Google has released Chrome 136 along with an updated stable version of the open-source Chromium project. For users who need more time to update, an extended stable branch remains available, offering support for up to 8 weeks. The next release, Chrome 137, is scheduled for May 27.
Advertisеment
💡 While Chrome is based on Chromium, it includes additional features such as Google branding, a crash notification system, DRM modules for protected video playback, automatic updates, Sandbox isolation, Google API keys, and RLZ parameter tracking during search.

What's new in Chrome 136
Improved Privacy Protections
Chrome 136 introduces new protections against browsing history leaks via the :visited
CSS pseudo-class. Previously, attackers could determine which links a user visited by analyzing changes in the style of links across sites.
Chrome now isolates the processing of the :visited selector to the current site.
Links are styled as "visited" only if they were opened from the same site or iframe. This isolation is achieved by hashing the visited link styles using three components: the link, the top-level site, and the iframe host.
For example:
If you click on a link on site "A", it will only show as "visited" on site "A".
Same-site (same-origin) links remain highlighted, even if clicked from a different site.
This feature resembles protections added to Firefox in 2010, although workarounds existed until recently. Chrome's implementation aims to completely close these gaps.
Some changes, such as isolating :visited styles, may require adjustments for sites using the old behavior.
Android Updates
Chrome now sends telemetry data about APK packages downloaded through the browser to Google's servers.
Initially limited to telemetry, this feature will eventually warn users about malicious APK downloads and block malicious files if Enhanced Browser Protection (Safe Browsing > Enhanced Protection) is enabled. Remote
Debugging Changes
To combat malware that uses remote debugging, Chrome now requires a separate data directory for remote debugging sessions. Users must specify the --user-data-dir option along with --remote-debugging-pipe or --remote-debugging-port.
The default directories on Windows, Linux, and macOS no longer support remote debugging.
A separate encryption key is used for the debug directory, ensuring that user data in the main directory is secure.
CSS and web development improvements
- The string argument to the attr() function has been renamed to raw-string to avoid confusion with similar syntax such as attr(foo type(<string>)).
- The ProgressEvent API now uses the double type for its loaded and shared attributes, matching the HTML <progress> element and providing smoother progress indicators.
- A new static RegExp.escape method allows developers to safely escape strings for use in regular expressions.
Access Key Improvements
Sites can now automatically generate access keys based on stored credentials without displaying a modal dialog if the user has previously approved the creation of credentials.
Other changes
New CSS property
Added the dynamic-range-limit property to control the maximum brightness of HDR content.
Speculation Rules API Update
The <script type="speculationrules"> API now supports an optional tag field for origin tracking. This tag is sent via the Sec-Speculation-Tags HTTP header.
Developer Tools Improvements
- The Performance Dashboard now includes reports on:
- Requests using the legacy HTTP/1.1 protocol.
- Caching efficiency.
- Font optimizations using the font-display property.
- The Privacy & Security > Third-Party Cookies page now supports searching for individual cookies.
- Experimental feature identifies issues with DOM elements and attributes.
Security Fixes
Chrome 136 addresses eight vulnerabilities identified by automated testing tools such as AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer, and AFL. None of the issues allow sandbox bypass or code execution outside of the sandbox.
As part of its bug bounty program, Google has awarded $10,000 for vulnerability reports:
- One bounty of $5,000.
- Two bounties of $2,000 each.
- One bounty of $1,000.
The press release is here.
Support us
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options: