Google Chrome 86 and Brave 1.13.82, Both Based On Chromium 86, Are Released With Security Enhancements And New Features

There are many security enhancements, new APIs, background tab resource-limits, new CSS rules and other goodies in Chromium 86 and browsers based on that web browser such as Chrome 86 and Brave 1.13.82. Chromium 86 is slightly slower on Linux machines with Intel processors and Intel graphics and marginally faster on machines with AMD processors and AMD graphics.

written by 윤채경 (Yoon Chae-kyung)  2020-10-09 - last edited 2020-10-09. © CC BY

Google Chrome 86 running the Unity WebGL 2018 benchmark.

Google has released new versions of their Chrome and Chromium products and Brave has released a new version of the Brave Web Browser based on the latest Chromium. Microsoft has not yet released a Linux version of their Edge browser as they promised to do in in October (to be fair, there's still 20 days left).

Chromium 86 has 35 security bug-fixes, security and performance enhancements, some of which may be a bit annoying, and a lot of new features. Performance is about the same as it was in previous versions on machines with AMD processors and AMD graphics cards. It is, for some reason, worse on machines with Intel processors using integrated Intel graphics.

Google has released a new version of their Chrome web browser and the Chromium browser it is based on. Chromium is what is most interesting to GNU/Linux users as that's what GNU/Linux distributions include. Most distributions have not upgraded their Chromium builds to Chromium 86, which is understandable since building it takes everything from 10 to 40 hours depending on the machine you build it on.

Performance[edit]

Overall performance in Chromium 86 should be improved by a new resource limit for background tabs. A background tab is no longer allowed to use more than 1% of the CPU resources and it can only do that once a minute. Tabs are frozen if they are inactive for five minutes. There are two exceptions: Tabs playing video or other media content and tabs recording are exempt from this rule. There does not appear to be any way to make an exception, so this is something to be aware of if you rely on having a tab or two with some page that produces alarms when something is triggered. Only background tabs are affected so it is possible to work-around those kind of use-cases by putting such tabs in their own windows. Still, it would be nice if it was configurable.

Chromium 86 has a new, for now, experimental feature called "Back-forward cache" (called "bfcache"). This is currently disabled by default. This new feature can be enabled by typing chrome://flags in to the address bar and #back-forward-cache into the search box on that page (or just back-). This new feature creates a special cache used by the back and forward buttons so the back button becomes instant. WebKit based web browsers have had this for some time but Chromium couldn't use the WebKit implementation due to it's multi-process nature. This is something you may want to enable if you tend to jump and and forth between pages using the back and forward buttons; it does seem to make a difference.

Chromium 86 has bumped the V8 JavaScript engine to version v8.6. The release notes story is that Number.prototype.toString is a whopping 75% faster. This doesn't seem to make any practical difference, but it's .. faster in micro-benchmarks.

Actual real-world performance, tested using Linux 5.9-rc8 and Mesa 20.2.0, is for whatever reason worse in Chromium 86 compared to previous versions if you are using a Intel machine with integrated Intel graphics. This may have to do with the many workarounds Google applies to the Intel GPU driver on a really broad and very general basis (These are now based on isIntel or isAMD or isNvidia even though there's a big difference between Linux users using an older Mesa version with the i865 driver and a recent Mesa version with Intel Iris).

Performance on a test-system with a AMD Ryzen 2600 processor and a MSI RX 470 GPU showed a marginal improvements in browsers based on Chromium 86 compared to Chromium 85.

The Unity WebGL 2018 test shows marginally slower performance on a Intel CPU with Intel graphics while performance is slightly better on AMD CPU with AMD graphics. You can try the Unity WebGL 2018 test yourself if you want to compare how various browsers perform on your machine. The Mozilla Firefox results are always dismal in this particular test while all the browsers based on Chromium are typically within margin of error. It's interesting to note that the changes to Chromium 86 that make it slower on Intel affects Brave more than it affects Chrome.

The Basemark Web 3.0 test, available at web.basemark.com, shows a pretty clear performance-divergence between the AMD and Intel test systems with Chromium 86. Brave 1.5.72 is faster than 1.3.82 on AMD while it's notably slower on Intel, and the same is true for Chrome 86 vs Chromium 85. The South Korean NAVER whale browser, based on the much older Chromium 83, wins this test in both cases. Mozilla Firefox is barely trying with performance close to half of what the Chromium-based browsers provide.

The Principledtechnologies WebXPRT 3 test is one that favors Mozilla Firefox. The results from this test is a bit odd, it's the only one where the latest Brave Web Browser is notably slower than the previous version while Chrome 86 is faster than Chromium 85. It's interesting to note that this is the least graphics-intensive test of them all. Basemark Web makes heavy use of WebGL and the Unity WebGL 2018 test is a pure WebGL test. That may explain the difference.

Your numbers will obviously differ unless you run the tests on an identical machine. The following benchmark numbers aren't really all that important in terms of what they say about the hardware in question, what actually matters is the relative performance between the web browsers on a otherwise identical hardware and software platform.

Security Enhancements[edit]

Quite a few of the changes in Chromium (and Chrome) 86 are security-related. And we don't mean the 35 security fixes in this release. Chromium 86 adds protection against forms that are served over HTTPS with the form content being sent insecurely via HTTP. Some sites actually do it that way, either due to incompetence, neglect or shear stupidity. The protection against those kinds of insecure forms is three-fold:

• Chromium will now give a warning when a form served by HTTPS posts using HTTP
• Another warning is given when you try to submit a form that will POST over HTTP. That warning presents the choices Send anyway or Go back
• Auto-completion is disabled in mixed input forms

Earlier Chromium versions introduced a somewhat annoying security feature that blocks "unsafe" (meaning files served over HTTP) downloads of executable files. This "feature" has now been extended to include archives (zip files, ISO images, etc). "Unsafe" document downloads (PDF files, docx files, etc) results in a warning. Webmasters should take notice; this is a problem if you serve files over HTTP. It's also kind of annoying for end-users, Chromium 86 won't let you have that Linux ISO if it's served by HTTP.

Chromium 86 has a new Always show full URLs option in the context menu that appears if you right-click the address bar or press the ≣ Menu key when it's in focus. Chrome and Chromium have been hiding the https:// part of web addresses since Chromium 76. One annoying side-effect of this is that if you copy and paste the address bar when it shows the address without the protocol is that you copy the shortened web address but you paste the full address. It's still possible to double-click on the address bar to get the full address shown like in previous versions.

Native File System API in action in Chrome 86.

Chromium 86 has a support for a new Native File System API that lets web pages request access to local files. Web applications have to ask for permission before they can use this functionality. This allows web applications to have menus with Open file, Save as.. and those kinds of things.

Chromium 86 adds support for the Document-Policy header which allows web developers to specify what browser features should and should not be allowed on a per-document basis. This goes beyond the Content-Security-Policy which allows web developers to limit the origin of resources used on a page. The Document-Policy lets web developers specify what those resources can do once they are loaded. This is good in many ways, but it does open the door for limiting what end-users can do with a document they've opened in Chromium. Keep in mind that Mozilla Firefox allows you to Shift+RightClick and get the context menu even if a website prohibits that, Chromium and Chrome have no similar functionality.

A total of 35 security-related bugs have been fixed in this release.

Editable Passwords[edit]

Chromium 86 adds support for a special .well-known/change-password URL webmasters can use to redirect users to a page can change their password (it's supposed to be a redirect, not a page with a link in it). Chromium will use this if to prompts users to change their password if it "detects" that a password has been compromised. How, concretely, it would detect this is unclear.

On the topic of passwords, Chromium 86 can let you edit your saved passwords if you go to chrome://flags and enable a new #edit-passwords-in-settings setting. The Default is, for now, to hide this feature.

The words used in the Chromium 86 code-base have been changed to "inclusive" terminology. Words like "blacklist" and "whitelist" have been changed to "allowlist" and "blocklist". This isn't something anyone will notice because the user-facing strings where changed in a similar fashion in 2019.

Goodbye FTP[edit]

Chrome/Chromium is gradually removing support for the FTP protocol. This is done gradually; 1% of those who install Chromium 86 won't be able to use FTP sites. Chromium 87 will increase that to 50% and nobody will be able to use Chromium to access FTP sites when Chromium 88 is released. It will, temporarily, be possible to keep the FTP protocol working by starting Chromium with --enable-ftp or --enable-features=FtpProtocol".

New APIs[edit]

A new PointerEvents API v3 lets websites determine the tilt and angle of a stylus pen.

A new The Asynchronous Clipboard API adds support for copying and pasting HTML in addition to raw text. Perhaps GNU/Linux clip-board managers will get support for this in the future. Copying text from a HTML using the Parcellite clipboard manager works the same with Chromium 85 as it does with Chrome 86.

Behavioral Changes[edit]

The navigator.registerProtocolHandler() method will finally replace whitespaces with %20 instead of +. This is what other web browsers like Mozilla Firefox have been doing all along. Chrome/Chromium have been all alone in insisting that a whitespace is the same as a +.

New CSS[edit]

• It's now possible to add CSS inline-grid, grid, inline-flex and flex parameters to the display style of a <fieldset> tag.
• The ::marker pseudo-element can now be used to add custom colors, shapes and sizes to <ul> and <ol> list tags.

New Protocol Support[edit]

A lot of new protocol prefixes have been added to the registerProtocolHandler(). Most of those related to de-centralized and digital currencies ( cabal, dat, did, dweb, ethereum, hyper, ipfs, ipns and ssb).

Experimental Features[edit]

The Native File System API is not the only new API in Chromium 86. Several APIs have been added as special "Origin Trials". A "Origin Trial" API is one that's built in to the browser but limited to web pages coming from localhost (127.0.0.1 or ::1). Web developers who run a web server on their own machine can play with those but they can't be deployed and used to serve anyone on the web. The new "Origin Trial" APIs are:

• A Cross-origin opener policy reporting API for reporting Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy violations
• A new WebHID API for low-level access to Human Interface Devices. This is a pretty interesting one. This API allows websites to serve JavaScript device drivers for gamepads, keyboards, mice and other devices to end-users browsers. It's kind of neat, but also kind of scary. Rare game-pads seem to be the primary use-case (remember, Google has a gaming on demand service called Stadia).
• A "Save Battery" meta-tag that allows Chromium to tell websites that the machine it is running on is low on battery. The idea is that websites can serve simpler less CPU (and battery) demanding content in such cases.
• A new Screen Information API "Adds multi-screen information APIs and extends window and fullscreen APIs for cross-screen placement". How many screens are connected and their resolution will totally not be used for web browser fingerprinting if this leaves the "Origin Trial" and becomes a standard feature.
• A new Credential Management API, proposed by Mozilla, lets users login to websites without passwords. Websites can use this API to get user information, public keys and those kinds of things.

Bye-Bye User-agent[edit]

Chromium 86 takes some first steps to replace the user-agent sent by web browsers with a new "User-Agent Client Hints" system system. Pay attention if you have a website where you serve different content based on what kind of device a visitor uses. The user-agent it sends is, for now, familiar:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36

..but that will change in future versions. "User-Agent Client Hints" is a new standard where web browsers do not send all that information to web servers by default. The idea is to limit what web servers get to see to the name of the web browser, and that's it. Additional information can be requested, and the W3C "User-Agent Client Hints" draft lists a whole range standards for collecting all sorts of incriminating details about people's web browsers using this new standard. The big difference is that a web server will get the information shown above by default with today's User-Agent system while the new standard requires the web server to request that information. It will be interesting to see just how many of those "hints" will be configurable and how many will be mandatory. Chrome and Chromium 86 are, for now, sending the full User-agent like previous versions did. This versions adds support the new "User-Agent Client Hints" standard. That new standard will probably the only one you can rely on in future versions (Chrome 87 beta still sends Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.11 Safari/537.36", who knows what Chrome 88 will do).

Rejected Ideas[edit]

The Chromium developers were debating only showing website domains instead of the full address during the development cycle. The result would have been an address bar showing linuxreviews.org regardless of what actual page you were viewing (like linuxreviews.org/News). That rather controversial proposal ended up with a comment by Emily Stark assuring that:

The push for this change is somehow motivated by phishing attacks; showing nothing but the domain name will, according to proponents of this idea, somehow make it easier to see if you're on the right domain or not. How, exactly, showing nothing but the domain would help is unclear; you can see the domain name at the start of a long URL as it is, cutting the URL off when the domain name ends doesn't help people who don't look at the address bar.

Availability[edit]

New GNU/Linux versions of Google Chrome and the Brave Web Browser based on Chromium 86 are available. Most distributions have not yet updated their Chromium packages to Chromium 86. That will change as soon as they've built and tested it. Most GNU/Linux distributions will have Chromium 86 available within days, not weeks. You can use the Google-branded Chrome, or the Brave Web Browser, if you want to use a Chromium 86 based browser right now. But you might as well wait. There is a lot of new features in Chromium 86, but there's nothing overly exciting and there's nothing that won't be there next week.

3.67

(3 votes)