Chrome 140 Released with IP Hiding and Script Blocking

Google has released Chrome 140 in the stable channel. Users requiring longer support intervals can use the Extended Stable version, which receives updates every eight weeks. The next major release, Chrome 141, is scheduled for September 30. Chrome 140 comes with enhanced privacy and new features detailed below.

What's new in Chrome 140

IP Hiding in Incognito Mode

The browser now supports IP address hiding in incognito mode for third-party contexts, such as embedded iframes. This feature applies to domains listed in the Masked Domain List (MDL). Requests route through a Google-operated proxy, which masks the user’s real IP address from the destination site.

Probabilistic Reveal Token (PRT) support

To support fraud detection while preserving privacy, Chrome 140 implements the Probabilistic Reveal Token (PRT) mechanism. PRT sends an encrypted token with select requests. After a delay and upon receiving a decryption key from Google, site operators may obtain anonymized, truncated samples of real client IP addresses. The presence of actual IP data in a token is random and not linked to individual requests.

Script Blocking feature

A new Script Blocking feature in incognito mode restricts access to certain JavaScript APIs used for user fingerprinting. The restriction applies to third-party content when behaviors associated with covert tracking are detected. Domains listed in the MDL for engaging in such practices are subject to these controls.

Graphics and Platform Improvements on Linux

The browser now enables automatic selection of the Wayland graphics backend on compatible systems through the OverrideDefaultOzonePlatformHintToAuto setting. This change improves graphical performance by avoiding default reliance on the X11 backend.

Password and Form Management

An AI-assisted password change function is now active. When a user attempts to log in with a password found in known breach databases, Chrome displays a warning and offers to generate and apply a new, secure password. The browser completes the change by filling and submitting the required forms and stores the updated credential in the password manager.

Form autofill capabilities have expanded with an updated AI model that interprets form structure and fills fields based on prior user input patterns. The feature, now labeled "Enhanced autofill," supports additional countries, languages, and data types.

Search and Navigation Optimizations

Default Search Engine Prewarming (DSE Prewarming) is introduced to reduce load times for search result pages. When the address bar gains focus, Chrome preloads layout and resources for the default search engine. This optimization is enabled by default for a subset of users.

AI and Assistant Features

Users in the United States can access the Gemini chatbot directly within the browser. Gemini provides summaries of current page content and answers context-related questions. Interaction is available via text or voice input. Expansion to other regions is planned for future releases.

Tab and Session Management

Chrome now allows users to join shared tab groups. Participants view synchronized tabs across devices. Changes to any tab in the group appear immediately for all members. Tab group creation remains available only in Beta, Dev, and Canary builds.

Security and User Interface Updates

Security warnings for non-HTTPS sites have been redesigned when secure connections are enforced (via chrome://settings/security). Instead of a full-page warning, a dialog appears beneath the address bar, blocking unencrypted content until the user chooses an action.

Web Platform and Developer Features

• Prefetch and prerender requests now include the "Sec-Purpose" HTTP header. The older "Purpose: prefetch" header remains functional for compatibility but is deprecated.
• The ToggleEvent API now includes a source property that identifies the DOM element triggering a toggle event, such as a button opening a popover.
• CSS enhancements include support for counter() and counters() functions in the content property, enabling dynamic text generation. The new caret-animation property controls cursor behavior in input fields, including animation style, timing, direction, and playback state.
• Variable font customization is now possible within @font-face rules using the font-variation-settings property. Typed arithmetic in CSS calculations allows mixed unit operations in expressions like calc(10em / 1px).
• New JavaScript methods Uint8Array.prototype.toBase64, toHex, fromBase64, and fromHex facilitate conversion between binary data and base64 or hexadecimal formats.
• Chrome DevTools now includes AI-assisted performance debugging and supports simulation of the Save-Data HTTP header to test low-bandwidth conditions.

Security Fixes and Vulnerability Rewards

The release resolves six security vulnerabilities. Most were detected using automated tools including AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer, and AFL. No vulnerabilities allowed full sandbox escape or arbitrary code execution. Google has awarded four vulnerability rewards totaling $10,000, with one amount pending disclosure.

You can get the browser from its home page.

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options: