Chrome 136 Released with New Features and Security Improvements

Google has released Chrome 136 along with an updated stable version of the open-source Chromium project. For users who need more time to update, an extended stable branch remains available, offering support for up to 8 weeks. The next release, Chrome 137, is scheduled for May 27.

💡 While Chrome is based on Chromium, it includes additional features such as Google branding, a crash notification system, DRM modules for protected video playback, automatic updates, Sandbox isolation, Google API keys, and RLZ parameter tracking during search.

What's new in Chrome 136

Improved Privacy Protections

Chrome 136 introduces new protections against browsing history leaks via the :visited CSS pseudo-class. Previously, attackers could determine which links a user visited by analyzing changes in the style of links across sites.

Chrome now isolates the processing of the :visited selector to the current site.

Links are styled as "visited" only if they were opened from the same site or iframe. This isolation is achieved by hashing the visited link styles using three components: the link, the top-level site, and the iframe host.

For example:

  • If you click on a link on site "A", it will only show as "visited" on site "A".
  • Same-site (same-origin) links remain highlighted, even if clicked from a different site.

This feature resembles protections added to Firefox in 2010, although workarounds existed until recently. Chrome's implementation aims to completely close these gaps.

Some changes, such as isolating :visited styles, may require adjustments for sites using the old behavior.
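The triple-keyed partitioning described above can be modelled in a few lines. This is an added example, not Chromium code: `VisitedLinkStore`, `siteOf` and `demo` are hypothetical names, the site calculation is simplified, and the URLs are constructed.

```javascript
// Toy model of a partitioned visited-link store (illustrative, not Chromium code).
const crypto = require("node:crypto");

// Simplified "site": scheme plus last two host labels (browsers use the Public Suffix List).
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}

class VisitedLinkStore {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.keys = new Set();            // hashed entries consulted when styling links
    this.visitedAnywhere = new Set(); // consulted only for the same-site rule
  }
  // Legacy key: the link alone. Partitioned key: link + top-level site + frame origin.
  key(link, topLevelUrl, frameUrl) {
    const href = new URL(link).href;
    const parts = this.partitioned
      ? [href, siteOf(topLevelUrl), new URL(frameUrl).origin]
      : [href];
    return crypto.createHash("sha256").update(JSON.stringify(parts)).digest("hex");
  }
  recordClick(link, topLevelUrl, frameUrl = topLevelUrl) {
    this.keys.add(this.key(link, topLevelUrl, frameUrl));
    this.visitedAnywhere.add(new URL(link).href);
  }
  isStyledVisited(link, topLevelUrl, frameUrl = topLevelUrl) {
    if (this.keys.has(this.key(link, topLevelUrl, frameUrl))) return true;
    // Same-site rule from the article: a site's own links stay highlighted
    // even when the click happened on a different site.
    const selfLink = siteOf(link) === siteOf(topLevelUrl) &&
                     siteOf(link) === siteOf(frameUrl);
    return this.partitioned && selfLink && this.visitedAnywhere.has(new URL(link).href);
  }
}

// Constructed scenario: the user clicks a link to news.example while on a.example.
function demo(partitioned) {
  const store = new VisitedLinkStore(partitioned);
  const link = "https://news.example/story";
  store.recordClick(link, "https://a.example/");
  return {
    sameSite: store.isStyledVisited(link, "https://a.example/other"),
    otherSite: store.isStyledVisited(link, "https://b.example/"),
    foreignFrame: store.isStyledVisited(link, "https://a.example/", "https://ads.example/frame"),
    selfLink: store.isStyledVisited(link, "https://news.example/"),
  };
}
console.log(demo(false), demo(true));
```

With the legacy single-component key every context sees the link as visited; with the partitioned key only the clicking site and the link's own site do.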

Android Updates

Chrome now sends telemetry data about APK packages downloaded through the browser to Google's servers.

Initially limited to telemetry, this feature will eventually warn users about malicious APK downloads and block malicious files if Enhanced Browser Protection (Safe Browsing > Enhanced Protection) is enabled.

Remote Debugging Changes

To combat malware that uses remote debugging, Chrome now requires a separate data directory for remote debugging sessions. Users must specify the --user-data-dir option along with --remote-debugging-pipe or --remote-debugging-port.
The default directories on Windows, Linux, and macOS no longer support remote debugging.

A separate encryption key is used for the debug directory, ensuring that user data in the main directory is secure.
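For defenders, the new rule gives a simple triage check over process command lines: a remote debugging switch with no `--user-data-dir`, or one pointing at the default profile, is the pattern the change is meant to stop. The following is an added example, not Chrome or Winaero code; the default-directory patterns, function names and sample command lines are assumptions constructed for illustration.

```javascript
// Default profile locations of stock Chrome installs (assumed; adjust for your fleet).
const DEFAULT_PROFILE_DIRS = [
  /\\Google\\Chrome\\User Data\\?$/i,                   // Windows
  /\/\.config\/google-chrome\/?$/,                       // Linux
  /\/Library\/Application Support\/Google\/Chrome\/?$/,  // macOS
];

// Split a command line into arguments, keeping double-quoted segments together.
function splitArgs(cmdline) {
  return (cmdline.match(/(?:[^\s"]+|"[^"]*")+/g) || []).map(a => a.replace(/"/g, ""));
}

// Classify one Chrome command line according to the Chrome 136 rule described above.
function auditChromeCommand(cmdline) {
  const args = splitArgs(cmdline);
  const debugSwitch = args.find(a => /^--remote-debugging-(port|pipe)\b/.test(a));
  if (!debugSwitch) return { verdict: "no-remote-debugging" };
  const prefix = "--user-data-dir=";
  const dirArg = args.find(a => a.startsWith(prefix));
  const dir = dirArg ? dirArg.slice(prefix.length) : null;
  // No --user-data-dir means the default profile would be used.
  if (!dir || DEFAULT_PROFILE_DIRS.some(re => re.test(dir))) {
    return { verdict: "targets-default-profile", debugSwitch, dir };
  }
  return { verdict: "separate-debug-profile", debugSwitch, dir };
}

// Constructed process command lines, as an EDR or `ps` export might record them.
const SAMPLES = [
  'chrome.exe --remote-debugging-port=9222',
  '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9222 ' +
    '--user-data-dir="C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data"',
  'google-chrome --remote-debugging-pipe --user-data-dir=/tmp/cdp-profile',
  'google-chrome --user-data-dir=/home/bob/.config/google-chrome https://example.com',
];

function auditSamples() {
  return SAMPLES.map(c => auditChromeCommand(c).verdict);
}

console.log(auditSamples());
```

A `targets-default-profile` verdict is the one worth alerting on; `separate-debug-profile` is what legitimate automation is expected to look like after this change.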

CSS and web development improvements

  • The string argument to the attr() function has been renamed to raw-string to avoid confusion with similar syntax such as attr(foo type(<string>)).
  • The ProgressEvent API now uses the double type for its loaded and shared attributes, matching the HTML <progress> element and providing smoother progress indicators.
  • A new static RegExp.escape method allows developers to safely escape strings for use in regular expressions.

Access Key Improvements

Sites can now automatically generate access keys based on stored credentials without displaying a modal dialog if the user has previously approved the creation of credentials.

Other changes

New CSS property

Added the dynamic-range-limit property to control the maximum brightness of HDR content.

Speculation Rules API Update

The <script type="speculationrules"> API now supports an optional tag field for origin tracking. This tag is sent via the Sec-Speculation-Tags HTTP header.

Developer Tools Improvements

  • The Performance Dashboard now includes reports on:
    • Requests using the legacy HTTP/1.1 protocol.
    • Caching efficiency.
    • Font optimizations using the font-display property.
  • The Privacy & Security > Third-Party Cookies page now supports searching for individual cookies.
  • Experimental feature identifies issues with DOM elements and attributes.

Security Fixes

Chrome 136 addresses eight vulnerabilities identified by automated testing tools such as AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer, and AFL. None of the issues allow sandbox bypass or code execution outside of the sandbox.

As part of its bug bounty program, Google has awarded $10,000 for vulnerability reports:

  • One bounty of $5,000.
  • Two bounties of $2,000 each.
  • One bounty of $1,000.

The press release is here.


Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.
