The Browser Company's Chromium-based Arc browser "isn't perfect, and it takes some getting used to," writes the Verge. "But it's full of big new ideas about how we should interact with the web — and it's right about most of them." Arc wants to be the web's operating system. So it built a bunch of tools that make it easier to control apps and content, turned tabs and bookmarks into something more like an app launcher, and built a few platform-wide apps of its own. The app is much more opinionated and much more complicated than your average browser with its row of same-y tabs at the top of the screen. Another way to think about it is that Arc treats the web the way TikTok treats video: not as a fixed thing for you to consume but as a set of endlessly remixable components for you to pull apart, play with, and use to create something of your own. Want something to look better or have an idea for what to do with it? Go for it.

This is a fun moment in the web browser industry. After more than a decade of total Chrome dominance, users are looking elsewhere for more features, more privacy, and better UI. Vivaldi has some really clever features; SigmaOS is also betting on browsers as operating systems; Brave has smart ideas about privacy; even Edge and Firefox are getting better fast. But Arc is the biggest swing of them all: an attempt to not just improve the browser but reinvent it entirely....

Right now, Arc is only available for the Mac, but the company has said it's also working on Windows and mobile versions, both due next year. It's still in a waitlisted beta and is still very much a beta app, with some basic features missing, other features still in flux, and a few deeply annoying bugs. But Arc's big ideas are the right ones. I don't know if The Browser Company is poised to take on giants and win the next generation of the browser wars, but I'd bet that the future of browsers looks a lot like Arc....

In a way, Arc is more like ChromeOS than Chrome. It tries to expand the browser to become the only app you need because, in a world where all your apps are web apps and all your files are URLs, who really needs more than a browser?
The article describes Arc as a power user tool with vertical sidebar combining bookmarks, tabs, and apps. (And sets of these can apparently be combined into different "spaces".) These are enhanced with a hefty set of keyboard shortcuts (including tab searching), along with built-in media controls for Twitch/Spotify/Google Meet (as well as a picture-in-picture mode).
BR. Arc even has a shareable, collaborative whiteboard app "Easel". And it also offers powerful features like the ability to rewrite how your browser displays any site's CSS. ("I have one that removes the Trending sidebar from Twitter and another that cleans up my Gmail page.")

1Password has announced that passkey support will be available to its customers in "early 2023," allowing users to securely log in to apps and websites without a password. The Verge reports: Passkeys are a passwordless login technology developed by the FIDO Alliance, whose members include most of the Big Tech companies. The tech allows users to replace traditional passwords with their device's own authentication -- such as an iPhone with Face ID -- offering greater security and protection since there's no password to steal or accidentally hand over via a phishing attack.

1Password claims its own variation, called Universal Sign On, will be superior to others by supporting multiple platforms and cross-platform syncing when it launches next year. By contrast, passkey support through companies like Apple is only built to seamlessly synchronize access on devices within the same ecosystem. A live demonstration of how passkeys will work is available for 1Password users using the latest version of its Chrome browser extension, alongside a video demo for those not using the service and a directory listing which websites, apps, and services are using passkeys for authentication. 1Password will bring full support for passkeys to its browser extension and desktop apps in early 2023, with mobile support to follow.

whoever57 writes: Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto? You probably already do. Washington Post reports: An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews. Google's Chrome, Apple's Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what's known as a root certificate authority, a powerful spot in the internet's infrastructure that guarantees websites are not fake, guiding users to them seamlessly.

The company's Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade. One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics. Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it. whoever57 has also shared a unpaywalled link to the story.

An anonymous reader quotes a report from The Verge: Darin Fisher has built a lot of web browsers. A lot of web browsers. He was a software engineer at Netscape early in his career, working on Navigator and then helping turn that app into Firefox with Mozilla. Then, he went to Google and spent 16 years building Chrome and ChromeOS into massively successful products. Last year, he left Google for Neeva, where he worked on ways to build a browser around the startup's search engine. And now, he's leaving Neeva to join The Browser Company and work on Arc, one of the hottest new browsers on the market. Arc, which has been in an invite-only beta for more than a year, is trying to rethink the whole browser UI. It has a sidebar instead of a row of tabs, offers a lot of personalization options, and is meant for people who live their computing life in a browser (which is increasingly most people). CEO Josh Miller often talks about building "the internet computer," too, and using the browser as a way to make the internet more useful.

Fisher has been an advisor to The Browser Company for a while, but Monday is his first official day at the company as a software engineer. Ahead of his new gig, Fisher and I got on a call to talk about why he thinks browsers are due for a reinvention -- and why he thinks a startup is the best place to do it. The answer starts with the browser's defining feature: tabs. Fisher doesn't hate tabs -- in fact, he helped popularize them. But he hates that using a modern browser involves opening a million of them, not being able to find them again, and eventually just giving up and starting all over again. "I remember when tabbed browsing was novel," Fisher says, "and helped people feel less cluttered because you don't have as many windows." But now, "even when I use Chrome," Fisher says, "I get a bunch of clutter. At some point, I just say, 'Forget it, I'm not even going to bother trying to sort through all these tabs. If it's important, I'll open it again.'" Browsers need better systems for helping you manage tabs, not just open more of them.

The best way to improve the browser, Fisher ultimately decided, is to just start from scratch. Arc is full of new ideas about how web browsers can work: it combines bookmarks and tabs into one app switcher-like concept; it makes it easy to search among your open tabs; it has built-in tools for taking notes and making shareable mini websites. The experience can be jarring because it's so different, but Fisher says that's part of what he's excited about. "This is not stuff people haven't talked about before," he says, "but actually putting it together and focusing on it and thinking about the small steps that go a long way, I think that's where there's so much opportunity." Fisher likes to compare a browser to an operating system, which matches with The Browser Company's idea that Arc isn't just a browser but rather an iOS-like system for the open web. "It has task management UI, it has UI for creating and starting a journey, but there's so much more in between," he says. What the iPhone did for native apps, Arc hopes to do for web apps. Fisher says he's interested in improving the way files move around the internet, for instance, finding a better way than the constant downloading and uploading we all do all day. He likes that Arc has a picture-in-picture mode that works by default, pulling your YouTube video out when you switch tabs. All these make the web feel more connected and cohesive rather than just a bunch of tabs in a horizontal line. The Browser Company also plans to reinvent the internet browser for mobile, too. On mobile, in particular, he says, "there are so many opportunities because the starting point is so archaic."

"He's vague on the details of his plans -- and The Browser Company hasn't really started working on a mobile browser yet anyway -- but says that's a big focus for him going forward," adds The Verge.

Following yesterday's article about Google Chrome preparing to deprecate the JPEG-XL image format, a Google engineer has now provided their reasons for dropping this next-generation image format. Phoronix reports: As noted yesterday, a patch is pending for the Google Chrome/Chromium browser to deprecate the still-experimental (behind a feature flag) JPEG-XL image format support from their web browser. The patch marks Chrome 110 and later as deprecating JPEG-XL image support. No reasoning was provided for this deprecation, which is odd considering JPEG-XL is still very young in its lifecycle and has been receiving growing industry interest and support.

Now this evening is a comment from a Google engineer on the Chromium JPEG-XL issue tracker with their expressed reasons: "Thank you everyone for your comments and feedback regarding JPEG XL. We will be removing the JPEG XL code and flag from Chromium for the following reasons:

- Experimental flags and code should not remain indefinitely
- There is not enough interest from the entire ecosystem to continue experimenting with JPEG XL
- The new image format does not bring sufficient incremental benefits over existing formats to warrant enabling it by default
- By removing the flag and the code in M110, it reduces the maintenance burden and allows us to focus on improving existing formats in Chrome"

Chrome will no longer support Windows 7 nor Windows 8.1 upon the release of Chrome 110, currently scheduled to hit stable on February 7, 2023. From that point on, you'll need to be running at least Windows 10 to maintain access to new builds. Android Police reports: While Google won't be doing anything to stop users of older platforms from continuing to install and run earlier releases of Chrome, they'd be missing out on the latest critical security and usability enhancements.

An anonymous reader quotes a report from Ars Technica: Generically, passkeys refer to various schemes for storing authenticating information in hardware, a concept that has existed for more than a decade. What's different now is that Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.

On Monday, PayPal said US-based users would soon have the option of logging in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers, and WordPress as online services that will offer the password alternative. In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. Passkey support is still spotty. Passkeys stored on iOS or macOS will work on Windows, for instance, but the reverse isn't yet available. In the coming months, all of that should be ironed out, though.

Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. There's no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack. Even if an adversary was able to extract the cryptographic secret, they still would have to supply the fingerprint, facial scan, or -- in the absence of biometric capabilities -- the PIN that's associated with the token. What's more, hardware tokens use FIDO's Cross-Device Authentication flow, or CTAP, which relies on Bluetooth Low Energy to verify the authenticating device is in close physical proximity to the device trying to log in. "Users no longer need to enroll each device for each service, which has long been the case for FIDO (and for any public key cryptography)," said Andrew Shikiar, FIDO's executive director and chief marketing officer. "By enabling the private key to be securely synced across an OS cloud, the user needs to only enroll once for a service, and then is essentially pre-enrolled for that service on all of their other devices. This brings better usability for the end-user and -- very significantly -- allows the service provider to start retiring passwords as a means of account recovery and re-enrollment."

In other words: "Passkeys just trade WebAuthn cryptographic keys with the website directly," says Ars Review Editor Ron Amadeo. "There's no need for a human to tell a password manager to generate, store, and recall a secret -- that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced."

If you're eager to give passkeys a try, you can use this demo site created by security company Hanko.

An anonymous reader quotes a report from BetaNews: Slack developer Felix Rieseberg released Windows 95 as an Electron app four years ago, updating it shortly afterwards to allow it to run gaming classics like Doom. Now he rolls out a new version which can run on any Windows, Mac or Linux system. Based on the Electron framework, Rieseberg's Windows 95 is written entirely in JavaScript, so it doesn't run as smoothly as it would if it was a native app, but you shouldn't let that put you off.

This is the second update of the year, which brings it up to version 3.1.1 and includes two important changes:

- Upgraded from Electron v18 to Electron v21 (and with it, Chrome and Node.js)
- Upgraded v86 (sound is back!)

The earlier update (in June) brought the software up to 3.0.0 and introduced the following changes:

- Upgraded from Electron v11 Electron v18 (and with it, Chrome and Node.js)
- Upgraded v86 (now using WASM)
- Upgraded various smaller dependencies
- Much better scaling on all platforms
- On Windows, the link to OSFMount was broken and is now fixed.
- On Windows, you can now see a prettier installation animation.
- On Windows, windows95 will have a proper icon in the Programs & Features menu. You can download the latest version of the Windows 95 app for Windows, macOS, and Linux at their respective links.

Android Developers Blog: Passkeys are a significantly safer replacement for passwords and other phishable authentication factors. They cannot be reused, don't leak in server breaches, and protect users from phishing attacks. Passkeys are built on industry standards and work across different operating systems and browser ecosystems, and can be used for both websites and apps. Passkeys follow already familiar UX patterns, and build on the existing experience of password autofill. For end-users, using one is similar to using a saved password today, where they simply confirm with their existing device screen lock such as their fingerprint. Passkeys on users' phones and computers are backed up and synced through the cloud to prevent lockouts in the case of device loss. Additionally, users can use passkeys stored on their phone to sign in to apps and websites on other nearby devices.

Today's announcement is a major milestone in our work with passkeys, and enables two key capabilities: Users can create and use passkeys on Android devices, which are securely synced through the Google Password Manager. Developers can build passkey support on their sites for end-users using Chrome via the WebAuthn API, on Android and other supported platforms. To try this today, developers can enroll in the Google Play Services beta and use Chrome Canary. Both features will be generally available on stable channels later this year. Our next milestone in 2022 will be an API for native Android apps. Passkeys created through the web API will work seamlessly with apps affiliated with the same domain, and vice versa. The native API will give apps a unified way to let the user pick either a passkey or a saved password. Seamless, familiar UX for both passwords and passkeys helps users and developers gradually transition to passkeys.

For the end-user, creating a passkey requires just two steps: (1) confirm the passkey account information, and (2) present their fingerprint, face, or screen lock when prompted. Signing in is just as simple: (1) The user selects the account they want to sign in to, and (2) presents their fingerprint, face, or screen lock when prompted. A passkey on a phone can also be used to sign in on a nearby device. For example, an Android user can now sign in to a passkey-enabled website using Safari on a Mac. Similarly, passkey support in Chrome means that a Chrome user, for example on Windows, can do the same using a passkey stored on their iOS device. Since passkeys are built on industry standards, this works across different platforms and browsers - including Windows, macOS and iOS, and ChromeOS, with a uniform user experience.

Google has announced what it's calling "the world's first laptops built for cloud gaming," less than two weeks after announcing plans to shut down Stadia. Forbes reports: Google says the Acer Chromebook 516 GE, ASUS Chromebook Vibe CX55 Flip and Lenovo Ideapad Gaming Chromebook all have refresh rates of at least 120Hz, displays with up to 1600p resolution, immersive audio and, critically for cloud gaming, WiFi 6 or 6E connectivity. Some models have RGB keyboards too. Subject to availability, you may get a SteelSeries Rival 3 gaming mouse at no extra cost if you pick up one of these Chromebooks. All three laptops were benchmarked by GameBench to ensure that they're capable of running games at 120 frames per second at 1080p resolution. You should get input latency of under 85 ms as well. Google notes that's "console-class" input latency.

[...] Google is bringing some neat cloud gaming features to these Chromebooks. For one thing, the devices will support Xbox Cloud Gaming, Amazon Luna and NVIDIA GeForce Now. In the latter case, Google worked with NVIDIA to ensure these Chromebooks support GeForce Now's highest RTX 3080 tier. That enables cloud gaming at 120 fps at a resolution of 1600p on these systems, which come with the GeForce Now app preinstalled. You'll also be able to install Xbox Cloud Gaming as a web app on your Chromebook. Additionally, these Chromebooks will come with three-month trials for both the GeForce Now RTX 3080 tier and Amazon Luna. Meanwhile, it could be pretty easy for you to find and start playing games on these services through ChromeOS. If you search for a game in the launcher (i.e. through the Everything Button), you'll see where it is available. You'll then be able to load up the game with a single click. To begin with, this feature will be compatible with GeForce Now and the Play Store. "It's good to see that Google hasn't entirely given up on cloud gaming," adds Forbes. "Still, the timing of this announcement comes at a very odd time."

An email mocking Chrome browsing mode's faux privacy has surfaced in the courtroom. From a report: On International Data Privacy Day last year, an email popped into Alphabet Chief Executive Sundar Pichai's inbox from Google's marketing chief Lorraine Twohill full of ideas on gaining user trust. "Make Incognito Mode truly private," she wrote in a bullet point. "We are limited in how strongly we can market Incognito because it's not truly private, thus requiring really fuzzy, hedging language that is almost more damaging." Now, billions of dollars in damages could be at stake in a consumer lawsuit targeting the private-browsing feature if a judge agrees Tuesday to let the case proceed as a class action on behalf of millions of users.

Twohill's assessment of Incognito's shortcomings was remarkably candid considering Google had already been sued at the time she messaged her boss, who himself had shepherded the feature through development back when the company launched its Chrome browser in 2008. Google denies wrongdoing. "Privacy controls have long been built into our services and we encourage our teams to constantly discuss or consider ideas to improve them," spokesman Jose Castaneda said in an email. Court filings show that well before the search engine giant was taken to court, rank and file Googlers frankly voiced their own frustrations that Incognito didn't live up to its name.

"The Rust programming language is getting so popular that the team behind it is creating a team that's dedicated to defining the default Rust coding style," reports ZDNet: Each language has style guides and, if they're popular enough, may have multiple style guides from major users, like Google, which has its guide for C++ — the language Chrome is written in. Python's Guido van Rossum's posted his styling conventions here.

Rust, which reached version 1.0 in 2015, has a style guide in the "rustfmt" or 'Rust formatting tool' published on GitHub. The tool automatically formats Rust code to let developers focus on output and aims to reduce the steep learning curve confronting new Rust developers. The guide instructs developers to "Use spaces, not tabs" and says "each level of indentation must be 4 spaces", for example....

But the team responsible for writing the style guide between 2016 and 2018 has "by design" come to end, so now it's now been decided to create the Rust style team, consisting of Josh Triplett, Caleb Cartwright, Michal Goulet, and Jane Lusby. The crew will first tackle a "backlog of new language constructs that lack formatting guidance" and move on to "defining and implementing the mechanisms to evolve the default Rust style, and then begin introducing style improvements."

The work includes minor language changes, big structural changes, and backwards compatibility and the style team wants to craft the tool to make it current for easier coding in Rust, and help adoption.
New constructs "by default, get ignored and not formatted by rustfmt," according to a blog post by the Rust style team, "and subsequently need formatting added. Some of this work has fallen to the rustfmt team in recent years, but the rustfmt team would prefer to implement style determinations made by another team rather than making such determinations itself."

The post also notes that the backwards compatibility maintained by rustfmt "also prevents evolving the Rust style to take community desires into account and improve formatting over time." rustfmt provides various configuration options to change its default formatting, and many of those options represent changes that many people in the community would like enabled by default... but [rustfmt] cannot make this the default without causing continuous integration failures in existing projects. We need a way to evolve the default Rust style compatibly, similar in spirit to the mechanisms we use for Rust editions: allowing existing style to continue working, and allowing people to opt into new style.

To solve both of these problems, RFC 3309 has revived the Rust style team, with three goals:

- Making determinations about styling for new Rust constructs
- Evolving the existing Rust style
- Defining mechanisms to evolve the Rust style while taking backwards compatibility into account

We don't plan to make any earth-shattering style changes; the look and feel of Rust will remain largely the same. Evolutions to the default Rust style will largely consist of established rustfmt options people already widely enable, or would enable if they were stable. We expect that the initial work of the style team will focus on clearing a backlog of new language constructs that lack formatting guidance. Afterwards, we will look towards defining and implementing the mechanisms to evolve the default Rust style, and then begin introducing style improvements.

An anonymous reader quotes a report from Consumer Reports: A Consumer Reports investigation finds that TikTok, one of the country's most popular apps, is partnering with a growing number of other companies to hoover up data about people as they travel across the internet. That includes people who don't have TikTok accounts. These companies embed tiny TikTok trackers called "pixels" in their websites. Then TikTok uses the information gathered by all those pixels to help the companies target ads at potential customers, and to measure how well their ads work. To look into TikTok's use of online tracking, CR asked the security firm Disconnect to scan about 20,000 websites for the company's pixels. In our list, we included the 1,000 most popular websites overall, as well as some of the biggest sites with domains ending in ".org," ".edu," and ".gov." We wanted to look at those sites because they often deal with sensitive subjects. We found hundreds of organizations sharing data with TikTok.

If you go to the United Methodist Church's main website, TikTok hears about it. Interested in joining Weight Watchers? TikTok finds that out, too. The Arizona Department of Economic Security tells TikTok when you view pages concerned with domestic violence or food assistance. Even Planned Parenthood uses the trackers, automatically notifying TikTok about every person who goes to its website, though it doesn't share information from the pages where you can book an appointment. (None of those groups responded to requests for comment.) The number of TikTok trackers we saw was just a fraction of those we observed from Google and Meta. However, TikTok's advertising business is exploding, and experts say the data collection will probably grow along with it.

After Disconnect researchers conducted a broad search for TikTok trackers, we asked them to take a close look at what kind of information was being shared by 15 specific websites. We focused on sites where we thought people would have a particular expectation of privacy, such as advocacy organizations and hospitals, along with retailers and other kinds of companies. Disconnect found that data being transmitted to TikTok can include your IP address, a unique ID number, what page you're on, and what you're clicking, typing, or searching for, depending on how the website has been set up. What does TikTok do with all that information? "Like other platforms, the data we receive from advertisers is used to improve the effectiveness of our advertising services," says Melanie Bosselait, a TikTok spokesperson. The data "is not used to group individuals into particular interest categories for other advertisers to target." If TikTok receives data about someone who doesn't have a TikTok account, the company only uses that data for aggregated reports that they send to advertisers about their websites, she says. There's no independent way for consumers or privacy researchers to verify such statements. But TikTok's terms of service say its advertising customers aren't allowed to send the company certain kinds of sensitive information, such as data about children, health conditions, or finances. "We continuously work with our partners to avoid inadvertent transmission of such data," TikTok's Bosselait says. What can you do to protect your personal information? Consumer Reports recommends using privacy-protecting browser extensions like Disconnect, changing your browser's privacy settings to block trackers, and trying a more private browser like Firefox and Brave.

With Stadia coming to an abrupt halt, gamers want Google to issue a software update for the controllers that unlocks Bluetooth to allow them to work wirelessly with other game systems. It would also "avoid a lot of plastic and circuit board trash," adds Ars. From the report: Stadia's controllers were custom-made to connect directly to the Internet, reducing lag and allowing for instant firmware updates and (sometimes painful) connections to smart TVs. There's Bluetooth inside the Stadia controller, but it's only used when you're setting up Stadia, either with a TV, a computer with the Chrome browser, or a Chromecast Ultra. The Google Store's page for the Stadia controller states in a footnote: "Product contains Bluetooth Classic radio. No Bluetooth Classic functionality is enabled at this time. Bluetooth Classic may be implemented at a later date." (Bluetooth Classic is a more traditional version of Bluetooth than modern low-energy or mesh versions.) That potential later date can't get much later for fans of the Stadia controller. Many cite the controller's hand feel and claim it as their favorite. They'd like to see Google unlock Bluetooth to make their favorite something more than a USB-only controller and avoid a lot of plastic and circuit board trash.

"Now if you'd just enable Bluetooth on the controller, we could help the environment by not letting them become electronic waste," writes Roadrunner571 on one of many controller-related threads on the r/Stadia subreddit. "They created trash and they at least owe it to me to do their best within reason to prevent millions of otherwise perfectly good controllers from filling landfills," another wrote. Many have called for Google, if they're not going to push a firmware update themselves to unlock the functionality, to open up access to the devices themselves, so the community can do it for them. That's often a tricky scenario for large companies relying on a series of sub-contracted manufacturers to produce hardware. Some have suggested that the full refunds give Google more leeway to ignore the limited function of their devices post-shutdown. It's worth noting that you can still plug a Stadia controller into the USB port on a Smart TV, computer, or gaming console and use it as a controller through a standard HID (Human Interface Device) connection. But, currently, it's not possible to connect the controllers wirelessly, unless you go through a lot of effort.

AmiMoJo writes: Google announced an extension of the deadline to remove support for Manifest V2 extensions in the company's Chrome browser and the open source Chromium core. The change does not impact the core decision of removing support for Manifest V2 extensions in favor of Manifest V3. Dubbed, the adblocker killer initially, due to limitations imposed on content blocking and other types of browser extensions, Google made concessions that allows content blockers to run on Chrome after the final switch is made. Extensions are still limited in comparison to Manifest V2, especially if multiple that use filtering functionality are run simultaneously, or if lots of filters are activated in a single extension. Google's initial plan was to stop supporting Manifest V2 extensions in Chrome by June 2023. For most users, support would run out in January 2023, but an Enterprise policy would enable users to extend the deadline by six months.

Martin Brinkmann writes via gHacks: From next year onward, extensions for Google Chrome and most other Chromium-based browsers, will have to rely on a new extension manifest. Manifest V3 defines the boundaries in which extensions may operate. Current Chromium extensions use Manifest V2 for the most part, even though the January 2023 deadline is looming over the heads of every extension developer. Google is using its might to push Manifest v3, and most Chromium-based browsers, including Microsoft Edge, will follow. [...]

Mozilla announced early on that it will support Manifest v3 as well, but that it would continue to support important APIs that Google limited in Manifest v3. Probably the most important of them all is the WebRequest API. Used by content blockers extensively to filter certain items, it has been replaced by a less powerful option in Manifest v3. While Manifest v3 does not mean the end for content blocking on Chrome, Edge and other Chromium-based browsers, it may limit abilities under certain circumstances. Users who install a single content blocker and no other extension that relies on the same relevant API may not notice much of a change, but those who like to add custom filter lists or use multiple extensions that rely on the API, may run into artificial limits set by Google.

Mozilla reaffirmed this week that its plan has not changed. In "These weeks in Firefox: issue 124," the organization confirms that it will support the WebRequst API of Manifest v2 alongside Manifest v3. Again, a reminder that Mozilla plans to continue support for the Manifest v2 blocking WebRequest API (this API powers, for example, uBlock Origin) while simultaneously supporting Manifest v3.

Framework and Google have announced the new Framework Laptop Chromebook Edition. As the name implies, this is an upgradable, customizable Chromebook from the same company that put out the Framework laptop last year. From a report: User-upgradable laptops are rare enough already, but user-upgradable Chromebooks are nigh unheard of. While the size of the audience for such a device may remain to be seen, it's certainly a step in the right direction for repairability in the laptop space as a whole. Multiple parts of the Framework are user-customizable, though it's not clear whether every part that's adjustable on the Windows Framework can be adjusted on the Chromebook as well. Each part has a QR code on it which, if scanned, brings up the purchase page for the part's replacement. Most excitingly (to me), the Chromebook Edition includes the same expansion card system as the Windows edition, meaning you can choose the ports you want and where to put them. I don't know of any other laptop, Windows or Chrome OS, where you can do this, and it's easily my personal favorite part of Framework's model. You can choose between USB-C, USB-A, microSD, HDMI, DisplayPort, Ethernet, high-speed storage, "and more," per the press release. HDMI, in particular, is a convenient option to have on a Chromebook.

Recent research from the otto-js Research Team has uncovered that data that is being checked by both Microsoft Editor and the enhanced spellcheck setting within Google Chrome is being sent to Microsoft and Google respectively. This data can include usernames, emails, DOB, SSN, and basically anything that is typed into a text box that is checked by these features. Neowin reports: As an additional note, even passwords can be sent by these features, but only when a 'Show Password' button is pressed, which converts the password into visible text, which is then checked. The key issue resolves around sensitive user personally identifiable information (PII), and this is a key concern for enterprise credentials when accessing internal databases and cloud infrastructure.

Some companies are already taking action to prevent this, with both AWS and LastPass security teams confirming that they have mitigated this with an update. The issue has already been dubbed 'spell-jacking'. What's most concerning is that these settings are so easy to enable by users, and could result in data exposure without anyone ever realising it. The team at otto-js ran a test of 30 websites, across a range of sectors, and found that 96.7% of them sent data with PII back to Google and Microsoft. At present, the otto-js Research Team recommends that these extensions and settings are not used until this issue is resolved.

An anonymous reader shares a report: Here's a fun new feature for Chrome for Android: fingerprint-protected Incognito tabs. 9to5Google discovered the feature in the Chrome 105 stable channel, though you'll have to dig deep into the settings to enable it at the moment. If you want to add a little more protection to your private browsing sessions, type "chrome://flags/#incognito-reauthentication-for-android" into the address bar and hit enter. After enabling the flag and restarting Chrome, you should see an option to "Lock Incognito tabs when you leave Chrome." If you leave your Incognito session and come back, an "unlock Incognito" screen will appear instead of your tabs, and you'll be asked for a fingerprint scan.

TechCrunch has learned and Google confirmed the company is slashing projects at its in-house R&D division known as Area 120. From the report: The company on Tuesday informed staff of a "reduction in force" which will see the incubator halved in size, as half the teams working on new product innovations heard their projects were being canceled. Previously, there were 14 projects housed in Area 120, and this has been cut down to just seven. Employees whose projects will not continue were told they'll need to find a new job within Google by the end of January 2023, or they'll be terminated. It's not clear that everyone will be able to do so. According to Area 120 lead Elias Roman, the division aims to sharpen its focus to only AI-first projects, as opposed to its earlier mandate to fuel product incubation across all of Google.

Over the years, the division has launched a number of successful products, including the HTML5 gaming platform GameSnacks, now integrated with Google Chrome; an AirTable rival called Tables which exited to Google Cloud; an A.I.-powered conversational ads platform AdLingo, which also exited to Cloud; video platforms Tangi and Shoploop, which exited to Google Search and Shopping, respectively; the web-based travel app Touring Bird, which exited to Commerce; and a technical interview platform Byteboard, a rare external spinout. One of the projects now being cut with the changes is Qaya, a service offering web storefronts for digital creators, launched late last year.

The other six projects being canceled weren't yet launched, but included a financial accounting project for Google Sheets, another shopping-related product, analytics for AR/VR, and, unfortunately, three climate-related projects. These latter projects had focused on EV car charging maps with routing, carbon accounting for I.T., and carbon measurement of forests. Google confirmed the changes in a statement to TechCrunch: "Area 120 is an in-house incubator for experimental new products. The group regularly starts and stops projects with an eye toward pursuing the most promising opportunities. We've recently shared that Area 120 will be shifting its focus to projects that build on Google's deep investment in AI and have the potential to solve important user problems. As a result, Area 120 is winding down several projects to make way for new work. Impacted team members will receive dedicated support as they explore new projects and opportunities at Google."