ✓ | ✓ | |
Password Manager: password sharing | ✓ | ✓ | |
Permissions prompt for Web MIDI API | ✓ | ||
IP Protection Phase 0 for Chrome | ✓ | ||
Apps & Extensions Usage Report: Highlight extensions removed from the Chrome Web Store | ✓ | ||
Legacy Technology Report | ✓ | ||
Remove support for UserAgentClientHintsGREASEUpdateEnabled | ✓ | ||
Chrome Sync ends support for Chrome 81 and earlier | |||
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy | ✓ | ||
Intent to deprecate: Mutation Events | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | ✓ |
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Set the screensaver duration | ✓ | ||
New controls for mouse scroll acceleration | ✓ | ||
Enhanced Alt + click behavior | ✓ | ||
New look for ChromeOS media player | ✓ | ||
Enhanced notifications for pinned apps | ✓ | ||
New ChromeOS sync options | ✓ | ✓ | |
App disablement by Admin in MGS | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Chrome release schedule changes
Chrome 119 and all subsequent releases will be moved forward by one week. For example, Chrome 119 has its early stable release on October 25 instead of Nov 1. Beta releases will also be moved forward by one week starting in Chrome 119.
For more details, see the Chrome Release Schedule.
- Chrome 119 on Android, iOS, ChromeOS, Linux, Mac, Windows
- Deprecate and remove WebSQL
With SQLite over WASM as its official replacement, we plan to remove WebSQL entirely. This will help keep our users secure.
The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.
Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a policy, WebSQLAccess, is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy.
- Chrome 123: on Chrome OS, LaCrOS, Linux, Mac, Windows: Starting in Chrome 123, the policy WebSQLAccess, which allows for WebSQL to be available will no longer be available.
- Native Client support updates
Chrome 119 removes a temporary enterprise policy, NativeClientForceAllowed, which allowed Native Client to continue to be used.
- Chrome 117 on Linux, Mac, Windows: Removes Native Client NaCl support from extensions on Windows, macOS, Linux.
- Chrome 119 on Linux, Mac, Windows: Removes NativeClientForceAllowed policy.
- Remove Sanitizer API
To prevent the current Sanitizer API from becoming entrenched, we plan to remove the current implementation. We expect to re-implement the Sanitizer API when the proposed specification stabilizes again.
The Sanitizer API aims to build an easy-to-use, always secure, browser-maintained HTML sanitizer into the platform. We shipped an initial version of the Sanitizer API in Chrome 105, based on the then-current specification draft. However, the standards discussion has meanwhile moved on and the proposed API shape has changed substantially.
- Chrome 119 on Windows, Mac, Linux, Android
- Tab Groups can be saved, recalled, and synced
Users can now save tab groups, which allows them to close and re-open the tabs in the group, as well as sync them across devices. You can disable syncing Tab Groups using the SyncTypesListDisabled policy.
- Chrome 119 on ChromeOS, Linux, Mac, Windows
- Deprecate non-standard shadowroot attribute for declarative Shadow DOM
The standards-trackshadowrootmode
attribute, which enables declarative Shadow DOM, was shipped in Chrome 111 (ChromeStatus). The older, non-standardshadowroot
attribute is now deprecated. During the deprecation period, both attributes are functional, however the shadowroot attribute does not enable the new streaming behavior, whereasshadowrootmode
allows streaming of content. There is a straightforward migration path: replaceshadowroot
withshadowrootmode
.
The oldshadowroot
attribute is deprecated as of Chrome 112, and it will be removed (no longer supported) in Chrome 119. Chrome 119 goes to Stable on October 31, 2023.
- Chrome 119 on Windows, Mac, Linux, Android
- Shifting UI strings in Chrome from Clear to Delete when getting rid of data
Chrome is updating settings text to reflect delete instead of clear when referring to the destruction of data. We expect this change to improve users’ understanding of the associated effect on data. Users who intend to get rid of data should feel reassured that the data is actually deleted, not just cleared from one view but possibly accessible elsewhere.
- Chrome 119 on Android, iOS, ChromeOS, Mac, Windows: The earliest milestone that users may see these changes is 119.
- DevTools internal errors reported to Chrome internal crash reporting
To improve Chrome's stability, DevTools internal errors are now reported through Chrome's existing crash reporting pipeline. This provides visibility of the stability of Chrome DevTools. Admins can control all crash reporting, including these errors, using the MetricsReportingEnabled enterprise policy.
- Chrome 119 on ChromeOS, Linux
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events.
In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of a Permissions-Policy API and an enterprise policy ForcePermissionPolicyUnloadDefaultEnabled, which will allow you to selectively keep the behavior unchanged.
- Chrome 117 on Chrome OS, Linux, Mac, Windows: Dev Trial
- Chrome 119 on Chrome OS, Linux, Mac, Windows: Introduces ForcePermissionPolicyUnloadDefaultEnabled policy
- Chrome 120-131 on Chrome OS, Linux, Mac, Windows: Deprecation trial (general rollout of deprecation will be limited scope until deprecation trial is ready)
- SharedImages for PPAPI Video Decode
Chrome 119 introduces a new PPAPISharedImagesForVideoDecoderAllowed policy to control the recent refactor for VideoDecoder APIs in PPAPI plugin.
- Chrome 119 on ChromeOS, LaCrOS: Introduces escape hatch policy.
- Chrome 122 on ChromeOS, LaCrOS: Escape hatch policy and corresponding old code paths are removed.
-
Remove Authorization header upon cross-origin redirect
The Fetch standard has been updated to remove Authorization header on cross origin redirects. Chrome 119 implements this change to the specification. Prior to Chrome 119, when a cross origin redirect, such as fromfoo.test
tobar.test
, happened with an Authorization header, Chrome preserved the Authorization header andbar.test
could receive the header. Starting Chrome 119, Chrome removes Authorization headers when cross origin redirects happen, meaning thatbar.test
no longer receives the Authorization header.- Chrome 119 on ChromeOS, Windows, Mac, Linux, Android
- Dedicated setting for Permission Suggestions Service
The settings page for notification and geolocation permissions now has an additional option to explicitly enable the Permission Suggestions Service. Permission Suggestions Service is an already existing feature, but it didn’t have its dedicated setting. It was tied to standard Safe Browsing settings being enabled. Now the users can choose between four different states:- Always show the notification/geolocation permission prompt
- Let Permission Suggestion Service quieten unwanted notification/geolocation requests (new)
- Always quieten notification permission requests
- Always block notifications/geolocation permission requests
- DefaultNotificationsSetting
- NotificationsAllowedForUrls and NotificationsBlockedForUrls
- DefaultGeolocationSetting
- Chrome 119 on Linux, Mac, Windows
- Hash-prefix real-time lookups
For standard Safe Browsing protection users, visited URLs now have their safety checked in real time instead of against a less frequently updated local list of unsafe URLs. This is done by sending partial hashes of the URLs to Google Safe Browsing through a proxy via Oblivious HTTP, so that the user’s IP address is not linked to the partial hashes. This change improves security while maintaining privacy for users. If needed, the feature can be disabled through the policy SafeBrowsingProxiedRealTimeChecksAllowed.
- Chrome 119 on Android, iOS, Chrome OS, LaCrOS, Linux, Mac, Windows
- Remove recommended support from multiple policies
Some policies can be applied as recommended, allowing administrators to set an initial value which end-users can later change. Beginning in Chrome 119, recommended support will be removed from multiple policies which end-users currently have no way of configuring.
Any affected policies that were previously set as recommended will need to be set as mandatory to ensure they continue to take effect.
- Chrome 119 on Linux, Mac, Windows: Recommended support is being removed from the PrintPdfAsImageDefault enterprise policy.
- Chrome 120 on Android, Linux, Mac, Windows: Recommended support is being removed from the following enterprise policies:
- Standard-compliant URL host punctuation characters
Chrome 119 continues our efforts to make Chrome's handling of URL host punctuation characters standard-compliant. Here is a summary of changes in Chrome 119:
Notation:
- 'ESC': Allowed, but Chrome escapes it, which is non-compliant.
- '-': Allowed.
- '0': Forbidden. URL will be invalid if the host contains a forbidden character.
Warning:
- SPACE and ASTERISK are still non-compliant.
- Chrome 119 on Windows, Mac, Linux, Android
- Save images to Google Photos on iOS
When a signed-in user long-presses on an image in Chrome, they can save it directly to Google Photos. They have the option to save it to any account logged in on the device.
- Chrome 119 on iOS: Users can directly save images to Google photos
- Chrome 120 on iOS: A policy is introduced to control this functionality
- New and updated policies in Chrome browser
Policy Description SafeBrowsingDeepScanningEnabled Allow download deep scanning for Safe Browsing-enabled users SafeBrowsingProxiedRealTimeChecksAllowed Allow Safe Browsing Proxied Real Time Checks (now also available on Android)
ChromeOS updates
- Privacy Hub
Users can now manage their camera and microphone settings across the operating system from one place in Settings>Security and Privacy>Privacy controls. Now it only takes one click for users to completely turn off their camera or microphone all from one place when they need extra confidence in staying on mute.
- ChromeOS Admin templates
With App Launch Automation, admins can now configure groups of applications, windows and tools that can be launched automatically on startup or on-demand by users throughout their day. With App Launch Automation, you can get users up and running quickly at the start of their day, provide users with a way to easily get to an optimal starting point for new tasks, and remember the window layout each user sets up for their individual workflows for future use.
You can turn on this feature using the#app-launch-automation
flag, and then create templates in the Admin console.
- Using Drive offline on Chromebook Plus devices
Enterprise users on Chromebook Plus devices can now easily make all of their files in the My Drive section of Google Drive available offline. You can control this using the DriveFileSyncAvailable enterprise policy.
Admin console updates
- New policies in Admin console
Policy Name Pages Supported on Category/Field PPAPISharedImagesForVideoDecoderAllowed User & Browser, MGS ChromeOS Content SafeBrowsingDeepScanningEnabled User & Browser Chrome (Linux, Mac, Windows), ChromeOS Chrome Safe Browsing
DriveFileSyncAvailable User & Browser ChromeOS Content ProfileSeparationDataMigrationSettings User & Browser Chrome (Linux, Mac, Windows) Sign-In Settings ProfileSeparationDomainExceptionList User & Browser Chrome (Linux, Mac, Windows) Sign-In Settings ProfileSeparationSettings User & Browser Chrome (Linux, Mac, Windows) Sign-In Settings ShowDisplaySizeScreenEnabled User & Browser ChromeOS Sign-In Settings ShowTouchpadScrollScreenEnabled User & Browser ChromeOS Sign-In Settings DeviceEphemeralNetworkPoliciesEnabled Device ChromeOS Other Settings
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Default Search Engine choice screen
As early as Chrome 120, enterprise end-users might be prompted to choose their default search engine within Chrome.
As part of our building for DMA compliance, some users will be prompted to choose their default search engine for Chrome. This prompt controls the default search engine setting, currently available at chrome://settings/search. The enterprise policies, DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, will continue to control this setting as it does today, if it is set by the IT admin. Read more on this policy and the related atomic group.
- Chrome 120 on iOS, Chrome OS, LaCrOS, Linux, Mac, Windows: 1% users will start getting the choice screen with Chrome 120. 100% by Chrome 122.
- Rename FirstPartySets enterprise policies to RelatedWebsiteSets
The FirstPartySetsEnabled and FirstPartySetsOverrides enterprise policies are renamed to RelatedWebsiteSetsEnabled and RelatedWebsiteSetsOverrides respectively. There is no change in the policies’ behavior. The new policies become available from Chrome 120. Administrators should use them going forward. To learn more about the rename, follow https://developer.chrome.com/blog/related-website-sets/
- Chrome 120 on Android, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia
- Revamped Safety Check on Desktop
We plan to introduce a new proactive Safety Check that regularly checks the browser for safety-related issues and informs users when there's anything that needs their attention. This launch also introduces a new page with Chrome’s proactive safety-related actions and information tailored to each user, designed to make it easier for users to stay safe online.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Chrome Desktop responsive toolbar
As early as Chrome 120, Chrome Desktop customers across devices and input modes (for example, Mouse or Touch) will experience a toolbar that seamlessly responds to changing window sizes, when users manually select and resize a window or use OS-specific window management tools.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Chrome on Android will no longer support Android Nougat
The last version of Chrome that supports Android Nougat is Chrome 119, and it includes a message to affected users informing them to upgrade their operating system.
Chrome 120 will not support nor ship to users running Android Nougat.
- Chrome 120 on Android: Chrome on Android no longer supports Android Nougat
- Chrome Third-Party Cookie deprecation
In Chrome 120 and beyond (Jan 2024), Chrome will globally disable third-party cookies for 1% of Chrome traffic as part of our Chrome-facilitated testing in collaboration with the CMA. This will allow sites to meaningfully preview what it's like to operate in a world without third-party cookies. Most enterprise users will be excluded from this experiment group automatically. But for the few that might be affected, admins will be able to use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies and opt out their managed browsers ahead of the experiment. This will give enterprises time to make the changes required to not rely on this policy or third-party cookies.
We plan to provide more tooling to help identify third-party cookies use cases. Admins can set the BlockThirdPartyCookies policy to false to re-enable third-party cookies for all sites but this will prevent users from changing the corresponding setting in Chrome. Alternatively, to prevent breakage, you can set the CookiesAllowedForUrls policy to allowlist your enterprise applications to continue receiving third-party cookies.
For more details on how to prepare, provide feedback and report potential site issues, refer to the Mode B: 1% third-party cookie deprecation blog section and the Preparing for the end of third-party cookies blog.
- Chrome 120 on ChromeOS, Linux, Mac, Windows
1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Chrome 120 on ChromeOS, Linux, Mac, Windows
- Package tracking (iOS only)
Users will be able to enable a new package tracking feature that results in estimated delivery dates and package status appearing in a new card on the New tab page. This feature is only supported for en-US users and only for packages fulfilled via FedEx and USPS. If needed, you will be able to turn off the feature using a new policy called ParcelTrackingEnabled.
- Chrome 120 on iOS: feature launches
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 120 on Windows: Network Service sandboxed on Windows
- Display banner allowing to resume last tab from other devices
To help signed-in users resume tasks when they have to switch devices immediately, Chrome will offer to pick up tabs recently used on the previous device. Admins will be able to control this feature using an existing enterprise policy called SyncTypesListDisabled.
- Chrome 120 on iOS: Feature launches
- Resume the last opened tab on any device
For the last open tab on any device within the last 24 hours with the same signed-in user profile, Chrome will offer users with a quick shortcut to resume that tab. Admins will be able to control this feature using an existing enterprise policy called SyncTypesListDisabled.
- Chrome 120 on iOS: Feature launches
- Unprefix -webkit-background-clip for text and make it an alias
Chrome will allow the use of the unprefixed version forbackground-clip: text
and will make-webkit-background-clip
an alias forbackground-clip
. Also, it drops support for non-suffixed keywords (content, padding and border) for better round-trip with alias.
- Chrome 120 on Windows, Mac, Linux, Android
- Chrome user policies for iOS
Admins can apply policies and preferences across a user's devices. Settings apply whenever the user signs in to Chrome browser with their managed account on any device. This functionality already exists on Windows, Mac, Linux, ChromeOS and Android. We are in the process of bringing this functionality to iOS.
- Chrome 120 on iOS: The earliest milestone for this capability is 120.
- Chrome profile separation: new policies
Three new policies will be created to help enterprises configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist. These policies will be simpler to use and will replace ManagedAccountsSigninRestriction and EnterpriseProfileCreationKeepBrowsingData.
- Chrome 120 on Linux, Mac, Windows
- Migrate away from data URLs in SVGUseElement
The SVG spec was recently updated to remove support for data: URLs inSVGUseElement
. This improves security of the Web platform as well as compatibility between browsers as Webkit does not support data: URLs inSVGUseElement
. You can read more in this blog post.
Assigning a data: URL inSVGUseElement
can cause XSS. And this also led to a Trusted Types bypass.
For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available until Chrome 128 to re-enable Data URL support forSVGUseElement
.
- Chrome 120 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia: Remove support for data: URLs in SVGUseElement
- Password Manager: password sharing
Password Manager allows users to share their passwords with members of their Google Family Group (as configured in their Google Account). Users can only share one password at a time. It is not possible to share passwords in bulk. The shared password cannot be updated or revoked by the sender.
Enterprise admins can use the PasswordSharingEnabled policy to switch off the share feature for all their employees.
- Chrome 120 on iOS, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia
- Permissions prompt for Web MIDI API
There have been several reported problems around Web MIDI API's drive-by access to client MIDI devices (bugs). To address this problem, the Audio WG decided to place an explicit permission on the general MIDI API access. Originally, the explicit permission was only required for the advanced MIDI usage, for example, system exclusive (SysEx) message in Chrome, with gated access behind a permissions prompt. We plan to expand the scope of the permission to regular MIDI API usage.
Today the use of SysEx messages with the Web MIDI API requires an explicit user permission. With this implementation, even access to the Web MIDI API without SysEx support will require a user permission. Three new policies—DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls—will be available to allow administrators to pre-configure user access to the API.
- Chrome 121 on Windows, Mac, Linux, Android
- IP Protection Phase 0 for Chrome
As early as Chrome 122, Chrome might route traffic for some network requests to Google-owned resources through a privacy proxy. This is an early milestone in a larger effort to protect users' identities by masking their IP address from known cross-site trackers. More information is available in this explainer on GitHub. Enterprise policies will be in place to allow admins to turn off the feature before it’s launched.
- Chrome 122 on ChromeOS, Linux, Mac, Windows, Android
- Apps & Extensions Usage report: Highlight extensions removed from the Chrome Web Store
As early as 122, Chrome is adding new information on the Apps & Extensions Usage Report to help you identify if an extension was recently removed from the Chrome Web Store. On the App Details page, you can find the reason why an extension was removed from the Chrome Web Store. This feature will help IT administrators identify the impact of using the policy to disable unpublished extensions.
- Chrome 122 on LaCrOS, Linux, Mac, Windows
- Legacy Technology report
As early as Chrome 122, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, SameSite cookie changes, or older security protocols like TLS 1.0/1.1. This gives admins the ability to work with developers to plan required tech migrations before the deprecation goes into effect. If you’re interested in helping us test this feature, you can sign up for our Trusted Tester program here.
- Chrome 122 on LaCrOS, Linux, Mac, Windows
- Remove support for UserAgentClientHintsGREASEUpdateEnabled
We plan to deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year. The policy will eventually be removed.
- Chrome 122 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 125 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed
- Chrome Sync ends support for Chrome 81 and earlier
Chrome Sync will no longer support Chrome 81 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 123 on Android, iOS, Chrome OS, Linux, Mac, Windows: The change will be implemented.
- Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- Intent to deprecate: Mutation Events
Synchronous Mutation Events, includingDOMSubtreeModified
,DOMNodeInserted
,DOMNodeRemoved
,DOMNodeRemovedFromDocument
,DOMNodeInsertedIntoDocument
, andDOMCharacterDataModified
, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.
- Extensions must be updated to leverage Manifest V3
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. As mentioned earlier in our blog post , the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed. During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3. An Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:
- Chrome 98 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Public" or "Unlisted". The ability to change Manifest V2 extensions from "Private" to "Public" or "Unlisted" is removed.
- Chrome 103 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Private".
- Chrome 110 on ChromeOS, LaCrOS, Linux, Mac, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Future milestone on ChromeOS, LaCrOS, Linux, Mac, Windows: Remove ExtensionManifestV2Availability policy.
Upcoming ChromeOS changes
- Set the screensaver duration
As early as ChromeOS 120, you will be able to set the duration for screensaver while charging. Users can now choose how long their screensaver runs while their device is charging (not on battery). You can control this using a new enterprise policy. The default setting is Forever, and can be reduced using drop-down options.
- New controls for mouse scroll acceleration
ChromeOS 120 will add new controls to let users disable mouse scroll acceleration and adjust the speed of the scrolling.
- Enhanced Alt + click behavior
In ChromeOS 120, you will be able to configure right-click behavior using the keyboard and touchpad. You can also configure settings for actions such as Home, End, and Page Up, in the Customize keyboard keys subpage.
- New look for ChromeOS media player
As early as ChromeOS 121, the media player will have bigger buttons and colors to match your wallpaper. The media player will appear when you are playing any video or audio (like Spotify or YouTube) in Quick Settings. You will be able to click the pin icon to move the media player to the shelf. In addition to controlling media that is being cast, you will be able to start casting web media to any speakers or screens on your local network.
- Enhanced notifications for pinned apps
As early as ChromeOS 121, you will be able to visually separate pinned notifications from other notifications. We will change the visual specs, buttons, and notification text to fit within fixed size bubbles. This significantly differentiates the visual look of pinned notifications from typical notifications to reflect their significant difference in purpose (notifying the user of an ongoing process rather than an instantaneous event).
- New ChromeOS sync options
ChromeOS will soon deliver an updated device setup experience that lets users customize sync settings for apps, settings, wi-fi networks, and wallpaper.
- App disablement by Admin in MGS
Up until now, Managed Guest Sessions (MGS) include a set of applications (Explore, Gallery, and Terminal apps) that are available to the user. With the SystemFeaturesDisableList policy, Admins will soon be able to disable these apps, blocking and hiding them from users across your enterprise.
Chrome 118
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Remove ForceMajorVersionToMinorPositionInUserAgent policy | ✓ | ||
Remotely disable malicious off-store extensions | ✓ | ||
Remove RendererCodeIntegrityEnabled policy | ✓ | ||
Support for passkeys in iCloud Keychain on macOS | ✓ | ✓ | |
Hash-prefix real-time lookups | ✓ | ||
Updates to the red Safe Browsing interstitials | ✓ | ✓ | |
Form controls support vertical writing mode | ✓ | ||
Block all cookies set via JavaScript that contain control characters | ✓ | ||
Clearer Safe Browsing protection level settings text and images | ✓ | ||
WebUSB in Extension Service Workers | ✓ | ||
Include chrome.tabs API calls in extension telemetry reports | ✓ | ||
Remove non-standard appearance keywords | ✓ | ||
Enrollment for Privacy Sandbox | ✓ | ||
Discounts shown on product pages and on Quests on the New Tab Page | ✓ | ||
Encrypted archive deep scanning for Enhanced Safe Browsing users | ✓ | ||
Flag for enabling the chrome://policy/test page | ✓ | ||
TLS Encrypted Client Hello (ECH) | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Password recovery | ✓ | ||
Tabbed PWAs | ✓ | ||
Printer setup assistance | ✓ | ||
Imprivata integration v4 | ✓ | ✓ | |
Touch text editing redesign | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome release schedule changes | ✓ | ||
Deprecate and remove WebSQL | ✓ | ||
Native Client support updates | ✓ | ||
Migrate away from data URLs in SVG <use> element | ✓ | ✓ | |
Network Service on Windows will be sandboxed | ✓ | ||
Display banner allowing to resume last tab from other devices | ✓ | ||
Remove Sanitizer API | ✓ | ||
Tab groups can be saved, recalled, and synced | ✓ | ||
Chrome profile separation: new policies | ✓ | ||
Private Network Access restrictions for automotive | ✓ | ||
Deprecate non-standard shadowroot attribute for declarative shadow DOM | ✓ | ||
Remove support for UserAgentClientHintsGREASEUpdateEnabled | ✓ | ||
Default Search Engine choice screen | ✓ | ||
Shifting UI strings in Chrome from Clear to Delete when getting rid of data | ✓ | ||
DevTools internal errors will be reported to Chrome internal crash reporting | ✓ | ||
SharedImages for PPAPI Video Decode | ✓ | ||
Private Aggregation API bundled enhancements | ✓ | ✓ | |
Remove Authorization header upon cross-origin redirect | ✓ | ||
Revamped Safety Check on Desktop | ✓ | ||
Permissions prompt for Web MIDI API | ✓ | ||
Desktop Responsive Toolbar | ✓ | ||
Chrome on Android will no longer support Android Nougat | ✓ | ||
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
IP Protection Phase 0 for Chrome | ✓ | ||
Apps & Extensions Usage Report: Highlight extensions removed from the Chrome Web Store | ✓ | ||
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy | ✓ | ||
Intent to deprecate: Mutation Events | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | ✓ |
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Privacy Hub | ✓ | ||
ChromeOS Admin templates | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
URL-keyed anonymized data collection in Kiosk mode | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Remove ForceMajorVersionToMinorPositionInUserAgent policy
Chrome 118 removes the ForceMajorVersionToMinorPositionInUserAgent policy. This policy was introduced in Chrome 99 to control whether the User-Agent string major version would be frozen at 99, in case of User-Agent string parsing bugs when the version changed to 100. Fortunately, we did not need to deploy this feature and only encountered a few minor 3-digit version parsing issues that have all since been fixed. Given that, we can now remove this policy. If you have any feedback about this policy removal, or are aware of intranet functionality that depends on the policy, comment on this bug.- Chrome 118 on Android, ChromeOS, Linux, Mac, Windows: Remove ForceMajorVersionToMinorPositionInUserAgent policy
- Remotely disable malicious off-store extensions
When Enhanced Safe Browsing is enabled, where users have a malicious off-store extension installed, the extension is disabled when the decision is entered on the Safe Browsing servers via either manually or by an automated detection system.- Chrome 118 on ChromeOS, Linux, Mac, Windows: Feature launches
- Remove RendererCodeIntegrityEnabled policy
The Renderer Code Integrity security feature is no longer controlled by the RendererCodeIntegrityEnabled policy; it is now switched on by default. We recommend that you verify any potential incompatibilities with third party software by no longer using the policy in advance of this release. To report any issues you encounter, submit a bug here.- Chrome 118 on Windows: This policy is deprecated and will no longer take effect
- Support for passkeys in iCloud Keychain on macOS
Chrome on macOS ≥ 13.5 now supports creating and using passkeys from iCloud Keychain. When signing in using WebAuthn, passkeys from iCloud Keychain are listed as options once the user has granted Chrome the needed permission. If permission has not been granted, a generic iCloud Keychain option appears that prompts for permission before showing iCloud Keychain passkeys. If permission is denied, the iCloud Keychain can still be used, but it has to be manually selected each time.
When a site asks to create a platform passkey, Chrome might default to creating the passkey in iCloud Keychain based on whether iCloud Drive is in use and whether WebAuthn credentials from the current profile have been recently used. This can be controlled with a setting on chrome://password-manager/settings, and with the enterprise policy CreatePasskeysInICloudKeychain.- Chrome 118 on Mac: Chrome 118 supports iCloud Keychain. Whether Chrome defaults to creating platform passkeys in iCloud Keychain can be altered by Chrome Variations during the lifetime of 118.
- Hash-prefix real-time lookups
For standard Safe Browsing protection users, visited URLs now have their safety checked in real time, instead of less frequently using an updated local list of unsafe URLs. This is done by sending partial hashes of the URLs to Google Safe Browsing through a proxy via Oblivious HTTP, so that the user’s IP address is not linked to the partial hashes. This change improves security while maintaining privacy for users. If needed, you can control this feature using the SafeBrowsingProxiedRealTimeChecksAllowed policy.- Chrome 118 on iOS, ChromeOS, LaCrOS, Linux, Mac, Windows
- Updates to the red Safe Browsing interstitials
In Chrome 118, users see minor updates to the red Safe Browsing interstitials. The main body text now includes an explicit recommendation from Chrome and site ID is specified in the details section instead of the main body. The danger icon replaces the previous warning icon, and styling is now consistent with the latest product standards. These changes improve user comprehension of warnings.- Chrome 118 on Android, iOS, ChromeOS, LaCrOS, Linux, Mac, Windows
- Form controls support vertical writing mode
The CSS property writing-mode should be enabled for form controls elements as it allows lines of text to be laid out horizontally or vertically and it sets the direction in which blocks progress.
With this feature, we are allowing the form control elements select, meter, progress, button, textarea and input to have vertical-rl or vertical-lr writing mode. As needed for Web compatibility, we now begin to slowly roll out the change for a number of form controls in 118, and we will continue in future milestones.
You can control this feature with the following command line flags:
--enable-features= FormControlsVerticalWritingModeSupport
--enable-features= FormControlsVerticalWritingModeTextSupport- Chrome 118 on Windows, Mac, Linux, Android
- Block all cookies set via JavaScript that contain control characters
Updates how control characters in cookies set via JavaScript are handled. Specifically, all control characters cause the entire cookie to be rejected (previously a NULL character, a carriage return character, or a line feed character in a cookie line caused it to be truncated instead of rejected entirely, which could have enabled malicious behavior in certain circumstances). This behavior aligns Chrome with the behavior indicated by the latest drafts of RFC6265bis.
You can control this feature using the --disable-features=BlockTruncatedCookies or the BlockTruncatedCookies enterprise policy, which will be available for several milestones in case this change causes any breakage.- Chrome 118 on Windows, Mac, Linux, Android
- Clearer Safe Browsing protection level settings text and images
In Chrome 118, some users see new text describing the Safe Browsing protection level on both the Security Settings page and the Privacy Guide. The update clarifies the Enhanced Protection level by adding a table and linking to a help center article where users can learn more. The new table helps users understand the trade-offs when selecting that option versus choosing the other options. The descriptions for Standard Protection, No Protection and the password compromise warnings toggle have been simplified to make the options clearer. The Safe Browsing protection level is an existing feature, still controlled by the SafeBrowsingProtectionLevel policy.- Chrome 118: Some users see the updated text and images on the Chrome Security Settings page and on the Privacy Guide.
- WebUSB in Extension Service Workers
Web developers can use the WebUSB API when responding to extension events by exposing WebUSB API to Service Workers registered by browser extensions. This API is not yet exposed to Service Workers registered by sites but the implementation experience gained by supporting the API for extensions will be valuable for such a future project.- Chrome 118 on Windows, Mac, Linux, ChromeOS
- Include chrome.tabs API calls in extension telemetry reports
When you switch on Enhanced Safe Browsing, Chrome now collects telemetry information about chrome.tabs API calls made by extensions. This information is analyzed on Google servers and further improves the detection of malicious and policy violating extensions. It also allows better protection for all Chrome extension users. You can turn off this functionality along with the extension telemetry feature by setting SafeBrowsingProtectionLevel to any value other than 2, which turns off Enhanced Safe Browsing.- Chrome 118 on ChromeOS, Linux, Mac, Windows: Feature launches
- Remove non-standard appearance keywords
Since only standard appearance keywords should be supported, Chrome 118 removes appearance (and -webkit-appearance) keywords, including:
* inner-spin-button
* media-slider
* media-sliderthumb
* media-volume-slider
* media-volume-sliderthumb
* push-button
* searchfield-cancel-button
* slider-horizontal
* sliderthumb-horizontal
* sliderthumb-vertical
* square-button
Note that value slider-vertical will not be removed as part of this patch; it is used for allowing <input type=range> vertical. It will be removed once feature FormControlsVerticalWritingModeSupport is enabled in Stable.
Previously, if using any of the above keywords, a console warning appeared, but the keyword was recognized as a valid value. With the feature enabled, the appearance property will be ignored and set to the empty string. As needed for Web compatibility, we will progressively remove the appearance keywords based on their counter usages on Chrome Status Metrics.
For Chrome 118, we start with the following keywords, currently at page load usage below 0.001%:
* media-slider at 0.000361
* media-sliderthumb at 0.000187%
* media-volume-slider at 0.000143%
* media-volume-sliderthumb at 0.000109%
* sliderthumb-horizontal at 0.000182%
* sliderthumb-vertical at 0.000014%
- Chrome 118 on Windows, Mac, Linux, Android
- Enrollment for Privacy Sandbox
As the Privacy Sandbox relevance and measurement APIs start ramping up for general availability, we want to make sure these technologies are used as intended and with transparency. The APIs include Attribution Reporting, the Protected Audience API, Topics, Private Aggregation and Shared Storage. Privacy Sandbox is introducing a new Developer Enrollment process for Privacy Sandbox relevance and measurement APIs. Chrome will fetch the enrolled-sites list from the enrollment server (via component updater) and use it to gate access to the Privacy Sandbox APIs.- Chrome 118 on Windows, Mac, Linux, Android
- Discounts shown on product pages and on Quests on the New tab page
Starting in Chrome 118, users sometimes see discounts, shown as annotations on page visits, in the Quests cards shown on the New tab page. Clicking through on the discount shows the relevant information on the product page. Quests as a whole are controlled by the NTPCardsVisible policy. Users also sometimes see discounts directly on the product page, available through an icon in the Omnibox.- Chrome 118 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Encrypted archive deep scanning for Enhanced Safe Browsing users
Google Chrome offers deep scanning of some suspicious downloads to users who have opted in to Enhanced Safe Browsing. This sends the file content to Safe Browsing for a real-time evaluation of the file's safety. Starting in Chrome 118, deep scans of encrypted archives, for example, ZIP and RAR files, prompt the user to provide the archive password along with the file content. This is necessary for Safe Browsing to provide a useful verdict about the contents of the archive. Enterprises who do not want to see this prompt can prevent users from enabling Enhanced Safe Browsing with the SafeBrowsingProtectionLevel policy. Starting in Chrome 119, enterprises who want to switch off file deep scans while still enabling Enhanced Safe Browsing can do so with the SafeBrowsingDeepScanningEnabled policy.- Chrome 118 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Flag for enabling the chrome://policy/test page
The#enable-policy-test-page
flag allows admins and developers to use thechrome://policy/test
page to more easily test policies on the Beta, Dev, Canary channels.- Chrome 118 on Android, iOS, ChromeOS, Linux, Mac, Windows
- TLS Encrypted Client Hello (ECH)
The TLS Encrypted ClientHello (ECH) extension allows clients to encrypt ClientHello messages, which are normally sent in cleartext, under a server’s public key. This allows websites to opt-in to avoid leaking sensitive fields, like the server name, to the network by hosting a special HTTPS RR DNS record. (Earlier iterations of this extension were called Encrypted Server Name Indication, or ESNI.) If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it. You can enable the new behavior by navigating tochrome://flags
and enabling the#encrypted-client-hello
flag. If you notice any incompatibilities, you can use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.- Chrome 118 on Chrome OS, Linux, Mac, Windows: Rolled out to 100% of users
- New and updated policies in Chrome browser
Policy Description BlockTruncatedCookies Block truncated cookies CompressionDictionaryTransportEnabled Enable compression dictionary transport support CreatePasskeysInICloudKeychain Control whether passkey creation will default to iCloud Keychain. LegacyTechReportAllowlist Specifies URLs that allow legacy technology report SafeBrowsingProxiedRealTimeChecksAllowed Allow Safe Browsing Proxied Real Time Checks
ChromeOS updates
- Password recovery
ChromeOS users who have forgotten their password can now recover their account along with all associated local data. Gone are the days where all local data is lost when a password has been forgotten! You can control this feature with the RecoveryFactorBehavior policy.
- Tabbed PWAs
Developers can now choose to display their Progressive Web App (PWA) in tabbed mode, allowing users to manage and navigate multiple documents within a single window using a familiar tab strip. Developers should also specify a home tab where appropriate, which provides a consistent place for users to access documents and settings.
- Printer setup assistance
To simplify a user's printing journey, ChromeOS provides more in context help when it comes to using their printer: an easier way to save printers, new set up instructions and help content, printer status directly integrated on the settings page. Moreover, we now also provide users an easy route to manage their printer when they face issues with it while trying to print.
- Imprivata integration v4
For caregivers, Imprivata OneSign compatibility with Google ChromeOS devices and the Chrome browser means fast, secure access, and better cost efficiency. This fourth version of Imprivata integration, Imprivata v4, adds deployment, stability, and workflow improvements. It improves support for assigned devices by allowing for Imprivata sign-in to ChromeOS user sessions. In addition, ChromeOS 118 now supports all 12 languages of Imprivata and SPINE workflows.
Admin console updates
- New policies in Admin console
Policy Name Pages Supported on Category/Field ForcePermissionPolicyUnloadDefaultEnabled User, Managed Guest Session Chrome (Android)
Chrome (Linux, Mac, Windows)
ChromeOS
Legacy site compatibility SafeBrowsingSurveysEnabled User, MGS Chrome (Linux, Mac, Windows)
ChromeOS
Chrome safe browsing EmojiPickerGifSupportEnabled User, MGS Chrome (Linux, Mac, Windows)
ChromeOSUser experience ColorCorrectionEnabled User, MGS ChromeOS User accessibility CreatePasskeysInICloudKeychain User, MGS Chrome (Mac) Content SafeBrowsingProxiedRealTimeChecksAllowed User, MGS Chrome (Linux, Mac, Windows)
ChromeOS,
Chrome (iOS and iPadOS)
Chrome safe browsing
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Chrome release schedule changes
Chrome 119 and all subsequent releases will be shifted forward by one week. For example, Chrome 119 will have its early stable release on October 25 instead of Nov 1. Beta releases will also be shifted forward by one week starting in Chrome 119.- Chrome 119 on Android, iOS, ChromeOS, Linux, Mac, Windows
- Deprecate and remove WebSQL
The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.
Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebsQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team. With SQLite over WASM as its official replacement, we want to remove WebSQL entirely.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117, the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a policy, WebSQLAccess, is needed for the feature to be available.
- Chrome 119: Starting with Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy.
- Native Client support updates
Native Client NaCl support was removed from extensions on Windows, macOS, and Linux. A temporary enterprise policy is available, NativeClientForceAllowed, which allows Native Client to continue to be used.- Chrome 117 on Linux, Mac, Windows: Removal of Native Client NaCl support from extensions on Windows, macOS, Linux.
- Chrome 119 on Linux, Mac, Windows: Removal of NativeClientForceAllowed policy
- Migrate away from data URLs in SVG <use> element
The SVG spec was recently updated to remove support for data: URLs in SVG <use> element. This improves security of the Web platform as well as compatibility between browsers as Webkit does not support data: URLs in SVG <use> element. You can read more in this blog post.
For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available until Chrome 128 to re-enable Data URL support for SVG <use> element.
- Chrome 119 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia: Remove support for data: URLs in SVG <use> element
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.- Chrome 119 on Windows: Network Service sandboxed on Windows
- Display banner allowing to resume last tab from other devices
Help signed in users resume tasks when they have to switch devices immediately by offering to pick up tabs recently used on the previous device. Admins can control this feature via the existing enterprise policy called SyncTypesListDisabled.- Chrome 119 on iOS: Feature launches
- Remove Sanitizer API
The Sanitizer API aims to build an easy-to-use, always secure, browser-maintained HTML sanitizer into the platform. We shipped an initial version of the Sanitizer API in Chrome 105, based on the then-current specification draft. However, the standards discussion has meanwhile moved on and the proposed API shape has changed substantially. To prevent the current API from becoming entrenched, we plan to remove the current implementation. We expect to re-implement the Sanitizer API when the proposed specification stabilizes again.- Chrome 119 on Windows, Mac, Linux, Android
- Tab Groups can be saved, recalled, and synced
Users will be able to save tab groups, which will allow them to close and re-open the tabs in the group, as well as sync them across devices. You can disable syncing Tab Groups using the SyncTypesListDisabled policy.- Chrome 119 on ChromeOS, Linux, Mac, Windows
- Chrome profile separation: new policies
Three new policies will be created to help enterprises configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist. These policies will be simpler to use and will replace ManagedAccountsSigninRestriction and EnterpriseProfileCreationKeepBrowsingData.- Chrome 119 on Linux, Mac, Windows: New profile separation policies available: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist.
- Private Network Access restrictions for automotive
This ships Private Network Access restrictions to Android Automotive (if BuildInfo::is_automotive), including: Private Network Access preflight requests for subresources and Private Network Access for Workers. Note that the two above features were shipped in warning only mode, but these features will enforce the restriction, that is, failing the main request if restrictions are not satisfied.- Chrome 119 on Android
- Deprecate non-standard shadowroot attribute for declarative shadow DOM
The standards-trackshadowrootmode
attribute, which enables declarative Shadow DOM, was shipped in Chrome 111 (ChromeStatus). The older, non-standardshadowroot
attribute is now deprecated. During the deprecation period, both attributes are functional, however theshadowroot
attribute does not enable the new streaming behavior, whereasshadowrootmode
allows streaming of content. There is a straightforward migration path: replaceshadowroot
withshadowrootmode
.The old
shadowroot
attribute is deprecated as of Chrome 112, and it will be removed (no longer supported) in Chrome 119, which goes to Stable on November 1, 2023.- Chrome 119 on Windows, Mac, Linux, Android
- Remove support for UserAgentClientHintsGREASEUpdateEnabled
Deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year and then eventually remove it.- Chrome 119 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 122 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed
- Default Search Engine choice screen
As early as Chrome 119, enterprise end-users may be prompted to choose their default search engine within Chrome.
As part of our building for DMA compliance, some users will be prompted to choose their default search engine for Chrome. This prompt controls the default search engine setting, currently available at chrome://settings/search. The enterprise policies, DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, will continue to control this setting as it does today, if it is set by the IT admin. Read more on this policy and the related atomic group.- Chrome 119 on iOS, ChromeOS, LaCrOS, Linux, Mac, Windows: 1% users will start getting the choice screen with Chrome 119. 100% by Chrome 122
- Shifting UI strings in Chrome from Clear to Delete when getting rid of data
Chrome is updating settings text to reflect delete instead of clear when referring to the destruction of data. We expect the change will improve user comprehension. Users who intend to get rid of data should feel reassured that the data is actually deleted and not just cleared from one view but accessible elsewhere.- Chrome 119 on Android, iOS, ChromeOS, Mac, Windows: The earliest milestone that users may see these changes is 119.
- DevTools internal errors will be reported to Chrome internal crash reporting
To improve Chrome's stability, DevTools internal errors will be reported through Chrome's existing crash reporting pipeline. This will provide visibility into the stability of the Chrome DevTools. Admins can control all crash reporting, including these errors, using the MetricsReportingEnabled enterprise policy.- Chrome 119 on ChromeOS, Linux, Mac, Windows
- SharedImages for PPAPI Video Decode
The PPAPISharedImagesForVideoDecoderAllowed policy controls the recent refactor for VideoDecoder APIs in PPAPI plugin. The migration only affects internal implementation details and should not change any behavior. However, this policy can be used in case any PPAPI applications do not work as expected.When the policy is left unset or set to Enabled, the browser will decide which implementation is used.
When the policy is set to Disabled, Chrome will use the old implementation until the policy expires.
NOTE: Only newly-started renderer processes will reflect changes to this policy while the browser is running.
- Chrome 119 on ChromeOS, LaCrOS: Escape hatch policy introduced.
- Chrome 122 on ChromeOS, LaCrOS: Escape hatch policy and corresponding old code paths are removed.
- Private Aggregation API bundled enhancements
We're planning a few bundled changes to Private Aggregation:
- Null report fixes: Currently reports with no contributions are inadvertently dropped. This change ensures that, when a context ID is specified, a null report is sent even if budget is denied. Separately, it fixes a bug causing budget to always be denied for null reports.
- Debug mode eligibility changes: Currently, debug mode is always available. This change only allows debug mode for callers that are allowed access to third-party cookies, silently dropping the debug mode otherwise. Note that this will allow debug mode to automatically sunset when third-party cookies are deprecated.
- Padding report payloads: To avoid the payload size being dependent on the number of contributions, we will pad it with 'null' contributions to a fixed length. Note that this change will also affect Attribution Reporting reports.
- Reducing delay: When a context ID is specified, we remove the randomized 10-60 minute delay, which is superfluous as a report is always sent in this case. Instead, we just wait until the Shared Storage operation timeout.
- Chrome 119 on Windows, Mac, Linux, Android
- Remove Authorization header upon cross-origin redirect
The Fetch standard has been updated to remove Authorization header on cross origin redirects. Chrome should follow the spec change.- Chrome 119 on Windows, Mac, Linux, Android
- Revamped Safety Check on Desktop
We plan to introduce a new proactive Safety Check that regularly checks the browser for safety related issues and informs users when there's anything that needs their attention. Our Safety Check launch also introduces a new page with Chrome’s proactive safety-related actions and information tailored to each user, designed to make it easier for users to stay safe online.- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Permissions prompt for Web MIDI API
This feature gates the Web MIDI API access behind a permissions prompt. Today, the use of SysEx messages with the Web MIDI API requires an explicit user permission. With this implementation, even access to the Web MIDI API without SysEx support will require a user permission. Three new policies—DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls—will be available to allow administrators to pre-configure user access to the API.- Chrome 120 on Windows, Mac, Linux, Android
- Desktop Responsive Toolbar
As early as Chrome 120, Chrome Desktop customers across form factors and input modalities (e.g. Mouse, Touch) will experience a toolbar that seamlessly responds to changing window sizes albeit by manually selecting and dragging a window smaller/larger or using operating system specific window management tools.- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows
- Chrome on Android will no longer support Android Nougat
The last version of Chrome that will support Android Nougat will be Chrome 119, and it includes a message to affected users informing them to upgrade their operating system. Chrome 120 will not support nor ship to users running Android Nougat.- Chrome 120 on Android: Chrome on Android no longer supports Android Nougat
- Chrome Third-Party Cookie Deprecation (3PCD)
In Chrome 120 and beyond (Jan 2024), Chrome will globally disable third-party cookies for 1% of Chrome traffic as part of our Chrome-facilitated testing in collaboration with the CMA, to allow sites to meaningfully preview what it's like to operate in a world without third-party cookies (3PCs). Most enterprise end users will be excluded from this experiment group automatically. But for the few that may be affected, enterprise admins will be able to utilize an enterprise policy to opt out their managed browsers ahead of the experiment and give enterprises time to make necessary changes to not rely on this policy or third party cookies.
We plan to provide more details about this policy and provide more tooling to help identify 3PC use cases. In the meantime, refer to the Mode B: 1% third-party cookie deprecation blog section for more details on how to prepare, provide feedback and report potential site issues.- Chrome 120 on ChromeOS, Linux, Mac, Windows
1% of global traffic has third party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Chrome 120 on ChromeOS, Linux, Mac, Windows
- IP Protection Phase 0 for Chrome
As early as Chrome 122, Chrome may route traffic for some network requests to Google-owned resources through a privacy proxy. This is an early milestone in a larger effort to protect users' identities by masking their IP address from known cross-site trackers. More information (including enterprise policies) can be found in the explainer. Enterprise policies will be in place to allow admins to disable the feature before it’s launched.- Chrome 122 on ChromeOS, Linux, Mac, Windows, Android
- Apps & Extensions Usage Report: Highlight extensions removed from the Chrome Web Store
Chrome is adding new information on the Apps & Extensions Usage Report to help you identify if an extension was recently removed from the Chrome Web Store. On the App Details page, you can find the reason why an extension was removed from the Chrome Web Store. This feature will help IT administrators identify the impact of using the policy to disable unpublished extensions.- Chrome 122 on LaCrOS, Linux, Mac, Windows
- Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
- Intent to deprecate: Mutation Events
Synchronous Mutation Events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.
- Extensions must be updated to leverage Manifest V3
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. As mentioned earlier in our blog post , the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed. During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3. An Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:- Chrome 98 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Public" or "Unlisted". The ability to change Manifest V2 extensions from "Private" to "Public" or "Unlisted" is removed.
- Chrome 103 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Private".
- Chrome 110 on ChromeOS, LaCrOS, Linux, Mac, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
Future milestone on ChromeOS, LaCrOS, Linux, Mac, Windows: Remove ExtensionManifestV2Availability policy.
Upcoming ChromeOS changes
- Privacy Hub
Later this year, users will be able to manage their camera and microphone settings across the operating system from one place in Settings. This way it only takes one click for users to completely turn off their camera or microphone all from one place when they need extra confidence in staying on mute.
- ChromeOS Admin templates
App Launch Automation can be configured by Administrators in the Admin console to contain groups of applications, windows and tools that can be launched automatically on startup or on-demand by users throughout their day. With App Launch Automation, you can: get users up and running quickly at the start of their day, provide users with a way to easily get to an optimal starting point for new tasks, and remember the window layout each user sets up for their individual workflows for future use.
Upcoming Admin console changes
- URL-keyed anonymized data collection in Kiosk mode
The policy for URL-keyed anonymized data collection, UrlKeyedAnonymizedDataCollectionEnabled, will soon be supported in the Admin console. This policy will be enforced starting October 1st and will remain disabled until then.
Chrome 117
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Skip unload events | ✓ | ||
Chrome no longer supports macOS 10.13 and macOS 10.14 | ✓ | ||
Update to lock icon | ✓ | ||
Network service is sandboxed on Linux and ChromeOS | ✓ | ||
TLS Encrypted Client Hello (ECH) | ✓ | ||
User surveys related to SafeBrowsing warnings | ✓ | ||
Simplified onboarding experience | ✓ | ||
Warnings on insecure downloads | ✓ | ||
Service Worker static routing API | ✓ | ||
Chrome browser integration with Symantec Endpoint DLP | ✓ | ||
Require X.509 key usage extension for RSA certificates chaining to local roots | ✓ | ||
Simplified sign-in and sync experience | ✓ | ||
Updates to Clear Browsing Data on Android | ✓ | ||
Allow users to review and optionally remove potentially unsafe extensions | ✓ | ||
New Chrome Desktop visual refresh in Chrome 117 | ✓ | ||
Native Client support updates | ✓ | ||
Deprecate and remove WebSQL | ✓ | ||
Revamp permission usage or lockage indicators | ✓ | ||
Price tracking | ✓ | ||
Price insights on Chrome desktop | ✓ | ||
Auth on entry to Password Manager on iOS | ✓ | ||
Improved download warnings | ✓ | ||
Storage Access API with prompts | ✓ | ||
Chrome on Android trackpad support | ✓ | ||
Port overflow check in URL setters | ✓ | ||
Deprecate TLS SHA-1 server signatures | ✓ | ||
URL standard-compatible IPv4 embedded IPv6 host parser | ✓ | ||
Form-filler accessibility mode | ✓ | ||
Clear client hints via Clear-Site-Data header | ✓ | ||
Remove WebRTC getStats datachannelIdentifier -1 | ✓ | ||
Remove WebRTC getStats encoderImplementation/decoderImplementation unknown | ✓ | ||
Unship callback-based legacy getStats() in WebRTC | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS battery state sounds | ✓ | ||
Avoid content control escapes on the login or lock screen | ✓ | ||
Emoji Picker with GIF support | ✓ | ||
ChromeOS gets a makeover | ✓ | ||
ChromeOS Personalization App | ✓ | ||
Color correction settings on ChromeOS | ✓ | ||
Tabbed PWAs on ChromeOS | ✓ | ||
System answer cards in Launcher search | ✓ | ||
Nudge managed users towards enrolling non-ZTE devices | ✓ | ✓ | |
Replacing the Bluetooth stack on ChromeOS | ✓ | ||
Time-lapse recording | ✓ | ||
Enhanced options in clipboard history | ✓ | ||
ChromeVox dialog changes | ✓ | ||
Steam enabled on all capable devices | ✓ | ||
Up Next Calendar view with Join video call integration | ✓ | ||
Adaptive Charging | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Printing reports now available in Chrome Management Reports API | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome will introduce a chrome://policy/test page | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Remove ForceMajorVersionToMinorPositionInUserAgent policy | ✓ | ||
Remotely disable malicious off-store extensions | ✓ | ||
Remove RendererCodeIntegrityEnabled policy | ✓ | ||
Support for passkeys in iCloud Keychain on macOS | ✓ | ✓ | |
Hash-prefix real-time lookups | ✓ | ||
Red interstitial facelift | ✓ | ✓ | |
Form controls support vertical writing mode | ✓ | ||
Block all cookies set via JavaScript that contain control characters | ✓ | ||
Clearer Safe Browsing protection level settings text and images | ✓ | ||
WebUSB in Extension Service Workers | ✓ | ||
Include chrome.tabs API calls in extension telemetry reports | ✓ | ||
Remove non-standard appearance keywords | ✓ | ||
Chrome release schedule changes | ✓ | ||
Permissions prompt for Web MIDI API | ✓ | ||
Migrate away from data URLs in SVG <use> element | ✓ | ✓ | |
Chrome Browser Cloud Management: Crash report | ✓ | ||
IP protection Phase 0 for Chrome | ✓ | ||
Display banner to allow resume last tab from other devices | ✓ | ||
Remove Sanitizer API | ✓ | ||
Tab groups can be saved, recalled, and synced | ✓ | ||
Chrome profile separation: new policies | ✓ | ||
Chrome on Android will no longer support Android Nougat | ✓ | ||
Replace dangling markup in target name to _blank | ✓ | ||
Private Network Access restrictions for automotive | ✓ | ||
Deprecate non-standard shadowroot attribute for declarative shadow DOM | ✓ | ||
Chrome Third-Party Cookie Deprecation (3PCD) | ✓ | ||
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy | ✓ | ||
Intent to deprecate: Mutation events | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | ✓ |
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Privacy Hub | ✓ | ||
ChromeOS Admin templates | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
URL-keyed anonymized data collection in Kiosk mode | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events. In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of an API and a group policy, which will allow you to selectively keep the behavior unchanged.- Chrome 117 on Chrome OS, Linux, Mac, Windows: Dev Trial.
- Chrome no longer supports macOS 10.13 and macOS 10.14
Chrome will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.13 or 10.14, Chrome continues to show an infobar that reminds users that Chrome 117 will no longer support macOS 10.13 and macOS 10.14.- Chrome 117 on Mac: Chrome no longer supports macOS 10.13 and macOS 10.14.
- Update to lock icon
We plan to replace the lock icon with a variant of the tune icon, which is commonly used to indicate controls and settings. Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome. Our research has also shown that many users never understood that clicking the lock icon showed important information and controls. We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.
The new icon is scheduled to launch as part of a general design refresh for desktop platforms. Chrome will continue to alert users when their connection is not secure. You can enable the tune icon pre-release in Chrome for Desktop if you enable Chrome Refresh 2023 atchrome://flags#chrome-refresh-2023
, but keep in mind this flag enables work that is still actively in-progress and under development, and does not represent a final product.
We will also replace the icon on Android. On iOS, the lock icon is not tappable, so we will be removing the icon. You can read more in this blog post.- Chrome 117 on Linux, Mac, Windows: The new icon is scheduled to launch in Chrome 117.
- Network service is sandboxed on Linux and ChromeOS
The network service is sandboxed on Linux and ChromeOS to improve security. On Linux, it's possible that third party software (likely data loss prevention or antivirus software) is injecting code into Chrome's processes and will be blocked by this change. This may result in Chrome crashing for your users.
If this happens, you should work with the vendor of the third party software to stop it from injecting code into Chrome's processes. In the meantime, you will be able to use the NetworkServiceSandboxEnabled policy to defer the sandboxing. This is a temporary measure intended to help enterprises surprised by the change; the policy will be removed in a future version of Chrome.- Chrome 117 on Chrome OS, Linux: The network service sandboxed on Linux and ChromeOS to improve security.
- TLS Encrypted Client Hello (ECH)
The TLS Encrypted ClientHello (ECH) extension enables clients to encrypt ClientHello messages, which are normally sent in cleartext, under a server’s public key. This allows websites to opt-in to avoid leaking sensitive fields, like the server name, to the network by hosting a special HTTPS RR DNS record. (Earlier iterations of this extension were called Encrypted Server Name Indication, or ESNI.) If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it. You can enable the new behavior by navigating tochrome://flags
and enabling the#encrypted-client-hello
flag. On Windows and Linux, you also need to enable Secure DNS for the flag to have an effect.
If you notice any incompatibilities, you can use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.- Chrome 117 on Chrome OS, Linux, Mac, Windows
- User surveys related to SafeBrowsing warnings
After a user adheres to or bypasses a SafeBrowsing warning, Chrome may ask them about their satisfaction with the experience. You can control this with the SafeBrowsingSurveysEnabled policy.- Chrome 117 on Chrome OS, Linux, Mac, Windows
- Simplified onboarding experience
Some users may see a simplified onboarding experience with a more intuitive way to sign into Chrome. Enterprise policies like BrowserSignin, SyncDisabled, EnableSyncConsent, RestrictSigninToPattern and SyncTypesListDisabled will continue to be available as before to control whether the user can sign into Chrome and turn on sync. The PromotionalTabsEnabled policy can be used to skip the onboarding altogether. DefaultBrowserSettingEnabled is respected in the same way as before.- Chrome 117 on Linux, Mac, Windows
- Warnings on insecure downloads
Chrome will begin showing warnings on some downloads if those files were downloaded over an insecure (i.e. not HTTPS) connection. These warnings do not prevent downloading and can be bypassed by the user. Enterprises can test their downloads by enabling warnings viachrome://flags/#insecure-download-warnings
. Enterprises can also disable warnings for sites that can not deliver files securely by adding the downloading site to InsecureContentAllowedForUrls.- Chrome 117 on Android, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia: Chrome shows warnings on some downloads.
- Service Worker static routing API
Chrome releases the Service Worker static routing API; it enables developers to optimize how Service Workers are loaded. Specifically, it allows developers to configure the routing, and allows them to offload simple things ServiceWorkers do. If the condition matches, the navigation happens without starting ServiceWorkers or executing JavaScript, which allows web pages to avoid performance penalties due to ServiceWorker interceptions.- Chrome 116 on Android, Chrome OS, Linux, Mac, Windows: Origin Trial for Service Worker static routing API.
- Chrome 117 on Android, Chrome OS, Linux, Mac, Windows: Release of the Service Worker static routing API.
- Chrome browser integration with Symantec Endpoint DLP
This feature provides a secure native integration that transfers content (file or text) between Chrome and Broadcom’s Symantec DLP agent without the need for deploying an extension. When a CBCM or CDM managed user performs an action that sends data via Chrome, Symantec Endpoint DLP can monitor for data exfiltration and apply allow/block controls based on customer's DLP policies.- Chrome 117 on Windows
- Require X.509 key usage extension for RSA certificates chaining to local roots
X.509 certificates used for HTTPS should contain a key usage extension that declares how the key in a certificate may be used. Such instructions ensure certificates are not used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. For this to work, HTTPS clients must check that server certificates match the connection's TLS parameters, specifically that the key usage flag for “digitalSignature” and possibly “keyEncipherment” (depending on TLS ciphers in use) are asserted when using RSA.
Chrome 117 will begin enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates. Enterprises can test and temporarily disable key usage enforcement using the RSAKeyUsageForLocalAnchorsEnabled policy (available in Chrome 116).- Chrome 116 on Android, Chrome OS, Linux, Mac, Windows: The RSAKeyUsageForLocalAnchorsEnabled policy is added.
- Chrome 117 on Android, Chrome OS, Linux, Mac, Windows: Chrome begins enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates.
- Simplified sign-in and sync experience
Chrome launches a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies. As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off fully (via SyncDisabled) or partially (via SyncTypesListDisabled). Sign-in to Chrome can be required or disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.- Chrome 117 on iOS: Simplified sign-in and sync experience launches on iOS.
- Updates to Clear browsing data on Android
Chrome enhances the browser data deletion controls by making it easier and quicker for users to complete their ‘Clear browsing data’ journeys, while maintaining the granular controls for advanced data deletion needs.- Chrome 117 on Android
- Allow users to review and optionally remove potentially unsafe extensions
A new review panel will be added inchrome://extensions
, which appears whenever there are potentially unsafe extensions that need the user's attention, such as extensions that are malware, policy violating or are no longer available in the Chrome Web Store. The user can choose to remove or keep these extensions.
There is also a count of risky extensions needing review that is presented in the Chrome Privacy & Security settings page. As an administrator, you can preemptively control the availability of potentially unsafe extensions using the ExtensionUnpublishedAvailability policy.- Chrome 117 on Chrome OS, Linux, Mac, Windows
- New Chrome Desktop visual refresh in Chrome 117
With Google’s design platform moving to Google Material 3, we have an opportunity to modernize our desktop browser across OS’s, leveraging updated UI elements or styling, enhancing personalization through a new dynamic color system, and improving accessibility. The first wave of UI updates will roll out in Chrome 117.
The three dot Chrome menu will also be refreshed, providing a foundation to scale personalization and customization experiences in Chrome by enabling customers proximate access to tools and actions.. The menu will be updated in phases starting in Chrome 117.- Chrome 117 on Linux, Mac, Windows: Rollout starts for all users.
- Native Client support updates
We will remove Native Client NaCl support from extensions on Windows, macOS, Linux. An enterprise policy will be available, NativeClientForceAllowed, which will allow Native Client to continue to be used.- Chrome 117 on Linux, Mac, Windows: Removal of Native Client NaCl support from extensions on Windows, macOS, Linux.
- Chrome 119 on Linux, Mac, Windows: Removal of NativeClientForceAllowed policy.
- Deprecate and remove WebSQL
The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database. Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebsQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team. With SQLite over WASM as its official replacement, we want to remove WebSQL entirely.- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a policy, WebSQLAccess, is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy.
- Revamp permission usage or blockage indicators
In-use activity indicators are visual cues that let users know that an origin is actively using a permission-gated feature. They can be used to indicate things like whether geolocation is accessed, or video and audio are being captured. Chrome is changing the life cycle of the activity indicators, updating how long they appear in the address bar.- Chrome 117 on Chrome OS, Linux, Mac, Windows
- Price tracking
Starting in Chrome 117, when users bookmark a price-trackable product, price tracking will be enabled by default when available. Users will be able to disable price tracking per item, and administrators can disable the feature entirely with the ShoppingListEnabled policy.- Chrome 117 on Chrome OS, Linux, Mac, Windows
- Price insights on Chrome desktop
Some users will see a chip in the address bar which enables them to see price information about a product they're shopping for.- Chrome 117 on Chrome OS, Linux, Mac, Windows
- Auth on entry to Password Manager on iOS
To improve security, re-auth is now required when entering Google Password Manager on Chrome on iOS. Previously, re-auth was required only when viewing password details or notes. The device unlock method will be offered, i.e. FaceID, TouchID, or Passcode. If a Passcode is not set-up, the user will be prompted to do so.- Chrome 117 on iOS: Re-auth required anytime when entering Google Password Manager on Chrome on iOS.
- Improved download warnings
To help reduce cookie theft and other consequences of downloading malware, we’re cleaning up desktop download warning strings and patterns to be clear and consistent.- Chrome 117 on LaCrOS, Linux, Mac, Windows: Strings, icons, and colors, as well as warning messages for some downloads, will be updated.
- Storage Access API with prompts
Allow frames to request access to third-party cookies through the Storage Access API (SAA) when third-party cookies are blocked.- Chrome 117 on Chrome OS, LaCrOS, Linux, Mac, Windows: Support the Storage Access API by implementing all the behaviors listed in the specification, i.e. with user prompts, and additionally having its own user-agent-specific behaviors.
- Chrome on Android trackpad support
Chrome on Android now has advanced keyboard and trackpad or mouse support, similar to desktop Chrome.- Chrome 117 on Android: Enabled shortcuts for web content edit, cursor movements and media.
- Port overflow check in URL setters
The port value is now checked when setting url.port. All the values that overflow the 16-bit numeric limit are no longer valid. For instance the following script behaves differently after the change:``` u = new URL("http://test.com"); u.port = 65536; console.log(u.port); ```
Before the change, the output is 65536. After the change, the output will be 80.- Chrome 117 on Windows, Mac, Linux, Android
- Deprecate TLS SHA-1 server signatures
Chrome is removing support for signature algorithms using SHA-1 for server signatures during the TLS handshake. This does not affect SHA-1 support in server certificates, which was already removed, or in client certificates, which continues to be supported. SHA-1 can be temporarily re-enabled via the temporary InsecureHashesInTLSHandshakesEnabled enterprise policy. This policy will be removed in Chrome 123.- Chrome 117 on Windows, Mac, Linux, Android
- URL standard-compatible IPv4 embedded IPv6 host parser
The behavior of parsing IPv4 embedded IPv6 host parser will be updated to strictly follow the web URL standard: https://url.spec.whatwg.org/#concept-ipv6-parser The introduced restrictions on the IPv6 address are: * The embedded IPv4 address shall always consist of 4 parts. Addresses with less than 4 parts like http://[::1.2] will be no longer valid. The feature is a part of the URL interop 2023.- Chrome 117 on Windows, Mac, Linux, Android
- Form-Filler Accessibility Mode
This feature improves performance by providing a subset of the full accessibility API to form-filler apps.- Chrome 117 on Android: A subset of the full accessibility API is provided to form-filler apps.
- Clear client hints via Clear-Site-Data header
Websites will now be able to clear the client hints cache using `Clear-Site-Data: “clientHints
”`. Client hints will also now be cleared when cookies, cache, or * are targeted by the same header. This is because if the user clears cookies in the UI client hints are already cleared as well, the client hints cache is a cache, and to be consistent with wildcard targets respectively.- Chrome 117 on Windows, Mac, Linux, Android
- Remove WebRTC getStats datachannelIdentifier -1
The WebRTC getStats API exposes a dataChannelIdentifier property. It will no longer provide the value "-1" in cases where statistics are queried before the datachannel connection is established. Instead, the dictionary member will be omitted. This follows the general pattern not to return meaningless information described in this article.- Chrome 117 on Windows, Mac, Linux, Android
- Remove WebRTC getStats encoderImplementation or decoderImplementation unknown
The WebRTC getStats API exposes the encoder and decoder implementation names for outbound and inbound video:https://w3c.github.io/webrtc-stats/#dom-rtcoutboundrtpstreamstats-encoderimplementation
It will no longer provide the value unknown in cases where statistics are queried before a video frame was encoded or decoded. Instead, the dictionary member will be omitted. This follows the general pattern not to return meaningless information described in this article.- Chrome 117 on Windows, Mac, Linux, Android
- Unship callback-based legacy getStats() for WebRTC
RTCPeerConnection has two versions ofgetStats()
, one that is spec-compliant returning the report via resolving a promise, and one that is non-standard returning a very different report via a callback as the first argument. The callback-based one will soon be removed. Removal target: Chrome 117. A deprecation trial is available Chrome 113- Chrome 121 for apps that need more time. In the Chrome 114+ the method will throw an exception in Canary/Beta unless using the trial.- Chrome 117 on Windows, Mac, Linux, Android
- New and updated policies in Chrome browser
Policy
Description
Enable the network service sandbox (now available on Linux).
Control new behavior for the cancel dialog produced by the
beforeunload
event.Controls whether
unload
eventhandlers can be disabled.
Allow accessibility performance filtering.
Allow Safe Browsing surveys.
ChromeOS updates
- ChromeOS battery state sounds
In Chrome 117, audible sounds now indicate battery status. Users can turn on and off these sounds and Admins can control them using the DeviceLowBatterySoundEnabled policy.When the device is not plugged in, you hear warning sounds if:
- Battery level goes down to 15 minutes of charge time left, and another one when there is 5 minutes left.
When the device is plugged in, you hear an information beep when:
- Battery level - 0-15% (low)
- Battery level - 16-79% (med)
- Battery level - 80-100% (high)
In the case where the device is connected to a low power charger, you’ll hear warnings when the battery goes down to 10%, then again at 5%.
- Avoid content control escapes on the login or lock screen
Administrators can now control and limit the available content on end-users login and lock screens when identity federation is used with a third party identity provider (using SAML or OIDC). This is achieved by introducing two new policies to block or allow external URLs on login and lock screens, DeviceAuthenticationURLAllowlist and DeviceAuthenticationURLBlocklist. As a result, you can prevent content control escapes.
- Emoji Picker with GIF support
The emoji picker now supports GIFs. Search and find the perfect GIF to express yourself.For managed devices, this feature is switched off by default.
- ChromeOS gets a makeover
Thanks to Google Material 3, Google’s new design platform, ChromeOS 117 brings with it:- A new set of themes which dynamically update to reflect your wallpaper and style.
- A new look for almost all system surfaces with updated text, menus, icons or elements.
You can control the new look using the ChromeOS Personalization App.
- ChromeOS Personalization App
With this launch, your ChromeOS now has accent colors that match your wallpapers, creating a unique theme for your device. The accent colors also adapt to the light and dark modes.
- Color correction settings on ChromeOS
ChromeOS now has built-in color correction settings that make it easier for users to see colors on their screens. In ChromeOS Accessibility settings, under Display and Magnification, you can enable color filters for protanopia, deuteranopia or tritanopia, or to view the display in grayscale. Users can use a slider to customize the filters' intensity to meet their needs.
- System answer cards in Launcher search
When users search for the status of their OS version, battery, RAM, storage, or CPU, in Launcher, they can now see that information previewed in the search results.
- Nudge managed users towards enrolling non-ZTE devices
This feature enables administrators to demand managed users to enroll their non-zero touch devices by introducing a new user policy, UserEnrollmentNudging, which can be configured to require enrollment of the given user. If the policy is enabled and the managed user misses the enrollment step and performs first sign in on the device, a pop-up is shown suggesting to either switch to enrollment flow or use another email for sign-in, essentially preventing the managed user from signing in without enrollment.
- Replacing the Bluetooth stack on ChromeOS
Starting in ChromeOS 117, and gradually applying to all ChromeOS devices, this Bluetooth software change brings the Android Bluetooth stack, Fluoride, to ChromeOS. The transition happens seamlessly on login, preserving existing paired devices, and should work with Bluetooth devices today with no interruptions. If you experience issues, please file feedback and, if necessary, disable the new stack via chrome://flags/#bluetooth-use-floss.
- Time-lapse recording
The built-in Camera App now supports Time-Lapse recording. To use the feature, open the Camera App, select Video, then Time-Lapse. Recording can continue for as long as there is available storage space. Camera app determines the right speed for the time-lapse video based on duration recorded, to ensure your video always looks great.
- Enhanced options in clipboard history
Enhancements to Clipboard History menu including introducing new entry points, ways to discover the feature and simplifying feature comprehension making it easier to discover and use. You can now see more detail for items in your clipboard history and can access clipboard history items nested directly in context menus. For users discovering Clipboard History for the first time, we are also introducing educational information to help with understanding this feature.
- ChromeVox dialog changes
We’ve made some changes to the initial out-of-the-box experience (OOBE) dialog that explains what ChromeVox is, who might benefit from activating ChromeVox and requires pressing space instead of offering an on-screen button. With this update, we hope to reduce the number of users who inadvertently activate ChromeVox.
- Up Next Calendar view with Join video call integration
See your upcoming events directly from the calendar view and join any digital meetings directly with the new Join button.
- Adaptive Charging
Adaptive Charging is a new ChromeOS power management feature. Devices with Adaptive Charging enabled via Settings charge to 80% and then complete charging to 100% based on an ML model’s prediction for when the user will unplug their device. Reducing the time a device spends at 100% charge helps preserve the battery's health and ability to hold a charge over the lifetime of the device.
Admin console updates
- Printing reports now available in Chrome Management Reports API
Chrome 117 includes additional endpoints to Chrome Management Reports API that allow access to printing reports. The new endpoints provide per-user and per-printer summary printing reports, as well as a listing of all print jobs submitted to managed printers. The data provided by the new endpoints corresponds to the data in the Print Usage page of the Admin console. This update exposes the same data in the third-party Reports API.
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Chrome will introduce a chrome://policy/test page
chrome://policy/test
will allow customers to test out policies on the Beta, Dev, Canary channels. If there is enough customer demand, we will consider bringing this functionality to the Stable channel.- Chrome 118 on Android, iOS, Chrome OS, Linux, Mac, Windows
- Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.- Chrome 118 on Windows: Network Service sandboxed on Windows
- Remove ForceMajorVersionToMinorPositionInUserAgent policy
Chrome plans to remove the ForceMajorVersionToMinorPositionInUserAgent policy. This policy was introduced in Chrome 99 to control whether the User-Agent string major version would be frozen at 99, in case of User-Agent string parsing bugs when the version changed to 100. Fortunately, we did not need to deploy this feature and only encountered a few minor 3-digit version parsing issues that have all since been fixed. Given that, we intend to remove this policy. If you have any feedback about this policy removal, or are aware of intranet breakage that depends on the policy, please comment on this bug.- Chrome 118 on Android, Chrome OS, Linux, Mac, Windows: Removal of ForceMajorVersionToMinorPositionInUserAgent policy
- Remotely disable malicious off-store extensions
When Enhanced Safe Browsing is enabled, users found to have a malicious off-store extension installed will have it disabled when the decision is entered on the Safe Browsing servers via either manually or by an automated detection system.- Chrome 118 on Chrome OS, Linux, Mac, Windows: Feature launches
- Remove RendererCodeIntegrityEnabled policy
The RendererCodeIntegrityEnabled policy will be removed. We recommend that you verify any potential incompatibilities with third party software by no longer applying the policy in advance of this release. You can report any issues you encounter by submitting a bug here.- Chrome 118 on Windows: This policy is deprecated and will no longer take effect
- Support for passkeys in iCloud Keychain on macOS
Chrome on macOS ≥ 13.5 will gain support for creating and using passkeys from iCloud Keychain. When signing in using WebAuthn, passkeys from iCloud Keychain will be listed as options once the user has granted Chrome the needed permission. If permission has not been granted then a generic "iCloud Keychain" option will appear that will prompt for permission before showing iCloud Keychain passkeys. If permission is denied then iCloud Keychain can still be used, but will have to be manually selected each time. When a site asks to create a platform passkey, Chrome might default to creating the passkey in iCloud Keychain based on whether iCloud Drive is in use and whether WebAuthn credentials from the current profile have been recently used. This can be controlled with a setting on chrome://password-manager/settings, and with the enterprise policy CreatePasskeysInICloudKeychain.- Chrome 118 on Mac: The ability to use iCloud Keychain will be enabled in Chrome 118. Whether Chrome defaults to creating platform passkeys in iCloud Keychain may be altered by Finch during the lifetime of 118.
- Hash-prefix real-time lookups
For standard Safe Browsing protection users, visited URLs now have their safety checked in real time instead of against a less frequently updated local list of unsafe URLs. This is done by sending partial hashes of the URLs to Google Safe Browsing through a proxy via Oblivious HTTP, so that the user’s IP address is not linked to the partial hashes. This change improves security while maintaining privacy for users. If needed, the feature can be disabled through the policy SafeBrowsingProxiedRealTimeChecksAllowed.- Chrome 118 on iOS, Chrome OS, LaCrOS, Linux, Mac, Windows: This will start with a 1% rollout and then proceed to 100% of users.
- Red interstitial facelift
In Chrome 118, users will see minor updates to the red Safe Browsing interstitials. The main body text will include an explicit recommendation from Chrome and site ID will be specified in the details section instead of the main body. The warning icon will be replaced by the danger icon and styling will be updated to be consistent with the latest product standards. These changes will improve user comprehension of warnings.- Chrome 118 on Android, iOS, Chrome OS, LaCrOS, Linux, Mac, Windows
- Form Controls support vertical writing mode
CSS property writing-mode should be enabled for form controls elements as it will allow lines of text to be laid out horizontally or vertically and it sets the direction in which blocks progress. With this feature, we are allowing the form control elements select, meter, progress, button, textarea and input to have vertical-rl or vertical-lr writing mode. As needed for Web compatibility, we will slowly rollout the change for a number of form controls in 118 and continue in future milestones.- Chrome 118 on Windows, Mac, Linux, Android
- Block all cookies set via JavaScript that contain control characters
Updates how control characters in cookies set via JavaScript are handled. Specifically, all control characters cause the entire cookie to be rejected (previously a NULL character, a carriage return character, or a line feed character in a cookie line caused it to be truncated instead of rejected entirely, which could have enabled malicious behavior in certain circumstances). This behavior aligns Chrome with the behavior indicated by the latest drafts of RFC6265bis. This change can be disabled using the `--disable-features=BlockTruncatedCookies` or the BlockTruncatedCookies enterprise policy, which will exist for several milestones in case this change causes any breakage.- Chrome 118 on Windows, Mac, Linux, Android
- Clearer Safe Browsing protection level settings text and images
In Chrome 118, some users will see new text describing the Safe Browsing protection level on both the Security Settings page and the Privacy Guide. The update clarifies the Enhanced Protection level by adding a table and linking to a help center article where users can learn more. The new table helps users understand the trade-offs when selecting that option versus choosing the other options. The descriptions for Standard Protection, No Protection and the password compromise warnings toggle have been simplified to make the options clearer. The Safe Browsing protection level is an existing setting and continues to be controlled by the SafeBrowsingProtectionLevel policy value.- Chrome 118: Some users will see the updated text and images on the Chrome Security Settings page and on the Privacy Guide.
- WebUSB in Extension Service Workers
Allows web developers to use WebUSB API when responding to extension events by exposing WebUSB API to Service Workers registered by browser extensions. This API will not yet be exposed to Service Workers registered by sites but the implementation experience gained by supporting the API for extensions will be valuable for such a future project.- Chrome 118 on Windows, Mac, Linux
- IP Protection Phase 0 for Chrome
As early as Chrome 118, Chrome may route traffic for some network requests to Google-owned resources through a privacy proxy. This is an early milestone in a larger effort to protect users' identities by masking their IP address from known cross-site trackers. More information (including enterprise policies) will be provided in the near future.
- Include chrome.tabs API calls in extension telemetry reports
When you enable Enhanced Safe Browsing, Chrome will now collect telemetry information about chrome.tabs API calls made by extensions. This information is analyzed on Google servers and further improves the detection of malicious and policy violating extensions. It will also allow better protection for all Chrome extension users. This functionality along with the entire extension telemetry feature can be turned off by setting SafeBrowsingProtectionLevel to any value other than 2 (ie. disable Enhanced Safe Browsing).- Chrome 118 on Chrome OS, Linux, Mac, Windows: Feature launches
- Remove non-standard appearance keywords
Since only standard appearance keywords should be supported, we are removing the appearance (and -webkit-appearance) keywords that shouldn't be supported anymore:* inner-spin-button
* media-slider
* media-sliderthumb
* media-volume-slider
* media-volume-sliderthumb
* push-button * searchfield-cancel-button
* slider-horizontal * sliderthumb-horizontal
* sliderthumb-vertical
* square-button
Note that value slider-vertical will not be removed as part of this patch; it is used for allowing <input type=range> vertical. It will be removed once feature FormControlsVerticalWritingModeSupport is enabled in Stable.
Previously, if using any of the above keywords, a console warning will be shown, but the keyword will be recognized as a valid value. With the feature enabled, the appearance property will be ignored and set to the empty string. As needed for Web compatibility, we will progressively remove the appearance keywords based on their counter usages on Chrome Status Metrics. For release 118, we will start with the following keywords, currently at page load usage below 0.001%:
* media-slider at 0.000361
* media-sliderthumb at 0.000187%
* media-volume-slider at 0.000143%
* media-volume-sliderthumb at 0.000109%
* sliderthumb-horizontal at 0.000182%
* sliderthumb-vertical at 0.000014%
- Chrome 118 on Windows, Mac, Linux, Android
- Chrome release schedule changes
Chrome 119 and all subsequent releases will be shifted forward by one week. For example, Chrome 119 will have its early stable release on October 25 instead of Nov 1. Beta releases will also be shifted forward by one week starting in Chrome 119.- Chrome 119 on Android, iOS, Chrome OS, Linux, Mac, Windows
- Permissions Prompt for Web MIDI API
This feature gates the Web MIDI API access behind a permissions prompt. Today the use of SysEx messages with the Web MIDI API requires an explicit user permission. With this implementation, even access to the Web MIDI API without SysEx support will require a user permission. Three new policies—DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls—will be available to allow administrators to pre-configure user access to the API.- Chrome 119 on Windows, Mac, Linux, Android
- Migrate away from data URLs in SVG <use> element
The SVG spec was recently updated to remove support for data: URLs in SVG <use> element. This improves security of the Web platform as well as compatibility between browsers as Webkit does not support data: URLs in SVG <use> element. You can read more in this blog post.For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available temporarily to re-enable Data URL support for SVG <use> element.
- Chrome 119 on Android, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia: Remove support for data: URLs in SVG <use> element
- Chrome Browser Cloud Management: Crash report
The Crash Report is a new Chrome Browser Cloud Management report in the Admin console where IT admins can find a chart to easily visualize the number of crash events over time, based on the versions of Chrome that are running.- Chrome 119 on Android, iOS, Linux, Mac, Windows: Crash Report launched in Chrome Browser Cloud Management
- Display banner to allow resume last tab from other devices
Help signed in users resume tasks when they have to switch devices during an immediate transition by offering to pick up tabs recently used on the previous device. Admins can control this feature via the existing enterprise policy called SyncTypesListDisabled.- Chrome 119 on iOS: Feature launches
- Remove Sanitizer API
The Sanitizer API aims to build an easy-to-use, always secure, browser-maintained HTML sanitizer into the platform. It is a cross-browser standardization effort starting in Q2/2020. We shipped an initial version of the Sanitizer API in Chrome 105, based on the then-current specification draft. However, the discussion has meanwhile moved on and the proposed API shape has changed substantially. In order to prevent the current API from becoming entrenched we would like to remove the current implementation.We expect to re-implement the Sanitizer API when the proposed specification stabilizes again.
- Use counters: The Sanitizer API is currently used on 0.000000492% of page visits.
- Old vs new API: * Old explainer, API as implemented in "MVP" since Chrome 105:
https://github.com/WICG/sanitizer-api/blob/e72b56b361a31b722b4e14491a83e2d25943ba58/explainer.md *
- New explainer (still in progress):
https://github.com/WICG/sanitizer-api/blob/main/explainer.md
- Chrome 119 on Windows, Mac, Linux, Android
- Tab Groups can be saved, recalled, and synced
Users will be able to save tab groups, which will allow them to close and re-open the tabs in the group, as well as sync them across devices.- Chrome 119 on Chrome OS, Linux, Mac, Windows
- Chrome profile separation: new policies
Three new policies will be created to help enterprises configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist. These policies will basically be replacements for ManagedAccountsSigninRestriction, EnterpriseProfileCreationKeepBrowsingData.- Chrome 119 on Linux, Mac, Windows: New profile separation policies available: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist.
- Replace dangling markup in target name to `_blank`
This change replaces the navigable target name (which is usually set by target attribute) to `_blank`, if it contains a dangling markup (i.e. `\n` and `<`). Which fixes a bypass in the dangling markup injection mitigation.- Chrome 119 on Windows, Mac, Linux, Android
- Private Network Access restrictions for automotive
This ships Private Network Access restrictions to Android Automotive (if BuildInfo::is_automotive), including: - Private Network Access preflight requests for subresources and Private Network Access for Workers. See Note that the two above features were shipped in warning only mode, but this features will enforce the restriction, i.e. failing the main request if restrictions are not satisfied.- Chrome 5 on Windows, Mac, Linux
- Chrome 119 on Android
- Deprecate non-standard `shadowroot` attribute for declarative shadow DOM
The standards-track `shadowrootmode` attribute, which enables declarative Shadow DOM, was shipped in Chrome 111 [1]. The older, non-standard `shadowroot` attribute is now deprecated. During the deprecation period, both attributes are functional, however the `shadowroot` attribute does not enable the new streaming behavior, whereas `shadowrootmode` allows streaming of content. There is a straightforward migration path: replace `shadowroot` with `shadowrootmode`. The old `shadowroot` attribute is deprecated as of Chrome Chrome 112, and it will be removed (no longer supported) in Chrome 119, which goes to Stable on November 1, 2023. [1] https://chromestatus.com/feature/5161240576393216- Chrome 119 on Windows, Mac, Linux, Android
- Chrome on Android will no longer support Android Nougat
The last version of Chrome that will support Android Nougat will be Chrome 119, and it includes a message to affected users informing them to upgrade their operating system. Chrome 120 will not support nor ship to users running Android Nougat.- Chrome 120 on Android: Chrome on Android no longer supports Android Nougat
- Chrome Third-Party Cookie Deprecation (3PCD)
In Chrome 120 and beyond (Jan 2024), Chrome will globally disable third-party cookies for 1% of Chrome traffic as part of our Chrome-facilitated testing in collaboration with the CMA, to allow sites to meaningfully preview what it's like to operate in a world without third-party cookies (3PCs). Most enterprise end users will be excluded from this experiment group automatically. But for the few that may be affected, enterprise admins will be able to utilize an enterprise policy to opt out their managed browsers ahead of the experiment and give enterprises time to make necessary changes to not rely on this policy or third party cookies. We plan to provide more details about this policy and provide more tooling to help identify 3PC use cases. In the meantime, refer to the 'Mode B: 1% third-party cookie deprecation' blog section for more details on how to prepare, provide feedback and report potential site issues.- Chrome 120 on Chrome OS, Linux, Mac, Windows
1% of global traffic has third party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.
- Chrome 120 on Chrome OS, Linux, Mac, Windows
- Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.- Chrome 127 on Android, Chrome OS, Linux, Mac, Windows: Removal of LegacySameSiteCookieBehaviorEnabledForDomainList policy
- Intent to deprecate: Mutation events
Synchronous Mutation Events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.- Chrome 127 on Android, Chrome OS, Linux, Mac, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.
- Extensions must be updated to leverage Manifest V3
Extensions must be updated to leverage Manifest V3 back to top Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. As mentioned earlier in our blog post (https://developer.chrome.com/blog/more-mv2-transition/) the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed. During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3. An Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. For more information on the Manifest timeline: https://developer.chrome.com/docs/extensions/migrating/mv2-sunset/- Chrome 98 on Chrome OS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Public" or "Unlisted". The ability to change Manifest V2 extensions from "Private" to "Public" or "Unlisted" is removed.
- Chrome 103 on Chrome OS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Private".
- Chrome 110 on Chrome OS, LaCrOS, Linux, Mac, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
Future milestone on Chrome OS, LaCrOS, Linux, Mac, Windows: Removal of ExtensionManifestV2Availability policy.
Upcoming ChromeOS changes
- Privacy Hub
Later this year, users will be able to manage their camera and microphone settings across the operating system from one place in Settings. This way it only takes one click for users to completely turn off their camera or microphone all from one place when they need extra confidence in staying on mute.
- ChromeOS Admin templates
App Launch Automation can be configured by Administrators in the Admin console to contain groups of applications, windows and tools that can be launched automatically on startup or on-demand by users throughout their day. With App Launch Automation, you can: get users up and running quickly at the start of their day, provide users with a way to easily get to an optimal starting point for new tasks, and remember the window layout each user sets up for their individual workflows for future use.
Upcoming Admin console changes
- URL-keyed anonymized data collection in Kiosk mode
The policy for URL-keyed anonymized data collection, UrlKeyedAnonymizedDataCollectionEnabled, will soon be supported in the Admin console. This policy will be enforced starting October 1st and will remain disabled until then.
Chrome 116
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Enterprises can sign up for security fix notifications | ✓ | ||
Chrome increases release velocity with security improvements planned for each week | ✓ | ||
Share Sheet migration | ✓ | ||
Google Search side panel | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
Improving performance: Memory Saver and Energy Saver modes | ✓ |
✓ |
|
Anti-phishing telemetry expansion | ✓ | ||
Enabling BFCache for pages that set Cache-Control: no-store | ✓ | ||
Idle Timeout policies on Desktop | ✓ | ||
OS-native Passkey changes on Windows 11 | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Data processor mode on ChromeOS (including Chrome browser running on managed ChromeOS) | ✓ | ||
Removal of permissive Chrome Apps webview behaviors | ✓ | ||
ChromeOS OCR in PDFs for screen reader users | ✓ | ||
Move ChromeVox settings pages to ChromeOS settings | ✓ | ||
Customizing input peripherals per device settings | ✓ | ||
Managing Android App permissions | ✓ | ||
ChromeOS Kerberos integration enhancements | ✓ | ||
Commercial launch of screensaver | ✓ | ||
Enhanced autocorrect features | ✓ | ||
Additional input method support for Linux apps | ✓ | ||
URL-keyed anonymized data collection in Kiosk mode | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Extensions Review panel | ✓ | ||
Native Client Support updates | ✓ | ||
Updates to Clear Browsing Data on Android | ✓ | ||
Skip unload events | ✓ | ||
Require X.509 key usage extension for RSA certificates chaining to local roots | ✓ | ||
Network service will be sandboxed on Linux and ChromeOS | ✓ | ||
Bounce Tracking mitigations | ✓ | ||
Restricting the use of --load-extension | ✓ | ||
Service Worker static routing API | ✓ | ||
Enable access to WebUSB API from extension service workers | ✓ | ||
Simplified sign-in and sync experience | ✓ | ||
IP Protection Phase 0 for Chrome | ✓ | ||
Web MIDI permission prompt | ✓ | ||
Network service will be sandboxed on Windows | ✓ | ||
Removal of the RendererCodeIntegrityEnabled policy | ✓ | ||
Chrome 117 will no longer support macOS 10.13 and macOS 10.14 | ✓ | ||
New Chrome Desktop visual refresh in Chrome 117 | ✓ | ||
Update to the lock icon | ✓ | ||
Storage Access API with Prompts | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | ✓ |
Removal ForceMajorVersionToMinorPositionInUserAgent policy | ✓ | ||
Chrome release schedule changes | ✓ | ||
Chrome 119 to phase out support for Web SQL | ✓ | ||
Migrate away from data URLs in SVG <use> element | ✓ | ✓ | |
Chrome profile separation | ✓ | ✓ | |
Removal LegacySameSiteCookieBehaviorEnabledForDomainList policy | ✓ | ||
Intent to deprecate: Mutation Events | ✓ | ||
Warnings on insecure downloads | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS battery state sounds | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Enterprises can sign up for security fix notifications
Using this sign-up form, you can opt in to receive email notifications whenever there's a Chrome release that contains high or critical security fixes, including zero-day fixes. Chrome uses a fast release cycle to keep you ahead of bad actors, and so you can expect such a release approximately every week. By default, Chrome applies updates automatically when they're made available, so no action is required from admins who keep Chrome's default update behavior. You can read more about Chrome updates strategies for enterprises here.
- Chrome increases release velocity with security improvements planned for each week
In Chrome 115 and previous releases, Chrome maintained a four-week release cycle with a minor release halfway between each major release containing security improvements and minor bug fixes. Major releases continue to be planned for approximately every four weeks, but starting in Chrome 116, minor releases are now planned every week. This allows us to deliver security improvements even faster. If you have auto-updates turned on (the default behavior of Chrome, and our recommendation), then no action is required. Chrome might still release some unplanned updates in response to critical fixes, zero-day fixes, or other unforeseen circumstances. If you want to be notified of the security fixes contained in each release of Chrome, you can sign up for notifications here. Read more about Chrome Security and why we're making this change in our blog post.
- Share Sheet migration
Chrome is migrating Share functionality from its custom share sheet to the Android system share sheet for Android U+ users. In this migration, we’ve deprecated some functionality such as stylized cards for shared highlights and a redundant button for short (non full-page) screenshots. On Pre-U Android, Chrome still shows the custom share sheet and users can navigate to the system share sheet using the More (...) button.
- Google Search side panel
Chrome is introducing the Search side panel, a new contextual side panel experience that allows users to delve into the content of the page they're currently viewing. The new side panel gives users new tools to get more context about the page they're viewing. We launched the Search side panel to some users in Chrome 115 and subsequently plan to roll out to all users in Chrome 116. You can control access to the Search side panel using the GoogleSearchSidePanelEnabled policy.
- X25519Kyber768 key encapsulation for TLS
As early as Chrome 116, Chrome introduces a post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. However, some TLS middleboxes might be unprepared for the size of a Kyber key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. This cipher will be used for both TLS and QUIC connections.
- Improving performance: Memory Saver and Energy Saver modes
In Chrome 108, we introduced features designed to improve the performance of Chrome and extend battery life under the following enterprise policies: TabDiscardingExceptions, BatterySaverModeAvailability and HighEfficiencyModeEnabled. In Chrome 116, we expand the capabilities of the Memory Saver feature to help users further understand and use tab discarding to their benefit.Users with Memory Saver enabled (policy HighEfficiencyModeEnabled) now have increased visibility of discarded tabs in the tab strip and more insight into memory usage of active and inactive tabs.
Additionally, this release makes the management of exceptions (policy TabDiscardingExceptions) more intuitive for users who have access to manage their own exceptions:
1. In settings, users can add exceptions based on currently open tabs (in addition to manual entry which exists today)
2. In the page action chip of a discarded tab, users can opt the site out from future discarding.
- Anti-phishing telemetry expansion
In this feature, we log user-interaction data to Chrome servers and to Safe Browsing servers, which will fill knowledge gaps about how users interact with Safe Browsing phishing warnings and phishing pages. This additional telemetry will help inform where we should concentrate our efforts to improve phishing protection because it will allow us to understand the user better. Admins can opt out by using the Enterprise policies MetricsReportingEnabled and SafeBrowsingProtectionLevel.
- Enabling BFCache for pages that set Cache-Control: no-store
Documents with a Cache-Control: no-store header (CCNS) are blocked from entering BFCache. Chrome 116 will start BFCaching these documents, except for the ones with sensitive information (Github).The AllowBackForwardCacheForCacheControlNoStorePageEnabled policy controls if a page with
Cache-Control: no-store
header can be stored in back/forward cache. The website setting this header might not expect the page to be restored from back/forward cache since some sensitive information could still be displayed after the restoration even if it is no longer accessible.If the policy is enabled or unset, the page with
Cache-Control: no-store
header might be restored from back/forward cache unless the cache eviction is triggered, for example, when there is HTTP-only cookie change to the site.If the policy is disabled, the page with
Cache-Control: no-store
header will not be stored in back/forward cache.
- Idle Timeout policies on Desktop
In Chrome 116, admins can now enforce taking an action, for example, closing the browser, clearing cookies or moving to the profile picker, after Chrome has been idle for some amount of time. You can use the IdleTimeout policy to set a timeout period and the IdleTimeoutActions policy to specify actions on timeout.
- OS-native Passkey changes on Windows 11
An update to Windows 11 later in 2023 adds support for cross-device passkeys flows in Windows webauthn.dll v6. Chrome 116 recognizes this version of Windows and stops offering its own cross-device support in Chrome UI, deferring to Windows instead. This results in users seeing a different UI, as shown below. This can be tested with Chrome 116 running on Windows Insider Dev Build 23486 or later.
- New and updated policies in Chrome browser
Policy Description NativeClientForceAllowed Forces Native Client (NaCl) to be allowed to run. SafeSitesFilterBehavior Control SafeSites adult content filtering (now on Android) PostQuantumKeyAgreementEnabled Enable post-quantum key agreement for TLS UserContextAwareAccessSignalsAllowlist Enable the Chrome Enterprise Device Trust Connector attestation flow for a list of URLs on Managed Profiles RSAKeyUsageForLocalAnchorsEnabled Check RSA key usage for server certificates issued by local trust anchors AllowBackForwardCacheForCacheControlNoStorePageEnabled Allow pages with Cache-Control: no-store header to enter back/forward cache
ChromeOS updates
- Data processor mode on ChromeOS (including Chrome browser running on managed ChromeOS)
In ChromeOS 116, ChromeOS is releasing a data processor mode for a suite of ChromeOS features and services called Essential Services, switching Google’s role from that of a data controller over personal data, to primarily that of a data processor. Features and services for which Google remains solely a data controller are called “Optional Services”. IT admins who manage ChromeOS devices used by managed Dutch Education accounts will see these new terms and features available to select from August 18, 2023.
These are the new tools available in data processor mode for ChromeOS:- Data processor mode landing page in the Admin console
- The ability to turn-on/off individual Optional Services
- Tools to assist customers with Data Subject Access Requests (DSARs)
- A tool to assist customers with data subject deletion requests
- Removal of permissive Chrome Apps webview behaviors
As early as Chrome 116, Chrome Apps webview usage have the following restrictions:- Using the webview NewWindow event to attach to a webview element in another App window causes the window reference returned by the
window.open
call in the originating webview to be invalidated.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed is available to give enterprises time to address possible breakage related to these changes. To test whether this change is the cause of any breakage, without needing to set the enterprise policy, you can restore the previous behavior from Chrome 112 and earlier by navigating tochrome://flags
and disablingchrome://flags/#enable-webview-tag-mparch-behavior
.
This change was originally scheduled for Chrome 113, but was postponed. Previous release notes mentioned a change to the handling of SSL errors within webviews, but this is no longer part of this change. - Using the webview NewWindow event to attach to a webview element in another App window causes the window reference returned by the
- ChromeOS OCR in PDFs for screen reader users
Through Optical Character Recognition (OCR), users can convert images to text, so that they can access and read them.
- ChromeVox settings move to ChromeOS setting
In Chrome 116, you now access the existing settings for ChromeVox under the ChromeOS Accessibility settings pages.
- Customizing input peripherals per device settings
Users can now manage settings for their input peripherals, such as their mouse and keyboard, at the device level and apply different values for different devices. This provides more control over the peripheral experience on ChromeOS.
- Managing Android App permissions
In Chrome 116, users have a better view of what data Android apps can access by reviewing allowed app permissions on the Apps page in ChromeOS Settings. Now, users can see a detailed view of the data an Android app can access on the Apps page in Settings, and they can easily manage those permissions.
- ChromeOS Kerberos integration enhancements
Starting with M116, we streamline the end user configuration flows for ChromeOS Kerberos customers. Many users use Kerberos on ChromeOS to access corporate resources. The new UI enhancements guide users through the configuration of their Kerberos accounts in a guided flow, similar to Password Manager. For details, see this help center article.
- Commercial launch of screensaver
With M116, ChromeOS represents your organization even better. The commercial launch of screensaver for the login screen or MGS lock screen allows admins to customize the appearance of idle devices. Newly added admin settings include the abilities to turn on/off the screensaver, to provide a list of screensaver images, and to customize idle times.
- Enhanced autocorrect features
We've enhanced Autocorrect in ChromeOS! Autocorrect is now enabled by default for English in compatible apps, automatically fixing typos, spelling, and other errors. In addition to the new Autocorrect for physical keyboards, this update also enhances the performance of the virtual keyboard's Autocorrect and other Assistive features.
- Additional input method support for Linux apps
Linux on ChromeOS now supports complex input methods, such as Japanese and Korean. This means that you can now use the same input methods that you're already using in Chrome to type in your Linux applications. Not all applications are supported yet, but support for additional applications is coming soon.
Admin console updates
- New policies in Admin console
RSAKeyUsageForLocalAnchorsEnabled User, MGS CrOS, Chrome, Android Legacy Site Compatibility AllowBackForwardCacheForCacheControlNoStorePageEnabled User, MGS CrOS, Chrome, Android Security PostQuantumKeyAgreementEnabled User, MGS CrOS, Chrome, Android Security PhysicalKeyboardPredictiveWriting User, MGS CrOS User Experience PhysicalKeyboardAutocorrect User, MGS CrOS User Experience
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Extensions Review panel
A new review panel will be added in chrome://extensions, which will appear whenever there are potentially unsafe extensions that need the user's attention. The initial launch will highlight extensions that are malware, policy violating or are no longer available in the Chrome Web Store. The user can choose to remove or keep these extensions.
There will also be a count of risky extensions needing review that is presented in the Chrome Privacy & Security settings page.
The ExtensionsUnpublishedAvailability policy will disable extensions that have been unpublished by the developer or violate Chrome Web Store policy. Note that these extensions might also appear in the Extensions Module's review panel but only if they are not installed by policy. The user can choose to remove or keep them.
- Native Client Support updates
As early as Chrome 117, we will remove Native Client NaCl support from extensions on Windows, macOS, Linux. An enterprise policy will be available, NativeClientForceAllowed, which will allow Native Client to continue to be used until Chrome 119.
- Updates to Clear Browsing Data on Android
We’re making it easier to find and use the browsing data deletion tools that Chrome offers.
We’re adding more entry points to Clear Browsing Data, including on the main Chrome menu. We’re also introducing a new quick deletion affordance to enable users to quickly delete their recent history. We’ll maintain and further enhance the more granular ‘Advanced’ Clear Browsing Data page on Privacy Settings.
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years.
As early as Chrome 117, to further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events. In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of an API and a group policy which will allow you to selectively keep the behavior unchanged.
- Require X.509 key usage extension for RSA certificates chaining to local roots
X.509 certificates used for HTTPS should contain a key usage extension that declares how the key in a certificate may be used. Such instructions ensure certificates are not used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. For this to work, HTTPS clients must check that server certificates match the connection's TLS parameters, specifically that the key usage flag for “digitalSignature” and possibly “keyEncipherment” (depending on TLS ciphers in use) are asserted when using RSA.
Chrome 117 will begin enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates. Enterprises can test and temporarily disable key usage enforcement using the RSAKeyUsageForLocalAnchorsEnabled policy (available in Chrome 116).
- Network service will be sandboxed on Linux and ChromeOS
As early as Chrome 117, the network service will be sandboxed on Linux and ChromeOS to improve security. On Linux, it's possible that third party software (likely data loss prevention or antivirus software) is injecting code into Chrome's processes and will be blocked by this change. This may result in Chrome crashing for your users.
If this happens, you should work with the vendor of the third party software to stop it from injecting code into Chrome's processes. In the meantime, you will be able to use the NetworkServiceSandboxEnabled policy to defer the sandboxing. This is a temporary measure intended to help enterprises surprised by the change; the policy will be removed in a future version of Chrome.
- Bounce Tracking mitigations
As early as Chrome 116, Chrome will launch bounce tracking mitigations. Bounce tracking mitigations will only take effect when the policy is set to true (Block 3rd party cookies). You can use the BlockThirdPartyCookies policy to control this feature. Alternatively, if 3rd party cookies are blocked by default you can exempt specific sites by using the CookiesAllowedForUrls policy.
- Restricting the use of --load-extension
The--load-extension
command-line switch provides a very low bar for cookie theft malware to load malicious extensions without an installation prompt. Chrome will gradually phase out this switch to reduce this attack vector for malware. Starting in Chrome 116,--load-extension
will be ignored for users that have enabled Enhanced Safe Browsing.
- Service Worker static routing API
Chrome 116 will release the Service Worker static routing API; it enables developers to optimize how Service Workers are loaded. Specifically, it allows developers to configure the routing, and allows them to offload simple things ServiceWorkers do. If the condition matches, the navigation happens without starting ServiceWorkers or executing JavaScript, which allows web pages to avoid performance penalties due to ServiceWorker interceptions.
- Enable access to WebUSB API from extension service workers
As early as Chrome 117, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Simplified sign-in and sync experience
Starting in Chrome 117, some users may experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off fully (via SyncDisabled) or partially (via SyncTypesListDisabled). Sign-in to Chrome can be required or disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- IP Protection Phase 0 for Chrome
Beginning in Chrome 118, Chrome may route traffic for some network requests to Google-owned resources through a privacy proxy. This is an early milestone in a larger effort to protect users' identities by masking their IP address from known cross-site trackers. More information (including enterprise policies) will be provided in the near future.
- Web MIDI permission prompt
Starting in Chrome 118, the Web MIDI API access will be gated behind a permissions prompt. Currently, the use of SysEx messages with the Web MIDI API requires explicit user permission. With the planned implementation, even access to the Web MIDI API without SysEx support will require user permission. Both permissions will be requested in a bundled permissions prompt.
Three new policies DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls will be available to allow administrators to pre-configure user access to the API.
- Network Service on Windows will be sandboxed on Windows
As early as Chrome 118, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Removal of the RendererCodeIntegrityEnabled policy
As early as Chrome 117, the RendererCodeIntegrityEnabled policy will be removed. We recommend that you verify any potential incompatibilities with third party software by no longer applying the policy in advance of this release. You can report any issues you encounter by submitting a bug here.
- Chrome 117 will no longer support macOS 10.13 and macOS 10.14
Chrome 117 will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.13 or 10.14, Chrome continues to show an infobar that reminds users that Chrome 117 will no longer support macOS 10.13 and macOS 10.14.
- New Chrome Desktop visual refresh in Chrome 117
With Google’s design platform moving to Google Material 3, we have an opportunity to modernize our desktop browser across OS’s, leveraging updated UI elements or styling, enhancing personalization through a new dynamic color system, and improving accessibility. The first wave of UI updates will roll out in Chrome 117.
The three dot Chrome menu will also be refreshed, providing a foundation to scale personalization and customization experiences in Chrome by enabling customers proximate access to tools and actions. The menu will be updated in phases starting in Chrome 117.
- Update to the lock icon
We plan to replace the lock icon with a variant of the tune icon, which is commonly used to indicate controls and settings. Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome. Our research has also shown that many users never understood that clicking the lock icon showed important information and controls. We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.
The new icon is scheduled to launch in Chrome 117 as part of a general design refresh for desktop platforms. Chrome will continue to alert users when their connection is not secure. You can see the new tune icon now in Chrome Canary for Desktop if you enable Chrome Refresh 2023 atchrome://flags#chrome-refresh-2023
, but keep in mind this flag enables work that is still actively in-progress and under development, and does not represent a final product.
We will also replace the icon on Android. On iOS, the lock icon is not tappable, so we will be removing the icon.
You can read more in this blog post.
- Storage Access API with Prompts
The Storage Access API provides a means for authenticated cross-site embeds to check their blocking status and request access to storage if they are blocked. Targeting Chrome 117 for Desktop, we will support the Storage Access API by implementing all the behaviors listed in the specification, i.e. with user prompts, and additionally having its own user-agent-specific behaviors.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability has been available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
- Removal ForceMajorVersionToMinorPositionInUserAgent policy
Chrome 118 plans to remove the ForceMajorVersionToMinorPositionInUserAgent policy. This policy was introduced in Chrome 99 to control whether the User-Agent string major version would be frozen at 99, in case of User-Agent string parsing bugs when the version changed to 100. Fortunately, we did not need to deploy this feature and only encountered a few minor 3-digit version parsing issues that have all since been fixed. Given that, we intend to remove this policy.
If you have any feedback about this policy removal, or are aware of intranet breakage that depends on the policy, please comment on this bug.
- Chrome release schedule changes
Chrome 119 and all subsequent releases will be shifted forward by one week. For example, Chrome 119 will have its early stable release on October 25 instead of Nov 1. Beta releases will also be shifted forward by one week starting in Chrome 119.
- Chrome 119 to phase out support for Web SQL
Starting in Chrome 119, to improve user data security, Chrome will remove support for Web SQL. The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. As of today, Chrome is the only major browser with support for Web SQL. The W3C encouraged those needing web databases to adopt Indexed Database or SQLite WASM.
The timeline for the deprecation will be:
- Chrome 115 - Deprecation message added
- Chrome 117 - 123 - Deprecation trial
- Chrome 119 - Ship removal
More details about the deprecation and removal can be found on the Chromestatus page.
An enterprise policy WebSQLAccess is available until Chrome 123 to enable Web SQL to be available.
- Migrate away from data URLs in SVG <use> element
The SVG spec was recently updated to remove support for data: URLs in SVG <use> element. This improves security of the Web platform as well as compatibility between browsers as Webkit does not support data: URLs in SVG <use> element. We expect to remove support for data: URLs in SVG <use> element in Chrome 119, scheduled to ship in November 2023. You can read more in this blog post. For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available temporarily to re-enable Data URL support for SVG <use> element.
- Chrome profile separation
As early as Chrome 119, three new policies will be created to help enterprises configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist.
- Removal LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies (possibly on specific domains) to legacy behavior. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will now be removed in Chrome 127.
- Intent to deprecate: Mutation Events
Synchronous Mutation Events, including `DOMSubtreeModified`, `DOMNodeInserted`, `DOMNodeRemoved`, `DOMNodeRemovedFromDocument`, `DOMNodeInsertedIntoDocument`, and `DOMCharacterDataModified`, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer. Mutation Events will stop functioning in Chrome 127, around July 30, 2024.
- Warnings on insecure downloads
Chrome will begin showing warnings on some downloads if those files were downloaded over an insecure connection, that is, not HTTPS. These warnings do not prevent downloading and can be bypassed by the user. Enterprises can test their downloads by enabling warnings viachrome://flags/#insecure-download-warnings
. Enterprises can also disable warnings for sites that can not deliver files securely by adding the download site to InsecureContentAllowedForUrls.
Upcoming ChromeOS changes
- ChromeOS battery state sounds
As early as Chrome 117, we will add audible sounds to indicate battery status. Users will be able to turn on and off these sounds and Admins will be able to control them through policies.
When the device is not plugged in, you will hear warning sounds if:- Battery level goes down to 15 minutes of charge time left, and another one when there is 5 minutes left.
When the device is plugged in, you will hear an information beep when:- Battery level - 0-15% (low)
- Battery level - 16-79% (med)
- Battery level - 80-100% (high)
In the case where the device is connected to a low power charger, you’ll hear warnings when the battery goes down to 10%, then again at 5%.
Chrome 115
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Google Search side panel | ✓ | ||
Secure DNS auto-upgrade for some Quad9Secure DNS users | ✓ | ||
HTTP requests upgraded to HTTPS | ✓ | ||
Support for Encrypted Client Hello (ECH) | ✓ | ||
Disable extensions unpublished from Chrome Web Store | ✓ | ||
Updates to initial_preferences | ✓ | ||
Bookmarks and reading list improvements on iOS | ✓ | ||
Update for secure DNS queries on Cox ISP servers | ✓ | ||
Reading mode | ✓ | ||
Removal of SHA1 in server signatures in TLS | ✓ | ||
Policy Sync dependency handling | ✓ | ||
Skia renderer for PDF rendering | ✓ | ✓ | |
One Time Permissions desktop | ✓ | ||
Privacy Sandbox Developer enrollment form | ✓ | ||
Update on BrowsingDataLifetime policy | ✓ | ||
Set Up Chrome module for iOS | ✓ | ||
Carousel on the new tab page | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
App Streaming on ChromeOS | ✓ | ||
Floating windows on ChromeOS | ✓ | ||
Pause cast for cast moderator | ✓ | ||
Enhanced signature options for PDF toolkit | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ||
Expand Language Packs to Text-to-Speech | ✓ | ||
New keyboard Shortcut app | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
New Chrome Browser Cloud Management card | ✓ | ||
ChromeOS Settings page redesign | ✓ | ||
Chrome Setup Guides | ✓ | ||
Printing reports now available in Chrome Management Reports API | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
X25519Kyber768 key encapsulation for TLS | ✓ | ||
Improving performance: Memory Saver and Energy Saver modes | ✓ | ||
Anti-phishing telemetry expansion | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Enabling BFCache for pages that set Cache-Control: no-store | ✓ | ||
Idle Timeout policies | ✓ | ||
Windows 11 changes affecting Chrome in ~September | ✓ | ||
Native Client Support updates | ✓ | ||
Skip unload events | ✓ | ||
Extensions Review panel | ✓ | ||
Require X.509 key usage extension for RSA certificates chaining to local roots | |||
Bounce Tracking mitigations | ✓ | ✓ | |
Restricting the use of --load-extension | ✓ | ||
Service Worker static routing API | ✓ | ||
Enable access to WebUSB API from extension service workers | ✓ | ||
Simplified sign-in and sync experience | ✓ | ||
Web MIDI permission prompt | ✓ | ||
Removal of the RendererCodeIntegrityEnabled policy | ✓ | ||
Chrome 117 will no longer support macOS 10.13 and macOS 10.14 | ✓ | ✓ | |
New Chrome Desktop refresh and Chrome menu in Chrome 117 | ✓ | ||
Update for lock icon | ✓ | ✓ | |
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | |
Removal ForceMajorVersionToMinorPositionInUserAgent policy | ✓ | ||
Chrome 119 to phase out support for Web SQL | ✓ | ||
Removal LegacySameSiteCookieBehaviorEnabledForDomainList policy | ✓ | ||
Intent to deprecate: Mutation Events | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS battery state sounds | ✓ | ||
Removal of permissive Chrome Apps webview behaviors | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Google Search side panel
In Chrome 115, Google introduces the Search side panel, a new contextual side panel experience that allows users to delve into the content of the page they're currently viewing. The new side panel features a search box that allows text-based and visual queries, questions related to the page, and links to more details about the current site. We launch the Search side panel to some users in Chrome 115 and subsequently plan to roll out to all users in Chrome 116. You can control access to the Search side panel using the GoogleSearchSidePanelEnabled policy.
- Secure DNS auto-upgrade for some Quad9Secure DNS users
Starting in Chrome 115, for a small subset of Chrome users, secure DNS queries are used instead of insecure DNS queries to perform host name resolution using Quad9 Secure (9.9.9.9) DNS servers. This change affects behavior for a given client under the following conditions only:- The client is running on a system that has been configured to use the Quad9 Secure (9.9.9.9) DNS servers.
- The DnsOverHttpsMode enterprise policy is set to “Automatic” (the default value is “Off”).
- The ChromeVariations policy is set to enable all variations.
- The client is randomly selected to be part of the 1% of clients where this behavior is enabled.
- HTTP requests upgraded to HTTPS
As early as Chrome 115, some users might see HTTP requests automatically upgraded to HTTPs. Any page that can't load via HTTPS is automatically reverted back to HTTP. For standard server configurations, this shouldn't have any visible effect, but it improves your users' security.
Some server configurations might cause issues, for example, if different content is served via HTTP and HTTPS. Users can bypass the automatic upgrading by explicitly navigating to an
http://
URL in the Omnibox, or by changing the Insecure Content site setting to enabled, accessible via Page Info andchrome://settings/content
. You can control this behavior with the HttpsUpgradesEnabled policy, and allowlist specific sites with the HttpAllowlist policy.In the long term, you should ensure that your organization's servers support HTTPS and serve the same content on both HTTP and HTTPS. If you don't intend to support HTTPS (for example, on an intranet behind a firewall), servers shouldn't respond to port 443, and firewalls should close the connection rather than leave it hanging. You can test HTTPS upgrading in your environment by enabling
chrome://flags#https-upgrades
. If you come across any issues, you can report them to us.Starting in Chrome 115, Chrome automatically enables HTTPS-First Mode based on the user's browsing history. It automatically enables the HTTPS-First Mode interstitial on sites that regularly load over HTTPS. Sites that regularly use plaintext HTTP are unaffected. In practice, this change protects users from downgrade attacks, but is invisible to users.
- Support for Encrypted Client Hello (ECH)
Chrome 115 starts rolling out support for ECH on sites that opt in, as a continuation of our network-related efforts to improve our users’ privacy and safety on the web, for example, Secure DNS. This change was originally planned for Chrome 107, but had to be postponed.
If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it. You can enable the new behavior by navigating to chrome://flags and enabling the #encrypted-client-hello flag.
On Windows and Linux, you also need to enable Secure DNS for the flag to have an effect.
If you notice any incompatibilities, you can use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.
- Disable extensions unpublished from Chrome Web Store
In Chrome 115, we release the Enterprise policy ExtensionUnpublishedAvailability to allow you to disable extensions that have been unpublished from the Chrome Web Store.
- Updates to initial_preferences
We’ve removed the following fields from the initial_preferences sample file:
- Removed from example because they're no longer valid:
sync_promo.show_on_first_run_allowed
suppress_first_run_bubble
suppress_first_run_Default_browser_prompt
- Removed from example because they can be controlled by a recommended policy:
homepage
homepage_is_newtabpage
show_home_button
session
bookmark_bar
import_* except for import_bookmarks_from_file
make_chrome_default_*
- Removed from example because they're not applicable to enterprise usage, or only applicable for user-level install:
ping_delay
do_not_launch_chrome
do_no_register_for_update_launch
- Removed from example because they're no longer valid:
- Bookmarks and reading list improvements on iOS
On Chrome 115 on iOS, some users who sign in to Chrome from bookmark manager or reading list surfaces can now use and save bookmarks and reading list items in their Google Account. Relevant enterprise policies, such as BrowserSignin, SyncDisabled, SyncTypesListDisabled, EditBookmarksEnabled and ManagedBookmarks continue to work as before, to configure whether users can use and save items in their Google Account.
- Update for secure DNS queries on Cox ISP servers
For clients running on systems that use the Cox ISP DNS servers, if the DnsOverHttpsMode policy is set to Automatic, Chrome uses secure DNS queries instead of insecure DNS queries, starting in Chrome 115 (and in earlier versions, starting on May 16, 2023, if the ChromeVariations policy is set to enable all variations).
- Reading mode
As more content is read online, Chrome 115 adds a new feature to help improve the online reading experience. Introducing reading mode, a new feature on Chrome browser, which enhances the reading experience on the web for everyone. Reading mode reduces distracting elements through a resizable and customizable reader view in the Chrome browser side panel, enabling readers to focus on the primary content. Users can also customize the font, text size, spacing, theme or background color, and more, making for a more cohesive, intuitive, and comfortable reading experience.
- Removal of SHA1 in server signatures in TLS
Chrome 115 removes support for signature algorithms using SHA-1 for server signatures during the TLS handshake. SHA1, which has known collisions, has been deprecated by the IETF, and should be avoided, where possible.
This does not affect SHA-1 support in server certificates, which was already removed. SHA-1 in client certificates continues to be supported. Enterprises that rely on SHA1 signature schemes in TLS can use the InsecureHashesInTLSHandshakesEnabled policy to continue to accept SHA1 in server signatures.
- Policy Sync dependency handling
Currently, we require admins to set SyncDisabled for any data-deletion policy (BrowsingDataLifetime, ClearBrowsingDataOnExitList). In Chrome 115, we automatically disable sync for the respective data types and no longer require admins to additionally set the SyncDisabled policy. We will gradually roll out this feature behind a flag. You can enable this behavior atchrome://flags#data-retention-policies-disable-sync-types-needed
.
- Skia renderer for PDF rendering
Chrome 115 adds a new enterprise policy, PdfUseSkiaRendererEnabled, to override user choice on whether to enable Skia renderer. When Skia renderer is enabled, it switches the PDF render device from AGG (Anti-Grain Geometry) to Skia. Skia renderer provides enhanced technical support and uses different algorithms for drawing graphics. Any resulting visual differences are expected to be very minor.
- One Time Permissions desktop
When users are prompted for a permission they can currently select Allow or Deny, both options are stored permanently. This feature adds an Allow this time option for geolocation, camera and microphone permissions. This fine-tunes the permission granted to a newly introduced session, which we believe more accurately represents a one-time permission session, without affecting any common scenarios. In Chrome 115, we start slowly rolling out this feature to a subset of users.
- Privacy Sandbox Developer enrollment form
To access the Privacy Sandbox relevance and measurement APIs on Chrome and Android, developers need to enroll with the Privacy Sandbox. The developer enrollment process verifies companies before they can use the APIs, as an additional layer of protection for user privacy. As part of this enrollment process, we require developers to agree to restrictions around the usage of these services to prevent re-identification of users across sites.
- Update on BrowsingDataLifetime policy
We have updated the documentation for BrowsingDataLifetime to state that download_history and hosted_app_data are not supported on Android.
- Set Up Chrome module for iOS
On iOS, some new users in Chrome 115 see the new Set Up Chrome module. This module provides options, in the center of the new tab page, to allow new users to view and complete items that help them set up and get the most out of Chrome, on their own time. The items listed in the module are optional, and the module displays temporarily for up to a few weeks after installing the app. At this time, this is only available for iOS.
- Carousel on the Google New tab page
A new carousel on the Google New tab page allows users to swipe between certain modules. This is a limited-availability feature for some new users. The carousel can display in two ways:
- With the Most Visited Sites and Shortcuts module, or
- With the Shortcuts module.
For example, a user might see Most Visited Sites but can swipe to see Shortcuts.
- New and updated policies in Chrome browser
Policy Description ExtensionUnpublishedAvailability Control availability of extensions unpublished on the Chrome Web Store. SafeSitesFilterBehavior Filter top level sites (but not embedded iframes) for adult content (now available on Android). PdfUseSkiaRendererEnabled Use the default renderer based on the field trial configuration. GoogleSearchSidePanelEnabled Enable Google Search Side Panel on all web pages.
- Removed policies in Chrome browser
Policy Description ForceEnablePepperVideoDecoderDevAPI Enable support for the PPB_VideoDecoder(Dev) API. PPAPISharedImagesSwapChainAllowed Allow modern buffer allocation for Graphics3D APIs PPAPI plugin. UseMojoVideoDecoderForPepperAllowed Allow Pepper to use a new decoder for hardware accelerated video decoding.
ChromeOS updates
- App Streaming on ChromeOS
As early as ChromeOS 115, App Streaming enhances the Phone Hub experience, by allowing users to see and interact with streamed apps running on their Pixel phone. When a user receives a mirrored conversation notification from their Pixel phone, a simple tap on that notification kicks off an app stream directly to the user's ChromeOS desktop. This is part of a Google-wide ambient computing effort.
- Pause cast for cast moderator
While using cast moderator, sometimes users need a quick way to pause what they are casting. In ChromeOS 115, with Pause cast, you can now pause what you cast to the shared screen on a still image, while you do something else on your computer.
In ChromeOS Quick Settings or from Chrome browser Cast menu, select Pause to display the last casted screen on the cast receiver. While paused, other actions you perform on your computer are NOT cast to the cast receiver. When cast is resumed, your computer starts mirroring to the cast receiver again.
- Enhanced signature options for PDF toolkit
In ChromeOS 115, the Gallery PDF toolkit makes it easier for users to sign their documents, allowing for the creation of a free-hand signature that is saved in the app for subsequent use. Gallery is the ChromeOS media multi-tool that provides users with fast, consistent, and discoverable ways to view, tweak, and route various media types.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Passpoint streamlines Wi-Fi access and eliminates the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits. Wi-Fi Passpoint is now supported on ChromeOS through supported Android applications. Wi-Fi Passpoint is a set of Wi-Fi mechanisms defined by the Wi-Fi Alliance that facilitate and automate the provisioning and configuration of secure Wi-Fi networks while also minimizing user intervention. Once provisioned, whenever a compatible and secured Wi-Fi network is in range, ChromeOS can automatically connect to it without the need for user interaction.
- Expand Language Packs to Text-to-Speech
Some Google Text-to-Speech voices that were previously preinstalled are now downloaded over the network when they are needed. This frees up some space on the ChromeOS device.
- New keyboard Shortcut app
The new Shortcut App offers a new navigation and taxonomy, easier in-app search functionalities and a refreshed shortcut visualization.
Admin console updates
- Chrome Settings page redesign
We’ve heard your feedback, and we’re excited to share that all admins now see a redesigned experience across Users & browsers, Device, and Managed guest session settings pages to make it easier to manage policies. Look out for:
- A more scannable, read-only table to view setting configurations across your organization.
- Dedicated policy views for admins to focus on individual settings.
- Updated policy descriptions that pull directly from live Help Center content; no more toggling between windows to learn more about a policy. This includes supported-on information for platform and version for all policies.
- Chrome Setup Guides
The Chrome Setup Guides section now includes new, interactive content to help with performing common ChromeOS journeys in the Admin console. These new journeys include:
- Creating test organizational units
- Adding users for testing
- Turning on ChromeOS reporting
- Enrolling a test device
- Setting device policies
- Setting user policies
- Installing apps and extensions
- Adding a Wi-Fi network
To access the new Chrome Setup Guides:- Log in to the Admin console.
- On the left, select Devices>Chrome>Setup Guides.
- Printing reports now available in Chrome Management Reports API
We have added additional endpoints to Chrome Management Reports API that allow access to printing reports. The new endpoints provide per-user and per-printer summary printing reports, as well as a listing of all print jobs submitted to managed printers. The data provided by the new endpoints corresponds to the data in the Print Usage page of the Admin console. This update exposes the same data in the third-party Reports API.
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- X25519Kyber768 key encapsulation for TLS
As early as Chrome 116, Chrome will introduce a post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard. This will be exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. However, some TLS middleboxes might be unprepared for the size of a Kyber key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed.
- Improving performance: Memory Saver and Energy Saver modes
In Chrome 108, we introduced features designed to improve the performance of Chrome and extend battery life under the following enterprise policies: TabDiscardingExceptions, BatterySaverModeAvailability and HighEfficiencyModeEnabled. In Chrome 116, we will expand the capabilities of the Memory Saver feature to help users further understand and use tab discarding to their benefit.
Users with Memory Saver enabled (policy HighEfficiencyModeEnabled) will have increased visibility of discarded tabs in the tab strip and more insight into memory usage of active and inactive tabs.
Additionally, this release will make the management of exceptions (policy TabDiscardingExceptions) more intuitive for users who have access to manage their own exceptions:
- In settings, users will be able to add exceptions based on currently open tabs (in addition to manual entry which exists today)
- In the page action chip of a discarded tab, users will have the option to opt the site out from future discarding.
- Anti-phishing telemetry expansion
In this feature, we log user-interaction data to Chrome servers and to Safe Browsing servers, which will fill knowledge gaps about how users interact with Safe Browsing phishing warnings and phishy pages. This additional telemetry will help inform where we should concentrate our efforts to improve phishing protection because it will allow us to understand the user better. Admins can opt out by using the Enterprise policies MetricsReportingEnabled and SafeBrowsingProtectionLevel.
- Network Service on Windows will be sandboxed
As early as Chrome 116, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Enabling BFCache for pages that set Cache-Control: no-store
Documents with a
Cache-Control: no-store
header (CCNS) are blocked from entering BFCache. Chrome 116 will start BFCaching these documents, except for the ones with sensitive information (Github).The AllowBackForwardCacheForCacheControlNoStorePageEnabled policy controls if a page with
Cache-Control: no-store
header can be stored in back/forward cache. The website setting this header might not expect the page to be restored from back/forward cache since some sensitive information could still be displayed after the restoration even if it is no longer accessible.If the policy is enabled or unset, the page with
If the policy is disabled, the page withCache-Control: no-store
header might be restored from back/forward cache unless the cache eviction is triggered, for example, when there is HTTP-only cookie change to the site.Cache-Control: no-store
header will not be stored in back/forward cache.
- Idle Timeout policies
In Chrome 116, admins will be able to enforce taking an action, for example closing the browser, or moving to the profile picker, after Chrome has been idle for some amount of time. You will be able to use the IdleTimeout policy to set a timeout period and the IdleTimeoutActions policy to specify actions on timeout.
- Windows 11 changes affecting Chrome in ~September
An update to Windows 11 later in 2023 will add support for cross-device passkeys flows in Windows webauthn.dll v6. Chrome 116 will recognize this version of Windows and stop offering its own cross-device support in Chrome UI, deferring to Windows instead. This will result in users seeing a different UI, as shown below. This can be tested with Chrome 116 running on Windows Insider Dev Build 23486 or later.
Before:
After:
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years.
As early as Chrome 117, to further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events. In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of an API and a group policy which will allow you to selectively keep the behavior unchanged.
- Extensions Review panel
A new review panel will be added in chrome://extensions which will appear whenever there are potentially unsafe extensions that need the user's attention. The initial launch will highlight extensions that are malware, policy violating or are no longer available in the Chrome Web Store. The user can choose to remove or keep these extensions.
There will also be a count of risky extensions needing review that is presented in the Chrome Privacy & Security settings page.
The ExtensionsUnpublishedAvailability policy will disable extensions that have been unpublished by the developer or violate Chrome Web Store policy. Note that these extensions might also appear in the Extensions Module's review panel but only if they are not installed by policy. The user can choose to remove or keep them.
- Require X.509 key usage extension for RSA certificates chaining to local roots
X.509 certificates used for HTTPS should contain a key usage extension that declares how the key in a certificate may be used. Such instructions ensure certificates are not used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. For this to work, HTTPS clients must check that server certificates match the connection's TLS parameters, specifically that the key usage flag for “digitalSignature” and possibly “keyEncipherment” (depending on TLS ciphers in use) are asserted when using RSA.
Chrome 117 will begin enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates. Enterprises can test and temporarily disable key usage enforcement using the RSAKeyUsageForLocalAnchorsEnabled policy (available in Chrome 116).
- Bounce Tracking mitigations
As early as Chrome 116, Chrome will launch bounce tracking mitigations. Bounce tracking mitigations will only take effect when the policy is set to true (Block 3rd party cookies). You can use the BlockThirdPartyCookies policy to control this feature. Alternatively, if 3rd party cookies are blocked by default you can exempt specific sites by using the CookiesAllowedForUrls policy.
- Restricting the use of --load-extension
The--load-extension
command-line switch provides a very low bar for cookie theft malware to load malicious extensions without an installation prompt. Chrome will gradually phase out this switch to reduce this attack vector for malware. Starting in Chrome 116, --load-extension
will be ignored for users that have enabled Enhanced Safe Browsing.
- Service Worker static routing API
Chrome 116 will release the Service Worker static routing API; it enables developers to optimize how Service Workers are loaded. Specifically, it allows developers to configure the routing, and allows them to offload simple things ServiceWorkers do. If the condition matches, the navigation happens without starting ServiceWorkers or executing JavaScript, which allows web pages to avoid performance penalties due to ServiceWorker interceptions.
- Enable access to WebUSB API from extension service workers
As early as Chrome 117, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Simplified sign-in and sync experience
Starting in Chrome 117, some users may experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome Sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome Sync that saves and accesses Chrome data in the Google Account can be turned off fully (via SyncDisabled) or partially (via SyncTypesListDisabled). Sign-in to Chrome can be required or disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Web MIDI permission prompt
Starting in Chrome 117, the Web MIDI API access will be gated behind a permissions prompt. Currently, the use of SysEx messages with the Web MIDI API requires explicit user permission. With the planned implementation, even access to the Web MIDI API without SysEx support will require user permission. Both permissions will be requested in a bundled permissions prompt.
Three new policies DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls will be available to allow administrators to pre-configure user access to the API.
- Removal of the RendererCodeIntegrityEnabled policy
As early as Chrome 117, the RendererCodeIntegrityEnabled policy will be removed. We recommend that you verify any potential incompatibilities with third party software by no longer applying the policy in advance of this release. You can report any issues you encounter by submitting a bug here.
- Chrome 117 will no longer support macOS 10.13 and macOS 10.14
Chrome 117 will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.13 or 10.14, Chrome continues to show an infobar that reminds users that Chrome 117 will no longer support macOS 10.13 and macOS 10.14.
- New Chrome Desktop refresh and Chrome menu in Chrome 117
With Google’s design platform moving to Google Material 3, we have an opportunity to modernize our desktop browser across OS’s, leveraging updated UI elements or styling, enhancing personalization through a new dynamic color system, and improving accessibility. The first wave of UI updates will roll out in Chrome 117.
The three dot Chrome menu will also be refreshed, providing a foundation to scale desktop Chrome UI, communications, and personalization. The menu will be updated in phases starting in Chrome 117 with the Desktop Refresh.
- Update for lock icon
We plan to replace the lock icon with a variant of the tune icon, which is commonly used to indicate controls and settings. Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome. Our research has also shown that many users never understood that clicking the lock icon showed important information and controls. We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.
The new icon is scheduled to launch in Chrome 117 as part of a general design refresh for desktop platforms. Chrome will continue to alert users when their connection is not secure. You can see the new tune icon now in Chrome Canary if you enable Chrome Refresh 2023 at chrome://flags#chrome-refresh-2023, but keep in mind this flag enables work that is still actively in-progress and under development, and does not represent a final product.
On iOS, the lock icon is not tappable, so we will be removing the icon.
You can read more in this blog post.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability has been available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
- Removal ForceMajorVersionToMinorPositionInUserAgent policy
Chrome 118 plans to remove the ForceMajorVersionToMinorPositionInUserAgent policy. This policy was introduced in Chrome 99 to control whether the User-Agent string major version would be frozen at 99, in case of User-Agent string parsing bugs when the version changed to 100. Fortunately, we did not need to deploy this feature and only encountered a few minor 3-digit version parsing issues that have all since been fixed. Given that, we intend to remove this policy.
If you have any feedback about this policy removal, or are aware of intranet breakage that depends on the policy, please comment on this bug.
- Chrome 119 to phase out support for Web SQL
Starting in Chrome 119, to improve user data security, Chrome will remove support for Web SQL. The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. As of today, Chrome is the only major browser with support for Web SQL. The W3C encouraged those needing web databases to adopt Indexed Database or SQLite WASM.
The timeline for the deprecation will be:
- Chrome 115 - Add deprecation message
- Chrome 118 - 123 - Deprecation trial
- Chrome 119 - Ship removal
More details about the deprecation and removal can be found on the Chromestatus page.
An enterprise policy WebSQLAccess is available until Chrome 123 to enable Web SQL to be available.
- Removal LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies (possibly on specific domains) to legacy behavior. LegacySameSiteCookieBehaviorEnabledForDomainList policy will be removed in Chrome 121.
- Intent to deprecate: Mutation Events
Synchronous Mutation Events, including `DOMSubtreeModified
`, `DOMNodeInserted
`, `DOMNodeRemoved
`, `DOMNodeRemovedFromDocument
`, `DOMNodeInsertedIntoDocument
`, and `DOMCharacterDataModified
`, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer. Mutation Events will stop functioning in Chrome 127, around July 30, 2024.
Upcoming ChromeOS changes
- Removal of permissive Chrome Apps webview behaviors
As early as Chrome 116, Chrome Apps webview usage have the following restrictions:- SSL errors within webview show an error page that does not provide the user the option to unsafely proceed.
- The use of the webview NewWindow event to attach to a webview element in another App window causes the window reference returned by the window.open call in the originating webview to be invalidated.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed will be available to give enterprises time to address possible breakage related to these changes. To test whether this change is the cause of any breakage, without needing to set the enterprise policy, the previous behavior from Chrome 112 and earlier can also be restored by navigating tochrome://flags
and disablingchrome://flags/#enable-webview-tag-mparch-behavior.
This change was originally scheduled for Chrome 113, but was postponed.
- ChromeOS battery state sounds
As early as Chrome 117, we will add audible sounds to indicate battery status. Users will be able to turn on and off these sounds and Admins will be able to control them through policies.
When the device is not plugged in, you will hear warning sounds if:
- Battery level goes down to 15 minutes of charge time left, and another one when there is 5 minutes left.
When the device is plugged in, you will hear an information beep when:
- Battery level - 0-15% (low)
- Battery level - 16-79% (med)
- Battery level -80-100% (high)
In the case where the device is connected to a low power charger, you’ll hear warnings when the battery goes down to 10%, then again at 5%.
Chrome 114
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Chrome Root Store updates | ✓ | ||
Support for Private State Tokens | ✓ | ||
Inactive Tabs in Chrome app on iPhone and iPad | ✓ | ||
Lock profile cookie files on disk | ✓ | ||
Rebranding and updates to Google Password Manager | ✓ | ||
Improved Check passwords on iOS | |||
Saving and retrieving notes in Password Manager now easier | ✓ | ||
Password manager policy disables password import | ✓ | ||
Updates to Bookmarks on Desktop | ✓ | ||
Unpacking nested archives for download protection | ✓ | ||
Separate storage of settings synced to account | ✓ | ||
Side Panel API | ✓ | ||
Pick up where you left off on Android | ✓ | ||
Chrome Enterprise profiles signout | ✓ | ||
Update chip on desktop | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ | |
Mandatory extensions for Incognito navigation | ✓ | ||
Audio controls visibility | ✓ | ||
ChromeVox earcons | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Chrome Browser Cloud Management (CBCM) subscription | ✓ | ||
New policies in Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
HTTP requests upgraded to HTTPS in Chrome 115 | ✓ | ||
Chrome policy: disable extensions unpublished from Chrome Web Store (CWS) | ✓ | ||
Skip unload events | ✓ | ||
master_preferences->initial_preferences migration | ✓ | ||
Release cycle changes | ✓ | ||
Bookmarks and Reading List improvements on iOS | ✓ | ||
Update for Secure DNS / Cox ISP users | ✓ | ||
Reading mode | ✓ | ||
Anti-phishing telemetry expansion | ✓ | ||
Deprecating the use of SHA1 in server signatures in TLS | ✓ | ||
Policy Sync dependency handling | ✓ | ||
Web MIDI permission prompt | ✓ | ||
X25519Kyber768 key encapsulation for TLS | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Restricting the use of --load-extension | ✓ | ||
Enable access to WebUSB API from extension service workers in Chrome 116 | ✓ | ||
Removal of the RendererCodeIntegrityEnabled policy | ✓ | ||
Chrome 117 will no longer support macOS 10.13 and macOS 10.14 | ✓ | ✓ | |
New Chrome Desktop refresh and Chrome menu in Chrome 117 | ✓ | ||
Update for lock icon | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | |
Chrome 119 to phase out support for Web SQL | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
App Streaming on Chrome OS | ✓ | ||
Google Photos Shared Albums | ✓ | ||
Removal of permissive Chrome Apps webview behaviors | ✓ | ||
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
New Chrome Browser Cloud Management card | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Chrome Root Store updates
As early as Chrome 114, to improve user security and provide a consistent experience across different platforms, Chrome switches to its own default root store and built-in certificate verifier on:- Android
- Linux
- ChromeOS
The ChromeRootStoreEnabled policy allows selective disabling of the Chrome Root Store in favor of the platform root store. You can set this policy to Disabled to force the use of the platform root store, otherwise it is enabled by default. The policy will be made available on Android, Linux, and ChromeOS until Chrome 120.
The Chrome Root Store is already enabled by default on:- Windows
- MacOS
The ChromeRootStoreEnabled policy has been removed from Windows and Mac in Chrome 113. Support for trusted leaf certificates and the Windows Trusted People store was added for Chrome 111. Support for name constraints on local trust anchors was added back in Chrome 112.
Chrome continues to use custom local roots installed to the operating system’s trust store. See our article about the Chrome Root Program for more information. We do not anticipate any changes to how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
- Support for Private State Tokens
Chrome 114 makes the Private State Tokens API available for use by websites. Private State Tokens enable trust in a user's authenticity to be conveyed from one context to another, to help sites combat fraud and distinguish bots from real humans—without the exchange of user identifying information. Availability of Private State Tokens is controlled using a new setting in Chrome settings called Auto-verify. Read more in this developer blog post.
- Inactive Tabs in Chrome app on iPhone and iPad
In Chrome 114, old tabs are now grouped under a new Inactive Tabs section in the Tab grid view. Chrome users can access the inactive tabs section to view all old tabs or close them using the new bulk tab functionality. Alternatively, users can simply click to bring back an inactive tab.
- Lock profile cookie files on disk
To help protect Chrome users against malware attempting to steal cookie information, Chrome 114 on Windows holds an exclusive lock on the profile cookie files on disk. To ensure this behavior does not interfere with any sanctioned software on your system, you can run Chrome with the-enable-features=LockProfileCookieDatabase
command-line flag on the Dev or Beta channel of Chrome 114.
- Rebranding and updates in Google Password Manager
In Chrome 114, the password manager is rebranded as Google Password Manager.
Google Password Manager offers more functionality and is easier to access using the three dot menu. The upgraded Google Password Manager:- groups similar passwords together
- has an improved checkup flow
- and you can add the password manager shortcut to your desktop.
- Saving and retrieving notes in Password Manager now easier
Chrome 114 revamps the password management user journey, triggered from the key icon in the omnibox. It replaces the current list of passwords with a new list that allows navigating to the password details view. In the password details view, users can copy the username or password, unmask the password and edit the stored note.
- Password manager policy disables password import
We recently fixed an issue that previously allowed users to import passwords even though the Password Manager was disabled by Enterprise policy. Users can no longer import passwords when the PasswordManagerEnabled policy is set to false.
- Unpacking nested archives for download protection
Starting in Chrome 114, users with Safe Browsing set to Standard or Enhanced protection now begin recursively unpacking downloads of nested archives. This extends the long-standing protections Chrome offers against malware and unwanted software, and specifically combats techniques abused by distributors of cookie theft malware. The SafeBrowsingProtectionLevel policy allows you to enable or disable Safe Browsing, including this feature.
- Separate storage of settings synced to account
For Chrome users on iOS and Android who have Sync enabled, settings synced to their Google account are now kept separate from the local Chrome settings, which were set when Sync was off. This allows for strictly less data sharing than previously: local settings don’t get automatically uploaded when turning on Sync, and no settings from the account are left behind on the device when Sync is turned off. This feature is still disabled by default and you can enable it using the flagchrome://flags#enable-preferences-account-storage
.
As an admin, you can control who can save and sync data related to managed Google accounts.There are two existing policies to disable Sync functionality, which continue to apply:
- SyncDisabled: Disables the entire Chrome Sync infrastructure, including settings.
- SyncTypesListDisabled: Disables specified individual Sync data types. The existing value preferences covers settings.
- Side Panel API
Manifest V3 extensions can now add their own side panel to Chrome’s built-in side panel UI. See the SidePanel API Chrome developers article for usage and examples.
- New and updated policies in Chrome browser
Policy Description ChromeRootStoreEnabled Determines whether the Chrome Root Store and built-in certificate verifier will be used to verify server certificates.
Now available on Mac, Linux and ChromeOS.
InsecureHashesInTLSHandshakesEnabled Insecure Hashes in TLS Handshakes Enabled
ChromeOS updates
- Cursive pre-installed for Enterprise and Education accounts
Cursive, a stylus-first notes app, is now available for Chromebook. It will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks. If you want to block access to the app, you can prevent Chromebooks in your enterprise from accessing cursive.apps.chrome.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 114, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
- Mandatory extensions for Incognito navigation
In Chrome OS 114, Extensions allow admins to enforce security features and customizations in their OU but they cannot be enforced in Incognito mode without user consent. This can be a problem as users can bypass extension-set features, for example, proxies by using Incognito mode for navigation.
The MandatoryExtensionsForIncognitoNavigation policy allows you to configure a list of extensions that users need to explicitly allow to run in Incognito, to use Incognito mode for navigation.
- ChromeVox earcons
ChromeVox is the built-in screen reader on Chromebooks. In ChromeOS 114, an audio indicator (an earcon) now plays when a user with ChromeVox enabled uses the ChromeVox keyboard shortcut to toggle selection on or off.
Admin console updates
- Chrome Browser Cloud Management (CBCM) subscription
In Chrome 114, the Chrome Browser Cloud Management subscription is automatically added to all organizations previously using CBCM without the subscription. This change does not add any new cost to your existing account and you don’t need to do anything. There is no action required on your end (learn more).
- New policies in the Admin console
Policy Name Pages Supported on Category/Field WebRtcTextLogCollectionAllowed User Chrome (Linux, Mac, Windows)
ChromeOSUser experience InsecureHashesInTLSHandshakesEnabled User, Managed Guest Session Chrome (Android)
Chrome (Linux, Mac, Windows)
ChromeOSSecurity CalendarIntegrationEnabled User ChromeOS Content ChromeAppsWebViewPermissiveBehaviorAllowed User Chrome (Linux, Mac, Windows) ChromeOS Legacy Site Compatibility WallpaperGooglePhotosIntegrationEnabled User ChromeOS Sign-in settings
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- HTTP requests upgraded to HTTPS in Chrome 115
As early as Chrome 115, some users may see HTTP requests automatically upgraded to HTTPs. Any page that can't load via HTTPS is automatically reverted back to HTTP. For standard server configurations, this shouldn't have any visible effect, but improves your users' security.
Some server configurations may cause issues, for example if different content is served via HTTP and HTTPS. Users can disable automatic upgrading for a specific site by changing the Insecure Content site setting to enabled, accessible via Page Info orchrome://settings/content
. You can control this behavior with the HttpsUpgradesEnabled policy, and allowlist specific sites with the HttpAllowlist policy.
In the long term, you should ensure that your organization's servers support HTTPS and serve the same content on both HTTP and HTTPS. If you don't intend to support HTTPS (e.g. on an internal intranet behind a firewall), servers shouldn't respond to port 443, and firewalls should close the connection rather than leave it hanging. You can test HTTPS upgrading in your environment by enablingchrome://flags#https-upgrades
. Please report any issues you encounter.
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events, as early as Chrome 115. In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of an API and a group policy which will allow you to selectively keep the behavior unchanged.
- master_preferences to initial_preferences migration
As part of Chrome's ongoing transition to use more inclusive naming, the example in the Enterprise bundle has been renamed frommaster_preferences
toinitial_prefereces
. While there are no changes in Chrome's interpretation of the file, the following fields are no longer present in theinitial_preferences
example file:
- Removed from example because they're no longer valid:
sync_promo.show_on_first_run_allowed
suppress_first_run_bubble
suppress_first_run_Default_browser_prompt
- Removed from example because they can be controlled by a recommended policy:
homepage
homepage_is_newtabpage
show_home_button
session
bookmark_bar
import_* except for import_bookmarks_from_file
make_chrome_default_*
- Removed from example because they're not applicable to enterprise usage, or only applicable to for user-level install:
ping_delay
do_not_launch_chrome
do_no_register_for_update_launch
- Removed from example because they're no longer valid:
- Release cycle changes
Chrome 115 stable release will be moved from June 27 to July 18. All dates after this have been adjusted to account for this delay. Please see the Chromium Dash Schedule for updated dates.
- Bookmarks and Reading List improvements on iOS
On Chrome 115 on iOS, some users who sign in to Chrome from bookmark manager or reading list surfaces will be able to use and save bookmarks and reading list items in their Google Account. Relevant enterprise policies such as BrowserSignin, SyncDisabled, SyncTypesListDisabled, EditBookmarksEnabled and ManagedBookmarks will continue to work as before and can be used to configure whether users use and save items in their Google Account.
- Update for Secure DNS / Cox ISP users
For clients running on systems that use the Cox ISP DNS servers, if the DnsOverHttpsMode policy is set to Automatic, then secure DNS queries will be used by Chrome instead of insecure DNS queries starting in Chrome 115 (and in earlier versions, starting on May 16, 2023, if the ChromeVariations policy is set to enable all variations).
- Reading mode
As more content is read online, we’re adding a new feature to help improve the online reading experience. Introducing reading mode, a new feature on Chrome browser, enhances the reading experience on the web for everyone. Reading mode reduces distracting elements through a resizable and customizable reader view in the Chrome browser side panel, enabling readers to focus on the primary content. Users can also customize the font, text size, spacing, theme/background color, and more, making for a more cohesive, intuitive, and comfortable reading experience.
- Anti-phishing telemetry expansion
In this feature, we log user-interaction data to Chrome servers and to Safe Browsing servers that will fill knowledge gaps about how users interact with Safe Browsing phishing warnings and phishy pages. This additional telemetry will help inform where we should concentrate our efforts to improve phishing protection because it will allow us to understand the user better. Admins can opt out by using the Enterprise policies MetricsReportingEnabled and SafeBrowsingProtectionLevel.
- Deprecating the use of SHA1 in server signatures in TLS
Chrome 115 is removing support for signature algorithms using SHA-1 for server signatures during the TLS handshake. This does not affect SHA-1 support in server certificates, which was already removed, or in client certificates, which continues to be supported. SHA1 has known collisions, has been deprecated by the IETF, and should be avoided.
Enterprises that rely on SHA1 signature schemes in TLS can use the InsecureHashesInTLSHandshakesEnabled policy to continue to accept SHA1 in server signatures.
- Policy Sync dependency handling
Currently, we require admins to set SyncDisabled for any data-deletion policy (BrowsingDataLifetime, ClearBrowsingDataOnExitList). Starting in Chrome 115, we will automatically disable sync for the respective data types and will no longer require admins to set the dependent policy.
- Web MIDI permission prompt
Starting in Chrome 116, the Web MIDI API access will be gated behind a permissions prompt. Currently, the use of SysEx messages with the Web MIDI API requires an explicit user permission. With the planned implementation, even access to the Web MIDI API without SysEx support will require user permission. Both permissions will be requested in a bundled permissions prompt.
Three new policies DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls will be available to allow administrators to pre-configure users’ access to the API.
- X25519Kyber768 key encapsulation for TLS
As early as Chrome 116, Chrome is introducing a post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. However, some TLS middleboxes may be unprepared for the size of a Kyber key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via enterprise policy. However, long term, post-quantum secure ciphers will be required in TLS.
- Network Service on Windows will be sandboxed
As early as Chrome 116, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Restricting the use of --load-extension
The--load-extension
command-line switch provides a very low bar for cookie theft malware to load malicious extensions without an installation prompt. Chrome will gradually phase out this switch to reduce this attack vector for malware. Starting in Chrome 116,--load-extension
will be ignored for users that have enabled Enhanced Safe Browsing.
- Enable access to WebUSB API from extension service workers in Chrome 116
As early as Chrome 116, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Removal of the RendererCodeIntegrityEnabled policy
As early as Chrome 117, the RendererCodeIntegrityEnabled policy will be removed. You can verify whether your third party software works by no longer applying the policy. You can report any issues you encounter by submitting a bug here.
- Chrome 117 will no longer support macOS 10.13 and macOS 10.14
Chrome 117 will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. Starting in Chrome 114, you'll see an infobar that reminds users that Chrome 117 will no longer support macOS 10.13 and macOS 10.14.
- New Chrome Desktop refresh and Chrome menu in Chrome 117
With Google’s design platform moving to Google Material 3, we have an opportunity to modernize our desktop browser across OS’s, leveraging updated UI elements or styling, enhancing personalization through a new dynamic color system, and improving accessibility. The first wave of UI updates will roll out in Chrome 117.
The three dot Chrome menu will also be refreshed, providing a foundation to scale desktop Chrome UI, communications, and personalization. The menu will be updated in phases starting in Chrome 117 with the Desktop Refresh.
- Update for lock icon
We plan to replace the lock icon with a variant of the tune icon, which is commonly used to indicate controls and settings. Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome. Our research has also shown that many users never understood that clicking the lock icon showed important information and controls. We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.
The new icon is scheduled to launch in Chrome 117, which releases in early September 2023, as part of a general design refresh for desktop platforms. Chrome will continue to alert users when their connection is not secure. You can see the new tune icon now in Chrome Canary if you enable Chrome Refresh 2023 atchrome://flags#chrome-refresh-2023
, but keep in mind this flag enables work that is still actively in-progress and under development, and does not represent a final product.
You can read more in this blog post.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability has been available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
- Chrome 119 to phase out support for Web SQL
Starting in Chrome 119, to improve user data security, Chrome will remove support for Web SQL. The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. As of today, Chrome is the only major browser with support for Web SQL. The W3C encouraged those needing web databases to adopt Indexed Database or SQLite WASM.
The timeline for the deprecation will be:- Chrome 115 - Add deprecation message
- Chrome 118 - 123 - Deprecation trial
- Chrome 119 - Ship removal
More details about the deprecation and removal can be found on the Chromestatus page.
An enterprise policy WebSQLAccess is available until Chrome 123 to enable Web SQL to be available.
Upcoming ChromeOS changes
- App Streaming on ChromeOS
As early as ChromeOS 115, App Streaming will enhance the Phone Hub experience, by allowing users to see and interact with streamed apps running on their Pixel phone. When a user receives a mirrored conversation notification from their Pixel phone, a simple tap on that notification will kick off an app stream directly to the user's ChromeOS desktop. This is part of a Google-wide ambient computing effort.
- Google Photos Shared Albums
In ChromeOS 104, we let users use Google Photos for Wallpapers and Screensavers, but we restricted access to Shared Albums due to privacy concerns. In Chrome 115, we will address these privacy concerns to allow users to select photos from Shared Albums.
- Removal of permissive Chrome Apps webview behaviors
As early as Chrome 116, Chrome Apps webview usage have the following restrictions:- SSL errors within webview show an error page that does not provide the user the option to unsafely proceed.
- The use of the webview NewWindow event to attach to a webview element in another App window causes the window reference returned by the
window.open
call in the originating webview to be invalidated.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed will be available to give enterprises time to address possible breakage related to these changes. To test whether this change is the cause of any breakage, without needing to set the enterprise policy, the previous behavior from Chrome 112 and earlier can also be restored by navigating to chrome://flags and disablingchrome://flags/#enable-webview-tag-mparch-behavior
.
This change was originally scheduled for Chrome 113, but was postponed.
Upcoming Admin console changes
Chrome 113
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
First-Party Sets user controls | ✓ | ||
Collect additional data for off-store extensions in telemetry reports | ✓ | ||
Launching FastCheckout for Checkout experiences | ✓ | ||
Updated Password Management Experience on iOS in Chrome 113 | ✓ | ||
Image-set css changes | ✓ | ||
Restructure of the three-dot menu in Desktop | ✓ | ||
Policy troubleshooting page available on Android | ✓ | ||
Chrome Desktop New tab page: Journeys card | ✓ | ||
Discover Feed on iOS and Android | ✓ | ||
Adopt Android media picker | ✓ | ||
Partial translate | ✓ | ||
Android traces on the beta channel | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Screensaver preview | ✓ | ||
Report USB firmware version | ✓ | ||
Allow policy-provided custom trust anchors at the lock screen | ✓ | ||
Files app inline sync status | ✓ | ||
ChromeOS administrator instant reboot | ✓ | ✓ | |
Removal of permissive Chrome Apps webview behaviors | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Risk Assessment card | ✓ | ✓ | |
New policies in Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Chrome Root Store updates and removal of the ChromeRootStoreEnabled policy | ✓ | ||
Support for Private State Tokens | ✓ | ||
New inactive tabs section in the Chrome app on iPhone and iPad | ✓ | ||
Lock profile cookie files on disk | ✓ | ||
Changes to Google Password Manager in Chrome 114 | ✓ | ||
Updates to Bookmarks on Desktop | ✓ | ||
Password management: save and retrieve notes | ✓ | ||
Unpacking Nested Archives in Download Protection | ✓ | ||
Separate storage of settings synced to account in Chrome 114 | ✓ | ||
Chrome policy: disable extensions unpublished from Chrome Web Store (CWS) | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Enable access to WebUSB API from extension service workers in Chrome 115 | ✓ | ||
Skip unload events | ✓ | ||
Release cycle changes | ✓ | ||
Read mode | ✓ | ||
HTTP requests upgraded to HTTPS in Chrome 115 | ✓ | ||
Deprecation Trial for unpartitioned third-party Storage, Service Workers, and Communication APIs | ✓ | ||
Changes to phishing protection on Android as early as Chrome 115 | ✓ | ✓ | |
Chrome 117 will no longer support macOS 10.13 and macOS 10.14 | ✓ | ✓ | |
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | |
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ | |
Mandatory extensions for Incognito navigation | ✓ | ||
App Streaming on Chrome OS | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- First-Party Sets user controls
First-Party Sets is an upcoming framework for developers to declare relationships between domains, such that the browser can make decisions regarding access based on the third party’s relationship to the first party. A set may enjoy first party benefits, including continued access to their cookies when the top-level domain is in the same set.
First-Party Sets are part of Chrome's roadmap for a more privacy-focused web.
Chrome 113 introduces user controls for these First-Party Sets. Two enterprise policies are available to manage First-Party Sets: FirstPartySetsEnabled to enable or disable First-Party Sets, and FirstPartySetsOverrides to apply your own sets.
- Collect additional data for off-store extensions in telemetry reports
When Enhanced Safe Browsing is enabled, Chrome 113 starts collecting additional telemetry on off-store extensions, such as file hashes and themanifest.json
file. Google servers analyze the data collected to detect malicious off-store extensions (including self-hosted extensions) and improve protection for all Chrome extension users. This functionality along with the entire extension telemetry feature can be turned off by setting SafeBrowsingProtectionLevel to any value other than 2; this disables Enhanced Safe Browsing. Enterprise admins can use the SafeBrowsingProtectionLevel policy if they have any concerns about exposing this data.
- Launching FastCheckout for Checkout experiences
In Chrome 113, some users see updated Autofill options targeting checkout pages on some shopping websites. It can be disabled by either disabling policy AutofillAddressEnabled or AutofillCreditCardEnabled.
- Updated Password Management Experience on iOS in Chrome 113
On Chrome on iOS, some users who are signed-in to Chrome but don't have Chrome sync enabled can now use and save passwords in their Google Account. Relevant enterprise policies such as BrowserSignin, SyncDisabled, SyncTypesListDisabled and PasswordManagerEnabled continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.
- Image-set css changes
Chrome 113 implements standard syntax support for image-set and now treats the previously supported-webkit- vendor
prefix syntax as a parse time alias for the standard. This means that values set with the vendor prefix serialize as standard.
Example:
-webkit-image-set(url(example.png) 1x)
Serializes to:
image-set(url(""example.png"") 1x) for specified value (as returned via getPropertyValue() like: testDiv.style.getPropertyValue(""background-image"");)
and to
image-set(url(""example.png"") 1dppx) for computed value (as returned via getComputedStyle() like window.getComputedStyle(testDiv)[""background-image""]).
If needed, the new behavior can be turned off via theCSSImageSet
runtime flag. The rendering and image-selection behavior is the same for both the prefixed and standard syntax (Chrome Status).
- Chrome Desktop New tab page: Journeys card
Chrome assists with complex, multi-session task completion through Journeys resumption and next step suggestions on the New tab page. You can control the visibility of cards on the New tab page using the NTPCardsVisible policy.
- Discover Feed on iOS and Android
In Chrome 113, Chrome might prompt some users to see more personalized content in their Discover Feed.
The Discover Feed also allows non-signed-in users to control the types of content they see, using updated personalization options. For example, they may choose to hide content from a certain source.
When users who are not signed in want to make a change to their feed content, Chrome prompts them to sign in or sync. As an admin, you still control user sign-in and sync with the BrowserSignin, SyncDisabled, and SyncTypesListDisabled policies. So, if an enterprise policy prevents sign-in or sync, users see Not available on your device.
- New and updated policies in Chrome browser
Policy
Description
Allow WebRTC text logs collection from Google Services
Override First-Party Sets
Enable First-Party Sets.
Default third-party storage partitioning setting
Block third-party storage partitioning for these origins
Allow Google Lens camera assisted search (now available on iOS)
Allow screen capture without prior user gesture
Restore permissive Chrome Apps webview behavior
Allow file or directory picker APIs to be called without prior user gesture
- Removed policies in Chrome browser
Policy
Description
ChromeRootStoreEnabled
Determines whether the Chrome Root Store and built-in certificate verifier will be used to verify server certificates (removed on Windows and Mac)
WebSQLNonSecureContextEnabled
Force WebSQL in non-secure contexts to be enabled
PrefixedStorageInfoEnabled
Re-enable the deprecated window.webkitStorageInfo API
ChromeOS updates
- Report USB firmware version
Whenever a USB device is plugged or unplugged from a managed ChromeOS device, the USB firmware version is reported alongside existing USB events and telemetry. You can control this using the ReportDevicePeripherals policy, which controls reporting of existing USB events and telemetry.
- Allow policy-provided custom trust anchors at the lock screen
Enterprise and EDU deployments might have proxies that intercept, decrypt and inspect user traffic. This requires the client device to have a CA certificate configured to allow it to trust the proxy server certificate for all web hosts, which is usually issued on the fly. For ChromeOS, enterprise deployments configure such trusted CA certificates through enterprise policy.
These custom policy-provided CA certificates are currently only honored for user traffic and inside the user session, but not at the lock screen. This is an issue for customers who have to do re-authentication at the lock screen, which is enforced by policy, since the proxy set in the user session is enforced at the lock screen but the CA certificate is not accessible.
- Files app inline sync status
This feature moves the existing syncing notification and visual signal to a more granular inline sync status. The status appears adjacent to files in Google Drive that are actively syncing. The status also displays for folders within a hierarchy that have syncing descendants.
- ChromeOS administrator instant reboot
With ChromeOS 113, we give admins the option to trigger ChromeOS reboots via the Admin console to facilitate support flows and apply policies instantly when required. With this option, admins can now instantly apply settings across their fleet, or on a subset of devices. For example, in a cyber attack scenario, admins can now mitigate a current attack by limiting extension permissions and forcing an instant reboot to all affected devices.
A message displays to notify users of the reboot, so they can save any work or manage their time before the reboot occurs.
- Removal of permissive Chrome Apps webview behaviors
In Chrome 113, Chrome Apps webview usage have the following restrictions:
- SSL errors within webview show an error page that does not provide the user the option to unsafely proceed.
- The use of the webview NewWindow event to attach to a webview element in another App window causes the window reference returned by the
window.open
call in the originating webview to be invalidated.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed is available to give enterprises time to address possible breakage related to these changes. To test whether this change is the cause of any breakage, without needing to set the enterprise policy, the previous behavior from Chrome 112 and earlier can also be restored by navigating tochrome://flags
and disablingchrome://flags/#enable-webview-tag-mparch-behavior
.
Admin console updates
- Risk Assessment card
In the Extension details page, we have created a new Risk assessment card to show third-party risk scores for public extensions. Learn more.
- New policies in the Admin console
Policy Name
Pages
Supported on
Category/Field
User, Managed Guest Session
Chrome (Linux, Mac, Windows)
ChromeOS
Additional app settings
User, Managed Guest Session
Chrome (Android)
Chrome (Linux, Mac, Windows)
ChromeOS
Content
User, MManaged Guest Session
GS
Chrome (Android)
Chrome (Linux, Mac, Windows)
ChromeOS
Content
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Chrome Root Store updates and removal of the ChromeRootStoreEnabled policy
As early as Chrome 114, to improve user security and provide a consistent experience across different platforms, Chrome will switch to its own default root store and built-in certificate verifier on Android, Linux, and ChromeOS. Chrome continues to use custom local roots installed to the operating system’s trust store. See our article about the Chrome Root Program for more information. The Chrome Root Store is already default enabled on Windows and Mac.
We do not anticipate any changes to how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
The ChromeRootStoreEnabled policy allows selective disabling of the Chrome Root Store in favor of the platform root store. You can set this policy to Disabled to force the use of the platform root store, otherwise it is enabled by default. The policy will be made available on Android, Linux, and ChromeOS until Chrome 120.
The ChromeRootStoreEnabled policy has been removed from Windows and Mac in Chrome 113. Support for trusted leaf certificates and the Windows Trusted People store was added for Chrome 111. Support for name constraints on local trust anchors was added back in Chrome 112.
- Support for Private State Tokens
Starting in Chrome 113, the Private State Tokens API will be available for use by websites. Private State Tokens enable trust in a user's authenticity to be conveyed from one context to another, to help sites combat fraud and distinguish bots from real humans—without the exchange of user identifying information. Availability of Private State Tokens will be controlled using a new setting in Chrome settings called Auto-verify. For more information, see this developer blog post.
- New inactive tabs section in the Chrome app on iPhone and iPad
In Chrome 114, old tabs will be hidden under a new Inactive Tabs section in the Tab grid view. Chrome users will be able to access the inactive tabs section to view all old tabs or close them using the new bulk tab functionality. Alternatively, users can bring back an inactive tab by clicking on it.
- Lock profile cookie files on disk
To help protect Chrome users against malware attempting to steal cookie information, Chrome 114 on Windows holds an exclusive lock on the profile cookie files on disk. You can test this behavior to ensure this doesn't interfere with any sanctioned software on your systems by running Chrome with the-enable-features=LockProfileCookieDatabase
command line flag on Dev and Beta channel of Chrome 114.
- Changes to Google Password Manager in Chrome 114
In Chrome 114, the password manager will be rebranded as Google Password Manager.
Google Password Manager will offer more functionality and be easier to access. You will be able to access the new look password manager via the three dot menu (previously located in Settings>Autofill). The upgraded Google Password Manager groups similar passwords together, has an improved checkup flow and users will be able to add the password manager to their desktop, for easy access.
- Password management: save and retrieve notes
Chrome 114 will revamp the password management native bubble triggered from the key icon in the omnibox. It will replace the current list of passwords with a new list that allows navigating to the password details view. In the password details view, shown on the right below, users can copy the username or password, unmask the password, and edit the stored note.
- Unpacking Nested Archives in Download Protection
Starting in Chrome 114, users with Safe Browsing enabled will begin recursively unpacking downloads of archives. This extends the long-standing protections Chrome offers against malware and unwanted software to combat techniques being abused by distributors of cookie theft malware. The SafeBrowsingProtectionLevel policy can be used to enable or disable Safe Browsing, including this feature.
- Separate storage of settings synced to account in Chrome 114
For Chrome users on iOS and Android who have Sync enabled, settings synced to their Google account will be be kept separate from the local Chrome settings, which were set when Sync was turned-off. This will allow for strictly less data sharing than previously: local settings don’t get automatically uploaded when turning on Sync, and no settings from the account are left behind on the device when Sync is turned off. This feature is still disabled by default and can be enabled viachrome://flags#enable-preferences-account-storage
.
There are two existing policies to disable Sync functionality, which will continue to apply:- SyncDisabled: Disables the entire Chrome Sync infrastructure, including settings.
- SyncTypesListDisabled: Disables specified individual Sync data types. The existing value preferences covers settings.
- Network Service on Windows will be sandboxed
As early as Chrome 115, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Enable access to WebUSB API from extension service workers in Chrome 115
As early as Chrome 115, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events, as early as Chrome 115. In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of an API and a group policy which will allow you to selectively keep the behavior unchanged.
- Release cycle changes
Chrome 115 stable release will be moved from June 27 to July 18. All dates after this have been adjusted to account for this delay. Please see the Chromium Dash Schedule for updated dates.
- Read mode
As more content is read online, we’re adding a new feature to help boost the reading experience. Introducing reading mode, a new feature on Chrome browser, enhances the reading experience on the web for everyone. Reading mode reduces distracting elements through a resizable and customizable reader view in the Chrome browser side panel, enabling readers to focus on the primary content. Users can also customize the font, text size, spacing, theme/background color, and more, making for a more cohesive, intuitive, and comfortable reading experience.
- HTTP requests upgraded to HTTPS in Chrome 115
As early as Chrome 115, some users may see HTTP requests automatically upgraded to HTTPs. Any page that can't load via HTTPS is automatically reverted back to HTTP. For standard server configurations, this shouldn't have any visible effect, but improves your users' security.
Some server configurations may cause issues, for example if different content is served via HTTP and HTTPS. Users can disable automatic upgrading for a specific site by changing "Insecure Content" site setting to enabled, accessible via Page Info orchrome://settings/content
. You can control this behavior with the HttpsUpgradesEnabled policy, and allowlist specific sites with the HttpAllowlist policy.
In the long term, you should ensure that your organization's servers support HTTPS and serve the same content on both HTTP and HTTPS. If you don't intend to support HTTPS (e.g. on an internal intranet behind a firewall), servers shouldn't respond to port 443, and firewalls should close the connection rather than leave it hanging.
- Deprecation Trial for unpartitioned third-party Storage, Service Workers, and Communication APIs
Beginning gradually in Chrome 115, storage, service workers, and communication APIs will be partitioned in third-party contexts. In addition to being isolated by the same-origin policy, the affected APIs used in third-party contexts will also be separated by the site of the top-level context. Sites that haven’t had time to implement support for third-party storage partitioning can take part in a deprecation trial. During the trial, sites can temporarily unpartition (continue isolation by same-origin policy but remove isolation by top-level site) and restore prior behavior of storage, service workers, and communication APIs in content embedded on their site.
The following APIs remain unpartitioned in third-party contexts should you enroll the top-level site in the DisableThirdPartyStoragePartitioning deprecation trial: Storage APIs (such as localStorage, sessionStorage, IndexedDB, Quota, and so on), Communication APIs (such as BroadcastChannel, SharedWorkers, and WebLocks), and ServiceWorker API.
Chrome 113 also adds the DefaultThirdPartyStoragePartitioningSetting enterprise policy, which unpartitions APIs in all third-party contexts, as well as ThirdPartyStoragePartitioningBlockedForOrigins, which unpartitions APIs for third-party contexts when the first-party context’s origin matches the list. Both will be supported for at least 12 milestones. You can read more in this blog post.
- Changes to phishing protection on Android as early as Chrome 115
When a user authenticates to Android with their Google password, for example, during account setup, Chrome will be notified so the password can begin receiving phishing protection when surfing the Web with Chrome. In previous versions of Chrome on Android, users needed to explicitly provide their password within a Chrome tab, for example, sign in to Gmail, to receive phishing protection for their Google password.
You can disable warnings regarding password reuse by setting PasswordProtectionWarningTrigger to 0.
- Chrome 117 will no longer support macOS 10.13 and macOS 10.14
Chrome 117 will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security.
- Extensions must be updated to leverage Manifest V3
Chrome 112 enables access to the WebHID API from extension service workers, as a migration path for Manifest V2 extensions that currently access the API from a background page.Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability has been available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
Upcoming ChromeOS changes
- Cursive pre-installed for Enterprise and Education accounts
As early as ChromeOS 114, Cursive, a stylus-first notes app, will be available for Chromebook. It will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks. If you want to block access to the app, you can prevent Chromebooks in your enterprise from accessing cursive.apps.chrome.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 114, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
- Mandatory extensions for Incognito navigation
In Chrome OS 114, Extensions allow admins to enforce security features and customizations in their OU but they cannot be enforced in Incognito mode without user consent. This can be a problem as users can bypass extension-set features, for example, proxies by using Incognito mode for navigation.
The MandatoryExtensionsForIncognitoNavigation policy will allow administrators to configure a list of extensions, which users need to explicitly allow to run in Incognito, to use Incognito mode for navigation.
- App Streaming on Chrome OS
In Chrome OS 114, App Streaming will enhance the Phone Hub experience, by allowing users to see and interact with streamed apps running on their Pixel phone. When a user receives a mirrored conversation notification from their Pixel phone, a simple tap on that notification will kick off an app stream directly to the user's Chrome OS desktop. This is part of a Google-wide ambient computing effort.
Chrome 112
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Enable access to WebHID API from extension service workers | ✓ | ||
Unused site permissions module in safety check | ✓ | ||
Default to origin-keyed agent clustering | ✓ | ||
Chrome apps no longer supported on Windows, Mac, and Linux | ✓ | ||
Auto-upgrade mixed content to HTTPS | ✓ | ||
Chrome Root Store updates and removal of the ChromeRootStoreEnabled policy | ✓ | ✓ | |
Updated onboarding experience | ✓ | ||
Policy troubleshooting page available on Android | ✓ | ||
Changes to HTTPS policies | ✓ | ||
Add websites and PWAs to the home screen on iOS | ✓ | ||
New Chrome Sync data types available in Takeout | ✓ | ||
Autofill on iOS | ✓ | ||
Android WebView phases out X-Requested-Header starting from version 112 | ✓ | ||
Web auth flow to use browser tab instead of App window | ✓ | ||
Chrome for Testing | ✓ | ||
Price tracking on iOS | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Screencast supports multi-language transcription in recordings | ✓ | ||
Fast Pair saved devices | ✓ | ||
Introducing the Rupee symbol on US-English keyboards in India | ✓ | ||
Screen Capture shows clicks and keyboard shortcuts | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
New Chrome browser insights | ✓ | ||
Device Token Management policy for device token deletion | ✓ | ||
New policies in Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Changes to phishing protection on Android as early as Chrome 113 | ✓ | ||
Deprecation trial for unpartitioned 3rd party Storage, Service Workers, and Communication APIs | ✓ | ||
First-Party Sets user controls | ✓ | ||
Removal of permissive Chrome Apps webview behaviors | ✓ | ||
Collect additional data for off-store extensions in telemetry reports | ✓ | ||
Launching FastCheckout for Checkout experiences | ✓ | ||
Updated Password Management Experience on iOS in Chrome 113 | ✓ | ||
New inactive tabs section in the Chrome app on iPhone and iPad | ✓ | ||
Image-set css changes | ✓ | ||
Support for Private State Tokens | ✓ | ||
Enable access to WebUSB API from extension service workers in Chrome 113 | ✓ | ||
Changes to Google Password Manager in Chrome 114 | ✓ | ||
Updates to Bookmarks on Desktop | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Chrome 117 will no longer support macOS 10.13 and macOS 10.14 | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | |
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Screensaver preview | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ | |
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
Risk Assessment card | ✓ | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Unused site permissions module in safety check
Chrome’s safety check can confirm the overall security and privacy of the browsing experience. It tells you if any passwords saved in Chrome have been compromised, flags dangerous extensions, and helps you ensure that your security protections are up to date.
Starting with Chrome 112, safety check includes auto-revocation of unused site permissions on Chrome. Chrome resets permissions from sites that users have not visited for a while. Chrome revokes permissions automatically and offers options to opt out or re-grant. Permissions granted by enterprise policies are not affected.
- Default to origin-keyed agent clustering
Starting in Chrome 112, websites can no longer setdocument.domain
. Websites now need to use alternative approaches such aspostMessage()
or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation viadocument.domain
to function correctly, it now needs to send anOrigin-Agent-Cluster: ?0
header along with all documents that require that behavior. You can read more in this blog post.
Note:
The OriginAgentClusterDefaultEnabled enterprise policy allows you to extend the current behavior.document.domain
has no effect if only one document sets it.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, we are phasing out support for Chrome apps in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 112 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome apps are still launchable.
Starting with Chrome 112, Chrome apps on Windows, Mac and Linux no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property Extension ID (Chrome app) install_url (PWA / Web app) Gmail pjkljhegncpnkpknbcohdijeoejaedia https://mail.google.com/mail/
installwebapp?usp=adminDocs aohghmighlieiainnegkcijnfilokake https://docs.google.com/document/
installwebapp?usp=adminDrive apdfllckaahabafndbhieahigkjlhalf https://drive.google.com/drive/
installwebapp?usp=adminSheets felcaaldnbdncclmgdcncolpebgiejap https://docs.google.com/spreadsheets/
installwebapp?usp=adminSlides aapocclcgogkmnckokdopfmhonfmgoek https://docs.google.com/presentation/
installwebapp?usp=adminYoutube blpcfgokakmgnkcojhhkbfbldkacnbeo https://youtube.com/s/
notifications/manifest/cr_install.html
- Auto-upgrade mixed content to HTTPS on iOS
Chrome 112 on iOS starts automatically upgrading passive mixed content (HTTP image, audio and video on HTTPS pages) to HTTPS, when possible. Previously, Chrome on iOS blocked passive mixed content. All other Chrome platforms auto-upgrade passive mixed content, when possible. An enterprise policy, MixedContentAutoupgradeEnabled, is available to disable mixed content auto-upgrading on HTTPS sites on iOS. The policy will be removed in Chrome 116.
- Chrome Root Store updates and removal of the ChromeRootStoreEnabled policy
Chrome 112 now enforces name constraints on root certificates. This matches the behavior prior to the launch of the Chrome Root Store in Chrome 106. If you previously disabled the Chrome Root Store to work around this issue, you can test again with Chrome 112. If you relied on Chrome not enforcing name constraints, we have provided a temporary EnforceLocalAnchorConstraintsEnabled policy to disable this behavior. This policy will be removed in the future.
As early as Chrome 113, to improve user security and provide a consistent experience across different platforms, Chrome will switch to its own default root store and built-in certificate verifier on Android, Linux, and ChromeOS. Chrome continues to use custom local roots installed to the operating system’s trust store. The Chrome Root Store is already default enabled on Windows and Mac.
We do not anticipate any changes to how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
The ChromeRootStoreEnabled policy allows selective disabling of the Chrome Root Store in favor of the platform root store. You can set this policy to Disabled to force the use of the platform root store, otherwise it is enabled by default. The policy will be made available on Android, Linux, and ChromeOS until Chrome 120.
The ChromeRootStoreEnabled policy will be removed from Windows and Mac on Chrome 113. Support for trusted leaf certificates and the Windows Trusted People store was added for Chrome 111. If you previously disabled the Chrome Root Store to work around either of these issues, you can test again with Chrome 112.
- Updated onboarding experience
In Chrome 112, some users see a simplified onboarding experience with a more intuitive way to sign into Chrome. Enterprise policies like BrowserSignin, SyncDisabled, RestrictSigninToPattern and SyncTypesListDisabled continue to be available as before to control whether the user can sign into Chrome and turn on sync. You can use the PromotionalTabsEnabled policy to skip onboarding altogether.
- Changes to HTTPS policies
The HttpsOnlyMode policy now supports force_enabled. This enables the Always use secure connections setting onchrome://settings/security
and prevents the user from disabling it. The setting causes a bypassable error interstitial to be displayed before any navigation to a non-HTTPS site. Users can always bypass the error interstitial, and the decision to bypass is remembered for one week. We’ve also added the HttpAllowlist policy, which you can use to define a list of hosts or hostname patterns that are allowed to be non-HTTPS without an error interstitial. For example, you can use the HttpAllowlist policy to allowlist internal sites that might be HTTP-only.
- Add websites and PWAs to the home screen on iOS
Starting in Chrome 112, you can bookmark a website on the iOS device's home screen. If the website offers a Progressive Web Apps (PWAs), then this action adds the app to the home screen. Otherwise, the bookmark opens in the default browser when you tap it. This feature is available to iOS16.4 and above.
- New Chrome Sync data types available in Takeout
In Chrome 112, additional Chrome data is available to export in Takeout and Domain Wide Takeout (DWT). The following data types are available: AUTOFILL, PRIORITY_PREFERENCE, WEB_APP, DEVICE_INFO, TYPED_URL, ARC_PACKAGE, OS_PREFERENCE, OS_PRIORITY_PREFERENCE, PRINTER.
You can control which data types are synced to Chrome Sync using the SyncTypesListDisabled enterprise policy. Instructions on allowing or blocking Takeout can be found in this help center article.
- Autofill on iOS
In Chrome 112, some iOS users see a prompt to choose Chrome for Autofill in their iOS settings. The user can choose to learn more, dismiss the prompt forever, or be reminded again later. The prompt can appear after the user has copied a password from the Chrome password manager, saved a password, or logged into a website using an existing saved password. An enterprise policy, CredentialProviderPromoEnabled, is available to disable any appearance of the prompt.
- Android WebView phases out the X-Requested-Header starting from version 112
To improve privacy, Android WebView begins phasing out the X-Requested-With HTTP request header. Sites that currently rely on this header can sign up for the Deprecation Origin Trial, which will allow them to continue to receive the header. The deprecation trial is planned to run for at least one year, but will continue until replacement APIs have been launched to address the current use cases for the header. Apps can also enable the header for individual destination origins by using a newly introduced AndroidX API. Using this API will continue to provide the header to sites past the end of the deprecation trial.
- Web auth flow to use browser tab instead of App window
In Chrome 112, the authorization page for web auth flow in Chrome extensions now displays either in a new tab or a popup window. This change concerns two API methods: launchWebAuthFlow and getAuthToken. It resolves several existing UX problems:
- the authorization page now displays a URL which protects against phishing attacks.
- sign-in state is now shared with all browser tabs; no need to sign-in into extension separately.
- sign-in state is persisted on Chrome restart.
- fixed accessibility issues of App window.
- Chrome for Testing
In Chrome 112, Puppeteer, Chrome's browser automation library, uses the Chrome for Testing binary instead of a Chromium binary. In case you have the Chromium binary allowlisted, you can allowlist the Chrome for Testing binary too.
Chrome for Testing is a dedicated Chrome flavor for the automated testing use case. It’s not an end-user facing product, but rather a tool to be used by automation engineers through other projects such as Puppeteer. Chrome for Testing is a completely separate binary from regular Chrome.
- Price tracking on iOS
Chrome 112 on iOS enables users to track the prices of products across the web, and receive notifications when the price drops. An enterprise policy, ShoppingListEnabled, is available to control this shopping feature.
- New and updated policies in Chrome browser
Policy
Description
Determine the availability of variations (now available on Android).
Disable HTTPS upgrades for some hostnames, potentially decreasing user security.
Enable automatic HTTPS upgrades.
Determines whether the built-in certificate verifier will enforce constraints encoded into trust anchors loaded from the platform trust store.
ExtensionExtendedBackgroundLifetime
ForPortConnectionsToUrlsConfigure a list of origins that grant extended background lifetime to the connecting extensions.
Allow the shopping list feature to be enabled (now available on iOS).
Allows users to be shown the Credential Provider Extension promo.
ChromeOS updates
- Screencast supports multi-language transcription in recordings
ChromeOS 112 dramatically expands Screencast recording capabilities by including a wide range of languages by integrating with Google's S3 transcription API.
The Screencast app for ChromeOS lets users record transcribed screencasts on their Chromebook. In previous versions, this feature was available in EN-US only, which meant that only English speaking users in the US could record screencasts. Soon, it will be possible to record and transcribe screencasts in a wide range of languages including Spanish, Japanese, French, Italian, and German.
- Fast Pair saved devices
ChromeOS 112 adds a subpage to Fast Pair settings for saved devices, where users can view their device associations, remove any that may be unwanted, and configure whether they want Fast Pair-paired devices to automatically save to their account. This experience mirrors the management capabilities already available for Fast Pair on Android today, and was explicitly requested as a fast-follow improvement by the ChromeOS Privacy team.
- Introducing the Rupee symbol on US-English keyboards in India
ChromeOS 112 adds the Rupee symbol ₹ to both the virtual keyboard and the physical keyboard, where AltGr+4 is the rupee symbol (hold right-alt + 4).
The compact virtual keyboard just moves some currency keys around so that you can access the Rupee symbol in the more symbols menu. For accessibility, the virtual keyboard has the AltGr layer toggle available, which lets you type AltGr+4 and get the rupee symbol.
Admin console updates
- Device Token Management policy for device token deletion
A new policy allows Chrome Browser Cloud Management administrators to delete the device token on the end-point devices when deleting a browser from the managed browsers list in the Admin console.
When the new Delete token value is selected and a browser is deleted from the Managed browser list, the browser automatically re-enrolls in Chrome Browser Cloud Management the next time it is online, if the enrollment token was not deleted on the device and the enrollment token is still active. The default value remains to invalidate the device token.
- New policies in the Admin console
Policy Name Pages Supported on Category/Field PrivacySandboxSiteEnabledAdsEnabled User & Browser Settings Chrome (Linux, Mac, Windows)
ChromeOS, AndroidSecurity > Privacy Sandbox>Control whether privacy sandbox prompts. PrivacySandboxPromptEnabled User & Browser Settings Chrome (Linux, Mac, Windows)
ChromeOS, AndroidSecurity > Controls whether the Privacy Sandbox Site-suggested ads setting can be disabled for your users. PrivacySandboxAdTopicsEnabled User & Browser Settings Chrome (Linux, Mac, Windows)
ChromeOS, AndroidSecurity >Controls whether your users see the Privacy Sandbox prompt. PrivacySandboxAdMeasurementEnabled User & Browser Settings Chrome (Linux, Mac, Windows) ChromeOS, Android Security >Controls whether the Privacy Sandbox Ad measurement setting can be disabled for your users.
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Changes to phishing protection on Android as early as Chrome 113
When a user authenticates to Android with their Google password, for example, during account setup, Chrome will be notified so the password can begin receiving phishing protection when surfing the Web with Chrome. In previous versions of Chrome on Android, users needed to explicitly provide their password within a Chrome tab, for example, sign in to Gmail, to receive phishing protection for their Google password.
You can disable warnings regarding password reuse by setting PasswordProtectionWarningTrigger to 0.
- Deprecation Trial for Unpartitioned third-party Storage, Service Workers, and Communication APIs
Beginning gradually in Chrome 113, storage, service workers, and communication APIs will be partitioned in third-party contexts. In addition to being isolated by the same-origin policy, the affected APIs used in third-party contexts would also be separated by the site of the top-level context. Sites that haven’t had time to implement support for third-party storage partitioning can take part in a deprecation trial to temporarily unpartition (continue isolation by same-origin policy but remove isolation by top-level site) and restore prior behavior of storage, service workers, and communication APIs in content embedded on their site.
The following APIs will remain unpartitioned in third-party contexts should you enroll the top-level site in the DisableThirdPartyStoragePartitioning deprecation trial: Storage APIs (such as localStorage, sessionStorage, IndexedDB, Quota, and so on), Communication APIs (such as BroadcastChannel, SharedWorkers, and WebLocks), and ServiceWorker API.
Chrome 113 will also add the DefaultThirdPartyStoragePartitioningSetting enterprise policy, which will unpartition APIs in all third-party contexts, as well as ThirdPartyStoragePartitioningBlockedForOrigins, which will unpartition APIs for third-party contexts when the first-party context’s origin matches the list. Both will be supported for at least 12 milestones. You can read more in the blog post.
- First-Party Sets user controls
First-Party Sets is an upcoming framework for developers to declare relationships between domains, such that the browser can make decisions regarding access based on the third party’s relationship to the first party. A set may enjoy first party benefits, including continued access to their cookies when the top-level domain is in the same set.
First-Party Sets are part of Chrome's roadmap for a more privacy-focused web.
Chrome 113 will introduce user controls for these First-Party Sets. Two enterprise policies will be made available to manage First-Party sets: one to disable First-Party Sets and one to provide your own sets.
- Removal of permissive Chrome Apps webview behaviors
In Chrome 113, Chrome Apps webview usage will have the following restrictions:
- SSL errors within webview will show an error page that does not provide the user the option to unsafely proceed.
- The use of the webview NewWindow event to attach to a webview element in another App window will cause the window reference returned by the
window.open
call in the originating webview to be invalidated.
In Chrome 112, you’ll be able to test out this new behavior by navigating tochrome://flags
and enabling thechrome://flags/#enable-webview-tag-mparch-behavior.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed will be available to give enterprises time to address possible breakage related to these changes.
- Collect additional data for off-store extensions in telemetry reports
When Enhanced Safe Browsing is enabled, Chrome 113 will start collecting additional telemetry on off-store extensions, such as file hashes and themanifest.json
file. The data collected are analyzed on Google servers to detect malicious off-store extensions (including self-hosted extensions) and improve protection for all Chrome extension users. This functionality along with the entire extension telemetry feature can be turned off by setting SafeBrowsingProtectionLevel to any value other than 2; this disables Enhanced Safe Browsing. Enterprise admins can use the SafeBrowsingProtectionLevel policy if they have any concerns about exposing this data.
- Launching FastCheckout for Checkout experiences
In Chrome 113, some users will see an updated Autofill UI targeting checkout pages on shopping websites. It can be disabled by either disabling policy AutofillAddressEnabled or AutofillCreditCardEnabled.
- Updated Password Management Experience on iOS in Chrome 113
On Chrome on iOS, some users who are signed-in to Chrome but don't have Chrome sync enabled will be able to use and save passwords in their Google Account. Relevant enterprise policies such as BrowserSignin, SyncDisabled, SyncTypesListDisabled and PasswordManagerEnabled will continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.
- Image-set css changes
Chrome 113 implements standard syntax support for image-set and will treat the previously supported -webkit- vendor prefix syntax as a parse time alias for the standard. As a result of this, values set with the vendor prefix will serialize as standard.
Example:
-webkit-image-set(url(example.png) 1x)
Will serialize to:
image-set(url(""example.png"") 1x
for specified value (as returned viagetPropertyValue()
like:
testDiv.style.getPropertyValue(""background-image"");
)and to
If needed, the new behavior can be turned off via theimage-set(url(""example.png"") 1dppx)
for computed value (as returned via
getComputedStyle()
likewindow.getComputedStyle(testDiv)[""background-image""]
).CSSImageSet
runtime flag. The rendering and image-selection behavior will be the same for both the prefixed and standard syntax (Chrome Status).
- Support for Private State Tokens
Starting in Chrome 113, the Private State Tokens API will be available for use by websites. Private State Tokens enable trust in a user's authenticity to be conveyed from one context to another, to help sites combat fraud and distinguish bots from real humans—without the exchange of user identifying information. Availability of Private State Tokens will be controlled using a new setting in Chrome settings called Auto-verify.
- Enable access to WebUSB API from extension service workers in Chrome 114
As early as Chrome 114, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Changes to Google Password Manager in Chrome 114
In Chrome 114 the password manager will be re-branded as Google Password Manager.
Google Password Manager will offer more functionality and will be easier to access. You will be able to access the new look password manager via the three dot menu (previously located in Settings>Autofill). The upgraded Google Password Manager groups similar passwords together, has an improved checkup flow and users will be able to add the password manager to their desktop, for easy access.
- Network Service on Windows will be sandboxed
As early as Chrome 114, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 117 will no longer support macOS 10.13 and macOS 10.14
Chrome 117 will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability will be available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
Upcoming ChromeOS changes
- Cursive pre-installed for Enterprise and Education accounts
In ChromeOS 113, Cursive, a stylus-first notes app, will be available for Chromebook. It will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks. If you want to block access to the app, you can prevent Chromebooks in your enterprise from accessing cursive.apps.chrome.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 114, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
Upcoming Admin console changes
Chrome 111
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Reminder of change in launch schedule | ✓ | ||
Privacy Sandbox updates in Chrome 111 | ✓ | ||
PPB_VideoDecoder(Dev) API removed | ✓ | ||
New Chrome sync dialog in Chrome for Desktop | ✓ | ||
Payment Handler API requires CSP connect-src | ✓ | ||
Out-of-process System DNS Resolution | ✓ | ||
Azure AD single sign-on (SSO) | ✓ | ||
Web speech recognition API on iOS | ✓ | ||
Chrome updater on Windows and Mac serves the most recent 12 versions | ✓ | ||
Policy name changes | ✓ | ||
Chrome Browser Cloud Management subscription | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Fast Pair | ✓ | ||
Keyboard shortcuts link in Text app | ✓ | ||
Print job origin identification for managed devices | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Configure print server policies with Google groups | ✓ | ||
New policies in Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
LegacySameSiteCookieBehaviorEnabledForDomainList policy extended | ✓ | ||
Enable access to WebHID API from extension service workers in Chrome 112 | ✓ | ||
Unused site permissions module in Safety Check | ✓ | ||
Default to origin-keyed agent clustering in Chrome 112 | ✓ | ||
New Chrome Sync data types available in Takeout in Chrome 112 | ✓ | ||
Chrome for Testing | ✓ | ||
Policy troubleshooting page available on Android | ✓ | ||
Risk Assessment card | ✓ | ||
Chrome apps no longer supported on Windows, Mac, and Linux | ✓ | ||
Auto upgrade mixed content to HTTPS | ✓ | ||
Launching FastCheckout for Checkout experiences | ✓ | ||
Collect additional data for off-store extensions in telemetry reports | ✓ | ||
Updated onboarding experience | ✓ | ||
Deprecation trial for unpartitioned 3rd party Storage, Service Workers, and Communication APIs | ✓ | ||
Changes to phishing protection on Android as early as Chrome 113 | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Enable access to WebUSB API from extension service workers in Chrome 113 | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ✓ | |
First-Party Sets user controls | ✓ | ||
Removal ChromeRootStoreEnabled policy | ✓ | ||
Full History sync | ✓ | ||
Removal of permissive Chrome Apps webview behaviors | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Screencast supports multi-language transcription in recordings | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ | |
Upcoming Admin console changes | Security/ Privacy | User productivity/ Apps | Management |
New Chrome browser insights | ✓ | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Reminder of change in launch schedule
Starting in Chrome 110, Chrome started rolling out to the Stable channel one week earlier than previously planned to a very small subset of users. For example, the Chrome 111 Stable release moves from March 7 to March 1, 2023.
You can also expect to see a much smaller rollout at a significantly reduced percentage of our user population for the first week of the published Stable release date. The wider rollout to most users happens at a similar timeframe to the earlier communicated dates. This slower initial rollout leads to better stability and makes it easier for enterprises to stay on the latest and safest version of Chrome.
For more details, read about managing Chrome updates and check out the Chrome release schedule.
- Privacy Sandbox updates in Chrome 111
Chrome 111 updates the user experience of the new ad privacy features related to the Privacy Sandbox project. As part of this, Chrome now shows users a confirmation dialog that introduces the new features to users, and directs them to the appropriate settings pages to allow them to set their preferences.
IT admins can disable Chrome's Privacy Sandbox settings via the PrivacySandboxAdTopicsEnabled, PrivacySandboxSiteEnabledAdsEnabled, and PrivacySandboxAdMeasurementEnabled enterprise policies, and suppress the user-facing prompt via the PrivacySandboxPromptEnabled policy.
For more information, see the developer documentation about Privacy Sandbox technologies in Chrome.
- PPB_VideoDecoder(Dev) API removed
The PPB_VideoDecoder(Dev) API was introduced for Adobe Flash. Since Flash is no longer supported in Chrome, we are removing this API in Chrome 111. If you need any extra time to migrate legacy applications, you can use the ForceEnablePepperVideoDecoderDevAPI enterprise policy. This policy will only be supported through Chrome 114. If you need to use the policy after that, file a bug on crbug.com before May 5, 2023, explaining your use case.
- New Chrome sync dialog in Chrome for Desktop
Some users now see a visually updated dialog to turn on Chrome Sync in Chrome 111. Relevant enterprise policies such as BrowserSignin, SyncDisabled, RestrictSigninToPattern and SyncTypesListDisabled continue to work as before to configure Chrome sync.
- Payment Handler API requires CSP connect-src
If your organization uses the Web Payment API (Payment Handler and Payment Request) and also uses Content-Security-Policy (CSP) for better protection, then you need to add the domains of HTTP requests sent from the Web Payment API to the connect-src directive of the CSP. This is enforced in Chrome 111. For more information, see this developer blog post.
- Out-of-process System DNS Resolution
Starting gradually in Chrome 111, as part of the Linux and Android network service sandboxes, system DNS resolution moves out of the network service and into the unsandboxed browser process, as system DNS resolution cannot run while sandboxed on these platforms. The Enterprise policy OutOfProcessSystemDnsResolutionEnabled is available to control this feature. Setting this policy to false causes system DNS resolution to run in the network process rather than the browser process. This might force the network service sandbox to be disabled, degrading the security of Google Chrome.
- Azure AD single sign-on (SSO)
Chrome 111 now supports automatic sign-on into Microsoft identity providers using account information from Microsoft Windows. This feature is disabled by default and can be enabled using the CloudAPAuthEnabled policy.
- Chrome updater on Windows and Mac serves the most recent 12 versions
The Chrome updater now supports serving versions of Chrome that reached 100% rollout, within the latest 12 releases on the Beta, Stable, and Extended Stable channels. If you're using the TargetVersionPrefix enterprise policy, ensure you are within 12 versions of the latest release. If you don't manually manage Chrome updates, no action is required.
- Policy name changes
We’ve renamed the policies related to Window Placement, to better align with the underlying API and permissions, which have recently been renamed to Window Management. Starting in Chrome 111, DefaultWindowManagementSetting, WindowManagementAllowedForUrls, WindowManagementBlockedForUrls, WindowManagementSettings policies now supercede the DefaultWindowPlacementSetting, WindowPlacementAllowedForUrls, and WindowPlacementBlockedForUrls policies. The WindowPlacement variants will be removed in a future version. The WindowPlacementSettings atomic group has been renamed to WindowManagementSettings.
- Chrome Browser Cloud Management subscription
As early as March 2023, the Chrome Browser Cloud Management (CBCM) subscription will be automatically added to all Admin console accounts who are using CBCM without the subscription. CBCM customers are now required to have the Chrome Browser Cloud Management subscription to use the service. This change adds no new cost to your existing account and there are no actions required.
- New and updated policies in Chrome browser
Policy Description DomainReliabilityAllowed Allow reporting of domain reliability related data. MixedContentAutoupgradeEnabled Enable mixed content auto upgrading on HTTPS sites. DefaultWindowManagementSetting Default Window Management permission setting. WindowManagementAllowedForUrls Allow Window Management permission on these sites. WindowManagementBlockedForUrls Block Window Management permission on these sites. OutOfProcessSystemDnsResolutionEnabled Enable system DNS resolution outside of the network service. ForceEnablePepperVideoDecoderDevAPI Enable support for the PPB_VideoDecoder(Dev) API. CloudAPAuthEnabled Allow automatic sign-in to Microsoft® cloud identity providers. PrivacySandboxPromptEnabled Choose whether the Privacy Sandbox prompt can be shown to your users. PrivacySandboxAdMeasurementEnabled Choose whether the Privacy Sandbox ad measurement setting can be disabled. PrivacySandboxAdTopicsEnabled Choose whether the Privacy Sandbox Ad topics setting can be disabled. PrivacySandboxSiteEnabledAdsEnabled Choose whether the Privacy Sandbox Site-suggested ads setting can be disabled. GetDisplayMediaSetSelectAllScreensAllowedForUrls (now on Linux) Enables auto-select for multi screen captures.
ChromeOS updates
- Fast Pair
Fast Pair now makes Bluetooth pairing easier on ChromeOS devices and Android phones. When you turn on your Fast Pair-enabled accessory, it automatically detects and pairs with your ChromeOS device or Android phone in a single tap. Fast Pair also associates your Bluetooth accessory with your Google account, making it incredibly simple to move between devices without missing a beat.
- Keyboard shortcuts link in Text app
The ChromeOS Text app has a series of built-in keyboard shortcuts. ChromeOS 111 adds a link to the Help Center article from the Text app settings, to provide instructions on how to use these keyboard shortcuts.
- Print job origin identification for managed devices
To improve support for specific advanced printing workflows in managed environments, mostly encountered in the Healthcare space, print jobs need to contain information about the device that they originated from. ChromeOS 111 introduces the client-info IPP attribute to populate an admin-specified value, which identifies a device used for downstream printing workflow or reporting activities.
Additionally, all print jobs now indicate ChromeOS together with the running release version.
This new attribute in print jobs is only available for jobs originating from managed devices and controlled by a new admin policy.
Admin console updates
- Configure print server policies with Google groups
Admins can now use new or existing Google groups to configure print servers for users in your organization. That means when you need to configure a print server for a specific set of users–who may or may not belong to different Organizational Units (OUs)–you can now use the flexibility of groups without needing to reconfigure your OUs. Note that configuration of print server policies for user groups works exactly the same as it does for printers.
- New policies in the Admin console
Policy Name Pages Supported on Category/Field LensDesktopNTPSearchEnabled User & Browser Settings; Managed Guest Session Chrome
ChromeOSStartup > New Tab Google Lens button SendMouseEventsDisabled
FormControlsEnabledUser & Browser Settings; Managed Guest Session Chrome
ChromeOS
AndroidLegacy site compatibility > Disabled element MouseEvents UserBorealisAllowed User & Browser Settings; Managed Guest Session ChromeOS User experience > Allow Borealis on ChromeOS OffsetParentNewSpecBehaviorEnabled User & Browser Settings; Managed Guest Session Chrome
ChromeOS
AndroidLegacy site compatibility > Enable Legacy HTMLElement Offset behavior AccessControlAllowMethods
InCORSPreflightSpecConformantUser & Browser Settings; Managed Guest Session Chrome
ChromeOS
AndroidNetwork > CORS Access Control Allow Methods Conformance
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- LegacySameSiteCookieBehaviorEnabledForDomainList policy extended
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies (possibly on specific domains) to legacy behavior. LegacySameSiteCookieBehaviorEnabledForDomainList policy will continue to be supported up until Chrome 121.
- Unused site permissions module in Safety Check
In Chrome 112, Safety Check will be expanded to include auto-revocation of unused site permissions on Chrome. Chrome will reset permissions from sites that have low recent engagement. Chrome informs the user about auto-revocation of permissions and offers options to opt out or re-grant. Permissions granted by enterprise policies are not affected. This launch follows the first extension of Safety Check that introduced proactive notification of permission reminders.
- Default to origin-keyed agent clustering in Chrome 112
In Chrome 112, websites will be unable to setdocument.domain
. Websites will need to use alternative approaches such aspostMessage()
or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation viadocument.domain
to function correctly, it will need to send anOrigin-Agent-Cluster: ?0
header along with all documents that require that behavior. You can read more in the blog post.
Note:document.domain
has no effect if only one document sets it.
The OriginAgentClusterDefaultEnabled enterprise policy will allow you to extend the current behavior.
- New Chrome Sync data types available in Takeout in Chrome 112
There will be more Chrome data available to export in Takeout and Domain Wide Takeout (DWT). The following data types are available: AUTOFILL, PRIORITY_PREFERENCE, WEB_APP, DEVICE_INFO, TYPED_URL, ARC_PACKAGE, OS_PREFERENCE, OS_PRIORITY_PREFERENCE, PRINTER.
You can control which data types are synced to Chrome Sync using the SyncTypesListDisabled enterprise policy.
- Chrome for Testing
In Chrome 112, Puppeteer, Chrome's browser automation library, will start using the Chrome for Testing binary instead of a Chromium binary. In case you have the Chromium binary allowlisted, you might consider allowlisting the Chrome for Testing binary too.
Chrome for Testing is a dedicated Chrome flavor for the automated testing use case. It’s not an end-user facing product, but rather a tool to be used by automation engineers through other projects such as Puppeteer. Chrome for Testing is a completely separate binary from regular Chrome.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, we are phasing out support for Chrome apps in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 112 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome Apps are still launchable.
Starting with Chrome 112, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property Extension ID (Chrome App) install_url (PWA / Web App) Gmail pjkljhegncpnkpknbcohdijeoejaedia https://mail.google.com/mail/
installwebapp?usp=adminDocs aohghmighlieiainnegkcijnfilokake https://docs.google.com/document/
installwebapp?usp=adminDrive apdfllckaahabafndbhieahigkjlhalf https://drive.google.com/drive/
installwebapp?usp=adminSheets felcaaldnbdncclmgdcncolpebgiejap https://docs.google.com/spreadsheets/
installwebapp?usp=adminSlides aapocclcgogkmnckokdopfmhonfmgoek https://docs.google.com/presentation/
installwebapp?usp=adminYoutube blpcfgokakmgnkcojhhkbfbldkacnbeo https://youtube.com/s/
notifications/manifest/cr_install.html
- Auto upgrade mixed content to HTTPS on iOS in Chrome 112
Chrome on iOS will start automatically upgrading passive mixed content (HTTP image, audio and video on HTTPS pages) to HTTPS when possible. The current behavior on iOS is to block passive mixed content. All other Chrome platforms already optimistically upgrade passive mixed content. An Enterprise policy MixedContentAutoupgradeEnabled is available to disable mixed content auto upgrading on HTTPS sites on iOS. The policy will be removed in 116.
- Launching FastCheckout for Checkout experiences
In Chrome 112, some users will see an updated Autofill UI targeting checkout pages on shopping websites. It can be disabled by either disabling policy AutofillAddressEnabled or AutofillCreditCardEnabled.
- Collect additional data for off-store extensions in telemetry reports
When Enhanced Safe Browsing is enabled, Chrome 112 will start collecting additional telemetry on off-store extensions, such as file hashes and the manifest.json file. The data collected are analyzed on Google servers to detect malicious off-store extensions and improve protection for all Chrome extension users. This functionality along with the entire extension telemetry feature can be turned off by setting SafeBrowsingProtectionLevel to any value other than 2; this disables Enhanced Safe Browsing. Enterprise admins can use the SafeBrowsingProtectionLevel policy if they have any concerns about exposing this data.
- Updated onboarding experience
In Chrome 112, some users may see a simplified onboarding experience with a more intuitive way to sign into Chrome. Enterprise policies like BrowserSignin, SyncDisabled, EnableSyncConsent, RestrictSigninToPattern and SyncTypesListDisabled will continue to be available as before to control whether the user can sign into Chrome and turn on sync. The PromotionalTabsEnabled policy can be used to skip the onboarding altogether.
- Deprecation Trial for Unpartitioned 3rd party Storage, Service Workers, and Communication APIs
Beginning gradually in Chrome 113, storage, service workers, and communication APIs will be partitioned in third-party contexts. In addition to being isolated by the same-origin policy, the affected APIs used in third-party contexts would also be separated by the site of the top-level context. Sites that haven’t had time to implement support for third-party storage partitioning can take part in a deprecation trial to temporarily unpartition (continue isolation by same-origin policy but remove isolation by top-level site) and restore prior behavior of storage, service workers, and communication APIs in content embedded on their site.
The following APIs will remain unpartitioned in third-party contexts should you enroll the top-level site in the DisableThirdPartyStoragePartitioning deprecation trial: Storage APIs (such as localStorage, sessionStorage, IndexedDB, Quota, and so on), Communication APIs (such as BroadcastChannel, SharedWorkers, and WebLocks), and ServiceWorker API.
Chrome 112 will also add the ThirdPartyStoragePartitioningEnabled enterprise policy, which will allow for unpartitioning all APIs in third-party contexts, to be supported for at least 12 milestones.
- Changes to phishing protection on Android as early as Chrome 113
When a user authenticates to Android with their Google password, for example during account setup, Chrome will be notified so the password can begin receiving phishing protection when surfing the Web with Chrome. In previous versions of Chrome on Android, users needed to explicitly provide their password within a Chrome tab, for example, sign in to Gmail, to receive phishing protection for their Google password.
You can disable warnings regarding password reuse by setting PasswordProtectionWarningTrigger to 0.
- Network Service on Windows will be sandboxed
As early as Chrome 113, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Enable access to WebUSB API from extension service workers in Chrome 113
As early as Chrome 113, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability will be available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
- First-Party Sets user controls
First-Party Sets is an upcoming framework for developers to declare relationships between domains, such that the browser can make decisions regarding access based on the third party’s relationship to the first party. A set may enjoy first party benefits, including continued access to their cookies when the top-level domain is in the same set.
First-Party Sets are part of Chrome's roadmap for a more privacy-focused web.
Chrome 113 will introduce user controls for these First-Party Sets. Two enterprise policies will be made available to manage First-Party sets: one to disable First-Party Sets and one to provide your own sets.
- Removal ChromeRootStoreEnabled policy
In Chrome 105, we announced the launch of the Chrome Root Store on Windows and Mac. A new policy, called ChromeRootStoreEnabled, was introduced to allow selective disabling of the Chrome Root Store in favor of the platform root store. This policy will be removed from Windows and Mac on Chrome 113. Support for trusted leaf certificates and the Windows Trusted People store was added for Chrome 111. If you previously disabled the Chrome Root Store to work around either of these issues, please test again with Chrome 111. We are working on launching the Chrome Root Store for Android, Linux, and ChromeOS. As the Chrome Root Store launches on more platforms, we will continue to provide the policy on those platforms for six months after launch.
- Full History sync
Starting with Chrome 112, Typed URLs will stop syncing for Enterprise users. Open Tabs will continue syncing as usual, unless disabled by existing SyncDisabled and SyncTypesListDisabled policies.
- Removal of permissive Chrome Apps webview behaviors
In Chrome 113, Chrome Apps webview usage will have the following restrictions:
- SSL errors within webview will show an error page that does not provide the user the option to unsafely proceed.
- The use of the webview NewWindow event to attach to a webview element in another App window will cause the window reference returned by the window.open call in the originating webview to be invalidated.
In Chrome 112, you’ll be able to test out this new behavior by navigating tochrome://flags
and enabling thechrome://flags/#enable-webview-tag-mparch-behavior
.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed will be available to give enterprises time to address possible breakage related to these changes.
Upcoming ChromeOS changes
- Cursive pre-installed for Enterprise and Education accounts
As early as ChromeOS 112, Cursive, a stylus-first notes app, will be available for Chromebooks. In an upcoming release, it will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks. If you want to block access to the app, you can prevent Chromebooks in your enterprise from accessing cursive.apps.chrome.
- Screencast supports multi-language transcription in recordings
As early as ChromeOS 112, we plan to dramatically expand Screencast recording capabilities by including a wide range of languages by integrating with Google's S3 transcription API.
The Screencast app for ChromeOS lets users record transcribed screencasts on their Chromebook. In previous versions, this feature was available in EN-US only, which meant that only English speaking users in the US could record screencasts. Soon, it will be possible to record and transcribe screencasts in a wide range of languages including Spanish, Japanese, French, Italian, and German.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 114, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
Chrome 110
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Windows 7/8/8.1 and Windows Server 2012/2012 R2 are no longer supported
Microsoft is ending support for most variants of Windows 7/8/8.1 in January 2023. As announced in a previous blog post, Chrome 109 is the last supported version of Chrome for these operating systems.
Chrome running on Windows Server 2012 and Windows Server 2012 R2 will not be updated beyond Chrome 109, as those operating systems (OS) are based on Windows 8/8.1. However, critical security fixes will be issued to Chrome 109 on these two OS versions until October 10, 2023 to ease customer transitions. For the most up-to-date information, see this post in the Chrome Enterprise and Education help center.
- Detailed translation settings
Chrome 110 adds new detailed translation settings for controlling the current target language: Never translate languages and Always translate languages. These settings were previously only editable from the Translate UI bubble but now are permanently exposed under chrome://settings/language. Enterprise admins can use the existing TranslateEnabled policy to globally enable or disable translation.
- Change in launch schedule
Starting in Chrome 110, Chrome rolls out to the Stable channel one week earlier than previously planned to a very small subset of users. For example, the Chrome 110 Stable release moves from February 7 to February 1, 2023.
You can also expect to see a much smaller rollout at a significantly reduced percentage of our user population for the first week of the published Stable release date. The wider rollout to most users happens at a similar timeframe to the earlier communicated dates. This slower initial rollout leads to better stability and makes it easier for enterprises to stay on the latest and safest version of Chrome.
For more details, read about managing Chrome updates and check out the Chrome release schedule.
- App Store rating on iOS
In Chrome 110, some iOS users might be presented with Apple’s standardized App Store rating prompt at most once per year. The prompt gives users the option to rate the app or dismiss the prompt. An enterprise policy, AppStoreRatingEnabled, is available to disable any appearance of the prompt.
- User-level Enhanced Safe Browsing on iOS
For Chrome on iOS where the Safe Browsing protection level is not controlled by SafeBrowsingProtectionLevel, users who are signed in and syncing, and have enabled Enhanced Safe Browsing on their Google Account, are now notified that Enhanced Safe Browsing has been enabled on their Chrome profile. Disabling Enhanced Safe Browsing on a synced Google Account disables Enhanced Safe Browsing for their Chrome profile. Additionally, users that are signed-in and non-synced might be prompted to enable Chrome Enhanced Safe Browsing within 5 minutes of enabling Account Level Enhanced Safe Browsing.
- Chrome Headless mode upgrades
Chrome’s Headless mode provides a full Chrome browser to tooling vendors and developers that don’t need to bring pixels to the screen. It's used for test automation, automation of workflow steps, for example, steps required when setting up a new machine in an enterprise or autofill-like behavior, scraping web content, web rendering services, and so on.
We’ve rebuilt Headless mode so that it’s much closer to Chrome’s regular mode. This provides more consistent experiences, including respecting enterprise policies when in Headless mode.
- MetricsReportingEnabled policy available on Android in Chrome
As early as Chrome 110, Chrome on Android slightly modifies the first run experience to support the MetricsReportingEnabled policy. If the admin disables metrics reporting, there is no change to the first run experience. If the admin enables metrics, users can still change the setting in Chrome settings. When enabled, the MetricsReportingEnabled policy allows anonymous reporting of usage and crash-related data about Chrome to Google.
- WebAuthn cannot be used on sites with TLS certificate errors
Starting on Chrome 110, Chrome stops allowing WebAuthn requests on websites with TLS certificate errors. The criteria are the same as those used for showing danger interstitials or a Not secure pill on the omnibox. This prevents bad actors from generating valid assertions in a Man-in-the-Middle attack on users who might skip the interstitial.
Enterprises can use the AllowWebAuthnWithBrokenTlsCerts policy if needed as a workaround.
- Cookie information from extensions
When you enable Enhanced Safe Browsing, Chrome now collects telemetry information about the cookie information extensions request. These activities are analyzed on Google servers and further improve the detection of malicious and policy violating extensions. This improvement allows better protection for all Chrome extension users.
- Deprecation of WebSQL and other old Storage features
Chrome 110 removes the window.webkitStorageInfo API. This legacy quota API has been deprecated since 2013, and has been replaced by the now standardized StorageManager API. Admins can re-enable webkitStorageInfo until Chrome 112, using the enterprise policy, PrefixedStorageInfoEnabled.
WebSQL in third-party contexts is already disabled, and it has had a warning in DevTools since Chrome 105. Chrome 110 removes support in non-secure contexts. An enterprise policy, WebSQLNonSecureContextEnabled, allows Web SQL to function in non-secure contexts for a few months past the removal date.
- Easier password updates when a compromise is detected
The Check passwords tool now has an expanded set of URLs pointing directly to a Change password form. This allows users to take action and fix compromised passwords. The Check passwords tool is only available if PasswordManagerEnabled is set to true or unset.
- Rolling out GPU changes to NaCL Swapchain and video decoding
Chrome 110 refactors the implementation of the NaCL swapchain and the Pepper video decoding APIs. These changes are not intended to have any behavioral impact on users. However, it is possible that, due to bugs, they might result in visual artifacts, unacceptably slow performance when playing video, unacceptable increases in power, or crashes.
If your enterprise encounters any unexpected problems, you can use the UseMojoVideoDecoderForPepperAllowed and PPAPISharedImagesSwapChainAllowed enterprise policies to roll back to the previous behavior. If issues appear that are fixed by enabling those policies, please also file a bug at crbug.com before May 5, 2023 with the details.
- WebView metrics moves app package name filtering to server-side
WebView metrics only store app package names for a limited set of allowlisted common apps, to preserve user privacy and anonymity. In Chrome 110, the filtering of these apps moves from the client to the server. Apps using WebView can opt out of metrics collection via the app manifest.
- User-Agent reduction Phase 6
As of Chrome 110, some portions of the User-Agent string are reduced on Chrome for Android. As previously detailed in the Chromium blog, we intend to proceed with Phase 6 of the User-Agent Reduction plan. For more details, see this reference page and Chromium update. The UserAgentReduction policy allows for opting out of these changes.
- Real-time URL Allowlist now synced through component updater on Android
In Chrome 110, Chrome on Android uses an allowlist synced through the component updater. This applies to Enhanced Safe Browsing and Make Browsing Better users who have Safe Browsing URL real-time checking enabled. This allows faster rollout of updated allowlist versions. Since the new allowlist versions are served through the component updater, admins who choose to disable the component updater do not benefit from this feature. In these scenarios, Chrome uses a version of the allowlist that is updated less frequently.
- Google Update internal upgrades
In Chrome 109, Google introduced an overhauled version of Google Update that:- provides a cross-platform core for future development of update-related features.
- improves its performance and reliability.
This rollout is continuing gradually throughout the Chrome 110 timeframe. All existing enterprise policies and controls for managing Chrome's version continue to work the same way. These changes first roll out to macOS and eventually to Windows.
Note: For customers that allowlist specific folders and binaries, there is a path change on Mac as follows:- Old:
(~)/Library/Google/GoogleSoftwareUpdate
- New:
(~)/Library/Google/GoogleUpdater
- New and updated policies in Chrome browser
Policy Description ExtensionManifestV2Availability Controls Manifest v2 extension availability. AppStoreRatingEnabled Allows users to be shown the iOS App Store Rating promo. DnsOverHttpsSalt Specifies a salt value to be used in DnsOverHttpsTemplatesWithIdentifiers when evaluating identify information. DnsOverHttpsTemplatesWithIdentifiers Specifies URI template of desired DNS-over-HTTPS resolver with identity information. MetricsReportingEnabled
(new on Android)Enables reporting of usage and crash-related data. PPAPISharedImagesSwapChainAllowed Allows modern buffer allocation for Graphics3D APIs PPAPI plugin.
PdfLocalFileAccessAllowedForDomains Allows local file access to file://
URLs on these sites in the PDF Viewer.UseMojoVideoDecoderForPepperAllowed Allows Pepper to use a new decoder for hardware accelerated video decoding. AllowWebAuthnWithBrokenTlsCerts Allows Web Authentication requests on sites with broken TLS certificates. ShowCastSessionsStartedByOtherDevices Shows media controls for Google Cast sessions started by other devices on the local network. NewBaseUrlInheritanceBehaviorAllowed Allows enabling the feature NewBaseUrlInheritanceBehavior. ThrottleNonVisibleCrossOriginIframesAllowed Allows enabling throttling of non-visible, cross-origin iframes.
ChromeOS updates
- Channel labeling on ChromeOS
Trying out the latest version of ChromeOS? For users on non-stable channels (Beta, Dev, Canary), starting in ChromeOS 110, you now see which channel you are on in the bottom right. You can click the time to open quick settings, which now include the device build and a feedback button.
- Search autocomplete redesign
In ChromeOS Search, we’ve redesigned the Launcher Search autocomplete to help users optimize their Search journey. We've included:- robust autocomplete for mistyped or misspelled queries.
- clear search result categories for selected results.
- and intuitive keyboard navigation for result selection.
- ChromeOS 110 no longer supports Active Directory Management
As previously announced, ChromeOS 110 no longer supports Active Directory Management for ChromeOS devices, and login to these devices is blocked.
If you are still using Active Directory Management for ChromeOS devices, make sure to finalize your migration to Cloud Management before updating to ChromeOS 110. If you are not using Active Directory Management for ChromeOS devices, this feature update does not affect you.
- Select-to-speak improvements
Chromebook users can now start Select-to-speak from the context menu (right-click menu) of the selected text. For users who continue to start Select-to-speak from the status-tray icon, we've updated the instructions shown when hovering over the icon.
Select-to-speak can now automatically switch language to match the content selected by the user, so that words are pronounced correctly in that language, without the user having to manually change the voice settings.
In addition, we've made setting up Select-to-speak easier, by moving the Select-to-speak settings to a ChromeOS settings page, rather than opening a separate browser tab.
- Local website approvals for Family Link users
Parents now have the option to quickly approve blocked websites directly on their child’s Chromebook without the Family Link app. When blocked from accessing a website, children can now choose to Ask in person to allow parents to approve access. For details, see Manage your child's account on Chromebook.
- Feedback tool refresh with inline assistive capabilities
Users can report a problem or share feedback with Google with the Feedback form. In ChromeOS 110, a refreshed Feedback form shows users several related help articles, to help them diagnose problems.
Admin console updates
- New policies in the Admin console
Policy Name Pages Supported on Category/Field PdfLocalFileAccess
AllowedForDomainsUser & Browser Settings; Managed Guest Session Chrome (Linux, Mac, Windows)
ChromeOSContent > Allow local file access to file://
URLs on these sites in the PDF ViewerThrottleNonVisibleCrossOrigin
IframesAllowedUser & Browser Settings; Managed Guest Session Chrome (Linux, Mac, Windows, Android)
ChromeOSContent > Allows enabling throttling of non-visible, cross-origin iframes AllowWebAuthnWithBroken
TlsCertsUser & Browser Settings; Managed Guest Session Chrome (Linux, Mac, Windows, Android)
ChromeOSSecurity > Allow Web Authentication requests on sites with broken TLS certificates.
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- Unused site permissions module in Safety Check
To better protect user security and privacy, Chrome 111 will automatically revoke the granted permissions that belong to unused websites (not used for 2 months). Chrome will also show the revoked permissions on settings so that users can review them. The revoked permission data will be wiped out 1 month after revocation happens. Permissions granted by enterprise policies are not affected.
- Privacy Sandbox updates in Chrome 111
Chrome 111 will update the user experience of the new ad privacy features related to the Privacy Sandbox project. As part of this, Chrome will show users a confirmation dialog that explains their options and allows them to set their preferences.
IT admins will be able to disable Chrome's Privacy Sandbox settings via the PrivacySandboxAdTopicsEnabled, PrivacySandboxSiteEnabledAdsEnabled, and PrivacySandboxAdMeasurementEnabled enterprise policies, and suppress the user-facing prompt via the PrivacySandboxPromptEnabled policy.
For more information, see the developer documentation about Privacy Sandbox technologies in Chrome.
- New Chrome Sync data types available in Takeout in Chrome 111
There will be more Chrome data available to export in Takeout and Domain Wide Takeout (DWT). The following data types are available: AUTOFILL, PRIORITY_PREFERENCE, WEB_APP, DEVICE_INFO, TYPED_URL, ARC_PACKAGE, OS_PREFERENCE, OS_PRIORITY_PREFERENCE, PRINTER.
You can control which data types are synced to Chrome Sync using the SyncTypesListDisabled enterprise policy.
- Chrome for Testing
As early as Chrome 111, Puppeteer, Chrome's browser automation library, will use the Chrome for Testing binary instead of a Chromium binary. In case you have the Chromium binary allowlisted, you might consider allowlisting the Chrome for Testing binary too.
Chrome for Testing is a dedicated Chrome flavor for the automated testing use case. It’s not an end-user facing product, but rather a tool to be used by automation engineers through other projects such as Puppeteer. Chrome for Testing is a completely separate binary from regular Chrome.
- PPB_VideoDecoder(Dev) API removed
The PPB_VideoDecoder(Dev) API was introduced for Adobe Flash. Since Flash is no longer supported in Chrome, this API will be removed in Chrome 111. If you need any extra time to migrate legacy applications, you will be able to use the ForceEnablePepperVideoDecoderDevAPI enterprise policy. As this policy will only be supported through Chrome 114, please file a bug on crbug.com by May 5, 2023 at the absolute latest, explaining your use case if you must use the policy.
- New Chrome sync dialog in Chrome for Desktop
Some users will see a visually updated dialog to turn on Chrome Sync in Chrome 111. Relevant enterprise policies such as BrowserSignin, SyncDisabled, RestrictSigninToPattern and SyncTypesListDisabled will continue to work as before and can be used to configure Chrome sync.
- Strict MIME type checks for Worker scripts
As early as Chrome 112, Chrome will strictly check MIME types for Worker scripts, like Service Workers or Web Workers. Strict checking means that Chrome will only accept JavaScript resources for Workers with a MIME type oftext/javascript
. Currently, Chrome will also accept other MIME types, liketext/ascii
. This change is aimed at improving the security of web applications, by preventing inclusion of inappropriate resources as JavaScript files.
Disabling the StrictMimetypeCheckForWorkerScriptsEnabled policy allows you to keep the current behavior.
- Default to origin-keyed agent clustering in Chrome 112
In Chrome 112, websites will be unable to setdocument.domain
. Websites will need to use alternative approaches such aspostMessage()
or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation viadocument.domain
to function correctly, it will need to send anOrigin-Agent-Cluster: ?0
header along with all documents that require that behavior. You can read more in the blog post.
Note:document.domain
has no effect if only one document sets it.
The OriginAgentClusterDefaultEnabled enterprise policy will allow you to extend the current behavior.
- Changes to phishing protection on Android as early as Chrome 112
When a user authenticates to Android with their Google password, for example during account setup, Chrome will be notified so the password can begin receiving phishing protection when surfing the Web with Chrome. In previous versions of Chrome on Android, users needed to explicitly provide their password within a Chrome tab, for example, sign in to Gmail, to receive phishing protection for their Google password.
You can disable warnings regarding password reuse by setting PasswordProtectionWarningTrigger to 0.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 112 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome Apps are still launchable.
Starting with Chrome 112, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property Extension ID (Chrome App) install_url (PWA / Web App) Gmail pjkljhegncpnkpknbcohdijeoejaedia https://mail.google.com/mail/
installwebapp?usp=adminDocs aohghmighlieiainnegkcijnfilokake https://docs.google.com/document/
installwebapp?usp=adminDrive apdfllckaahabafndbhieahigkjlhalf https://drive.google.com/drive/
installwebapp?usp=adminSheets felcaaldnbdncclmgdcncolpebgiejap https://docs.google.com/spreadsheets/
installwebapp?usp=adminSlides aapocclcgogkmnckokdopfmhonfmgoek https://docs.google.com/presentation/
installwebapp?usp=adminYoutube blpcfgokakmgnkcojhhkbfbldkacnbeo https://youtube.com/s/
notifications/manifest/cr_install.html
- Network Service on Windows will be sandboxed
As early as Chrome 112, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Enable access to WebUSB API from extension service workers in Chrome 112 or later
As early as Chrome 112, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability will be available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
- Payment Handler API will require CSP connect-src
If your organization is using the Web Payment API (Payment Handler and Payment Request) and also uses Content-Security-Policy (CSP) for better protection, then you need to make sure the domains of HTTP requests sent from the Web Payment API are added to the connect-src directive of the CSP. This will be enforced in Chrome 111. For more information, see this Chrome developer blog post.
- First-Party Sets user controls
First-Party Sets is an upcoming framework for developers to declare relationships between domains, such that the browser can make decisions regarding access based on the third party’s relationship to the first party. A set may enjoy first party benefits, including continued access to their cookies when the top-level domain is in the same set.
First-Party Sets are part of Chrome's roadmap for a more privacy-focused web.
Chrome 112 introduces user controls for these First-Party Sets.
- Removal ChromeRootStoreEnabled policy
In Chrome 105, we announced the launch of the Chrome Root Store. A new policy, called ChromeRootStoreEnabled, was introduced to allow selective disabling of the Chrome Root Store in favor of the platform root store. This policy will be removed in Chrome 113.
Upcoming ChromeOS changes
- Fast Pair
Fast Pair will make Bluetooth pairing easier on ChromeOS devices and Android phones. When you turn on your Fast Pair-enabled accessory, it will automatically detect and pair with your ChromeOS device or Android phone in a single tap. Fast Pair will also associate your Bluetooth accessory with your Google account, making it incredibly simple to move between devices without missing a beat. This feature will be available as early as ChromeOS 111.
- Cursive pre-installed for Enterprise and Education accounts
As early as ChromeOS 112, Cursive, a stylus-first notes app, will be available for Chromebooks. In an upcoming release, it will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks. If you want to block access to the app, you can prevent Chromebooks in your enterprise from accessing cursive.apps.chrome.
- Updated emoji picker
The updated emoji picker will include commonly used symbols and characters, such as scientific notations and math operators. In addition, we will also include text-based emoticons (kaomoji) for even more expressive conversations. The new top-level navigation bar will help you find the high-level category quickly, ranging from emojis, symbols, and emoticons. The improved universal search will show possible matches from all categories.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 114, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
Upcoming Admin console changes
- Configure print server policies with Google groups
Admins will be able to use new or existing Google groups to configure print servers for users in your organization. That means when you need to configure a print server for a specific set of users–who may or may not belong to different Organizational Units (OUs)–you will be able to use the flexibility of groups without needing to reconfigure your OUs. Note that configuration of print server policies for user groups works exactly the same as it does for printers.
Chrome 109
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Confirmation permission chips in the address bar | ✓ | ||
About this page on Desktop | ✓ | ||
UI changes for some download warnings | ✓ | ||
Changes to HTMLElement.offsetParent | ✓ | ||
Changes to mouse events on disabled form controls | ✓ | ||
Intent to deprecate and remove: Event.path | ✓ | ||
Release of Speculation Rules API for prerender in Android | ✓ | ||
Chrome handles case for matching in a different way | ✓ | ||
Lens image search in the Google New tab page search box | ✓ | ||
DNS queries to Cox resolvers automatically use SecureDNS if enabled | ✓ | ||
Chrome unpacks and scans 7z archives for malware | ✓ | ||
Measure usage of Web APIs | ✓ | ||
Google Update internal upgrades | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
More robust logic for audio device selection | ✓ | ||
Ghost windows for ARC Apps launching | ✓ | ||
Device metrics and userID information now available to Telemetry API | ✓ | ||
Color Picker improvements | ✓ | ||
Disable Trash in the Files app | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
New policies in the Admin console | ✓ | ✓ | ✓ |
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Detailed translation settings in Chrome 110 | ✓ | ||
Chrome for Testing | ✓ | ||
User-level Enhanced Safe Browsing on iOS in Chrome 110 | ✓ | ||
MetricsReportingEnabled policy available on Android in Chrome | ✓ | ||
Change in launch schedule starting in Chrome 110 | ✓ | ||
Content Analysis connector for local DLP agent integration | ✓ | ||
Windows 7/8/8.1 and Windows Server 2012/2012 R2 will be supported through Chrome 109 | ✓ | ||
Rolling out GPU Changes to NaCL Swapchain and video decoding | ✓ | ||
WebAuthn cannot be used on sites with TLS certificate errors | ✓ | ||
Default to origin-keyed agent clustering in Chrome 110 | ✓ | ||
Password Change URLs | ✓ | ||
User-Agent Reduction Phase 6 | ✓ | ||
Changes to phishing protection on Android as early as Chrome 111 | ✓ | ||
Privacy Sandbox updates | ✓ | ||
Strict MIME type checks for Worker scripts | ✓ | ||
Chrome Private Network Access preflights for subresources enforced in Chrome 113 | ✓ | ✓ | |
Enable access to WebHID API from extension service workers in Chrome 111 | ✓ | ||
Enable access to WebUSB API from extension service workers | ✓ | ||
Deprecation of Web SQL and other old Storage features | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Chrome apps no longer supported on Windows, Mac, and Linux | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ||
Payment Handler API will require CSP connect-src | ✓ | ||
First Party Sets user controls | ✓ | ||
Removal of ChromeRootStoreEnabled policy | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Super Resolution Audio for Bluetooth headset microphones | ✓ | ||
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Channel labeling on ChromeOS | ✓ | ||
Fast Pair | ✓ | ||
Updates to emoji picker | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Confirmation permission chips in the address bar
Chrome is consolidating permission prompts and indicators to make them more consistent and easier to understand. Some users now see a new permissions chip experience in the address bar, showing a chip after a user has made a decision on a permission prompt. It confirms the action a user has just taken and is shown for 4 seconds. If the user clicks on it, the page info bubble is shown, which allows users to manage their permission settings for the current site.
For some users, the lock icon in the address bar is hidden while a chip is displayed. Note that chips are only visible during certain permission requests and while a confirmation chip is displayed. As soon as the chip disappears, the lock icon becomes visible again.
- About this page on Desktop in Chrome 109
We are improving the From the web feature in the site info UI. It is now called About this page and it opens a website with multiple pieces of information regarding the source and topic of a website. Our goal is to empower users with the context to evaluate the trustworthiness of a webpage for themselves. You can learn more about helpful Search tools in this blog post.
This feature is only enabled when Make searches and browsing better is enabled in Settings > Sync and Google Services > Other Google services. You can control this setting with the UrlKeyedAnonymizedDataCollectionEnabled policy.
- UI changes for some download warnings
As early as Chrome 109, to protect users from malware, Chrome shows detailed context and customized UIs for some download warnings. For example, if Chrome detects a download to potentially steal user's information, the description changes from Chrome blocked this file because it is dangerous to This file contains malware that can compromise your personal or social network accounts. You can disable download warnings by setting the SafeBrowsingProtectionLevel enterprise policy, or you can allowlist specific domains using SafeBrowsingAllowlistDomains.
- Changes to HTMLElement.offsetParent
In Chrome 109, the Javascript APIs HTMLElement.offsetParent, HTMLElement.offsetTop, and HTMLElement.offsetLeft are changed in an edge case involving ShadowDOM to match the behavior of Firefox and Safari. A new enterprise policy, OffsetParentNewSpecBehaviorEnabled, is available to disable the new behavior until Chrome 120. A polyfill was made to help migrate to the new behavior: https://github.com/josepharhar/offsetparent-polyfills.
- Changes to mouse events on disabled form controls
In Chrome 109, some users see changes to the behavior of mouse events: clicking on form control elements with the disabled attribute triggers slightly different DOM events. Additional mouse events, including mousemove, mouseenter, mouseleave, mouseover, are fired on these elements. The ancestors of some types of form controls no longer receive click, mouseup, or mousedown events. A new enterprise policy, SendMouseEventsDisabledFormControlsEnabled, can disable the new behavior until at least Chrome 120.
- Intent to deprecate and remove: Event.path
To improve web compatibility, Chrome 109 no longer supports the non-standard API Event.path. Websites should migrate to Event.composedPath(), which is a standard API that returns the same result. If you need additional time to adjust, a policy EventPathEnabled, available on Windows, Mac, Linux, ChromeOS, Android and WebView, allows you to extend the lifetime of Event.path by an additional 6 milestones.
- Release of Speculation Rules API for prerender in Android
Chrome 103 introduced same-origin prerendering triggered by the Speculation Rules API. Chrome 109 expands coverage to also allow triggering same-site cross-origin pages. This allows web authors to suggest to Chrome which cross-origin pages that the user is likely to navigate to next. This prerendering is done with credentials and storage access, but such prerender targets must opt in by using the Supports-Loading-Mode: credentialed-prerender header. An enterprise policy, NetworkPredictionOptions, is available to block the usage of all prerendering activities which result in Chrome ignoring the hints provided using this API. See our article for more information.
- Chrome handles case for matching in a different way
Previously, Chrome uppercased a request's method when matching withAccess-Control-Allow-Methods
response headers in CORS preflight. After this change, Chrome doesn't uppercase a request's method, except for those normalized in the specification. So, Chrome now requires exact case-sensitive matching.
For example, previously accepted, now rejected:
Request: fetch(url, {method: 'Foo'})
Response Header: Access-Control-Allow-Methods: FOO
Previously rejected, now accepted:
Request: fetch(url, {method: 'Foo'})
Response Header: Access-Control-Allow-Methods: Foo
Namely, post and put are not affected because they are specified in https://fetch.spec.whatwg.org/#concept-method-normalize, while patch is affected.
An enterprise policy AccessControlAllowMethodsInCORSPreflightSpecConformant is available to control whether request methods are uppercased when matching withAccess-Control-Allow-Methods
response headers in CORS preflight.
- Lens image search in the Google New tab page search box
In Chrome 109, some users see a camera icon in the search box when navigating to the Google New tab page. This feature allows users to search by image, by uploading a file from their computer or entering an image URL. This feature might only show on the Google New tab page. It does not show in Incognito, Guest User, or non-Google new tab pages. An enterprise policy LensDesktopNTPSearchEnabled, is available to control this feature.
- DNS queries to Cox resolvers automatically use SecureDNS if enabled
If SecureDNS is enabled via the DnsOverHttpsMode enterprise policy, insecure DNS requests to Cox DNS resolvers are upgraded to secure DNS requests without requiring a DnsOverHttpsTemplates enterprise policy.
- Chrome unpacks and scans 7z archives for malware
In Chrome 109, Safe Browsing unpacks 7z archives locally to check for malware. This is similar to the previously-shipped local analysis of zip and rar archives. Chrome now reports contained files, hashes, and lengths to Safe Browsing. You can disable this by disabling Safe Browsing with the SafeBrowsingProtectionLevel policy.
- Measure usage of Web APIs
As part of the Privacy Sandbox effort, Chrome continues to collect information about APIs commonly called by websites so that we can better understand their use as fingerprinting surfaces. You can disable this collection using the UrlKeyedAnonymizedDataCollectionEnabled enterprise policy.
- Google Update internal upgrades
Over the coming weeks, Google introduces an overhauled version of Google Update that:
- provides a cross-platform core for future development of update-related features.
- improves its performance and reliability.
Note: For customers that allowlist specific folders and binaries, there is a path change on Mac as follows:
- Old:
(~)/Library/Google/GoogleSoftwareUpdate
- New:
(~)/Library/Google/GoogleUpdater
All existing enterprise policies and controls for managing Chrome's version will continue to work the same way. These changes first roll out to macOS and eventually to Windows.
- New and updated policies in Chrome browser
Policy
Description
Allow using Google Assistant on the web, for example, to enable changing passwords automatically.
Enable the Chrome Enterprise Device Trust Connector attestation flow for a list of URLs.
Control the new behavior for event dispatching on disabled form controls.
Require online OCSP or CRL checks for local trust anchors (now also available on iOS).
Make Access-Control-Allow-Methods matching in CORS preflight spec conformant.
- Removed policies in Chrome browser
Policy
Description
UrlParamFilterEnabled
Control the URL parameter filter feature.
ChromeOS updates
- Ghost windows for ARC Apps launching
When users try to launch an Android Runtime for Chrome (ARC) app when ARC is still booting or the app is still loading, the shelf presents the App icon with a spinner above it to indicate the App is pending launch. With this feature, the ghost window pops up as an intermediate window state during the ARC booting time which improves perception and sets expectations of ARC apps by actively showing progress in the UI.
- Device metrics and userID information now available to Telemetry API
The Telemetry API can provide valuable insights about users and devices in your enterprise. ChromeOS 109 now reports device activity status and userID data for the Telemetry API.
- Disable Trash in the Files app
In ChromeOS 108, we introduced a new Trash section in the Files app, giving you 30 days to change your mind before files are permanently deleted. Note: This feature doesn't support Play, Linux, Windows file areas.
In ChromeOS 109, you can now disable the Trash section with the TrashEnabled policy.
Admin console updates
Upcoming Chrome browser changes
- Detailed translation settings in Chrome 110
New detailed translation settings will be added for controlling the current target language, never translate languages, and always translate languages. These settings were previously only editable from the Translate UI bubble but will now be permanently exposed under chrome://settings/language. Enterprise users may use the existing TranslateEnabled enterprise policy to globally enable or disable translation.
- Chrome for Testing
As early as Chrome 110, Puppeteer, Chrome's browser automation library, will use the Chrome for Testing binary instead of a Chromium binary. In case you have the Chromium binary allowlisted, you might consider allowlisting the Chrome for Testing binary too.
Chrome for Testing is a dedicated Chrome flavor for the automated testing use case. It’s not an end-user facing product, but rather a tool to be used by automation engineers through other projects such as Puppeteer. Chrome for Testing is a completely separate binary from regular Chrome.
- User-level Enhanced Safe Browsing on iOS in Chrome 110
For Chrome on iOS where the Safe Browsing protection level is not controlled by SafeBrowsingProtectionLevel, users who are signed in and syncing, and have enabled Enhanced Safe Browsing on their Google Account, will be notified that Enhanced Safe Browsing has been enabled on their Chrome profile. Disabling Enhanced Safe Browsing on a synced Google Account will disable Enhanced Safe Browsing for their Chrome profile. Additionally, users that are signed-in and non-synced might be prompted to enable Chrome Enhanced Safe Browsing within 5 minutes of enabling Account Level Enhanced Safe Browsing.
- MetricsReportingEnabled policy available on Android in Chrome
As early as Chrome 110, Chrome on Android will slightly modify the first run experience to support the MetricsReportingEnabled policy. If the admin disables metrics reporting, there will be no change to the first run experience. If the admin enables metrics, users will still be able to change the setting in Chrome settings. When enabled, the MetricsReportingEnabled policy allows anonymous reporting of usage and crash-related data about Chrome to Google.
- Change in launch schedule starting in Chrome 110
Starting in Chrome 110, Chrome will be rolled out to the Stable channel one week earlier than previously communicated to a very small subset of users. For example, the Chrome 110 Stable release moves from February 7 to February 1, 2023.
You can also expect to see a much smaller rollout at a significantly reduced percentage of our user population for the first week of the published Stable release date. The wider rollout to most users will happen at a similar timeframe to the earlier communicated dates.
- Content Analysis connector for local DLP agent integration
Some third party software, for example AV or DLP agents, injects code into Chrome. Though this practice is discouraged, it is still prevalent in the enterprise environment since there are few alternatives for these local agents.
Chrome 110 will provide secure, native integration that allows selected third party DLP agents to protect sensitive data transfers that happen within the browser.
- Windows 7/8/8.1 and Windows Server 2012/2012 R2 will be supported through Chrome 109
Microsoft is ending support for most variants of Windows 7/8/8.1 in January 2023. As announced in a previous blog post, Chrome 109 will be the last supported version of Chrome for these operating systems.
Update: Chrome running on Windows Server 2012 and Windows Server 2012 R2 will not be updated beyond Chrome 109, as those OSes are based on Windows 8/8.1. However, critical security fixes will be issued to Chrome 109 on these two OS versions until October 10, 2023 to ease customer transitions. For the most up to date information, see this post in the Chrome Enterprise and Education help center.
- Rolling out GPU changes to NaCL Swapchain and video decoding
As early as Chrome 110, we will refactor the implementation of the NaCL swapchain and the Pepper video decoding APIs. These changes are not intended to have any behavioral impact on users. However, it is possible that due to bugs they might result in visual artifacts, unacceptably slow performance when playing video, unacceptable increases in power, or crashes. Information about how to signal any problems will be available as these refactors roll out.
- WebAuthn cannot be used on sites with TLS certificate errors
Starting on Chrome 110, Chrome will stop allowing WebAuthn requests on websites with TLS certificate errors. The criteria will be the same used for showing danger interstitials or a Not secure pill on the omnibox. This will prevent bad actors from generating valid assertions in a Man-in-the-Middle attack on users who may skip the interstitial.
Enterprises will be able to use the AllowWebAuthnWithBrokenTlsCerts policy if needed as a workaround.
- Default to origin-keyed agent clustering in Chrome 110
As early as Chrome 110, websites will be unable to setdocument.domain
. Websites will need to use alternative approaches such aspostMessage()
or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation viadocument.domain
to function correctly, it will need to send anOrigin-Agent-Cluster: ?0
header along with all documents that require that behavior.
Note:document.domain
has no effect if only one document sets it.
The OriginAgentClusterDefaultEnabled enterprise policy will allow you to extend the current behavior.
- Password Change URLs
The Check passwords tool,chrome://settings/passwords/check
, and its analogues on other platforms, query change password URLs from the backend to facilitate fixing compromised passwords, for example,https://example.com/settings/change_password.html
. This launch will extend the list of URLs available on the backend.
- User-Agent reduction Phase 6
As of Chrome 110, some portions of the User-Agent string will be reduced on Chrome for Android. As previously detailed in the Chromium blog, we intend to proceed with Phase 6 of the User-Agent Reduction plan. For more details, see this reference page and Chromium update. The UserAgentReduction policy allows for opting out of these changes.
- Changes to phishing protection on Android as early as Chrome 111
When a user authenticates to Android with their Google password, for example, during account setup, Chrome will be notified so the password can begin receiving phishing protection when surfing the Web with Chrome. In previous versions of Chrome on Android, users needed to explicitly provide their password within a Chrome tab, for example, sign in to Gmail, to receive phishing protection for their Google password.
You can disable warnings regarding password reuse by setting PasswordProtectionWarningTrigger to 0.
- Privacy Sandbox updates in Chrome 111
Chrome 111 will update the user experience of the new ad privacy features related to the Privacy Sandbox project. As part of this, Chrome will show users a confirmation dialog that explains their options and allows them to set their preferences.
IT admins can disable Chrome's Privacy Sandbox settings via the PrivacySandboxAdTopicsEnabled, PrivacySandboxSiteEnabledAdsEnabled, and PrivacySandboxAdMeasurementEnabled enterprise policies, and suppress the user-facing prompt via the PrivacySandboxPromptEnabled policy.
For more information, see the developer documentation about Privacy Sandbox technologies in Chrome.
- Strict MIME type checks for Worker scripts
As early as Chrome 111, Chrome will strictly check MIME types for Worker scripts, like Service Workers or Web Workers. Strict checking means that Chrome will only accept JavaScript resources for Workers with a MIME type of text/javascript. Currently, Chrome will also accept other MIME types, like text/ascii. This change is aimed at improving the security of web applications, by preventing inclusion of inappropriate resources as JavaScript files.
Disabling the StrictMimetypeCheckForWorkerScriptsEnabled policy allows you to keep the current behavior.
- Chrome Private Network Access preflights for subresources enforced in Chrome 113
Chrome 104 started sending a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a newAccess-Control-Request-Private-Network: true
header. In this initial phase, this request is sent, but no response is required from network devices. If no response is received, or it does not carry a matchingAccess-Control-Allow-Private-Network: true
header, a warning is shown in DevTools. For more details, see this blog post.
As early as Chrome 111 on Android, the warnings will turn into errors and affected requests will fail, for sites not opted out via an Origin Trial. Remaining platforms will also have these warnings enforced in Chrome 113. You can disable Private Network Access checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
If you want to test this feature in advance, you can enable warnings usingchrome://flags/#private-network-access-send-preflights
. If you want to test how it behaves once warnings turn into errors, you can enablechrome://flags/#private-network-access-respect-preflight-results
.
Chrome is making this change to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks. To learn more about mitigating this change proactively, see details on what to do if your site is affected. Read the whole blog post for a more general discussion and latest updates about Private Network Access preflights.
- Enable access to WebUSB API from extension service workers
As early as Chrome 111, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Deprecation of Web SQL and other old Storage features
The Web SQL API is rarely used, and since its removal by Safari, only Chromium-based browsers have supported it. It requires frequent security fixes, and developers have been discouraged from using it for years. We're now engaging in an effort to seek out and warn anyone who may still be using Web SQL, with the goal of removing it entirely in 2023.
What you need to do depends on how you're using Web SQL:
- If you're just using Web SQL to detect whether a given browser is Chrome, that method will stop working when Web SQL is removed. Navigator.userAgentData is a better alternative.
- If you're using Web SQL to simply store a few data points,
localStorage
andsessionStorage
provide easier ways to do this. - However, if you're using Web SQL for more complex storage, you'll need to find a proper replacement.
Here are some migration options for more complex storage:
- If your storage needs don't require a relational database,
IndexedDB
is the standard solution for structured storage on the web. Large sites rely onIndexedDB
, and all major browsers support it. - For those who do need a relational database, we've partnered with the SQLite team to create an evergreen cross-browser Web SQL replacement. In November, SQLite released a web backend, using Emscripten to compile to WebAssembly and leveraging the new File System Access Handles API as a low-level virtual file interface. It's about as fast as Web SQL, and often it's faster. For more information, see our blog post Deprecating and removing Web SQL, which we'll update when noteworthy events occur.
We've already disabled Web SQL in third-party contexts. The next step is to remove support in non-secure contexts. In Chrome 105, we introduced a deprecation warning in DevTools. We'll remove this support in Chrome 110. An enterprise policy, WebSQLNonSecureContextEnabled, will let Web SQL function in non-secure contexts for a few months past the removal date.
In Chrome 110, we will also remove the window.webkitStorageInfo API. This legacy quota API has been deprecated since 2013, and has been replaced by the now standardized StorageManager API.
- Network Service on Windows will be sandboxed
As early as Chrome 111, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 112 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome Apps are still launchable.Starting with Chrome 112, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property Extension ID (Chrome App) install_url (PWA / Web App) Gmail pjkljhegncpnkpknbcohdijeoejaedia https://mail.google.com/mail/
installwebapp?usp=adminDocs aohghmighlieiainnegkcijnfilokake https://docs.google.com/document/
installwebapp?usp=adminDrive apdfllckaahabafndbhieahigkjlhalf https://drive.google.com/drive/
installwebapp?usp=adminSheets felcaaldnbdncclmgdcncolpebgiejap https://docs.google.com/spreadsheets/
installwebapp?usp=adminSlides aapocclcgogkmnckokdopfmhonfmgoek https://docs.google.com/presentation/
installwebapp?usp=adminYoutube blpcfgokakmgnkcojhhkbfbldkacnbeo https://youtube.com/s/notifications/
manifest/cr_install.html
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
All new extensions submitted to the Chrome Web Store already must implement Manifest V3, but existing Manifest V2 extensions can still be updated, and still run in Chrome. In 2023, extensions using Manifest V2 may cease running in Chrome. If your organization is running extensions that use Manifest V2, you must update them to leverage Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability will be available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
- Payment Handler API will require CSP connect-src
If your organization is using the Web Payment API (Payment Handler and Payment Request) and also uses Content-Security-Policy (CSP) for better protection, then you need to make sure the domains of HTTP requests sent from the Web Payment API are added to the connect-src directive of the CSP. For more information, see this developer blog post.
- First-Party Sets user controls
First-Party Sets is an upcoming framework for developers to declare relationships between domains, such that the browser can make decisions regarding access based on the third party’s relationship to the first party. A set may enjoy first party benefits, including continued access to their cookies when the top-level domain is in the same set.
First-Party Sets are part of Chrome's roadmap for a more privacy-focused web.
Chrome 111 introduces user controls for these First-Party Sets.
- Removal of ChromeRootStoreEnabled policy
In Chrome 105, we announced the launch of the Chrome Root Store. A new policy, called ChromeRootStoreEnabled, was introduced to allow selective disabling of the Chrome Root Store in favor of the platform root store. The policy will be removed in Chrome 113.
Upcoming ChromeOS changes
- Cursive pre-installed for Enterprise and Education accounts
As early as ChromeOS 110, Cursive, a stylus-first notes app, will be available for Chromebooks. In an upcoming release, it will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks. If you want to block access to the app, you can prevent Chromebooks in your enterprise from accessing cursive.apps.chrome.
- Channel labeling on ChromeOS
Trying out the latest version of ChromeOS? For users on non-stable channels (Beta, Dev, Canary), starting in 110, you will see which channel you are on in the bottom right. You will be able to click the time to open quick settings, which will have a new UI showing the device build and a feedback button.
- Fast Pair
Fast Pair will make Bluetooth pairing easier on ChromeOS devices and Android phones. When you turn on your Fast Pair-enabled accessory, it will automatically detect and pair with your ChromeOS device or Android phone in a single tap. Fast Pair will also associate your Bluetooth accessory with your Google account, making it incredibly simple to move between devices without missing a beat. This feature will be available as early as ChromeOS 111.
- Updates to emoji picker
The updates for the emoji picker will include commonly used symbols and characters, such as scientific notations and math operators. In addition, we will also include text-based emoticons (kaomoji) for even more expressive conversations. The new top-level navigation bar will help you find the high-level category quickly, ranging from emojis, symbols, and emoticons. The improved universal search will show possible matches from all categories.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 114, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
Chrome 108
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Improving performance: Memory Saver and Energy Saver modes | ✓ | ||
Google Password Manager: Notes for passwords | ✓ | ||
Google Password Manager: Updates on iOS | ✓ | ||
Windows: pin to taskbar during install | ✓ | ||
Custom default error pages for Progressive Web Apps | ✓ | ||
New Chrome sync dialog on iOS | ✓ | ||
Price tracking | ✓ | ||
Change asynchronous methods to synchronous in FileSystemSyncAccessHandle | ✓ | ||
Chrome on Linux to use Chrome's built-in DNS client by default | ✓ | ||
Improved reporting for internal callback mechanism | ✓ | ||
Cookies and site data dialog improvements | ✓ | ||
Improve sharing of previewed files | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
Removed policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Cursive canvas lock | ✓ | ||
Screencast multi-accounts | ✓ | ||
ChromeOS Version Rollback | ✓ | ||
ChromeOS Camera App: Document scanning improvements | ✓ | ||
Captive portal improvements | ✓ | ✓ | |
Easier ways to navigate your virtual keyboard | ✓ | ||
SIM lock policy | ✓ | ✓ | |
Files app trash | ✓ | ✓ | |
Contact center Desk API connectors | ✓ | ||
Human Presence Sensor | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS data controls | ✓ | ✓ | ✓ |
App Details - installation requests | ✓ | ✓ | |
Apps & Extension usage reports | ✓ | ||
New Chrome Browser Cloud Management sign-up experience | ✓ | ||
Delegated Admins can see all their devices | ✓ | ✓ | |
New policies in the Admin console | ✓ | ✓ | ✓ |
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Confirmation permission chips in the address bar | ✓ | ||
Google Update internal upgrades | ✓ | ||
About this page on Desktop in Chrome 109 | ✓ | ||
Chrome to change the UI for some download warnings | ✓ | ||
Detailed translation settings in Chrome 109 | ✓ | ||
Changes to HTMLElement.offsetParent | ✓ | ||
Changes to mouse events on disabled form controls | ✓ | ||
UrlParamFilterEnabled removed in Chrome 109 | ✓ | ||
Removal of master_preferences in Chrome 109 | ✓ | ||
User-level Enhanced Safe Browsing on iOS in Chrome 109 | ✓ | ||
Intent to deprecate and remove: Event.path | ✓ | ||
MetricsReportingEnabled policy will be available on Android in Chrome | ✓ | ||
Release of Speculation Rules API for prerender in Android | ✓ | ||
Device token deletion | ✓ | ||
Content analysis connector for local DLP Agent integration | ✓ | ||
Change in launch schedule starting in Chrome 110 | ✓ | ||
Windows 10 as minimum required version in Chrome 110 | ✓ | ||
Private Network Access preflights for subresources enforced in Chrome 113 | ✓ | ✓ | |
Rolling out GPU Changes to NaCL Swapchain and video decoding | ✓ | ||
Access to WebHID API from extension service workers in Chrome 110 | ✓ | ||
WebAuthn cannot be used on sites with TLS certificate errors | ✓ | ||
Strict MIME type checks for Worker scripts | ✓ | ||
Default to origin-keyed agent clustering in Chrome 110 | ✓ | ||
WebUSB from extension service workers | ✓ | ||
Deprecation of Web SQL and other old Storage features | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Chrome apps no longer supported on Windows, Mac, and Linux | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ | |
Super Resolution Audio for Bluetooth headset microphones | ✓ | ||
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Channel labeling on ChromeOS | ✓ | ||
Fast Pair | ✓ | ||
Updates to emoji picker | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Improving performance: Memory Saver and Energy Saver modes
In Chrome 108 on Windows, Mac, and ChromeOS, some users experience new performance-enhancing features: Memory Saver and Energy Saver. These features are designed to improve the performance of Chrome, and extend battery life, respectively. Users can control these features using the options under Settings > Performance.
As part of this launch, Chrome now includes the following enterprise policies:
- TabDiscardingExceptions: By using this policy, you specify URL patterns that are never discarded by the browser.
- BatterySaverModeAvailability: When set to Disabled, the Battery Saver mode is switched off. When set to EnabledBelowThreshold or not set, Battery Saver Mode is enabled when the device is on battery power and battery level is low. When set to EnabledOnBattery, Battery Saver Mode is enabled when the device is on battery power.
- HighEfficiencyModeEnabled: This policy enables or disables the High Efficiency Mode setting.
- Google Password Manager: Updates on iOS
From Chrome on iOS 108, it is easier for users to access their passwords. We have simplified the password list view, to show users just their passwords. Password-related settings display on their own screen, making it easier for users to see and manage their settings in one place. Existing features like adding or editing passwords and password checkup remain available on the password list view.
- Windows: pin to taskbar during install
As early as Chrome 108, the Chrome installer pins Chrome to the Windows taskbar for easier access to Chrome. You can use the do_not_create_desktop_shortcut setting in initial_preferences to control this behavior.
- New Chrome sync dialog on iOS
On Chrome on iOS, some users see a visually updated dialog to turn on Chrome sync in the first run. Relevant enterprise policies such as BrowserSignin, SyncDisabled, RestrictAccountsToPatterns and SyncTypesListDisabled continue to work as before and can be used to configure Chrome sync.
- Price tracking
Chrome 108 enables users to price track products from across the web, and receive email or mobile notifications when the price of a tracked item drops. Tracked items are saved alongside bookmarks with Sync. This feature is only available for signed-in, syncing users who have Web & App activity enabled. You can control this with the ShoppingListEnabled policy.
- Change asynchronous methods to synchronous in FileSystemSyncAccessHandle
In Chrome 108,getSize()
,truncate()
,flush()
andclose()
async methods inFileSystemSyncAccessHandle
primitive in the File System Access API have been converted to synchronous methods, in line with read()
andwrite()
methods.
This change supports a fully synchronous API forFileSystemSyncAccessHandle
, enabling high performance for WebAssembly (WASM) based applications.
We don't anticipate this change causing any issues. However, an enterprise policy, FileSystemSyncAccessHandleAsyncInterfaceEnabled, is available until Chrome 110 to enable the async methods. You can use this to rollback the change temporarily if you need to make any changes to your apps.
- Chrome on Linux to use Chrome's built-in DNS client by default
The built-in DNS client is enabled by default on Windows, macOS, Android, ChromeOS. As early as Chrome 108, Chrome on Linux also uses the built-in DNS client by default. Enterprises can opt out by setting BuiltInDnsClientEnabled policy to Disabled.
- Improved reporting for internal callback mechanism
Chrome 108 improves security by reporting misuse of our internal callback mechanism via crash reports. You can control this using the MetricsReportingEnabled policy.
- Cookies and site data dialog improvements
In Chrome 108, we’ve redesigned and simplified the Cookies and site data dialog so only per-site level information is displayed, and can be easily controlled by users. You can use the DefaultCookiesSetting, CookiesAllowedForUrls, CookiesBlockedForUrls, and CookiesSessionOnlyForUrls enterprise policies to control Chrome's behavior.
- New and updated policies in Chrome browser
Policy Description CopyPreventionSettings Allows blocking copying to the clipboard on specified URLs. TabDiscardingExceptions URL pattern Exceptions to tab discarding. HighEfficiencyModeEnabled Enable High Efficiency Mode. BatterySaverModeAvailability Enable Battery Saver Mode. OnFileTransferEnterpriseConnector Configuration policy for the OnFileTransfer Chrome Enterprise connector. FileSystemSyncAccessHandleAsyncInterfaceEnabled Re-enable the deprecated async interface for FileSystemSyncAccessHandle in File System Access API. VirtualKeyboardResizesLayoutByDefault (Android) The virtual keyboard resizes the layout viewport by default.
ChromeOS updates
- ChromeOS version rollback
The ChromeOS rollback feature enables managed devices to download and run an earlier version of ChromeOS than the one currently installed. Rollback works in conjunction with pinning to a target version, and requires that updates are enabled.
In this first release, rollback supports rolling back up to the previous N-3 release milestone, where N is the current release on the stable channel, as well as, the current release of the LTC and LTS channels.
The rollback feature will be available on the admin console from December 8th 2022. The earliest version of ChromeOS that you can roll back to is version 107.
Please note that installing an earlier ChromeOS version requires that devices have to perform a powerwash, an operation that erases any local user data.
- ChromeOS Camera App: Document scanning improvements
From M107, document scanning in the ChromeOS Camera App is automatically downloaded when the user selects it, making it available to more devices including those with Apollo Lake and MT8173 processors. From M108, the document scanning feature supports taking multiple pages and combining them into a single PDF.
- Captive portal improvements
ChromeOS has improved the user experience for signing into Wi-Fi networks that require captive portal sign-in, for example, at hotels or airports where you are directed to a web page to enter credentials or accept terms and conditions before being connected to the Internet. Improvements include:
- clearer messaging regarding the need to sign in
- easier to find access to sign in pages
- more reliable connection to sign in pages
- Easier ways to navigate your virtual keyboard
If you have a Chromebook with a touchscreen, it’s now even easier to type what you want easily with a newly redesigned virtual keyboard. With just a tap on the new header bar, you can switch between languages, pull up the emoji library, or access the handwriting tool. The virtual keyboard also more quickly processes fast typing – so no need to slow down to make sure that every key is pressed one by one.
- SIM lock policy
The ChromeOS Admin console now supports the ability to prohibit or allow managed users to lock their SIM card with a PIN.
This feature is available in all ChromeOS devices and is particularly useful for organizations that own their employees’ or students’ SIM cards and want to retain control over them. This is a highly requested feature from EDU because they want to avoid the situation of a student's SIM card PIN locking their device from a reliable internet connection (many students do not have internet at home, for example). EDU also wants to avoid the situation of students intentionally locking themselves out of an internet connection so as to prevent themselves from submitting assignments on time.
- Contact Center Desk API connectors
For contact center agents, productivity is paramount. But, with the range of apps, tabs and windows that agents use, it can be difficult and time-consuming to locate the right information at the right time. For agents managing multiple customer interactions simultaneously, it becomes even more difficult, leading to stress and frustration for the agent, and a longer wait time for your customers. ChromeOS Desk connectors solve this problem by introducing the desk as a container. Communications solutions that have integrated with ChromeOS Desk API automatically open a new desk per interaction. The desk opens all the tabs and apps an agent needs for this interaction, and once the interaction is complete, the desk closes down all these with one click. For each new interaction, a new desk opens, making it easier and faster for an agent to access the correct agent information at the right time.
Reach out to the ChromeOS team directly to join the Trusted Tester program and try ChromeOS Desk connectors.
- Human Presence Sensor
Some Lenovo ThinkPad Chromebooks now have screen privacy features that use Human Presence detection to lock the screen when the user leaves their device and alert the user when another person is looking at their screen. With Lock on Leave, we dim and lock the screen more quickly when no user is detected to protect their privacy. We also have a Keep Awake feature that prevents the screen from dimming when the user is present so that they can continue to view the screen. With Viewing Protection, users are shown an eye alert icon in the shelf and can choose to further mask all private notifications when we detect a second person.
Admin console updates
- ChromeOS data controls
Data controls are a set of controls for protecting enterprise users from data leakage on endpoints. These capabilities, integrated at the OS level, allow admins to track, restrict, or report the following actions when handling corporate content using simple workflow based rules that do not require content to be scanned:- Copy and paste
- Screen capture (screenshots and video capture)
- Screen sharing
- Printing
- And the ability to automatically turn on the electronic privacy screen on a compatible device
- Apps Details - Installation Requests
The list of extension requests that were previously shown in the right panel sidebar are now shown in a card in the App Details page called Installation Requests. Admins can see requests by organizational unit, browser, or user - making it easier for admins to make granular installation decisions. To allow extension requests, see our help center article.
- Apps & Extension usage report
There is a new warning icon for Extensions that are still using Manifest v2. To enable the Apps & Extension Usage Report, see this help center article. We also recommend contacting your internal developers or vendors that are still publishing Manifest v2 extensions to learn about their migration plans to Manifest v3. Please review the Extension Manifest v2 deprecation timeline for more information.
- New Chrome Browser Cloud Management sign-up experience
IT admins can now sign up for Chrome Browser Cloud Management using a new simple four-step sign-up flow. The new sign-up flow allows IT admins to create an Admin console account for Chrome Browser Cloud Management and it allows to optionally add the Chrome Enterprise Update (for ChromeOS) and Workspace free Essentials subscriptions to your new account. Learn more.
- Enrolling browsers with Mosyle
Mosyle is an Unified Endpoint Management platform focused on managing Apple devices. We have updated our documentation to describe how to deploy Chrome Browser Cloud Management tokens with Mosyle.
Enroll browsers with Mosyle (iOS/iPadOS)
Enroll browsers with Mosyle (macOS)
- New policies in the Admin console
Policy Name Pages Supported on Category/Field AllowOnlyPolicyNetworksToConnectIfAvailable Networks Settings ChromeOS General settings > Wi-Fi Networks Networks Settings All Platforms WIFI / Ethernet Settings > Details > Custom search domains HighEfficiencyModeEnabled User Settings All platforms Other settings VirtualKeyboardResizesLayoutByDefault User Settings All platforms User experience BatterySaverModeAvailability User Settings All platforms Power and shutdown TabDiscardingExceptions User settings All platforms Other settings FileSystemSyncAccessHandleAsyncInterfaceEnabled User settings All platforms Hardware
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel
Upcoming Chrome browser changes
- Confirmation permission chips in the address bar
Chrome is consolidating permission prompts and indicators to make them more consistent and easier to understand. Some users will see a new permissions chip experience in the address bar, a chip shown after a user has made a decision on a permission prompt. It confirms the action a user has just taken and is shown for 4 seconds. If the user clicks on it, the page info bubble is shown, which is a surface that among others, allows users to manage their permission settings for the current site.
For some users, the lock icon in the address bar will be hidden while a chip is being shown. Please note, chips are only visible during certain permission requests and while a confirmation chip is being displayed. As soon as the chip disappears, the lock icon is visible again.
- Google Update internal upgrades
Chrome 109 introduces the next version of Google Update based on tried-and-true Chromium technology. It will provide a cross-platform core for future development of update-related features. All existing enterprise policies and controls for managing Chrome's version work the same way.
- About this page on Desktop in Chrome 109
We are improving the From the web feature in the site info UI. It is now called About this page and it opens a website with multiple pieces of information regarding the source and topic of a website.
This feature is only enabled when Make searches and browsing better is enabled in Settings > Sync and Google Services > Other Google services. You can control this setting with the UrlKeyedAnonymizedDataCollectionEnabled policy.
- Chrome to change the UI for some download warnings
As early as Chrome 109, to protect users from malware, Chrome will start to show detailed context and customized UIs for some download warnings. For example, if Chrome detects a download to potentially steal user's information, the description will be changed from Chrome blocked this file because it is dangerous to This file contains malware that can compromise your personal or social network accounts. You can disable download warnings by setting the SafeBrowsingProtectionLevel enterprise policy, or allowlist specific domains using SafeBrowsingAllowlistDomains.
- Detailed translation settings in Chrome 109
New detailed translation settings have been added for controlling the current target language, never translate languages, and always translate languages. These settings were previously only editable from the Translate UI bubble but are now permanently exposed under chrome://settings/language. Enterprise users may use the existing TranslateEnabled enterprise policy to globally enable or disable translation.
- Changes to HTMLElement.offsetParent
In Chrome 109, the Javascript APIs HTMLElement.offsetParent, HTMLElement.offsetTop, and HTMLElement.offsetLeft will be changed in an edge case involving ShadowDOM in order to match the behavior of Firefox and Safari. A new enterprise policy, OffsetParentNewSpecBehaviorEnabled, will be added to disable the new behavior until Chrome 120. A polyfill was made in order to help migrate to the new behavior: https://github.com/josepharhar/offsetparent-polyfills.
- Changes to mouse events on disabled form controls
In Chrome 109, some users will see changes to the behavior of mouse events: clicking on form control elements with the disabled attribute will fire slightly different DOM events. Additional mouse events, including mousemove, mouseenter, mouseleave, mouseover, and more will be fired on these elements. The ancestors of some types of form controls will no longer receive click, mouseup, or mousedown events. A new enterprise policy, SendMouseEventsDisabledFormControlsEnabled, will be added to disable the new behavior until at least Chrome 120.
- UrlParamFilterEnabled removed in Chrome 109
The UrlParamFilterEnabled policy allows admins to control if parameters are removed when a user selects Open Link in Incognito Window from the context menu. This is a temporary policy introduced when the change was introduced in Chrome. The policy will be removed in Chrome 109.
- Removal of master_preferences in Chrome 109
master_preferences and initial_preferences are ways of setting default preferences for a Chrome install. The historical name of the file is master_preferences, but it was renamed to initial_preferences in Chrome 91. To make the transition easy for IT admins, from Chrome 91 to Chrome 108, naming the file either initial_preferences or master_preferences has the same effect. In Chrome 109, if you name the file master_preferences, it will not work by default. You should rename the file initial_preferences.
Alternatively, you will be able to use the CompatibleInitialPreferences enterprise policy to extend support for the master_preferences naming. This policy is not currently available.
- User-level Enhanced Safe Browsing on iOS in Chrome 109
For Chrome on iOS where the Safe Browsing protection level is not controlled by SafeBrowsingProtectionLevel, users that are signed in and syncing that have enabled Enhanced Safe Browsing on their Google Account will be notified that Enhanced Safe Browsing has been enabled on their Chrome profile. Disabling Enhanced Safe Browsing on a synced Google Account will disable Enhanced Safe Browsing for their Chrome profile. Additionally, users that are signed-in and non-synced may be prompted to enable Chrome Enhanced Safe Browsing within 5 minutes of enabling Account Level Enhanced Safe Browsing.
- Intent to deprecate and remove: Event.path
To improve web compatibility, we will stop supporting the non-standard APIEvent.path
as early as Chrome 109. Websites should migrate toEvent.composedPath()
, which is a standard API that returns the same result. If you need additional time to adjust, a policy EventPathEnabled, available on Windows, Mac, Linux, ChromeOS, Android and WebView will allow you to extend the lifetime ofEvent.path
by an additional 6 milestones.
- MetricsReportingEnabled policy will be available on Android in Chrome
As early as Chrome 109, Chrome on Android will slightly modify the first run experience to support the MetricsReportingEnabled policy. If the admin disables metrics reporting, there will be no change to the first run experience. If the admin enables metrics, users will still be able to change the setting in Chrome settings. When enabled, the MetricsReportingEnabled policy allows anonymous reporting of usage and crash-related data about Chrome to Google.
- Release of Speculation Rules API for prerender in Android
Chrome 103 introduced same-origin prerendering triggered by the Speculation Rules API. Chrome 109 expands coverage to also allow triggering same-site cross-origin pages. This allows web authors to suggest to Chrome which cross-origin pages that the user is likely to navigate to next. This prerendering will be done with credentials and storage access, but such prerender targets will need to opt in by using theSupports-Loading-Mode: credentialed-prerender
header. An enterprise policy, NetworkPredictionOptions, is available to block the usage of all prerendering activities which will result in Chrome ignoring the hints provided using this API. See our article for more information.
- Content Analysis connector for Local DLP Agent Integration
Some third party software (for example, AV/DLP agents) injects code into Chrome. Though this practice is discouraged, it is still prevalent in the enterprise environment since there are no good alternatives for these local agents.
Chrome 110 will provide secure, native integration that transfers content (file or text) between Chrome and selected 3rd party DLP agents when a Chrome Browser Cloud Management managed user performs an action that sends data from their endpoint using Chrome Enterprise connectors.
- Change in launch schedule starting in Chrome 110
Starting in Chrome 110, Chrome will be rolled out to the Stable channel one week earlier than previously communicated. For example, the Chrome 110 Stable release moves from Feb 7 to Feb 1, 2023.
You can also expect to see a much smaller rollout at a significantly reduced percentage of our user population for the first week of the published Stable release date. The wider rollout to most users will happen at a similar timeframe to the earlier communicated dates.
- Windows 10 as minimum required version in Chrome 110
Microsoft ends support for Windows 7 ESU, Windows 8, and Windows 8.1 extended support on January 10, 2023. Chrome 110, tentatively scheduled for release on February 1, is the first version of Chrome which will have a minimum Windows version of Windows 10.
- Chrome Private Network Access preflights for subresources enforced in Chrome 113
Chrome 104 started sending a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a newAccess-Control-Request-Private-Network: true
header. In this initial phase, this request is sent, but no response is required from network devices. If no response is received, or it does not carry a matchingAccess-Control-Allow-Private-Network: true
header, a warning is shown in DevTools. For more details, see this blog post.
As early as Chrome 110 on Android, the warnings will turn into errors and affected requests will fail, for sites not opted out via an Origin Trial. Remaining platforms will also have these warnings enforced in Chrome 113. You can disable Private Network Access checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
If you want to test this feature in advance, you can enable warnings usingchrome://flags/#private-network-access-send-preflights
. If you want to test how it behaves once warnings turn into errors, you can enablechrome://flags/#private-network-access-respect-preflight-results
.
Chrome is making this change to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks. To learn more about mitigating this change proactively, see details on what to do if your site is affected. Read the whole blog post for a more general discussion and latest updates about Private Network Access preflights.
- Rolling out GPU Changes to NaCL Swapchain and video decoding
As early as Chrome 110, we will refactor the implementation of the NaCL swapchain and the Pepper video decoding APIs. These changes are not intended to have any behavioral impact on users. However, it is possible that due to bugs they might result in visual artifacts, unacceptably slow performance when playing video, unacceptable increases in power, or crashes. Information about how to signal any problems will be available as these refactors roll out.
- WebAuthn cannot be used on sites with TLS certificate errors
Starting on M110, Chrome will stop allowing WebAuthn requests on websites with TLS certificate errors. The criteria will be the same used for showing danger interstitials or a Not secure pill on the omnibox. This will prevent bad actors from generating valid assertions in a Man-in-the-Middle attack on users who may skip the interstitial.
Enterprises will be able to use the AllowWebAuthnWithBrokenTlsCerts policy if needed as a workaround.
- Strict MIME type checks for Worker scripts
As early as Chrome 110, Chrome will strictly check MIME types for Worker scripts, like Service Workers or Web Workers. Strict checking means that Chrome will only accept JavaScript resources for Workers with a MIME type oftext/javascript
. Currently, Chrome will also accept other MIME types, liketext/ascii
. This change is aimed at improving the security of web applications, by preventing inclusion of inappropriate resources as JavaScript files.
Disabling the StrictMimetypeCheckForWorkerScriptsEnabled policy allows you to keep the current behavior.
- Default to origin-keyed agent clustering in Chrome 110
As early as Chrome 110, websites will be unable to setdocument.domain
. Websites will need to use alternative approaches such aspostMessage()
or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation viadocument.domain
to function correctly, it will need to send anOrigin-Agent-Cluster: ?0
header along with all documents that require that behavior.
Note:document.domain
has no effect if only one document sets it.
The OriginAgentClusterDefaultEnabled enterprise policy will allow you to extend the current behavior.
- WebUSB from extension service workers
Chrome 111 will enable access to WebUSB API from extension service workers as a migration path for manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Deprecation of Web SQL and other old Storage features
The Web SQL API is rarely used, and since its removal by Safari, only Chromium-based browsers have supported it. It requires frequent security fixes, and developers have been discouraged from using it for years. We're now engaging in an effort to seek out and warn anyone who may still be using Web SQL, with the goal of removing it entirely in 2023.
What you need to do depends on how you're using Web SQL:
- If you're just using Web SQL to detect whether a given browser is Chrome, that method will stop working when Web SQL is removed. Navigator.userAgentData is a better alternative.
- If you're using Web SQL to simply store a few data points, localStorage and sessionStorage provide easier ways to do this.
- However, if you're using Web SQL for more complex storage, you'll need to find a proper replacement.
Here are some migration options for more complex storage:
- If your storage needs don't require a relational database, IndexedDB is the standard solution for structured storage on the web. Large sites rely on IndexedDB, and all major browsers support it.
- For those who do need a relational database, we are partnering with the SQLite team to create an evergreen cross-browser Web SQL replacement. The team is adding a web backend to SQLite, using Emscripten to compile it to WebAssembly and leveraging the new File System Access Handles API as a low-level virtual file interface. We expect this to be ready for use early in 2023. For more information, see our blog post Deprecating and removing Web SQL, which we'll update when noteworthy events occur.
We've already disabled Web SQL in third-party contexts. The next step is to remove support in non-secure contexts. In Chrome 105, we introduced a deprecation warning in DevTools. We'll remove this support in Chrome 110. An enterprise policy, WebSQLNonSecureContextEnabled, will let Web SQL function in non-secure contexts for a few months past the removal date.
In Chrome 110, we will also remove the window.webkitStorageInfo API. This legacy quota API has been deprecated since 2013, and has been replaced by the now standardized StorageManager API.
- Network Service on Windows will be sandboxed
As early as Chrome 111, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 111 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome Apps are still launchable.
Starting with Chrome 111, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property Extension ID (Chrome App) install_url (PWA / Web App) Gmail pjkljhegncpnkpknbcohdijeoejaedia https://mail.google.com/mail/
installwebapp?usp=adminDocs aohghmighlieiainnegkcijnfilokake https://docs.google.com/document/
installwebapp?usp=adminDrive apdfllckaahabafndbhieahigkjlhalf https://drive.google.com/drive/
installwebapp?usp=adminSheets felcaaldnbdncclmgdcncolpebgiejap https://docs.google.com/spreadsheets/
installwebapp?usp=adminSlides aapocclcgogkmnckokdopfmhonfmgoek https://docs.google.com/presentation/
installwebapp?usp=adminYoutube blpcfgokakmgnkcojhhkbfbldkacnbeo https://youtube.com/s/notifications/
manifest/cr_install.html
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
All new extensions submitted to the Chrome Web Store already must implement Manifest V3, but existing Manifest V2 extensions can still be updated, and still run in Chrome.
In 2023, extensions using Manifest V2 will cease running in Chrome. If your organization is running extensions that use Manifest V2, you must update them to leverage Manifest V3. If you need additional time to adjust to the Manifest V3 transition, you'll be able to extend Manifest V2 support in Chrome using an enterprise policy until January 2024.
You can see which manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
Upcoming ChromeOS changes
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 114, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
- Channel labeling on ChromeOS
Trying out the latest version of ChromeOS? For users on non-stable channels (Beta, Dev, Canary), starting in 109 you will see which channel you are on in the bottom right. Selecting the time to open quick settings will have a new UI with the device build as well as a button directly to submit feedback.
- Cursive pre-installed for Enterprise and Education accounts
As early as ChromeOS 110, Cursive is a stylus-first notes app for Chromebooks. In an upcoming release, it will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks.
- Fast Pair
Fast Pair makes Bluetooth pairing easier on ChromeOS devices and Android phones. When you turn on your Fast Pair-enabled accessory, it automatically detects and pairs with your ChromeOS device or Android phone in a single tap. Fast Pair also associates your Bluetooth accessory with your Google account, making it incredibly simple to move between devices without missing a beat. This feature will be available as early as ChromeOS 111.
- Updates to emoji picker
In ChromeOS 111, the emoji picker will include commonly used symbols and characters, such as scientific notations and math operators. In addition, we will include text-based emoticons (kaomoji) for even more expressive conversations. The new top-level navigation bar will help you find the high-level category quickly, ranging from emojis, symbols, and emoticons. The improved universal search will show possible matches from all categories.
Chrome 107
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Support for Encrypted Client Hello (ECH) | ✓ | ||
User-Agent reduction Phase 5 | ✓ | ||
Marshmallow deprecation for Chrome on Android | ✓ | ||
BuiltinCertificateVerifierEnabled removed on Mac | ✓ | ||
Updates to Incognito Mode | ✓ | ||
A redesign for browser downloads | ✓ | ||
Password import for Chrome Desktop | ✓ | ||
Sync after sign-in intercept | ✓ | ✓ | |
Updated Media picker on Android | ✓ | ||
Automatic revocation of disruptive notifications | ✓ | ||
DisplayCapturePermissionsPolicyEnabled policy removed | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Camera Framing | ✓ | ||
Files app: Improved filtering in Recent tab | ✓ | ||
Lock device on lid close | ✓ | ||
3P Identity Provider: Autofill username | ✓ | ✓ | |
Deprecate Assistant stylus features | ✓ | ||
Saved desks | ✓ | ||
Close a desk and its windows in one click | ✓ | ||
Photos integrations | ✓ | ||
Long-press to add accents | ✓ | ||
ChromeOS Accessibility settings improvements | ✓ | ✓ | |
Multi-touch virtual keyboard | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Managed browser list: CSV export limit increased to 150,000 records | ✓ | ||
Admin console: Extension request card | ✓ | ||
Text action buttons instead of icons in Device and Browser lists | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Change Async methods to Sync in FileSystemSyncAccessHandle | ✓ | ✓ | |
As early as Chrome 108, Chrome will change the UI for some download warnings. | ✓ | ✓ | |
Password Manager: Updates on iOS | ✓ | ||
Password Manager: Notes for Passwords | ✓ | ||
Windows: Pin to taskbar during install | ✓ | ||
Removal of master_preferences | ✓ | ||
Device token deletion | ✓ | ||
Rolling out GPU changes to NaCL Swapchain and video decoding | ✓ | ||
Strict MIME type checks for Worker scripts | ✓ | ||
Chrome sends Private Network Access preflights for subresources | ✓ | ||
Default to origin-keyed agent clustering in Chrome 109 | ✓ | ||
Intent to deprecate and remove: Event.path | ✓ | ||
MetricsReportingEnabled policy will be available on Android in Chrome | ✓ | ||
Windows 10 minimum required version in Chrome 110 | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Chrome apps no longer supported on Windows, Mac, and Linux | ✓ | ✓ | |
Deprecation of Web SQL and other old storage features | ✓ | ||
Extensions must be updated to use Manifest V3 | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
Fast Pair | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ | |
ChromeOS Camera App: Document scanning improvements | ✓ | ||
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Super Resolution Audio for Bluetooth headset microphones | ✓ | ||
Channel labeling on ChromeOS | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Support for Encrypted Client Hello (ECH)
Chrome 107 starts rolling out support for ECH on sites that opt in, as a continuation of our network related efforts to improve our users’ privacy and safety on the web, for example, Secure DNS.
If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it. You can enable the new behavior by navigating to chrome://flags and enabling the #encrypted-client-hello flag. On Windows and Linux, you also need to enable Secure DNS for the flag to have an effect.
If you encounter any incompatibilities, you can use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.
- User-Agent reduction Phase 5
User-Agent (UA) reduction describes the effort to minimize the identifying information shared in the User-Agent string which might be used for passive fingerprinting. Beginning in Chrome 107, Chrome reduces some portions of the User-Agent string on desktop devices. As previously detailed in the Chromium blog, we intend to proceed with Phase 5 of the User-Agent reduction plan. The<platform>
and<oscpu>
tokens, parts of the User-Agent string, are reduced to the relevant<unifiedPlatform>
token values, and are no longer updated. Additionally, the values for navigator.platform are frozen on desktop platforms. For more details, see this reference page and Chromium update.
The UserAgentReduction policy allows for opting out of these changes.
- BuiltinCertificateVerifierEnabled removed on Mac
In Chrome 107, we have removed the BuiltinCertificateVerifierEnabled policy on Mac. This policy was used to control the use of the built-in certificate verifier while using the platform provided root store. Since Chrome 105, a new implementation is available that uses the built-in certificate verifier with the Chrome Root Store. You can control the new implementation using the ChromeRootStoreEnabled policy.
- Updates to Incognito mode on iOS
Users can configure Chrome to open external links in Incognito using Settings > Privacy and Security > Ask to open links from other apps in Incognito. If you use the IncognitoModeAvailability policy to disable or to force Incognito mode, the policy setting takes precedence, and this user setting won't be available.
- A redesign for browser downloads
In Chrome 107, remaining users now see a redesigned downloads experience for desktop that moves downloads into a secondary UI surface, following an initial rollout in Chrome 102. The new download tray stems from the trusted UX of Chrome and allows for more effective warnings to better protect users. If you need extra time to adjust to this change, the DownloadBubbleEnabled enterprise policy is available to temporarily keep the old behavior.
- Password import for Chrome Desktop
Starting in Chrome 107 Desktop users can import their passwords using Chrome browser. Previously, users were only able to import viapasswords.google.com
. They can now upload a CSV file of passwords to add them to their saved passwords in Google Password Manager. If the user has sync enabled, their passwords are available across their devices, where they are signed in with the same account.
- Sync after sign-in intercept
To provide a more consistent experience, Chrome now shows a new welcome screen after the user creates a new profile through the sign-in intercept. The user can optionally enable sync as well as modify the new profile name and theme color. The sign-in intercept bubble now contains an enterprise disclaimer if a new profile is to be managed by an organization. This also modifies the signed-out profile creation experience for consistency with other flows.
Enterprise administrators can disable the welcome dialog by setting the PromotionalTabsEnabled policy to false.
- Automatic revocation of disruptive notifications
Some notification prompts and messages are increasingly disruptive for users. Chrome automatically removes the notification grant for sites that send such notifications to users, as these sites are violating Google’s Developer Terms of Service. These sites also have subsequent notification prompts muted.
Any sites listed in the NotificationsAllowedForUrls enterprise policy do not have their notification permissions revoked.
- DisplayCapturePermissionsPolicyEnabled policy removed
Thedisplay-capture
permissions-policy controls access to thegetDisplayMedia()
method, in accordance with the Screen Capture W3 specification.
In Chrome 94, we introduceddisplay-capture
as well as the enterprise policy, DisplayCapturePermissionsPolicyEnabled, for bypassing it. Chrome 107 removes this enterprise policy, so it is no longer possible to bypass thedisplay-capture
permissions-policy.
- New and updated policies in Chrome browser
Policy
Description
Show Journeys on the Chrome history page, available on Android.
Allow using Google Assistant on the web, for example, to enable changing passwords automatically.
Enable strict MIME type checking for worker scripts.
ShoppingListEnabled
This policy controls the availability of the shopping list feature.
ChromeOS updates
- Camera Framing
Camera Framing provides automatic zooming and centering of the user's face for video conference calls or taking selfies. If the device or camera supports Camera Framing, there’s a prompt and an option in Quick Settings to enable or disable the feature. To center yourself again, simply toggle the feature off and back on.
- Lock device on lid close
Settings now supports locking a device when the lid closes without suspending. This can be helpful if you have background tasks such as an SSH connection and don’t want them to be paused. The existing settings for Show lock screen when waking from sleep now also apply to lock the screen when closing the lid.
On an enterprise level, admins can set Action on lid close to Do nothing, by setting the LidCloseAction policy to 3 = Do nothing, and set Lock screen on sleep or lid close, by setting the ChromeOsLockOnIdleSuspend policy to true. With these settings, devices lock when the lid is closed except if they are docked and using an external monitor. In such a case, the device does not lock when the lid closes, but it locks if the external monitor is removed and the lid is still closed.
After locking, the device sleeps if configured to do so after an idle timeout, determined by the PowerManagementIdleSettings policy. If wake locks are allowed and an application holds a wake lock, with the AllowWakeLocks policy, the device does not sleep, which significantly affects battery consumption.
- 3P Identity Provider: Autofill username
With ChromeOS 107, we improve the online login flow for Chrome Enterprise and Education users that authenticate with Azure AD or Okta. Admins can activate the DeviceAutofillSAMLUsername policy to ensure that users no longer have to re-enter their username when authenticating with a third-party identity provider (3P IdP).
- Photos integrations
As early as Oct 3rd, Chromebook users get access to enhanced video editing features from Google Photos. The experience is optimized for a larger screen, and seamlessly integrates with the built-in Gallery app and your Chromebook files – so you can use local images and clips recorded on your Chromebook camera or stored in your Files app to build your movie.
While movie editing typically comes with a steep learning curve, the revamped movie creation tools in Google Photos help you make high-quality movies with just a few taps using your video clips and photos. Starting in Q4 2022, you can create beautiful movies from suggested themes, or put yourself in the director's seat and start from scratch, right on your Chromebook.
Admin console updates
- New policies in the Admin console
Policy Name
Pages
Supported on
Category/Field
Networks Settings
ChromeOS
General settings > Block SSIDs
User & Browser Settings
Chrome
ChromeOS
Security > Compromised password alerts
User & Browser Settings
ChromeOS
Security > WebAuthn
Device Settings
ChromeOS
Device updates > Auto-update settings > Allow peer to peer auto update downloads
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel
Upcoming Chrome browser changes
- Change Async methods to Sync in FileSystemSyncAccessHandle Launch
In Chrome 108,getSize()
,truncate()
,flush()
andclose()
async methods inFileSystemSyncAccessHandle
primitive in the File System Access API will be converted to synchronous methods, in line withread()
andwrite()
methods.
This change supports a fully synchronous API forFileSystemSyncAccessHandle
, enabling high performance for WebAssembly (WASM) based applications.
An enterprise policy, FileSystemSyncAccessHandleAsyncInterfaceEnabled, will be available until Chrome 110 to enable the async methods.
- As early as Chrome 108, Chrome will change the UI for some download warnings
To protect users from malware, Chrome will start to show detailed context and customized UIs for some download warnings. For example, if Chrome detects a download to potentially steal user's information, the description will be changed from Chrome blocked this file because it is dangerous to This file contains malware that can compromise your personal or social network accounts. You can disable download warnings by setting the SafeBrowsingProtectionLevel enterprise policy, or allowlist specific domains using SafeBrowsingAllowlistDomains.
- Password Manager: Updates on iOS
From Chrome on iOS 108, we plan to make it easier for users to access their passwords. The password list view will be simplified, to show users just their passwords. Password-related settings will be moved to their own screen, making it easier for users to see and manage their settings in one place. Existing features like adding or editing passwords and password checkup will remain available on the password list view.
- Password Manager: Notes for Passwords
From Chrome for Desktop 108, you will be able to save a note for each saved credential in the password manager. Passwords (and notes) will move to a sub-page and will no longer be accessible from the eye icon on the Password List View, as part of this change. You will now need to re-authenticate before accessing the sub-page.
- Windows: pin to taskbar during install
As early as Chrome 108, the Chrome installer will pin Chrome to the Windows taskbar for easier access to Chrome. You will be able to use thedo_not_create_desktop_shortcut
setting in initial_preferences to control this behavior.
- Removal of master_preferences
master_preferences and initial_preferences are ways of setting default preferences for a Chrome install. The historical name of the file is master_preferences, but it was renamed to initial_preferences in Chrome 91. To make the transition easy for IT admins, from Chrome 91 to Chrome 107, naming the file either initial_preferences or master_preferences has the same effect. In Chrome 108, if you name the file master_preferences, it will not work by default. You should rename the file initial_preferences.
- Rolling out GPU Changes to NaCL Swapchain and video decoding
As early as Chrome 109, we will refactor the implementation of the NaCL swapchain and the Pepper video decoding APIs. These changes are not intended to have any behavioral impact on users. However, it is possible that due to bugs they might result in visual artifacts, unacceptably slow performance when playing video, unacceptable increases in power, or crashes. Information about how to signal any problems will be available as these refactors roll out.
- Strict MIME type checks for Worker scripts
Starting with Chrome 109, Chrome will strictly check MIME types for Worker scripts, like Service Workers or Web Workers. Strict checking means that Chrome will only accept JavaScript resources for Workers with a MIME type oftext/javascript
. Currently, Chrome will also accept other MIME types, liketext/ascii
. This change is aimed at improving the security of web applications, by preventing inclusion of inappropriate resources as JavaScript files.
- Chrome sends Private Network Access preflights for subresources
Chrome 104 started sending a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a newAccess-Control-Request-Private-Network: true
header. In this initial phase, this request is sent, but no response is required from network devices. If no response is received, or it does not carry a matchingAccess-Control-Allow-Private-Network: true
header, a warning is shown in DevTools. For more details, see this blog post.
In Chrome 109 at the earliest, the warnings will turn into errors and affected requests will fail. You can disable Private Network Access checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
If you want to test this feature in advance, you can enable warnings usingchrome://flags/#private-network-access-send-preflights
. If you want to test how it behaves once warnings turn into errors, you can enablechrome://flags/#private-network-access-respect-preflight-results
.
Chrome is making this change to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks. To learn more about mitigating this change proactively, see details on what to do if your site is affected. Read the whole blog post for a more general discussion and latest updates about Private Network Access preflights.
- Default to origin-keyed agent clustering in Chrome 109
As early as Chrome 109, websites will be unable to set document.domain. Websites will need to use alternative approaches such aspostMessage()
or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation viadocument.domain
to function correctly, it will need to send anOrigin-Agent-Cluster: ?0
header along with all documents that require that behavior.
Note:document.domain
has no effect if only one document sets it.
The OriginAgentClusterDefaultEnabled enterprise policy will allow you to extend the current behavior.
- Intent to deprecate and remove: Event.path
To improve web compatibility, we will stop supporting the non-standard API Event.path as early as Chrome 109. Websites should migrate toEvent.composedPath()
, which is a standard API that returns the same result. If you need additional time to adjust, a policy EventPathEnabled, available on Windows, Mac, Linux, ChromeOS, Android and WebView will allow you to extend the lifetime ofEvent.path
by an additional 6 milestones.
- MetricsReportingEnabled policy will be available on Android in Chrome
As early as Chrome 109, Chrome on Android will slightly modify the first run experience to support the MetricsReportingEnabled policy. If the admin disables metrics reporting, there will be no change to the first run experience. If the admin enables metrics, users will still be able to change the setting in Chrome settings. When enabled, the MetricsReportingEnabled policy allows anonymous reporting of usage and crash-related data about Chrome to Google.
- Windows 10 as minimum required version in Chrome 110
Microsoft ends support for Windows 7 ESU and Windows 8.1 extended support on January 10, 2023. Chrome 110, tentatively scheduled for release on February 7, is the first version of Chrome which will have a minimum Windows version of Windows 10.
- Network Service on Windows will be sandboxed
As early as Chrome 111, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 111 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome Apps are still launchable.
Starting with Chrome 111, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property
Extension ID (Chrome App)
install_url (PWA / Web App)
Gmail
pjkljhegncpnkpknbcohdijeoejaedia
https://mail.google.com/mail/
installwebapp?usp=adminDocs
aohghmighlieiainnegkcijnfilokake
https://docs.google.com/document/
installwebapp?usp=adminDrive
apdfllckaahabafndbhieahigkjlhalf
https://drive.google.com/drive/
installwebapp?usp=adminSheets
felcaaldnbdncclmgdcncolpebgiejap
https://docs.google.com/spreadsheets/
installwebapp?usp=adminSlides
aapocclcgogkmnckokdopfmhonfmgoek
https://docs.google.com/presentation/
installwebapp?usp=adminYoutube
blpcfgokakmgnkcojhhkbfbldkacnbeo
https://youtube.com/s/notifications/
manifest/cr_install.html
- Deprecation of Web SQL and other old Storage features
The Web SQL API is rarely used, and since its removal by Safari, only Chromium-based browsers have supported it. It requires frequent security fixes, and developers have been discouraged from using it for years. We're now engaging in an effort to seek out and warn anyone who may still be using Web SQL, with the goal of removing it entirely in 2023.
What you need to do depends on how you're using Web SQL:
- If you're just using Web SQL to detect whether a given browser is Chrome, that method will stop working when Web SQL is removed. Navigator.userAgentData is a better alternative.
- If you're using Web SQL to simply store a few data points,
localStorage
andsessionStorage
provide easier ways to do this. - However, if you're using Web SQL for more complex storage, you'll need to find a proper replacement.
Here are some migration options for more complex storage:
- If your storage needs don't require a relational database, IndexedDB is the standard solution for structured storage on the web. Large sites rely on IndexedDB, and all major browsers support it.
- For those who do need a relational database, we are partnering with the SQLite team to create an evergreen cross-browser Web SQL replacement. The team is adding a web backend to SQLite, using Emscripten to compile it to WebAssembly and leveraging the new File System Access Handles API as a low-level virtual file interface. We expect this to be ready for use early in 2023. For more information, see our blog post Deprecating and removing Web SQL, which we'll update when noteworthy events occur.
We've already disabled Web SQL in third-party contexts. The next step is to remove support in non-secure contexts. In Chrome 105, we introduced a deprecation warning in DevTools. We'll remove this support in early 2023. An enterprise policy, WebSQLNonSecureContextEnabled, will let Web SQL function in non-secure contexts for a few months past the removal date.
In early 2023, we will also remove the window.webkitStorageInfo API. This legacy quota API has been deprecated since 2013, and has been replaced by the now standardized StorageManager API.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
All new extensions submitted to the Chrome Web Store already must implement Manifest V3, but existing Manifest V2 extensions can still be updated, and still run in Chrome.
In 2023, extensions using Manifest V2 will cease running in Chrome. If your organization is running extensions that use Manifest V2, you must update them to leverage Manifest V3. If you need additional time to adjust to the Manifest V3 transition, you'll be able to extend Manifest V2 support in Chrome using an enterprise policy until January 2024.
You can see which manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
Upcoming ChromeOS changes
- Fast Pair
Fast Pair makes Bluetooth pairing easier on ChromeOS devices and Android phones. When you turn on your Fast Pair-enabled accessory, it automatically detects and pairs with your ChromeOS device or Android phone in a single tap. Fast Pair also associates your Bluetooth accessory with your Google account, making it incredibly simple to move between devices without missing a beat. This feature will be available as early as ChromeOS 108.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 108, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
- ChromeOS Camera App: Document scanning improvements
From M107, document scanning in the ChromeOS Camera App will be automatically downloaded when the user selects it, making it available to more devices including those with Apollo Lake and MT8173 processors. From M108, the document scanning feature will support taking multiple pages and combining them into a single PDF.
- Cursive pre-installed for Enterprise and Education accounts
As early as ChromeOS 109, Cursive is a stylus-first notes app for Chromebooks. In an upcoming release, it will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks.
- Channel labeling on ChromeOS
Trying out the latest version of ChromeOS? For users on non-stable channels (Beta, Dev, Canary), starting in 109 you will see which channel you are on in the bottom right. Selecting the time to open quick settings will have a new UI with the device build as well as a button directly to submit feedback.
Chrome 106
Chrome browser updates | Security/ Privacy | User productivity/ Apps | Management |
---|---|---|---|
Accurate screen labels for window placement | ✓ | ||
Chrome shows Journeys on the History page on Android | ✓ | ||
Incognito lock on Android | ✓ | ||
Incognito downloads prompt on Android | ✓ | ||
Release of Prerender2 in Desktop | ✓ | ||
Chrome allows users to search their history, bookmarks, and tabs directly in the Omnibox | ✓ | ||
New lock screen widgets for iOS 16 | ✓ | ||
Updates to the instructional chip shown for region search | ✓ | ||
Persistent quota deprecation launch | ✓ | ||
Changes to chrome.runtime | ✓ | ||
New and updated policies in Chrome browser | ✓ | ||
ChromeOS updates | Security/ Privacy | User productivity/ Apps | Management |
Default link capture behavior | ✓ | ||
Admin console updates | Security/ Privacy | User productivity/ Apps | Management |
Networks management in Chrome Policy API | ✓ | ||
CUPS print servers management in Chrome Policy API | ✓ | ||
Support for group-based policies for printers in Policy API | ✓ | ||
New policies in the Admin console | ✓ | ||
Upcoming Chrome browser changes | Security/ Privacy | User productivity/ Apps | Management |
Support for Encrypted Client Hello (ECH) | ✓ | ||
Link anonymization when entering Incognito | ✓ | ✓ | |
Device token deletion | ✓ | ||
MetricsReportingEnabled policy will be available on Android in Chrome | ✓ | ||
Removal of window.webkitStorageInfo | ✓ | ||
Removal of master_preferences | ✓ | ||
User-Agent reduction Phase 5 | ✓ | ||
Automated password changes on Desktop | ✓ | ||
Chrome sends Private Network Access preflights for subresources | ✓ | ||
Marshmallow deprecation for Chrome on Android | ✓ | ||
BuiltinCertificateVerifierEnabled being removed on Mac | ✓ | ||
Network Service on Windows will be sandboxed | ✓ | ||
Chrome apps no longer supported on Windows, Mac, and Linux | ✓ | ✓ | |
Default to origin-keyed agent clustering in Chrome 109 | ✓ | ||
Intent to deprecate and remove: Event.path | ✓ | ||
Windows 10 as minimum required version in Chrome 110 | ✓ | ||
Web SQL deprecation in non-secure contexts | ✓ | ||
Extensions must be updated to leverage Manifest V3 | ✓ | ||
Upcoming ChromeOS changes | Security/ Privacy | User productivity/ Apps | Management |
ChromeOS Accessibility settings improvements | ✓ | ||
Photos integrations | ✓ | ||
Cursive pre-installed for Enterprise and Education accounts | ✓ | ||
Long-press diacritics | ✓ | ||
Channel labeling on ChromeOS | ✓ | ||
Save and recall Desks | ✓ | ||
Super Resolution Audio for Bluetooth headset microphones | ✓ | ||
Multi-touch virtual keyboard | ✓ | ||
Fast Pair | ✓ | ||
Passpoint: Seamless, secure connection to Wi-Fi networks | ✓ | ✓ |
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Accurate screen labels for window placement
Chrome 105 launched a feature to display a label that meaningfully describes the screen to a user. For example, you can use this label to request permission to open and place windows on a connected screen.
This feature is a requested enhancement of the Multi-Screen Window Placement API which launched in Chrome 100, and was first rolled out in Chrome 105. You can read more on our Chrome Platform Status page. Enterprise policies are available to control access to the Window Placement API: WindowPlacementAllowedForUrls and WindowPlacementBlockedForUrls.
- Chrome shows Journeys on the History page on Android
- Incognito lock on Android
Chrome 106 on Android 11 and later requires authentication when resuming an Incognito session. The feature is disabled by default. It can be enabled using the new Lock Incognito tabs when you leave Chrome toggle under Settings > Privacy and security. This feature is not available on managed devices where the IncognitoModeAvailability enterprise policy is set to Disabled.
- Release of Prerender2 in Desktop
Expanding our prerender efforts released on Chrome 101 for Android, we shipped Prerender2 for Desktop in Chrome 105 which allows Chrome to pre-render pages that the user may highly-likely navigate next, aiming to produce an instant navigation. An enterprise policy, NetworkPredictionOptions, is available to block the usage of all prerendering activities which results in Chrome ignoring any hints or triggers to prerender a page. See our article for more information.
- Chrome allows users to search their history, bookmarks, and tabs directly in the Omnibox
Chrome 106 helps users to quickly find what they are looking for by enabling them to search their history, bookmarks, or tabs directly in the Omnibox. Using one of the prepopulated shortcuts—@history, @bookmarks, or @tabs—users can choose to conduct a focused search limited to the area selected. You can change or deactivate these shortcuts in Settings -> Search Engine > Manage search engine and site search > Site search.
- Updates to the instructional chip shown when using region search
When using Google Lens, some users see a new look on their instructional chip, which includes a helpful icon and updated text. This ensures users have all the information they need to search visual elements on their screen. You can control this feature with the LensRegionSearchEnabled enterprise policy.
- Persistent quota deprecation launch
In Chrome 106, the window.PERSISTENT quota type inwebkitRequestFileSystem
is no longer supported.webkitRequestFileSystem
still accepts a type parameter and use of the PERSISTENT and TEMPORARY types creates file systems with separate roots, but the PERSISTENT type no longer grants access to a persistent file system.
Legacy quota APInavigator.webkitPersistentStorage
is an alias tonavigator.webkitTemporaryStorage
. The deprecated quota, APIwebkitStorageInfo
, ignores thestorageType
parameter for its methods.
- Changes to chrome.runtime
In Chrome 106, chrome.runtime is no longer defined unconditionally on all sites. In contexts where there is no connectable extension, websites should never expectchrome.runtime
to be defined.
Over the past couple of months, we have taken steps to remove Chrome's legacy U2F security API. This API was implemented in an internal Chrome extension called CryptoToken, which by design was externally connectable from all URLs. The presence of this extension meant thatchrome.runtime
was effectively always defined on any web origin, because there was always at least one extension to connect to, even if the user installed no other connectable extensions. As part of the U2F removal process, Chrome 106 stops loading CryptoToken by default, which means thatchrome.runtime
is now undefined in contexts where there is no other connectable extension.
Websites should never assume thatchrome.runtime
is defined unconditionally. As a temporary workaround, the effects of this change can be reversed by enabling thechrome://flags/#load-cryptotoken-extension
flag or by using the enterprise policy named LoadCryptoTokenExtension.
- New and updated policies in Chrome browser
Policy Description Load the CryptoToken component extension at startup.
Configuration policy for the OnPrint Google Enterprise Connector.
Keep browsing data by default when creating enterprise profile.
Enable or disable persistent quota.
Re-enable the deprecated
window.webkitStorageInfo
API.
ChromeOS updates
- Default link capture behavior
Newly installed apps no longer handle links clicked in the browser by default. Links clicked in the browser are always opened in the browser, unless the Open supported links setting is enabled from the Settings app.
Admin console updates
- Networks management in Chrome Policy API
We have added support for network management in the Chrome Policy API. This allows admins to use the API to create, delete, and configure WiFi, ethernet, and VPN networks, and certificates. For more details, see Policy schema names.
- CUPS print servers management in Chrome Policy API
Admins can now create, delete, and manage print server configurations within their ecosystem using the Chrome Policy API. For more details, see the Chrome Printer Management API guide and Policy schema names.
- Support for group-based policies for printers in Policy API
Adding to existing support for printer management on an OU-by-OU basis, admins can now modify printer settings for particular Google groups within their organization using the Policy API. For more details, see Group policy.
- New policies in the Admin console
Policy Name Pages Supported on Category/Field WebUsbAllowDevicesForUrls User & Browser Settings; Managed Guest Session Chrome ChromeOS Android Hardware > WebUSB API allowed devices ApplicationLocaleValue User & Browser Settings Windows User experience > Browser locale RestoreOnStartup User & Browser Settings; Managed Guest Session Chrome ChromeOS Startup > Pages to load on startup
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming Chrome browser changes
- Support for Encrypted Client Hello (ECH)
As early as Chrome 107, Chrome will start rolling out support for ECH on sites that opt-in, as a continuation of our network related efforts to improve our users’ privacy and safety on the web, for example, Secure DNS.If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it with Chrome 106. You can enable the new behavior by navigating to
If you encounter any incompatibilities, you will be able to use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.chrome://flags
and enabling the#encrypted-client-hello
flag. On Windows and Linux, you also need to enable Secure DNS for the flag to have an effect.
- Link anonymization when entering Incognito
As early as Chrome 107, Chrome will remove some URL parameters when a user selects Open link in incognito window from the context menu. You can control this behavior with the UrlParamFilterEnabled enterprise policy.
- MetricsReportingEnabled policy will be available on Android in Chrome
As early as Chrome 107, Chrome on Android will slightly modify the first run experience to support the MetricsReportingEnabled policy. If the admin disables metrics reporting, there will be no change to the first run experience. If the admin enables metrics, users will still be able to change the setting in Chrome settings. When enabled, the MetricsReportingEnabled policy allows anonymous reporting of usage and crash-related data about Chrome to Google.
- Removal of window.webkitStorageInfo
As early as Chrome 107, window.webkitStorageInfo API will be removed. This legacy quota API has been deprecated since 2013, and has been replaced by the now standardized StorageManager API.
- Removal of master_preferences
master_preferences and initial_preferences are ways of setting default preferences for a Chrome install. The historical name of the file is master_preferences, but it was renamed to initial_preferences in Chrome 91. To make the transition easy for IT admins, from Chrome 91 to Chrome 107, naming the file either initial_preferences or master_preferences has the same effect. In Chrome 108, if you name the file master_preferences, it will not work by default. You should rename the file initial_preferences.
Alternatively, you will be able to use the CompatibleInitialPreferences enterprise policy to extend support for the master_preferences naming. This policy is not currently available.
- User-Agent reduction Phase 5
Beginning in Chrome 107, some portions of the User-Agent string will be reduced on desktop devices. As previously detailed in the Chromium blog, we intend to proceed with Phase 5 of the User-Agent reduction plan. The<platform>
and<oscpu>
tokens, parts of the User-Agent string, are reduced to the relevant<unifiedPlatform>
token values, and will no longer be updated. Additionally, the values fornavigator.platform
are frozen on desktop platforms. For more details, see this Chromium update.
The UserAgentReduction policy will allow for opting out of these changes.
- Automated password changes on Desktop
Chrome 107 will allow users to change their passwords automatically using Google Assistant on Desktop. If their passwords have been compromised, for example, this feature makes it easier to change passwords, and ultimately will help keep users safer. A policy will be available to enable or disable automated password changes in Google Assistant.
- Chrome sends Private Network Access preflights for subresources
Chrome 104 started sending a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a newAccess-Control-Request-Private-Network: true
header. In this initial phase, this request is sent, but no response is required from network devices. If no response is received, or it does not carry a matchingAccess-Control-Allow-Private-Network: true
header, a warning is shown in DevTools. For more details, see this blog post).
In Chrome 107 at the earliest, the warnings will turn into errors and affected requests will fail. You can disable Private Network Access checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
If you want to test this feature in advance, you can enable warnings usingchrome://flags/#private-network-access-send-preflights
. If you want to test how it behaves once warnings turn into errors, you can enablechrome://flags/#private-network-access-respect-preflight-results
.
Chrome is making this change to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks. To learn more about mitigating this change proactively, see details on what to do if your site is affected. Read the whole blog post for a more general discussion and latest updates about Private Network Access preflights.
- BuiltinCertificateVerifierEnabled being removed on Mac
The BuiltinCertificateVerifierEnabled policy will be removed in Chrome 107 on Mac. This policy was used to control the use of the built-in certificate verifier while using the platform provided root store. Starting in Chrome 105, a new implementation is available that uses the built-in certificate verifier with the Chrome Root Store. The new implementation may be controlled by the ChromeRootStoreEnabled policy.
- Network Service on Windows will be sandboxed
As early as Chrome 108, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, Chrome apps are being phased out in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 109 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome Apps are still launchable.
Starting with Chrome 109, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property Extension ID (Chrome App) install_url (PWA / Web App) Gmail pjkljhegncpnkpknbcohdijeoejaedia https://mail.google.com/mail/installwebapp?usp=admin Docs aohghmighlieiainnegkcijnfilokake https://docs.google.com/document/
installwebapp?usp=adminDrive apdfllckaahabafndbhieahigkjlhalf https://drive.google.com/drive/
installwebapp?usp=adminSheets felcaaldnbdncclmgdcncolpebgiejap https://docs.google.com/spreadsheets/
installwebapp?usp=adminSlides aapocclcgogkmnckokdopfmhonfmgoek https://docs.google.com/presentation/
installwebapp?usp=adminYoutube blpcfgokakmgnkcojhhkbfbldkacnbeo https://youtube.com/s/notifications/
manifest/cr_install.html
- Default to origin-keyed agent clustering in Chrome 109
As early as Chrome 109, websites will be unable to setdocument.domain
. Websites will need to use alternative approaches such aspostMessage()
or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation viadocument.domain
to function correctly, it will need to send anOrigin-Agent-Cluster: ?0
header along with all documents that require that behavior.
Note:document.domain
has no effect if only one document sets it.
- Intent to deprecate and remove: Event.path
To improve web compatibility, we will stop supporting the non-standard APIEvent.path
as early as Chrome 109. Websites should migrate toEvent.composedPath()
, which is a standard API that returns the same result. If you need additional time to adjust, a policy EventPathEnabled, available on Windows, Mac, Linux, ChromeOS, Android and WebView will allow you to extend the lifetime ofEvent.path
by an additional 6 milestones.
- Windows 10 as minimum required version in Chrome 110
Microsoft ends support for Windows 7 ESU and Windows 8.1 extended support on January 10, 2023. Chrome 110, tentatively scheduled for release on February 7, is the first version of Chrome which will have a minimum Windows version of Windows 10.
- Web SQL deprecation in non-secure contexts
The non-standard Web SQL API is rarely used and requires frequent security fixes. At this point, only Chromium-based browsers support it. Web developers have been discouraged from using it for years. We are engaging in a careful process to seek out and warn partners who may still be using Web SQL, with the goal of removing it from Chrome entirely in 2023. Meanwhile, we're working on a replacement using WebAssembly.
We've already disabled Web SQL in third-party contexts. The next step is to remove support in non-secure contexts. In Chrome 105, we introduced a deprecation warning in DevTools. In early 2023, we plan to remove support in third-party contexts.
An enterprise policy, WebSQLNonSecureContextEnabled, is available when support ends, to allow Web SQL API to function in non-secure contexts if needed. The policy will expire in alignment with the API’s non-secure context removal schedule, currently planned for Chrome 110.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
All new extensions submitted to the Chrome Web Store already must implement Manifest V3, but existing Manifest V2 extensions can still be updated, and still run in Chrome.
In 2023, extensions using Manifest V2 will cease running in Chrome. If your organization is running extensions that use Manifest V2, you must update them to leverage Manifest V3. If you need additional time to adjust to the Manifest V3 transition, you'll be able to extend Manifest V2 support in Chrome using an enterprise policy until at least January 2024.
You can see which manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to our recent update on the transition to Manifest V3 and to the Manifest V2 support timeline.
Upcoming ChromeOS changes
- Photos integrations
As early as Oct 3rd, Chromebook users will get access to enhanced video editing features from Google Photos. The experience is optimized for a larger screen, and will seamlessly integrate with the built-in Gallery app and your Chromebook files—so you can use local images and clips recorded on your Chromebook camera or stored in your Files app to build your movie.
While movie editing typically comes with a steep learning curve, the revamped movie creation tools in Google Photos help you make high-quality movies with just a few taps using your video clips and photos. Starting in Q4 2022, you’ll be able to create beautiful movies from suggested themes, or put yourself in the director's seat and start from scratch, right on your Chromebook.
- Cursive pre-installed for Enterprise and Education accounts
As early as ChromeOS 107, Cursive is a stylus-first notes app for Chromebooks. In an upcoming release, it will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks.
- Long-press diacritics
In the virtual keyboard, users can hold a key to type an accented version or variant of that letter. Now users with a hardware keyboard can also hold a letter key to choose an accent or a letter variant. For example, hold the e key to see a list of accents, such as è in caffè or é in déjà vu.
- Channel labeling on ChromeOS
Trying out the latest version of ChromeOS? For users on non-stable channels (Beta, Dev, Canary), you will see which channel you are on next to the battery icon in the bottom right. Selecting the time to open quick settings will have a new UI with the device build as well as a button directly to submit feedback.
- Save and recall Desks
Starting in 107, you will be able to save and close an entire virtual desk, including all its app windows and their layout — perfect for when you want to switch gears or focus on a different task. When you’re ready to get back to it, you can open your saved desk and all its windows and tabs with a click.
- Fast Pair
Fast Pair makes Bluetooth pairing easier on ChromeOS devices and Android phones. When you turn on your Fast Pair-enabled accessory, it automatically detects and pairs with your ChromeOS device or Android phone in a single tap. Fast Pair also associates your Bluetooth accessory with your Google account, making it incredibly simple to move between devices without missing a beat. This feature will be available as early as ChromeOS 108.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 108, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
Additional resources
- How Chrome releases work—Chrome Release Cycle
- Chrome Browser downloads and Chrome Enterprise product overviews—Chrome Browser for enterprise
- Chrome version status and timelines—Google Update Server Viewer
- Announcements: Chrome Releases Blog | Chromium Blog
- Developers: Learn about changes to the web platform
Still need help?
- G Suite, Cloud Identity customers (authorized access only)—Contact support
- Chrome Browser Enterprise Support—Sign up to contact a specialist
- Chrome Administrators Forum
- Chrome Enterprise Help Center