Following in Mozilla's footsteps, Google announced today plans to hide notification popup prompts inside Chrome starting next month, February 2020. ZDNet reports: According to a blog post published today, Google plans to roll out a "quieter notification permission UI that reduces the interruptiveness of notification permission requests." The change is scheduled for Google Chrome 80, scheduled for release on February 4, next month.

Starting with Chrome 80 next month, Google's browser will also block most notification popups by default, and show an icon in the URL bar, similar to Firefox. When Chrome 80 launches next month, a new option will be added in the Chrome settings section that allows users to enroll in the new "quieter notification UI." Users can enable this option as soon as Chrome 80 is released, or they can wait for Google to enable it by default as the feature rolls out to the wider Chrome userbase in the following weeks. According to Google, the new feature works by hiding notification requests for Chrome users who regularly dismiss notification prompts. Furthermore, Chrome will also automatically block notification prompts on sites where users rarely accept notifications.

Speaking of Chromebooks, David Ruddock, opines at AndroidPolice: Chrome OS' problems really became apparent to me when Android app compatibility was introduced, around five years ago. Getting Android apps to run on Chrome OS was simultaneously one of the Chrome team's greatest achievements and one of its worst mistakes. In 2019, two things are more obvious than ever about the Android app situation on Chrome. The first is that the "build it and they will come" mantra never panned out. Developers never created an appreciable number of Android app experiences designed for Chrome (just as they never did for Android tablets). The second is that, quite frankly, Android apps are very bad on Chrome OS. Performance is highly variable, and interface bugs are basically unending because most of those apps were never designed for a point-and-click operating system. Sure, they crash less often than they did in the early days, but anyone saying that Android apps on Chrome OS are a good experience is delusional.

Those apps are also a crutch that Chrome leans on to this day. Chrome OS doesn't have a robust photo editor? Don't worry, you can download an app! Chrome doesn't have native integration with cloud file services like Box, Dropbox, or OneDrive? Just download the app! Chrome doesn't have Microsoft Office? App! But this "solution" has basically become an insult to Chrome's users, forcing them to live inside a half-baked Android environment using apps that were almost exclusively designed for 6" touchscreens, and which exist in a containerized state that effectively firewalls them from much of the Chrome operating system. As a result, file handling is a nightmare, with only a very limited number of folders accessible to those applications, and the task of finding them from inside those apps a labyrinthine exercise no one should have to endure in 2019. This isn't a tenable state of affairs -- it's computing barbarism as far as I'm concerned. And yet, I've seen zero evidence that the Chrome team intends to fix it. It's just how it is. But Android apps, so far as I can tell, are basically the plan for Chrome. Certainly, Linux environment support is great for enthusiasts and developers, but there are very few commonly-used commercial applications available on Linux, with no sign that will change in the near future. It's another dead end. And if you want an even more depressing picture of Chrome's content ecosystem, just look at the pitiable situation with web apps.

An anonymous reader shares a report: The Samsung Galaxy Chromebook is one of the nicest pieces of laptop hardware I've touched in a very long time. Not since Google's 2017 Pixelbook has there been a ChromeOS device this good looking, this powerful, or -- here's the rub -- this expensive. Available sometime in the first quarter, the Galaxy Chromebook starts at $999 and could go much higher if you fully upgrade its RAM and storage. The central conceit of this laptop is that there really is demand for a high-end Chromebook, and while that may be more true in 2020 than it was in 2017, it's not a sure thing. Chrome OS still has a nagging inability to do some of the things you'd want a device that costs more than a thousand dollars to do: run full desktop apps, easily edit photos and video, or play more premium games.

Despite those limitations, Google and Samsung are looking for ways to get Chromebooks to escape the classroom and start appearing in boardrooms. The Galaxy Chromebook could be part of a revitalized effort to do just that. Running down the specs of the Galaxy Chromebook is like hitting a laundry list of the things you might want in a top-tier Windows ultrabook. It has a 13.3-inch 4K AMOLED display and an Intel 10th-gen Core-i5 Processor. There's a fingerprint sensor for unlocking, two USB-C ports, and expandable storage via microSD. The screen rotates 360-degrees and there's an included S-Pen stylus that can be stored in a silo on the device itself. It's built out of aluminum instead of plastic, has a large trackpad, and is less than 10mm thick.

Google Chrome will get support for error codes, similar to the ones seen on Windows blue screen of death (BSOD) crash pages. From a report: The idea is to provide Chrome users with a code they can search online and find debugging help for various types of crashes. Work on this new feature started in November last year, and the error codes are already under testing in current Chrome Canary (v81) releases. The error codes will appear on the so-called "sad tab" page, also known as the "Aw, Snap!" page, which Chrome displays when a tab crashes.

A Google Chrome extension was caught injecting JavaScript code on web pages to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals. From a report: The extension is named Shitcoin Wallet (Chrome extension ID: ckkgmccefffnbbalkmbbgebbojjogffn), and was launched last month, on December 9. According to an introductory blog post, Shitcoin Wallet lets users manage Ether (ETH) coins, but also Ethereum ERC20-based tokens -- tokens usually issued for ICOs (initial coin offerings). Users can install the Chrome extension and manage ETH coins and ERC20 tokens from within their browser, or they can install a Windows desktop app, if they want to manage their funds from outside a browser's riskier environment. However, the wallet app wasn't what it promised to be. Yesterday, Harry Denley, Director of Security at the MyCrypto platform, discovered that the extension contained malicious code. According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC0-based tokens) managed directly inside the extension are at risk.

An anonymous reader quotes a report from ZDNet: A new set of SQLite vulnerabilities can allow attackers to remotely run malicious code inside Google Chrome, the world's most popular web browser. The vulnerabilities, five, in total, are named "Magellan 2.0," and were disclosed today by the Tencent Blade security team. All apps that use an SQLite database are vulnerable to Magellan 2.0; however, the danger of "remote exploitation" is smaller than the one in Chrome, where a feature called the WebSQL API exposes Chrome users to remote attacks, by default.

Just like the original Magellan vulnerabilities, these new variations are caused by improper input validation in SQL commands the SQLite database receives from a third-party. An attacker can craft an SQL operation that contains malicious code. When the SQLite database engine reads this SQLite operation, it can perform commands on behalf of the attacker. In a security advisory published today, the Tencent Blade team says the Magellan 2.0 flaws can lead to "remote code execution, leaking program memory or causing program crashes." All apps that use an SQLite database to store data are vulnerable, although, the vector for "remote attacks over the internet" is not exploitable by default. To be exploitable, the app must allow direct input of raw SQL commands, something that very few apps allow. Thankfully, Google patched all five Magellan 2.0 vulnerabilities in Google Chrome 79.0.3945.79, released two weeks ago.

The SQLite project also fixed the bugs in a series of patches on December 13, 2019; however, these fixes have not been included in a stable SQLite branch -- which remains v3.30.1, released on December 10.

Because some internet websites unfairly block browsers from accessing their services, starting with Vivaldi 2.10, released today, the Vivaldi browser plans to disguise itself as Chrome to allow users to access websites that unfairly block them. From a report: Vivaldi will do this by modifying its default user-agent (UA) string to the UA string used by Chrome. A UA string is a piece of text that browsers send to websites when they initiate a connection. The UA String contains data about the browser type, rendering engine, and operating system. For example, a UA string for Firefox on Windows looks like this: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0. UA strings have been in use since the 90s. For decades, websites have used UA agent strings to fine-tune performance and features or block outdated browsers. However, many website owners these days use UA strings to block users from accessing their sites. Some do it because they're not willing to deal with browser-specific bugs, some do it because of pettiness, while big tech companies like Google and Microsoft have done it (and continue to do it) to sabotage competitors on the browser market.

An anonymous reader quotes a report from Ars Technica: Another former employee has accused Google of violating federal labor law by firing her for activities related to labor organizing. In a Tuesday blog post, Kathryn Spiers says Google terminated her after she created a browser tool to notify employees of their organizing rights. Spiers says she worked on a Google security team that was focused on how Google employees used Chrome within the company. Part of her job was to "write browser notifications so that my coworkers can be automatically notified of employee guidelines and company policies while they surf the Web."

So when Google hired a consulting company known for its anti-union work, Spiers wrote a notification that would appear whenever Google employees visited the firm's website. The notification stated that "Googlers have the right to participate in protected concerted activities." That's a legal term of art for worker organizing efforts. It also included a link to the worker rights notification mandated by the NLRB settlement. Google responded swiftly and harshly, according to Spiers. She was suspended from her job pending an investigation. Spiers writes that Google officials "dragged me into three separate interrogations with very little warning each time. I was interrogated about separate other organizing activities, and asked (eight times) if I had an intention to disrupt the workplace." She says she wasn't allowed to consult with a lawyer. Two weeks later, on December 13, Spiers was fired. She was told that she had violated Google's policies but couldn't get more details about which policies she had violated. In an email shared with several media outlets, Google executive Royal Hansen said: "[Spiers] misused a security and privacy tool to create a pop-up that was neither about security nor privacy. She did that without authorization from her team or the Security and Privacy Policy Notifier team, and without a business justification. And she used an emergency rapid push to do it."

Hansen argued that the firing had nothing to do with the content of the message. "The decision would have been the same had the pop-up message been on any other subject," he argued.

Microsoft's new Chromium-based Edge browser is now open to developers to submit extensions. The updated version of Edge is set to launch on January 15. From a report: Microsoft says that if a developer has already created an extension for Google Chrome, there shouldn't be any additional work to port it over to Edge Chromium. The browser will be the new default delivered to all 900 million Windows 10 users, so developers should have no reason not to port their extensions over.

Microsoft quietly released some new documentation recently, detailing how the company plans to launch its new Chrome-based Microsoft Edge browser. From a report: The company has been working on this new browser for a little while, and we are less than a month away from the public release. [...] The changes here are pretty obvious, but it is still important to understand exactly how Microsoft is going to replace the older Edge browser on a technical level. Microsoft says it has already made changes to Windows 10 and the older Edge browser to support the migration.

All start menu pins, tiles, and shortcuts for the current version of Microsoft Edge will migrate to the next version of Microsoft Edge.
All taskbar pins and shortcuts for the current version of Microsoft Edge will migrate to the next version of Microsoft Edge.
The next version of Microsoft Edge will be pinned to the taskbar. If the current version of Microsoft Edge is already pinned, it will be replaced.
The next version of Microsoft Edge will add a shortcut to the desktop. If the current version of Microsoft Edge already has a shortcut, it will be replaced.
Most protocols that Microsoft Edge handles by default will be migrated to the next version of Microsoft Edge.
Current Microsoft Edge will be hidden from all UX surfaces in the OS, including settings, all apps, and any file or protocol support dialogs.
All attempts to launch the current version of Microsoft Edge will redirect to the next version of Microsoft Edge.

Android Authority argues that the new Microsoft Chromium Edge browser "is full of neat tricks" and "packs more features than Firefox": The final major feature is called Apps. Essentially, Apps allows you to download and install web pages and web apps for use without the Edge browser. Previously, you had to find these dedicated web apps via the Microsoft Store, but now Edge handles downloading and managing web apps all in the browser. For example, you can download the Twitter web app via Edge just by visiting the Twitter website and clicking "install this site as an app" from the settings menu. Once installed, you can run the webpage as an app directly from your desktop, taskbar, or start menu like any other piece of software. It's like saving links only better, as some web apps can run offline too. Alternatively, you can install the Android Authority webpage and run it as an app to catch up with the latest news without having to boot up Edge each time. It's pretty neat and something that I intend to use more often.

Overall, Edge offers everything you'll want in a web browser and more. Microsoft finally feels on the cutting edge of the internet.
The browser does have a smaller range of supported extensions, but you can also manually install Chrome extensions, according to the article. It adds that Microsoft Edge Chromium "typically uses just 70 to 75 percent of the RAM required by Chrome [and] is even more lightweight than Firefox."

And while acknowledging that Microsoft's Windows 10 "has its share" of telemetry issues, the article adds that "at no point during my couple of weeks with Edge have I noticed it thrashing my hard drive.

"Chrome has a habit of scanning various files on my computer, despite opting out of all the available data sharing options. This isn't great for system performance and raises obvious security questions."

An anonymous reader quotes Mike Melanson's "This Week in Programming" column: WebAssembly is a binary instruction format for a stack-based virtual machine and this week, the World Wide Web Consortium (W3C) dubbed it an official web standard and the fourth language for the Web that allows code to run in the browser, joining HTML, CSS and JavaScript... With this week's news, WebAssembly has officially reached version 1.0 and is supported in the browser engines for Firefox, Chrome, Safari, and Internet Explorer, and the Bytecode Alliance launched last month to help ensure "a WebAssembly ecosystem that is secure by default" and for bringing WebAssembly to outside-the-browser use.

Of course, not everything is 100% rosy. As pointed out by an article in The Register, WebAssembly also brings with it an increased level of obfuscation of what exactly is going on, giving it an increased ability to perform some surreptitious actions. For example, they cite one study that "found 'over 50 percent of all sites using WebAssembly apply it for malicious deeds, such as [crypto] mining and obfuscation.'" Nonetheless, with WebAssembly gaining this designation by W3C, it is, indeed, time to pay closer attention to the newly nominated Web language standard.

Chrome 79 is creating an issue with WebView (the Android component that allows apps to display content from the web), reports 9to5Google: On Friday morning, Android developers reliant on WebView and local storage began encountering an issue where their apps lost data after users updated to version 79 of WebView. Those affected took to Chromium's bug tracker, and have described the incident as a "catastrophe" and "major issue." To end users, it's as if apps were entirely reset and just downloaded for the first time. This includes saved data disappearing or being logged out. Given the level of system opacity, most will blame developers for a problem that's out of their hands.

By that afternoon, Google engineers responded and isolated the issue to "profile layout changes" where "local storage was missed off the list of files migrated." A member of the Chromium team apologized Saturday morning, with the Chrome/WebView rollout halted after 50% of devices already received the update. At the highest priority level (P0), Google is currently "working on a solution that minimizes the data loss, and that can be rolled out safely." The last guidance for a patch is 5-7 days.

Google is rolling out Chrome 79, and it includes a number of password protection improvements. The Verge reports: The biggest addition is that Chrome will now warn you when your password has been stolen as part of a data breach. Google has been warning about reused passwords in a separate browser extension or in its password checkup tool, but the company is now baking this directly into Chrome to provide warnings as you log in to sites on the web.

You can control this new functionality in the sync settings in Chrome, and Google is using strongly hashed and encrypted copies of passwords to match them using multiple layers of encryption. This allows Google to securely match passwords using a technique called private set intersection with blinding. Alongside password warnings, Google is also improving its phishing protection with a real-time option. Google has been using a list of phishing sites that updates every 30 minutes, but the company found that fraudsters have been quickly switching domains or hiding from Google's crawlers. This new real-time protection should generate warnings for 30 percent more cases of phishing.

Google today released Chrome 79 for Windows, Mac, Linux, Chrome OS, Android, and iOS users. This release comes with security and bug fixes, but also with new features such as built-in support for the Password Checkup tool, real-time blacklisting of malicious sites via the Safe Browsing API, general availability of Predictive Phishing protections, a ban on loading HTTPS "mixed content," support for tab freezing, a new UI for the Chrome Sync profile section, and support for a back-forward caching mechanism. ZDNet has outlined each new feature in-depth.

Two years ago, Apple launched an aggressive battle against ads that track users across the web. Today executives in the online publishing and advertising industries say that effort has been stunningly effective -- posing a problem for advertisers looking to reach affluent consumers. The Information reports: Since Apple introduced what it calls its Intelligent Tracking Prevention feature in September 2017, and with subsequent updates last year, advertisers have largely lost the ability to target people on Safari based on their browsing habits with cookies, the most commonly used technology for tracking. One result: The cost of reaching Safari users has fallen over 60% in the past two years, according to data from ad tech firm Rubicon Project. Meanwhile ad prices on Google's Chrome browser have risen slightly.

That reflects the fact that advertisers pay more money for ads that can be targeted at people with specific demographics and interests. "The allure of a Safari user in an auction has plummeted," said Rubicon Project CEO Michael Barrett. "There's no easy ability to ID a user." This shift is significant because iPhone owners tend to be more affluent and therefore more attractive to advertisers. Moreover, Safari makes up 53% of the mobile browser market in the U.S., according to web analytics service Statscounter. Only about 9% of Safari users on an iPhone allow outside companies to track where they go on the web, according to Nativo, which sells software for online ad selling. It's a similar story on desktop, although Safari has only about 13% of the desktop browser market. In comparison, 79% of people who use Google's Chrome browser allow advertisers to track their browsing habits on mobile devices through cookies. (Nativo doesn't have historical data so couldn't say what these percentages were in the past.)

An anonymous reader quotes a report from Ars Technica: Since March, Google has been promising that its streaming Stadia platform would be capable of full 4K, 60fps gameplay (for users with a robust Internet connection and $10/month Stadia Pro subscription). But technical analyses since launch have shown that some of the service's highest profile games aren't hitting that mark. A Digital Foundry analysis of Red Dead Redemption 2 on Stadia, for instance, found that the game actually runs at a native 2560x1440 resolution, which is then upscaled to the 4K standard of 4096x2160 via the Chromecast Ultra. And a Bungie representative said that the Stadia version of Destiny 2 runs at the PC equivalent of "medium" graphics settings and that the game will "render at a native 1080p and then upsample [to 4K] and apply a variety of techniques to increase the overall quality of effect."

Over the weekend, Google issued a statement to 9to5Google that essentially places the blame for this situation on Stadia developers themselves (emphasis added): "Stadia streams at 4K and 60fps -- and that includes all aspects of our graphics pipeline from game to screen: GPU, encoder, and Chromecast Ultra all outputting at 4K to 4K TVs, with the appropriate Internet connection. Developers making Stadia games work hard to deliver the best streaming experience for every game. Like you see on all platforms, this includes a variety of techniques to achieve the best overall quality. We give developers the freedom of how to achieve the best image quality and frame rate on Stadia, and we are impressed with what they have been able to achieve for day one. We expect that many developers can, and in most cases will, continue to improve their games on Stadia. And because Stadia lives in our data centers, developers are able to innovate quickly while delivering even better experiences directly to you without the need for game patches or downloads."

Microsoft's Edge browser is built on the same open source code as Google Chrome. But Ed Bott, writing for ZDNet, noticed something interesting: On January 15, 2020, Microsoft is scheduled to roll out a completely revamped Edge browser to the general public. That browser, which is available for beta testing now on all supported versions of Windows and MacOS, includes a feature called Tracking Prevention. If that name sounds familiar, you're not imagining things. Microsoft added a Tracking Protection feature to Internet Explorer 9, back in 2011; it used simple text files called Tracking Protection Lists (TPLs) to allow or block third-party requests from specific domains. That's the same general principle behind Tracking Prevention in the new Edge, but the implementation is more usable and more sophisticated, with multiple Trust Protection Lists taking the place of a single TPL.

I've spent the past week looking closely at this feature... [A]lthough it's aimed at the online advertising and tracking industries in general, my tests suggest that its effects are likely to be felt most directly by one company: Google.

Using the default Balanced setting, Tracking Prevention blocked a total of 2,318 trackers, or an average of 35 on each page. Of that total, 552 were from Google domains. That's a mind-boggling 23.8% of the total. To put that into perspective, the second entry on the list of blocked trackers was Facebook, which represented 3.8% of the total.
Rather than an anti-Google conspiracy, the article suggests this is instead just a reflection of both Google's ubiquity and its business model.

"Google Analytics and Google AdSense are embedded on a staggering number of web pages."

An anonymous reader quotes the International Business Times: At the recent Tianfu cup held in Chengdu, China, Chinese China's top white-hat hackers have converged to test zero-days against top software available in the market today. During the first day of the event, Chinese security researchers were able to break into major browsers such as Safari, Microsoft Edge, and Google Chrome.

Since March 2018, the Chinese government has officially discouraged security researchers from joining hacking competitions outside the county. The recent Tianfu Cup is the venue for hackers to showcase their skills and even earn six-figure bounties for successful exploits. Former Pwn2Own winner Team 360 Vulcan took home $382,500 for successfully hacking the old version of Office 365, Microsoft Edge, Adobe PDF Reader, VMWare Workstation, and gemu+ Ubuntu during the two days event, reports ZDNet... Search engine giant Google has a representative in the event with some members of the Google Chrome security team present on site. Organizers plan to submit a report of all bugs uncovered during the event to all vendors when the competition concludes, says ZDNet.

Google has announced that Cloud Print, its cloud-based printing solution, is being retired at the end of next year. 9to5Google reports: The announcement comes in the form of a support document for Cloud Print that popped up recently, which is kind enough to remind us that Cloud Print has technically been in beta since it launched a decade ago: "Cloud Print, Google's cloud-based printing solution that has been in beta since 2010, will no longer be supported as of December 31, 2020. Beginning January 1, 2021, devices across all operating systems will no longer be able to print using Google Cloud Print. We recommend that over the next year, you identify an alternative solution and execute a migration strategy."

Google notes that Chrome OS' native printing solutions have been vastly improved since Cloud Print launched in 2010, and also promises that native printing in Chrome OS will continue to get more features over time: "Google has improved the native printing experience for Chrome OS, and will continue adding features to native printing. For environments besides Chrome OS, or in multi-OS scenarios, we encourage you to use the respective platform's native printing infrastructure and/or partner with a print solutions provider."