Chrome 80 has been released on the stable version of the browser across Windows, macOS, Linux, Chrome OS, iOS and Android. With it comes a slew of updates, bug fixes and changes to how cookies work – like breaking the internet a little bit.
Here’s everything you need to know.
Chrome 80 Cross Site Tracking Cookies
The biggest change to Chrome is the prevention of across-site tracking. These cookies basically manage user sessions and can also be used to track users across sites if they aren’t given SameSite attribution – this is when the browser can only access the cookies if the URl matches that in the address bar, or if a site utilises “safe HTTP methods.”
The problem is that they have has significant security vulnerabilities that can be exploited to grab user accounts or steal money digitally.
As a result, Chrome is now cracking down on this by offering “a new secure-by-default cookie classification system.” Developers will need to actually set up SameSite variables for their cookies. If they don’t, the cookies will be set to secure by default, which is a big issue and could cause breakages for sites that utilise cross-site tracking such as online retailers/
Developers still have a little time to get on board, though. Google has said that the new cookie crackdown won’t be released until later in the month as a gradual roll out.
Chrome 80 Auto Upgrading Mixed Content
While we’re on the subject of security and privacy, Chrome 80 will also auto upgrade mixed content (HTTP content on HTTPS sites) by changing the URL to HTTPS, as opposed to blocking the content altogether.
This will only impact audio and video content – mixed images will still load but the omnibox will marl the site as ‘note secure’. Developers can avoid this warning by using the ‘upgrade-insecure-request’s or ‘block-all-mixed-content’ Content Security Policy directives.
Last year the Chromium blog explained why encouraging developers to move to HTTPS sites is important for security:
“For example, an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between.”
Other Chrome 80 updates for users
Chrome 80 also brings some other changes, such as:
- Quieter notifications
- Support for SVG images as favicons
- Contact Picker API
- Content indexing API
Chrome 80 updates for developers
And here’s whats new for devs:
- Support for let and class redeclarations in the Console
- Improved WebAssembly debugging
- Network panel updates
- Highlight the selected network request in the OverviewURL and path columns in the Network panel
- Updated User-Agent strings
- Audits panel update – new configuration UI
- Coverage tab updates – per-function or per-block coverage modes and Coverage must now be initiated by a page reload
You can grab more details from here.
Chrome 80 Security Vulnerability Fixes
56 security vulnerabilities submitted by external researchers were also fixed in Chrome 80:
- High CVE-2019-18197: Multiple vulnerabilities in XML. Reported by BlackBerry Security Incident Response Team on 2019-11-01
- High CVE-2019-19926: Inappropriate implementation in SQLite. Reported by Richard Lorenz, SAP on 2020-01-16
- High CVE-2020-6385: Insufficient policy enforcement in storage. Reported by Sergei Glazunov of Google Project Zero on 2019-12-18
- High CVE-2019-19880, CVE-2019-19925: Multiple vulnerabilities in SQLite. Reported by Richard Lorenz, SAP on 2020-01-03
- High CVE-2020-6387: Out of bounds write in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-01-16
- High CVE-2020-6388: Out of bounds memory access in WebAudio. Reported by Sergei Glazunov of Google Project Zero on 2020-01-16
- High CVE-2020-6389: Out of bounds write in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-01-16
- High CVE-2020-6390: Out of bounds memory access in streams. Reported by Sergei Glazunov of Google Project Zero on 2020-01-27
- Medium CVE-2020-6391: Insufficient validation of untrusted input in Blink. Reported by MichaÅ‚ Bentkowski of Securitum on 2019-10-24
- Medium CVE-2020-6392: Insufficient policy enforcement in extensions. Reported by Microsoft Edge Team on 2019-12-03
- Medium CVE-2020-6393: Insufficient policy enforcement in Blink. Reported by Mark Amery on 2019-12-17
- Medium CVE-2020-6394: Insufficient policy enforcement in Blink. Reported by Phil Freo on 2019-10-15
- Medium CVE-2020-6396: Inappropriate implementation in Skia. Reported by William Luc Ritchie on 2019-12-18
- Medium CVE-2020-6397: Incorrect security UI in sharing. Reported by Khalil Zhani on 2019-11-22
- Medium CVE-2020-6398: Uninitialized use in PDFium. Reported by pdknsk on 2019-12-09
- Medium CVE-2020-6399: Insufficient policy enforcement in AppCache. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
- Medium CVE-2020-6400: Inappropriate implementation in CORS. Reported by Takashi Yoneuchi (@y0n3uchy) on 2019-12-27
- Medium CVE-2020-6401: Insufficient validation of untrusted input in Omnibox. Reported by Tzachy Horesh on 2019-10-24
- Medium CVE-2020-6402: Insufficient policy enforcement in downloads. Reported by Vladimir Metnew (@vladimir_metnew) on 2019-11-28
- Medium CVE-2020-6403: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-09-19
- Medium CVE-2020-6404: Inappropriate implementation in Blink. Reported by kanchi on 2019-11-13
- Medium CVE-2020-6405: Out of bounds read in SQLite. Reported by Yongheng Chen(Ne0) & Rui Zhong(zr33) on 2020-01-15
- Medium CVE-2020-6406: Use after free in audio. Reported by Sergei Glazunov of Google Project Zero on 2020-01-15
- Medium CVE-2019-19923: Out of bounds memory access in SQLite. Reported by Richard Lorenz, SAP on 2020-01-16
- Low CVE-2020-6408: Insufficient policy enforcement in CORS. Reported by Zhong Zhaochen of andsecurity.cn on 2019-11-20
- Low CVE-2020-6409: Inappropriate implementation in Omnibox. Reported by Divagar S and Bharathi V from Karya Technologies on 2019-12-26
- Low CVE-2020-6410: Insufficient policy enforcement in navigation. Reported by evi1m0 of Bilibili Security Team on 2018-09-07
- Low CVE-2020-6411: Insufficient validation of untrusted input in Omnibox. Reported by Khalil Zhani on 2019-02-07
- Low CVE-2020-6412: Insufficient validation of untrusted input in Omnibox. Reported by Zihan Zheng (@zzh1996) of University of Science and Technology of China on 2019-05-30
- Low CVE-2020-6413: Inappropriate implementation in Blink. Reported by MichaÅ‚ Bentkowski of Securitum on 2019-09-19
- Low CVE-2020-6414: Insufficient policy enforcement in Safe Browsing. Reported by Lijo A.T on 2019-11-06
- Low CVE-2020-6416: Insufficient data validation in streams. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2019-12-08
- Low CVE-2020-6417: Inappropriate implementation in installer. Reported by Renato “Wrath” Moraes and Altieres “FallenHawk” Rohr on 2019-12-13
How to upgrade to Chrome 80
You can upgrade now on desktop by going to Settings – Help – About Google Chrome. It will automatically scan for updates and install if its ready. If you’re using Android or an iOS you can get the update via the app store.