Google today launched Chrome 84 for Windows, Mac, Linux, Android, and iOS. Chrome 84 resumes SameSite cookie changes, includes the Web OTP API and Web Animations API, and removes older Transport Layer Security (TLS) versions. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.
With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers have to stay on top of everything available — as well as what has been deprecated or removed.
First deprecated with Chrome 81 in April, TLS 1.0 and TLS 1.1 have now been completely removed with Chrome 84. This is notable for anyone who manages a website, even if they don’t use Chrome at home or at work. TLS is a cryptographic protocol designed to provide communications security over a computer network — websites use it to secure all communications between their servers and browsers. TLS also succeeds Secure Sockets Layer (SSL) and thus handles the encryption of every HTTPS connection.
Chrome 84 is arriving late. When the coronavirus crisis took hold, Google delayed Chrome 81, skipped Chrome 82 altogether, and moved Chrome 83 up a few weeks. Microsoft followed suit with Edge’s release schedule, consistent with Google’s open source Chromium project, which both Chrome and Edge are based on. Mozilla meanwhile committed to not changing Firefox’s release schedule, which sees a new version every four weeks.
SameSite cookie changes
In May 2016, Chrome 51 introduced the SameSite attribute to allow sites to declare whether cookies should be restricted to a same-site (first-party) context. The hope was this would mitigate cross-site request forgeries (CSRF).
Chrome 80 began enforcing a new secure-by-default cookie classification system, treating cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies set as SameSite=None; Secure are available in third-party contexts, provided they are being accessed from secure connections. Due to the coronavirus crisis, however, Google paused the SameSite cookie changes, with plans to resume enforcement sometime over the summer. SameSite cookie enforcement has now resumed with a gradual rollout ramping up over the next several weeks for Chrome 80 and newer.
The following backward-compatible behaviors are removed as of Chrome 80:
- Disallow defaulting of SameSite attribute to ‘None’: The SameSite attribute now defaults to Lax, meaning your cookies are only available to other sites from top-level navigations. As originally implemented in Chrome, the SameSite attribute defaulted to None, which was essentially the Web’s status quo. Cookies have valid cross-site use cases, but if a site owner did not previously want to allow cross-site cookie use, there was no way to declare such an intent or enforce it.
- Value ‘None’ no longer allowed on insecure contexts: Chrome now requires that when the SameSite attribute is set to None, the Secure attribute must also be present. The Secure attribute requires that the attached cookie can only be transmitted over a secure protocol such as HTTPS.
Cross-site cookies that are missing the required settings are effectively blocked.
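An added example (not from the original article or from Chrome's code) that audits Set-Cookie header values against the two rules above: it reports the SameSite mode that would apply and flags cookies that are defaulted to Lax or rejected. The header values are constructed samples, and handling an unrecognised SameSite value like a missing attribute is an assumption of this example.

```javascript
// Classify Set-Cookie header values under the SameSite rules described above.
// All header values here are constructed samples, not taken from a real site.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',          // no SameSite declared
  'widget=xyz; SameSite=None',                 // None without Secure
  'embed=42; Path=/; SameSite=None; Secure',   // valid cross-site cookie
  'csrf=tok; SameSite=Strict; Secure',         // first-party only
];

// Extract the cookie name plus the two attributes the rules depend on.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = value;
  }
  return cookie;
}

function classify(header) {
  const { name, secure, sameSite } = parseSetCookie(header);
  // Assumption of this example: an unrecognised SameSite value is handled
  // like a missing attribute.
  const declared = ['strict', 'lax', 'none'].includes(sameSite) ? sameSite : null;
  if (declared === 'none' && !secure) {
    return { name, effective: 'rejected', topLevelNav: false, thirdParty: false,
      finding: 'SameSite=None requires Secure' };
  }
  const effective = declared || 'lax';
  return {
    name,
    effective,
    topLevelNav: effective !== 'strict', // sent on cross-site top-level navigations
    thirdParty: effective === 'none',    // sent in third-party contexts (iframes, images)
    finding: declared ? null : 'no SameSite declared, treated as Lax',
  };
}

// Cookies a site owner should review: those defaulted to Lax or rejected.
function audit(headers) {
  return headers.map(classify).filter((r) => r.finding !== null);
}

console.log(audit(SAMPLE_HEADERS));
```

Cookies reported with a finding either need an explicit SameSite value or, if they are meant for third-party use, both SameSite=None and Secure.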
Web OTP API and Web Animations API
Chrome 84 introduces the Web OTP API (formerly called the SMS Receiver API). This API helps users enter a one-time password (OTP) on a webpage when a specially crafted SMS message is delivered to their Android phone. When verifying the ownership of a phone number, developers typically send an OTP over SMS that must be manually entered by the user (or copied and pasted). The user has to switch to their native SMS app and back to their web app to input the code. The Web OTP API lets developers help users enter the code with one tap.
Chrome 84 also adopts the Web Animations API, which gives developers more control over web animations. These can be used to help users navigate a digital space, remember your app or site, and provide implicit hints around how to use your product. Parts of the API have been around for some time, but this implementation brings greater spec compliance and supports compositing operations, which control how effects are combined and offer many new hooks that enable replaceable events. The API also supports Promises, which allow for animation sequencing and provide greater control over how animations interact with other app features.
Android and iOS
Chrome 84 for Android is rolling out slowly on Google Play. The changelog isn’t available yet — it merely states that “This release includes stability and performance improvements.”
Chrome 84 for iOS meanwhile is out on Apple’s App Store with the usual “stability and performance improvements.” Here is the full changelog:
- You’re now more protected from malware and phishing while browsing with our new Safe Browsing features.
- On iPad, Chrome introduces better mouse and trackpad support.
- You can now share a web page by creating and sharing a QR code. To get started, tap the ‘Share’ icon at the top right.
- You can find your downloads in the downloads folder in Chrome’s menu, or in your device’s Files app.
- You can add nicknames to your payment cards saved in Chrome on your device. Add a nickname when saving a new card or go to Settings > Payment methods > Edit.
Chrome 84 implements 38 security fixes. The following were found by external researchers:
- [$ TBD] Critical CVE-2020-6510: Heap buffer overflow in background fetch. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-07-08
- [$ 5000] High CVE-2020-6511: Side-channel information leakage in content security policy. Reported by Mikhail Oblozhikhin on 2020-04-24
- [$ 5000] High CVE-2020-6512: Type Confusion in V8. Reported by nocma, leogan, cheneyxu of WeChat Open Platform Security Team on 2020-05-20
- [$ 2000] High CVE-2020-6513: Heap buffer overflow in PDFium. Reported by Aleksandar Nikolic of Cisco Talos on 2020-06-04
- [$ TBD] High CVE-2020-6514: Inappropriate implementation in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-04-30
- [$ TBD] High CVE-2020-6515: Use after free in tab strip. Reported by DDV_UA on 2020-05-14
- [$ TBD] High CVE-2020-6516: Policy bypass in CORS. Reported by Yongke Wang of Tencent’s Xuanwu Lab (xlab.tencent.com) on 2020-06-08
- [$ TBD] High CVE-2020-6517: Heap buffer overflow in history. Reported by ZeKai Wu (@hellowuzekai) of Tencent Security Xuanwu Lab on 2020-06-16
- [$ 3000] Medium CVE-2020-6518: Use after free in developer tools. Reported by David Erceg on 2019-07-20
- [$ 3000] Medium CVE-2020-6519: Policy bypass in CSP. Reported by Gal Weizman (@WeizmanGal) of PerimeterX on 2020-03-25
- [$ 1000] Medium CVE-2020-6520: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-08
- [$ 500] Medium CVE-2020-6521: Side-channel information leakage in autofill. Reported by Xu Lin (University of Illinois at Chicago), Panagiotis Ilia (University of Illinois at Chicago), Jason Polakis (University of Illinois at Chicago) on 2020-04-27
- [$ TBD] Medium CVE-2020-6522: Inappropriate implementation in external protocol handlers. Reported by Eric Lawrence of Microsoft on 2020-02-13
- [$ N/A] Medium CVE-2020-6523: Out of bounds write in Skia. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu Lab on 2020-05-08
- [$ N/A] Medium CVE-2020-6524: Heap buffer overflow in WebAudio. Reported by Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University on 2020-05-12
- [$ N/A] Medium CVE-2020-6525: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-05
- [$ 1000] Low CVE-2020-6526: Inappropriate implementation in iframe sandbox. Reported by Jonathan Kingston on 2020-04-24
- [$ 500] Low CVE-2020-6527: Insufficient policy enforcement in CSP. Reported by Zhong Zhaochen of andsecurity.cn on 2019-08-10
- [$ 500] Low CVE-2020-6528: Incorrect security UI in basic auth. Reported by Rayyan Bijoora on 2020-03-22
- [$ N/A] Low CVE-2020-6529: Inappropriate implementation in WebRTC. Reported by kaustubhvats7 on 2019-06-26
- [$ N/A] Low CVE-2020-6530: Out of bounds memory access in developer tools. Reported by myvyang on 2019-10-21
- [$ TBD] Low CVE-2020-6531: Side-channel information leakage in scroll to text. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-01-17
- [$ N/A] Low CVE-2020-6533: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-04-11
- [$ N/A] Low CVE-2020-6534: Heap buffer overflow in WebRTC. Reported by Anonymous on 2020-04-20
- [$ TBD] Low CVE-2020-6535: Insufficient data validation in WebUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-04-22
- [$ TBD] Low CVE-2020-6536: Incorrect security UI in PWAs. Reported by Zhiyang Zeng of Tencent security platform department on 2020-05-09
- Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $21,500 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
Chrome offers Origin Trials, which let you try new features and provide feedback on usability, practicality, and effectiveness to the web standards community. Chrome 84 has four new Origin Trials: Cookie Store API, Idle Detection, Origin Isolation, and WebAssembly SIMD. Furthermore, two Origin Trials have graduated and are now enabled by default: Content Indexing API and Wake Lock API based on promises.
Other developer features in this release include:
- App shortcuts: To improve users’ productivity and facilitate re-engagement with key tasks, Chrome now supports app shortcuts in Android. They allow web developers to provide quick access to a handful of common actions that users need frequently. For sites that are already Progressive Web Apps, creating shortcuts requires only adding items to the web app manifest.
- Autoupgrade Image Mixed Content: “Mixed content” is when an HTTPS page loads content such as scripts or images over insecure HTTP. Previously, mixed images were allowed to load, but the lock icon was removed and, as of Chrome 80, replaced with a Not Secure chip. This was confusing and did not sufficiently discourage developers from loading insecure content that threatens the confidentiality and integrity of users’ data. Starting in Chrome 84, mixed image content will be upgraded to https and images will be blocked if they fail to load after upgrading. Auto upgrading of mixed audio and video content is expected in a future release.
- Blocking Insecure Downloads from Secure (HTTPS) Contexts: Chrome intends to block insecurely delivered downloads initiated from secure contexts (“mixed content downloads”). Once downloaded, a malicious file can circumvent any protections Chrome puts in place. Furthermore, Chrome does not and cannot warn users by downgrading security indicators on secure pages that initiate insecure downloads, as it does not reliably know whether an action will initiate an insecure download until the request is made. User-visible warnings will start in Chrome 84 on desktop, with plans to block insecure downloads completely in Chrome 88. Warnings will not appear in Android until Chrome 85.
- Resize Observer: The Resize Observer API was updated to conform to recent specs. ResizeObserverEntry has three new properties, devicePixelContentBoxSize to provide more detailed information about the DOM feature being observed. This information is returned in an array of ResizeObserverSize objects, which are also new.
- revert Keyword: The revert keyword resets the style of an element to the browser default.
- Unprefixed Appearance CSS Property: An unprefixed version of -webkit-appearance is now available in CSS as
- Unprefixed ruby-position CSS Property: The ruby-position property is now supported in Chrome. This is an unprefixed version of -webkit-ruby-position, which controls the position of a ruby annotation. This property has three possible values: inter-character, but Chrome has only implemented the first two. This change creates feature parity with Firefox.
- Web Authenticator API: Cross-origin iframe Support: Adds support for web authentication calls from cross-origin iframes if enabled by a feature policy. This brings Chrome in line with the Web Authentication Level Two specification.
For a full rundown of what’s new, check out the Chrome 84 milestone hotlist.
Google should now be back to releasing a new version of its browser every six weeks or so. Chrome 85 will arrive in mid-August.