Lifehacker explains how vertical tabs free up header space and improve tab visibility, with step-by-step instructions to enable them in Chrome, Firefox, Edge, and Zen Browser, plus compact mode and tab-group tips.
Google rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, tying authentication sessions to hardware-backed keys (TPM on Windows, with macOS Secure Enclave support planned) so stolen cookies become useless; if a device lacks secure key storage, DBSC gracefully falls back to normal behavior. Early results show reduced session theft, and Google plans broader device support and enterprise integration while preserving privacy and avoiding cross-site tracking.
Google Chrome 146 on Windows adds Device Bound Session Credentials (DBSC), cryptographically linking a user’s session to the device’s hardware (TPM on Windows, Secure Enclave on macOS) so stolen session cookies can’t be exploited. New short-lived cookies require possession of the hardware-bound private key, otherwise they expire quickly. macOS support is planned for a future Chrome release. The DBSC protocol, developed with Microsoft and tested with partners like Okta, aims to reduce cookie theft while preserving privacy, with implementation guidance and W3C specs available for developers.
Google Chrome’s stable update introduces native vertical tabs on the left for easier tab management and more vertical screen space, plus a revamped full-page Reading Mode that removes ads and distractions for a cleaner reading experience; both features are rolling out today and can be enabled via the right-click menu after updating.
Chrome 147 Stable (Windows/macOS/Linux) introduces tighter Local Network Access restrictions—prompting for local WebSocket permissions and limiting WebTransport usage to the local network—alongside new features like the Web Printing API, CSS updates (border-shape, contrast-color), lazy-loading for audio/video, and promoting WebNN from trial to origin, plus WebXR-related enhancements.
Google says Android now leads mobile web performance, citing higher Speedometer scores and up to 47% faster LoadLine results versus non-Android platforms, with real-world gains of about 4–9% in page loads and interactions. The improvement is attributed to deep hardware-OS-Chrome integration and collaboration with SoC makers and OEMs to optimize Chrome and kernel scheduling.
Google released Chrome security updates to fix two high-severity zero-days exploited in the wild: CVE-2026-3909 (out-of-bounds write in Skia) and CVE-2026-3910 (V8 sandbox escape). Users should update to Chrome 146.0.7680.75/76 on Windows/macOS and 146.0.7680.75 on Linux; CISA added these flaws to the KEV catalog with a March 27, 2026 deadline for federal agencies.
Google released emergency Chrome updates to fix two high-severity zero-days actively exploited in the wild: CVE-2026-3909 (an out-of-bounds write in Skia) and CVE-2026-3910 (an issue in the V8 engine). Patches rolled out to Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux (146.0.7680.75) in the Stable channel, with automatic updates available. Google says exploits exist in the wild but will keep bug details restricted until most users are updated. These are the second and third Chrome zero-days exploited in 2026; Google previously fixed CVE-2026-2441 in February, and it paid over $17 million to 747 researchers through its VRP in 2025.
Researchers from Palo Alto Networks' Unit 42 disclosed a high-severity vulnerability (CVE-2026-0628) in Chrome's Gemini AI panel that could be exploited by a malicious extension to inject code with the panel’s elevated privileges, enabling silent camera and microphone access, local file theft, screenshots, and phishing. The flaw arises from how Chrome handles the declarativeNetRequest API for gemini.google.com; when loaded inside the Gemini panel it gains browser-level rights, unlike in a normal tab. Google patched the issue on January 5, 2026, so users should update Chrome immediately; organizations should apply the patch across endpoints to mitigate enterprise risk from trusted-panel attacks.
Google is moving Chrome’s release cadence from four weeks to two weeks, starting in September with Chrome 153; beta channels will also switch to a two‑week cycle, while Dev and Canary stay on their current cadence and Extended Stable for enterprises remains eight weeks, all to deliver faster performance improvements and easier debugging across desktop, Android, and iOS.
Security researchers disclosed a now-patched Chrome vulnerability, CVE-2026-0628, caused by weak WebView policy that could let a malicious extension inject code into the Gemini Live panel, enabling privilege escalation and access to local files, camera, microphone, and screenshots. The flaw affected Chrome versions prior to 143.0.7499.192/193 (Windows/macOS) and 143.0.7499.192 (Linux) and was fixed by Google in early January 2026. The incident underscores risks from AI-enabled browser components expanding the attack surface and the potential for abuse via extensions with basic permissions.
You can tailor Chrome's top toolbar by pinning frequently used extensions, rearranging icons, and using the toolbar customization panel to show or hide buttons like Home, Forward, Bookmarks, Reading List, History, Incognito, and Task Manager. You can also access quick features such as Google Lens search, QR code sharing, Reading Mode, and Copy Link directly from the toolbar. For broader changes, change Chrome's theme via Customize Chrome to apply different colors and backgrounds, with an option to revert to the default look.
Google outlined a plan to keep HTTPS secure in a post-quantum era by using Merkle Tree Certificates (MTCs) that compress quantum-resistant data into compact proofs. A certificate authority would sign a single Tree Head for potentially millions of certs, with browsers receiving a lightweight inclusion proof instead of bulky post-quantum material (roughly 2.5 KB today vs. 64 bytes). Public transparency logs help prevent rogue certs, and Chrome has already started implementing MTCs, with Cloudflare piloting about 1,000 TLS certs while CAs prepare to adopt the system. An IETF working group on PKI, Logs, and Tree Signatures is coordinating the standards work for the long term, aiming to accelerate post-quantum resilience without slowing handshake times.
Google released an emergency Chrome patch to fix CVE-2026-2441, a use-after-free in CSS font rendering that was exploited in the wild; the fix was backported to stable builds on Windows, macOS and Linux, and users are urged to update immediately as more patches could follow.
Google released emergency Chrome updates to fix CVE-2026-2441—a use-after-free in CSSFontFeatureValuesMap exploited in the wild—marking Chrome’s first zero-day patch of 2026; the fix has been backported across commits and is rolling out to Windows, macOS (145.0.7632.75/76), and Linux (144.0.7559.75), with a note that related issues remain addressed in bug 48393607. Users should update Chrome or enable auto-update.