v96.0 [Sep 25, 2021]
- Chrome on Android no longer supports Android Lollipop.
- Apps shortcut in the bookmarks bar defaults to off.
- Network data moves to a new folder on Windows.
- New security events for BeyondCorp Enterprise Threat and Data Protection.
- Feature flag to force the Chrome Major Version number to 100.
- DNS-based HTTP to HTTPS redirect.
- Chrome shows Journeys in the History page.
- Chrome starts deprecating the U2F security key API.
- Chrome on Android shows reuse warnings for Google passwords.
- Chrome sync ends support for Chrome 48 and earlier.
- Migrate to Open Screen Library Cast channel.
- Google Toolbar for Internet Explorer no longer available.
- Chrome installer for macOS now available as a single universal version.
- New and updated policies in Chrome browser.
v93.0 [Jun 6, 2021]
This update includes 27 security fixes that were contributed by external researchers:
- [$20000] High CVE-2021-30606: Use after free in Blink. Reported by Nan Wang (@eternalsakura13) and koocola (@alo_cook) of 360 Alpha Lab on 2021-07-28.
- [$10000] High CVE-2021-30607: Use after free in Permissions. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-08-03.
- [$7500] High CVE-2021-30608: Use after free in Web Share. Reported by Huyna at Viettel Cyber Security on 2021-06-15.
- [$5000] High CVE-2021-30609: Use after free in Sign-In. Reported by raven (@raid_akame) on 2021-08-13.
- [$N/A] High CVE-2021-30610: Use after free in Extensions API. Reported by Igor Bukanov from Vivaldi on 2021-04-19.
- [$20000] Medium CVE-2021-30611: Use after free in WebRTC. Reported by Nan Wang (@eternalsakura13) and koocola (@alo_cook) of 360 Alpha Lab on 2021-07-28.
- [$20000] Medium CVE-2021-30612: Use after free in WebRTC. Reported by Nan Wang (@eternalsakura13) and koocola (@alo_cook) of 360 Alpha Lab on 2021-07-29.
- [$15000] Medium CVE-2021-30613: Use after free in Base internals. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-16.
- [$10000] Medium CVE-2021-30614: Heap buffer overflow in TabStrip. Reported by Huinian Yang (@vmth6) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-05-10.
- [$5000] Medium CVE-2021-30615: Cross-origin data leak in Navigation. Reported by NDevTK on 2021-05-12.
- [$5000] Medium CVE-2021-30616: Use after free in Media. Reported by Anonymous on 2021-07-21.
- [$3000] Medium CVE-2021-30617: Policy bypass in Blink. Reported by NDevTK on 2021-07-07.
- [$3000] Medium CVE-2021-30618: Inappropriate implementation in DevTools. Reported by @DanAmodio and @mattaustin from Contrast Security on 2021-07-23.
- [$3000] Medium CVE-2021-30619: UI Spoofing in Autofill. Reported by Alesandro Ortiz on 2021-08-02.
- [$NA] Medium CVE-2021-30620: Insufficient policy enforcement in Blink. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-03-20.
- [$NA] Medium CVE-2021-30621: UI Spoofing in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-04-30.
- [$NA] Medium CVE-2021-30622: Use after free in WebApp Installs. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2021-06-28.
- [$10000] Low CVE-2021-30623: Use after free in Bookmarks. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-06-25.
- [$TBD] Low CVE-2021-30624: Use after free in Autofill. Reported by Wei Yuan of MoyunSec VLab on 2021-07-19.
v91.0 [Mar 8, 2021]
- Chrome pauses collapsed tab groups
Chrome allows users to organize tabs into collapsible groups, helping them stay productive. For some users, Chrome 91 pauses those tabs when the user collapses them, to reduce CPU and power consumption. Chrome does not pause tabs if they are playing audio, holding a web lock, holding an IndexedDB lock, connected to a USB device, capturing video or audio, being mirrored, or capturing a window or display.
- Chrome blocks port 10080 and adds a policy for allowing specific ports
Chrome 91 adds port 10080 to the restricted ports list and blocks traffic through it. This does not affect customers using standard ports, but custom configurations using non-standard ports may be affected.
If you're affected by this change, or if you were affected by the previous change that blocked port 554, Chrome introduces the ExplicitlyAllowedNetworkPorts enterprise policy, where you can allow these specific ports in your environment.
- Chrome enables quantum computer resistant security
Chrome 91 supports a post-quantum key-agreement mechanism in TLS when communicating with some domains. This increases the size of TLS handshake messages which, in rare cases, may cause issues with network middleboxes that incorrectly assume that TLS messages fit in a single network frame.
You can set the CECPQ2Enabled policy to disable this mechanism. You can also disable it by setting the ChromeVariations policy to a non-default value. For more details, see https://www.chromium.org/cecpq2.
- Chrome no longer allows TLS 1.0 or TLS 1.1
The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.
We previously communicated that this would happen as early as January 2021, but we extended the deadline until Chrome 91.
- PWAs can launch when the user logs into the OS
Users expect some apps, like chat apps, to launch as soon as they log into a Windows or Mac device. Chrome 91 allows users to set Progressive Web Apps (PWAs) to launch as soon as the user logs into the OS.
As an admin, you can configure a PWA at install time with the option to launch automatically when a user logs in to its OS session.
You control this behavior using the WebAppSettings enterprise policy.
- Chrome on iOS warns users if they reuse their saved passwords on known phishing sites
To better protect users from phishing schemes, Chrome warns users if it appears that they've entered a saved password on a known phishing site. This feature is now being expanded to Chrome on iOS.
You control your organization's use of this feature using the PasswordManagerEnabled enterprise policy.
- Chrome introduces initial_preferences
As part of Chrome's move to using more inclusive naming, admins can control the browser's initial preferences using a file named initial_preferences. This file behaves the same way as, and will eventually replace, the master_preferences file that exists today. To minimize any disruption, Chrome continues to support the master_preferences file and more notice will be given before we remove support for master_preferences.
- Chrome uses DNS-over-HTTPS on Linux
DNS-over-HTTPS protects user privacy by encrypting DNS queries, and was already enabled for Windows, Mac, ChromeOS, and Android in prior releases. Chrome 91 supports this feature on Linux. The DNS requests of all users will be auto-upgraded to their DNS provider’s DNS-over-HTTPS (DoH) service if available (based on a list of known DoH-capable servers).
You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy with Group Policy or in the Google Admin Console. Setting it to off ensures that your users are not affected by Secure DNS.
- Chrome adds Referrer Chain to Client Side Detection pings
To better protect users, Chrome conducts client-side checks of suspicious websites. In Chrome 91, if Enhanced Protection is enabled, the referrers of the website are also sent to Chrome.
You control this behavior using the SafeBrowsingProtectionLevel enterprise policy.
- Download deep scanning available for Enhanced Safe Browsing users
Users who consented to Enhanced Safe Browsing can send downloads to Google for deep scanning when the existing safety checks are inconclusive.
You can disable this by controlling the user's Safe Browsing setting via the SafeBrowsingProtectionLevel policy.
- Chrome adds Google Account-tied tokens to Enhanced Safe Browsing pings
For users who consented to Enhanced Safe Browsing and have signed in to their Google accounts, Google Account-tied tokens are added to various phishing detection pings. This provides better protection and reduces false positives.
v87.0 [Sep 9, 2020]
Various fixes from internal audits, fuzzing, and other initiatives.
v84.0 [Apr 17, 2020]
- Layout Instability Shifted Element Surfacing.
- revert keyword.
- Sec-CH-UA Client Hints.
- Web Animations API.
- @import rules in CSSStyleSheet.replace().
- Unprefixed 'appearance' CSS property.
- Unprefixed ruby-position CSS property.
- Raw Clipboard Access.
- Idle Detection.
- ReportingObserver on workers.
- fractionalSecondDigits option for Intl.DateTimeFormat.
- Private methods and accessors.
- WebAssembly SIMD.
- Gutters in flexbox: row-gap and column-gap properties.
- Cookie Store API.
- Screen Wake Lock API.
- Web Authenticator API: cross-origin iframe support.
- Media Feeds.
- TLS 1.0 and TLS 1.1.
- Origin isolation.
- Blocking insecure downloads from secure (HTTPS) contexts.
v83.0 [Mar 19, 2020]
This update includes 4 security fixes:
- Use after free in speech.
- Insufficient policy enforcement in WebView.
- Out of bounds write in V8.
- Various fixes from internal audits, fuzzing and other initiatives.
v80.0 [Nov 12, 2019]
- Updates to cookies with SameSite: Starting in Chrome 80, cookies that don’t specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. Cookies with SameSite=None must also be marked Secure and delivered over HTTPS. To reduce disruption, the updates will be enabled gradually, so different users will see it at different times. We recommend that you test critical sites using the instructions for testing.
- Pop-ups and synchronous XHR requests not allowed on page unload: Pop-ups and synchronous XHR requests won’t be allowed on page unload. This change will improve page load time and make code paths simpler and more reliable. If you encounter incompatibilities with legacy software, you will be able to revert to behavior matching Chrome 79 and earlier using the following policies, which will be available until Chrome 88:
- To allow pop-ups on page unload, see AllowPopupsDuringPageUnload.
- To allow synchronous XHRs on page unload, see AllowSyncXHRInPageDismissal.
- Control data types in Chrome sync: Chrome users have the ability to granularly enable or disable each type of data that’s synchronized in the advanced Data from Chrome sync settings. In Chrome 80, you can also control the data types synced using the SyncTypesListDisabled policy.
- Changes to how HTTPS pages load secure subresources in Chrome 80 and 81: In Chrome 80, http:// audio and video resources on https:// pages will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Users can unblock affected audio and video resources by clicking on the lock icon on the address bar and selecting Site Settings. In Chrome 80, http:// images on https:// pages will still be allowed to load, but users will see “Not Secure” on the address bar. In Chrome 81, http:// images on https:// pages will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. You can control these changes using the StricterMixedContentTreatmentEnabled policy, which disables autoupgrades for audio and video and the warning for images. This policy is a temporary policy and will be removed in Chrome 84. The InsecureContentAllowedForUrls and InsecureContentBlockedForUrls policies will control the site setting described above. You should begin ensuring that resources in pages are fetched over HTTPS and manage exceptions using a policy. For more information, see the Chromium blog.
- Control if websites can check for user payment methods: The PaymentMethodQueryEnabled policy allows you to control if websites can check for user payment methods. For details, see PaymentMethodQueryEnabled.
- Web Components v0 removed: The Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were supported only by Chrome Browser. To ensure interoperability with other browsers, late last year, we announced that these v0 APIs were deprecated and will be removed in Chrome 80. For more information, see the Web Components update. Until Chrome 85, you can use the WebComponentsV0Enabled policy to re-enable web components v0.
- Introduction of tab groups for some users: Starting in Chrome 80, some users will be able to organize their tabs by grouping them on the tab strip. Each group can have a color and a name to help your users keep track of their different tasks and workflows. A wider rollout is planned for Chrome 81.
- Block external extensions: In Chrome 80, you can use the BlockExternalExtensions policy to stop the installation of external extensions on your devices. The policy will not block kiosk apps or extensions installed by policy.
- Chrome Browser Cloud Management Reporting Companion no longer required: The functionality previously provided by the Chrome Browser Cloud Management - Reporting Companion extension has been integrated directly into Chrome Browser. If you’re using Chrome Browser Cloud Management, users will no longer see the extension on their devices when reporting is turned on. No action is required from admins or users.
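The SameSite rules in the first v80.0 item above can be checked against a site's `Set-Cookie` headers before the rollout reaches its users. The following is an added example, not code from Chrome or from these release notes; the function names and the sample headers are constructed for illustration, and treating an unrecognised SameSite value like a missing one is an assumption.

```javascript
// Added example: models the Chrome 80 SameSite handling described in the
// v80.0 notes. All names are hypothetical; the sample headers are constructed.
const SAMESITE_VALUES = new Set(["strict", "lax", "none"]);

// Split one Set-Cookie header value into the cookie name and a map of
// lowercased attribute names to their (possibly empty) values.
function parseSetCookie(header) {
  const parts = String(header).split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue = "", ...attrs] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const attributes = new Map();
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes.set(key, i === -1 ? "" : attr.slice(i + 1).trim());
  }
  return { name, attributes };
}

// Apply the three rules from the release note: a missing SameSite is treated
// as Lax, and SameSite=None is only honoured with Secure over HTTPS.
function classifySetCookie(header, { deliveredOverHttps = true } = {}) {
  const { name, attributes } = parseSetCookie(header);
  const declared = (attributes.get("samesite") || "").toLowerCase();
  // Assumption: an unrecognised SameSite value is handled like a missing one.
  const explicit = SAMESITE_VALUES.has(declared);
  const effective = explicit ? declared : "lax";
  const secure = attributes.has("secure");
  if (effective === "none" && !(secure && deliveredOverHttps)) {
    return {
      name, effective, accepted: false,
      finding: "SameSite=None requires Secure and delivery over HTTPS",
    };
  }
  return {
    name, effective, accepted: true,
    finding: explicit ? "ok" : "no SameSite attribute: treated as SameSite=Lax",
  };
}

// Return only the cookies an owner needs to look at before the change lands.
function auditSetCookieHeaders(headers, options) {
  return headers
    .map((h) => classifySetCookie(h, options))
    .filter((r) => r.finding !== "ok");
}

// Constructed sample input.
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/; HttpOnly",
  "embed=1; SameSite=None",
  "embed2=1; SameSite=None; Secure",
  "pref=dark; samesite=STRICT; Secure",
];

for (const r of auditSetCookieHeaders(SAMPLE_HEADERS)) {
  console.log(`${r.name}: ${r.finding} (accepted=${r.accepted})`);
}
```
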
v74.0 [Mar 5, 2019]
- Chrome Browser Cloud Management: Chrome Browser has introduced support for management through the Google Admin console with Chrome Browser Cloud Management. Admins can use the Admin console to manage Chrome Browser across Windows®, Mac®, and Linux®, without requiring users to sign in. Learn more about Chrome Browser Cloud Management.
- Dark mode for Windows in Chrome 74: In Chrome 74, if the system theme is set to dark, Chrome on Windows will also use a dark theme on screen.
- Pop-ups will not be allowed on page unload: Chrome 74 no longer allows pop-ups during page unload (see the removal notice). If you have any enterprise apps that still require pop-ups on page unload, you can enable the AllowPopupsDuringPageUnload policy to allow pop-ups on page unload until Chrome 82.
- Legacy Browser Support will no longer need an extension: In Chrome 74, you can deploy Legacy Browser Support to automatically switch users between Chrome Browser and another browser. You can use policies to specify which URLs open in an alternative browser. For example, you can ensure that browser traffic to the public internet uses Chrome Browser, but visits to your organization’s intranet use Internet Explorer. You can turn on LBS and set policies to manage LBS in the Chrome Group Policy Template. Learn more about Legacy Browser Support Beta for Windows.
v71.0 [Nov 16, 2018]
- Refreshed look for Camera app.
- Fingerprint and PIN enrollment in Out of Box Experience.
- Autocomplete in Launcher search.
- Adaptive top UI in Chrome browser based on user scrolling.
- Unified setup flow to connect with an Android phone.
- Assistant natively integrated into the OS (Pixel Slate first, expanding to more devices later).
- New features for families including app management and screen time limits.
- Ability to create semi-full pages in Launcher for customizations.
- Launched Android P on Pixel Slate.
- Fingerprint authentication mode on Pixel Slate.
- Portrait mode for Camera app on Pixel Slate.
v70.0 [Sep 6, 2018]
Chrome 70 adds support for Desktop Progressive Web Apps on Windows and Linux, support for Public Key Credentials to the Credential Management API, allows you to provide a name to dedicated workers and plenty more.
v65.0 [Dec 26, 2017]
- The CSS Paint API allows you to programmatically generate an image.
- The Server Timing API allows web servers to provide performance timing information via HTTP headers.
- The new CSS display: contents property can make boxes disappear!
v63.0 [Sep 22, 2017]
This update includes 37 security fixes.
[$10500] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson on 2017-10-26
[$6337] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by Ke Liu of Tencent's Xuanwu LAB on 2017-09-06
[$5000] High CVE-2017-15409: Out of bounds write in Skia. Reported by Anonymous on 2017-09-11
[$5000] High CVE-2017-15410: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-16
[$5000] High CVE-2017-15411: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-29
[$3500] High CVE-2017-15412: Use after free in libXML. Reported by Nick Wellnhofer on 2017-05-27
[$500] High CVE-2017-15413: Type confusion in WebAssembly. Reported by Gaurav Dewan(@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-09-19
[$3337] Medium CVE-2017-15415: Pointer information disclosure in IPC call. Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15
[$2500] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by Ned Williamson on 2017-10-28
[$2000] Medium CVE-2017-15417: Cross origin information disclosure in Skia. Reported by Max May on 2017-03-07
[$1000] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-09-15
[$1000] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-10-31
[$500] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-23
[$TBD] Medium CVE-2017-15422: Integer overflow in ICU. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13
[$500] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. Reported by Greg Hudson on 2017-10-25
[$N/A] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by Khalil Zhani on 2017-08-16
[$N/A] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by xisigr of Tencent's Xuanwu Lab on 2017-08-17
[$N/A] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-08-18
v62.0 [Jul 31, 2017]
This update includes 35 security fixes. Below are the fixes that were contributed by external researchers.
[$7500 $1337] High CVE-2017-5124: UXSS with MHTML. Reported by Anonymous on 2017-09-07
[$5000] High CVE-2017-5125: Heap overflow in Skia. Reported by Anonymous on 2017-07-26
[$3000] High CVE-2017-5126: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-08-30
[$3000] High CVE-2017-5127: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-14
[$3000] High CVE-2017-5128: Heap overflow in WebGL. Reported by Omair on 2017-09-14
[$3000] High CVE-2017-5129: Use after free in WebAudio. Reported by Omair on 2017-09-15
[$3000] High CVE-2017-5132: Incorrect stack manipulation in WebAssembly. Reported by Gaurav Dewan (@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-05-05
[$N/A] High CVE-2017-5130: Heap overflow in libxml2. Reported by Pranjal Jumde (@pjumde) on 2017-05-14
[$5000] Medium CVE-2017-5131: Out of bounds write in Skia. Reported by Anonymous on 2017-07-16
[$2000] Medium CVE-2017-5133: Out of bounds write in Skia. Reported by Aleksandar Nikolic of Cisco Talos on 2017-09-05
[$1000] Medium CVE-2017-15386: UI spoofing in Blink. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-08-03
[$1000] Medium CVE-2017-15387: Content security bypass. Reported by Jun Kokatsu (@shhnjk) on 2017-08-16
[$1000] Medium CVE-2017-15388: Out of bounds read in Skia. Reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-08-17
[$500] Medium CVE-2017-15389: URL spoofing in OmniBox. Reported by xisigr of Tencent's Xuanwu Lab on 2017-07-06
[$500] Medium CVE-2017-15390: URL spoofing in OmniBox. Reported by Haosheng Wang (@gnehsoah) on 2017-07-28
[$500] Low CVE-2017-15391: Extension limitation bypass in Extensions. Reported by João Lucas Melo Brasio (whitehathackers.com.br) on 2016-03-28
[$N/A] Low CVE-2017-15392: Incorrect registry key handling in PlatformIntegration. Reported by Xiaoyin Liu (@general_nfs) on 2017-04-22
[$N/A] Low CVE-2017-15393: Referrer leak in Devtools. Reported by Svyat Mitin on 2017-06-13
[$N/A] Low CVE-2017-15394: URL spoofing in extensions UI. Reported by Sam @sudosammy on 2017-07-18
[$N/A] Low CVE-2017-15395: Null pointer dereference in ImageCapture. Reported by Johannes Bergman (johberlvi@) on 2017-08-28
v60.0 [Apr 23, 2017]
- Fix SpecialLocaleHandler to handle google correctly.
- Fix bug in PaintOpBuffer folding alpha optimization.
- Revert "Stability instrumentation Crashpad integration".
v59.0 [Mar 24, 2017]
- "A number of fixes and improvements."
- Revamped Settings and "About Google Chrome" page.
- Headless mode in Linux and macOS.
v54.0 [Jul 13, 2016]
CacheQueryOptions Arrive in Chrome 54
If you use the Cache Storage API, either within a service worker or directly from web apps via window.caches, there's some good news: starting in Chrome 54, the full set of CacheQueryOptions is supported, making it easier to find the cached responses you're looking for.
v49.0 [Nov 17, 2015]
GCC-based newlib toolchains removed from the SDK. These have been superseded by the nacl-clang toolchain which also produces statically linked architecture specific nexe files.
gtest/gmock no longer shipped as pre-built libraries. This is in-line with normal gtest/gmock usage guidelines. Projects wishing to use gtest/gmock must now add explicit include paths and compile gtest-all.cc locally.
v45.0 [May 17, 2015]
Chrome/Pepper 45 (10 July 2015)
UDP Socket Multicast API in stable (PPB_UDP_SOCKET 1.2).
v40.0 [Sep 28, 2014]
- FileSystemProvider: Use the chrome.fileSystemProvider API to create file systems that are accessible from the file manager on Chrome OS.
v19.0 [Feb 6, 2012]
- Tabs, bookmarks, applications, history, themes, extensions and other settings synchronization.
- Some menu changes.
v5.0 [Apr 29, 2010]
Google Chrome Extensions - Extensions are little programs which add useful features to your browser.
Translation in the browser - Chrome is the first browser to incorporate machine translation in the browser itself, without requiring additional plugins or extensions.
v3.0 [May 27, 2009]
Apart from the usual improvements and fixes of every new release, the new version of Chrome released on November 2 2009, presents a new feature called 'bookmark sync'. With this option, very useful for people who use two or more computers, you will be able to synchronize and update your bookmarks instantly so as to access them from every computer you use, thus avoiding the need to add them manually.