RenderingNG’s architecture implements performance isolation for all of these features.
To open the side panel and view the results, just click on the G icon next to the search bar. And if you’ve found what you’re looking for or don’t want to see the results any more, you can easily close the panel at any time. We’re experimenting with this feature first in the Chrome OS Dev channel with Google Search, and with any broader rollout in the future, we’d aim to bring it to more platforms with support for more default search engines.
Posted by Yana Yushkina, Product Manager, Chrome
Unless otherwise noted, changes described below apply to the newest Chrome beta channel release for Android, Chrome OS, Linux, macOS, and Windows. Learn more about the features listed here through the provided links or from the list on ChromeStatus.com. Chrome 95 is beta as of September 23, 2021.
This version of Chrome introduces the origin trials described below. Origin trials allow you to try new features and give feedback on usability, practicality, and effectiveness to the web standards community. To register for any of the origin trials currently supported in Chrome, including the ones described below, visit the Chrome Origin Trials dashboard. To learn more about origin trials in Chrome, visit the Origin Trials Guide for Web Developers. Microsoft Edge runs its own origin trials separate from Chrome. To learn more, see the Microsoft Edge Origin Trials Developer Console.
It's our eventual goal to merge the origin private file system of the File System Access API with the Storage Foundation API to reduce the number of entry points for getting access to file-based storage in the browser. A first step toward this objective is the newly proposed access handle. The new feature differs from existing functionality by offering in-place and exclusive write access to a file's content. This change, along with the ability to consistently read unflushed modifications and the availability of a synchronous variant on dedicated workers, significantly improves performance and unblocks new use cases. To join the origin trial, see its entry on Chrome Origin Trials. For more on access handlers, see the information we've added to The File System Access API: simplifying access to local files.
Chrome is trying to reduce the amount of information the user agent string exposes in HTTP requests as well as in navigator.userAgent, navigator.appVersion, and navigator.platform. The user agent string can be used for passive user fingerprinting. To join the origin trial, see its entry on Chrome Origin Trials.
navigator.userAgent
navigator.appVersion
navigator.platform
The following features, previously in a Chrome origin trial, are now enabled by default.
Secure payment confirmation augments the payment authentication experience on the web with the help of the Web Authentication API. The feature adds a new 'payment' extension to that API, which allows a relying party such as a bank to opt-in to creating a PublicKeyCredential that can be queried by any merchant origin as part of an online checkout via the Payment Request API using the 'secure-payment-confirmation' payment method.
PublicKeyCredential
'secure-payment-confirmation'
This feature enables a consistent, low friction, strong authentication experience using platform authenticators. Strong authentication with the user's bank is becoming a requirement for online payments in many regions, including the European Union. The proposed feature provides a better user experience and stronger security than existing solutions.
WebAssembly now provides exception handling support. Exception handling allows code to break control flow when an exception is thrown. The exception can be any that is known by the WebAssembly module, or it may be an unknown exception that was thrown by a called imported function.
Currently, web developers can call PerformanceObserver.observe() with the buffered option to listen to past and future performance entries about their site. Unfortunately, past entries need to be stored, and there is a buffer size limit. The droppedEntriesCount parameter helps developers know if they may have lost an entry due to storage being full.
PerformanceObserver.observe()
droppedEntriesCount
The droppedEntriesCount property is one of the options specified as the third parameter of the callback passed in the PerformanceObserver constructor. It provides the number of entries dropped due to the buffer being full.
PerformanceObserver
The EyeDropper API provides a browser-supplied eyedropper for the construction of custom color pickers. Creative applications built for the web could benefit from an ability to sample a color from pixels on the screen. Many OS applications, PowerPoint for example, have this ability but are unable to carry it over to their web equivalents. Even though some browsers have eyedropper capability built into <input type=color> elements, web applications are limited in their ability to integrate this into their custom color pickers since the eyedropper is generally accessible only through the non-customizable popup triggered by the <input> element.
<input type=color>
<input>
Chrome has updated the value provided by the Sec-CH-UA-Platform-Version on Windows to provide a reasonable level of fidelity to allow sites to identify meaningful Windows platform changes. This enables sites to deliver appropriate binary executables and help content specific to a particular operating system version. The current user agent string and existing Sec-CH-UA-Platform-Version implementation provides the major and minor version Windows components. However, as of Windows 10, Windows generally doesn't increase either of these numbers across significant releases. Notably, Windows 11 does not increase either of these numbers. You can find a table of value mappings to Windows releases in the UA Client Hints' repo issue 220.
Sec-CH-UA-Platform-Version
This function, available in windows and workers, allows developers to report errors to the console and any global "error" event handlers in the same way as an uncaught JavaScript exception. It is mainly useful for custom event-dispatching or callback-manipulating libraries. This allows library developers to report exceptions in the same way the browser does, which is useful when they need custom control over running the callback.
URLPattern is a new web API that provides operating system support for matching URLs given a pattern string. It can be used in JavaScript directly or by passing patterns to other web platform APIs such as, for example, as a service worker scope. Both web platform features and JavaScript applications often need to match against URLs. Examples include, service worker scopes on the web platform and URL routing in JavaScript frameworks. Past web platform features have individually created their own URL matching mechanisms. JavaScript has relied on libraries such as path-to-regexp.
This version of Chrome introduces the deprecations and removals listed below. Visit ChromeStatus.com for lists of current deprecations and previous removals.
Chrome is removing support for FTP URLs. Use of FTP in the browser is sufficiently low that it is no longer viable to invest in improving the existing FTP client. In addition, more capable FTP clients are available on all affected platforms. Google Chrome 72 and later removed support for fetching document subresources over FTP and rendering of top level FTP resources. Currently navigating to FTP URLs results in showing a directory listing or a download depending on the type of resource. A bug in Google Chrome 74 and later resulted in dropping support for accessing FTP URLs over HTTP proxies. Proxy support for FTP was removed entirely in Google Chrome 76. In Chrome 86 FTP support was turned off for pre-release channels (Canary and Beta) and experimentally turned off for one percent of stable users, though it could be reenabled via the command line. In Chrome 87 it was turned off for fifty percent of users but could also be enabled through the command line. Since Chrome 88, it was only available through a deprecation trial and is now disabled.
Most hostnames that aren't valid IPv4 addresses, but end in numbers are treated as valid, and looked up via DNS (for example, http://foo.127.1/). Per the Public Suffix List spec, the eTLD+1 of the hostname in that URL should be 127.1. If that is ever fed back into a URL, http://127.1/ is mapped to http://127.0.0.1/ by the URL spec, which seems potentially dangerous. 127.0.0.0.1 could also potentially be used to confuse users. URLs with these hostnames are now rejected.
http://foo.127.1/
127.1
http://127.1/
http://127.0.0.1/
127.0.0.0.1
Chrome now deprecates sharing WebAssembly modules between cross-origin, but same-site environments to allow agent clusters to be scoped to origins long term.
Chrome's legacy U2F API for interacting with security keys is deprecated and beginning a deprecation trial in Chrome 95 wherein the API remains enabled by default, but the trial token will disable the key for participating sites. U2F security keys themselves are not deprecated and will continue to work.
Affected sites should migrate to the Web Authentication API. Credentials that were originally registered via the U2F API can be challenged via web authentication. USB security keys that are supported by the U2F API are also supported by the Web Authentication API.
U2F is Chrome's original security key API. It allows sites to register public key credentials on USB security keys and challenge them for building phishing-resistant two-factor authentication systems. U2F never became an open web standard and was subsumed by the Web Authentication API (launched in Chrome 67). Chrome never directly supported the FIDO U2F JavaScript API, but rather shipped a component extension called cryptotoken, which exposes an equivalent chrome.runtime.sendMessage() method. U2F and Cryptotoken are firmly in maintenance mode and have encouraged sites to migrate to the Web Authentication API for the last two years.
chrome.runtime.sendMessage()
The following timeline is currently planned for deprecation and removal:
Stable as of August 31, 2021. Support added for the googleLegacyAppIdSupport extension.
Beta as of September 23, 2021. The following changes were implemented:
Beta expected in early January 2022, stable in February. The deprecation trial will continue, but its behavior will reverse: the API will be disabled by default, but may be kept alive by trial participants.
Back in May, we published an update on our User-Agent string reduction plans with a promise to publish further details on timing. Now that we have an origin trial ready for testing the Reduced User-Agent header (and associated JS interfaces) we have estimated timelines to share. What follows is repeated from the original blog post, but contains estimated Chrome versions where these Phases will begin to help you prepare.
The Chromium schedule dashboard will be useful for understanding dates associated with each Chrome version and its progression from Canary into Beta and Stable Release.
Note: The usual disclaimers about estimating engineering deadlines apply—unforeseen circumstances may dictate delays. But in the case that we encounter delays, we do not intend to accelerate timelines between Phases.
We plan to roll out these changes slowly and incrementally in 7 Phases—pending origin trial feedback.
Phase 1: Since Chrome 92 (July 20, 2021)
Call to Action (CTA): Audit your site usage to understand where migration may be necessary.
Warn about accessing navigator.userAgent, navigator.appVersion, and navigator.platform in DevTools, beginning in M92.
Phase 2: Chrome 95 to Chrome 100
CTA: Enroll in the origin trial for your site, and provide feedback until Chrome 101 is released.
Launch an origin trial for sites to opt into the final reduced UA string for testing and feedback, for at least 6 months.
We will evaluate feedback from origin trial partners and the community, and based on this feedback proceed to Phases 3 through 7 of our plan, giving the ecosystem adequate time to adapt in between them. Otherwise, depending on feedback we will reconsider the best course of action.
Phase 3: Chrome 100
CTA: Enroll in the deprecation trial or Enterprise policy for your site, when needed.
Launch deprecation trial and Enterprise policy, for instances where a site may need more time for migration.
Phase 4: Chrome 101
CTA: Ensure your site is compatible with the reduced Chrome version number, and migrate to UA Client Hints if not.
Ship reduced Chrome MINOR.BUILD.PATCH version numbers (“0.0.0”). Once rolled-out, the reduced UA string would apply to all page loads on desktop and mobile operating systems for sites that do not opt into the deprecation trial.
Phase 5: Chrome 107
CTA: Ensure your site is compatible with the reduced Desktop UA string and related JS APIs, and migrate to UA Client Hints if not.
Begin roll-out of reduced Desktop UA string and related JS APIs (navigator.userAgent, navigator.appVersion, navigator.platform). Once rolled-out, the reduced UA string would apply to all page loads on desktop operating systems for sites that do not opt into the deprecation trial.
Phase 6: Chrome 110
CTA: Ensure your site is compatible with the reduced Mobile UA string and related JS APIs, and migrate to UA Client Hints if not.
Begin roll-out of reduced Android Mobile (and Tablet) UA string and related JS APIs. Once rolled-out, the reduced UA string would apply to all page loads on Android that do not opt into the deprecation trial.
Phase 7: Chrome 113
Deprecation trial ends and all page loads receive the reduced UA string and related JS APIs.
See the companion Reduced User Agent string updates page for more details and example User Agent strings at each of these phases. We will note any significant delays or changes on this page as well.
Unless otherwise noted, changes described below apply to the newest Chrome beta channel release for Android, Chrome OS, Linux, macOS, and Windows. Learn more about the features listed here through the provided links or from the list on ChromeStatus.com. Chrome 94 is beta as of August 26, 2021.
Existing media APIs (HTMLMediaElement, Media Source Extensions, WebAudio, MediaRecorder, and WebRTC) are high-level and narrowly-focused. A low-level codec API would better support emerging applications, such as latency-sensitive game streaming, client-side effects or transcoding, and polyfillable media container support, without the increased network and CPU cost of JavaScript or WebAssembly codec implementations.
HTMLMediaElement
WebAudio
MediaRecorder
The WebCodecs API eliminates these deficiencies by giving programmers a way to use media components that are already present in the browser. Specifically:
This feature has also completed its origin trial in Chrome 93 and is now available by default. For more information, see Video processing with WebCodecs.
The WebGPU API is the successor to the WebGL and WebGL2 graphics APIs for the Web. It provides modern features such as "GPU compute" as well as lower overhead access to GPU hardware and better, more predictable performance. This is an improvement over the existing WebGL interfaces, which were designed for drawing images but could only be repurposed for other kinds of computations with great effort.
WebGPU exposes modern computer graphics capabilities, specifically Direct3D 12, Metal, and Vulkan, for performing rendering and computation operations on a graphics processing unit (GPU). Advantages of WebGPU over earlier technologies include:
This feature is starting an origin trial in Chrome 94 with the hope of shipping in Chrome 99. For more information, see Access modern GPU features with WebGPU.
It's difficult to build web apps that are responsive to user interaction and that remain responsive over time. Scripts are one of the primary culprits hurting responsiveness. Consider a "search-as-you-type" feature: an app with this capability needs to keep up with the user's typing at the same time that it is fetching and displaying results. This doesn't take into account anything happening on the page such as animation, which must be rendered smoothly.
The problem is usually tackled by chunking and scheduling main thread work, specifically executing work asynchronously at appropriate times. This approach has its own problems, including the fact that whatever priority the developer sets, it's still competing for time on the main thread, which doesn't recognize the developer's prioritization, and is also responsible for browser tasks such as fetch() operations and garbage collection.
fetch()
The scheduler.postTask() method fixes these scheduling dilemmas by letting developers schedule tasks (JavaScript callbacks) with an OS browser scheduler at three levels of priority: user-blocking, user-visible, and background. It also exposes a TaskController interface, which can dynamically cancel tasks and change their priority.
scheduler.postTask()
TaskController
This feature completed its origin trial in Chrome 93 and is now available by default in Chrome. For a list of other new and completed origin trials, see the Origin Trials section below.
In addition to the items above, this version of Chrome introduces the origin trials described below. Origin trials allow you to try new features and give feedback on usability, practicality, and effectiveness to the web standards community. To register for any of the origin trials currently supported in Chrome, including the ones described below, visit the Chrome Origin Trials dashboard. To learn more about origin trials in Chrome, visit the Origin Trials Guide for Web Developers. Microsoft Edge runs its own origin trials separate from Chrome. To learn more, see the Microsoft Edge Origin Trials Developer Console.
Chrome is testing a new HTTP status code: 103 Early Hints for preloading subresources earlier. When a 103 response includes <link rel=preload> or other link headers Chromium tries to preload (and/or preconnect, prefetch) specified resources before the final response is received. This gives web developers a way to optimize apps, sites, and pages.
<link rel=preload>
This update formalizes that the default color space for CanvasRenderingContext2D objects and ImageData objects is sRGB. This clarifies that the CanvasRenderingContext2D interface is fully color managed (that all inputs are converted to the canvas color space). These were previously conventions and not clearly specified. This updates makes the following changes:
CanvasRenderingContext2D
ImageData
Content displayed by CanvasRenderingContext2D is currently limited to the sRGB color space, which is less than the capabilities of modern displays and cameras. This feature allows creating a CanvasRenderingContext2D object that is in the Display P3 color space. This also clears up several points of ambiguity about the color behavior of CanvasRenderingContext2D.
The VirtualKeyboard interface has methods and properties to control when a virtual keyboard is shown or hidden. It also fires events with the size of the virtual keyboard when it occludes content in the page. The virtual keyboard is the on-screen keyboard used for input in scenarios where a hardware keyboard may not be available.
VirtualKeyboard
Unlike a hardware keyboard, a virtual keyboard can adapt its shape to optimize for the expected input. Developers have control over the displayed shape of the virtual keyboard through the inputmode attribute, but have limited control over when the virtual keyboard is shown or hidden.
inputmode
The transform-style: preserve-3d and perspective properties now align with the spec. The preserve-3d property allows child elements to participate in the parent's 3D scene, and the perspective property applies a perspective transform to child elements. Before this change, Chromium applied both of these effects based on the containing block hierarchy rather than the DOM tree, and allowed them to extend through elements without transform-related properties on them.
Chrome now supports the keywords content, min-content, max-content, and fit-content as values for the flex-basis property and its flex shorthand. The content keyword makes flex base size use the default sizing rules as if flex-basis and preferred size property (width or height) are both auto, ignoring any specified width or height in the main axis dimension when flex-basis is auto. The other keywords are the same as usual and give more options for specifying the flex base size.
content
min-content
max-content
fit-content
flex-basis
flex
width
height
auto
In responsive layouts, when adding or removing display:flex to a container, you previously had to sometimes add/remove values for each individual item. content eliminates the need in some situations.
display:flex
The scrollbar-gutter property provides control over the presence of scrollbar gutters (the space reserved to display a scrollbar), allowing developers to prevent layout changes as content expands while avoiding unwanted visuals when scrolling isn't needed. Note that the presence of the scrollbars themselves is determined by the overflow property. The choice of classical or overlay scrollbars is up to the user agent. This property provides developers with more control over how their layouts interact with the scrollbars provided by the browser.
scrollbar-gutter
overflow
This API lets developers manipulate raw media carried by MediaStreamTracks such as the output of cameras, microphones, screen captures or the decoder part of a codec and the input to the decoder part of a codec. It uses WebCodecs interfaces to represent raw media frames and exposes them using streams, similar to the way the WebRTC Insertable Streams exposes encoded data from RTCPeerConnections. Example use cases include funny hats and real-time object identification and annotation.
MediaStreamTracks
With the removal of Flash, there is no longer a need to return anything for navigator.plugins and navigator.mimeTypes. These APIs were used primarily for:
navigator.plugins
navigator.mimeTypes
Some sites use these APIs to probe for PDF viewer support. With this change, these arrays will return fixed lists containing a standard list of PDF viewer plugins.
Note that this is not the removal or change of any API, it is merely the return of fixed arrays for these two existing APIs.
This version of Chrome incorporates version 9.4 of the V8 JavaScript engine. It specifically includes the change listed below. You can find a complete list of recent features in the V8 release notes.
Chrome now supports a web-exposed sampling profiler for measuring client JavaScript execution time. Gathering JavaScript profiles from real users can help developers debug slow observed performance without invasive manual instrumentation.
WebSQL in third-party contexts is now deprecated. Removal is expected in Chrome 97. The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated in in 2019. The W3C encourages Web Storage and Indexed Database for those needing alternatives.
Developers should expect that WebSQL itself will be deprecated and removed when usage is low enough.
Private network requests for subresources may now only be initiated from a secure context. Private network requests are those initiated from a public network, targeting a private network. Examples include internet to intranet requests and intranet loopbacks.
This is a first step towards fully implementing Private Network Access. Servers running inside local networks, or on a user's device, expose powerful capabilities to the web in ways that can be quite dangerous. Private Network Access proposes a set of changes to limit the impact of requests to these servers by ensuring that the servers are opting-into any communication with external entities.
For this opt-in to have any meaning, the servers need to be able to ensure that the client origin is authenticated. To that end, only secure contexts are empowered to make external requests.
Unless otherwise noted, changes described below apply to the newest Chrome beta channel release for Android, Android WebView, Chrome OS, Linux, macOS, and Windows. Learn more about the features listed here through the provided links or from the list on ChromeStatus.com. Chrome 93 is beta as of July 29, 2021.
Cross-origin no-CORS requests can now be made to omit credentials (cookies, client certificates, etc.) using the credentialless keyword. Similarly to COEP: require-corp, it can enable cross-origin isolation.
credentialless
COEP: require-corp
Sites that wish to continue using SharedArrayBuffer must opt-in to cross-origin isolation. Today, COEP: require-corp exists, and is used to enable cross-origin isolation. It is functional and solid, but turns out to be difficult to deploy at scale, as it requires all subresources to explicitly opt-in. This is fine for some sites, but creates dependency problems for sites that gather content from users (Google Earth, social media generally, forums, etc.).
SharedArrayBuffer
The Multi-Screen Window Placement API allows you to place windows on any display connected to your machine, store that placement, and make a window full-screen on any display. With this API, a presentation app can show slides on one screen and speaker notes on another. An art or music creation app can place palettes on a second screen. And a restaurant can show a touchscreen menu on a kiosk and a separate window for employees. Incorporating developer feedback from the first origin trial, the API enters a second origin trial with an improved shape and ergonomics.
Window controls overlay extends an app's client area to cover the entire window, including the title bar, and the window control buttons (close, maximize/restore, minimize). The web app developer is responsible for drawing and input-handling for the entire window except for the window controls overlay. Developers can use this feature to make their installed desktop web apps look like O.S. apps. For more information, see Customize the window controls overlay of your PWA's title bar.
PWA as URL Handlers allows apps like music.example.com to register themselves as URL handlers for URLs that match patterns like https://music.example.com, https://*.music.example.com, or https://🎵.example.com, so that links from outside of the PWA, for example, from an instant messenger application or an email client, open in the installed PWA rather than in a browser tab.
music.example.com
https://music.example.com
https://*.music.example.com
https://🎵.example.com
Web Bundles provides a new approach to load a large number of resources efficiently using a format that allows multiple resources to be bundled. This feature addresses issues with previous approaches to resource bundling.
The output of some JavaScript bundlers does not interact well with the HTTP cache and configuring them can sometimes be difficult. Even with bundled JavaScript, execution needs to wait for all bytes to download. Ideally loading multiple subresources should use streaming and parallelization, which is not possible with one JavaScript file. For JavaScript modules, execution still needs to wait for an entire resource tree to download because of deterministic execution.
WebXR applications can now retrieve data about planes present in a user's environment, which enables augmented reality applications to create more immersive experiences. Without this feature, developers would have to resort to running their own computer vision algorithms on data from getUserMedia() (available on navigator and MediaDevices) in order to detect planes present in the users' environment. Such solutions have thus far been unable to match the quality and accuracy of native augmented reality capabilities or support world scale.
getUserMedia()
navigator
MediaDevices
AbortSignal.abort() is a static method that allows creating a new AbortSignal object that is already aborted. It is similar in spirit to Promise.reject(), and provides improved developer ergonomics.
AbortSignal.abort()
AbortSignal
Promise.reject()
Web developers have found aborted AbortSignal objects to be useful for a variety of purposes. They signify to JavaScript APIs that no work should be done. Currently, creating an already-aborted AbortSignal object requires multiple lines of code. AbortSignal.abort() requires one: return AbortSignal.abort();
return AbortSignal.abort();
The flexbox and flex items now obey positional alignment keywords. Flexbox previously only obeyed center, flex-start, and flex-end. The additional alignment keywords (start, end, self-start, self-end, left, right) allow authors to more easily align the flex items in the face of varying writing modes and flex flows.
center
flex-start
flex-end
start
end
self-start
self-end
left
right
Without these additional keywords, developers need to change the keyword values whenever they change the writing mode, text direction, or flex reversal properties (flex-direction: row-reverse, flex-direction:column-reverse or align-content: wrap-reverse). The keywords implemented here let them set alignment once.
flex-direction: row-reverse
flex-direction:column-reverse
align-content: wrap-reverse
The Error() constructor supports a new options property called cause, which will be assigned to the error as a property. This allows errors to be chained without unnecessary and overelaborate formalities on wrapping the errors in conditions.
Error()
The meta element's "media" attribute will be honored for meta[name="theme-color"] so that web developers can adjust the theme color of their site based on a media query (dark and light modes for instance). The first one that matches will be picked.
meta[name="theme-color"]
The HTMLMediaElement.controlsList property now supports noplaybackrate, which allows websites to enabled or disable the playback speed control exposed by the browser. With browser vendors adding playback speed control to their media controls, developers should have a way to control the visibility of this new control. Try the new property on the noplaybackrate in HTMLMediaElement.controlsList Sample.
noplaybackrate
HTMLMediaElement.controlsList
The CSS user preference media feature prefers-color-scheme has a potentially significant impact on the amount of CSS that needs to be delivered by a page and on the experience the user is going to have when the page loads. The new Sec-CH-Prefers-Color-Scheme client hint header allows sites to obtain the user's preference optionally at request time, allowing servers to inline the right CSS and therefore avoid a flash of incorrect color theme.
prefers-color-scheme
Sec-CH-Prefers-Color-Scheme
This version of Chrome adds four new features and changes to the User-Agent client hints API.
Sec-CH-UA-Platform
Low-entropy hints are those that don't give away too much information, or give information that would be too easy to discover in other ways to realistically hide. In the context of client hints, this means that these hints are available in every request, whether or not the origin involved requested it or whether the frame involved is a first or third party context.
The WebOTP API will now be supported on desktop when both Chrome on Desktop and Android Chrome are logged in using the same Google account. The WebOPT API provides the ability to programmatically read a one-time code from specially-formatted SMS messages addressed to their origin, reducing user friction during sign-on. Previously, this was only available on mobile devices where SMS was supported.
This version of Chrome incorporates version 9.3 of the V8 JavaScript engine. It specifically includes the changes listed below. You can find a complete list of recent features in the V8 release notes.
Object.hasOwn, a new boolean property, provides an easier-to-use, static method version of Object.prototype.hasOwnProperty.
Object.hasOwn
Object.prototype.hasOwnProperty
Connections to HTTP, HTTPS or FTP servers on ports 989 and 990 now fail. These ports are used by the FTPS protocol, which has never been implemented in Chrome. However, FTPS servers can be attacked in a cross-protocol attack by malicious web pages using carefully-crafted HTTPS requests. This is a mitigation for the ALPACA attack.
Chrome has now removed support for the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. TLS_RSA_WITH_3DES_EDE_CBC_SHA is a remnant of the SSL 2.0 and SSL 3.0 era. 3DES in transport layer security (TLS) is vulnerable to the Sweet32 attack. Being a CBC cipher suite, it is also vulnerable to the Lucky Thirteen attack. The first replacement AES cipher suites were defined for TLS in RFC3268, published around 19 years ago, and there have been several iterations since.
WebAssembly module sharing between cross-origin but same-site environments will be deprecated to allow agent clusters to be scoped to origins long term. This follows a WebAssembly specification change, which has an impact on the platform as well.
