Google yesterday released Chrome 84, the first upgrade in almost two months, with changes to how some notifications are displayed and a restart of the SameSite cookie enforcement that was postponed this spring.
The search giant also paid out more than $21,000 in bounties to researchers who reported some of the 38 vulnerabilities patched in Chrome 84. One of the flaws was marked “Critical,” Google’s most-serious threat ranking, with another seven tapped as “High,” the second-most dire. Google had not yet decided on rewards for the critical bug and four of the High-rated flaws.
Chrome 84’s sole critical bug was reported to Google only on July 8 by researchers at 360 Alpha Lab, an arm of the Chinese security vendor 360. Google said that the vulnerability was a “heap buffer overflow” in the browser’s background fetch.
Chrome updates in the background, so most users can finish the refresh by relaunching the browser. To manually update, select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right; the resulting tab shows that the browser has been updated or displays the download process before presenting a “Relaunch” button. Those who are new to Chrome can download version 84 for Windows, macOS and Linux directly.
Google updates Chrome approximately every six weeks; the previous upgrade was released May 19.
Note: Google suspended Chrome releases in mid-March because of the coronavirus pandemic and its impact on businesses. Chrome 81 was slated to launch March 16 but was postponed three weeks. Google skipped Chrome 82 and resumed upgrade numbering with Chrome 83. The eight weeks between Chrome 83 and 84 were an unusual length of time; through year’s end, Chrome will upgrade every six weeks.
Shutting up obnoxious notification demands
Just days into 2020, Google outlined a quieter notification system created after customers complained of irritating interruptions as site after site bombarded them with requests to enable in-browser notifications.
The plan then was that Chrome 80, slated to ship in early February, would kick off a less intrusive practice and a minimalist UI (user interface). But only a few received the changes. And then came the pandemic.
Chrome 84 finally institutes the revamped notification process, although it’s disabled by default. To switch it on, users can head to Settings > Advanced > Privacy and security > Site Settings > Notifications, then toggle “Use quieter messaging (blocks notification prompts from interrupting you)” to block the usual notification pop-ups.
Previously, Google said it would automatically enable the quieter UI for those who “repeatedly deny” notification requests from sites. Google will also automatically silence those sites it decides abuse the notification system.
Part of the new UI helps users defend themselves from repeated notification requests from the same website. A bell-style icon in the address bar – emblazoned with a strike-out – leads to a dialog that offers “Continue blocking” as a choice.
Chrome 84 includes other, somewhat similar, new features or functionality. Among them: warnings when executable files begin downloading from a secure page (one marked as HTTPS) but actually transfer the bits over an insecure HTTP connection. When Google announced the new alerts in early February, one of its security engineers noted, “These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.”
Five months ago, these warnings were to debut in Chrome 82, the upgrade Google skipped because of the pandemic. They were later rescheduled to start with Chrome 84. In the latest Chrome, .exe format files – called “executables” – downloaded over an insecure connection will trigger a warning only. In Chrome 85, now set to release Aug. 25, .exe files will be blocked from downloading over such connections.
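The download warning described above applies to one specific combination: an executable reached from an HTTPS page but actually fetched over plain HTTP. As an added example (not code from the article or from Google), the function below audits a page’s link targets for exactly that combination so a site operator can find such links before Chrome 85 starts blocking them. It assumes the simple rule the article states (HTTPS page, `http:` target, `.exe` extension) and does not model redirects that happen after the first request.

```javascript
// Added example, not from the article: flag links that would trigger Chrome 84's
// insecure-executable-download warning. Relative and protocol-relative links are
// resolved against the page URL, so only absolute http: links to .exe files are
// reported when the page itself is served over HTTPS.

/**
 * @param {string} pageUrl  - URL of the page containing the links (must be https: to matter)
 * @param {string[]} hrefs  - raw href values found on the page
 * @returns {{href: string, resolved: string}[]} links that download an .exe over plain HTTP
 */
function findInsecureExecutableDownloads(pageUrl, hrefs) {
  const page = new URL(pageUrl);
  // The warning only concerns downloads started from a secure (HTTPS) page.
  if (page.protocol !== 'https:') return [];

  const findings = [];
  for (const href of hrefs) {
    let target;
    try {
      target = new URL(href, page); // resolves "setup.exe" and "//cdn/x.exe" against the page
    } catch {
      continue; // malformed href: nothing to fetch, nothing to warn about
    }
    const isExecutable = target.pathname.toLowerCase().endsWith('.exe');
    if (target.protocol === 'http:' && isExecutable) {
      findings.push({ href, resolved: target.href });
    }
  }
  return findings;
}

// Constructed sample input: a mix of absolute, relative and protocol-relative links.
const sampleHrefs = [
  'http://cdn.example.net/setup.exe',   // absolute http: -> flagged
  'setup.exe',                          // relative -> inherits https, not flagged
  '//cdn.example.net/tool.exe',         // protocol-relative -> https on an https page
  'http://example.com/readme.txt',      // http: but not an executable
  'javascript:void(0)',                 // not a network fetch at all
];

function sampleAudit() {
  return findInsecureExecutableDownloads('https://example.com/downloads/', sampleHrefs);
}
```

Running `sampleAudit()` reports only the first link; the relative and protocol-relative entries resolve to HTTPS and are safe as written.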
Getting tougher on some cookies
Another function Google previously postponed made an appearance in Chrome 84: SameSite.
SameSite, which has also been promoted by rivals Mozilla and Microsoft, was designed to give website developers a way to control which cookies can be sent by a browser and under what conditions.
Under the new classification rules, cookies set by a third party – that is, not by the site the user is visiting – must be explicitly marked for cross-site use and may be sent only over secure connections. Cookies without a SameSite attribute are treated as first-party-only by default; third-party cookies, such as those an ad distributor uses to track users, won’t be sent in cross-site requests if they lack that attribute.
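To make the classification rules concrete, here is an added example (not code from the article or from any browser) that models how a browser applying the resumed SameSite defaults decides whether a cookie accompanies a cross-site request. It assumes the rules Chrome introduced with version 80: a cookie with no `SameSite` attribute is treated as `Lax` (sent cross-site only on top-level GET navigations), and `SameSite=None` is honoured only when the cookie also carries `Secure`; a `None` cookie without `Secure` is rejected outright. The `parseSetCookie` helper and the `ctx` request-context shape are assumptions of this example.

```javascript
// Added example, not from the article: a small model of SameSite cookie handling
// under the defaults Chrome 84 resumes enforcing. Assumed rules: missing SameSite
// means Lax; SameSite=None requires Secure or the cookie is dropped.

/**
 * Parse a Set-Cookie header value into { name, value, attrs }.
 * Attribute names are lowercased; bare flags such as "Secure" become true.
 */
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = eq < 0 ? '' : pair.slice(0, eq).trim();
  const value = eq < 0 ? pair.trim() : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const [k, v] = part.split('=');
    if (k.trim() === '') continue;
    attrs[k.trim().toLowerCase()] = v === undefined ? true : v.trim();
  }
  return { name, value, attrs };
}

/**
 * Effective SameSite treatment of a cookie: 'strict', 'lax', 'none', or
 * 'rejected' when the browser would refuse to store it (None without Secure).
 */
function effectiveSameSite(cookie) {
  const declared = String(cookie.attrs.samesite || '').toLowerCase();
  if (declared === 'none') {
    return cookie.attrs.secure === true ? 'none' : 'rejected';
  }
  if (declared === 'strict') return 'strict';
  // 'lax', missing, or unrecognized: the new default is Lax.
  return 'lax';
}

/**
 * Would the cookie be attached to a request made from a different site?
 * ctx.topLevelNavigation: true when the user navigates (e.g. follows a link),
 *                         false for embedded fetches such as images or iframes
 * ctx.method:             HTTP method of the request
 * (Chrome's temporary "Lax+POST" allowance for cookies younger than two minutes
 *  is deliberately not modelled here.)
 */
function sentCrossSite(cookie, ctx) {
  switch (effectiveSameSite(cookie)) {
    case 'rejected': return false;          // never stored, so never sent
    case 'none':     return true;           // explicitly opted in to cross-site use
    case 'strict':   return false;          // first-party only, even on navigation
    case 'lax':
    default:
      return ctx.topLevelNavigation === true && ctx.method.toUpperCase() === 'GET';
  }
}

// Constructed sample headers: a legacy session cookie with no SameSite attribute
// and an ad-tracking cookie declared with and without Secure.
const legacySession = parseSetCookie('sid=abc123; Path=/; HttpOnly');
const trackerNoSecure = parseSetCookie('adid=xyz; SameSite=None');
const trackerSecure = parseSetCookie('adid=xyz; SameSite=None; Secure');

function demo() {
  const embedded = { topLevelNavigation: false, method: 'GET' };
  const navigation = { topLevelNavigation: true, method: 'GET' };
  return {
    legacyInEmbed: sentCrossSite(legacySession, embedded),      // false: Lax by default
    legacyOnNav: sentCrossSite(legacySession, navigation),      // true: top-level GET
    trackerNoSecure: sentCrossSite(trackerNoSecure, embedded),  // false: rejected
    trackerSecure: sentCrossSite(trackerSecure, embedded),      // true: None + Secure
  };
}
```

The practical takeaway for site operators is visible in `demo()`: a cookie that worked cross-site before only because it had no `SameSite` attribute stops flowing to embedded requests, and the fix is to declare `SameSite=None; Secure` explicitly, which in turn requires serving the cookie over HTTPS.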
SameSite enforcement was always to roll out slowly, starting with a few users before expanding to larger and larger pools. First steps were taken with small numbers of Chrome 80 users early in the year, but with the impact of the pandemic, Google reversed course. Just days before Chrome 81’s delayed launch, the Mountain View, Calif. company said it had paused the SameSite roll-out for fear that it might disrupt “essential services” rendered by the websites of banks, grocery stores, government agencies and healthcare organizations.
At the time, Google said it would resume enforcement later in the year, perhaps over the summer.
That time has apparently come.
Google did point out that enforcement would be introduced over time. “To reduce disruption, the updates will be enabled gradually, so different users will see it at different times,” the company said in release notes for enterprise users and administrators.
Other stuff, and enterprise too
Some Chrome 84 users, Google said, will see power savings as their browser suspends painting of pages that are obscured by other windows.
This had been on Chrome 81’s to-do list at one point, but was punted, first to Chrome 83 and then to 84; Google blamed “incompatibilities with some virtualization software.” The roll-out of this function will continue in next month’s Chrome 85.
Enterprise admins who manage Chrome within their organizations can downgrade the browser to an earlier version. (See this support document for the necessary steps.) To assist in downgrading, Chrome retains one or more “snapshots” of User Data, also called the user’s profile, which contains information including browser history, saved bookmarks and stored cookies. In Chrome 84, administrators can use the UserDataSnapshotRetentionLimit group policy to set the number of snapshots to be saved.
Chrome’s next upgrade, to version 85, is slated to ship on Aug. 25.