
Chrome 80 Arrives With Mixed Content Autoupgraded To HTTPS, Cookie Changes, and Contact Picker API (venturebeat.com) 63

An anonymous reader quotes a report from VentureBeat: Google today launched Chrome 80 for Windows, Mac, Linux, Android, and iOS. The release includes autoupgrading mixed content to HTTPS, SameSite cookie changes, quieter permission UI for notifications, and more developer features. This release thus beefs up security for the world's most popular browser and begins cracking down on cross-site cookies. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome's regular additions and changes, developers often have to stay on top of everything available -- as well as what has been deprecated or removed. Among other things, Chrome 80 has started deprecating FTP support by disabling it by default for non-enterprise clients.
  • by Futurepower(R) ( 558542 ) on Tuesday February 04, 2020 @09:21PM (#59691822) Homepage
    In the Windows OS, does Chrome still install System Services? Years ago it installed 3 services, giving it more power over the OS than the user.
    • by AHuxley ( 892839 )
      The ads needed it that way...
      Now the new browser is an ad delivery service that feels "better".
    • All Google programs do. They use those to apply updates without pestering users for restarts like Firefox does. Mind you they are scheduled / on demand run services and don't run continuously in the background.

    • by AmiMoJo ( 196126 )

      Yes but they don't give Chrome more power than the user, that's nonsense.

      Chrome installs 3 services to assist with updates. Naturally the Chrome browser itself runs at a very low privilege level for security reasons, so it can't update itself. The services assist with downloading the update, installing it and relaunching Chrome. They do so with the same permission level as the user, no more, because they install to the user's home directory.

      By the way, Firefox has the exact same thing but worse - it install

  • I think there are still a good minority of sites that still have FTP sites to download applications.
    Now I don't see any good reason for them to do that in 2020, but they are still around.

    However, I remember back in the old days using Mosaic to FTP into public sites. As there were more public sites running FTP servers than web servers.

    • I hope they allow at least to register the protocol through an addon so it can be redirected to an outside app.

      IMHO, they should instead raise a warning before changing from http to ftp and later open the link... if the security (and maintenance cost I guess...) is REALLY the reason and not just an excuse.

  • by WaffleMonster ( 969671 ) on Tuesday February 04, 2020 @09:58PM (#59691904)

    Just more examples of Google doing shit and substituting their own judgment for the explicit intent of site operators because they can.

    There are already CSP header values: block-all-mixed-content and upgrade-insecure-requests. There are already browser options to control mixed content.

    Most site operators can easily implement policy they want browsers to enforce without having their decisions overridden because Google thinks it knows better than everyone else.

    The behavior is especially problematic given the fact there are no assurances the SAME content would even be available via https. The safer "because security" approach with least surprise would simply be "block-all-mixed-content".
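An added example (not from the article or from any commenter): a small Node.js audit a site operator could run to see whether a response's CSP header carries the two directives named in the comment above, and which subresources of an HTTPS page are still referenced over cleartext HTTP. The header and HTML are constructed samples and the function names are hypothetical; the script does not check that the `https://` candidate actually serves the same content.

```javascript
'use strict';
// Tags whose src triggers a subresource fetch. <a href> is navigation,
// not mixed content, so it is deliberately absent.
const SUBRESOURCE_TAGS = new Set(['img', 'script', 'iframe', 'audio', 'video', 'source']);

// Parse a Content-Security-Policy header into directive name -> values.
function parseCsp(header) {
  const directives = new Map();
  for (const part of (header || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores repeated directives: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// List subresources referenced over cleartext HTTP (regex scan, not a full HTML parser).
function findInsecureSubresources(html) {
  const hits = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const srcRe = /(?:^|\s)src\s*=\s*["']?(http:\/\/[^"'\s>]+)/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!SUBRESOURCE_TAGS.has(tag)) continue;
    const a = srcRe.exec(m[2]);
    if (a) hits.push({ tag, url: a[1], httpsCandidate: 'https://' + a[1].slice(7) });
  }
  return hits;
}

function auditPage(cspHeader, html) {
  const csp = parseCsp(cspHeader);
  return {
    upgradeInsecureRequests: csp.has('upgrade-insecure-requests'),
    blockAllMixedContent: csp.has('block-all-mixed-content'),
    insecure: findInsecureSubresources(html),
  };
}

// Constructed sample input (not taken from any real site).
const SAMPLE_CSP = "default-src 'self'; upgrade-insecure-requests";
const SAMPLE_HTML = `<a href="http://example.com/page">link</a>
<img src="http://cdn.example.com/logo.png">
<script src="https://cdn.example.com/app.js"></script>
<video data-src="http://x.example/a" src="http://media.example.com/clip.mp4"></video>`;
console.log(JSON.stringify(auditPage(SAMPLE_CSP, SAMPLE_HTML), null, 2));
```
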

    • by sjames ( 1099 ) on Wednesday February 05, 2020 @12:45AM (#59692146) Homepage Journal

      Many consider ability to access legitimate resources to be part of security. That is, locking someone out of an access that should be granted is bad like not locking them out of an access they should not have is bad. Chrome is trying really hard to fail.

      If they really wanted security, they wouldn't have neutered the API for dynamic content blocking. Of course, that might be used to block unwanted ads...

      It was a nice browser before they started deciding that we mere users should trust the Goog to know best and not worry our pretty little heads about it.

      Rumor has it the next version will have a driver for a robot arm connected through USB so it can actually pat the user on the head.

      • If they really wanted security, they wouldn't have neutered the API for dynamic content blocking.

        This should be repeated.

    • by AHuxley ( 892839 )
      That could be 3rd party ads trying to gain information about users for free. That now gets powerful new privacy protection.
      Encryption protects their own ads all the way to the user and back again.
      • And good. It's a potential leak path for user information. The ability to block ads has never depended on it being unencrypted so this is as much of a net win for the privacy conscious as it is for those who don't care and those whose tinfoil hats need re-tuning.

    • "Most site operators can easily "

      I don't think you can finish that sentence honestly. Especially with the words you chose. "Easy" means you have to be aware of the problem, know your platform well enough to find the solution, and have a desire to do so.

      If you don't know your technology you can cut off content, especially if you have a client with more secure ssl/tls settings than you have.

    • Just more examples of Google doing shit and substituting their own judgment for the explicit intent of site operators because they can.

      And thank God. If there's one thing we have learnt in the past 15 years, it is that site operators do not have the interests of users in mind at all.
      Now excuse me I've just been asked by a client to add another 5 tracking scripts to this website because it didn't load slowly enough.

      In all seriousness, Google forcing things despite how one-sided and abusive it has been has given website creators a very much needed kick in the nads.

    • Well, that's Google, isn't it? They consider themselves smarter than anyone else, and better able to make decisions for us. If they leave it up to us to decide, we're just going to be idiots and pull a Trump or Brexit. Democracy is under sustained attack right now and it's frightening to see people openly preferring fascism. Just because they're losing.
    • by AmiMoJo ( 196126 )

      Blocking mixed content is a security enhancement that should have happened years ago. Upgrading insecure requests is just an attempt to fix broken sites automatically.

      It's not up to the site operators to decide how secure MY browser is going to be. I run uBlock too, I get to decide what content is acceptable, not them.

      • by tlhIngan ( 30335 )

        Blocking mixed content is a security enhancement that should have happened years ago. Upgrading insecure requests is just an attempt to fix broken sites automatically.

        It's not up to the site operators to decide how secure MY browser is going to be. I run uBlock too, I get to decide what content is acceptable, not them.

        And yet, there can be perfectly reasonable reasons for mixed content. Ads have long switched over to secure modes.

        But other content may be "insecure" simply because the site owner wants them t

    • Comment removed based on user account deletion
    • There are a lot of site operators, and a lot of them DO NOT know what is best, quite the opposite. I am sure that some are very smart, but some others are downright bad. Upgrading mixed content makes sense, when you load an HTTPS page, you expect it to be HTTPS. If it is not, entirely, you are being given a false sense of security. Everything should be encrypted. There is no excuse not to do it. Only people who don't care about people's privacy would think encryption is bad.

  • autoupgrading mixed content to HTTPS,

    Assuming this actually means something, can I have a burger and fries with it?

    • Three definitions help you understand what this alleged word salad means.

      HTTPS: The combination of HTTP with TLS, a protocol based on public-key cryptography that makes the connection confidential and tamper-evident
      Mixed content: A page delivered through HTTPS contains an <img> tag referring to a different website using cleartext HTTP
      Upgrading: Given a resource that uses cleartext HTTP, the web browser looks for an HTTPS version of the resource on the same server at the same path

      Now if a restaurant's websit

  • by BAReFO0t ( 6240524 ) on Wednesday February 05, 2020 @03:17AM (#59692270)

    Cause let's be real: That's what Chrome is. The Internet Explorer of today.
    Aka a "be evil" corporation's murder weapon in the act of monopolism.

    Although its popularity is a US-centric thing.

    • Was just about to post the same. In particular the sentence:

      Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome's regular additions and changes, developers often have to stay on top of everything available -- as well as what has been deprecated or removed

      has already been written before, only it was about Internet Explorer then.

    • What are these other browsers? There's Firefox, and...what exactly?

      Firefox has its own problems, namely that the Mozilla Foundation got big and has tons of money. Now it has lots of fun things to do with that money. The web browser project has become an unwanted chore.

    • by AmiMoJo ( 196126 ) on Wednesday February 05, 2020 @08:05AM (#59692654) Homepage Journal

      How quickly people forget what Internet Explorer was like.

      It was the polar opposite of Chrome. Riddled with security flaws, whereas Chrome consistently comes out best for the number of critical CVEs/year and at contests like pwn2own.

      Internet Explorer was full of proprietary technologies, and the codebase itself was closed source. It didn't support the standards of the day properly and it added proprietary extensions. In comparison Chrome is highly standards compliant and experimental extensions are always open from the very start and submitted as standards once proven.

      It's also worth noting that Chrome is actually best-in-class for this. Apple adds proprietary extensions too, e.g. their new advertising ping-back API. Apple also breaks the web far more than Chrome does, e.g. their recent privacy enhancements around 3rd party cookies that Chrome is only adopting after both Safari and Firefox did, and in a more compatible way that gives sites time to change.

      So let's be real here, the closest modern browser to Internet Explorer is probably Safari and even that's nothing like it.

      • To be fair, the biggest problem with IE was that its layout engine was lousy and some containers would overlap, and a few margins would be a few pixels too wide. Most sites "worked" in IE, but they just looked ugly (a fate worse than death for your typical web designer).

        Google is one of the companies that has been pushing for outrageous amounts of Javascript and application-centric design, and when Chrome showed up, that's when I started encountering lots of web pages that refused to load at all and all I

    • Although its popularity is a US-centric thing.

      Uh, what? Do you have a source to back up that claim?

  • HTML5 is a standard they said. Your fears that it will not be a standard due to not being a stable interface are unfounded they said. "Living standard" is not an oxymoron and only means additions they said.

    BULLSHIT, I say.
    Pointlessly adding shit so nobody can keep up always was the point! To kill Opera, IE, Safari, Firefox, ...!

    • Comment removed based on user account deletion
      • Nitpick: "to kill" something doesn't necessarily mean the deed is done, the target dead. I mean, wasn't that the point of that famous Shakespeare line "to be or not to be". To do signifies intention, rather than accomplished fact, such as in the To-Do list of the things I forgot to do today.
  • it is very interesting, but i don't know
  • No thanks, I don't want a cookie cutter browser.

  • So Google have decided to forgive all badly built websites? This is rubbish, give the site owners a wakeup call by dumping their SERP until they fix mixed content and force an HTTPS connection.
