Google Chrome 86 and Brave 1.13.82, Both Based On Chromium 86, Are Released With Security Enhancements And New Features
There are many security enhancements, new APIs, background tab resource-limits, new CSS rules and other goodies in Chromium 86 and browsers based on that web browser such as Chrome 86 and Brave 1.13.82. Chromium 86 is slightly slower on Linux machines with Intel processors and Intel graphics and marginally faster on machines with AMD processors and AMD graphics.
written by 윤채경 (Yoon Chae-kyung). published 2020-10-09 - last edited 2020-10-09
Google has released new versions of their Chrome and Chromium products and Brave has released a new version of the Brave Web Browser based on the latest Chromium. Microsoft has not yet released a Linux version of their Edge browser as they promised to do in in October (to be fair, there's still 20 days left).
Chromium 86 has 35 security bug-fixes, security and performance enhancements, some of which may be a bit annoying, and a lot of new features. Performance is about the same as it was in previous versions on machines with AMD processors and AMD graphics cards. It is, for some reason, worse on machines with Intel processors using integrated Intel graphics.
Google has released a new version of their Chrome web browser and the Chromium browser it is based on. Chromium is what is most interesting to GNU/Linux users as that's what GNU/Linux distributions include. Most distributions have not upgraded their Chromium builds to Chromium 86, which is understandable since building it takes everything from 10 to 40 hours depending on the machine you build it on.
Overall performance in Chromium 86 should be improved by a new resource limit for background tabs. A background tab is no longer allowed to use more than 1% of the CPU resources and it can only do that once a minute. Tabs are frozen if they are inactive for five minutes. There are two exceptions: Tabs playing video or other media content and tabs recording are exempt from this rule. There does not appear to be any way to make an exception, so this is something to be aware of if you rely on having a tab or two with some page that produces alarms when something is triggered. Only background tabs are affected so it is possible to work-around those kind of use-cases by putting such tabs in their own windows. Still, it would be nice if it was configurable.
Chromium 86 has a new, for now, experimental feature called "Back-forward cache" (called "bfcache"). This is currently disabled by default. This new feature can be enabled by typing
chrome://flags in to the address bar and
#back-forward-cache into the search box on that page (or just
back-). This new feature creates a special cache used by the back and forward buttons so the back button becomes instant. WebKit based web browsers have had this for some time but Chromium couldn't use the WebKit implementation due to it's multi-process nature. This is something you may want to enable if you tend to jump and and forth between pages using the back and forward buttons; it does seem to make a difference.
Number.prototype.toString is a whopping 75% faster. This doesn't seem to make any practical difference, but it's .. faster in micro-benchmarks.
Actual real-world performance, tested using Linux 5.9-rc8 and Mesa 20.2.0, is for whatever reason worse in Chromium 86 compared to previous versions if you are using a Intel machine with integrated Intel graphics. This may have to do with the many workarounds Google applies to the Intel GPU driver on a really broad and very general basis (These are now based on
isNvidia even though there's a big difference between Linux users using an older Mesa version with the i865 driver and a recent Mesa version with Intel Iris).
Performance on a test-system with a AMD Ryzen 2600 processor and a MSI RX 470 GPU showed a marginal improvements in browsers based on Chromium 86 compared to Chromium 85.
The Unity WebGL 2018 test shows marginally slower performance on a Intel CPU with Intel graphics while performance is slightly better on AMD CPU with AMD graphics. You can try the Unity WebGL 2018 test yourself if you want to compare how various browsers perform on your machine. The Mozilla Firefox results are always dismal in this particular test while all the browsers based on Chromium are typically within margin of error. It's interesting to note that the changes to Chromium 86 that make it slower on Intel affects Brave more than it affects Chrome.
The Basemark Web 3.0 test, available at web.basemark.com, shows a pretty clear performance-divergence between the AMD and Intel test systems with Chromium 86. Brave 1.5.72 is faster than 1.3.82 on AMD while it's notably slower on Intel, and the same is true for Chrome 86 vs Chromium 85. The South Korean NAVER whale browser, based on the much older Chromium 83, wins this test in both cases. Mozilla Firefox is barely trying with performance close to half of what the Chromium-based browsers provide.
The Principledtechnologies WebXPRT 3 test is one that favors Mozilla Firefox. The results from this test is a bit odd, it's the only one where the latest Brave Web Browser is notably slower than the previous version while Chrome 86 is faster than Chromium 85. It's interesting to note that this is the least graphics-intensive test of them all. Basemark Web makes heavy use of WebGL and the Unity WebGL 2018 test is a pure WebGL test. That may explain the difference.
Your numbers will obviously differ unless you run the tests on an identical machine. The following benchmark numbers aren't really all that important in terms of what they say about the hardware in question, what actually matters is the relative performance between the web browsers on a otherwise identical hardware and software platform.
Quite a few of the changes in Chromium (and Chrome) 86 are security-related. And we don't mean the 35 security fixes in this release. Chromium 86 adds protection against forms that are served over HTTPS with the form content being sent insecurely via HTTP. Some sites actually do it that way, either due to incompetence, neglect or shear stupidity. The protection against those kinds of insecure forms is three-fold:
- Chromium will now give a warning when a form served by HTTPS posts using HTTP
- Another warning is given when you try to submit a form that will POST over HTTP. That warning presents the choices or
- Auto-completion is disabled in mixed input forms
Earlier Chromium versions introduced a somewhat annoying security feature that blocks "unsafe" (meaning files served over HTTP) downloads of executable files. This "feature" has now been extended to include archives (zip files, ISO images, etc). "Unsafe" document downloads (PDF files, docx files, etc) results in a warning. Webmasters should take notice; this is a problem if you serve files over HTTP. It's also kind of annoying for end-users, Chromium 86 won't let you have that Linux ISO if it's served by HTTP.
Chromium 86 has a new
https:// part of web addresses since Chromium 76. One annoying side-effect of this is that if you copy and paste the address bar when it shows the address without the protocol is that you copy the shortened web address but you paste the full address. It's still possible to double-click on the address bar to get the full address shown like in previous versions.
Chromium 86 has a support for a new Native File System API that lets web pages request access to local files. Web applications have to ask for permission before they can use this functionality. This allows web applications to have menus with , and those kinds of things.
Chromium 86 adds support for the Document-Policy header which allows web developers to specify what browser features should and should not be allowed on a per-document basis. This goes beyond the Content-Security-Policy which allows web developers to limit the origin of resources used on a page. The Document-Policy lets web developers specify what those resources can do once they are loaded. This is good in many ways, but it does open the door for limiting what end-users can do with a document they've opened in Chromium. Keep in mind that Mozilla Firefox allows you to +RightClick and get the context menu even if a website prohibits that, Chromium and Chrome have no similar functionality.
A total of 35 security-related bugs have been fixed in this release.
Chromium 86 adds support for a special
.well-known/change-password URL webmasters can use to redirect users to a page can change their password (it's supposed to be a redirect, not a page with a link in it). Chromium will use this if to prompts users to change their password if it "detects" that a password has been compromised. How, concretely, it would detect this is unclear.
On the topic of passwords, Chromium 86 can let you edit your saved passwords if you go to
chrome://flags and enable a new
#edit-passwords-in-settings setting. The
Default is, for now, to hide this feature.
The words used in the Chromium 86 code-base have been changed to "inclusive" terminology. Words like "blacklist" and "whitelist" have been changed to "allowlist" and "blocklist". This isn't something anyone will notice because the user-facing strings where changed in a similar fashion in 2019.
Chrome/Chromium is gradually removing support for the FTP protocol. This is done gradually; 1% of those who install Chromium 86 won't be able to use FTP sites. Chromium 87 will increase that to 50% and nobody will be able to use Chromium to access FTP sites when Chromium 88 is released. It will, temporarily, be possible to keep the FTP protocol working by starting Chromium with
A new PointerEvents API v3 lets websites determine the tilt and angle of a stylus pen.
A new The Asynchronous Clipboard API adds support for copying and pasting HTML in addition to raw text. Perhaps GNU/Linux clip-board managers will get support for this in the future. Copying text from a HTML using the Parcellite clipboard manager works the same with Chromium 85 as it does with Chrome 86.
navigator.registerProtocolHandler() method will finally replace whitespaces with
%20 instead of
+. This is what other web browsers like Mozilla Firefox have been doing all along. Chrome/Chromium have been all alone in insisting that a whitespace is the same as a +.
- It's now possible to add CSS
flexparameters to the
displaystyle of a
- The ::marker pseudo-element can now be used to add custom colors, shapes and sizes to <ul> and <ol> list tags.
New Protocol Support
A lot of new protocol prefixes have been added to the
registerProtocolHandler(). Most of those related to de-centralized and digital currencies ( cabal, dat, did, dweb, ethereum, hyper, ipfs, ipns and ssb).
The Native File System API is not the only new API in Chromium 86. Several APIs have been added as special "Origin Trials". A "Origin Trial" API is one that's built in to the browser but limited to web pages coming from
::1). Web developers who run a web server on their own machine can play with those but they can't be deployed and used to serve anyone on the web. The new "Origin Trial" APIs are:
- A Cross-origin opener policy reporting API for reporting Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy violations
- A "Save Battery" meta-tag that allows Chromium to tell websites that the machine it is running on is low on battery. The idea is that websites can serve simpler less CPU (and battery) demanding content in such cases.
- A new Screen Information API "Adds multi-screen information APIs and extends window and fullscreen APIs for cross-screen placement". How many screens are connected and their resolution will totally not be used for web browser fingerprinting if this leaves the "Origin Trial" and becomes a standard feature.
- A new Credential Management API, proposed by Mozilla, lets users login to websites without passwords. Websites can use this API to get user information, public keys and those kinds of things.
Chromium 86 takes some first steps to replace the user-agent sent by web browsers with a new "User-Agent Client Hints" system system. Pay attention if you have a website where you serve different content based on what kind of device a visitor uses. The user-agent it sends is, for now, familiar:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
..but that will change in future versions. "User-Agent Client Hints" is a new standard where web browsers do not send all that information to web servers by default. The idea is to limit what web servers get to see to the name of the web browser, and that's it. Additional information can be requested, and the W3C "User-Agent Client Hints" draft lists a whole range standards for collecting all sorts of incriminating details about people's web browsers using this new standard. The big difference is that a web server will get the information shown above by default with today's User-Agent system while the new standard requires the web server to request that information. It will be interesting to see just how many of those "hints" will be configurable and how many will be mandatory. Chrome and Chromium 86 are, for now, sending the full User-agent like previous versions did. This versions adds support the new "User-Agent Client Hints" standard. That new standard will probably the only one you can rely on in future versions (Chrome 87 beta still sends
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.11 Safari/537.36", who knows what Chrome 88 will do).
The Chromium developers were debating only showing website domains instead of the full address during the development cycle. The result would have been an address bar showing
linuxreviews.org regardless of what actual page you were viewing (like
linuxreviews.org/News). That rather controversial proposal ended up with a comment by Emily Stark assuring that:
"Disable keyword elision for SimplifiedUrlDisplay field trial config
We are not planning to run the stable experiment with this enabled."
The push for this change is somehow motivated by phishing attacks; showing nothing but the domain name will, according to proponents of this idea, somehow make it easier to see if you're on the right domain or not. How, exactly, showing nothing but the domain would help is unclear; you can see the domain name at the start of a long URL as it is, cutting the URL off when the domain name ends doesn't help people who don't look at the address bar.
New GNU/Linux versions of Google Chrome and the Brave Web Browser based on Chromium 86 are available. Most distributions have not yet updated their Chromium packages to Chromium 86. That will change as soon as they've built and tested it. Most GNU/Linux distributions will have Chromium 86 available within days, not weeks. You can use the Google-branded Chrome, or the Brave Web Browser, if you want to use a Chromium 86 based browser right now. But you might as well wait. There is a lot of new features in Chromium 86, but there's nothing overly exciting and there's nothing that won't be there next week.