Tag: chrome

Google Chrome is getting an automatic picture-in-picture mode

Posted on by Martin Brinkmann

Google plans to roll out an automatic picture-in-picture mode in Chrome 134. The browser will be released next month. When it does, Chrome may continue to show video content on certain sites when the user scrolls away from the video content.

This feature works for the most part identical to that of Mozilla Firefox, which has had the feature for some time now.

Google has added a few safeguards to the feature. In particular, automatic picture-in-picture kicks only in if..

  • The site uses a secure connection (https).
  • Media is playing in the active window / tab.
  • Media played with sound for at least two seconds.
  • The media player needs to have set a handler for picture-in-picture.
  • Google uses heuristics next to that using media engagement, unless you explicitly allow a site to enable the mode.

Chrome users may allow or disallow automatic picture-in-picture mode, which gives them control over the feature.

Enable or disable Chrome’s auto picture-in-picture feature

You can give it a try in Chrome 134 or newer by following these instructions:

  1. Load chrome://flags/#auto-picture-in-picture-for-video-playback in the Chrome 134 or newer address bar.
  2. Set the value of the feature to enabled.
  3. Restart Google Chrome.

Note: the feature won’t be available on all sites at the time of writing. It does not work on YouTube for instance.

If you do not need the feature, you could set the value of the experimental flag to disabled to block it. This flag will be removed in the future though, which means that you do need to make changes to the settings in Chrome at that point to disable automatic picture-in-picture mode in Google Chrome.

Since it launches in Chrome, it is likely that it will also launch in other Chromium-based browsers in the future.

What is your take on this feature in general? Do you use it in another browser already? Feel free to leave a comment down below.

Chrome

How to remove Google Lens from Chrome’s address bar

Posted on by Martin Brinkmann

If you still use Google Chrome, then you may have noticed that the browser displays a Google Lens entry in the address bar. It is still rolling out I guess, but more and more installations get this.

With Google Lens integration, Chrome users may run searches for anything that they see on the page. So, activate Google Lens with a click or tap, and then draw around the element on the page that you want to know more about.

You can select text and run a search, but this is not really new, as you can do so easily already in all browsers. Lens lets you select anything though, which means that you can search for images or elements in images, and also text in images that you cannot select using basic text selection options in browsers.

Google Chrome with Google Lens visible in address bar.
Google Lens in the address bar of Google Chrome

Google Lens in Chrome depends on Google Search as the default search provider. It is also good to know that page data is transferred to Google whenever Lens is used in Chrome.

Some Chrome users will find Lens useful. Not for plain text, as you can do so already. Maybe for quick translating, but the core use is to search for anything that cannot be selected individually. So, a person in an image, text shown in videos or images, or any other element that is shown on the screen.

How to disable Google Lens in Chrome

Google Lens disable
Set Lens Overlay to Disabled to turn off Google Lens in Chrome

You can, at least temporarily, disable Google Lens in Chrome. Here is how this is done:

  1. Load chrome://flags/#enable-lens-overlay in the address bar.
  2. Set the status of Lens overlay to Disabled.
  3. Restart Google Chrome.

This disables the interface in Chrome.

Note: Experimental Flags like Lens Overlay may come and go at any time. It is possible that Google is going to remove the flag in a future version of Chrome. This would remove the option to disable Google Lens in Chrome, unless Google decides to integrate an option in the Chrome Settings.

What is your take on Google Lens in Chrome? Something that you would use, maybe if launched in a different browser. Feel free to leave a comment down below.

Chrome

Google Chrome 130: fixes 17 security issues

Posted on by Martin Brinkmann

Google released a new stable version of its Chrome browser today. The new version is a security and feature update.

As far as security is concerned, users no longer have to worry about 17 security issues, as Google patched them in the new release.

Three of the publicly disclosed one are rated high, which comes second only to critical. Google makes no mention of exploits in the wild, which means that it is not aware of attacks targeting any of the fixed issues.

Chrome users may want to upgrade the web browser to the latest version as soon as possible. This is done automatically on most systems, but you may speed up the installation on the desktop by selecting Menu > Help > About Google Chrome.

Windows users may also run winget upgrade google.chrome.exe to upgrade the browser from the command line.

Did you know?

Chrome for Android may move and delete Tabs automatically

You can check out the full list of disclosed vulnerabilities that Google patched in Chrome here.

As far as new features or changes are concerned, there is little information from Google about those.

Developers may check out the Platform Status page for Chrome 130 to get an overview of development related changes.

The Enterprise and Education lists some of the changes that apply to users.

Here are the most noteworthy ones:

  • Chrome is going to start to display “small chips” after certain user actions. The example that Google gives is that when users add something to the reading list, Chrome displays a Toast that confirms the action and offers a link to the reading list side panel.
  • Some users get a new account menu when they select the avatar in Chrome for iOS on the new tab page.
  • PDFs display “seamlessly” in Chrome 130 for Android now.
  • Chrome freezes a tab that “has been hidden and silent for more than 5 minutes and uses a lot of CPU” when Energy Saver is enabled. TAbs with audio- or video-conferencing functionality and tabs that control external devices are exempt.
  • Chrome’s URL parser parses non-special URLs correctly now.
  • Chrome on Android supports third-party autofill and password providers now.

Google has also started to turn off classic extensions for first users.

Chrome for Android may move and delete Tabs automatically

Posted on by Martin Brinkmann

Google released Chrome 129 today for Android and desktop systems. The update fixes a few security issues and introduces new features and changes as well.

One change in particular affects users of Chrome on Android: the automatic handling of inactive tabs.

Once updated to Chrome 129 on Android, the browser will move inactive tabs to a new group automatically. There, the tabs remain for a period of 60 days before they are deleted automatically according to Google.

Tip: Switching from Chrome to Firefox is easier than ever before. If you worry about disabled or crippled extensions, Firefox is your best bet to avoid this.

Note: Whether the deleting is enabled by default is unclear. Google says that the tabs will get deleted automatically, but it was disabled in Chrome 129 Beta.

When is a tab considered inactive? Google moves tabs to the Inactive Tabs group after 14 days of inactivity. Inactivity means that the tab was not activated in that time in Chrome.

Chrome for Android's new Inactive menu.

Good news is that you may change the functionality in the settings. Here is how that is done:

  1. Open Google Chrome on the Android device.
  2. Select Menu > Settings to open the preference.
  3. Activate Tabs there to display tab-related settings.
  4. Tap on Inactive to customize the functionality.
  5. Set the period to 7 days, 14 days, 30 days, or never. The default is 14 days.
  6. Toggle “Close after 60 days” to enable or disable the auto-delete feature.

Google says that the feature is designed to reduce Chrome’s memory usage and to improve the accessibility of tabs in the browser.

Deleted tabs remain accessible through the browsing history, but only if it has not been deleted.

Chrome users who do not want inactive tabs to be moved to the new group should set the functionality to Never. This ensures that Chrome won’t move inactive tabs out of sight or delete them after the inactivity period.

How do you handle tabs in your browser? Keep everything open? Use bookmarks? Start afresh on every start? Feel free to leave a comment below.

0.0.0.0 Day: decade-old vulnerability affects all browsers

Posted on by Martin Brinkmann

Security researchers have disclosed a vulnerability that affects all modern browsers. What makes it particularly worrisome is that it has been known for 18 years; that goes back to a time before Google even thought of creating Chrome.

The details:

  • The researchers call the issue 0.0.0.0 Day.
  • It allows malicious websites to interact with services that run on the local network.
  • This could lead to unauthorized access or remote code execution attacks on local services from outside the local network.

In other words: the security issue allows the circumvention of security protections by malicious websites. Chromium’s Private Network protection does not protect against this, neither does Firefox. Apple’s Safari browser was also vulnerable, but the company has released a patch that blocks access to 0.0.0.0.

The blog post provides a technical description of the vulnerability. It also explains why it took this long to react on it.

The researchers found a Mozilla bug listing that dates back 18 years. It shows that the developers were not sure whether the reported bug was a security issue, a bug, or no flaw at all.

How Google, Mozilla, and Apple plan to react

Researchers at Oligo disclosed the vulnerability to security teams of major browsers in April 2024.

  • Google: plans to block access starting in Chrome 128 and finalize the rollout by Chrome 133. Other Chromium-based browsers will get this as well.
  • Apple: has implemented a change that blocks destination host IP addresses, if the IP is all zeroes.
  • Mozilla: fix is in progress. Firefox is special, as it never restricted Private Network Access in first place. Will implement Private Network Access, but no ETA on this one.

The fixes are important, but so is standardization of the issue. HTTP requests to 0.0.0.0 should be added to security standards according to the security researchers.

Closing Words

The security researchers note that use of 0.0.0.0 on the Web is on the rise. They use counters provided by Chromium for this. According to those, it is used by 0.015% of all websites. While that may not sound like much, it equates to roughly 100,000 public websites that may communicate with 0.0.0.0.

Malicious actors may exploit the issue in their attacks. Oligo points out that ShadowRay, a recent attack that targets AI workloads, could be executed from browsers using 0.0.0.0 as the attack vector.

It is unclear if browser extensions such as Port Authority for Firefox provide protection against this kind of attack.

What is your take on this new vulnerability? Seems that there is always something new, or shall I say old, that is affecting the security of browsers. (via Born)

Chrome

Keep on blocking in a free world: how to switch from Chrome to Firefox

Posted on by Martin Brinkmann

Google Chrome users who have extensions installed may soon have some or even all of their installed extensions disabled by Google.

While all browser extensions may be impacted, it is ad blockers and privacy extensions that are impacted the most.

One example: uBlock Origin, arguably the most loved and powerful content blocker available for browsers, will not be offered anymore for Chrome and all other Chromium-based browsers.

This means that you cannot install the browser extension anymore in Chrome, Microsoft Edge, Vivaldi, Opera, and myriads others.

One exemption: Brave Software revealed recently that it plans to continue support for uBlock Origin. This would be the one exemption at the time of writing.

The developer of uBlock Origin has created a lite-version of the extension. Called uBlock Origin Lite, it remains available for Chrome. Its functionality is reduced, however.

Furthermore, users of Chrome who use uBlock Origin need to download and install uBlock Origin Lite manually. A click on the “find alternative” button in Chrome

How to find out if you are impacted by the change

Chrome Extensions Support
Google Chrome highlights extensions that will soon no longer be compatible with the browser

Do the following to find out if extensions that you have installed in Chrome are impacted:

  • Load chrome://extensions/ in the browser’s address bar. You may also open the page manually by going to Menu > Extensions > Manage Extensions.
  • If you see “These extensions may soon no longer be supported” at the top, you are affected by the change.

Tip: you can check out a detailed guide about this here.

Google lists all incompatible extensions. Each features a “find alternative” button, which opens a special page on the Chrome Web Store that highlights extensions that continue to remain compatible with Chrome in the future.

For uBlock Origin, Google suggests the following options:

  • uBlock Origin Lite
  • Adblock Plus
  • Stands Adblocker
  • Ghostery Tracker & Adblocker

While all block ads, none offers the functionality of uBlock Origin.

What you can do about it

You have just a few options at this point:

  1. Keep on using Chrome until Google disables the extensions. You may then extend support for about a year using Enterprise policies.
  2. Keep on using Chrome and use a different browser extension that works for you, hoping that Google does not introduce any other changes in the future that may impact it.
  3. Switch to Brave Browser. This is a valid option only if you want to keep on using uBlock Origin, AdGuard, uMatrix, or NoScript.
  4. Switch to Firefox or a Firefox-based browser. The extensions, including uBlock Origin, remain available and maintained for Firefox.

The first option is valid for all Chromium-based browsers, but it is temporary only. Google will remove the Enterprise policy next year, and that marks the end of support in Chrome.

As you see, you have a few options only. While you could keep on using a Chromium-based browser, Brave Browser, it is unclear for how long Brave will support the four special extensions.

Admittedly, it is also unclear for how long Mozilla will support the old extensions system. If it sees an uptick in users, as some Chrome users may migrate to Firefox because of the changes Google implements, it could very well be for a long time.

Are you affected by the change? Do you have any extensions that you rely on that would make you switch browsers, if your current favorite would not support them anymore? Feel free to leave a comment down below.

Google is testing a compact mode in Chrome

Posted on by Martin Brinkmann

Whenever there is an option to turn on a compact mode, I pick it. The main reason for that is that compact mode removes whitespace so that more content is displayed on the screen at the same time.

Google is testing a compact mode for its Chrome web browser. An experimental flag was added in Chrome Canary that adds the mode to the browser.

Compact Mode reduces the height of the user interface elements tabstrip and other toolbars, including the bookmarks toolbar. Google says that this frees up space for web content.

Here is how you enable it:

  1. Load chrome://flags/#compact-mode in the browser’s address bar.
  2. Set the status of the experimental flag to Enabled.
  3. Restart Google Chrome.
  4. Right-click on a blank spot on the tabstrip and select Toggle Compact Mode.

The change is immediate, a restart of the browser is not required. Repeat the steps listed above to restore the regular interface of the Chrome browser.

Chrome Compact Mode vs. Normal Mode

Here is a before and after screenshot for comparison:

The normal Chrome user interface
The normal Chrome user interface
The new Compact interface of the Chrome browser
The new Compact interface of the Chrome browser

The height of the toolbars is reduced, which means that they take up less space. It is a useful feature for users who want compact toolbars to free up room for web content displayed in the browser.

Note: Google lists compact mode as a prototype right now. Since it is an experimental flag, it is not guaranteed that the feature will make it into stable Chrome. It could change before it lands or it could be pulled entirely by Google before Stable users can set their sights on the feature.

Closing Words

I prefer compact modes, but this is not enough to convince me to make Chrome my default browser. It would go too far to list my reasons here, but I prefer browsers that are not run by advertising companies.

What is your preference? Compact Mode all the time or do you prefer other modes? Feel free to leave a comment down below.

Chrome

Report: Google sneaked in code in Chrome that is favoring Google

Posted on by Martin Brinkmann

A report suggests that Google has sneaked code into Chromium-based browsers that is favoring Google-owned properties. Browsers like Chrome, Brave, and Microsoft Edge appear affected.

If true, it would give critics of Google’s dominance in web browsing a mighty powerful argument.

Here are the details: Google Chrome and other Chromium-based browsers give *.google.com sites full access to system / tab CPU usage, GPU usage, memory usage, detailed processor information, and a logging backchannel.

Luca Casonato published information about this on X and Simon Willison published code that anyone may run to verify the claim.

Chrome returning information on google-owned properties
The information that Chrome reveals to Google when the code is run

Here is how that is done:

  1. Open Google Chrome on your system.
  2. Load https://www.google.com/ or any other *.google.com property.
  3. Select Menu > More Tools > Developer Console.
  4. Switch to the Console tab, if it is not active already.
  5. Type allow pasting.
  6. Paste the following code: chrome.runtime.sendMessage(‘nkeimhogjdpnpccoofpliimaahmaaome’, {method: ‘cpu.getInfo’}, response => {console.log(JSON.stringify(response, null, 2));});
  7. Press the Enter-key.

Chrome returns information when the code is run on a Google property. It returns an error message when you run it on any other site.

The code is accessible on the Chromium Code Search website. You can load it here and check it out yourself.

Casonato suggests that the exclusive feature is a violation of the Digital Markets Act as browser vendors “must give the same capabilities to everyone”.

Closing Words

It is unclear if and how Google is using the information. Casonato says that he does not believe that the company uses it for something malicious or invasive, such as fingerprinting.

Still, Google favoring Google in Chrome and Chromium-based browsers is giving critics of Google’s dominance in web browsing another reason why a browser monopoly or duopoly (if you consider Safari), is bad for users.

It is also interesting to note that other Chromium-based browsers have kept the code in their browsers. It is unclear why.

Which browser do you use mainly and why?

Google Chrome 126

Google Chrome 126 fixes 21 security issues

Posted on by Martin Brinkmann

Google released a new stable version of its Chrome web browser for all supported platforms. Chrome 126 is a security update first and foremost, but it makes non-security changes to the browser as well.

The security update is available already. Google rolls out these updates over the course of days and weeks. Most Chrome installations are updated automatically, thanks to the built-in updating system.

Desktop users may install the update quicker by opening Menu > Help > About Google Chrome. Chrome displays the installed version on the page that opens and runs a check for updates. The browser will download any new version it finds.

Chrome 126: the security fixes

Google mentions that it has fixed 21 unique security issues in Chrome 126. It lists only externally reported issues on the page. All of these are rated high or lower, and there does not seem to be a(nother) 0-day issue that is affecting the browser at this time.

The security issues rated high type confusion, use after free, heap buffer overflow, and inappropriate implementation issues.

The non-security changes of Chrome 126

Here is an overview of important non-security changes in the new Chrome release:

  • OCR-AI Reader for inaccessible PDF documents that creates a “built-in PDF screen reader”.
  • Beginning to switch to an out-of-process iframe architecture for the PDF viewer. This makes it simpler to add new features to it according to Google.
  • Reactive prefetch on desktop. The feature speeds up navigations and the loading of pages by using a Google-owned service to predict resources that should be prefetched.
  • Tab Group support on iPad.
  • Starting in Chrome 126, Chrome starts to directly support accessibility client software that uses Microsoft Windows’s UI Automation accessibility framework.
  • Search any text or image using Google Lens.

Developers may want to check out the Chrome Status website for development related changes.

Have you tried Google Chrome recently?

Google

Latest Chrome 125 security update fixes 11 unique issues

Posted on by Martin Brinkmann

Google has released a new security update for its Chrome web browser for all supported platforms. The update patches 11 unique security issues in the browser. It comes days after an out-of-bounds security update for Chrome to address a 0-day security vulnerability.

While the issues do not appear to be exploited at the time of writing, it is recommended to update Chrome immediately.

This is done by loading chrome://settings/help in the browser’s address bar or selecting Menu > Help > About Google Chrome manually.

Chrome lists the installed version and will download a new version that it finds automatically on desktop systems.

Pro Tip: open a command prompt window on Windows and run winget upgrade google.chrome.exe to update Chrome without opening it.

Chrome should display one of the following versions after installation of the update:

  • Chrome for Mac or Windows: 125.0.6422.141 or 125.0.6422.142
  • Chrome for Linux: 125.0.6422.141
  • Chrome Extended Channel for Mac or Windows: 124.0.6367.243
  • Chrome for Android: 125.0.6422.146 or 125.0.6422.147

The security fixes

Google lists seven of the eleven security issues that it fixed in the Chrome update on the official releases site.

All seven have a severity rating of high. Google does not publish information about security issues that it discovered internally. The severity of the four unmentioned security issues is unknown as a consequence.

Here is what Google reveals about the listed security issues:

  • [$7000][339877165] High CVE-2024-5493: Heap buffer overflow in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2024-05-11
  • [TBD][338071106] High CVE-2024-5494: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [TBD][338103465] High CVE-2024-5495: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [TBD][338929744] High CVE-2024-5496: Use after free in Media Session. Reported by Cassidy Kim(@cassidy6564) on 2024-05-06
  • [TBD][339061099] High CVE-2024-5497: Out of bounds memory access in Keyboard Inputs. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2024-05-07
  • [TBD][339588211] High CVE-2024-5498: Use after free in Presentation API. Reported by anymous on 2024-05-09
  • [TBD][339877167] High CVE-2024-5499: Out of bounds write in Streams API. Reported by anonymous on 2024-05-11

The security issues affect several components of the browser, including APIs, keyboard inputs, media session, WebRTC, and Dawn. Dawn is an “open-source and cross-platform implementation of the WebGPU standard” according to Google Source.