Previous release notes

Note: For information about the current Chrome version and targeted releases, see Chrome Enterprise release notes.

For administrators who manage Chrome browser or ChromeOS devices for a business or school.

For emails about future releases, sign up here.
To try out new features before they're released, sign up for the trusted tester program.
Connect with other Chrome Enterprise IT admins through the Chrome Enterprise Customer Forum.
Sign up to take the ChromeOS administrator credential exam.
Get help and see additional resources below.

Chrome version & Stable channel release date
Chrome 140: August 27, 2025
Chrome 139: July 30, 2025
Chrome 138: June 18, 2025
Chrome 137: May 20, 2025
Chrome 136: April 23, 2025
Chrome 135: March 26, 2025
Chrome 134: February 26, 2025
Chrome 133: January 29, 2025
Chrome 132: January 8, 2025
Chrome 131: November 6, 2024
Chrome 130: October 9, 2024
Chrome 129: September 11, 2024
Chrome 128: August 14, 2024
Chrome 127: July 17, 2024
Chrome 126: June 5, 2024
Chrome 125: May 8, 2024
Chrome 124: April 10, 2024
Chrome 123: March 13, 2024
Chrome 122: February 14, 2024
Chrome 121: January 17, 2024
Chrome 120: November 29, 2023
Chrome 119: October 25, 2023
Chrome 118: October 4, 2023
Chrome 117: September 8, 2023
Chrome 116: August 9, 2023

_{Table updated: September 25, 2025}

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Note: For information about the current Chrome version and targeted releases, see Chrome Enterprise release notes.

Open all | Close all

Chrome 140

Chrome 140 release summary

Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Automated password change	✓
Contextual Search suggestions in Chrome address bar		✓
DSE Prewarming		✓
Enhanced autofill		✓
Launch Chrome into a new Profile using command line	✓		✓
Signed-in users: Autofill and settings from Google Account.	✓
ServiceWorkerAutoPreload mode			✓
Shared tab groups		✓
Update to No HTTPS warning	✓
Stop sending Purpose: prefetch header from prefetches and prerenders	✓		✓
Deprecate special font size rules for H1 within some elements			✓
SharedWorker inherits controller for blob URL			✓
New policies in Chrome browser			✓
Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
New filters on the Chrome Enterprise Overview page			✓
Regionalize covered Chrome Enterprise data			✓
Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
Copy/Paste rules protection	✓		✓
DLP support for iFrames	✓		✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Add a search hijacking heuristic signal to extension telemetry	✓
New Tab page footer	✓	✓	✓
Gemini in Chrome		✓
PostQuantum cryptography for DTLS in WebRTC	✓
CSS find-in-page highlight pseudos		✓	✓
Local network access restrictions	✓		✓
Origin-bound cookies (by default)	✓
Permissions policy for Device Attributes API	✓		✓
Strict Same Origin policy for Storage Access API	✓
window.name property no longer preserved for cross-site navigations	✓
Deprecating savedTabGroups as individual value in SyncTypesListDisabled			✓
Disallow non-trustworthy plaintext HTTP prerendering	✓
HSTS tracking prevention	✓
Web App manifest: update eligibility algorithm			✓
Happy Eyeballs V3	✓		✓
2SV enforcement for admins			✓
Disallow spaces in non-file:// URL hosts	✓
Remove third-party storage partitioning policies	✓
SafeBrowsing API v4 → v5 migration	✓
X25519Kyber768 key encapsulation for TLS	✓
Isolated Web Apps			✓
UI Automation accessibility framework provider on Windows		✓
Upcoming Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
Enrolled browsers support for the Enterprise Chrome Web Store customizations		✓
Inactive profile deletion in Chrome Enterprise Core	✓		✓
Upcoming Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
Chrome browser rule UX refactor	✓		✓
Increased file size support for DLP scans	✓		✓
Watermarking customization	✓		✓

DOWNLOAD Release notes (PDF)

↑ back to top

The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Allow 1 to 2 weeks for translation for some languages.

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser changes

Automated password change
When Chrome detects that a user has signed into a website with a known compromised password, it now offers to change it automatically. This feature is available on a set of eligible sites. The feature uses AI, and admins can control it using the AutomatedPasswordChangeSettings enterprise policy.
- Chrome 140 on ChromeOS, Linux, macOS, Windows

Contextual search suggestions in Chrome address bar
With this feature, you can ask anything about the page you’re on, directly in context. Building on the existing Search habit of the address bar, users can ask a question with Google Lens by selecting anything on screen or asking with words. A Google Lens action in the address bar and contextual suggestions guide people to the feature when it’s most helpful. Admins can control this feature with the existing LensOverlaySettings policy.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: Feature starts rollout
- Chrome 140 on ChromeOS, Linux, macOS, Windows: If the LensOverlaySettings policy is not set, this feature will respect the GenAiDefaultSettings policy if present.

DSE Prewarming
DSE Prewarming optimizes the default search provider integration in the Omnibox. When the Omnibox gets a focus, Chrome starts prerendering the prewarm page that preload required resources for the search result page, and reuses the resources to accelerate navigating to the search result page in the next query. Admins can control this feature with the, NetworkPredictionOptions enterprise policy.
- Chrome 140 on ChromeOS, Linux, macOS, Windows: Gradual roll-out

Enhanced autofill
Starting in Chrome 137, some users can turn on Autofill with AI, a new feature that helps users fill out online forms more easily. On relevant forms, Chrome can use AI to better understand the form and offer users to automatically fill in previously-saved info. Admins can control the feature using the existing GenAiDefaultSettings policy and a new AutofillPredictionSettings policy.
- Chrome 137 on ChromeOS, Linux, macOS, Windows
- Chrome 140 on ChromeOS, Linux, macOS, Windows: The existing Autofill with AI feature will be renamed to Enhanced autofill, allow users to save and fill additional types of info, and become available in more countries and languages

Launch Chrome into new profile via command line
This feature is designed for our enterprise partners and admins who need to launch web applications from their native app catalogs directly into a specific managed Chrome profile using Chrome-Cli. Currently, if the designated profile does not exist, Chrome defaults to the last-used profile, creating a disjointed user experience. With this new feature, when a specified profile is not found, Chrome initiates the existing profile creation flow, pre-populating the user's email address to streamline the setup process. This is a key technical enabler for admins aiming to onboard their enterprise users to Chrome Enterprise via managed profiles.
- Chrome 140 on Linux, macOS, Windows

Signed-in users: Autofill and settings from Google Account
As part of our effort to streamline Chrome’s identity model on Desktop, managed accounts that originally signed in to Chrome implicitly by signing in to a Google web property, and who are in a managed profile with user policies, can now save and use Autofill, settings and themes from their Google Account while signed in. Existing user policies continue to work as before, including SyncDisabled, SyncTypesListDisabled, BrowserSignin, AutofillAddressEnabled, AutofillCreditCardEnabled and PasswordManagerEnabled.
- Chrome 140 on Linux, macOS, Windows

ServiceWorkerAutoPreload mode
ServiceWorkerAutoPreload is a mode where the browser issues the network request in parallel with the service worker bootstrap, and consumes the network request result inside the fetch handler if the fetch handler returns the response with respondWith(). If the fetch handler result is fallback, it passes the network response directly to the browser. ServiceWorkerAutoPreload is defined as an optional browser optimization, which will change the existing service worker behavior. Admins can control this feature using an enterprise policy called ServiceWorkerAutoPreloadEnabled.
- Chrome 140 on Android, Windows: ServiceWorkerAutoPreloadEnabled policy
- Chrome 144 on Android, Windows: ServiceWorkerAutoPreloadEnabled policy will be removed

Shared tab groups
Users can now collaborate on tabs using the shared tab groups feature. With this feature, users can create and use a set of tabs on their desktop or mobile device and their collaborative partners can browse the same tabs on their devices. When one person changes a tab in the group, the changes are reflected across all users’ browsers in the group. Admins can control this feature using an enterprise policy, TabGroupSharingSettings, in Chrome 140.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows: Rollout of the ability to join and use a shared tab group. Users on Stable Chrome will not be able to create a shared tab group (the entry point will not be available) - this part of the feature will only be available on Beta/Dev/Canary for this phase of rollout.
- Chrome 139 on iOS: As early as Chrome 139, support for iOS will rollout
- Chrome 140 on Android, iOS, ChromeOS, Linux, macOS, Windows: TabGroupSharingSettings enterprise policy will be available to the enterprise owner in the admin console. 100% of users on Stable will be able to join and use a shared tab group. However, the ability to create a shared tab group will remain exclusive to users on Beta/Dev/Canary, implying that only users on those channels could initiate a group (their friends and coworkers on Stable can then join).

Update to No HTTPS warning
Chrome 140 updates the warning displayed when a user opts in to the Always use secure connections on chrome://settings/security from an interstitial to a dialog. The URL content security indicator on the warning changes from an asterisk to a broken lock, while the full page load remains blocked and the functionality remains unchanged. Some users might see this warning automatically when visiting HTTP sites. Users can opt in to the warning on chrome://settings/security.
- Chrome 140 on ChromeOS, Linux, macOS, Windows: New warning design on desktop platforms
- Chrome 141 on Android: New warning design on Android

Stop sending Purpose: prefetch header from prefetches and prerenders
Now that prefetches and prerenders are using the Sec-Purpose header for prefetches and prerenders, this change removes the legacy Purpose: prefetch header that is still currently passed. This update is behind a feature flag or kill switch to prevent compatibility issues.

The scope includes speculation rules prefetch, speculation rules prerender, <link rel=prefetch>, and Chromium's non-standard <link rel=prerender>.
- Chrome 140 on Windows, macOS, Linux, Android

Deprecate special font size rules for H1 within some elements
The HTML spec contains a list of special rules for <h1> tags nested within <article>, <aside>, <nav>, or <section> tags. Chrome 140 deprecates these special rules, because they can cause accessibility issues. For example, they can visually reduce the font size for nested <h1> tags so that they look like <h2> tags, but nothing in the accessibility tree reflects this demotion.
- Chrome 140 on Windows, macOS, Linux, Android

SharedWorker inherits controller for blob URL
According to Worker client case (github), workers should inherit controllers for the blob URL. However, existing code allows only dedicated workers to inherit the controller, and shared workers do not inherit the controller. This is the fix to make Chromium behavior adjust to the specification. An enterprise policy SharedWorkerBlobURLFixEnabled is available to control this feature.
- Chrome 140 on Windows, macOS, Linux, Android

New policies in Chrome browser

Policy	Description
DataControlsRules	Sets a list of Data Controls rules.
LiveCaptionEnabled	Enable Live Caption
ProtectedContentIdentifiersAllowed	Allows web pages to use identifiers for the purpose of protected content playback
TabGroupSharingSettings	Tab group sharing settings
RestrictCoreSharingOnRenderer	Restrict CPU core sharing for renderer process
OriginKeyedProcessesEnabled	Enable origin-keyed process isolation by default.
AutomatedPasswordChangeSettings	Enable automated password change
ServiceWorkerAutoPreloadEnabled	Allow ServiceWorker to dispatch navigation requests without waiting for its startup
PrivacySandboxFingerprintingProtectionEnabled	Choose whether the Privacy Sandbox Fingerprinting Protection feature is to be enabled in Incognito mode.
WebRtcPostQuantumKeyAgreement	Enable post-quantum key agreement for WebRTC
SerialAskForUrls	Allow the Serial API on these sites
SerialBlockedForUrls	Block the Serial API on these sites
DefaultSerialGuardSetting	Control use of the Serial API
SerialAllowAllPortsForUrls	Automatically grant permission to sites to connect all serial ports.
LocalNetworkAccessAllowedForUrls	Allow sites to make requests to local network endpoints.
LocalNetworkAccessBlockedForUrls	Block sites from making requests to local network endpoints.

Chrome Enterprise Core changes

New filters on the Chrome Enterprise Overview page
The Chrome Overview page now includes new filters that allows admins to refine data by last activity date and organizational unit. This Overview page was originally introduced in Chrome 137 as part of the Chrome browser Enterprise section within the Google Admin console.
- Chrome 140 on Android, iOS, Linux, macOS, Windows: As early as Chrome 140, new filters will be available on the Overview page.

Regionalize covered Chrome Enterprise data
With Chrome 139, administrators gained the ability to designate a specific geographic location for storing users' covered Chrome Enterprise data. Options include the United States, European Union (displayed as Europe in the Google Admin console), or No preference. The full migration is anticipated to conclude by the end of Chrome 140. This setting is configurable within the Google Admin console under Data > Compliance > Data regions > Region > Data at rest. For details on the types of data covered, refer to the Chrome Enterprise Service Specific Terms.
- Chrome 139 on Android, iOS, ChromeOS, Linux, macOS, Windows: Rollout will begin. Admins may be able to set a region; however, data may not be fully regionalized until the end of Chrome 140.
- Chrome 140 on Android, iOS, ChromeOS, Linux, macOS, Windows: The initial migration will be fully regionalized.

Chrome Enterprise Premium changes

Read more about the differences between Chrome Enterprise Core and Chrome Enterprise Premium.

Copy/Paste rules protection
To help organizations better prevent data exfiltration on mobile devices, Chrome is extending its existing desktop clipboard data controls. Administrators can now use the DataControlsRules policy to set rules that block or warn users when they attempt to copy or paste content that violates organizational policies. This feature allows admins to define data boundaries and prevent sensitive information from being pasted from a work context into personal apps or websites on their mobile fleet. This addresses a significant security gap and a frequently requested feature from enterprise customers who have cited the lack of mobile data controls as a concern.

To use this feature, administrators can configure clipboard restrictions within the DataControlsRules policy, providing a consistent management experience across desktop and mobile to strengthen their organization's overall security posture. This help center article provides further context on how administrators can configure and manage Chrome Enterprise reporting connectors to forward browser security and data protection events to third-party services for analysis.
- Chrome 140 on Android: Copy/Paste Rules Protection becomes available on Android

DLP support for iFrames
To enhance security and prevent data exfiltration, Chrome 140 extends Data Loss Prevention (DLP) capabilities to content within iFrames. With this change, when a user performs a DLP-triggering action (such as uploading a file) from a site loaded in an iFrame, Chrome now sends the entire URL hierarchy, from the source iFrame up to the top-level page, to be evaluated against all applicable DLP rules.

No new enterprise policies are required to enable this functionality; it works with existing DLP rules configured via the Connector policies. Administrators should be aware that their existing rules now apply to iFrame contexts, which might block user actions that were previously permitted.
- Chrome 139 on Linux, macOS, Windows: Initial launch of Data Loss Prevention support for iFrames. This phase adds enforcement for file upload events originating from within an iFrame context and it will work with existing DLP rules configured via the OnFileAttachedEnterpriseConnector policy
- Chrome 140 on Linux, macOS, Windows: This expanded phase combines two feature rollouts, extending DLP iFrame support to include enforcement for both file download and printing actions.

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

Add a search hijacking heuristic signal to extension telemetry
Malicious Chrome extensions intercept and redirect Omnibox and Realbox (the search box in the New tab page) search queries from the Search Engine Results Page (SERP) to an attacker-controlled URL. This feature adds a client-side heuristic to detect such search hijacking. The core idea is to compare user-initiated searches with successful SERP landings; a significant discrepancy over time strongly indicates hijacking activity. This heuristic generates a new signal, uploaded to the Safe Browsing CRX telemetry server via the existing Extension Telemetry service in Chrome. Server-side analysis of signal data from multiple Chrome browsers can then identify potential search hijacking.
- Chrome 141 on ChromeOS, Linux, macOS, Windows

New tab page footer
An update to the New tab page includes a new footer designed to provide users with greater transparency and control over their Chrome experience.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: Extension Attribution will begin to show on the NTP. If an extension has changed your default New tab page, you'll now see a message in the footer that attributes the change to that specific extension. This message often includes a link directly to the extension in the Chrome Web Store, making it easier to identify and manage unwanted extensions. If you're an administrator, you can disable this attribution using the NTPFooterExtensionAttributionEnabled policy.
- Chrome 139 on Linux, macOS, Windows: Browser management disclosure will be shown if one of the policies to customize the footer is set by an enterprise admin. For users whose Chrome browser is managed by a trusted source, the New tab page footer will now display a management disclosure notice. This helps you understand how your browser is being managed. Administrators can disable this notice with the NTPFooterManagementNoticeEnabled policy. Additionally, organizations can customize the footer's appearance using the EnterpriseLogoUrlForBrowser and EnterpriseCustomLabelForBrowser policies to display a custom logo and label.
- Chrome 141 on Linux, macOS, Windows: A default notice (Managed by <domain name>) will start to be shown in the New tab page footer for all managed browsers. Visibility can be changed with the NTPFooterManagementNoticeEnabled policy.

Gemini in Chrome
Gemini is now integrated into Chrome on macOS and Windows, and can understand the content of your current page. Users can now seamlessly get key takeaways, clarify concepts, and find answers, all without leaving their Chrome tab. This integration includes both chat—where users can interact with Gemini via text, and Gemini Live , by which users can interact with Gemini via voice.

In Chrome 141, Gemini in Chrome will be available for users signed into Chrome in the US. Admins can turn off this feature (value 1) using the GeminiSettings policy or by using the GenAiDefaultSettings (value 2). For more details, see Gemini in Chrome in the Help Center.
- Chrome 137 on macOS, Windows: Feature is available for some Google AI Pro and Ultra subscribers in the US and on pre-Stable (Dev, Canary, Beta) channels in the US.
- Chrome 141 on macOS, Windows: Feature gradually rolls out on Stable for users signed into Chrome in the US.

PostQuantum cryptography for DTLS in WebRTC
This feature will enable the use of PostQuantum Cryptography (PQC) with WebRTC connections. The motivation for PQC is to get WebRTC media traffic up to date with the latest cryptography protocols and prevent Harvest Now to Crack Later scenarios.

This feature will be controllable by an enterprise policy WebRtcPostQuantumKeyAgreementEnabled, to allow enterprise users to opt out of PQC. The policy will be temporary and is planned to be removed by Chrome 151.
- Chrome 141 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia
- Chrome 151 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia: Remove Enterprise Policy

CSS find-in-page highlight pseudos
This feature will expose find-in-page search result styling to authors as a highlight pseudo-element, like selection and spelling errors. This allows authors to change the foreground and background colors or add text decorations, which can be especially useful if the browser defaults have insufficient contrast with the page colors or are otherwise unsuitable.
- Chrome 141 on Windows, macOS, Linux, Android

Local network access restrictions
Chrome 140 restricts the ability to make requests to the user's local network, gated behind a permission prompt. A local network request is any request from a public website to a local IP address or loopback, or from a local website (for example, Intranet) to loopback. Gating the ability for websites to perform these requests behind a permission mitigates the risk of cross-site request forgery attacks against local network devices such as routers, and reduces the ability of sites to use these requests to fingerprint the user's local network.

This permission is restricted to secure contexts. If granted, the permissions additionally relaxes mixed content blocking for local network requests (since many local devices are not able to obtain publicly trusted TLS certificates for various reasons).

This work supersedes a prior effort called Private Network Access, which used preflight requests to have local devices opt-in. Enterprises that need to disable or auto-grant the permission can do so using the LocalNetworkAccessAllowedForUrls and LocalNetworkAccessBlockedForUrls policies. The value of '*' can be used to allow local network access on all URLs, matching the behavior prior to rolling out the restrictions.
- Chrome 141 on Windows, macOS, Linux, Android

Origin-bound cookies (by default)
In Chrome 141, cookies are bound to their setting origin (by default) such that they're only accessible by that origin, that is, sent on a request or visible through document.cookie. Cookies might ease the host and port binding restrictions through use of the Domain attribute but all cookies will be bound to their setting scheme.

Temporary enterprise policies LegacyCookieScopeEnabled and LegacyCookieScopeEnabledForDomainList are available to revert this change. These policies will stop working in Chrome 150.
- Chrome 141 on Windows, macOS, Linux, Android, iOS: policy will be made available
- Chrome 150 on Windows, macOS, Linux, Android, iOS: policy will be removed

Permissions policy for Device Attributes API
The new Permissions policy enables restricting access to the Device Attributes API, which is available only for policy-installed kiosk web apps and policy-installed Isolated Web Apps, both only on managed ChromeOS devices.

Additionally, the feature is controlled by content settings. 2 new policies are introduced: DeviceAttributesBlockedForOrigins and DefaultDeviceAttributesSetting, to complement the previously-introduced DeviceAttributesAllowedForOrigins policy. The feature is enabled by default for the supported scenarios described above.
- Chrome 141 on Windows, macOS, Linux

Strict Same Origin policy for Storage Access API
We plan to adjust the Storage Access API semantics to strictly follow the Same Origin Policy, to enhance security. Using document.requestStorageAccess() in a frame only attaches cookies to requests to the iframe's origin (not site) by default. The CookiesAllowedForUrls policy or Storage Access Headers can still be used to unblock cross-site cookies.
- Chrome 141 on Windows, macOS, Linux, Android

window.name property no longer preserved for cross-site navigations
The value of the window.name property is currently preserved throughout the lifetime of a tab, even with navigation that switches browsing context groups, which can leak information and potentially be used as a tracking vector. As early as Chrome 142, the window.name property will no longer be preserved in this case, which will mitigate this issue.

This update will introduce a new temporary enterprise policy, ClearWindowNameCrossSiteBrowsing, which will stop working in Chrome 146.
- Chrome 142 on Windows, macOS, Linux, Android, iOS

Deprecating savedTabGroups as individual value in SyncTypesListDisabled
Currently, the SyncTypesListDisabled enterprise policy allows administrators to disable the synchronization of savedTabGroups datatype on desktop platforms. On mobile platforms, however, Tab Groups synchronization is already managed by the tabs datatype. To align desktop behavior with mobile and simplify sync management, the individual savedTabGroups datatype will be deprecated and will no longer be an individually customizable value within the SyncTypesListDisabled policy

Action required by administrators:

Starting with Chrome 142, if your SyncTypesListDisabled policy disables either tabs or savedTabGroups, both data types will now be considered disabled. This means that disabling tabs will also disable saved tab groups, and vice-versa. The savedTabGroups value will be entirely removed from the list of supported datatypes for this policy. Administrators who have saved tab groups disabled and intend to keep this behavior must explicitly disable the tabs datatype. This will ensure the desired behavior before the savedTabGroups value is fully removed.
- Chrome 142 on Windows, macOS, Linux

Disallow non-trustworthy plaintext HTTP prerendering
This launch will provide the capability to disallow non-trustworthy plaintext HTTP prerendering.
- Chrome 142 on Windows, macOS, Linux, Android

HSTS tracking prevention
This update will mitigate user tracking by third-parties via the HTTP Strict Transport Security (HSTS) cache. This feature only allows HSTS upgrades for top-level navigations and blocks HSTS upgrades for sub-resource requests. Doing so makes it infeasible for third-party sites to use the HSTS cache in order to track users across the web.
- Chrome 142 on Windows, macOS, Linux, Android

Web App manifest: update eligibility algorithm
As early as Chrome 139, the Web App manifest will specify an update eligibility algorithm. This makes the update process more deterministic and predictable, giving the developer more control over whether (and when) updates should apply to existing installations, and allowing removal of the update check throttle that user agents currently need to implement to avoid wasting network resources.
- Chrome 142 on Windows, macOS, Linux
- Chrome 143 on Android

Happy Eyeballs V3
This launch is an internal optimization in Chrome that implements Happy Eyeballs V3 to achieve better network connection concurrency. Happy Eyeballs V3 performs DNS resolutions asynchronously and staggers connection attempts with preferable protocols (H3/H2/H1) and address families (IPv6 or IPv4) to reduce user-visible network connection delay. This feature is gated by a temporary policy HappyEyeballsV3Enabled.
- Chrome 144 on Android, ChromeOS, Linux, macOS, Windows

2SV enforcement for admins
To better protect your organization’s information, Google will soon require all accounts with access to admin.google.com to have 2-Step Verification (2SV) enabled. As a Google Workspace administrator, you need to confirm your identity with 2SV, which requires your password plus something additional, such as your phone or a security key.

The enforcement will be rolled out gradually over the coming months. You should enable 2SV for the admin accounts in your organization before Google enforces it. For more information, see this About 2SV enforcement for admins.
- Chrome 137 on ChromeOS, Linux, macOS, Windows: 2SV enforcement starts
- Chrome 145 on ChromeOS, Linux, macOS, Windows: 2SV mandatory

Disallow spaces in non-file:// URL hosts
According to the URL Standard specification, URL hosts cannot contain the space character, but currently URL parsing in Chromium allows spaces in the host. This causes Chromium to fail several tests included in the Interop2024 HTTPS URLs for WebSocket and URL focus areas. To bring Chromium into spec compliance, we would like to remove spaces from URL hosts altogether, but a difficulty with this is that they are used in the host part in Windows file:// URLs (Github).
- Chrome 145 on Android, ChromeOS, LaCrOS, Linux, macOS, Windows, Fuchsia

Remove Third-party storage partitioning policies
Third-party storage partitioning became the default in Chrome 115. The chrome:// flag that allowed users to disable this feature was removed in Chrome 128, and the deprecation trial ended with Chrome 139. In Chrome 145, the enterprise policies DefaultThirdPartyStoragePartitioningSetting and ThirdPartyStoragePartitioningBlockedForOrigins will be removed. Users are advised to transition to alternative storage solutions, either by adapting to third-party storage partitioning or by using document.requestStorageAccess({...}) where needed.

If you have any feedback, you can add it here in the Chromium bug.
- Chrome 145 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia: Removal of DefaultThirdPartyStoragePartitioningSetting and ThirdPartyStoragePartitioningBlockedForOrigins

SafeBrowsing API v4 → v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5. If admins have any v4-specific URL allowlisting to allow network requests to https://safebrowsing.googleapis.com/v4*, these should be modified to allow network requests to the whole domain instead: safebrowsing.googleapis.com. Otherwise, rejected network requests to the v5 API will cause security regressions for users. For more details, see Migration From V4 - Safe Browsing.
- Chrome 145 on Android, iOS, ChromeOS, Linux, macOS, Windows: Feature would gradually roll-out

X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.

However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0. To learn more, see Protect Chrome Traffic with Hybrid Kyber KEM.
- Chrome 131 on Linux, macOS, Windows: Chrome will switch the key encapsulation mechanism to the final standard version of ML-KEM
- Chrome 145 on Linux, macOS, Windows: Enterprise policy will be removed

Isolated Web Apps
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering that is necessary for developers of security-sensitive applications. Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the explainer.

In this initial release, IWAs will only be installable through an admin policy on enterprise-managed ChromeOS devices.
- Chrome 146 on Windows This rollout adds support for Isolated Web Apps in enterprise-managed browser configurations on Windows.

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Administrators may use the UiAutomationProviderEnabled enterprise policy starting in Chrome 125 to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 146, and will be removed in Chrome 147. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows: The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 146.
- Chrome 147 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Upcoming Chrome Enterprise Core updates

Enrolled browsers support for the Enterprise Chrome Web Store customizations

The Customized Chrome Web Store will support managed browsers enrolled in Chrome Enterprise Core (Cloud machine settings). This will allow admins to customize the Chrome Web Store without the need for users to sign in. The customizations include:
- Add company logos
- Add hero banners and custom announcements
- Curate extension collections
- Hide extension categories
The Chrome Web Store customization settings were previously launched in Chrome 132 but only supported user-level policies (for signed-in users). As early as Chrome 140, this feature will be available to Chrome Enterprise Core Truster Testers.
- Chrome 141 on Linux, macOS, Windows: As early as Chrome 141, this feature will launch to General Availability (GA).

Chrome Enterprise Overview page

Chrome 137 introduced a new Overview page in the Chrome browser section of the Google Admin console. The Overview page allows IT administrators to quickly find key information about their deployment:

- Active & inactive profiles and enrolled browsers

- Identify browsers out-of-date and with pending updates

- Identify high-risk extensions (according to Spin.AI) and get a preview of most requested extensions

- Security Insights (for example, sensitive file uploads or downloads)

The Overview page also allows admins to quickly access key actions such as managing extensions, accessing the browser or profile list and setting update policies, to name a few.
- Chrome 137 on Android, iOS, Linux, macOS, Windows: Publicly Available to IT administrators
- Chrome 141 on Android, iOS, Linux, macOS, Windows: New filtering available on the Overview page for Organization Unit and Activity Dates

Inactive profile deletion in Chrome Enterprise Core

In June 2025, the inactive period for profile deletion setting started to roll out. In September 2025, the setting will begin to automatically delete managed profiles in the Admin console that have been inactive for more than the defined inactivity period. When releasing the setting, the inactivity period of time has a default value of 90 days. Meaning that by default, all managed profiles that have been inactive for more than 90 days are deleted from your account. Administrators can change the inactive period value using this setting. The maximum value to determine the profile inactivity period is 730 days and the minimum value is 28 days.

If the set value is lowered, it might have a global impact on any currently managed profiles. All impacted profiles will be considered inactive and, therefore, be deleted. This does not delete the user account. If an inactive profile is reactivated on a device, that profile will reappear in the console.
- Chrome 141 on Android, ChromeOS, Linux, macOS, Windows: Policy was rolled out in June. Deletion will start in September and the initial wave of deletion will complete by the end of September. After the initial deletion rollout, inactive profiles will continue to be deleted once they have reached their inactivity period.

Upcoming Chrome Enterprise Premium changes

Chrome browser rule UX refactor
To enhance the Data Loss Prevention (DLP) rule creation experience, the Google Admin console is being updated to streamline how administrators define policies for different applications like Chrome and Workspace. This first introduces mutually exclusive application groups, meaning that a single DLP rule can now only target one application group at a time—either Workspace apps (like Drive, Gmail), Chrome browser triggers (like file upload, URL visited), or ChromeOS triggers. This change simplifies rule configuration, eliminates potential conflicts from overlapping app selections, and lays the groundwork for more specialized and user-friendly workflows tailored to each platform's needs.

Administrators will see an updated Apps selection interface using radio buttons to enforce this single-group selection for new rules. Existing rules that previously combined applications from multiple groups will be transparently migrated by the system into separate, compliant, single-platform rules to ensure continued protection and a seamless transition. Banners within the Admin console will provide information regarding these changes and the migration process. No new enterprise policies are introduced with this update; the changes are to the rule configuration interface.
- Chrome 141 on ChromeOS, Linux, macOS, Windows: Enables mutually exclusive app selection for DLP rule configuration in Admin Console

Increased file size support for DLP scans
Chrome Enterprise Premium now extends its Data Loss Prevention (DLP) and malware scanning capabilities to include large and encrypted files. Previously, files larger than 50 MB and all encrypted files were skipped during content scanning. This update closes that critical security gap. For policies configured to save evidence, files up to 2GB can now be sent to the Evidence Locker. This provides administrators with greater visibility and control, significantly reducing the risk of data exfiltration through large file transfers.

No new policy is required to enable this feature. It is automatically controlled by the existing DLP rule configurations in the Google Admin console. If admins have rules that apply to file uploads, downloads, or printing, they will now also apply to large and encrypted files.
- Chrome 140 on Linux, macOS, Windows: Feature is rolled out

Watermarking customization
Chrome Enterprise Premium now allows administrators to customize the appearance of watermarks. This enhancement is motivated by the need to improve user experience, addressing concerns such as eyestrain and readability on pages with existing watermarks.

To control the watermark's appearance, administrators can use the new WatermarkStyle policy. Within this policy, admins can configure the following:
- 'font_size': Sets the font size of the text in pixels.
- 'fill_opacity': Sets the fill opacity of the text, from 0 (transparent) to 100 (opaque).
- 'outline_opacity': Sets the outline opacity of the text, from 0 (transparent) to 100 (opaque).
This provides administrators with greater flexibility to balance security requirements with user productivity.
- Chrome 141 on ChromeOS, Linux, macOS, Windows: This launch enables administrators to customize watermark font size and opacity using the new WatermarkStyle policy in the Google Admin Console.

↑ back to top

ChromeOS 140 release summary

ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Screen recording notifications		✓
Device Attributes API in IWAs	✓
GoogleLocationServicesEnabled policy	✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Battery charge limit setting in UI			✓

DOWNLOAD Release notes (PDF)

↑ back to top

Current ChromeOS updates

Screen recording notifications
This feature introduces a notification bypass allowlist for the getAllScreensMedia API for trusted applications.

Device Attributes API in IWAs
This launch brings a new Permissions-Policy for Device Attributes API on managed devices and changes how the permission to that API is obtained for Isolated Web Apps.

GoogleLocationServicesEnabled policy
Early 2025, ChromeOS shipped a new system-wide geolocation control inside of Privacy and security settings that can be set to Allow, Only allowed for system services (for example, automatic time zone and local weather), or Off. Admins can choose to either set a default value that users can override, or enforce one of the settings. To change their device settings, users can select Settings > Privacy and security > Privacy control > Location access > Change access.

If an extension or app relies on access to device location as part of your management strategy, you need to set the GoogleLocationServicesEnabled policy to enforce allow. Otherwise, devices might only be able to send location to these apps or extensions with precise IP address data.

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming ChromeOS changes

Battery Charge Limit setting in UI

As early as ChromeOS 143, users will be able to take direct control of their Chromebook’s battery health to extend its lifespan with new charging optimization settings. These features help preserve your battery’s long-term health by adjusting how your device charges.

To configure these options, users can navigate to Settings > System preferences > Power and click Change next to Optimized charging. You can choose between:
- Adaptive charging: Intelligently delays charging to 100% until it's needed, based on your daily usage patterns.
- Charge limit: Maximizes your battery's lifespan by limiting the maximum charge to 80%.
This feature is the user-facing counterpart to the DevicePowerBatteryChargingOptimization policy available in the Google Admin console. Admins can set this policy to one of three options:
1. Adaptive: The device delays charging to 100% until necessary.
2. Limited: The battery charges only to around 80%.
3. Standard: If neither of the above optimized settings are selected, the battery charges normally to 100%
It is important to note that the policy set by an administrator overrides any setting selected by the user. A user can only benefit from adjusting the charge optimization options on their device if no overriding policy is enforced. By default, if no policy is enforced, Optimized Charging is enabled on the device with the Adaptive Charging option selected.

↑ back to top

Chrome 139

Chrome 139 release summary

Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
AI Mode for search recommendations in Chrome		✓
Admin-configurable site search		✓	✓
Chrome on Android no longer supports Android Oreo or Android Pie			✓
Malicious APK download checks	✓
Migrate extensions to Manifest V3 before June 2025	✓	✓	✓
New tab page footer	✓	✓	✓
Prevent accidental password deletions on Chrome	✓
Promotional notifications			✓
Remove risky extension flags in Chrome	✓
Remove SwiftShader fallback	✓
Shared tab groups		✓
Support accounts in pending state on Chrome iOS	✓
Upcoming change for CA certificates included in the Chrome Root Store	✓
Stop sending Purpose: prefetch header from prefetches and prerenders	✓		✓
Chrome removes support for macOS 11			✓
Fire error event instead of throwing exception for CSP blocked worker			✓
Randomizing TCP port allocation on Windows			✓
New policies in Chrome browser			✓
Removed policies in Chrome browser			✓
Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
Group based policies for connector configuration selection			✓
New remote commands and CSV export for the Managed Profile List			✓
New tab page cards for Microsoft 365		✓	✓
Regionalize covered Chrome Enterprise data			✓
Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
Active account detection	✓		✓
Chrome Enterprise Connectors API	✓		✓
Copy and paste rules protection	✓		✓
Data Loss Prevention support for iFrames	✓		✓
Enable watermarking on Single Page Applications	✓		✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
2SV enforcement for admins			✓
Automated password change	✓
Contextual search suggestions in Chrome address bar		✓
Enhanced autofill		✓
Gemini in Chrome		✓
Happy Eyeballs V3	✓		✓
Launch Chrome into new profile from command line	✓		✓
PostQuantum cryptography for DTLS in WebRTC	✓
ServiceWorkerAutoPreload			✓
CSS find-in-page highlight pseudos		✓	✓
Deprecate special font size rules for H1 within some elements			✓
IP protection	✓		✓
Local network access restrictions	✓		✓
Probabilistic reveal tokens	✓		✓
Propagate Viewport overscroll-behavior from Root	✓		✓
Script blocking in Incognito	✓		✓
SharedWorker script inherit controller for blob script URL			✓
Strict Same Origin Policy for Storage Access API	✓
Web App Manifest: specify update eligibility, icon urls are Cache-Control: immutable			✓
Clear window name for cross-site navigations that switches browsing context group	✓
Disallow non-trustworthy plaintext HTTP prerendering	✓
HSTS tracking prevention	✓
Disallow spaces in non-file:// URL hosts			✓
Remove third-party storage partitioning policies	✓
SafeBrowsing API v4 → v5 migration	✓
Isolated Web Apps			✓
UI Automation accessibility framework provider on Windows		✓
Upcoming Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
Inactive profile deletion in Chrome Enterprise Core	✓		✓
Chrome Enterprise Overview page			✓
Upcoming Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
Increased file size support for Data Loss Prevention scans	✓		✓
Watermarking customization	✓		✓
Chrome browser rule UX refactor	✓		✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser changes

AI Mode for search recommendations in Chrome
AI Mode is a feature that helps users dive deeper into topics they care about by showing AI Mode for search recommendations in Chrome. A new policy, AIModeSettings, is available to control search recommendations in the address bar and New tab page search box. This policy also controls AI Mode recommendations in the address bar and the new tab page omnibox.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: AI Mode recommendations starts rolling out in the address bar and the new tab page search box. The AI Mode entry point is also rolled out in the new tab page search box.
- Chrome 139
  - on Windows, macOS, Linux and ChromeOS: The AI Mode entrypoint button in the address bar begins rollout. AI Mode inline compose box in new tab page omnibox begins rollout.
  - on Android, iOS: The AI Mode entrypoint in the new tab page omnibox begins to roll out. And for iOS the AI Mode recommendations starts rollout in the address bar as well.

Admin-configurable site search
Site search shortcuts are a way to use the address bar (omnibox) as a search box for a specific site without navigating directly to the site’s URL, similar to how you can use the omnibox to perform a broad Google search of the web. Administrators can now create site shortcuts for users to shortcut to the most critical enterprise sites. Users can initiate a search by typing the shortcut or @shortcut (for example, @work), followed by Space or Tab, in the address bar.

Admins control these shortcut settings using the SiteSearchSettings policy.
- Chrome 128 on ChromeOS, Linux, macOS, Windows: Gradual rollout
- Chrome 139 on ChromeOS, Linux, macOS, Windows: Adding an additional policy parameter allowing admins to specify Allow user override, which allows users to edit, disable, or delete admin-set shortcuts

Chrome on Android no longer supports Android Oreo or Android Pie
The last version of Chrome that supports Android Oreo or Android Pie is Chrome 138, and it includes a message to affected users informing them to upgrade their operating system. Chrome 139 and later versions will not be supported on, nor shipped or available to, users running Android Oreo or Android Pie.
- Chrome 139 on Android: Chrome on Android no longer supports Android Oreo or Android Pie.

Malicious APK download checks
Chrome on Android now contacts Google servers about Android Package Kit (APK) files downloaded in Chrome, to get a verdict about their safety. If a downloaded APK file is determined to be dangerous, Chrome shows a warning and blocks the download, to protect users against mobile malware. Such download warnings are bypassable by the user through the Chrome UI. These malicious APK download checks are performed for users enrolled in Standard Protection or Enhanced Protection from Google Safe Browsing. This feature can be disabled by setting the Safe Browsing mode to No Protection using the SafeBrowsingProtectionLevel policy.
- Chrome 139 on Android

Migrate extensions to Manifest V3 before June 2025
Extensions must be updated to use Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This brings improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely-hosted code is disallowed on Manifest V3.

Beginning June 2024, Chrome gradually disables Manifest V2 extensions running in the browser. An enterprise policy - ExtensionManifestV2Availability - can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled are not subject to the disabling of Manifest V2 extensions until June 2025 - at which point the policy is to be removed.

You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core.
- Chrome 127 on ChromeOS, LaCrOS, Linux, macOS, Windows: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, Linux, macOS, Windows: Remove ExtensionManifestV2Availability policy.

New tab page footer
An update to the New tab page includes a new footer designed to provide users with greater transparency and control over their Chrome experience.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: Extension Attribution will begin to show on the NTP. If an extension has changed your default New tab page, you'll now see a message in the footer that attributes the change to that specific extension. This message often includes a link directly to the extension in the Chrome Web Store, making it easier to identify and manage unwanted extensions. If you're an administrator, you can disable this attribution using the NTPFooterExtensionAttributionEnabled policy.
- Chrome 139 on Linux, macOS, Windows: Browser management disclosure will be shown if one of the policies to customize the footer is set by an enterprise admin. For users whose Chrome browser is managed by a trusted source, the New tab page footer will now display a management disclosure notice. This helps you understand how your browser is being managed. Administrators can disable this notice with the NTPFooterManagementNoticeEnabled policy. Additionally, organizations can customize the footer's appearance using the EnterpriseLogoUrlForBrowser and EnterpriseCustomLabelForBrowser policies to display a custom logo and label.
- Chrome 140 on Linux, macOS, Windows: A default notice (Managed by <domain name>) will start to be shown in the New tab page footer for all managed browsers. Visibility can be changed with the NTPFooterManagementNoticeEnabled policy.

Prevent accidental password deletions on Chrome
To reduce the risk of accidental deletion of passwords on Delete browsing data, Chrome 139 now points users to Google Password Manager settings, where they can better manage and delete passwords and passkeys. The feature removes the Passwords and other sign-in data selection in Delete browsing data and instead directs users to Google Password Manager where they can delete individually or in bulk.

This feature does not impact the existing enterprise policies ClearBrowsingDataOnExitList and BrowsingDataLifetime.
- Chrome 139 on ChromeOS, Linux, macOS, Windows: Feature will gradually roll out.

Promotional notifications
In Chrome 128, new promotional OS-level notifications began to be shown to users. These notifications are governed by the PromotionsEnabled enterprise policy.
- Chrome 128 on ChromeOS, Linux, macOS, Windows
- Chrome 139 on Windows: In Chrome 138, promotional notifications were only activated on Chrome clients when upgrading from Windows 10 to Windows 11. From Chrome 139, this is being extended to all Windows Chrome installations. Notifications will still be only shown to a subset of low-engaged users, and these can be disabled through the PromotionsEnabled enterprise policy.

Remove risky extension flags in Google Chrome
To enhance the security and stability of the Chrome browser for our users, official Chrome branded builds will be removing --extensions-on-chrome-urls and --disable-extensions-except command-line flags starting in Chrome 139. This change aims to mitigate the risks associated with harmful and unwanted extensions.

Developers can still use the both flags in non-branded builds such as Chromium and Chrome For Testing.
- Chrome 139 on Linux, macOS, Windows

Remove SwiftShader fallback
Allowing automatic fallback to WebGL backed by SwiftShader is deprecated and WebGL context creation now fails instead of falling back to SwiftShader. This was done for two primary reasons:
1. SwiftShader is a high security risk due to JIT-ed code running in Chromium's GPU process.
2. Users have a poor experience when falling back from a high-performance GPU-backed WebGL to a CPU-backed implementation. Users have no control over this behavior and it is difficult to describe in bug reports.
SwiftShader is a useful tool for web developers to test their sites on systems that are headless or do not have a supported GPU. This use case will still be supported by opting in but is not intended for running untrusted content. To opt in to lower security guarantees and allow SwiftShader for WebGL, run the chrome executable with the --enable-unsafe-swiftshader command-line switch.

During the deprecation period, a warning will appear in the javascript console when a WebGL context is created and backed with SwiftShader. Passing --enable-unsafe-swiftshader will remove this warning message.

Chromium and other browsers do not guarantee WebGL availability. It is important to test and handle WebGL context creation failure and fall back to other web APIs such as Canvas2D or an appropriate message to the user.
- Chrome 139
  - on Linux, macOS: Swiftshader will be disabled on macOS and Linux. Users on machines without a GPU will not be able to use WebGL.
  - On Windows: The fallback to Swiftshader after three out-of-memory (OOM) errors will be disabled on Windows. Swiftshader usage will be limited to devices without a GPU or those with a GPU on the blocklist.

Shared tab groups
Users can now collaborate on tabs using the shared tab groups feature. With this feature, users can create and use a set of tabs on their desktop or mobile device and their collaborative partners can browse the same tabs on their devices. When one person changes a tab in the group, the changes are reflected across all users’ browsers in the group. An enterprise policy, TabGroupSharingSettings, will be available in Chrome 140 to control this feature.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows: Rollout of the ability to join and use a shared tab group. Users on Stable Chrome will not be able to create a shared tab group (the entry point will not be available) - this part of the feature will only be available on Beta/Dev/Canary for this phase of rollout.
- Chrome 139 on iOS: As early as Chrome 139, support for iOS will rollout
- Chrome 140 on Android, iOS, ChromeOS, Linux, macOS, Windows: TabGroupSharingSettings enterprise policy will be available to the enterprise owner in the Google Admin console.

Support accounts in pending state on Chrome iOS
Accounts whose credentials somehow became invalid are no longer automatically signed out and removed from Chrome on iOS. Instead, these accounts stay signed in to the browser, in a newly introduced pending state associated with a persistent error indication in the UI so users are encouraged to resolve it. This also means that local data associated with these accounts are no longer automatically deleted, but instead kept on disk. Existing policies controlling sign-in (for example, BrowserSignin) continue to work as before.
- Chrome 139 on iOS: Feature will gradually roll out

Upcoming change for CA certificates included in the Chrome Root Store
In response to sustained compliance failures, Chrome 139 changes how publicly-trusted TLS server authentication, that is, websites or certificates issued by Chunghwa Telecom and Netlock, are trusted by default. This applies to Chrome 139 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.

Specifically, TLS certificates validating to the Chunghwa Telecom or Netlock root CA certificates included in the Chrome Root Store and issued:

    - after July 31, 2025, will no longer be trusted by default.

    - on or before July 31, 2025, will be unaffected by this change.

If a Chrome user or an enterprise explicitly trusts any of the affected Chunghwa Telecom or Netlock certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.

For additional information and testing resources, see Sustaining Digital Certificate Security - Upcoming Changes to the Chrome Root Store.

To learn more about the Chrome Root Store, see this FAQ.
- Chrome 139 on Android, ChromeOS, Linux, macOS, Windows: All versions of Chrome 139 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after July 31, 2025.

Stop sending Purpose: prefetch header from prefetches and prerenders
Now that prefetches and prerenders are using the Sec-Purpose header for prefetches and prerenders, this change removes the legacy Purpose: prefetch header that is still currently passed. This update is behind a feature flag or kill switch to prevent compatibility issues.

The scope includes speculation rules prefetch, speculation rules prerender, <link rel=prefetch>, and Chromium's non-standard <link rel=prerender>.
- Chrome 139 on Windows, macOS, Linux, Android

Chrome to remove support for macOS 11
Chrome 138 is the last release to support macOS 11; Chrome 139 and later will no longer support macOS 11, which is outside of its support window with Apple. Running on a supported operating system is essential to maintaining security.

On Macs running macOS 11, Chrome will continue to work, showing a warning infobar, but will not update any further. If a user wishes to have their Chrome updated, they need to update their computer to a support version of macOS. For new installations of Chrome 139 and later, macOS 12 and later will be required.
- Chrome 139 on Windows, macOS, Linux

Fire error event instead of throwing exception for CSP blocked worker
When blocked by Content Security Policy (CSP), Chromium currently throws a SecurityError from the constructor of Worker and SharedWorker. To be spec-compliant, the CSP needs to be checked as part of fetch and then fire error events asynchronously instead of throwing an exception when the script runs new Worker(url) or new SharedWorker(url).

This update aims to make Chromium spec-conformant, which is, it no longer throws exceptions following constructor calls, and fires error events asynchronously.
- Chrome 139 on Windows, macOS, Linux, Android

Randomizing TCP port allocation on Windows
This feature enables TCP port randomization on Windows versions 2020 H1 and later. We do not anticipate issues with rapid re-use of prior ports (which can cause rejections due to port re-use timeouts) on these versions. The rapid port re-use issue stems from the Birthday problem, where the probability of randomly re-picking an already used port quickly approaches 100% with each new port chosen, unlike sequential port re-use models.
- Chrome 139 on Windows, macOS, Linux

New policies in Chrome browser

Policy	Description
GeminiSettings	Settings for Gemini integration
WatermarkStyle	Configure Custom Watermark Settings
EnableUnsafeSwiftShader	Allow software WebGL fallback using SwiftShader
NTPFooterManagementNoticeEnabled	Control the visibility of the management notice on the New Tab Page for managed browsers
EnterpriseLogoUrlForBrowser	Enterprise Logo URL for a managed browser
EnterpriseCustomLabelForBrowser	Set a custom enterprise label for a managed browser
LocalNetworkAccessRestrictionsEnabled	Specifies whether to apply restrictions to requests to local network endpoints
LocalNetworkAccessAllowedForUrls	Allow sites to make requests to local network endpoints.
LocalNetworkAccessBlockedForUrls	Block sites from making requests to local network endpoints.

Removed policies in Chrome browser

Policy	Description
ExtensionManifestV2Availability	Control Manifest v2 extension availability
SelectParserRelaxationEnabled	Controls whether the new HTML parser behavior for the <select> element is enabled
KeyboardFocusableScrollersEnabled	Enable keyboard focusable scrollers

Chrome Enterprise Core changes

Group based policies for connector configuration selection
Reporting connector configurations that receive events sent by managed browsers can now be configured by groups in addition to organizational units.
- Chrome 139 on ChromeOS, Linux, macOS, Windows

New remote commands and CSV export for the Managed profiles list
The Admin console will support profile-level "Clear cache" and "Clear cookies" remote commands, and CSV export for the Managed Profiles list. You can select one or multiple profiles and perform a remote command.
- Chrome 137 on Android, Linux, macOS, Windows: Adding CSV export for Managed profiles.
- Chrome 139 on Linux, macOS, Windows: Profile-level support for remote commands.

New tab page cards for Microsoft 365
Enterprise users with Outlook or SharePoint can now access their upcoming meetings or suggested files directly from the New tab page. This streamlined experience eliminates the need to switch tabs or waste time searching for your next meeting, allowing you to focus on what matters most. Admins can enable the cards with NTPSharepointCardVisible and NTPOutlookCardVisible. For Microsoft tenants who do not allow for self-authorization, the admin must also consent to the app permissions during first authentication or approve the app for use in Microsoft Entra.
- Chrome 134 on Linux, macOS, Windows: Available to Trusted Testers
- Chrome 137 on Linux, macOS, Windows: Gradual rollout to all customers
- Chrome 139 on ChromeOS, Linux, macOS, Windows: Users do not need to be signed into Chrome to use this feature

Regionalize covered Chrome Enterprise data
Starting in Chrome 139, Admins can use data regions to store users’ covered Chrome Enterprise data in a specific geographic location. The location options are United States, European Union (labeled Europe in the Google Admin console), or No preference. The initial migration will not complete until the end of Chrome 140. This can be set in the Google Admin console via Data > Compliance > Data regions > Region > Data at rest. For more information about the types of data covered, see the Chrome Enterprise Service Specific Terms.
- Chrome 139 on Android, iOS, ChromeOS, Linux, macOS, Windows: Rollout will begin. Admins may be able to set a region; however, data may not be fully regionalized until the end of Chrome 140.
- Chrome 140 on Android, iOS, ChromeOS, Linux, macOS, Windows: The initial migration will be fully regionalized.

Chrome Enterprise Premium changes

Read more about the differences between Chrome Enterprise Core and Chrome Enterprise Premium.

Active account detection
Chrome Enterprise can now detect whether an employee is using their corporate or personal Google account on Google Workspace pages like Google Drive, Docs, or Gmail. This allows administrators to create more granular Data Loss Prevention (DLP) rules to prevent sensitive data from being moved to personal accounts, addressing a critical data exfiltration risk. For instance, an administrator can now configure a policy in the Google Admin console to block a file upload to a personal Google Drive account while still allowing it to a corporate account. To use this feature, administrators should create or update their DLP rules to include the new Google Workspace Web app signed-in account condition. There is no single enterprise policy to enable or disable this feature; control is managed through the creation of these specific DLP rules.
- Chrome 139 on ChromeOS, Linux, macOS, Windows: The Chrome browser can detect the active user account on Google Workspace pages and sends this information as a new signal with Data Loss Prevention (DLP) scan requests.

Chrome Enterprise Connectors API
Chrome Enterprise is introducing programmatic management for Chrome Enterprise Connectors. This update exposes connector settings as new and updated policies within the existing Chrome Policy API, allowing IT administrators and technology partners to manage these configurations at scale. Previously, this was a manual process in the Google Admin console. This update enables automation, which helps reduce manual errors and improve the efficiency of managing integrations with third-party security solutions.

Administrators can use the Chrome Policy API to programmatically control settings for event reporting, content analysis, and real-time URL checks. This launch includes updates to the OnSecurityEventEnterpriseConnector policy and adds new policies such as OnFileAttachedEnterpriseConnector, OnFileDownloadedEnterpriseConnector, OnFileTransferEnterpriseConnector, OnBulkDataEntryEnterpriseConnector, OnPrintEnterpriseConnector, and EnterpriseRealTimeUrlCheckMode.

For technical details, developers should refer to the main Chrome Policy API documentation
- Chrome 139 on Android, iOS, Linux, macOS, Windows: This rollout adds support for programmatic management of Chrome Enterprise Connectors via a new API

Copy and paste rules protection
To help organizations better prevent data exfiltration on mobile devices, Chrome is extending its existing desktop clipboard data controls. Administrators can now use the DataControlsRules policy to set rules that block or warn users when they attempt to copy or paste content that violates organizational policies. This feature allows admins to define data boundaries and prevent sensitive information from being pasted from a work context into personal apps or websites on their mobile fleet. This addresses a significant security gap and a frequently requested feature from enterprise customers who have cited the lack of mobile data controls as a concern. To use this feature, administrators can configure clipboard restrictions within the DataControlsRules policy, providing a consistent management experience across desktop and mobile to strengthen their organization's overall security posture.
- Chrome 139 on Android: Copy and Paste rules protection becomes available on Android

Data Loss Prevention support for iFrames
To enhance security and prevent data exfiltration, Chrome's Data Loss Prevention (DLP) capabilities are being extended to the content within iFrames. Currently, DLP rules configured by administrators do not apply to content inside an iFrame, which allows a potential security loophole where users can bypass restrictions. This feature closes that gap. With this change, when a user performs a DLP-triggering action (such as uploading a file) from a site loaded in an iFrame, Chrome will send the entire URL hierarchy, from the source iFrame up to the top-level page, to be evaluated against all applicable DLP rules.

The motivation for this change is to provide a more robust security posture and eliminate a known method for bypassing data protection policies. No new enterprise policies are required to enable this functionality; it will work with existing DLP rules configured via the Connector policies. Administrators should be aware that their existing rules will now apply to iFrame contexts, which may block user actions that were previously permitted.
- Chrome 139 on Linux, macOS, Windows: Initial launch of Data Loss Prevention support for iFrames. This phase adds enforcement for file upload events originating from within an iFrame context and it will work with existing DLP rules configured via the OnFileAttachedEnterpriseConnector policy
- Chrome 140 on Linux, macOS, Windows: This expanded phase combines two feature rollouts, extending DLP iFrame support to include enforcement for both file download and printing actions.

Enable watermarking on Single Page Applications
To enhance data security, Chrome Enterprise Premium’s watermarking feature now supports Single Page Applications (SPAs). This addresses a significant customer request, as watermarks previously only applied to traditional websites. This capability is controlled by your existing Data Loss Prevention (DLP) policies in the Google Admin Console; no new policy configuration is required for this enhancement.

IT administrators should be aware of a key technical limitation. SPAs utilize same-document navigations, which cannot be paused for a security scan like a standard page load. Consequently, there may be a brief delay before a watermark appears after navigating within an SPA. Additionally, DLP rules set to Warn or Block will not display an interstitial page for these SPA navigations; the action would only trigger on a full page reload.
- Chrome 139 on ChromeOS, Linux, macOS, Windows: This rollout adds support for watermarking on Single Page Applications (SPAs)

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

2SV enforcement for admins
To better protect your organization’s information, Google will soon require all accounts with access to admin.google.com to have 2-Step Verification (2SV) enabled. As a Google Workspace administrator, you need to confirm your identity with 2SV, which requires your password plus something additional, such as your phone or a security key.

The enforcement will be rolled out gradually over the coming months. You should enable 2SV for the admin accounts in your organization before Google enforces it. For more information, see this About 2SV enforcement for admins.
- Chrome 137 on ChromeOS, Linux, macOS, Windows: 2SV enforcement starts
- Chrome 140 on ChromeOS, Linux, macOS, Windows: 2SV mandatory

Automated password change
When Chrome detects that a user has signed into a website with a known compromised password, it will offer the user to change it automatically. This feature will be available on a set of eligible sites. The feature uses AI, and can be controlled via the Enterprise policy AutomatedPasswordChangeSettings.
- Chrome 140 on ChromeOS, Linux, macOS, Windows

Contextual search suggestions in Chrome Address bar
With this feature you can ask anything about the page you’re on, directly in context. Building on the existing Search habit of the address bar, users can ask a question with Google Lens by selecting anything on screen or asking with words. A Google Lens action in the address bar and contextual suggestions guide people to the feature when it’s most helpful. This feature is gated by the existing LensOverlaySettings policy.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: Feature starts rollout
- Chrome 140 on ChromeOS, Linux, macOS, Windows: If the LensOverlaySettings policy is not set this feature will respect the GenAiDefaultSettings policy if present.

Enhanced autofill
Starting in Chrome 137, some users can turn on Autofill with AI, a new feature that helps users fill out online forms more easily. On relevant forms, Chrome can use AI to better understand the form and offer users to automatically fill in previously saved info. Admins can control the feature using the existing GenAiDefaultSettings policy and a new AutofillPredictionSettings policy.
- Chrome 137 on ChromeOS, Linux, macOS, Windows
- Chrome 140 on ChromeOS, Linux, macOS, Windows: The existing "Autofill with AI" feature will be renamed to "Enhanced autofill", allow users to save and fill additional types of info, and become available in more countries and languages.

Gemini in Chrome
Gemini is now integrated into Chrome on macOS and Windows, and can understand the content of your current page. Users can now seamlessly get key takeaways, clarify concepts, and find answers, all without leaving their Chrome tab. This integration includes both chat—where users can interact with Gemini via text, and Gemini Live, with which users can interact with Gemini via voice.

In Chrome 140, Gemini in Chrome will become available for users signed into Chrome in the US. Admins can turn off this feature (value 1) using the GeminiSettings policy or by using the GenAiDefaultSettings (value 2). For more details, see Gemini in Chrome in the Help Center.
- Chrome 137 on macOS, Windows: Feature is available for some Google AI Pro and Ultra subscribers in the US and on pre-Stable (Dev, Canary, Beta) channels in the US.
- Chrome 140 on macOS, Windows: Feature gradually rolls out on Stable for users signed into Chrome in the US.

Happy Eyeballs V3
This launch is an internal optimization in Chrome that implements Happy Eyeballs V3 to achieve better network connection concurrency. Happy Eyeballs V3 performs DNS resolutions asynchronously and staggers connection attempts with preferable protocols (H3/H2/H1) and address families (IPv6 or IPv4) to reduce user-visible network connection delay. This feature is gated by a temporary policy HappyEyeballsV3Enabled.
- Chrome 140 on Android, ChromeOS, Linux, macOS, Windows

Launch Chrome into new profile via command line
This enhancement addresses a critical gap for our enterprise partners and admin who need to launch web applications from their native app catalogs directly into a specific managed Chrome profile using Chrome CLI (command line interface). Currently, if the designated profile does not exist, Chrome defaults to the last-used profile, creating a disjointed and insecure user experience. With this new feature, when a specified profile is not found, Chrome will initiate the existing profile creation flow, pre-populating the user's email address to streamline the setup process. This is a key technical enabler for admins aiming to onboard their enterprise users to Chrome Enterprise via Managed Profiles.
- Chrome 140 on Linux, macOS, Windows

PostQuantum cryptography for DTLS in WebRTC
This feature enables the use of PostQuantum Cryptography (PQC) with WebRTC connections. The motivation for PQC is to get WebRTC media traffic up to date with the latest cryptography protocols and prevent Harvest Now to Crack Later scenarios.

This feature will be controllable by an enterprise policy WebRtcPostQuantumKeyAgreementEnabled, to allow enterprise users to opt out of PQC. The policy will be temporary and is planned to be removed by Chrome 150.
- Chrome 140 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia
- Chrome 150 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia: Remove Enterprise Policy

ServiceWorkerAutoPreload mode
ServiceWorkerAutoPreload is a mode where the browser issues the network request in parallel with the service worker bootstrap, and consumes the network request result inside the fetch handler if the fetch handler returns the response with respondWith(). If the fetch handler result is fallback, it passes the network response directly to the browser. ServiceWorkerAutoPreload is defined as an optional browser optimization, which will change the existing service worker behavior.

A temporary enterprise policy called ServiceWorkerAutoPreloadEnabled will be added to control this feature.
- Chrome 140 on Android, Windows: policy will be made available
- Chrome 144 on Android, Windows: policy will be removed

CSS find-in-page highlight pseudos
Exposes find-in-page search result styling to authors as a highlight pseudo-element, like selection and spelling errors. This allows authors to change the foreground and background colors or add text decorations, which can be especially useful if the UA defaults have insufficient contrast with the page colors or are otherwise unsuitable.
- Chrome 140 on Windows, macOS, Linux, Android

Deprecate special font size rules for H1 within some elements
The HTML spec contains a list of special rules for <h1> tags nested within <article>, <aside>, <nav>, or <section> tags. These special rules are deprecated, because they cause accessibility issues. Namely, they visually reduce the font size for nested <h1>s so that they "look" like <h2>s, but nothing in the accessibility tree reflects this demotion.
- Chrome 140 on Windows, macOS, Linux, Android

IP protection
This feature limits availability of a user’s original IP address in third-party contexts in Incognito mode, enhancing Incognito's protections against cross-site tracking when users choose to browse in this mode. IP addresses facilitate a range of use cases, including routing traffic and preventing fraud and spam. However, they can also be used for tracking. For Chrome users who choose to browse in Incognito mode, we want to provide additional control over their IP address, without breaking essential web functionality. To strike this balance between protection and usability, this proposal focuses on limiting the use of IP addresses in a third-party context in Incognito mode. To that end, this proposal uses a list-based approach, where only domains on the Masked Domain List (MDL) in a third-party context will be impacted. For enterprises, this feature can be controlled via the PrivacySandboxIpProtectionEnabled enterprise policy.
- Chrome 140 on Windows, macOS, Linux, Android

Local network access restrictions
Chrome 140 restricts the ability to make requests to the user's local network, gated behind a permission prompt. A local network request is any request from a public website to a local IP address or loopback, or from a local website (for example,. intranet) to loopback. Gating the ability for websites to perform these requests behind a permission mitigates the risk of cross-site request forgery attacks against local network devices such as routers, and reduces the ability of sites to use these requests to fingerprint the user's local network.

This permission is restricted to secure contexts. If granted, the permissions additionally relaxes mixed content blocking for local network requests (since many local devices are not able to obtain publicly trusted TLS certificates for various reasons).

This work supersedes a prior effort called Private Network Access, which used preflight requests to have local devices opt-in. Enterprises that need to disable or auto-grant the permission can do so using the LocalNetworkAccessAllowedForUrls and LocalNetworkAccessBlockedForUrls policies. The value of '*' can be used to allow local network access on all URLs, matching the behavior prior to rolling out the restrictions.
- Chrome 140 on Windows, macOS, Linux, Android

Probabilistic Reveal Tokens
To ensure that all businesses can continue to estimate the amount of fraud on their systems, train models to defend against fraud, and analyze emerging fraudulent behavior while still mitigating the ability to track users at scale using IP addresses, we propose to introduce a delayed IP sampling mechanism called Probabilistic Reveal Tokens (PRTs) alongside IP Protection for use in protected traffic.

PRTs will be included on proxied requests in a new HTTP header added by the browser for domains that indicate they want to receive them via a signup process. Each PRT will contain a ciphertext, generated by an Issuer and re-randomized for unlinkability by the browser prior to the request, that the recipient can decrypt after a delay. Google will be the issuer for Chrome's implementation. A minority of the decrypted PRTs contain the client's pre-proxy IP address (that is, non-masked, and as observed by the token issuer), while the remaining PRTs provide no information about the client's original IP address. This results in only a small percent of PRTs containing and revealing the user's IP. Since PRTs will only be attached when IP Protection is enabled, admins can use the PrivacySandboxIpProtectionEnabled policy to control IP Protection and PRTs.
- Chrome 140 on Windows, macOS, Linux, Android

Propagate Viewport overscroll-behavior from Root
This feature will propagate overscroll-behavior from the root instead of the body. The CSS working group resolved on not propagating properties from the body to the viewport. Rather, properties of the viewport are to be propagated from the root element e.g. scroll-behavior, scroll-snap-type, scroll-padding. As such, overscroll-behavior should be propagated from the root element. However, Chrome has had a longstanding issue of propagating overscroll-behavior from the body rather than the root, which deviates from the behavior of Safari(WebKit) and Firefox(Gecko). This feature intends to fix this by propagating overscroll-behavior from the root rather than the body.
- Chrome 140 on Windows, macOS, Linux, Android

Script blocking in Incognito
Mitigating API Misuse for Browser Re-Identification, otherwise known as Script Blocking, is a feature that will block scripts engaging in known, prevalent techniques for browser re-identification in third-party contexts. These techniques typically involve the misuse of existing browser APIs to extract additional information about the user's browser or device characteristics.

This feature uses a list-based approach, where only domains marked as “Impacted by Script Blocking” on the Masked Domain List (MDL) in a third-party context will be impacted. When the feature is enabled, Chrome will check network requests against the blocklist. The Chromium's subresource_filter component will be reused, which is responsible for tagging and filtering subresource requests based on page-level activation signals, and a ruleset is used to match URLs for filtering. The enterprise policy name is PrivacySandboxFingerprintingProtectionEnabled.
- Chrome 140 on Windows, macOS, Linux, Android

SharedWorker script inherit controller for blob script URL
According to Worker client case (github), workers should inherit controllers for the blob URL. However, existing code allows only dedicated workers to inherit the controller, and shared workers do not inherit the controller. This is the fix to make Chromium behavior adjust to the specification. An enterprise policy SharedWorkerBlobURLFixEnabled is available to control this feature.
- Chrome 140 on Windows, macOS, Linux, Android

Strict Same Origin Policy for Storage Access API
We plan to adjust the Storage Access API semantics to strictly follow the Same Origin Policy, to enhance security. Using document.requestStorageAccess() in a frame only attaches cookies to requests to the iframe's origin (not site) by default. The CookiesAllowedForUrls policy or Storage Access Headers can still be used to unblock cross-site cookies.
- Chrome 140 on Windows, macOS, Linux, Android

Web App Manifest: specify update eligibility, icon URLs are Cache-Control: immutable
As early as Chrome 139, the Web App manifest will specify an update eligibility algorithm. This makes the update process more deterministic and predictable, giving the developer more control over whether (and when) updates should apply to existing installations, and allowing removal of the 'update check throttle' that user agents currently need to implement to avoid wasting network resources.
- Chrome 141 on Windows, macOS, Linux
- Chrome 142 on Android

Clear window name for cross-site navigations that switches browsing context group
The value of the window.name property is currently preserved throughout the lifetime of a tab, even with navigation that switches browsing context groups, which can leak information and potentially be used as a tracking vector. Clear the window.name property in this case addresses this issue.

This update will introduce a new temporary enterprise policy, ClearWindowNameCrossSiteBrowsing, which will stop working in Chrome 146.
- Chrome 142 on Windows, macOS, Linux, Android, iOS

Disallow non-trustworthy plaintext HTTP prerendering
This launch will provide the capability to disallow non-trustworthy plaintext HTTP prerendering.
- Chrome 142 on Windows, macOS, Linux, Android

HSTS tracking prevention
This update will mitigate user tracking by third-parties via the HTTP Strict Transport Security (HSTS) cache. This feature only allows HSTS upgrades for top-level navigations and blocks HSTS upgrades for sub-resource requests. Doing so makes it infeasible for third-party sites to use the HSTS cache in order to track users across the web.
- Chrome 142 on Windows, macOS, Linux, Android

Disallow spaces in non-file:// URL hosts
According to the URL Standard specification, URL hosts cannot contain the space character, but currently URL parsing in Chromium allows spaces in the host. This causes Chromium to fail several tests included in the Interop2024 HTTPS URLs for WebSocket and URL focus areas. To bring Chromium into spec compliance, we would like to remove spaces from URL hosts altogether, but a difficulty with this is that they are used in the host part in Windows file:// URLs (Github).
- Chrome 145 on Android, ChromeOS, LaCrOS, Linux, macOS, Windows, Fuchsia

Remove Third-party storage partitioning policies
Third-party storage partitioning became the default in Chrome 115. The chrome:// flag that allowed users to disable this feature was removed in Chrome 128, and the deprecation trial ended with Chrome 139. In Chrome 145, the enterprise policies DefaultThirdPartyStoragePartitioningSetting and ThirdPartyStoragePartitioningBlockedForOrigins will be removed. Users are advised to transition to alternative storage solutions, either by adapting to third-party storage partitioning or by using document.requestStorageAccess({...}) where needed.

If you have any feedback, you can add it here in the Chromium bug.
- Chrome 145 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia: Removal of DefaultThirdPartyStoragePartitioningSetting and ThirdPartyStoragePartitioningBlockedForOrigins

SafeBrowsing API v4 → v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5. If admins have any v4-specific URL allowlisting to allow network requests to https://safebrowsing.googleapis.com/v4*, these should be modified to allow network requests to the whole domain instead: safebrowsing.googleapis.com. Otherwise, rejected network requests to the v5 API will cause security regressions for users. For more details, see Migration From V4 - Safe Browsing.
- Chrome 145 on Android, iOS, ChromeOS, Linux, macOS, Windows: Feature would gradually roll-out

Isolated Web Apps
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering that is necessary for developers of security-sensitive applications.

Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the explainer.

In this initial release, IWAs will only be installable through an admin policy on enterprise-managed ChromeOS devices.
- Chrome 146 on Windows This rollout adds support for Isolated Web Apps in enterprise-managed browser configurations on Windows.

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Administrators may use the UiAutomationProviderEnabled enterprise policy starting in Chrome 125 to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 146, and will be removed in Chrome 147. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows: The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt in early to the new behavior, or to temporarily opt out through Chrome 146.
- Chrome 147 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Upcoming Chrome Enterprise Core updates

Inactive profile deletion in Chrome Enterprise Core

In June 2025, the inactive period for profile deletion setting started to roll out. In August 2025, the setting will begin to automatically delete managed profiles in the Admin console that have been inactive for more than the defined inactivity period. When releasing the setting, the inactivity period of time has a default value of 90 days. Meaning that by default, all managed profiles that have been inactive for more than 90 days are deleted from your account. Administrators can change the inactive period value using this setting. The maximum value to determine the profile inactivity period is 730 days and the minimum value is 28 days.

If the set value is lowered, it might have a global impact on any currently managed profiles. All impacted profiles will be considered inactive and, therefore, be deleted. This does not delete the user account. If an inactive profile is reactivated on a device, that profile will reappear in the console.
- Chrome 140 on Android, ChromeOS, Linux, macOS, Windows: Policy was rolled out in June. Deletion will start in August and the initial wave of deletion will complete by the beginning of September. After the initial deletion rollout, inactive profiles will continue to be deleted once they have reached their inactivity period.

Chrome Enterprise Overview page

This feature is introducing a new Overview page in the Chrome browser section of the Google Admin console. The Overview page allows IT administrators to quickly find key information about their deployment:

- Active & inactive profiles and enrolled browsers

- Identify browsers out-of-date and with pending updates

- Identify high-risk extensions (according to Spin.AI) and get a preview of most requested extensions

- Security Insights (for example, sensitive file uploads or downloads)

The Overview page also allows admins to quickly access key actions such as managing extensions, accessing the browser or profile list and setting Update policies, to name a few.
- Chrome 137 on Android, iOS, Linux, macOS, Windows
- Chrome 141 on Android, iOS, Linux, macOS, Windows: New filtering available on the Overview page for Organization Unit and Activity Dates

Upcoming Chrome Enterprise Premium changes

Increased file size support for Data Loss Prevention scans
Chrome Enterprise Premium now extends its Data Loss Prevention (DLP) and malware scanning capabilities to include large and encrypted files. Previously, files larger than 50 MB and all encrypted files were skipped during content scanning. This update closes that critical security gap. For policies configured to save evidence, files up to 2GB can now be sent to the Evidence Locker. This provides administrators with greater visibility and control, significantly reducing the risk of data exfiltration through large file transfers.

No new policy is required to enable this feature. It is automatically controlled by the existing DLP rule configurations in the Google Admin Console. If admins have rules that apply to file uploads, downloads, or printing, they will now also apply to large and encrypted files.
- Chrome 140 on Linux, macOS, Windows: Feature is rolled out

Watermarking customization
Chrome Enterprise Premium now allows administrators to customize the appearance of watermarks. This enhancement is motivated by the need to improve user experience, addressing concerns such as eyestrain and readability on pages with existing watermarks.

To control the watermark's appearance, administrators should use the new WatermarkStyle policy. Within this policy, admins can configure the following:
- 'font_size': Sets the font size of the text in pixels.
- 'fill_opacity': Sets the fill opacity of the text, from 0 (transparent) to 100 (opaque).
- 'outline_opacity': Sets the outline opacity of the text, from 0 (transparent) to 100 (opaque).
This provides administrators with greater flexibility to balance security requirements with end-user productivity.
- Chrome 140 on ChromeOS, Linux, macOS, Windows: This launch enables administrators to customize watermark font size and opacity using the new WatermarkStyle policy in the Google Admin Console.
- Chrome 141 on ChromeOS, Linux, macOS, Windows: As an enhancement, a new chrome:// enterprise page is introduced that allows administrators to preview their configured watermark style before deployment.

Chrome browser rule UX refactor
To enhance the Data Loss Prevention (DLP) rule creation experience, the Google Admin console is being updated to streamline how administrators define policies for different applications like Chrome and Workspace. This first introduces mutually exclusive application groups, meaning that a single DLP rule can now only target one application group at a time—either Workspace apps (like Drive, Gmail), Chrome browser triggers (like file upload, URL visited), or ChromeOS triggers. This change simplifies rule configuration, eliminates potential conflicts from overlapping app selections, and lays the groundwork for more specialized and user-friendly workflows tailored to each platform's needs.

Administrators will see an updated "Apps" selection interface using radio buttons to enforce this single-group selection for new rules. Existing rules that previously combined applications from multiple groups will be transparently migrated by the system into separate, compliant, single-platform rules to ensure continued protection and a seamless transition. Banners within the Admin console will provide information regarding these changes and the migration process. No new enterprise policies are introduced with this update; the changes are to the rule configuration interface.
- Chrome 141 on ChromeOS, Linux, macOS, Windows: Enables mutually exclusive app selection for DLP rule configuration in Admin Console

↑ back to top

ChromeOS 139 release summary

ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
ChromeOS desk sync		✓
Chrome apps changes	✓		✓
Native Client (NaCl) deprecation	✓		✓
Touchscreen calibration tool		✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Chrome Sign Builder Deprecation		✓	✓
EAP/TLS server certificate validation	✓		✓

DOWNLOAD Release notes (PDF)

↑ back to top

ChromeOS updates

ChromeOS desk sync
Starting from ChromeOS 139, ChromeOS desk sync helps users quickly pick up from where they left off when switching to another device. Desk sync restores all windows, tabs, and even cookies from the previous session to allow for a seamless transition. Admins can switch on this feature for managed users. Desk sync is particularly useful for shared devices and frontline workers in healthcare, hospitality, and manufacturing settings. For more details, see our blog post or our help center.

Chrome apps changes
Starting with ChromeOS 139, planned for stable release on August 19th, user-installed Chrome apps on ChromeOS will stop working. Apps that are force-installed through the admin console for Managed Guest sessions (MGS) and user sessions will continue to be supported. For more details, see End of support for Chrome apps.

A new policy, KioskChromeAppsForceAllowed, is available for administrators to re-enable Chrome apps in kiosk sessions. With this policy turned on, Chrome apps in kiosk sessions will be supported through ChromeOS 150.

Native Client (NaCl) deprecation
ChromeOS 139 and later no longer supports Native Client (NaCl) in managed environments with the NaCl allow policy enabled. For devices on the Long-term Support (LTS) channel with this policy active, NaCl support will continue to be supported until the ChromeOS 138 LTS Last Refresh in April 2026.

Touchscreen calibration tool
With ChromeOS 139, you can now calibrate boundaries of external touch screen displays. Chromebook users can now calibrate boundaries of external touch screen displays connected to a Chromebook. This setting helps with aligning external display boundaries, so that touch inputs correspond correctly to the displayed content. To calibrate the external touch screen display, go to Settings > Device > Display, go to the corresponding external touchscreen display and access Calibrate touchscreen. For more details, see Connect your Chromebook to a monitor.

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming ChromeOS changes

Chrome Sign Builder deprecation

The Chrome Sign Builder Chrome App is scheduled to reach its end of life in July 2026, with ChromeOS M150 being the final release to support it in kiosk mode. Devices on the Long-term Support (LTS) channel will continue to receive support until April 2027. This deprecation means that after the specified timelines, Chrome Sign Builder will no longer be available for installation or configuration, potentially leading to service disruptions for organizations currently utilizing it for digital signage.

To avoid any interruptions, organizations must migrate to an alternative solution before July 2026. Two recommended options are
- Migrate to Comeen: A Chrome Enterprise Recommended Partner that offers a web app replacement (comeen.com)
- Deploy alternative web apps: Utilize the Google Admin console to deploy other web apps to ChromeOS kiosk devices.

EAP/TLS server certificate validation

Note: This change only affects customers utilizing EAP/TLS network setups and only affects networks set up before January of 2022.

Starting October 1, 2025, we will roll out this fix to the ChromeOS stable channel. A very small number of customers using EAP/TLS configurations might experience connectivity issues if their server certificates are signed by a Certificate Authority (CA) that is currently included in ChromeOS as a System CA.

To minimize disruption, admins can perform one of the following actions:

Option 1 (providing a higher level of security):
1. Generate a new certificate for your Authentication Server, and ensure it is signed by the same Certificate Authority (CA) as used previously.
2. Replace the existing certificates on your Authentication Server with the newly-generated certificates.
Option 2 ( if more time is needed before implementing Option 1):
1. Sign in to Google Admin console.
2. From August 15 to October 1, to check for affected devices, admins can follow these instructions on the Beta channel:
  - Access chrome://histograms in Chrome browser.
  - Perform several disconnect and reconnect cycles for your Ethernet or Wi-Fi network.
  - Allow approximately 10 seconds for data aggregation.
  - Within the chrome://histograms page, search the histogram identified as Network.Shill.Eap.EventCaCertExperiment1:
    1. If the histogram is not present, your configuration is not impacted.
    2. Your configuration is likely to be impacted if a positive value is observed for both Event 8 (FirstCertVerificationFailure) and Event 9 (CertVerificationRetryAttempt).
3. Navigate to the configuration settings for the affected EAP/TLS network.
4. Modify the Server Certificate Authority setting to System default certificate authorities.

↑ back to top

Chrome 138

Chrome 138 release summary

Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
AI Mode for search recommendations in Chrome		✓
Bookmarks and reading list improvements on Chrome Desktop	✓	✓
Client’s LLM assistance in mitigating scams	✓
Contextual search suggestions in Chrome Address bar		✓
Enhanced Safe Browsing is a synced setting	✓
Generating insights for Chrome DevTools console warnings and errors			✓
History sync opt-in via profile pill	✓
New tab page footer	✓	✓	✓
Per-extension user script toggle	✓
Removal of Private Network Access enterprise policies	✓
Search your screen with Google Lens on iPad		✓
Shared tab groups		✓
Speculation rules prefetch for ServiceWorker		✓
TLS 1.3 Early Data		✓
Deprecate asynchronous range removal for Media Source extensions	✓
Language Detector API		✓
Summarizer API		✓
Translator API		✓
Web serial over Bluetooth on Android		✓
New policies in Chrome browser			✓
Removed policies in Chrome browser			✓
Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
Agentspace recommendations in the Chrome search bars		✓	✓
Deprecation of the Chrome browser page on the Chrome Insights report			✓
Inactive profile deletion in Chrome Enterprise Core	✓		✓
New LayerX risk assessment in the Admin console	✓
Multiple identity support on iOS		✓
Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
SecOps integration	✓		✓
URL Filtering capabilities on iOS	✓		✓
DLP download support for File System Access API (FSA)	✓		✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Chrome on Android no longer supports Android Oreo or Android Pie			✓
Gemini in Chrome		✓
Malicious APK download checks	✓
Upcoming change for CA certificates included in the Chrome Root Store	✓
Migrate extensions to Manifest V3 before June 2025	✓	✓	✓
Promotional notifications			✓
Remove risky extension flags in Google Chrome	✓
Remove SwiftShader fallback	✓
Support accounts in pending state on Chrome iOS	✓
Chrome to remove support for macOS 11		✓
Clear window name for cross-site navigations that switches browsing context group			✓
Fire error event instead of throwing for CSP blocked worker			✓
Web App Manifest: specify update eligibility, icon urls are Cache-Control: immutable		✓
2SV enforcement for admins			✓
Happy Eyeballs V3		✓
Isolated Web Apps		✓
Disallow non-trustworthy plaintext HTTP prerendering	✓
HSTS tracking prevention	✓
IP Protection	✓
Strict Same Origin Policy for Storage Access API	✓	✓
Disallow spaces in non-file:// URL hosts			✓
SafeBrowsing API v4 → v5 migration	✓
UI Automation accessibility framework provider on Windows		✓
Upcoming Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
New remote commands and CSV export for the Managed Profile list			✓
New tab page cards for Microsoft 365		✓	✓
Chrome Enterprise Overview page			✓
Upcoming Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
Chrome browser rule UX refactor	✓		✓
Copy and paste rules protection	✓		✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser changes

AI Mode for search recommendations in Chrome
AI Mode is a feature that helps users dive deeper into topics they care about by showing AI Mode for search recommendations in Chrome. A new policy, AIModeSettings, is available to control search recommendations in the address bar and New tab page search box.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: Feature starts rollout in the address bar.
- Chrome 139 on Android, iOS: Feature starts rollout in the address bar.

Bookmarks and reading list improvements on Chrome Desktop
For Chrome 138 on Desktop, some users who sign in to Chrome upon saving a new bookmark can now use and save bookmarks and reading list items in their Google Account. Relevant enterprise policies controlling bookmarks, as well as BrowserSignin, SyncDisabled or SyncTypesListDisabled, continue to work as before, so admins can configure whether or not users can use and save items in their Google Account. Setting EditBookmarksEnabled to false also prevents users from uploading a bookmark saved on their device to their Google Account.
- Chrome 138 on Linux, macOS, Windows

Client’s LLM assistance in mitigating scams
Users on the web are facing significant amounts of different kinds of scams a day. To combat these scams, Chrome now uses on-device LLM to identify scam websites for Enhanced Safe Browsing users. Chrome sends the page content to an on-device LLM to infer security-related signals of the page and send these signals to the Safe Browsing server for a final verdict. When enabled, Chrome can consume more bandwidth to download the LLM.

Enhanced Safe Browsing is an existing feature, controlled by the SafeBrowsingProtectionLevel policy.
- Chrome 134 on Linux, macOS, Windows: Gather the brand name and intent summary of the page that triggers keyboard lock to identify scam websites.
- Chrome 135 on Linux, macOS, Windows: Show the warnings to the user based on the server verdict, which uses the brand and intent summary of the page that triggered keyboard lock.
- Chrome 137 on Linux, macOS, Windows: Gather brand and intent summary of the page based on server reputation scoring system.
- Chrome 138 on Linux, macOS, Windows: Show the warnings to the user based on the server verdict, which uses the brand and intent of the pages that the server reputation system scored.

Contextual search suggestions in Chrome Address bar
With this feature you can ask anything about the page you’re on, directly in context. Building on the existing Search habit of the address bar, users can ask a question with Google Lens by selecting anything on screen or asking with words. A Google Lens action in the address bar and contextual suggestions guide people to the feature when it’s most helpful. This feature is gated by the existing LensOverlaySettings policy.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: Feature starts rollout
- Chrome 140 on ChromeOS, Linux, macOS, Windows: If the LensOverlaySettings policy is not set this feature will respect the GenAiDefaultSettings policy if present.

Enhanced Safe Browsing is a synced setting
In Chrome 138, Chrome's Enhanced Safe Browsing is a synced feature. This means that if a user opts into Enhanced Safe Browsing on one device, this protection level automatically applies across all other devices where they are signed into Chrome with the same account. The goal is to provide stronger, more consistent security protection and a standardized user experience.

Users who enable Enhanced Safe Browsing benefit from its protections, for example, proactive phishing protection, improved detection of malware and malicious extensions consistently across their synced Chrome instances on Desktop (Windows, macOS, Linux, ChromeOS), Android, and iOS. Users receive onscreen notifications when their Enhanced Safe Browsing setting is synced.

The Safe Browsing protection level is an existing feature, controlled by the SafeBrowsingProtectionLevel policy.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows

Generating insights for Chrome DevTools console warnings and errors
A new Generative AI (GenAI) feature is now available for unmanaged users: Generating insights for Chrome DevTools console warnings and errors. These insights provide a personalized description and suggested fixes for the selected errors and warnings. Initially, this feature is available to users (18+) in English only. Admins can control this feature using the DevToolsGenAiSettings policy.
- Chrome 131 on ChromeOS, Linux, macOS, Windows: In Chrome 131, a new Generative AI (GenAI) feature becomes available for managed users: a dedicated AI assistance panel in Chrome DevTools which assists the human operator investigating & fixing styling challenges and helps debugging the CSS.
- Chrome 132 on ChromeOS, Linux, macOS, Windows: The AI assistance panel can now explain resources in the Performance panel, Sources panel, and Network panel, in addition to the previous support for style debugging.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: The AI assistance panel exposes an internal API that simplifies the use of AI assistance panel features by external tools such as Model Context Protocol (MCP) servers.

History sync opt-in using the profile pill
In Chrome 138, some signed-in users see a new option to opt in to history and tab sync. This change is designed to offer the benefits of history sync in a non-disruptive way by using the profile pill to display a short in-line message. Users who click on the profile pill are taken to their profile menu where they can choose to turn on sync. The goal is to provide users with an intuitive and contextually relevant entry point for syncing data like browsing history, separate from the sign-in flow. For Enterprise users, the expanded profile pill only appears after 4 hours of browser inactivity.

Relevant enterprise policies controlling History or Tab sync (SyncDisabled, SyncTypesListDisabled and SavingBrowserHistoryDisabled) continue to work as before.
- Chrome 138 on Linux, macOS, Windows: Feature starts gradual rollout.

New tab page footer
An update to the New tab page includes a new footer designed to provide users with greater transparency and control over their Chrome experience.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: Extension Attribution will begin to show on the NTP. If an extension has changed your default New tab page, you'll now see a message in the footer that attributes the change to that specific extension. This message often includes a link directly to the extension in the Chrome Web Store, making it easier to identify and manage unwanted extensions. If you're an administrator, you can disable this attribution using the NTPFooterExtensionAttributionEnabled policy.
- Chrome 139 on Linux, macOS, Windows: Browser management disclosure will be shown if one of the policies to customize the footer is set by an enterprise admin. For users whose Chrome browser is managed by a trusted source, the New tab page footer will now display a management disclosure notice. This helps you understand how your browser is being managed. Administrators can disable this notice with the NTPFooterManagementNoticeEnabled policy. Additionally, organizations can customize the footer's appearance using the EnterpriseLogoUrlForBrowser and EnterpriseCustomLabelForBrowser policies to display a custom logo and label.
- Chrome 140 on Linux, macOS, Windows: A default notice (Managed by <domain name>) will start to be shown in the New tab page footer for all managed browsers. Visibility can be changed with the NTPFooterManagementNoticeEnabled policy.

Per-extension user script toggle
In Chrome 138, the way that users and administrators control an extension’s ability to run user created scripts and use the userScripts API is changing. This change enhances security. Users won’t unintentionally grant user script permissions to every extension when enabling Developer mode by explicitly deciding which extensions can run these potentially powerful scripts. For more detail on the motivation for the change, see this Chrome for developers blog.

End users will now toggle this per extension on the chrome://extensions page via a Allow User Scripts toggle, replacing the global Developer mode toggle for more granular control. Existing extensions will have this toggle automatically enabled if Developer mode is on and the extension has been granted the User Scripts permission.

Administrators who currently manage user scripts by disabling developer mode should now use the blocked_permissions field of the ExtensionSettings policy or the Google Admin console to independently control the User Scripts permission and extension Developer mode.

Extension developers are advised to update their documentation to reflect the new toggle. See the Chromium Extensions Google Groups mailing list for more information and other changes to usage of the API.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: Feature rolls out

Removal of Private Network Access enterprise policies
Private Network Access (PNA 1.0) is an unshipped security feature designed to limit website access to local networks. Due to deployability concerns, PNA 1.0 was never able to ship by default, as it was incompatible with too many existing devices.

PNA 1.0 required changes to devices on local networks. Instead, Chrome is implementing an updated proposal, Private Network Access 2.0 (PNA 2.0) (Github). PNA 2.0 only requires changes to sites that need to access the local network, rather than requiring changes to devices on the local network. Sites are much easier to update than devices, and so this approach should be much more straightforward to roll out.

The only way to enforce PNA 1.0 is via enterprise policy. To avoid regressing security for enterprise customers opting-in to PNA 1.0 prior to shipping PNA 2.0, we will maintain the PrivateNetworkAccessRestrictionsEnabled policy, which causes Chrome to send special preflight messages, until such time that it becomes incompatible with PNA 2.0.

The InsecurePrivateNetworkRequestsAllowedForUrls and InsecurePrivateNetworkRequestsAllowed policies, which loosen PNA 1.0 restrictions, will be removed immediately. These policies currently have no effect, since PNA 1.0 is not shipped, and they will have no meaning once PNA 1.0 is removed.
- Chrome 135 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia: Deprecate InsecurePrivateNetworkRequestsAllowedForUrls, InsecurePrivateNetworkRequestsAllowed, and PrivateNetworkAccessRestrictionsEnabled policies.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia: Removal of PrivateNetworkAccessRestrictionsEnabled, InsecurePrivateNetworkRequestsAllowedForUrls and InsecurePrivateNetworkRequestsAllowed. There should be a PNA2 replacement policy available in Chrome 138.

Search your screen with Google Lens on iPad
Expand Search your screen with Google Lens on iOS so it is available on iPad devices. iPad is a form factor typically associated with more complex tasks, for example, shopping, and expanding Lens functionality on iPad enables users to perform these tasks easily. Admins can control this feature using the LensOverlaySettings policy.
- Chrome 138 on iOS: Feature rolls out gradually.

Shared tab groups
Users can now collaborate on tabs using the shared tab groups feature. With this feature, users can create and use a set of tabs on their desktop or mobile device and their collaborative partners can browse the same tabs on their devices. When one person changes a tab in the group, the changes are reflected across all users’ browsers in the group. An enterprise policy, TabGroupSharingSettings, is available to control this feature.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows: Rollout of the ability to join and use a shared tab group. Users on Stable Chrome will not be able to create a shared tab group (the entry point will not be available) - this part of the feature will only be available on Beta/Dev/Canary for this phase of rollout.
- Chrome 139 on iOS: As early as Chrome 139, support for iOS will roll out.

Speculation rules prefetch for ServiceWorker
This feature enables Service Worker-controlled prefetches, that is, a speculation rules prefetch to URLs controlled by a Service Worker. Previously, the prefetch is cancelled upon detecting a controlling Service Worker, thus subsequent navigation to the prefetch target is served by the non-prefetch path. This feature enables the prefetch request to go through the Service Worker's fetch handler and the response with the Service Worker interception is cached in the prefetch cache, resulting in a subsequent navigation being served by the prefetch cache. Please use the enterprise policy PrefetchWithServiceWorkerEnabled to control this feature. For more details, see this explainer.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows

TLS 1.3 Early Data
TLS 1.3 Early Data allows GET requests to be sent during the handshake when resuming a connection to a compatible TLS 1.3 server. The feature is expected to demonstrate performance improvements and will be available in Chrome 138 with a policy (TLS13EarlyDataEnabled) to control this change.

TLS 1.3 Early Data is an established protocol. Existing TLS servers, middleboxes, and security software are expected to either handle or reject TLS 1.3 Early Data without dropping the connection. However, devices that do not correctly implement the TLS standard (RFC8446) might malfunction and disconnect when TLS 1.3 Early Data is in use. If this occurs, administrators should contact the vendor for a fix.

The TLS13EarlyDataEnabled policy is a temporary measure to control the feature and will be removed in a future milestone. You can turn on the feature using the policy to allow you to test for issues and turn it off again as issues are resolved.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows

Deprecate asynchronous range removal for Media Source extensions
The Media Source standard changed in the past to disallow ambiguously-defined behavior involving asynchronous range removals:
- SourceBuffer.abort() no longer aborts SourceBuffer.remove() operations
- Setting MediaSource.duration can no longer truncate currently buffered media
Exceptions are thrown in both of these cases now. Safari and Firefox have long shipped this behavior; Chromium is the last browser remaining with the old behavior. Use counters show ~0.001%-0.005% of page loads hit the deprecated behavior. If a site hits this issue, playback may now break. Usage of abort() cancelling removals is increasing, so it's prudent to resolve this deprecation before more incompatible usage appears.
- Chrome 138 on Windows, macOS, Linux, Android

Language Detector API
Language Detector API is a JavaScript API for detecting the language of text, with confidence levels. An important supplement to translation is language detection. This can be combined with translation, for example, taking user input in an unknown language and translating it to a specific target language. Browsers today often already have language detection capabilities, and we want to offer them to web developers through a JavaScript API, supplementing the translation API. An enterprise policy, GenAILocalFoundationalModelSettings, is available to disable the underlying model downloading, which would render this API unavailable.
- Chrome 138 on Windows, macOS, Linux

Summarizer API
Summarizer API is a JavaScript API for producing summaries of input text, backed by an AI language model. Browsers and operating systems are increasingly expected to gain access to a language model. By exposing this built-in model, we avoid every website needing to download their own multi-gigabyte language model, or send input text to third-party APIs. The Summarizer API, in particular, exposes a high-level API for interfacing with a language model to summarize inputs for a variety of use cases (Github), in a way that does not depend on a specific language model.

An enterprise policy (GenAILocalFoundationalModelSettings) is available to disable the underlying model downloading, which would render this API unavailable.
- Chrome 138 on Windows, macOS, Linux

Translator API
Translator API is a JavaScript API to provide language translation capabilities to web pages. Browsers are increasingly offering language translation to their users. Such translation capabilities can also be useful to web developers. This is especially the case when the browser's built-in translation abilities cannot help. An enterprise policy, GenAILocalFoundationalModelSettings, is available to disable the underlying model downloading, which would render this API unavailable.
- Chrome 138 on Windows, macOS, Linux

Web serial over Bluetooth on Android
This feature allows web pages and web apps to connect to serial ports over Bluetooth on Android devices. Chrome on Android now supports Web Serial API over Bluetooth RFCOMM. Existing enterprise policies (DefaultSerialGuardSetting, SerialAllowAllPortsForUrls, SerialAllowUsbDevicesForUrls, SerialAskForUrls and SerialBlockedForUrls) on other platforms are enabled in future_on states for Android. All policies except SerialAllowUsbDevicesForUrls will be enabled after the feature is enabled. SerialAllowUsbDevicesForUrls will be enabled in a future launch after Android provides system level support of wired serial ports.
- Chrome 138 on Android

New policies in Chrome browser

Policy	Description
AIModeSettings	Settings for Google's AI Mode integrations in the address bar and New Tab page search box.
PdfAnnotationsEnabled	Enable PDF Annotations.
TLS13EarlyDataEnabled	Enable TLS 1.3 Early Data.
NTPFooterExtensionAttributionEnabled	Control the visibility of the extension attribution on the New tab page
PrefetchWithServiceWorkerEnabled	Allow SpeculationRules prefetch to ServiceWorker-controlled URLs.
EnterpriseRealTimeUrlCheckMode	Check Safe Browsing status of URLs in real time.
LocalNetworkAccessRestrictionsEnabled	Apply restrictions to requests to local network endpoints.
PrivacySandboxIpProtectionEnabled	Choose whether the IP Protection feature should be enabled.
PasswordManagerBlocklist	Configure the list of domains for which the Password Manager will be disabled.

Removed policies in Chrome browser

Policy	Description
PrivateNetworkAccessRestrictionsEnabled	Apply restrictions to requests to more-private network endpoints.
InsecurePrivateNetworkRequestsAllowed	Allow websites to make requests to more-private network endpoints in an insecure manner.
InsecurePrivateNetworkRequestsAllowedForUrls	Allow the listed sites to make requests to more-private network endpoints in an insecure manner.

Chrome Enterprise Core changes

Agentspace recommendations in Chrome search bars
To help enterprise users with their internal information needs, you can now add enterprise search results, such as people, file, or query suggestions, from Agentspace to the Chrome address bar and realbox (search bar on the New tab page). Results can be shown by default or only when triggered by a custom keyword.

With keyword mode in the address bar, users can trigger actions through Agentspace, such as, "help me write an email that summarizes the current project status".

The enterprise search provider is shown when the user types @ in the address bar. The organization can customize a keyword or shortcut and the icon shown.

This can be configured via the EnterpriseSearchAggregatorSettings policy.
- Chrome 135 on ChromeOS, Linux, macOS, Windows: Trusted Tester
- Chrome 138 on ChromeOS, Linux, macOS, Windows: General Availability

Deprecation of the Chrome browser page on the Chrome Insights report
As early as July 1st, the Chrome browser page on the Chrome Insights report will be deprecated. This page is replaced by the Chrome Overview page that was launched in Chrome 137. The information, which was displayed on the Chrome browser page of the Chrome Insights report, can now be found on the Overview page.
- Chrome 138 on Android, iOS, Linux, macOS, Windows

Inactive profile deletion in Chrome Enterprise Core
In June 2025, the inactive period for profile deletion setting started to roll out. In July 2025, the setting will begin to automatically delete managed profiles in the Admin console that have been inactive for more than the defined inactivity period. The inactivity period of time has a default value of 90 days. By default, all managed profiles that have been inactive for more than 90 days are deleted from your account. Administrators can change the inactive period value using this setting. The maximum value to determine the profile inactivity period is 730 days and the minimum value is 28 days.

If you lower the set value, it might have a global impact on any currently managed profiles. All impacted profiles will be considered inactive and, therefore, be deleted. This does not delete the user account. If an inactive profile is re-activated on a device, that profile will reappear in the console.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows: Policy will roll out in June. Deletion will start in July and the initial wave of deletion will complete by the end of August. After the initial deletion rollout, inactive profiles will continue to be deleted once they have reached their inactivity period.

New LayerX risk assessment in the Admin console
We are adding a new extension risk assessment provider: LayerX Security to the Admin console. This score is available to Admins in the Apps and Extensions Usage report.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: The score would be available to admins as early as Chrome 138.

Multiple identity support on iOS
Chrome on iOS now supports multiple accounts, particularly for managed (work or school) accounts. This update introduces separate browser profiles for each managed account, ensuring strict data separation between work and personal browsing. Regular accounts continue to share a single profile.

This change aims to improve Chrome's enterprise offering and provide a more secure and organized browsing experience, especially for end users with both personal and work accounts on their device. Users experience a one-time onboarding flow when adding a managed account to the device. They can switch between accounts by tapping on the account particle disk on the New tab page.

Admins who enabled Chrome policies on iOS (see instructions) can continue to use existing policies.
- Chrome 138 on iOS

Chrome Enterprise Premium changes

Read more about the differences between Chrome Enterprise Core and Chrome Enterprise Premium.

SecOps integration
This feature delivers a native integration between Chrome Enterprise Premium (CEP) and Google Security Operations (SecOps), enabling organizations to send a richer set of security events and detailed browser telemetry from Chrome directly to their SecOps instance. The motivation for this change is to use the browser as a primary security sensor for web-based threats like phishing, malware, and data exfiltration. This can significantly improve an organization's ability to:
- prevent
- detect
- investigate
- and respond to web-based threats.
For administrators, this integration introduces new, enhanced security event types, including URL navigation telemetry and suspicious URL visits. These events are automatically enriched with Safe Browsing risk scores and other threat intelligence before being sent to SecOps. The launch also includes a new, streamlined "one-click" setup process in the Admin console to replace the previous manual workflow, simplifying the connection to SecOps.

To use this feature, administrators must have a Chrome Enterprise Premium subscription and will need to enable the integration through the new workflow in the Admin console. The collection of certain high-volume event types, such as URL navigation events, is an opt-in setting within the connector configuration. This feature does not add or modify any enterprise policies.
- Chrome 137 on Linux, macOS, Windows: Adds referrer data to URLFilteringInterstitialEvent and SafeBrowseInterstitialEvent
- Chrome 138 on Linux, macOS, Windows: Extends referrer data population to SafeBrowseDangerousDownloadEvent and DlpSensitiveDataEvent

URL Filtering capabilities on iOS
The current WebProtect URL Filtering capabilities on Desktop are being extended to mobile so that organizations can audit, warn, or block certain URLs or categories of URLs from loading on managed Chrome browsers or managed user profiles on mobile devices. This feature is part of Chrome Enterprise Premium and aims to provide secure and safe internet access for enterprise users on any device. Admins can create URL filtering rules to ensure that employees can only access safe and authorized URLs on iOS devices. Chrome reports URL filtering events and unsafe site events via the Reporting Connector on mobile. This feature allows administrators to manage which URLs can be accessed on managed Chrome browsers or profiles on company-owned or BYOD iOS devices.

Key changes include:

- Admins can block, warn, or audit users when accessing certain sites or categories.

- Users see interstitial pages when attempting to visit blocked or warned URLs.

- Chrome reports URL filtering events.

- Updates to the chrome://management page reflect the new functionality.
- Chrome 138 on iOS: The URL Filtering feature becomes available on iOS.

DLP Download Support for File System Access API (FSA)
Data Loss Prevention (DLP) protection now covers files and directories downloaded using the File System Access (FSA) API. This enhancement ensures that downloads from modern web applications, such as browser-based editors, are scanned according to your organization's DLP rules. Users and websites receive notifications on scan verdicts, strengthening data security and compliance. If a download violates a DLP policy, it is blocked, resulting in an empty file, and the website might indicate a "Blocked by Safe Browsing" error. This change primarily benefits security by preventing data exfiltration through this vector. Administrators should test this with web applications using the FSA API to observe the behavior with their current DLP configurations.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: Enables DLP content analysis for downloads initiated via File System Access API on selected platforms, governed by existing enterprise policies.

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

Chrome on Android no longer supports Android Oreo or Android Pie
The last version of Chrome that supports Android Oreo or Android Pie is Chrome 138, and it includes a message to affected users informing them to upgrade their operating system. Chrome 139 and newer versions will not be supported on, nor shipped or available to, users running Android Oreo or Android Pie.
- Chrome 139 on Android: Chrome on Android no longer supports Android Oreo or Android Pie.

Gemini in Chrome
Gemini is now integrated into Chrome on macOS and Windows, and can understand the content of your current page. Users can now seamlessly get key takeaways, clarify concepts, and find answers, all without leaving their Chrome tab. This integration includes both chat—where users can interact with Gemini via text, and “Gemini Live” , by which users can interact with Gemini via voice.

In Chrome 137, Gemini in Chrome is available for Google AI Pro and Ultra subscribers in the US. A broader rollout will come in future milestones. Admins can turn off this feature (value 1) using the GeminiSettings policy or by using the GenAiDefaultSettings (value 2). For more details, see Gemini in Chrome in the Help Center.
- Chrome 137 on macOS, Windows: Feature is available for some Google AI Pro and Ultra subscribers in the US and on pre-Stable (Dev, Canary, Beta) channels in the US.
- Chrome 139 on macOS, Windows: Feature gradually rolls out on Stable for users signed into Chrome in the US.

Malicious APK download checks
Chrome on Android will now contact Google servers about APK files downloaded in Chrome, to get a verdict about their safety. If a downloaded APK file is determined to be dangerous, Chrome will show a warning and block the download, to protect users against mobile malware. Such download warnings will be bypassable by the user through the Chrome UI. These malicious APK download checks will be performed for users enrolled in Standard Protection or Enhanced Protection from Google Safe Browsing. This feature can be disabled by setting the Safe Browsing mode to "No Protection" via the SafeBrowsingProtectionLevel policy.
- Chrome 139 on Android

Upcoming change for CA certificates included in the Chrome Root Store
In response to sustained compliance failures, Chrome 139 changes how publicly-trusted TLS server authentication, that is, websites or certificates issued by Chunghwa Telecom and Netlock, are trusted by default. This applies to Chrome 139 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.

Specifically, TLS certificates validating to the Chunghwa Telecom or Netlock root CA certificates included in the Chrome Root Store and issued:

    - after July 31, 2025, will no longer be trusted by default.

    - on or before July 31, 2025, will be unaffected by this change.

If a Chrome user or an enterprise explicitly trusts any of the affected Chunghwa Telecom or Netlock certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.

For additional information and testing resources, see Sustaining Digital Certificate Security - Upcoming Changes to the Chrome Root Store.

To learn more about the Chrome Root Store, see this FAQ.
- Chrome 139 on Android, ChromeOS, Linux, macOS, Windows: All versions of Chrome 139 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after July 31, 2025.

Migrate extensions to Manifest V3 before June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.

In June 2024, Chrome began to gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.

You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core.
- Chrome 127 on ChromeOS, LaCrOS, Linux, macOS, Windows: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, Linux, macOS, Windows: Remove ExtensionManifestV2Availability policy.

Promotional notifications
From Chrome 128, promotional OS-level notifications are shown to users. These notifications are governed by the PromotionsEnabled enterprise policy.
- Chrome 128 on ChromeOS, Linux, macOS, Windows
- Chrome 139 on Windows: In Chrome 138, promo notifications were only activated on Chrome clients when upgrading from Windows 10 to Windows 11. From Chrome 139, this is being extended to all Windows Chrome installations. Notifications will still be only shown to a subset of low-engaged users, and these can be disabled through the PromotionsEnabled enterprise policy.

Remove risky extension flags in Google Chrome
To enhance the security and stability of the Chrome browser for our users, official Chrome branded builds will be removing --extensions-on-chrome-urls and --disable-extensions-except command-line flags starting in Chrome 139. This change aims to mitigate the risks associated with harmful and unwanted extensions.

Developers can still use the both flags in non-branded builds such as Chromium and Chrome For Testing.
- Chrome 139 on Linux, macOS, Windows: Gradual roll-out

Remove SwiftShader fallback
Allowing automatic fallback to WebGL backed by SwiftShader is deprecated and WebGL context creation now fails instead of falling back to SwiftShader. This was done for two primary reasons:
1. SwiftShader is a high security risk due to JIT-ed code running in Chromium's GPU process.
2. Users have a poor experience when falling back from a high-performance GPU-backed WebGL to a CPU-backed implementation. Users have no control over this behavior and it is difficult to describe in bug reports.
SwiftShader is a useful tool for web developers to test their sites on systems that are headless or do not have a supported GPU. This use case will still be supported by opting in but is not intended for running untrusted content. To opt in to lower security guarantees and allow SwiftShader for WebGL, run the chrome executable with the --enable-unsafe-swiftshader command-line switch.

During the deprecation period, a warning will appear in the javascript console when a WebGL context is created and backed with SwiftShader. Passing --enable-unsafe-swiftshader will remove this warning message.

Chromium and other browsers do not guarantee WebGL availability. It is important to test and handle WebGL context creation failure and fall back to other web APIs such as Canvas2D or an appropriate message to the user. A temporary enterprise policy will be available in Chrome 138 to revert the change.
- Chrome 137 on Windows: SwiftShader will be disabled and replaced with another software WebGL fallback, WARP. Tests depending on the exact pixel values generated by SwiftShader may start failing.
- Chrome 139 on Linux, macOS: Swiftshader will be disabled on macOS and Linux as early as Chrome 138. Users on machines without a GPU will not be able to use WebGL.

Support accounts in pending state on Chrome iOS
Accounts whose credentials somehow became invalid will no longer be automatically signed out and removed from Chrome on iOS. Instead, these accounts will stay signed in to the browser, in a newly introduced "pending state" associated with a persistent error indication in the UI so users are encouraged to resolve it. This also means that local data associated with these accounts will no longer be automatically deleted, but instead kept on disk. Existing policies controlling sign-in (for example, BrowserSignin) will continue to work as before.
- Chrome 139 on iOS: Feature will gradually roll out

Chrome to remove support for macOS 11
Chrome 138 will be the last release to support macOS 11; Chrome 139+ will no longer support macOS 11, which is outside of its support window with Apple. Running on a supported operating system is essential to maintaining security.

On Macs running macOS 11, Chrome will continue to work, showing a warning infobar, but will not update any further. If a user wishes to have their Chrome updated, they need to update their computer to a support version of macOS. For new installations of Chrome 139+, macOS 12+ will be required.
- Chrome 139 on Windows, macOS, Linux

Clear window name for cross-site navigations that switches browsing context group
The value of the window.name property is currently preserved throughout the lifetime of a tab, even with navigation that switches browsing context groups, which can leak information and potentially be used as a tracking vector. Clear the window.name property in this case addresses this issue.

This update will introduce a new temporary enterprise policy, ClearWindowNameCrossSiteBrowsing, which will stop working in Chrome 142.
- Chrome 139 on Windows, macOS, Linux, Android, iOS

Fire error event instead of throwing exception for CSP blocked worker
When blocked by Content Security Policy (CSP), Chromium currently throws a SecurityError from the constructor of Worker and SharedWorker. To be spec-compliant, the CSP needs to be checked as part of fetch and then fire error events asynchronously instead of throwing an exception when the script runs "new Worker(url)" or "new SharedWorker(url)".

This update aims to make Chromium spec-conformant, which is, it no longer throws exceptions following constructor calls, and fires error events asynchronously.
- Chrome 139 on Windows, macOS, Linux, Android

Web App Manifest: specify update eligibility, icon URLs are Cache-Control: immutable
As early as Chrome 139, the Web App manifest will specify an update eligibility algorithm. This makes the update process more deterministic and predictable, giving the developer more control over whether (and when) updates should apply to existing installations, and allowing removal of the 'update check throttle' that user agents currently need to implement to avoid wasting network resources.
- Chrome 139 on Windows, macOS, Linux
- Chrome 140 on Android

2SV enforcement for admins
To better protect your organization’s information, Google will soon require all accounts with access to admin.google.com to have 2-Step Verification (2SV) enabled. As a Google Workspace administrator, you need to confirm your identity with 2SV, which requires your password plus something additional, such as your phone or a security key.

The enforcement will be rolled out gradually over the coming months. You should enable 2SV for the admin accounts in your organization before Google enforces it. For more information, see this Help Center article.
- Chrome 137 on ChromeOS, Linux, macOS, Windows: 2SV enforcement starts
- Chrome 140 on ChromeOS, Linux, macOS, Windows: 2SV mandatory

Happy Eyeballs V3
This launch is an internal optimization in Chrome that implements Happy Eyeballs V3 to achieve better network connection concurrency. Happy Eyeballs V3 performs DNS resolutions asynchronously and staggers connection attempts with preferable protocols (H3/H2/H1) and address families (IPv6 or IPv4) to reduce user-visible network connection delay. This feature is gated by a temporary policy HappyEyeballsV3Enabled.
- Chrome 140 on Android, ChromeOS, Linux, macOS, Windows

Isolated Web Apps
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering that is necessary for developers of security-sensitive applications.

Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the explainer.

In this initial release, IWAs will only be installable through an admin policy on enterprise-managed ChromeOS devices.
- Chrome 140 on Windows This rollout adds support for Isolated Web Apps in enterprise-managed browser configurations on Windows.

Disallow non-trustworthy plaintext HTTP prerendering
This launch will provide the capability to disallow non-trustworthy plaintext HTTP prerendering.
- Chrome 140 on Windows, macOS, Linux, Android

HSTS tracking prevention
This update will mitigate user tracking by third-parties via the HTTP Strict Transport Security (HSTS) cache. This feature only allows HSTS upgrades for top-level navigations and blocks HSTS upgrades for sub-resource requests. Doing so makes it infeasible for third-party sites to use the HSTS cache in order to track users across the web.
- Chrome 140 on Windows, macOS, Linux, Android

IP Protection
This feature limits availability of a user’s original IP address in third-party contexts in Incognito mode, enhancing Incognito's protections against cross-site tracking when users choose to browse in this mode. IP addresses facilitate a range of use cases, including routing traffic and preventing fraud and spam. However, they can also be used for tracking. For Chrome users who choose to browse in Incognito mode, we want to provide additional control over their IP address, without breaking essential web functionality. To strike this balance between protection and usability, this proposal focuses on limiting the use of IP addresses in a third-party context in Incognito mode. To that end, this proposal uses a list-based approach, where only domains on the Masked Domain List (MDL) in a third-party context will be impacted. For enterprises, this feature can be controlled via the PrivacySandboxIpProtectionEnabled enterprise policy.
- Chrome 140 on Windows, macOS, Linux, Android

Strict Same Origin Policy for Storage Access API
We plan to adjust the Storage Access API semantics to strictly follow the Same Origin Policy, to enhance security. Using document.requestStorageAccess() in a frame only attaches cookies to requests to the iframe's origin (not site) by default. The CookiesAllowedForUrls policy or Storage Access Headers can still be used to unblock cross-site cookies.
- Chrome 140 on Windows, macOS, Linux, Android

Disallow spaces in non-file:// URL hosts
According to the URL Standard specification, URL hosts cannot contain the space character, but currently URL parsing in Chromium allows spaces in the host. This causes Chromium to fail several tests included in the Interop2024 HTTPS URLs for WebSocket and URL focus areas. To bring Chromium into spec compliance, we would like to remove spaces from URL hosts altogether, but a difficulty with this is that they are used in the host part in Windows file:// URLs (Github).
- Chrome 141 on Android, ChromeOS, LaCrOS, Linux, macOS, Windows, Fuchsia

SafeBrowsing API v4 → v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5. If admins have any v4-specific URL allowlisting to allow network requests to https://safebrowsing.googleapis.com/v4*, these should be modified to allow network requests to the whole domain instead: safebrowsing.googleapis.com. Otherwise, rejected network requests to the v5 API will cause security regressions for users. For more details, see Migration From V4 - Safe Browsing.
- Chrome 145 on Android, iOS, ChromeOS, Linux, macOS, Windows: Feature would gradually roll-out

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Administrators may use the UiAutomationProviderEnabled enterprise policy starting in Chrome 125 to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 146, and will be removed in Chrome 147. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows: The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt in early to the new behavior, or to temporarily opt out through Chrome 146.
- Chrome 147 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Upcoming Chrome Enterprise Core changes

New remote commands and CSV export for the Managed profiles list

The Admin console will support profile-level "Clear cache" and "Clear cookies" remote commands, and CSV export for the Managed Profiles list. You can select one or multiple profiles and perform a remote command.
- Chrome 137 on Android, Linux, macOS, Windows: Adding CSV export for Managed profiles.
- Chrome 139 on Linux, macOS, Windows: Profile-level support for remote commands.

New tab page cards for Microsoft 365

Enterprise users with Outlook or SharePoint will be able to access their upcoming meetings or suggested files directly from the New tab page. This streamlined experience eliminates the need to switch tabs or waste time searching for your next meeting, allowing you to focus on what matters most. Admins can enable the cards with NTPSharepointCardVisible and NTPOutlookCardVisible. For Microsoft tenants who do not allow for self-authorization, the admin must also consent to the app permissions during first authentication or approve the app for use in Microsoft Entra.
- Chrome 134 on Linux, macOS, Windows: Available to Trusted Testers
- Chrome 137 on Linux, macOS, Windows: Gradual rollout to all customers
- Chrome 139 on ChromeOS, Linux, macOS, Windows: Users will not need to be signed into Chrome to use this feature

Chrome Enterprise Overview page

This launch is introducing a new Overview page in the Chrome browser section of the Google Admin console. The Overview page allows IT administrators to quickly find key information about their deployment:

- Active & inactive profiles and enrolled browsers

- Identify browsers out-of-date and with pending updates

- Identify high-risk extensions (according to Spin.AI) and get a preview of most requested extensions

- Security Insights (for example, sensitive file uploads or downloads)

The Overview page also allows admins to quickly access key actions such as managing extensions, accessing the browser or profile list and setting Update policies, to name a few.
- Chrome 137 on Android, iOS, Linux, macOS, Windows
- Chrome 140 on Android, iOS, Linux, macOS, Windows: New filtering available on the Overview page for Organization Unit and Activity Dates

Upcoming Chrome Enterprise Premium changes

Chrome browser rule UX refactor
To enhance the Data Loss Prevention (DLP) rule creation experience, the Google Admin console is being updated to streamline how administrators define policies for different applications like Chrome and Workspace. This first introduces mutually exclusive application groups, meaning that a single DLP rule can now only target one application group at a time—either Workspace apps (like Drive, Gmail), Chrome browser triggers (like file upload, URL visited), or ChromeOS triggers. This change simplifies rule configuration, eliminates potential conflicts from overlapping app selections, and lays the groundwork for more specialized and user-friendly workflows tailored to each platform's needs.

Administrators will see an updated "Apps" selection interface using radio buttons to enforce this single-group selection for new rules. Existing rules that previously combined applications from multiple groups will be transparently migrated by the system into separate, compliant, single-platform rules to ensure continued protection and a seamless transition. Banners within the Admin console will provide information regarding these changes and the migration process. No new enterprise policies are introduced with this update; the changes are to the rule configuration interface.
- Chrome 139 on ChromeOS, Linux, macOS, Windows: Enables mutually exclusive app selection for DLP rule configuration in Admin console

Copy and Paste rules protection
To help organizations better prevent data exfiltration on mobile devices, Chrome is extending its existing desktop clipboard data controls. Administrators can now use the DataControlsRules policy to set rules that block or warn users when they attempt to copy or paste content that violates organizational policies. This feature allows admins to define data boundaries and prevent sensitive information from being pasted from a work context into personal apps or websites on their mobile fleet. This addresses a significant security gap and a frequently requested feature from enterprise customers who have cited the lack of mobile data controls as a concern. To use this feature, administrators can configure clipboard restrictions within the DataControlsRules policy, providing a consistent management experience across desktop and mobile to strengthen their organization's overall security posture.
- Chrome 139 on Android: Copy and Paste rules protection available on Android

↑ back to top

ChromeOS 138 release summary

ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Class Tools		✓	✓
ChromeOS freeform wallpapers		✓
Help me read on ChromeOS		✓
Accessibility updates		✓
Expansion of the Disabled System Features policy			✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Chrome apps changes		✓
Native Client (NaCl) deprecation	✓
EAP/TLS server certificate validation	✓		✓

DOWNLOAD Release notes (PDF)

↑ back to top

ChromeOS updates

Class Tools

Class Tools are premium teaching and learning tools built for Chromebooks. They aim to provide teachers with real-time classroom management tools and enhance learning for students. Class Tools help teachers to:
- send and lock website content on student Chromebooks.
- offer students on-screen captions and real-time translations.
- view and share students' screens.
To learn more, see Overview of Class Tools in the Help Center. To use Class Tools, your organization needs to have a Google Workspace for Education Plus or a Teaching and Learning add-on license. For more details, see Education Plus edition.

ChromeOS freeform wallpapers

As early as ChromeOS 138, freeform wallpapers offer an unrestricted input field that empowers users to express their individuality, creativity, and passions by turning their background into a personal canvas. Users can generate wallpapers by inputting different prompts in the text field, or use the Inspire me feature, which will generate random prompts and wallpapers until you find one you like. This feature is available on Chromebook Plus devices only. For more information, see Wallpaper settings.

Admins can control this feature using the GenAIWallpaperSettings policy.
- For 18+ consumers, the default is Allow with data collection.
- For 18+ managed users, the default is Allow without data collection.
- Users under 18 cannot access the feature.

Help me read on ChromeOS

As early as ChromeOS 138, Help me read on ChromeOS provides an AI-powered solution to help you quickly understand text information written in verbose and convoluted language or with jargon. Select a piece of text and right-click on it to reveal the simplify button that can give you a straightforward version of the source, which can be digested at a glance.

Admins can control access to this feature using the HelpMeReadSettings policy, but users need to explicitly opt in to use Help me read on ChromeOS. This feature is available on Chromebook Plus devices only. For more details, see Chrome—Generative AI features and policies.

Expansion of the Disabled system features policy

We're releasing a significant expansion of the Disabled system features policy. You now have granular control over a wider range of applications, to allow for more tailored device management.
ChromeOS 138 supports disabling the following additional applications:

This update provides administrators with enhanced flexibility to configure available apps according to specific organizational needs and security requirements.
- Web Store
- Canvas
- Explore
- Gallery
- Terminal
- Print Jobs
- Key Shortcuts
- YouTube
- Google Maps
- Gmail
- Google Docs
- Google Slides
- Google Sheets
- Google Drive
- Google Keep
- Google Calendar
- Google Chat

Accessibility updates

In ChromeOS 138, we've focused on refining the accessibility experience by addressing several key issues to improve usability and conformance.

Resolved issues:
- Incorrect Heading Levels: The Wallpaper and style page now uses correct heading levels, improving navigation for screen reader users.
- Gallery App - Date Announcement: ChromeVox now accurately announces date information when browsing the Google Photos image list within the Gallery App.
- Gallery App - px Unit Announcement: To provide clearer context, the px unit is now announced by ChromeVox when navigating Width and Height fields for image rescaling in the Gallery App.
- Out-of-Box Experience (OOBE) - Redundant Announcements: We've streamlined ChromeVox announcements during OOBE updates. The progress indicator is now hidden from screen readers to prevent redundant announcements like Progress indicator, min 0 max 100 and incorrect image announcements.
- Out-of-Box Experience (OOBE) - Focus Disruption: We’ve addressed an issue in OOBE where switching between personal and corporate account enrollment buttons with ChromeVox incorrectly shifted focus to the calendar. Focus now correctly remains on the updated screen or dialog.

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming ChromeOS changes

Chrome apps changes

Starting with ChromeOS 138, admin-installed Chrome apps in kiosk sessions will be disabled by default. A new policy, KioskChromeAppsForceAllowed, will be available prior to the release of ChromeOS 138 for administrators to re-enable Chrome apps in kiosk sessions. With this policy turned on, Chrome apps in kiosk sessions will be supported through ChromeOS 150.

Starting with ChromeOS 139, planned for stable release on August 19th, user-installed Chrome apps on ChromeOS will stop working. Apps that are force-installed through the admin console for Managed Guest sessions (MGS) and user sessions will continue to be supported. For more details, see End of support for Chrome apps.

Native Client (NaCl) deprecation

ChromeOS 138 will be the final release to support Native Client (NaCl) in managed environments with the NaCl allow policy enabled. For devices on the Long-term Support (LTS) channel with this policy active, NaCl support will continue until the LTS Last Refresh in April 2026.

EAP/TLS server certificate validation

Note: This change only affects customers utilizing EAP/TLS network setups and only affects networks set up before January of 2022.

Starting October 1, 2025, we will roll out this fix to the ChromeOS stable channel. A very small number of customers using EAP/TLS configurations might experience connectivity issues if their server certificates are signed by a Certificate Authority (CA) that is currently included in ChromeOS as a System CA.

To minimize disruption, admins can perform one of the following actions:

Option 1 (providing a higher level of security):
1. Generate a new certificate for your Authentication Server, and ensure it is signed by the same Certificate Authority (CA) as used previously.
2. Replace the existing certificates on your Authentication Server with the newly-generated certificates.
Option 2 ( if more time is needed before implementing Option 1):
1. Sign in to Google Admin console.
2. From August 15 to October 1, to check for affected devices, admins can follow these instructions on the Beta channel:
  - Access chrome://histograms in Chrome browser.
  - Perform several disconnect and reconnect cycles for your Ethernet or Wi-Fi network.
  - Allow approximately 10 seconds for data aggregation.
  - Within the chrome://histograms page, search the histogram identified as Network.Shill.Eap.EventCaCertExperiment1:
    1. If the histogram is not present, your configuration is not impacted.
    2. Your configuration is likely to be impacted if a positive value is observed for both Event 8 (FirstCertVerificationFailure) and Event 9 (CertVerificationRetryAttempt).
3. Navigate to the configuration settings for the affected EAP/TLS network.
4. Modify the Server Certificate Authority setting to System default certificate authorities.

↑ back to top

Chrome 137

Chrome 137 release summary

Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Gemini in Chrome		✓
Blob URL Partitioning: Fetching/Navigation	✓
Client’s LLM assistance in mitigating scams	✓
DTLS 1.3	✓
Remove --load-extension command line switch in Google Chrome	✓
Remove SwiftShader fallback	✓
Customizing managed profiles with custom logo and label			✓
Align error type thrown for payment WebAuthn credential creation: SecurityError => NotAllowedError	✓
HSTS tracking prevention	✓
2SV enforcement for admins	✓
Autofill with AI		✓
New policies in Chrome browser			✓
Removed policies in Chrome browser			✓
Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
IP Address Logging & Reporting			✓
Chrome Enterprise Overview page			✓
New remote commands and CSV export for the Managed Profile list			✓
New tab page cards for Microsoft 365		✓	✓
Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
DLP download support for File System Access API (FSA)	✓		✓
Reporting Connector on Mobile	✓		✓
Reporting Safe Browsing events on iOS	✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Bookmarks and reading list improvements on Chrome Desktop	✓	✓
Per-extension user script toggle			✓
Enhanced Safe Browsing as a synced setting	✓
Shared tab groups		✓
Generating insights for Chrome DevTools Console warnings and errors			✓
Removal of Private Network Access enterprise policies	✓
TLS 1.3 Early Data		✓
Predictable reported storage quota		✓
Strict Same Origin Policy for Storage Access API		✓
Summarizer API		✓
Language Detector API		✓
Translator API		✓
Web serial over Bluetooth on Android			✓
Upcoming change for CA certificates included in the Chrome Root Store	✓
Chrome on Android no longer supports Android Oreo or Android Pie			✓
Migrate extensions to Manifest V3 before June 2025	✓	✓	✓
Chrome will remove support for macOS 11			✓
Happy Eyeballs V3		✓
Isolated Web Apps	✓		✓
Disallow spaces in non-file:// URL hosts	✓
SafeBrowsing API v4 → v5 migration	✓
UI Automation accessibility framework provider on Windows		✓
Upcoming Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
Agentspace recommendations in the Chrome omnibox		✓	✓
Inactive profile deletion in Chrome Enterprise Core	✓		✓
Multiple Identity Support on iOS		✓
Upcoming Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
URL Filtering capabilities on iOS	✓
DLP Download Support for File System Access API (FSA)	✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser changes

Gemini in Chrome
Gemini is now integrated into Chrome on macOS and Windows, and can understand the content of your current page. Users can now seamlessly get key takeaways, clarify concepts, and find answers, all without leaving their Chrome tab. This integration includes both chat—where users can interact with Gemini via text, and Gemini Live , by which users can interact with Gemini via voice.

In Chrome 137, Gemini in Chrome is available for Google AI Pro and Ultra subscribers in the US. A broader rollout will come in future milestones. You can check the upcoming publications of these Enterprise Release Notes for availability updates.

Admins can turn off this feature (value 1) using the GeminiSettings policy or by using the GenAiDefaultSettings (value 2). For more details, see Gemini in Chrome in the Help Center.
- Chrome 137: Feature becomes available for some Google AI Pro and Ultra subscribers in the US and on pre-Stable (Dev, Canary, Beta) channels in the US.
- A broader rollout will come in future milestones. You can check the upcoming publications of the Enterprise Release Notes for availability updates.

Blob URL Partitioning: Fetching/Navigation
As a continuation of Storage Partitioning, Chrome 137 now implements partitioning of Blob URL access by Storage Key (top-level site, frame origin, and the has-cross-site-ancestor boolean), with the exception of top-level navigations which will remain partitioned only by frame origin. This behavior is similar to what’s currently implemented by both Firefox and Safari, and aligns Blob URL usage with the partitioning scheme used by other storage APIs as part of Storage Partitioning. In addition, Chrome 137 now enforces noopener on renderer-initiated top-level navigations to Blob URLs where the corresponding site is cross-site to the top-level site performing the navigation. This aligns Chrome with similar behavior in Safari, and the relevant specs have been updated to reflect these changes.

This change can be temporarily reverted by setting the PartitionedBlobURLUsage policy. The policy will be deprecated when the other storage partitioning related enterprise policies are deprecated.
- Chrome 137 on Android, ChromeOS, Linux, macOS, Windows

Client’s LLM assistance in mitigating scams
Users on the web are facing significant amounts of different kinds of scams a day. To combat these scams, Chrome now leverages on-device LLM to identify scam websites for Enhanced Safe Browsing users. Chrome sends the page content to an on-device LLM to infer security-related signals of the page and send these signals to Safe Browsing server side for a final verdict. When enabled, Chrome might consume more bandwidth to download the LLM.

Enhanced Safe Browsing is an existing feature, controlled by the SafeBrowsingProtectionLevel policy.
- Chrome 134 on Linux, macOS, Windows: Gather the brand name and intent summary of the page that triggers keyboard lock to identify scam websites.
- Chrome 135 on Linux, macOS, Windows: Show the warnings to the user based on the server verdict which uses the brand and intent summary of the page that triggered keyboard lock.
- Chrome 137 on Linux, macOS, Windows: Gather brand and intent summary of the page based on server reputation scoring system.
- Chrome 138 on Linux, macOS, Windows: Show the warnings to the user based on the server verdict which uses the brand and intent of the pages that the server reputation system scored.

DTLS 1.3
Chrome 137 adds support for Datagram Transport Layer Security (DTLS) 1.3 for Web Realtime Communication (WebRTC) connections. Previously, DTLS 1.2 was used for all WebRTC connections. This is required to add quantum-resistant cryptography to WebRTC.
- Chrome 137 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia

Remove --load-extension command line switch in Google Chrome
To enhance the security and stability of the Chrome browser for our users, official Chrome-branded builds now deprecate the ability to load extensions via the --load-extension command-line flag, starting in Chrome 137. This change aims to mitigate the risks associated with harmful and unwanted extensions.

Unpacked extensions can be loaded via the Load Unpacked button on the extension management page (chrome://extensions/) with developer mode enabled. Developers can still use the --load-extension switch in non-branded builds such as Chromium and Chrome For Testing.
- Chrome 137 on Linux, macOS, Windows

Remove SwiftShader fallback
Allowing automatic fallback to WebGL backed by SwiftShader is deprecated and WebGL context creation now fails instead of falling back to SwiftShader.

This was done for two primary reasons:
1. SwiftShader is a high security risk due to JIT-ed code running in Chromium's GPU process.
2. Users have a poor experience when falling back from a high-performance GPU-backed WebGL to a CPU-backed implementation. Users have no control over this behavior and it is difficult to describe in bug reports.
SwiftShader is a useful tool for web developers to test their sites on systems that are headless or do not have a supported GPU. This use case will still be supported by opting in but is not intended for running untrusted content. To opt in to lower security guarantees and allow SwiftShader for WebGL, run the chrome executable with the --enable-unsafe-swiftshader command-line switch.

During the deprecation period, a warning will appear in the JavaScript console when a WebGL context is created and backed with SwiftShader. Passing --enable-unsafe-swiftshader will remove this warning message.

Chromium and other browsers do not guarantee WebGL availability. It is important to test and handle WebGL context creation failure and fall back to other web APIs such as Canvas2D or an appropriate message to the user. A temporary enterprise policy will be available in Chrome 138 to revert the change.
- Chrome 137 on Windows: SwiftShader will be disabled and replaced with another software WebGL fallback, WARP. Tests depending on the exact pixel values generated by SwiftShader may start failing.
- Chrome 138 on Linux, macOS: Swiftshader will be disabled on macOS and Linux as early as Chrome 138. Users on machines without a GPU will not be able to use WebGL.

Customizing managed profiles with custom logo and label
Chrome 137 has a new toolbar and profile menu customizations that help users easily identify if their Chrome profile is managed, whether they're on a work or personal device. This is especially useful for BYOD scenarios where employees use their own devices with managed accounts.

To help tailor this experience, we're adding three new policies:

- EnterpriseCustomLabel: Customize the text displayed on the toolbar element to match your organization's branding.

- EnterpriseLogoUrl: Add your company logo to the profile menu.

- EnterpriseProfileBadgeToolbarSettings: This policy can disable the default label for a managed profile in the Chrome toolbar.

In Chrome 134, these policies became available to customize the logo and label shown on a managed profile. Starting Chrome 137, there are updates to the default behavior of the profile label and icon overlaid on the account avatar. In Chrome 138, managed profiles will show a work or school label in addition to the profile disk. In the profile menu, there will be a building icon overlaid on the account avatar. The expanded profile disk can be disabled via EnterpriseProfileBadgeToolbarSettings.
- Chrome 134 on LaCrOS, macOS, Windows: Policies to customize the toolbar label and icon (in profile menu).
- Chrome 136 on Linux, macOS, Windows: Rollout of Managed by your organization in profile menu . The logo can be customized via EnterpriseLogoUrl policy.
- Chrome 137 on Linux, macOS, Windows: Rollout of default work and school labels in Chrome toolbar. The label can be turned off via EnterpriseProfileBadgeToolbarSettings.

Align error type thrown for payment WebAuthn credential creation: SecurityError => NotAllowedError
This change corrects the error type thrown during WebAuthn credential creation for payment credentials. Due to a historic specification mismatch, creating a payment credential in a cross-origin iframe without a user activation would throw a SecurityError instead of a NotAllowedError, which is what is thrown for non-payment credentials.

Code that previously detected the type of error thrown, for example, `e instanceof SecurityError`, would be affected. Code that just generally handles errors during credential creation, for example, `catch (e)`, will continue to function correctly.
- Chrome 137 on Windows, macOS, Linux, Android

HSTS tracking prevention
HTTP Strict Transport Security (HSTS) tracking prevention mitigates user tracking by third-parties via the HSTS cache. This feature only allows HSTS upgrades for top-level navigations and blocks HSTS upgrades for sub-resource requests. Doing so makes it infeasible for third-party sites to use the HSTS cache in order to track users across the web.
- Chrome 137 on Windows, macOS, Linux, Android

2SV enforcement for admins
To better protect your organization’s information, Google will soon require all accounts with access to admin.google.com to have 2-Step Verification (2SV) enabled. As a Google Workspace administrator, you need to confirm your identity with 2SV, which requires your password plus something additional, such as your phone or a security key.

The enforcement will be rolled out gradually over the coming months. You should enable 2SV for the admin accounts in your organization before Google enforces it. For more information, see this Help Center article.

Autofill with AI
Starting in Chrome 137, some users can turn on Autofill with AI, a new feature that helps users fill out online forms more easily. On relevant forms, Chrome can use AI to better understand the form and offer users to automatically fill in previously saved info. Admins can control the feature using the existing GenAiDefaultSettings policy and a new AutofillPredictionSettings policy.
- Chrome 137 on Linux, macOS, Windows, ChromeOS

New policies in Chrome browser

Policy	Description
GeminiSettings	Settings for Gemini integration
AutofillPredictionSettings	Settings for Autofill with AI
ProvisionalNotificationsAllowed	Allows the app to use provisional notification authorization on iOS
RelaunchFastIfOutdated	Relaunch fast if outdated
UserSecurityAuthenticatedReporting	Enable cloud reporting of security signals in managed profiles
BuiltInAIAPIsEnabled	Allow pages to use the built-in AI APIs
OnSecurityEventEnterpriseConnector	Configuration policy for the OnSecurityEvent Chrome Enterprise Connector (now available on iOS)
UserSecuritySignalsReporting	Enable cloud reporting of security signals in managed profiles

Removed policies in Chrome browser

Policy	Description
MutationEventsEnabled	Re-enable deprecated/removed Mutation Events
TabOrganizerSettings	Settings for Tab Organizer
ZstdContentEncodingEnabled	Enable zstd content-encoding support

Chrome Enterprise Core changes

IP Address Logging & Reporting
Chrome Enterprise will enhance security monitoring and incident response capabilities by collecting and reporting local and remote IP addresses and sending those IP addresses to the Security Investigation Tool (SIT) logs. In addition, Chrome Enterprise will allow admins to optionally send the IP addresses to first-party and third-party security information and event management (SIEM) providers via the Chrome Enterprise reporting connector. For more details, see Manage Chrome Enterprise reporting connectors. This will be available for Chrome Enterprise Core and Chrome Enterprise Premium customers.
- Chrome 137 on Windows, macOS, Linux

Chrome Enterprise Overview page
Chrome Browser Enterprise is introducing a new Overview page in the Chrome browser section of the Google Admin console. The Overview page allows IT administrators to quickly find key information about their deployment:

- Active and inactive profiles and enrolled browsers

- Identify browsers out-of-date and with pending updates

- Identify high-risk extensions (according to Spin.AI) and get a preview of most requested extensions

The Overview page also allows you to quickly access key actions, such as, managing extensions (block and allow) and accessing browser and profile lists.
- Chrome 137 on Android, iOS, Linux, macOS, Windows

New remote commands and CSV export for the Managed profiles list
The Admin console will support profile-level "Clear cache" and "Clear cookies" remote commands, and CSV export for the Managed Profiles list. You can select one or multiple profiles and perform a remote command.
- Chrome 137 on Android, Linux, macOS, Windows: Adding CSV export for Managed profiles. You can export the Managed profile data outside of the Admin console.
- Chrome 138 on Linux, macOS, Windows: Profile-level support for the Clear cache and Clear cookies remote commands. In the Managed profile list, you will be able to select one or multiple profiles and perform a remote command.

New tab page cards for M365
Enterprise users with Outlook or Sharepoint can now access their upcoming meetings or suggested files directly from the New tab page. This streamlined experience eliminates the need to switch tabs or waste time searching for your next meeting, allowing you to focus on what matters most.

Admins can enable the cards with NTPSharepointCardVisible and NTPOutlookCardVisible. For Microsoft tenants who do not allow for self-authorization, the admin must also consent to the app permissions during first authentication or approve the app for use in Microsoft Entra.
- Chrome 134 on Linux, macOS, Windows: Trusted Testers
- Chrome 137 on Linux, macOS, Windows: Rollout starts

Chrome Enterprise Premium changes

Read more about the differences between Chrome Enterprise Core and Chrome Enterprise Premium.

DLP download support for File System Access API (FSA)
Chrome Enterprise Premium's Data Loss Prevention (DLP) content analysis and Safe Browse deep scans now extend to folder and directory downloads initiated via the File System Access (FSA) API, for example, in web-based IDEs. This addresses a gap, enhancing data security by applying existing DLP rules (configured via DataLeakPreventionRulesList and SafeBrowsingDeepScanningEnabled policies) to these operations.

If a download violates a DLP policy, it will be blocked, resulting in an empty file, and the website might indicate a Blocked by Safe Browse error. This change primarily benefits security by preventing data exfiltration through this vector. Administrators should test this with web applications using the FSA API to observe the behavior with their current DLP configurations.
- Chrome 137 on ChromeOS, Linux, macOS, Windows: Enables DLP content analysis for downloads initiated via File System Access API on selected platforms, governed by existing enterprise policies.

Reporting Connector on Mobile
The Chrome Enterprise Reporting Connector is being updated to include security event reporting from Chrome on mobile devices (Android and iOS). This will provide IT admins with visibility into events such as unsafe site visits, sensitive data transfers (as per Data Protection rules), and URL Filtering matches occurring on mobile, achieving feature parity with existing desktop reporting. This enhancement aims to improve the organization's overall security posture by extending threat detection and data protection capabilities to mobile platforms.

For customers utilizing the Security Investigation Tool (SIT), these new mobile browser events will be available for investigation; this SIT integration is a feature of Chrome Enterprise Premium. IT admins should be aware that these additional event types from mobile will begin to flow through their configured Reporting Connector.

No new, specific enterprise policies are being introduced to control this mobile reporting extension itself; existing configurations for the Reporting Connector, Data Protection rules, and URL Filtering policies will determine the events generated and reported.
- Chrome 137 on Android, iOS: Enables security event reporting, for example, unsafe sites, sensitive data transfers, URL filtering, via the Reporting Connector for Chrome on Mobile

Reporting Safe Browsing events on iOS
The feature will enable Safe Browsing events reporting on iOS to help increase the security of enterprise environments. This feature has already been implemented on Desktop and Android, we are now extending it to iOS. For details on how to turn on this feature, see this Help Center article.
- Chrome 137 on iOS: Reporting Safe Browsing events become available on iOS

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

Bookmarks and reading list improvements on Chrome Desktop
On Chrome 138 on Desktop, some users who sign in to Chrome upon saving a new bookmark can now use and save bookmarks and reading list items in their Google Account. Relevant enterprise policies controlling bookmarks, as well as BrowserSignin, SyncDisabled or SyncTypesListDisabled, will continue to work as before, so admins can configure whether users can use and save items in their Google Account. Setting EditBookmarksEnabled to false will also prevent users from uploading a bookmark saved on their device to their Google Account.
- Chrome 138 on Linux, macOS, Windows

Per-extension user script toggle
In Chrome 138, the way that users and administrators control an extension’s ability to run user created scripts and use the userScripts API is changing. This change enhances security. End-users won’t unintentionally grant user script permissions to every extension when enabling Developer mode by explicitly deciding which extensions can run these potentially powerful scripts. For more detail on the motivation for the change, see this Chrome for developers blog.

End users will now toggle this per extension on the chrome://extensions page via a Allow User Scripts toggle, replacing the global Developer mode toggle for more granular control. Existing extensions will have this toggle automatically enabled if Developer mode is on and the extension has been granted the User Scripts permission.

Administrators who currently manage user scripts by disabling developer mode should now use the `blocked_permissions` policy or the Google Admin console to independently control the User Scripts permission and extension Developer mode.

Extension developers are advised to update their documentation to reflect the new toggle. See the Chromium Extensions Google Groups mailing list for more information and other changes to usage of the API.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: Feature rolls out

Enhanced Safe Browsing as a synced setting
Chrome's Enhanced Safe Browsing is becoming a synced feature. This means that if a user opts into Enhanced Safe Browsing on one device, this protection level will automatically apply across all other devices where they are signed into Chrome with the same account. The goal is to provide stronger, more consistent security protection and a standardized user experience.

Users who enable Enhanced Safe Browsing will benefit from its protections, for example, proactive phishing protection, improved detection of malware and malicious extensions) consistently across their synced Chrome instances on Desktop (Windows, macOS, Linux, ChromeOS), Android, and iOS. Users will be notified of this change via UI elements when their Enhanced Safe Browsing setting is synced.

The Safe Browsing protection level is an existing feature, controlled by the SafeBrowsingProtectionLevel policy.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows

Shared tab groups
Users will be able to collaborate on tabs via the shared tab groups feature. With this feature users can create and use a set of tabs on their desktop or mobile device and their collaborative partners will browse the same tabs on their devices. When one person changes a tab in the group, the changes are reflected across all user's browsers in the group. An enterprise policy, TabGroupSharingSettings, will be available to control this feature.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows: Rollout of the ability to join and use a shared tab group. Users on Stable Chrome will not be able to create a shared tab group (the entry point will not be available) - this part of the feature will only be available on Beta/Dev/Canary for this phase of rollout.

Generating insights for Chrome DevTools console warnings and errors
A new Generative AI (GenAI) feature is now available for unmanaged users: Generating insights for Chrome DevTools Console warnings and errors. These insights provide a personalized description and suggested fixes for the selected errors and warnings. Initially, this feature is only available to users (18+) in English. Admins can control this feature by using the DevToolsGenAiSettings policy.
- Chrome 125 on ChromeOS, Linux, macOS, Windows: Feature becomes available to unmanaged users globally, except Europe, Russia, and China.
- Chrome 127 on ChromeOS, Linux, macOS, Windows: Feature becomes available to managed Chrome Enterprise & Education users in supported regions.
- Chrome 131 on ChromeOS, Linux, macOS, Windows: In Chrome 131, a new Generative AI (GenAI) feature becomes available for managed users: a dedicated AI assistance panel in Chrome DevTools which assists the human operator investigating & fixing styling challenges and helps debugging the CSS.
- Chrome 132 on ChromeOS, Linux, macOS, Windows: The AI assistance panel can now explain resources in the Performance panel, Sources panel, and Network panel, in addition to the previous support for style debugging.
- Chrome 138 on ChromeOS, Linux, macOS, Windows: The AI assistance panel exposes an internal API that simplifies the use of AI assistance panel features by external tools such as Model Context Protocol (MCP) servers.

Removal of Private Network Access enterprise policies
Private Network Access (PNA 1.0) is an unshipped security feature designed to limit website access to local networks. Due to deployability concerns, PNA 1.0 was never able to ship by default, as it was incompatible with too many existing devices.

PNA 1.0 required changes to devices on local networks. Instead, Chrome is implementing an updated proposal, Private Network Access 2.0 (PNA 2.0) (Github). PNA 2.0 only requires changes to sites that need to access the local network, rather than requiring changes to devices on the local network. Sites are much easier to update than devices, and so this approach should be much more straightforward to roll out.

The only way to enforce PNA 1.0 is via enterprise policy. To avoid regressing security for enterprise customers opting-in to PNA 1.0 prior to shipping PNA 2.0, we will maintain the PrivateNetworkAccessRestrictionsEnabled policy, which causes Chrome to send special preflight messages, until such time that it becomes incompatible with PNA 2.0.

The InsecurePrivateNetworkRequestsAllowedForUrls and InsecurePrivateNetworkRequestsAllowed policies, which loosen PNA 1.0 restrictions, will be removed immediately. These policies currently have no effect, since PNA 1.0 is not shipped, and they will have no meaning once PNA 1.0 is removed.
- Chrome 135 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia: Deprecate InsecurePrivateNetworkRequestsAllowedForUrls, InsecurePrivateNetworkRequestsAllowed, and PrivateNetworkAccessRestrictionsEnabled policies.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia: Removal of PrivateNetworkAccessRestrictionsEnabled, InsecurePrivateNetworkRequestsAllowedForUrls and InsecurePrivateNetworkRequestsAllowed. There should be a PNA2 replacement policy available in Chrome 138.

TLS 1.3 Early Data
TLS 1.3 Early Data allows GET requests to be sent during the handshake when resuming a connection to a compatible TLS 1.3 server. The feature is expected to demonstrate performance improvements and will be available in Chrome 138 with a policy (TLS13EarlyDataEnabled) to control this change.

TLS 1.3 Early Data is an established protocol. Existing TLS servers, middleboxes, and security software are expected to either handle or reject TLS 1.3 Early Data without dropping the connection. However, devices that do not correctly implement the TLS standard (RFC8446) may malfunction and disconnect when TLS 1.3 Early Data is in use. If this occurs, administrators should contact the vendor for a fix.

This policy is a temporary measure to control the feature and will be removed in a future milestone. The policy may be enabled to allow you to test for issues and disabled while issues are being resolved.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows

Predictable reported storage quota
Chrome 138 will introduce a predictable storage quota from StorageManager's estimate API for sites that do not have unlimited storage permissions.

It is possible to detect a user's browsing mode via the reported storage quota because the storage space made available is significantly smaller in incognito mode than in regular mode. This is a mitigation that prevents detection of a user's browsing mode via the storage API by reporting an artificial quota, equal to usage + min(10 GiB, disk rounded up to the nearest 1 GiB), in all browsing modes for sites with limited storage permissions. Sites with unlimited storage permissions will be unaffected. Enforced quota will also be unaffected.
- Chrome 138 on Windows, macOS, Linux, Android

Strict Same Origin Policy for Storage Access API
We plan to adjust the Storage Access API semantics to strictly follow the Same Origin Policy, to enhance security. Using document.requestStorageAccess() in a frame only attaches cookies to requests to the iframe's origin (not site) by default. The CookiesAllowedForUrls policy or Storage Access Headers can still be used to unblock cross-site cookies.
- Chrome 138 on Windows, macOS, Linux, Android

Summarizer API
Summarizer API is a JavaScript API for producing summaries of input text, backed by an AI language model. Browsers and operating systems are increasingly expected to gain access to a language model. By exposing this built-in model, we avoid every website needing to download their own multi-gigabyte language model, or send input text to third-party APIs. The summarizer API in particular exposes a high-level API for interfacing with a language model in order to summarize inputs for a variety of use cases (Github), in a way that does not depend on the specific language model in question.

An enterprise policy, GenAILocalFoundationalModelSettings, is available to disable the underlying model downloading which would render this API unavailable.
- Chrome 138 on Windows, macOS, Linux

Language Detector API
Language Detector API is a JavaScript API for detecting the language of text, with confidence levels. An important supplement to translation is language detection. This can be combined with translation, for example, taking user input in an unknown language and translating it to a specific target language. Browsers today often already have language detection capabilities, and we want to offer them to web developers through a JavaScript API, supplementing the translation API. An enterprise policy, GenAILocalFoundationalModelSettings, is available to disable the underlying model downloading which would render this API unavailable.
- Chrome 138 on Windows, macOS, Linux

Translator API
The Translator API is a JavaScript API to provide language translation capabilities to web pages. Browsers are increasingly offering language translation to their users. Such translation capabilities can also be useful to web developers. This is especially the case when the browser's built-in translation abilities cannot help. An enterprise policy, GenAILocalFoundationalModelSettings, is available to disable the underlying model downloading which would render this API unavailable.
- Chrome 138 on Windows, macOS, Linux

Web serial over Bluetooth on Android
This feature allows web pages and web apps to connect to serial ports over Bluetooth on Android devices. Chrome on Android now supports Web Serial API over Bluetooth RFCOMM. Existing enterprise policies (DefaultSerialGuardSetting, SerialAllowAllPortsForUrls, SerialAllowUsbDevicesForUrls, SerialAskForUrls and SerialBlockedForUrls) on other platforms are enabled in future_on states for Android. All policies except SerialAllowUsbDevicesForUrls will be enabled after the feature is enabled. SerialAllowUsbDevicesForUrls will be enabled in a future launch after Android provides system level support of wired serial ports.
- Chrome 138 on Android

Upcoming change for CA certificates included in the Chrome Root Store
In response to sustained compliance failures, Chrome 139 changes how publicly-trusted TLS server authentication, that is, websites or certificates issued by Chunghwa Telecom and Netlock, are trusted by default. This applies to Chrome 139 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.

Specifically, TLS certificates validating to the Chunghwa Telecom or Netlock root CA certificates included in the Chrome Root Store and issued:

    - after July 31, 2025, will no longer be trusted by default.

    - on or before July 31, 2025, will be unaffected by this change.

If a Chrome user or an enterprise explicitly trusts any of the affected Chunghwa Telecom or Netlock certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.

For additional information and testing resources, see Sustaining Digital Certificate Security - Upcoming Changes to the Chrome Root Store.

To learn more about the Chrome Root Store, see this FAQ.
- Chrome 139 on Android, ChromeOS, Linux, macOS, Windows: All versions of Chrome 139 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after July 31, 2025.

Chrome on Android no longer supports Android Oreo or Android Pie
The last version of Chrome that supports Android Oreo or Android Pie is Chrome 138, and it includes a message to affected users informing them to upgrade their operating system. Chrome 139 and newer versions will not be supported on, nor shipped or available to, users running Android Oreo or Android Pie.
- Chrome 139 on Android: Chrome on Android no longer supports Android Oreo or Android Pie.

Migrate extensions to Manifest V3 before June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.

Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.

You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core.
- Chrome 127 on ChromeOS, LaCrOS, Linux, macOS, Windows: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, Linux, macOS, Windows: Remove ExtensionManifestV2Availability policy.

Chrome will remove support for macOS 11
Chrome 138 will be the last release to support macOS 11; Chrome 139 and later will no longer support macOS 11, which is outside of its support window with Apple. Running on a supported operating system is essential to maintaining security.

On Macs running macOS 11, Chrome will continue to work, showing a warning infobar, but will not update any further. If a user wishes to have their Chrome updated, they need to update their computer to a supported version of macOS. For new installations of Chrome 139 and later, macOS 12 or later will be required.
- Chrome 139 on Windows, macOS, Linux

Happy Eyeballs V3
This launch is an internal optimization in Chrome that implements Happy Eyeballs V3 to achieve better network connection concurrency. Happy Eyeballs V3 performs DNS resolutions asynchronously and staggers connection attempts with preferable protocols (H3/H2/H1) and address families (IPv6/IPv4) to reduce user-visible network connection delay. This feature is gated by a temporary policy HappyEyeballsV3Enabled.
- Chrome 140 on Android, ChromeOS, Linux, macOS, Windows

Isolated Web Apps
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering that is necessary for developers of security-sensitive applications.

Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the explainer.

In this initial release, IWAs will only be installable through an admin policy on enterprise-managed ChromeOS devices.
- Chrome 140 on Windows: This rollout adds support for Isolated Web Apps in enterprise-managed browser configurations on Windows.

Disallow spaces in non-file:// URL hosts
According to the URL Standard specification, URL hosts cannot contain the space character, but currently URL parsing in Chromium allows spaces in the host. This causes Chromium to fail several tests included in the Interop2024 HTTPS URLs for WebSocket and URL focus areas. To bring Chromium into spec compliance, we would like to remove spaces from URL hosts altogether, but a difficulty with this is that they are used in the host part in Windows file:// URLs (Github).
- Chrome 141 on Android, ChromeOS, LaCrOS, Linux, macOS, Windows, Fuchsia

Safe Browsing API v4 → v5 migration
Chrome calls into the Safe Browsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5. If admins have any v4-specific URL allowlisting to allow network requests to https://safebrowsing.googleapis.com/v4*, these should be modified to allow network requests to the whole domain instead: safebrowsing.googleapis.com. Otherwise, rejected network requests to the v5 API will cause security regressions for users. For more details, see Migration From V4 - Safe Browsing.
- Chrome 145 on Android, iOS, ChromeOS, Linux, macOS, Windows

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Administrators may use the UiAutomationProviderEnabled enterprise policy starting in Chrome 125 to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 146, and will be removed in Chrome 147. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows: The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 146.
- Chrome 147 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider

Upcoming Chrome Enterprise Core changes

Agentspace recommendations in the Chrome omnibox

This launch helps Enterprise users with their internal information needs by adding Enterprise Search results, such as people, file, or query suggestions, from Agentspace to the Chrome address bar. Results can be shown by default in Chrome's address bar recommendations or only when triggered by a custom keyword.

Users can also leverage the keyword mode to trigger actions through Agentspace, such as "help me write an email that summarizes the current project status".

The enterprise search provider will be shown when the user types "@" in the address bar. The organization will be able to customize a keyword or shortcut and the icon shown.

This can be configured via the EnterpriseSearchAggregatorSettings policy.
- Chrome 135 on ChromeOS, Linux, macOS, Windows: Trusted Tester
- Chrome 138 on ChromeOS, Linux, macOS, Windows: General Availability

Inactive profile deletion in Chrome Enterprise Core

In June 2025, the inactive period for profile deletion setting started to roll out. In July 2025, the setting will begin to automatically delete managed profiles in the Admin console that have been inactive for more than the defined inactivity period. When releasing the setting, the inactivity period of time has a default value of 90 days. Meaning that by default, all managed profiles that have been inactive for more than 90 days are deleted from your account. Administrators can change the inactive period value using this setting. The maximum value to determine the profile inactivity period is 730 days and the minimum value is 28 days.

If you lower the set value, it might have a global impact on any currently managed profiles. All impacted profiles will be considered inactive and, therefore, be deleted. This does not delete the user account. If an inactive profile is re-activated on a device, that profile will reappear in the console.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows: Policy will roll out in June. Deletion will start in July and the initial wave of deletion will complete by the end of August. After the initial deletion rollout, inactive profiles will continue to be deleted once they have reached their inactivity period.

Multiple Identity Support on iOS

Chrome on iOS is introducing support for multiple accounts, particularly for managed (work or school) accounts. This update introduces separate browser profiles for each managed account, ensuring strict data separation between work and personal browsing. Regular accounts will continue to share a single profile.

This change aims to improve Chrome's enterprise offering and provide a more secure and organized browsing experience, especially for end users with both personal and work accounts on their device. Users will experience a one-time onboarding flow when adding a managed account to the device. They will be able to switch between accounts by tapping on the account particle disk on the New tab page.

Admins who enabled Chrome policies on iOS (instructions here) can continue to leverage existing policies.
- Chrome 138 on iOS

Upcoming Chrome Enterprise Premium changes

URL filtering capabilities on iOS
The current WebProtect URL Filtering capabilities on Desktop are being extended to mobile so that organizations can audit, warn, or block certain URLs or categories of URLs from loading on managed Chrome browsers or managed user profiles on mobile devices. This feature is part of Chrome Enterprise Premium and aims to provide secure and safe internet access for enterprise users on any device. Admins will be able to create URL filtering rules to ensure that employees can only access safe and authorized URLs on iOS devices. Chrome will report URL filtering events and unsafe site events via the Reporting Connector on mobile.
- Chrome 138 on iOS: The URL Filtering feature becomes available on iOS.

DLP Download Support for File System Access API (FSA)
Data Loss Prevention (DLP) protection will be extended to cover files and directories downloaded using the File System Access (FSA) API. This enhancement will ensure that downloads from modern web applications, such as browser-based editors, are scanned according to your organization's DLP rules. Users and websites will receive notifications on scan verdicts, strengthening data security and compliance.
- Chrome 138 on Windows, macOS, Android, ChromeOS, Linux

↑ back to top

ChromeOS 137 release summary

ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Face control policy on ChromeOS			✓
Crosstalk cancellation		✓
ChromeVox keyboard shortcut to caption audio with braille devices		✓
Event-based log collection			✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Chrome apps changes		✓
Upcoming Native Client (NaCl) deprecation	✓

DOWNLOAD Release notes (PDF)

↑ back to top

ChromeOS updates

Face Control policy on ChromeOS

With ChromeOS 137, we introduce a new policy, FaceGazeEnabled, to allow admins to have more control over access to Face Control on an organizational level.

For more details, see Use facial gestures & head movements to control your Chromebook with Face control.

Crosstalk cancellation

Crosstalk cancellation provides an immersive audio experience when using the internal speaker. Users can feel the audio surrounding their head instead of coming from the geometric position of the internal speaker. Any playable audio content benefits from this feature, especially when playing games or watching videos with spatialized audio. Users experience immersive, surround-sound audio, similar to wearing a headset.

ChromeVox keyboard shortcut to caption audio with braille devices

ChromeVox now enables a command that displays spoken text as braille captions on connected (USB or Bluetooth) braille displays.

The ChromeVox command is Search + O + C and stands for Search Open Captions.

The braille command is space + dots 1-4-7. For more details, see Use a braille device with your Chromebook - Google Accessibility Help.

Event-based log collection

For event-based log collection, when an event occurs—for example, an OS crash or update failure—you'll see a notification on the device details page. You can also view device events in the device details page, to see when events occurred and to get detailed information. Google uploads any logs relevant to the specific event type, which makes troubleshooting more efficient.

To enable this feature:
- Turn on the Device system log upload setting.
- Turn on OS update status reporting—For the Report device OS information setting, select OS update status.
- Turn on device telemetry reporting on crash information—For the Report device telemetry setting, select Crash information.
These uploads can happen at most two times per day on one device.

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming ChromeOS changes

Chrome apps changes

Starting with ChromeOS 138, planned for stable release on July 22nd, admin-installed Chrome apps in kiosk sessions will be disabled by default. A new policy, KioskChromeAppsForceAllowed, will be available prior to the release of ChromeOS 138 for administrators to re-enable Chrome apps in kiosk sessions. With this policy turned on, Chrome apps in kiosk sessions will be supported through ChromeOS 150.

Additionally, as a reminder, as early as ChromeOS 139, planned for stable release on August 19th, user-installed Chrome apps will stop working.

For more details, see End of support for Chrome apps.

Upcoming Native Client (NaCl) deprecation

ChromeOS 138 will be the final release to support Native Client (NaCl) in managed environments with the NaCl allow policy enabled. For devices on the Long-term Support (LTS) channel with this policy active, NaCl support will continue until the LTS Last Refresh in April 2026.

↑ back to top

Chrome 136

Chrome 136 release summary

Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Google Lens result presentation updates		✓
Malicious APK download checks (telemetry-only)	✓
Proactive notifications for Chrome Tips on iOS		✓
Custom data directory required for remote debugging	✓
Partitioning :visited links history	✓
Rename string attr() type to raw-string	✓
Update ProgressEvent to use double type for loaded and total	✓
New policies in Chrome browser			✓
Removed policies in Chrome browser			✓
Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
WebAuthn Support for Remote Desktop Clients on managed devices	✓		✓
Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
New reporting connector: CrowdStrike Falcon Next-Gen SIEM	✓		✓
URL filtering capabilities on Android	✓		✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Removal of Private Network Access enterprise policies	✓
Remove --load-extension command line switch	✓
Remove SwiftShader fallback	✓
Align error type thrown for payment WebAuthn credential creation: SecurityError => NotAllowedError	✓
Blob URL Partitioning: Fetching/Navigation	✓
Web serial over Bluetooth on Android	✓
Happy Eyeballs V3	✓
Strict Same Origin policy for Storage Access API	✓
Web App Manifest: update_token and update eligibility	✓
Migrate extensions to Manifest V3 before June 2025	✓	✓	✓
Chrome will remove support for macOS 11			✓
Isolated Web Apps	✓		✓
Disallow spaces in non-file:// URL hosts	✓
SafeBrowsing API v4 → v5 migration	✓
UI Automation accessibility framework provider on Windows		✓
Upcoming Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
IP Address logging and reporting	✓
Inactive profile deletion in Chrome Enterprise Core	✓		✓
Multiple identity support on iOS		✓
Google Agentspace recommendations in Chrome omnibox		✓	✓
Upcoming Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
URL filtering capabilities on iOS	✓		✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser changes

Google Lens result presentation updates
Search results for Google Lens queries originating from the device camera and from searching images on web pages are presented on a native UI panel that slides from the bottom of the screen. Previously, these answers were presented on a separate web page on a new tab. Admins can control this feature with the existing policy LensCameraAssistedSearchEnabled.
- Chrome 136 on iOS

Malicious APK download checks (telemetry-only)
Chrome on Android now contacts Google about Android Package Kit (APK) files downloaded in Chrome, to verify their safety. This is a telemetry-only experimental state of a feature that will eventually show warnings and block downloads of malicious APK files, to protect users against mobile malware. At this time, the malicious APK download check is telemetry-only: no warnings will be shown and downloads will not be blocked. In telemetry-only mode, the malicious APK download check will only be performed for users enrolled in Enhanced Protection from Google Safe Browsing.

This feature can be disabled by setting the Safe Browsing mode to NoProtection (value 0) via the SafeBrowsingProtectionLevel policy.
- Chrome 136 on Android

Proactive notifications for Chrome Tips on iOS
Users can now receive Chrome Tips as provisional notifications. Previously, only users who have explicitly opted into Chrome Tips notifications would receive these helpful notifications.

In this release, Chrome sends these proactively as notifications to users who have installed Chrome on iOS, but have been inactive for several days. In this way, users won't even have to open the app to learn about useful features such as Google Lens or Enhanced Safe browsing. Admins can turn these off by using the policy ProvisionalNotificationsAllowed (policy will be available in Chrome 137).
- Chrome 136 on iOS

Custom data directory required for remote debugging
Remote debugging via a TCP port or a pipe is no longer possible in Google Chrome with the default data directory on Windows, Linux, and macOS. A custom data directory must be specified to remotely debug Google Chrome using the --user-data-dir switch, when using the --remote-debugging-pipe or --remote-debugging-port switches.

We’ve made this change because these remote debugging switches are being abused by infostealers and malware to extract data from Google Chrome. A custom user data directory uses a different encryption key and so it prevents malware stealing encrypted data such as cookies.

This change does not affect Chrome for Testing and Chromium.
- Chrome 136 on Linux, macOS, Windows

Partitioning :visited links history
To eliminate user browsing history leaks, anchor elements are styled as :visited only if they have been clicked from this top-level site and frame origin before. On the browser-side, this means that the VisitedLinks hashtable is now partitioned by triple-keying, that is, by storing the following for each visited link: <link URL, top-level site, frame origin>. By only styling links that have been clicked on this site and frame before, the many side-channel attacks that have been developed to obtain :visited links styling information are now obsolete, as they no longer provide sites with new information about users.

There is an exception for self-links, where links to a site's own pages can be styled as :visited even if they have not been clicked on in this exact top-level site and frame origin before. This exemption is only enabled in top-level frames or subframes which are same-origin with the top-level frame. The privacy benefits above are still achieved because sites already know which of its subpages a user has visited, so no new information is exposed. This was a community-requested exception which improves user experience as well.
- Chrome 136 on Windows, macOS, Linux, Android

Rename attr() type string keyword to raw-string
The attr() type argument specifies how the attribute value is parsed into a CSS value. In a recent decision by the W3C CSS Working Group, it was resolved to rename the attr() type string keyword to the more explicit raw-string. If the attribute value is given as the raw-string keyword, or omitted entirely, it causes the attribute’s literal value to be treated as the value of a CSS string, with no CSS parsing performed at all (including CSS escapes, whitespace removal, comments, etc). No value triggers fallback; only the lack of the attribute entirely does.

For more details about attr() notation, see CSS Values and Units Module Level 5.
- Chrome 136 on Windows, macOS, Linux, Android

Update ProgressEvent to use double type for loaded and total
The ProgressEvent has attributes loaded and total indicating the progress, and their type is unsigned long long now.

With this feature, the type for these two attributes is changed to double instead, which gives the developer more control over the value. For example, the developers can now create a ProgressEvent with the total of 1 and the loaded increasing from 0 to 1 gradually. This is aligned with the default behavior of the <progress> HTML element if the max attribute is omitted. For more details, see this Web Hypertext Application Technology working group (WHATWG) discussion on GitHub.
- Chrome 136 on Windows, macOS, Linux

New policies in Chrome browser

Policy	Description
OnSecurityEventEnterpriseConnector	Configuration policy for the OnSecurityEvent Chrome Enterprise Connector (now available on Android).
WebAuthenticationRemoteDesktopAllowedOrigins	Allowed Origins for Proxied WebAuthn Requests from Remote Desktop Applications.
ReduceAcceptLanguageEnabled	Control Accept-Language Reduction.
HappyEyeballsV3Enabled	Use the Happy Eyeballs V3 algorithm.
EnterpriseRealTimeUrlCheckMode	Check Safe Browsing status of URLs in real time (now available on Android).
ProvisionManagedClientCertificateForBrowser	Enables the provisioning of client certificates for managed browsers.

Removed policies in Chrome browser

Policy	Description
ThirdPartyBlockingEnabled	Enable third party software injection blocking.
ProfilePickerOnStartupAvailability	Profile picker availability on startup.

Chrome Enterprise Core changes

WebAuthn support for Remote Desktop Clients on managed devices
This change allows users on managed devices to securely access websites on remote hosts using their local security keys or passkeys. With the new WebAuthenticationRemoteDesktopAllowedOrigins enterprise policy, administrators will be able to specify which remote desktop client applications can make WebAuthn requests on behalf of other origins.

This addresses the challenge of using local authenticators with remote desktops, thereby enhancing both security and user experience. Administrators configure this policy by providing a comma-separated list of allowed remote desktop client app origins.
- Chrome 136 on Android, ChromeOS, Linux, macOS, Windows

Chrome Enterprise Premium changes

Read more about the differences between Chrome Enterprise Core and Chrome Enterprise Premium.

New reporting connector: CrowdStrike Falcon Next-Gen SIEM
Chrome 136 introduces a new Chrome Enterprise reporting connector for Crowdstrike Falcon Next-Gen SIEM. Admins can configure this connector in the Admin console to forward selected Chrome event data to Crowdstrike for enhanced security monitoring and analysis. This provides more flexibility in SIEM choices and helps improve threat detection.
- Chrome 136 on ChromeOS, Linux, macOS, Windows

URL filtering capabilities on Android
WebProtect URL filtering is now extended to Android for Chrome Enterprise Premium customers. This allows admins to apply URL block, warn, or audit rules on managed Android devices via the EnterpriseRealTimeUrlCheckMode policy, providing consistent web content control across platforms. Filter events are reported via the Reporting Connector, and configuration is done in the Admin console.
- Chrome 136 on Android

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

Removal of Private Network Access enterprise policies
Private Network Access (PNA 1.0) is an unshipped security feature designed to limit website access to local networks. Due to deployability concerns, PNA 1.0 was never able to ship by default, as it was incompatible with too many existing devices.

PNA 1.0 required changes to devices on local networks. Instead, Chrome is implementing an updated proposal, Private Network Access 2.0 (PNA 2.0). PNA 2.0 (Github) only requires changes to sites that need to access the local network, rather than requiring changes to devices on the local network. Sites are much easier to update than devices, and so this approach should be much more straightforward to roll out.

The only way to enforce PNA 1.0 is via enterprise policy. To avoid regressing security for enterprise customers opting-in to PNA 1.0 prior to shipping PNA 2.0, we will maintain the PrivateNetworkAccessRestrictionsEnabled policy, which causes Chrome to send special preflight messages, until such time that it becomes incompatible with PNA 2.0.

The InsecurePrivateNetworkRequestsAllowedForUrls and InsecurePrivateNetworkRequestsAllowed policies, which loosen PNA 1.0 restrictions, will be removed immediately. These policies currently have no effect, since PNA 1.0 is not shipped, and they will have no meaning once PNA 1.0 is removed.
- Chrome 135 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia: Removal of InsecurePrivateNetworkRequestsAllowedForUrls and InsecurePrivateNetworkRequestsAllowed policies.
- Chrome 137 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia: Removal of PrivateNetworkAccessRestrictionsEnabled. This is dependent on a not-yet-defined replacement policy to enable PNA 2.0 being available.

Remove --load-extension command line switch
To enhance the security and stability of the Chrome browser for our users, official Chrome branded builds will begin to deprecate the ability to load extensions using the --load-extension command-line flag, starting in Chrome 137. This change aims to mitigate the risks associated with harmful and unwanted extensions.

Unpacked extensions can be loaded with the Load unpacked button on the Extensions management page (chrome://extensions/) with Developer mode enabled.

Developers can still use the --load-extension switch in non-branded builds such as Chromium and Chrome For Testing.
- Chrome 137 on ChromeOS, Linux, macOS, Windows

Remove SwiftShader fallback
Allowing automatic fallback to WebGL backed by SwiftShader is deprecated and WebGL context creation will fail instead of falling back to SwiftShader. This was done for two primary reasons:
1. SwiftShader is a high security risk due to JIT-ed code running in Chromium's GPU process.
2. Users have a poor experience when falling back from a high-performance GPU-backed WebGL to a CPU-backed implementation. Users have no control over this behavior and it is difficult to describe in bug reports.
SwiftShader is a useful tool for web developers to test their sites on systems that are headless or do not have a supported GPU. This use case will still be supported by opting in but is not intended for running untrusted content. To opt in to lower security guarantees and allow SwiftShader for WebGL, run the chrome executable with the --enable-unsafe-swiftshader command-line switch.

During the deprecation period, a warning will appear in the javascript console when a WebGL context is created and backed with SwiftShader. Passing --enable-unsafe-swiftshader will remove this warning message.

Chromium and other browsers do not guarantee WebGL availability. It is important to test and handle WebGL context creation failure and fall back to other web APIs such as Canvas2D or an appropriate message to the user. A temporary enterprise policy will be available to revert the change.
- Chrome 137 on Linux, macOS: Swiftshader will be disabled on macOS and Linux as early as Chrome 137. Users on machines without a GPU will not be able to use WebGL.
- Chrome 137 on Windows: SwiftShader will be disabled and replaced with another software WebGL fallback, WARP. Tests depending on the exact pixel values generated by SwiftShader may start failing.

Align error type thrown for payment WebAuthn credential creation: SecurityError => NotAllowedError
This change corrects the error type thrown during WebAuthn credential creation for payment credentials. Due to a historic specification mismatch, creating a payment credential in a cross-origin iframe without a user activation would throw a SecurityError instead of a NotAllowedError, which is what is thrown for non-payment credentials. Code that previously detected the type of error thrown, for example, e instanceof SecurityError, would be affected. Code that just generally handles errors during credential creation, for example, catch (e), will continue to function correctly.
- Chrome 137 on Windows, macOS, Linux, Android

Blob URL Partitioning: Fetching/Navigation
As a continuation of Storage Partitioning, Chromium will implement partitioning of Blob URL access by Storage Key (top-level site, frame origin, and the has-cross-site-ancestor boolean), with the exception of top-level navigations which will remain partitioned only by frame origin. This behavior is similar to what’s currently implemented by both Firefox and Safari, and aligns Blob URL usage with the partitioning scheme used by other storage APIs as part of Storage Partitioning. In addition, Chromium will enforce noopener on renderer-initiated top-level navigations to Blob URLs where the corresponding site is cross-site to the top-level site performing the navigation. This aligns Chromium with similar behavior in Safari, and the relevant specs have been updated to reflect these changes.

This change can be temporarily reverted by setting the PartitionedBlobURLUsage policy. The policy will be deprecated when the other storage partitioning related enterprise policies are deprecated.
- Chrome 137 on Windows, macOS, Linux, Android

Web serial over Bluetooth on Android
This feature allows web pages and web apps to connect to serial ports over Bluetooth on Android devices. Chrome on Android now supports Web Serial API over Bluetooth RFCOMM. Existing enterprise policies (DefaultSerialGuardSetting, SerialAllowAllPortsForUrls, SerialAllowUsbDevicesForUrls, SerialAskForUrls, and SerialBlockedForUrls) on other platforms are enabled in future_on states for Android. All policies except SerialAllowUsbDevicesForUrls will be enabled after the feature is enabled. SerialAllowUsbDevicesForUrls will be enabled in a future launch after Android provides system level support of wired serial ports.
- Chrome 137 on Android

Happy Eyeballs V3
This launch is an internal optimization in Chrome that implements Happy Eyeballs V3 to achieve better network connection concurrency. Happy Eyeballs V3 performs DNS resolutions asynchronously and staggers connection attempts with preferable protocols (H3/H2/H1) and address families (IPv6/IPv4) to reduce user-visible network connection delay. This feature is gated by a temporary policy HappyEyeballsV3Enabled.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows

Strict Same Origin policy for Storage Access API
This feature updates the Storage Access API semantics to strictly follow the Same Origin policy, to enhance security. This means using document.requestStorageAccess() in a frame only attaches cookies to requests to the iframe's origin (not site) by default. Note: the CookiesAllowedForUrls policy or Storage Access Headers might still be used to unblock cross-site cookies.
- Chrome 138 on Windows, macOS, Linux, Android

Web App Manifest: update_token and update eligibility
Introduces an update_token field and updates the eligibility algorithm to the manifest spec. This makes the update process more deterministic and predictable, giving the dev more control over whether (and when) updates should apply to existing installations, and allowing removal of the update check throttle that user agents currently need to implement to avoid wasting network resources.
- Chrome 138 on Windows, macOS, Linux
- Chrome 139 on Android

Migrate extensions to Manifest V3 before June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.

Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An enterprise policy, ExtensionManifestV2Availability, can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.

You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core.
- Chrome 127 on ChromeOS, LaCrOS, Linux, macOS, Windows: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, Linux, macOS, Windows: Removal of ExtensionManifestV2Availability policy.

Chrome will remove support for macOS 11
Chrome 138 will be the last release to support macOS 11; Chrome 139+ will no longer support macOS 11, which is outside of its support window with Apple. Running on a supported operating system is essential to maintaining security.

On Macs running macOS 11, Chrome will continue to work, showing a warning infobar, but will not update any further. If a user wishes to have their Chrome be updated, they need to update their computer to a support version of macOS.

For new installations of Chrome 139+, macOS 12+ will be required.
- Chrome 139 on Windows, macOS, Linux

Isolated Web Apps
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering that is necessary for developers of security-sensitive applications.

Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the Isolated Web Apps explainer on GitHub.

In this initial release, IWAs will only be installable through an admin policy on enterprise-managed ChromeOS devices.
- Chrome 140 on Windows: This rollout adds support for Isolated Web Apps in enterprise-managed browser configurations on Windows.

Disallow spaces in non-file:// URL hosts
According to the URL Standard specification, URL hosts cannot contain the space character, but currently URL parsing in Chromium allows spaces in the host. This causes Chromium to fail several tests included in the Interop2024 HTTPS URLs for WebSocket and URL focus areas. To bring Chromium into spec compliance, we would like to remove spaces from URL hosts altogether, but a difficulty with this is that they are used in the host part in Windows file:// URLs (Github).

Thus this status entry tracks the work to bring Chromium closer to spec compliance by forbidding spaces for non-file URLs only.
- Chrome 141 on Android, ChromeOS, LaCrOS, Linux, macOS, Windows, Fuchsia

SafeBrowsing API v4 → v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5. If admins have any v4-specific URL allowlisting to allow network requests to https://safebrowsing.googleapis.com/v4*, these should be modified to allow network requests to the whole domain instead: safebrowsing.googleapis.com. Otherwise, rejected network requests to the v5 API will cause security regressions for users. For more details, see Migration From V4 - Safe Browsing.
- Chrome 145 on Android, iOS, ChromeOS, Linux, macOS, Windows

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Administrators can use the UiAutomationProviderEnabled enterprise policy starting in Chrome 125 to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 146, and will be removed in Chrome 147. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows: The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt in early to the new behavior, or to temporarily opt out through Chrome 146.
- Chrome 147 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Upcoming Chrome Enterprise Core changes

IP Address logging and reporting

Chrome Enterprise will enhance security monitoring and incident response capabilities by collecting and reporting local and remote IP addresses and sending those IP addresses to the Security Investigation Tool (SIT) logs. In addition, Chrome Enterprise will allow admins to optionally send the IP addresses to first-party and third-party security information and event management (SIEM) providers via the Chrome Enterprise reporting connector. For more details, see Manage Chrome Enterprise reporting connectors. This will be available for Chrome Enterprise Core and Chrome Enterprise Premium customers.
- Chrome 137 on Windows, macOS, Linux

Inactive profile deletion in Chrome Enterprise Core

In April 2025, the inactive period for profile deletion policy starts rolling out. In June 2025 (Chrome 138), the policy will begin to automatically delete managed profiles in the Admin console that have been inactive for more than the defined inactivity period. When releasing the policy, the inactivity period of time has a default value of 90 days. Meaning that by default, all managed profiles that have been inactive for more than 90 days are deleted from your account. Administrators can change the inactive period value using this policy. The maximum value to determine the profile inactivity period is 730 days and the minimum value is 28 days.

If you lower the set policy value, it might have a global impact on any currently managed profiles. All impacted profiles will be considered inactive and, therefore, be deleted. This does not delete the user account. If an inactive profile is reactivated on a device, that profile will reappear in the console.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows: Policy will roll out in April. Deletion will start in June and the initial wave of deletion will complete by the end of July. After the initial deletion rollout, inactive profiles will continue to be deleted once they have reached their inactivity period.

Multiple identity support on iOS

Chrome on iOS is introducing support for multiple accounts, particularly for managed (work/school) accounts. This update introduces separate browser profiles for each managed account, ensuring strict data separation between work and personal browsing. Regular accounts will continue to share a single profile. This change aims to improve Chrome's enterprise offering and provide a more secure and organized browsing experience, especially for end users with both personal and work accounts on their device. Users will experience a one-time onboarding flow when adding a managed account to the device. They will be able to switch between accounts by tapping on the account particle disk on the New tab page.

Admins can continue to use the following existing policies to manage iOS accounts:
- Chrome on iOS: Allows admins to apply policies to signed in users on iOS. For more information, see Turn on Chrome browser management (Android and iOS).
- ProfileSeparationDataMigrationSettings: This policy affects the onboarding experience and how prior browsing data is handled when a user adds a work profile.
- BrowserSignin: It allows you to specify if the user can sign in to Google Chrome.
- RestrictAccountsToPatterns: Controls which accounts are visible on the device.
- Chrome 138 on iOS

Google Agentspace recommendations in the Chrome omnibox

To help enterprise users with their internal information needs, Admins will soon be able to add enterprise search results, such as people, file, or query suggestions, from Google Agentspace to the Chrome address bar. Results can be shown by default in Chrome's address bar recommendations or only when triggered by a custom keyword. Users can also use keyword mode to trigger actions through Agentspace, such as help me write an email that summarizes the current project status.

The enterprise search provider will be shown when the user types @ in the address bar. The organization will be able to customize a keyword or shortcut and the icon shown.

This can be configured via the policy called EnterpriseSearchAggregatorSettings.
- Chrome 139 on ChromeOS, Linux, macOS, Windows

Upcoming Chrome Enterprise Premium changes

URL filtering capabilities on iOS
The current WebProtect URL filtering capabilities on Desktop are being extended to mobile so that organizations can audit, warn, or block certain URLs or categories of URLs from loading on managed Chrome browsers or managed user profiles on mobile devices. This feature is part of Chrome Enterprise Premium and aims to provide secure and safe internet access for enterprise users on any device. Admins will be able to create URL filtering rules to ensure that employees can only access safe and authorized URLs on iOS devices. Chrome will report URL filtering events and unsafe site events via the Reporting Connector on mobile.
- Chrome 137 on iOS: In this milestone, the URL Filtering feature will be launched on iOS for Chrome Enterprise Premium customers. This will enable administrators to manage which URLs can be accessed on managed Chrome browsers or profiles on company-owned or BYOD iOS devices.
  Key changes include:
  
  - Admins can block, warn, or audit users when accessing certain sites or categories.
  
  - End users will see interstitial pages when attempting to visit blocked or warned URLs.
  
  - Chrome will report URL filtering events.
  
  - Updates to the chrome://management page will reflect the new functionality.

↑ back to top

ChromeOS 136 release summary

ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Quick Share enhancements		✓
Admin initiated Chrome Remote Desktop (CRD) sessions			✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Event-based device log collection for troubleshooting (Admin console)			✓
Face control policy on ChromeOS			✓

DOWNLOAD Release notes (PDF)

↑ back to top

ChromeOS updates

Quick Share enhancements

As early as ChromeOS 136, Quick Share extends Visible to everyone mode duration to a maximum of 10 minutes from 5. This feature allows your device to share files with and receive files from Android devices and other Chromebooks. Users can set device visibility, enter Visible to everyone mode, toggle Quick Share, and go to the Quick Share settings page, all from quick settings. This setting can be managed with the NearbyShareAllowed policy.

Admin initiated Chrome Remote Desktop (CRD) sessions

Starting in ChromeOS 136, auto-approved Chrome Remote Desktop (CRD) connections allow IT teams to better support their ChromeOS users.

In previous releases, users had to manually accept remote CRD connections via a notification to allow for remote connections. The new feature automatically accepts remote connections after 30 seconds (if the user does not decline) while ensuring user privacy through a combination of measures, for example, requirement of connection to managed network and end user activity in the last 5 minutes. Auto-accepted CRD connections are expected to significantly streamline support workflows by removing the need for additional end user intervention.

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming ChromeOS changes

Event-based device log collection for troubleshooting (Admin console)

To help troubleshoot device issues (like crashes or failed OS updates), ChromeOS automatically collects and uploads device logs. This happens when these specific settings are turned on:
- Enable device system log upload: turns on the overall log collection
- Report device OS information -> OS update status: collects data about OS updates
- Report device telemetry -> Crash information: gathers fatal crash information
As early as ChromeOS 137, when a problem occurs, IT admins will see a notification with a direct link to the uploaded logs on the ChromeOS device's details page in the Admin console. You can also see a history of device events. Log uploads happen a maximum of two times a day, and each file is typically 400KB to 1MB in size.

For details, see these articles in the Chrome Enterprise and Education Help Center:
- Remote log collection for ChromeOS devices
- View ChromeOS Device List and Details

Face control policy on ChromeOS

With ChromeOS 137, we will introduce a new policy to allow admins to have more control over access to face control on an organisational level.

For more details, see Use facial gestures & head movements to control your Chromebook with face control.

↑ back to top

Chrome 135

Chrome 135 release summary

Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
3P profile enrollment migrates to OIDC auth code flow	✓
Auto-deletion of downloads for Chrome on iOS	✓
Better password form detection with ML	✓
Client’s LLM assistance in mitigating scams	✓
Deprecate mutation events	✓
Download file type extension-based warnings - documentation correction	✓
Extensions improvements on Chrome Desktop	✓	✓
Generic Device Trust Connector	✓
Remove Private Network Access enterprise policies	✓
Remove ThirdPartyBlockingEnabled policy	✓
Settings, site shortcuts, and themes improvements on Chrome Desktop	✓
Sunsetting the legacy Password Manager in Chrome on Android	✓
Third-party cookies always blocked in Incognito mode	✓
Create service worker client and inherit service worker controller for srcdoc iframe	✓
HSTS tracking prevention	✓
Remove deprecated navigator.xr.supportsSession method	✓
Remove --load-extension Command Line switch in Google Chrome	✓
New policies in Chrome browser			✓
Removed policies in Chrome browser			✓
Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
Apple extensible SSO support for Chrome on macOS		✓	✓
New content on the Chrome Web Store Discover page for managed users		✓	✓
Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
No updates in Chrome 135.
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Remote debugging port custom data directory requirement	✓
Blob URL Partitioning: Fetching/Navigation	✓
Deprecate getters of Intl Locale Info API	✓
FedCM updates			✓
Partitioning :visited links history	✓
Strict Same Origin Policy for Storage Access API	✓
Remove SwiftShader fallback	✓
Disallow spaces in non-file:// URL host	✓
Chrome will remove support for macOS 11			✓
Isolated Web Apps	✓
SafeBrowsing API v4 to v5 migration	✓
UI Automation accessibility framework provider on Windows		✓
Upcoming Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
Improved Admin console reporting performance and scalability			✓
New remote commands and CSV export for the Managed Profile List			✓
New Overview landing page for Chrome Enterprise Core			✓
IP Address logging and reporting	✓
Inactive profile deletion in Chrome Enterprise Core	✓		✓
Upcoming Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
URL filtering on iOS and Android	✓
Refactor DLP rules user experience	✓
Reporting connector for mobile	✓
Connectors API	✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser changes

3P profile enrollment migrates to OIDC auth code flow
Chrome 135 migrates the landing page for profile registration from the marketing website to a dynamic website. This update also migrates the OpenID Connect (OIDC) implicit flow to an auth code flow. This aims to improve both the security and the user experience for third party (3P) managed profiles.
- Chrome 135 on Windows

Auto-deletion of downloads for Chrome on iOS
Users of Chrome browser on iOS can now choose to automatically delete their browser downloads on a scheduled basis.

This feature is likely to both improve device performance related to storage capacity, and to improve privacy by automating the deletion of files that users might otherwise forget to on their own.
- Chrome 135 on iOS
  Initial experiment at 1% in 135 for Chrome for iOS only. No planned rollout for other platforms.

Better password form detection with ML
Chrome 135 introduces a new client-side Machine Learning (ML) model to better parse password forms on the web to increase detection and filling accuracy. You can control this feature using the PasswordManagerEnabled policy.
- Chrome 135 on Android, iOS, ChromeOS, Linux, macOS, Windows

Client’s LLM assistance in mitigating scams
Users on the web are facing significant amounts and varieties of scams on a daily basis. To combat these scams, Chrome 135 uses on-device Large Language Models (LLMs) to identify scam websites for Enhanced protection users. Chrome sends the page content to an on-device LLM to infer security-related signals for that page. Chrome then sends these signals to Safe Browsing server side for a final verdict. When turned on, Chrome might consume more bandwidth to download the LLM.
- Chrome 134 on Linux, macOS, Windows
  Gather the brand name and intent summary of the page that requested keyboard lock API to identify scam websites.
- Chrome 135 on Linux, macOS, Windows
  Show the warnings to the user based on the server verdict which uses the brand and intent summary of the page that requested keyboard lock API.

Deprecate mutation events
Synchronous mutation events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer.

Since Chrome 124, a temporary enterprise policy, MutationEventsEnabled, is available to re-enable deprecated or removed mutation events. To read more, see this Chrome for Developers blog post. If you encounter any issues, you can file a Chromium bug.

Mutation event support is disabled by default, since Chrome 127, or around July 30, 2024. Code should have been migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used up until Chrome 135, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 135.
- Chrome 135 on Android, Linux, macOS, Windows: The MutationEventsEnabled enterprise policy will be deprecated.

Download file type extension-based warnings - documentation correction
We’ve updated the policy documentation for ExemptDomainFileTypePairsFromFileTypeDownloadWarnings to correctly reflect its interaction with the DownloadRestrictions policy. The behavior in Chrome has not changed.

The behavior is: ExemptDomainFileTypePairsFromFileTypeDownloadWarnings can specify exemptions that override DownloadRestrictions settings for blocking dangerous file types. Other types of security measures specified by DownloadRestrictions, such as blocking malicious downloads, cannot be overridden by ExemptDomainFileTypePairsFromFileTypeDownloadWarnings.
- Chrome 135 on ChromeOS, Linux, macOS, Windows
  No Chrome changes - documentation change only.

Extensions improvements on Chrome Desktop
On Chrome 135 on Desktop, some users who sign in to Chrome when installing a new extension can now use and save extensions in their Google Account.

Relevant enterprise policies controlling extensions, as well as BrowserSignin, SyncDisabled or SyncTypesListDisabled, continue to work as before, so admins can configure whether users can use and save items in their Google Account.

For more information about how to use extensions on any computer, see Install and manage extensions in the Chrome Web Store Help Center.

Note: This change is a follow-up to the launch of the new identity model on Chrome Desktop. For more details, see Sign in and sync in Chrome.
- Chrome 135 on Linux, macOS, Windows

Generic Device Trust Connector
Integrations created through the Device Trust Connector allow customers to implement granular controls for authentication into enterprise resources, for example, SaaS apps or your corporation intranet, based on the properties of the end user’s device and browser instance sent by Chrome. For more details, see Manage Chrome Enterprise device trust connectors.
- Chrome 135 on Windows

Remove Private Network Access enterprise policies
Private Network Access (PNA 1.0) is an unshipped security feature designed to limit website access to local networks. Due to deployability concerns, PNA 1.0 was never able to ship by default, as it was incompatible with too many existing devices.

PNA 1.0 required changes to devices on local networks. Instead, Chrome is implementing an updated proposal, Private Network Access 2.0 (PNA 2.0). PNA 2.0 only requires changes to sites that need to access the local network, rather than requiring changes to devices on the local network. Sites are much easier to update than devices, and so this approach should be much more straightforward to roll out.

The only way to enforce PNA 1.0 is via enterprise policy. To avoid regressing security for enterprise customers opting-in to PNA 1.0 prior to shipping PNA 2.0, we will maintain the PrivateNetworkAccessRestrictionsEnabled policy, which causes Chrome to send special preflight messages, until such time that it becomes incompatible with PNA 2.0.

Chrome 135 removes the InsecurePrivateNetworkRequestsAllowedForUrls and InsecurePrivateNetworkRequestsAllowed policies, which loosen PNA 1.0 restrictions. These policies currently have no effect, since PNA 1.0 is not shipped, and they will have no meaning once PNA 1.0 is removed.

PNA 2.0 is described in this explainer on GitHub.
- Chrome 135 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia
  Removal of InsecurePrivateNetworkRequestsAllowedForUrls and InsecurePrivateNetworkRequestsAllowed policies.
- Chrome 137 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia
  Removal of PrivateNetworkAccessRestrictionsEnabled.

Remove ThirdPartyBlockingEnabled policy
Due to unexpected issues, we plan to remove the ThirdPartyBlockingEnabled policy in Chrome 135. If you have feedback about this removal, you can file a Chromium bug.
- Chrome 132 on Windows
  Deprecation of ThirdPartyBlockingEnabled policy
- Chrome 135 on Windows
  Removal of ThirdPartyBlockingEnabled policy

Settings, site shortcuts, and themes improvements on Chrome Desktop
On Chrome 135 on Desktop, for users who newly sign in to Chrome or who have Sync enabled, settings, site shortcuts and themes synced to their Google Account will now be kept separate from the local ones, that is, settings from when they’re signed out or when Sync is turned off.

This allows for strictly less data sharing than previously: local settings don’t get automatically uploaded when signing in or turning on Sync, and no settings from the account are left behind on the device when Sync is turned off.

Existing enterprise policies SyncDisabled and SyncTypesListDisabled will continue to apply so admins can restrict or disable the Sync feature if they want to. For more details, see Manage who can sync browser settings.

Note: This change is a follow-up to the launch of the new identity model on Chrome Desktop.
- Chrome 135 on Linux, macOS, Windows

Sunsetting the legacy Password Manager in Chrome on Android
Users with old versions of Google Play Services will lose Password Manager functionality in Chrome. This is a step towards sunsetting the legacy Password Manager in Chrome on Android. These users can download a CSV file with their passwords from Chrome Settings and import it to their preferred Password Manager. The new Google Password Manager is available on devices with a recent version of Google Play Services.
- Chrome 135 on Android

Third-party cookies always blocked in Incognito mode
Starting in Chrome 135, users have third-party cookies blocked in Incognito mode with no way to globally re-enable them. Site-level controls for allowing third-party cookies will not be changed.

With this launch, the BlockThirdPartyCookies policy applies to regular mode only when set to false, not Incognito mode. There are no changes when the policy is true or unset. There are also no changes to the CookieAllowedForUrls policy, which continues to apply in both regular and Incognito modes, as it applies at the site level and not globally.
- Chrome 135 on Android, ChromeOS, Linux, macOS, Windows

Create service worker client and inherit service worker controller for srcdoc iframe
Srcdoc context documents were previously not service worker clients and were not covered by their parent page’s service worker. This resulted in some discrepancies (for example, Resource Timing reports the URLs that these documents load, but the service worker doesn’t intercept them).

To fix these discrepancies, Chrome 135 creates service worker clients for srcdoc iframes and makes them inherit the parent page's service worker controller.
- Chrome 135 on Windows, macOS, Linux, Android

HSTS tracking prevention
HTTP Strict Transport Security (HSTS) allows sites to declare themselves accessible through secure connections only.

In Chrome 135, HSTS tracking prevention mitigates user tracking by third-parties using the HSTS cache. It only allows HSTS upgrades for top-level navigations and blocks HSTS upgrades for sub-resource requests. This prevents third-party sites using the HSTS cache to track users across the web. For more information, see this HSTS Tracking Prevention explainer on Github.
- Chrome 135 on Windows, macOS, Linux, Android

Remove deprecated navigator.xr.supportsSession method
Chrome 135 removes the navigator.xr.supportsSession method, which was replaced in the WebXR spec by the navigator.xr.isSessionSupported method in September of 2019 after receiving feedback on the API shape from the TAG. It has been marked as deprecated in Chromium since then, producing a console warning redirecting developers to the updated API.

Usage of the call is very low, as shown by Chrome Status usage metrics. Additionally, all major frameworks that are used to build WebXR content have been confirmed to have been updated to use the newer call.
- Chrome 135 on Windows, macOS, Linux, Android

Remove --load-extension command line switch in Google Chrome
Starting in Chrome 137, to enhance the security and stability of the Chrome browser for our users, official Chrome branded builds will be deprecating the ability to load extensions via the --load-extension command-line flag. This change aims to mitigate the risks associated with harmful and unwanted extensions.

With developer mode enabled, you can load unpacked extensions using the Load Unpacked button on the extension management page (chrome://extensions/). Developers can still use the --load-extension switch in non-branded builds such as Chromium and Chrome For Testing.
- Chrome 135 on Windows, macOS, Linux, ChromeOS

New policies in Chrome browser

Policy	Description
DownloadRestrictions	Blocks malicious downloads and dangerous file types
PartitionedBlobUrlUsage	Choose whether Blob URLs are partitioned during fetching and navigations
ExtensibleEnterpriseSSOBlocklist	Blocklist of identity providers that cannot use Extensible Enterprise SSO for the browser
EnterpriseSearchAggregatorSettings	Enterprise search aggregator settings (Beta)
ProfilePickerOnStartupAvailability	Profile picker availability on startup

Removed policies in Chrome browser

Policy	Description
ThirdPartyBlockingEnabled	Enable third party software injection blocking
KeyboardFocusableScrollersEnabled	Enable keyboard focusable scrollers

Chrome Enterprise Core changes

Apple extensible SSO support for Chrome on macOS
Chrome 135 on macOS enables seamless authentication for identity providers that are enabled via an OS-configured Enterprise Single Sign On (SSO) extension. For this initial release, Chrome allows end users on managed browsers to sign in to any Microsoft Entra-authenticated resources without the need to enter any credentials. Extensible SSO needs to be pre-configured in your environment and deployed with its respective enterprise device management solution. For more details, see Use Apple Extensible Single Sign-on support in Chrome.
- As early as Chrome 135 on macOS

New content on the Chrome Web Store Discover page for managed users
The Chrome Web Store now displays new curated collections related to productivity, project management and collaboration on the Discover page for managed users. The goal is to help end-users find useful and more relevant work-related extensions faster.

As an Administrator, you can control the display of the Chrome Web Store for your managed users using the Chrome Web Store settings (previously announced in Chrome 132).
- Chrome 135: Gradual release as early as April 1, 2025.

Chrome Enterprise Premium changes

There are no updates for Chrome Enterprise Premium in Chrome 135.

Read more about the differences between Chrome Enterprise Core and Chrome Enterprise Premium.

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

Remote debugging port custom data directory requirement
Remote debugging via a TCP port or a pipe will no longer be possible in Google Chrome with the default data directory on Windows, Linux and macOS.

A custom data directory must be specified to remotely debug Google Chrome using the --user-data-dir switch, when using the --remote-debugging-pipe or --remote-debugging-port switches.

The motivation for this change is because these remote debugging switches are being abused by infostealers and malware to extract data from Google Chrome. A custom user data directory uses a different encryption key and so it becomes no longer possible for malware to steal encrypted data such as cookies.

This change does not affect Chrome for Testing and Chromium.
- Chrome 136 on Linux, macOS, Windows

Blob URL Partitioning: Fetching/Navigation
As a continuation of Storage Partitioning, Chromium will implement partitioning of Blob URL access by Storage Key (top-level site, frame origin, and the has-cross-site-ancestor boolean), with the exception of top-level navigations which will remain partitioned only by frame origin. This behavior is similar to what’s currently implemented by both Firefox and Safari, and aligns Blob URL usage with the partitioning scheme used by other storage APIs as part of Storage Partitioning. In addition, Chromium will enforce noopener on renderer-initiated top-level navigations to Blob URLs where the corresponding site is cross-site to the top-level site performing the navigation. This aligns Chromium with similar behavior in Safari, and the relevant specs have been updated to reflect these changes.

This change can be temporarily reverted by setting the PartitionedBlobURLUsage policy. The policy will be deprecated when the other storage partitioning related enterprise policies are deprecated.
- Chrome 136 on Windows, macOS, Linux, Android

Deprecate getters of Intl Locale Info API
Intl Locale Info API is a Stage 3 ECMAScript TC39 proposal to enhance the Intl.Locale object by exposing locale information, such as week data (first day in a week, weekend start day, weekend end day, minimum day in the first week), and text direction hour cycle used in the locale.

We shipped our implementation in Chrome 99 but later on the proposal made some changes in Stage 3 and moved several getters to functions. We plan to remove the deprecated getters and relaunch the renamed functions.
- Chrome 136 on Windows, macOS, Linux, Android

FedCM updates
As early as Chrome 136, Federated Credential Management API (FedCM) will be able to show multiple identity providers in the same dialog. This will provide developers with a convenient way to present all supported identity providers to users. We are planning to first tackle the simple case of having all providers in the same get() call.

We plan to remove support for adding another account in FedCM passive mode. This feature allows showing a Use another account button alongside other IdP accounts in the chooser. The feature is currently unused, and UX conversations indicate that supporting this leads to a more complicated flow without much benefit. This feature will still work in FedCM active mode.
- Chrome 136 on Windows, macOS, Linux, Android

Partitioning :visited links history
To eliminate user browsing history leaks, anchor elements are styled as :visited only if they have been clicked from this top-level site and frame origin before. On the browser-side, this means that the VisitedLinks hashtable is now partitioned by triple-keying, or by storing the following for each visited link: <link URL, top-level site, frame origin>. By only styling links that have been clicked on this site and frame before, the many side-channel attacks that have been developed to obtain :visited links styling information are now obsolete, as they no longer provide sites with new information about users.

There is an exception for self-links, where links to a site's own pages can be styled as :visited even if they have not been clicked on in this exact top-level site and frame origin before. This exemption is only enabled in top-level frames or subframes, which are same-origin with the top-level frame. The privacy benefits above are still achieved because sites already know which of its subpages a user has visited, so no new information is exposed. This was a community-requested exception that improves user experience as well.
- Chrome 136 on Windows, macOS, Linux, Android

Strict Same Origin Policy for Storage Access API
Chrome 136 will adjust Storage Access API semantics to strictly follow the Same Origin policy, to enhance security. This means that using document.requestStorageAccess() in a frame will only attach cookies to requests to the iframe's origin (not site) by default.

Note: the CookiesAllowedForUrls policy or Storage Access headers can still be used to unblock cross-site cookies.
- Chrome 136 on Windows, macOS, Linux, Android

Remove SwiftShader fallback
As early as Chrome 137, we plan to deprecate automatic fallback to WebGL backed by SwiftShader. WebGL context creation will fail instead of falling back to SwiftShader. We plan to remove SwiftShader fallback for two primary reasons:
1. SwiftShader is a high security risk due to JIT-ed code running in Chromium's GPU process.
2. Users have a poor experience when falling back from a high-performance GPU-backed WebGL to a CPU-backed implementation. Users have no control over this behavior and it is difficult to describe in bug reports.
SwiftShader is a useful tool for web developers to test their sites on systems that are headless or do not have a supported GPU. This use case will still be supported by opting in but is not intended for running untrusted content.

To opt in to lower security guarantees and allow SwiftShader for WebGL, run the chrome executable with the --enable-unsafe-swiftshader command-line switch.

During the deprecation period, a warning will appear in the JavaScript console when a WebGL context is created and backed with SwiftShader. Passing --enable-unsafe-swiftshader will remove this warning message.

Chromium and other browsers do not guarantee WebGL availability. You can test and handle WebGL context creation failure and fall back to other web APIs such as Canvas2D or an appropriate message to the user.
- Chrome 137 on Windows, macOS, Linux, Android

Disallow spaces in non-file:// URL host
As stated in the WhatWG.org spec, URL hosts cannot contain the space character, but currently URL parsing in Chromium allows spaces in the host.

This causes Chromium to fail several tests included in the Interop2024 'HTTPS URLs for WebSocket' and URL focus areas.

To bring Chromium into spec compliance, we would like to remove spaces from URL hosts altogether, but a difficulty with this is that they are used in the host part in Windows file:// URLs. To read more, see the discussion on Github.

This feature will be part of the ongoing work to bring Chromium closer to spec compliance by forbidding spaces in non-file URLs only.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia

Chrome will remove support for macOS 11
Chrome 138 will be the last release to support macOS 11; Chrome 139+ will no longer support macOS 11, which is outside of its support window with Apple. Running on a supported operating system is essential to maintaining security.

On Macs running macOS 11, Chrome will continue to work, showing a warning infobar, but will not update any further. If a user wishes to have their Chrome be updated, they need to update their computer to a support version of macOS.

For new installations of Chrome 139+, macOS 12+ will be required.
- Chrome 139 on Windows, macOS

Isolated Web Apps
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering, which is necessary for developers of security-sensitive applications.

Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in Getting started with Isolated Web Apps.

In the initial release, IWAs will only be installable through a policy on enterprise-managed ChromeOS devices.
- Chrome 140 on Windows
  This rollout adds support for Isolated Web Apps in enterprise-managed browser configurations on Windows.

SafeBrowsing API v4 to v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5.

If admins have any v4-specific URL allowlisting to allow network requests to https://safebrowsing.googleapis.com/v4*, these should be modified to allow network requests to the whole domain instead: safebrowsing.googleapis.com. Otherwise, rejected network requests to the v5 API will cause security regressions for users.
- Chrome 145 on Android, iOS, ChromeOS, Linux, macOS, Windows
  This will be a gradual rollout.

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome started directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Admins might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that admins can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise admins may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 147 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Upcoming Chrome Enterprise Core changes

Improved Admin console reporting performance and scalability for large customers

Chrome Enterprise Core will roll out software infrastructure changes that aim to improve the performance, accuracy and scalability of many pages and reports in the Admin console. The pages and reports impacted in the Admin console include (but are not limited to):
- Versions report
- Apps & Extension Usage report
- Extension Details page
- Chrome Insights page for browsers
The changes are planned to gradually roll out between April and July 2025.
- As early as April 2025, until July 2025

New remote commands and CSV export for the Managed Profile List

We plan to add a CSV export action and Clear cache and Clear cookies remote commands on the Managed profile list. You will be able to select one or multiple profiles and perform a remote command.
- CSV Export: As early as Chrome 135 on Android, Linux, macOS, Windows
- Remote Commands: As early as Chrome 136 on Linux, macOS, Windows

New Overview landing page for Chrome Enterprise Core

This new overview page will be located in the Chrome browser section of the Admin console and it will display insightful information about your deployment, such as a summary of your browser and profiles deployment, a summary of Chrome versions reported and extensions installed. For example, those insights will allow you to quickly identify inactive browsers and browsers with a pending update. You will also be able to quickly see your queue of extension requests and review extensions that have been configured.
- As early as Chrome 135 for early Trusted Testers access

IP Address logging and reporting

Chrome Enterprise is enhancing its security monitoring and incident response capabilities by collecting and reporting local and remote IP addresses and sending those IP addresses to the Security Investigation Logs (SIT). In addition, Chrome Enterprise will allow admins to optionally send the IP addresses to both in-house and third-party Security and Information Event Management (SIEM) providers via the Chrome Enterprise Reporting connector.

This will be available for Chrome Enterprise Core customers.
- Chrome 136 on Windows, macOS, Linux

Inactive profile deletion in Chrome Enterprise Core

In April 2025 (Chrome 136), the inactive period for profile deletion policy will start rolling out. In June 2025 (Chrome 138), the policy will begin to automatically delete managed profiles in the Admin console that have been inactive for more than the defined inactivity period. When releasing the policy, the inactivity period of time has a default value of 90 days. Meaning that by default, all managed profiles that have been inactive for more than 90 days are deleted from your account. Administrators can change the inactive period value using this policy. The maximum value to determine the profile inactivity period is 730 days and the minimum value is 28 days.

If you lower the set policy value, it might have a global impact on any currently managed profiles. All impacted profiles will be considered inactive and, therefore, be deleted. This does not delete the user account. If an inactive profile is re-activated on a device, that profile will reappear in the console.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows
  Policy will roll out in April (Chrome 136). Deletion will start in June (Chrome 138) and the initial wave of deletion will complete by the end of July (Chrome 139). After the initial deletion rollout, inactive profiles will continue to be deleted once they have reached their inactivity period.

Upcoming Chrome Enterprise Premium changes

URL filtering on iOS and Android
We will extend the existing URL filtering capabilities from desktop to mobile platforms, providing organizations with the ability to audit, warn, or block certain URLs or categories of URLs from loading on managed Chrome browsers or managed user profiles on mobile devices. This includes ensuring the functionality works seamlessly with Context-Aware Access (CAA) which allows admins to set access policies based on user context (for example, user role, location) and device state (for example, managed device, security compliance).
- Chrome 136 on Android
- Chrome 137 on Android, iOS

Refactor DLP rules user experience
We aim to create a more user-friendly and efficient interface for Chrome-specific DLP rules. This involves redesigning the rule creation workflow in the Admin console to better accommodate existing and upcoming security features for Chrome Enterprise Premium customers.
- Chrome 137 on Windows, macOS, Linux, ChromeOS

Reporting connector for mobile
We are working towards feature parity with the desktop version, enabling organizations to monitor and respond to security events on mobile devices, such as unsafe site visits and potential data exfiltration attempts. This helps ensure consistent security and policy enforcement across different platforms.
- Chrome 137 on Android, iOS

Connectors API
We plan to simplify the setup process for third-party security connectors and enable providers to manage configurations directly from their own UI. This aims to make it easier for organizations to integrate their preferred security tools and services with Chrome, enhancing security and management across different platforms.
- Chrome 137 on Windows, macOS, Linux, ChromeOS

↑ back to top

ChromeOS 135 release summary

ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
ChromeOS policy for battery longevity			✓
Android Bluetooth stack, Fluoride, on ChromeOS Flex			✓
External storage allowlist policy	✓
Image content search		✓
Fast Pair for compatible input devices		✓
Mouse Keys on ChromeOS		✓
Face control enhancements		✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Upcoming deprecation of user-installed Chrome Apps		✓	✓
ChromeOS freeform wallpapers		✓
Quick Share enhancements		✓
Event-based device log collection for troubleshooting			✓

DOWNLOAD Release notes (PDF)

↑ back to top

ChromeOS updates

ChromeOS policy for battery longevity

ChromeOS 135 introduces a new battery charge limit policy, DevicePowerBatteryChargingOptimization , which offers more optimization options. Battery charging optimization helps extend the lifespan of Chromebooks.

Administrators can set a maximum charge limit, with 100% as the default, to minimize battery degradation and improve long-term reliability.

The new policy benefits both administrators managing fleets of devices, such as in educational settings, and individual users seeking to maximize their Chromebook's longevity. This policy does not require user interaction though administrators may wish to inform end users of the change to charging limits.

Android Bluetooth stack, Fluoride, on ChromeOS Flex

In ChromeOS 122, we started rolling out Fluoride on ChromeOS devices and now it's being brought to ChromeOS Flex. The transition will happen seamlessly on login, preserving existing paired devices, and should work with Bluetooth devices today with no interruptions. For more details, see Android’s Bluetooth stack, Fluoride, comes to ChromeOS.

If you experience issues, please file feedback and, if necessary, disable the new stack via chrome://flags/#bluetooth-use-floss.

External storage allowlist policy

ChromeOS policy to specify devices to be exempt from external storage restrictions. The new ExternalStorageAllowlist policy lets administrators specify certain devices that will be exempt from previously-set external storage restrictions. By setting the policy, administrators can now restrict access to all external storage, but still allow trusted devices to have read/write access.

Image content search

Instead of searching by file names, users can now search by the content of their images in Launcher.

Fast Pair for mice on ChromeOS

Fast Pair is now available for mice on ChromeOS. You can now bring a Fast Pair-compatible mouse close to your ChromeOS device, and be prompted to pair it with one click. For details, see Connect Chromebook to Bluetooth devices.

Mouse Keys on ChromeOS

Mouse Keys is an accessibility feature that allows customers to control their mouse pointer using the keyboard. This is helpful for people who have difficulty or pain using a traditional mouse.

Face control enhancements

We've made it clearer when Face control is active and simplified the process of turning it off. You'll now see a prominent Face control active message with a convenient close button directly in the UI. Additionally, you’ll see a notification to inform you when Face control is turned on.

To reduce unintended session transitions, we have removed Face control accessibility settings on the login screen for managed devices.

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming ChromeOS changes

Upcoming deprecation of user-installed Chrome apps

As early as ChromeOS 139 (currently planned for stable release on August 19th), user-installed Chrome apps will stop working. Starting in ChromeOS M135, a notification displays to remind users of the upcoming deprecation. For more details, see End of support for Chrome apps.

ChromeOS freeform wallpapers

As early as ChromeOS 136, freeform wallpapers will offer an unrestricted input field that empowers users to express their individuality, creativity, and passions by turning their background into a personal canvas. Users will be able to generate wallpapers by inputting different prompts in the text field, or use the Inspire me feature, which will generate random prompts and wallpapers until you find one you like. This feature will be available on Chromebook Plus devices only. For more information, see Wallpaper settings .

Admins can control this feature using the GenAIWallpaperSettings policy.
- For 18+ consumers, the default is Allow with data collection. Users under 13 cannot access the feature.
- For 18+ managed users, the default is Allow without data collection.
- Users under 18 cannot access the feature.

Quick Share enhancements

As early as ChromeOS 136, Quick Share extends Visible to everyone mode duration to a maximum of 10 minutes from 5. This feature allows your device to share files with and receive files from Android devices and other Chromebooks. Users can set device visibility, enter Visible to everyone mode, toggle Quick Share, and go to the Quick Share settings page all from quick settings.

Event-based device log collection for troubleshooting (Admin console)

To help troubleshoot device issues (like crashes or failed OS updates), ChromeOS automatically collects and uploads device logs. This happens when these specific settings are turned on:
- Enable device system log upload: turns on the overall log collection
- Report device OS information -> OS update status: collects data about OS updates
- Report device telemetry -> Crash information: gathers fatal crash information
As early as ChromeOS 136, when a problem occurs, IT admins will see a notification with a direct link to the uploaded logs on the ChromeOS device's details page in the Admin console. You can also see a history of device events. Log uploads happen a maximum of two times a day, and each file is typically 400KB to 1MB in size.

For details, see these articles in the Chrome Enterprise and Education Help Center:
- Remote log collection for ChromeOS devices
- View ChromeOS Device List and Details

↑ back to top

Chrome 134

Chrome 134 release summary

Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Search your screen with Google Lens on Desktop and iOS		✓
Security & Privacy panel in Chrome DevTools	✓	✓
Better password form detection with ML	✓
Client’s LLM assistance in mitigating scams	✓
LLM-powered on-device detection of abusive notifications on Android			✓
Customizing managed profiles with custom logo and label		✓	✓
Device Bound Session Credentials google.com prototype	✓
Password change	✓
Read aloud in Reading mode in Chrome 134		✓
Restrict unpacked extensions to developer mode	✓
Show settings for AI features in policy level 2 in settings			✓
Customizable <select> element		✓
HTML parser relaxation for <select>	✓
Remove nonstandard getUserMedia audio constraints	✓
Updates to Chrome sign-in flows for managed users	✓
New tab page cards for Microsoft Outlook and Sharepoint		✓
New policies in Chrome browser			✓
Removed policies in Chrome browser			✓
Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
Chrome Enterprise Companion			✓
DownloadRestrictions policy support on iOS	✓
Recommended policies (User override)			✓
Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
Evidence Locker	✓
Screenshot prevention	✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Deprecate mutation events		✓
Extensions improvements on Chrome Desktop	✓	✓
Removal of Private Network Access enterprise policies	✓
Remove ThirdPartyBlockingEnabled policy			✓
Settings, site shortcuts, and themes improvements on Chrome Desktop	✓
Sunsetting the legacy Password Manager in Chrome on Android	✓
Third-party cookies always blocked in Incognito mode	✓
Blob URL Partitioning: Fetching/Navigation	✓
Create service worker client and inherit service worker controller for srcdoc iframe	✓
Deprecate getters of Intl Locale Info	✓
Partitioning :visited links history	✓
HSTS tracking prevention	✓
Remove deprecated navigator.xr.supportsSession method	✓
Strict same-origin policy for Storage Access API	✓
UI Automation accessibility framework provider on Windows		✓
Remove SwiftShader fallback	✓
Disallow spaces in non-file:// URL hosts	✓
SafeBrowsing API v4 → v5 migration	✓
Upcoming Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
Extensible SSO support for Chrome on macOS		✓	✓
Isolated Web Apps	✓
Upcoming Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
Refactor DLP rules user experience	✓
URL filtering on iOS and Android	✓
Reporting connector for mobile	✓
Connectors API	✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser changes

Search your screen with Google Lens on Desktop and iOS
Admins can control all elements of this feature through a policy called LensOverlaySettings. To perform the search, a screenshot of the screen is sent to Google servers but it is not linked to any IDs or accounts, it is not viewed by any human, and data about its contents is not logged. To contextualize the search to the document or website the user is viewing, the PDF bytes or website HTML is sent to Google servers but is not linked to any IDs or accounts, not viewable by any human, and the data or data generated about its contents is not logged.

Desktop

Since Chrome 126, users can search any images or text they see on their Desktop screen with Google Lens. To use this feature, go to a website and click the Google Lens chip on the on-focus omnibox or right-click an image and select Search with Google Lens. Users can select anywhere on the screen to search its contents, and refine their search by adding questions to the search box. Starting in Chrome 132, users can also ask questions about entire web pages or PDF documents and answers will reference their current document and the web. To use this feature, invoke Search with Google Lens as described above and enter queries into the search box on the top right corner of the Chrome window. A side panel will open on the right side of the browser window with search results.

iOS

Since Chrome 131, users can search any images or text they see on their iOS Chrome screen with Google Lens. To use this feature, go to a website and click on the 3-dot menu > Search with Google Lens. Starting in Chrome 134, users can also invoke this feature by clicking the Google Lens icon on the left side of the omnibox. Users can click, highlight, or drag anywhere on the screen to search its contents, and refine their search by adding keywords or questions to the search box.

Rollout details:
- Chrome 126 on ChromeOS, Linux, macOS, Windows: Rollout of the feature to 1% Stable
- Chrome 127 on ChromeOS, Linux, macOS, Windows: Rollout to 100% Stable
- Chrome 131 on iOS: Rollout of the feature to 1% Stable
- Chrome 132 on ChromeOS, Linux, macOS, Windows: Rollout of the expanded feature to 1% Stable
- Chrome 133 on iOS: Rollout to 100% Stable
- Chrome 134 on iOS: Rollout of the expanded feature to 100% Stable

Security & Privacy panel in Chrome DevTools
Starting in Chrome 134, developers can use the new Security & Privacy panel in Chrome DevTools to test how their site behaves when third-party cookies are limited. Developers can temporarily limit third-party cookies, observe how their site behaves, and review the status of third-party cookies on their site.

This feature does not make any permanent changes to existing enterprise policies, but it lets third-party cookie related enterprise policies (that is, BlockThirdPartyCookies and CookiesAllowedForUrls) be temporarily overridden, to test enhanced restrictions. If your enterprise policy already blocks third-party cookies using BlockThirdPartyCookies, this feature will be disabled.

The new Security & Privacy panel replaces the existing Security panel. TLS connection and certificate information continue to be available on the Security menu on the left, within the Security & Privacy panel.
- Chrome 134 on ChromeOS, Linux, macOS, Windows

Better password form detection with ML
Chrome 134 introduces a new client-side Machine Learning (ML) model to better parse password forms on the web to increase detection and filling accuracy. You can control this feature using the PasswordManagerEnabled policy.
- Chrome 134 on Android, iOS, ChromeOS, Linux, macOS, Windows

Client’s LLM assistance in mitigating scams
Users on the webs are facing enormous amounts of several kinds of scams a day. To combat these scams, Chrome will leverage on-device Large Language Model (LLM) to identify scam websites for Enhanced Safe Browsing users. Chrome will send the page content to an on-device LLM to infer security-related signals of the page and send these signals to Safe Browsing server side for a final verdict. When enabled, Chrome may consume more bandwidth to download the LLM.

An enterprise policy SafeBrowsingProtectionLevel is available to control safe browsing and the mode it operates in.
- Chrome 134 on Linux, macOS, Windows
  Gather the brand name and intent summary of the page that requested keyboard lock API to identify scam websites.

LLM-powered on-device detection of abusive notifications on Android
This launch aims to hide the contents of notifications that are suspected to be abusive. The user then has the options to dismiss, show the notification, or unsubscribe from the origin. This detection is to be done by an on-device model.
- Chrome 134 on Android

Customizing managed profiles with custom logo and label
New toolbar and profile menu customizations that help users easily identify if their Chrome profile is managed, whether they're on a work or personal device. This is especially useful for scenarios where employees use their own devices with managed accounts.

To help tailor this experience, we're adding three new policies:
- EnterpriseCustomLabel: Customize the text displayed on the toolbar element to match your organization's branding.
- EnterpriseLogoUrl: Add your company logo to the profile menu.
- EnterpriseProfileBadgeToolbarSettings: This policy can disable the default label for a managed profile in the Chrome toolbar.
In Chrome 134, these policies will be available to customize the logo and label shown on a managed profile. The policies will take effect on user’s managed profiles.

Starting Chrome 135, there will be updates to the default behavior of the profile label and icon overlaid on the account avatar. Managed profiles will show a work or school label in addition to the profile disk. In the profile menu, there will be a building icon overlaid on the account avatar. The expanded profile disk can be disabled via EnterpriseProfileBadgeToolbarSettings.
- Chrome 134 on macOS, Windows, Linux
  Policies to customize the toolbar label and icon (in profile menu) are available in the Admin console. If policies have already been set, the user will see the customized logo and label.
- Chrome 135: Starting rollout of defaults including:
  - 1) work or school label shown in toolbar, next to user avatar
  - 2) A building icon overlayed on the user's account photo in the profile menu. The label can be turned off via EnterpriseProfileBadgeToolbarSettings. Starting with 1% and gradual slow rollout thereafter.

Device Bound Session Credentials google.com prototype
The Device Bound Session Credentials (DBSC) project is intended to move the web away from long-lived bearer credentials like cookies, which can be stolen and reused, to credentials which are either short-lived or cryptographically bound to a device.

The feature aims at protecting users against credential theft which is typically performed by malware running on the user's device.

The current launch is a proof-of-concept targeting the google.com website. In the future, we plan to standardize this approach for other websites and web browsers.

Enterprise admins can control the feature state using the BoundSessionCredentialsEnabled boolean policy.
- Chrome 124 on Windows
  Planned 1% rollout on Chrome stable for google.com cookie binding for the general population.
- Chrome 134 on Windows
  Added binding support for OAuth2.0 refresh tokens that are used for Chrome sign-in.

Password change
This feature gives users the option to change leaked credentials immediately. The feature can only be triggered from the Check your Password dialog. When users see a warning for an eligible website, they can change the password there and then.
- Chrome 134 on Linux, macOS, Windows

Read aloud in Reading mode in Chrome 134
Reading mode is a side-panel feature that provides a simplified view of text-dense web pages. Reading mode now includes a Read aloud feature that allows users to hear the text they are reading spoken out loud. You can choose different natural voices and speeds, and see visual highlights as the text is spoken.
- Chrome 134 on Linux, macOS, Windows

Restrict unpacked extensions to developer mode
Starting in Chrome 134, unpacked extensions loaded from the chrome://extensions page will only be enabled if the developer mode switch is turned on. This change is intended to improve security by mitigating the risks associated with harmful unpacked extensions and developer mode tampering exploitation. An enterprise policy, ExtensionDeveloperModeSettings, is available to gate the existing developer mode switch.
- Chrome 134 on ChromeOS, Linux, macOS, Windows
  The feature will roll out to 100% of users on Chrome 134.

Show enterprise settings for AI features
Previously, AI features were hidden from settings when they are disabled by enterprise policy. Now, we will keep showing the features and show a Disabled by your organization notice, similar to other settings when they are disabled by policy.
- Chrome 134 on ChromeOS, Linux, macOS, Windows

Customizable <select> element
Customizable <select> allows developers to take complete control of the rendering of <select> elements by adding the appearance:base-select CSS property.

This feature relies on the SelectParserRelaxation flag, which changes the HTML parser to allow more tags within the <select> tag. Sites that include additional tags inside <select>, which were getting removed before, such as <span> tags, or sites that include an extremely large number of <option> tags in their <select>, might be affected by SelectParserRelaxation. This feature and SelectParserRelaxation can be controlled with the SelectParserRelaxation enterprise policy. Some issues that have come up in prior launches of SelectParserRelaxation include <select> elements taking a very long time to open or <option> tags not showing up anymore.
- Chrome 134 on Windows, macOS, Linux, Android

HTML parser relaxation for <select>
In Chrome 134, the HTML parser allows more tags in <select> in addition to <option>, <optgroup>, and <hr>.

This supports the customizable <select> feature but is being shipped first because it can be done separately and has some compatibility risk.

This feature is gated by the temporary policy SelectParserRelaxationEnabled. This is a temporary transition period, and the policy will stop working by Chrome 141.

For more details, see the Customizable Select Element (Explainer).
- Chrome 134 on Windows, macOS, Linux, Android

Remove nonstandard getUserMedia audio constraints
Chrome 134 removes a number of nonstandard goog-prefixed constraints for getUserMedia, which existed before audio constraints were properly standardized.

Usage has gone down significantly ~0.000001% to 0.0009% (depending on the constraint) and some of them do not even have an effect due to changes in the Chromium audio-capture stack. Soon none of them will have any effect due to other upcoming changes.

We do not expect any major regressions due to this change. Applications using these constraints will continue to work, but will get audio with default settings (as if no constraints were passed). They can easily migrate to standard constraints.
- Chrome 134 on Windows, macOS, Linux, Android

Updates to Chrome sign-in flows for managed users
Enterprise users signing into the web or Chrome now see refreshed sign-in flows and management disclosures. In addition, the user might be prompted to create a new profile or continue working in the existing profile. Admins can continue to use BrowserSignIn or ProfileSeparationSettings to enforce a managed profile.
- Chrome 134 on Linux, macOS, Windows Roll-out continues

New tab page cards for Microsoft Outlook and Sharepoint
Enterprise users with Outlook or Sharepoint can now access their upcoming meetings or suggested files directly from the New tab page. This streamlined experience eliminates the need to switch tabs or waste time searching for your next meeting, allowing you to focus on what matters most. Admins who are interested in testing out this feature can Sign up to become a Trusted Tester.
- Available to Trusted Testers Chrome 134 on Windows, macOS, Linux

New policies in Chrome browser

Policy	Description
ProfileSeparationDataMigrationSettings	Profile separation data migration settings
NTPSharepointCardVisible	Show SharePoint and OneDrive File Card on the New Tab Page
NTPOutlookCardVisible	Show Outlook Calendar card on the New Tab Page
ServiceWorkerToControlSrcdocIframeEnabled	Allow ServiceWorker to control srcdoc iframes
PasswordManagerPasskeysEnabled	Enable saving passkeys to the password manager

Removed policies in Chrome browser

Policy	Description
No policies removed in Chrome 134

Chrome Enterprise Core changes

Chrome Enterprise Companion
Chrome Enterprise Companion is a new administrative binary that will be automatically installed with Chrome browsers enrolled into Chrome Enterprise Core or Chrome Enterprise Premium. It is meant to support Enterprise use cases, policies, and reporting.
- Chrome 134 on Windows, macOS

DownloadRestrictions policy support on iOS
DownloadRestrictions is a universal policy available to Chrome Enterprise Core users on Desktop platforms and on Android. The DownloadRestrictions policy is now supported on iOS. This allows admins to block all downloads on mobile Chrome on iOS.
- Chrome 135 on iOS

Recommended policies (User override)
Chrome has introduced the User override configuration in the Google Admin console for policies that can be set as recommended. This means that IT administrators can apply a policy value and allow users to override the policy value.
- On Chrome 134: the following policies are supported: BookmarkBarEnabled, PasswordManagerEnabled, PinUnlockAutosubmitEnabled, SchedulerConfiguration, PrintHeaderFooter, TranslateEnabled, SpellCheckServiceEnabled, ShowFullUrlsInAddressBar

Chrome Enterprise Premium changes

Evidence Locker
Evidence Locker allows Chrome Enterprise Premium administrators to store and inspect files that are flagged as malware or those that violate a Data Protection rule. A copy of the file is saved to the Google Cloud Storage bucket that is owned and specified by the organization. The security administrator can investigate the incidents using the security investigation tool and download the files that triggered the incident to analyze further. For more details, see Investigate and take action on suspicious files.
- Chrome 134 on ChromeOS, Linux, macOS, Windows

Screenshot prevention
Chrome 134 enhances the existing screenshot prevention feature by extending screen-sharing blocking to meeting apps like Google Meet, Zoom, Teams, and Slack. With this update, we build upon the successful release of data protection controls by adding key features and addressing gaps and user feedback.
- Chrome 134 on Windows, macOS

Read more about the differences between Chrome Enterprise Core and Chrome Enterprise Premium.

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

Deprecate mutation events
Synchronous mutation events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer.

Since Chrome 124, a temporary enterprise policy, MutationEventsEnabled, is available to re-enable deprecated or removed mutation events. To read more, see this Chrome for Developers blog post. If you encounter any issues, you can file a Chromium bug.

Mutation event support is disabled by default, since Chrome 127, or around July 30, 2024. Code should have been migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used up until Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
- Chrome 135 on Android, Linux, macOS, Windows: The MutationEventsEnabled enterprise policy will be deprecated.

Extension improvements on Chrome Desktop
On Chrome 135 on Desktop, some users who sign in to Chrome when installing a new extension can now use and save extensions in their Google Account.

Relevant enterprise policies controlling extensions, as well as BrowserSignin, SyncDisabled or SyncTypesListDisabled, will continue to work as before, so admins can configure whether users can use and save items in their Google Account.

For more information about how to use extensions on any computer, see Install and manage extensions in the Chrome Web Store help center.

Note: this change is a follow-up to the launch of the new identity model on Chrome Desktop.
- Chrome 135 on Linux, macOS, Windows

Removal of Private Network Access enterprise policies
Private Network Access (PNA 1.0) is an unshipped security feature designed to limit website access to local networks. Due to deployability concerns, PNA 1.0 was never able to ship by default, as it was incompatible with too many existing devices.

PNA 1.0 required changes to devices on local networks. Instead, Chrome is implementing an updated proposal, Private Network Access 2.0 (PNA 2.0). PNA 2.0 only requires changes to sites that need to access the local network, rather than requiring changes to devices on the local network. Sites are much easier to update than devices, and so this approach should be much more straightforward to roll out.

The only way to enforce PNA 1.0 is via enterprise policy. To avoid regressing security for enterprise customers opting-in to PNA 1.0 prior to shipping PNA 2.0, we will maintain the PrivateNetworkAccessRestrictionsEnabled policy, which causes Chrome to send special preflight messages, until such time that it becomes incompatible with PNA 2.0.

The InsecurePrivateNetworkRequestsAllowedForUrls and InsecurePrivateNetworkRequestsAllowed policies, which loosen PNA 1.0 restrictions, will be removed in Chrome 135. These policies currently have no effect, since PNA 1.0 is not shipped, and they will have no meaning once PNA 1.0 is removed.

PNA 2.0 is described in this explainer on GitHub.
- Chrome 135 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia
  Removal of InsecurePrivateNetworkRequestsAllowedForUrls and InsecurePrivateNetworkRequestsAllowed policies.
- Chrome 137 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia
  Removal of PrivateNetworkAccessRestrictionsEnabled.

Remove ThirdPartyBlockingEnabled policy
Due to unexpected issues, ThirdPartyBlockingEnabled will be removed in Chrome 135. If you have feedback about this removal, you can file a Chromium bug.
- Chrome 132 on Windows
  Deprecation of ThirdPartyBlockingEnabled policy
- Chrome 135 on Windows
  Removal of ThirdPartyBlockingEnabled policy

Settings, site shortcuts, and themes improvements on Chrome Desktop
On Chrome 135 on Desktop, for users who newly sign in to Chrome or who have Sync enabled, settings, site shortcuts and themes synced to their Google Account will now be kept separate from the local ones, that is, settings from when they’re signed out or when Sync is turned off.

This allows for strictly less data sharing than previously: local settings don’t get automatically uploaded when signing in or turning on Sync, and no settings from the account are left behind on the device when Sync is turned off.

Existing enterprise policies SyncDisabled and SyncTypesListDisabled will continue to apply so admins can restrict or disable the Sync feature if they want to.

Note: This change is a follow-up to the launch of the new identity model on Chrome Desktop. For more details, see Chrome Platform Status.
- Chrome 135 on Linux, macOS, Windows

Sunsetting the legacy Password Manager in Chrome on Android
Users with old versions of Google Play Services will lose Password Manager functionality in Chrome. This is a step towards sunsetting the legacy Password Manager in Chrome on Android. These users can download a CSV file with their passwords from Chrome Settings and import it to their preferred Password Manager. The new Google Password Manager is available on devices with a recent version of Google Play Services.
- Chrome 135 on Android

Third-party cookies always blocked in Incognito mode
Starting in Chrome 135, users will start having third-party cookies blocked in Incognito mode with no way to globally re-enable them. Site-level controls for allowing third-party cookies will not be changed.

With this launch, the BlockThirdPartyCookies policy will only apply to regular mode when set to false, not Incognito mode. There will be no changes when the policy is true or unset. There will also be no changes to the CookieAllowedForUrls policy, which will continue to apply in both regular and Incognito modes, as it applies at the site level and not globally.
- Chrome 135 on Android, ChromeOS, Linux, macOS, Windows

Blob URL Partitioning: Fetching/Navigation
As a continuation of Storage Partitioning, Chromium will implement partitioning of Blob URL access by Storage Key (top-level site, frame origin, and the has-cross-site-ancestor boolean), with the exception of top-level navigations which will remain partitioned only by frame origin. This behavior is similar to what’s currently implemented by both Firefox and Safari, and aligns Blob URL usage with the partitioning scheme used by other storage APIs as part of Storage Partitioning. In addition, Chromium will enforce noopener on renderer-initiated top-level navigations to Blob URLs where the corresponding site is cross-site to the top-level site performing the navigation. This aligns Chromium with similar behavior in Safari, and the relevant specs have been updated to reflect these changes.

This change can be temporarily reverted by setting the PartitionedBlobURLUsage policy. The policy will be deprecated when the other storage partitioning related enterprise policies are deprecated.
- Chrome 135 on Windows, macOS, Linux

Create service worker client and inherit service worker controller for srcdoc iframe
Srcdoc context documents are currently not service worker clients and are not covered by their parent page’s service worker. This results in some discrepancies (for example, Resource Timing reports the URLs that these documents load, but the service worker doesn’t intercept them). We aim to fix the discrepancies by creating service worker clients for srcdoc iframes and make them inherit the parent page's service worker controller.
- Chrome 135 on Windows, macOS, Linux, Android

Deprecate getters of Intl Locale Info API
Intl Locale Info API is a Stage 3 ECMAScript TC39 proposal to enhance the Intl.Locale object by exposing locale information, such as week data (first day in a week, weekend start day, weekend end day, minimum day in the first week), and text direction hour cycle used in the locale.

We shipped our implementation in Chrome 99 but later on the proposal made some changes in Stage 3 and moved several getters to functions. We need to remove the deprecated getters and relaunch the renamed functions.
- Chrome 135 on Windows, macOS, Linux, Android

Partitioning :visited links history
To eliminate user browsing history leaks, anchor elements are styled as :visited only if they have been clicked from this top-level site and frame origin before. On the browser-side, this means that the VisitedLinks hashtable is now partitioned by triple-keying, or by storing the following for each visited link: <link URL, top-level site, frame origin>. By only styling links that have been clicked on this site and frame before, the many side-channel attacks that have been developed to obtain :visited links styling information are now obsolete, as they no longer provide sites with new information about users.

There is an exception for self-links, where links to a site's own pages can be styled as :visited even if they have not been clicked on in this exact top-level site and frame origin before. This exemption is only enabled in top-level frames or subframes, which are same-origin with the top-level frame. The privacy benefits above are still achieved because sites already know which of its subpages a user has visited, so no new information is exposed. This was a community-requested exception that improves user experience as well.
- Chrome 135 on Windows, macOS, Linux, Android

HSTS tracking prevention
HTTP Strict Transport Security (HSTS) allows sites to declare themselves accessible through secure connections only. As early as Chrome 135, HSTS tracking prevention will mitigate user tracking by third-parties using the HSTS cache. It only allows HSTS upgrades for top-level navigations and blocks HSTS upgrades for sub-resource requests. This will prevent third-party sites using the HSTS cache to track users across the web. For more information, see this HSTS tracking prevention explainer on Github.
- Chrome 135 on Windows, macOS, Linux, Android

Remove deprecated navigator.xr.supportsSession method
navigator.xr.supportsSession was replaced in the WebXR spec by the navigator.xr.isSessionSupported method in September of 2019 after receiving feedback on the API shape from the TAG. It has been marked as deprecated in Chromium since then, producing a console warning redirecting developers to the updated API.

Usage of the call is very low, as shown by Chrome Status usage metrics. Additionally, all major frameworks that are used to build WebXR content have been confirmed to have been updated to use the newer call.
- Chrome 135 on Windows, macOS, Linux, Android

Strict Same Origin policy for Storage Access API
Chrome 135 will adjust Storage Access API semantics to strictly follow the Same Origin policy, to enhance security. This means that using document.requestStorageAccess() in a frame will only attach cookies to requests to the iframe's origin (not site) by default.

Note: the CookiesAllowedForUrls policy or Storage Access headers can still be used to unblock cross-site cookies.
- Chrome 135 on Windows, macOS, Linux, Android

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome started directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Admins might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that admins can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise admins may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Remove SwiftShader fallback
As early as Chrome 137, we plan to deprecate automatic fallback to WebGL backed by SwiftShader. WebGL context creation will fail instead of falling back to SwiftShader. We plan to remove SwiftShader fallback for two primary reasons:
1. SwiftShader is a high security risk due to JIT-ed code running in Chromium's GPU process.
2. Users have a poor experience when falling back from a high-performance GPU-backed WebGL to a CPU-backed implementation. Users have no control over this behavior and it is difficult to describe in bug reports.
SwiftShader is a useful tool for web developers to test their sites on systems that are headless or do not have a supported GPU. This use case will still be supported by opting in but is not intended for running untrusted content.

To opt-in to lower security guarantees and allow SwiftShader for WebGL, run the chrome executable with the --enable-unsafe-swiftshader command-line switch.

During the deprecation period, a warning will appear in the JavaScript console when a WebGL context is created and backed with SwiftShader. Passing --enable-unsafe-swiftshader will remove this warning message.

Chromium and other browsers do not guarantee WebGL availability. You can test and handle WebGL context creation failure and fall back to other web APIs such as Canvas2D or an appropriate message to the user.
- Chrome 137 on Windows, macOS, Linux, Android

Disallow spaces in non-file:// URL host
As stated in the WhatWG.org spec, URL hosts cannot contain the space character, but currently URL parsing in Chromium allows spaces in the host.

This causes Chromium to fail several tests included in the Interop2024 HTTPS URLs for WebSocket and URL focus areas.

To bring Chromium into spec compliance, we would like to remove spaces from URL hosts altogether, but a difficulty with this is that they are used in the host part in Windows file:// URLs. To read more, see the discussion on Github.

This feature will be part of the ongoing work to bring Chromium closer to spec compliance by forbidding spaces in non-file URLs only.
- Chrome 138 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia

SafeBrowsing API v4 to v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5.

If admins have any v4-specific URL allowlisting to allow network requests to https://safebrowsing.googleapis.com/v4*, these should be modified to allow network requests to the whole domain instead: safebrowsing.googleapis.com. Otherwise, rejected network requests to the v5 API will cause security regressions for users.
- Chrome 145 on Android, iOS, ChromeOS, Linux, macOS, Windows
  This will be a gradual roll-out.

Upcoming Chrome Enterprise Core changes

Apple Extensible SSO support for Chrome on macOS

Chrome 135 on macOS will enable seamless authentication for identity providers that are enabled via an OS-configured Enterprise Single Sign On (SSO) extension. For this initial release, it will allow end users on managed browsers to sign in to any Microsoft Entra-authenticated resources without the need to enter any credentials. Extensible SSO needs to be pre-configured in your environment and deployed with its respective enterprise device management solution. Additional identity providers might be supported in the near future.
- As early as Chrome 135 on macOS

Isolated Web Apps

Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering, which is necessary for developers of security-sensitive applications.

Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in Getting started with Isolated Web Apps.

In the initial release, IWAs will only be installable through a policy on enterprise-managed ChromeOS devices.
- Chrome 140 on Windows
  This rollout adds support for Isolated Web Apps in enterprise-managed browser configurations on Windows.

Upcoming Chrome Enterprise Premium changes

Refactor DLP rules user experience
We aim to create a more user-friendly and efficient interface for Chrome-specific DLP rules. This involves redesigning the rule creation workflow in the Admin console to better accommodate existing and upcoming security features for Chrome Enterprise Premium customers.
- Chrome 135 on Windows, macOS, Linux, ChromeOS

URL filtering on iOS and Android
We will extend the existing URL filtering capabilities from desktop to mobile platforms, providing organizations with the ability to audit, warn, or block certain URLs or categories of URLs from loading on managed Chrome browsers or managed user profiles on mobile devices. This includes ensuring the functionality works seamlessly with Context-Aware Access (CAA) which allows admins to set access policies based on user context (for example, user role, location) and device state (for example, managed device, security compliance).
- Chrome 137 on Android, iOS

Reporting connector for mobile
We are working towards feature parity with the desktop version, enabling organizations to monitor and respond to security events on mobile devices, such as unsafe site visits and potential data exfiltration attempts. This helps ensure consistent security and policy enforcement across different platforms.
- Chrome 136 on Android
- Chrome 137 on iOS

Connectors API
We plan to simplify the setup process for third-party security connectors and enable providers to manage configurations directly from their own UI. This aims to make it easier for organizations to integrate their preferred security tools and services with Chrome, enhancing security and management across different platforms.
- Chrome 137 on Windows, macOS, Linux, ChromeOS

↑ back to top

ChromeOS 134 release summary

ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Isolated Web Apps in ChromeOS kiosk mode		✓
Migrate data for graduating students		✓	✓
Slow Keys		✓	✓
GIFs with Quick Insert		✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
ChromeOS policy for battery longevity			✓
Kiosk Heartbeat change			✓
Event-based device log collection for troubleshooting			✓
AI wallpapers and backgrounds		✓
Deprecating Chrome Apps support on ChromeOS			✓

DOWNLOAD Release notes (PDF)

↑ back to top

ChromeOS updates

Isolated Web Apps in ChromeOS kiosk mode

In ChromeOS 134, ChromeOS kiosk mode supports Isolated Web Apps, a more secure and versatile app solution with access to deep system integrations and powerful capabilities. Administrators can configure IWAs for kiosk and digital signage deployments on Chrome Enterprise⁠ managed devices through the Admin console⁠.

Migrate data for graduating students

As early as March 2025, the new content transfer tool will guide graduating students or other EDU-managed users who want to migrate their data through an updated data transfer process. This will allow them to take their Docs, Sheets, Slides, and Gmail content to a Gmail account of their choice.

This new application allows school administrators to pin an icon to the shelf, notify students and faculty on their Chromebooks, and set dates to trigger these nudges to encourage them to use content transfer.

For more details, see our article describing how to Allow data transfer in schools in the Chrome Enterprise and Education Help Center.

Slow Keys

Slow Keys is an accessibility feature designed to assist individuals with limited dexterity in typing more accurately. This feature is particularly helpful for those who have conditions such as tremors, arthritis, or numbness in their fingertips, which can make it difficult to press keys with precision.

Slow Keys works by introducing a delay, requiring keys to be held down for a set amount of time before they are registered. This will prevent unintended keystrokes from being pressed.

GIFs with Quick Insert

Quick Insert will soon support direct GIF insertion! Quickly add GIFs to your messages and documents without leaving the Quick Insert menu. For more details, see Use Quick Insert to add & create content.

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming ChromeOS changes

ChromeOS policy for battery longevity

ChromeOS 135 introduces a new battery charge limit policy, DevicePowerBatteryChargingOptimization , which offers more optimization options. Battery charging optimization helps extend the lifespan of Chromebooks.

Administrators can still set a maximum charge limit, with 100% as the default, to minimize battery degradation and improve long-term reliability.

The new policy benefits both administrators managing fleets of devices, such as in educational settings, and individual users seeking to maximize their Chromebook's longevity. This policy automatically applies and requires no user interaction.

Kiosk Heartbeat change

Last summer, we sent out an MSA to inform the customer about a migration of the Kiosk Heartbeat API that ultimately needs an update to ChromeOS 126.

If your organization is running a version older than ChromeOS 126, you need to update your device fleet. This kiosk heartbeat change requires an update to ChromeOS 126 or ChromeOS LTS 126 or to update to the current stable ChromeOS release.
- What do you need to do?
  Please ensure you have activated (value: 0) DeviceChromeVariation for your organization until all devices have been updated to ChromeOS LTS 132. Once all devices are on ChromeOS LTS 132, DeviceChromeVariation is not needed anymore and can be changed to any value.
- What happens when DeviceChromeVariation is deactivated?
  Devices on LTS versions older than ChromeOS LTS 132 will keep using the old Kiosk Heartbeat infrastructure until April 7th, 2025.
Starting April 8th, 2025, all devices on LTS versions older than ChromeOS LTS 132 will stop sending device heartbeats. For more information, see Monitor kiosk health.

Event-based device log collection for troubleshooting (Admin console)

As early as ChromeOS 135, to help troubleshoot device issues (like crashes or failed OS updates), our system will automatically be able to collect and upload device logs. This will happen when these specific settings are turned on:
- Enable device system log upload: turns on the overall log collection
- Report device OS information -> OS update status: collects data about OS updates
- Report device telemetry -> Crash information : gathers fatal crash information
When a problem occurs, IT admins will see a notification with a direct link to the uploaded logs on the ChromeOS device's details page in the Admin console. You can also see a history of device events. Log uploads happen a maximum of two times a day, and each file is typically 400KB to 1MB in size.

For more details, see these articles in the Chrome Enterprise and Education Help Center:
- Remote log collection for ChromeOS devices
- View ChromeOS device list and details

AI wallpapers and backgrounds

As early as ChromeOS 136, we plan to introduce high-resolution, generative AI wallpapers and video call backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.

Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings. This feature will be available on Chromebook Plus devices only.

Deprecating Chrome Apps support on ChromeOS

In 2016, we announced the deprecation of Chrome Apps in favor of web apps, and in 2021, we announced on the Chromium Blog that support for Chrome Apps for ChromeOS Enterprise and Education customers and developers on ChromeOS would be extended until at least January 2025. With the majority of our customers having migrated off of Chrome Apps (including Legacy (v1) packaged apps and Hosted apps), we can confirm the following updates about Chrome Apps discontinuation dates.
- July 2025: End of support for user-installed Chrome Apps (scheduled for ChromeOS M139).
  - Chrome Apps that are force-installed through the admin console will continue to be supported.
- July 2026: Last ChromeOS release with support for Chrome Apps in Kiosk Mode (scheduled for ChromeOS M150).
  - Devices on the LTS channel with Chrome Apps in Kiosk Mode will receive support until April 2027.
- February 2028: Last ChromeOS release with support for Chrome Apps (scheduled for ChromeOS M168), marking the end of life for all Chrome Apps.
  - Devices on the LTS channel can continue to use Chrome Apps until October 2028.
  - No exceptions will be granted.
These deprecation timelines also apply to self-hosted Chrome Apps.

While no new Chrome Apps can be added to the Chrome Web Store, existing Chrome Apps can continue to be updated through October 2028 when they will reach end of life on ChromeOS. After this date, Chrome Apps will be removed from the Chrome Web Store.

If your organization has developed in-house Chrome Apps and you need assistance, please refer to Transition from Chrome Apps guide. You can also join us in the ChromeOS developer community on Discord, or reach out to us through the form at https://chromeos.dev/work-with-us. Refer to the ChromeOS release schedule for release dates and updates.

In the coming weeks, additional detailed information will be sent to all remaining Chrome App developers and all ChromeOS Administrators.

↑ back to top

Chrome 133

Chrome 133 release summary

Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Search with Google Lens on Desktop and iOS		✓
Ad-hoc code signatures for PWA shims on macOS		✓
Chrome Sync stops support for Chrome versions more than four years old		✓
New option in HttpsOnlyMode policy	✓		✓
Tab freezing on Energy saver		✓
V8 security setting on Android	✓
Chrome Welcome page no longer triggered using initial_preferences	✓
Support for non-special scheme URLs	✓
New policies in Chrome browser			✓
Removed policies in Chrome browser			✓
Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
DownloadRestrictions policy support on iOS	✓
Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
No updates in Chrome 133.
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Privacy and security panel in Chrome DevTools	✓	✓
Read aloud in Reading mode in Chrome 134		✓
Highlight settings for AI features disabled by policy	✓
Blob URL Partitioning: Fetching/Navigation	✓
Create service worker client and inherit service worker controller for srcdoc iframe	✓
Fire error event instead of throwing exception for CSP blocked worker	✓
Remove nonstandard getUserMedia audio constraints	✓
Deprecate mutation events		✓
Cross-device synchronization of Chrome settings and themes on Desktop at sign-in	✓
Disallow spaces in non-file:// URL hosts	✓
Remove ThirdPartyBlockingEnabled policy			✓
Deprecate getters of Intl Locale Info API	✓
Remove SwiftShader fallback	✓
UI Automation accessibility framework provider on Windows		✓
SafeBrowsing API v4 to v5 migration	✓
Upcoming Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
New Chrome Enterprise Companion		✓	✓
Upcoming Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
Refactor DLP rules user experience	✓
Screenshot prevention	✓
URL filtering on iOS/Android	✓
Reporting connector for mobile	✓
Connectors API	✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser changes

Search with Google Lens on Desktop and iOS
Admins can control all elements of this feature through a policy called LensOverlaySettings. To perform the search, a screenshot of the screen is sent to Google servers but it is not linked to any IDs or accounts, it is not viewed by any human, and data about its contents is not logged. To contextualize the search to the document or website the user is viewing, the PDF bytes or website HTML is sent to Google servers but is not linked to any IDs or accounts, not viewable by any human, and the data or data generated about its contents is not logged.

Desktop

Since Chrome 126, users can search any images or text they see on their Desktop screen with Google Lens. To use this feature, go to a website and click the Google Lens chip on the on-focus omnibox or by right-clicking on an image and selecting Search with Google Lens. Users can select anywhere on the screen to search its contents, and refine their search by adding questions to the search box. Starting in Chrome 132, users can also ask questions about entire web pages or PDF documents and answers will reference their current document and the web. To use this feature, invoke Search with Google Lens as described above and enter queries into the search box on the top right corner of the Chrome window. A side panel will open on the right side of the browser window with search results.

iOS

Since Chrome 131, users can search any images or text they see on their iOS Chrome screen with Google Lens. To use this feature, go to a website and click on the 3-dot menu > Search with Google Lens. Users can click, highlight, or drag anywhere on the screen to search its contents, and refine their search by adding keywords or questions to the search box.

Rollout details:
- Chrome 126 on ChromeOS, Linux, mac, Windows: Rollout of the feature at 1% Stable
- Chrome 127 on ChromeOS, Linux, mac, Windows: Rollout to 100% Stable
- Chrome 131 on iOS: Rollout of the feature at 1% Stable
- Chrome 132 on ChromeOS, Linux, mac, Windows: Rollout of the expanded feature at 1% Stable
- Chrome 133 on iOS: Rollout to 100% Stable

Ad-hoc code signatures for PWA shims on macOS
Code signatures for the application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures that are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures result in each PWA shim having a unique identity to macOS, where previously every PWA looked like the same application to macOS.

This update addresses problems when attempting to include multiple PWAs in the Open at Login preference pane on macOS, and permits future improvements to handling of user notifications within PWAs on macOS.

Admins should test for compatibility with any endpoint security or binary authorization tools they use (such as Santa). The feature can be enabled for this testing using chrome://flags/#use-adhoc-signing-for-web-app-shims. They can then install a Progressive Web App and ensure that it launches as expected.

If there is an incompatibility between the feature and their current security policies, the AdHocCodeSigningForPWAsEnabled policy can be used to disable the feature while they deploy an updated endpoint security policy. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated, at which point it should be unset.
- Chrome 129 on macOS
  Feature disabled behind a flag (chrome://flags/#use-adhoc-signing-for-web-app-shims) so that enterprises can test for compatibility with their endpoint security tools, such as Santa. If it is not currently compatible they can disable the feature via the enterprise policy while they update their endpoint security configurations. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated.
- Chrome 133 on macOS
  Feature will begin to roll out to stable 100%.

Chrome Sync stops support for Chrome versions more than four years old
Starting in February 2025, Chrome Sync (using and saving data in your Google Account) no longer supports Chrome versions that are more than four years old. To continue using Chrome Sync, you need to upgrade to a more recent version of Chrome. To read more, see this discussion: Chrome Sync will be sunset on versions of Chrome that are more than four years old.
- Chrome 133 on Android, iOS, ChromeOS, Linux, macOS, Windows
  This change affects only the old versions of Chrome and will be rolled out server-side. Chrome 133 is specified only to reflect the timeline when the change will take effect.

New option in HttpsOnlyMode policy
Ask Before HTTP (ABH), previously named HTTPS Only/First Modes, allows Chrome to ask for user consent before sending insecure HTTP content over the wire. The HttpsOnlyMode policy allows force-enabling, or force-disabling, ABH.

In Chrome 129, we added a new middle-ground variant of ABH called "balanced mode". This variant aims to reduce user inconvenience by working like (strict) ABH most of the time, but not asking when Chrome knows that an HTTPS connection isn't possible (such as when connecting to a single-label hostname like internal/).

We are adding a force_balanced_enabled policy option to allow force-enabling this new variant. Setting force_balanced_enabled on browsers before Chrome 129 will result in the default behavior, which places no enterprise restrictions on the ABH setting.

To avoid unexpected impact, if you have previously set force_enabled, we recommend not setting force_balanced_enabled until your entire fleet has upgraded to Chrome 129 or higher. If you are not migrating from force_enabled to force_balanced_enabled, you will be unaffected by this change.
- Chrome 129 on ChromeOS, Linux, macOS, Windows, Fuchsia
- Chrome 133 on Android

Tab freezing on Energy saver
When Energy saver is active, Chrome freezes a tab that has been hidden and silent for >5 minutes and uses a lot of CPU, unless:
- The tab provides audio- or video- conferencing functionality (detected via microphone, camera or screen/window/tab capture, or an RTCPeerConnection with an open RTCDataChannel or a live MediaStreamTrack).
- The tab controls an external device (detected via usage of Web USB, Web Bluetooth, Web HID or Web Serial).
This will extend battery life and speed up Chrome through reduced CPU usage.
The feature can be tested using a flag, chrome://flags/#freezing-on-energy-saver. Alternatively, it can be tested with chrome://flags/#freezing-on-energy-saver-testing, which simulates Energy saver being active and all tabs using a lot of CPU; this allows you to verify whether tabs are eligible for freezing and would be frozen if using a lot of CPU.
- Chrome 133 on ChromeOS, Linux, macOS, Windows
  The feature will start rolling out to 1% of stable in Chrome 133.
  Energy saver availability can be controlled via the BatterySaverModeAvailability policy (this change has no effect when Energy saver is inactive).

V8 security setting on Android
V8 is Chrome’s JavaScript and WebAssembly engine used to improve site performance. To reduce the attack surface of Chrome, Chrome 133 on Android now includes a new setting on chrome://settings/security to disable the V8 Just-in-Time (JIT) optimizers. This maintains compatibility with Web Assembly. Admins can continue to control this feature using the DefaultJavaScriptJitSetting enterprise policy, and the associated JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies.
- Chrome 122 on ChromeOS, Linux, macOS, Windows, Fuchsia
  The setting rolls out in Chrome 121. The enterprise policies have been available since Chrome 93.
- Chrome 133 on Android
  The setting is available on Android in Chrome 133, under Site Settings. The enterprise policies are no longer marked experimental.

Chrome Welcome page no longer triggered using initial_preferences
We have removed the Chrome Welcome page from initial_preferences because that page is redundant with the First Run Experience that triggers on desktop platforms. Including chrome://welcome in the first_run_tabs property of the initial_preferences file now has no effect.

For more details about the context of the initial_preferences file, see Configuring Other Preferences.
- Chrome 133 on Windows, macOS, Linux

Support for non-special scheme URLs
Since Chrome 130, Chrome browser supports non-special scheme URLs, for example, git://example.com/path. Previously, the Chromium URL parser didn't support non-special URLs. The parser parses non-special URLs as if they had an opaque path, which is not aligned with the URL standard. In Chrome 133, the Chromium URL parser parses non-special URLs correctly, following the URL standard. For more details, see http://bit.ly/url-non-special.
- Chrome 130 on Windows, macOS, Linux, Android
- Chrome 133 on Windows, macOS, Linux, Android
- Chrome 134 on Windows, macOS, Linux, Android: Feature flag being removed

New policies in Chrome browser

Policy	Description
LiveTranslateEnabled	Enable translation of live captions. Captions will be sent to Google for translation.
WebRtcIPHandling	This policy allows restricting which IP addresses and interfaces WebRTC uses when attempting to find the best available connection.
DefaultJavaScriptOptimizerSetting	Allows you to set whether Chrome browser will run the v8 JavaScript engine with more advanced JavaScript optimizations enabled.
JavaScriptOptimizerBlockedForSites	Allows you to set a list of site URL patterns that specify sites for which advanced JavaScript optimizations are disabled.
JavaScriptOptimizerAllowedForSites	Allows you to set a list of site URL patterns that specify sites for which advanced JavaScript optimizations are enabled.
SafeBrowsingAllowlistDomains	Setting the policy to Enabled means Safe Browsing will trust the domains you designate.
FilePickerChooseFromDriveSettings	Allow choosing files directly from Google Drive.

Removed policies in Chrome browser

Policy	Description
CSSCustomStateDeprecatedSyntaxEnabled	Controls whether the deprecated syntax for CSS custom state is enabled.

Chrome Enterprise Core changes

DownloadRestrictions policy support on iOS
DownloadRestrictions is a universal policy available to Chrome Enterprise Core users on Desktop platforms and on Android. DownloadRestrictions policy is now supported on iOS. This will allow admins to block all downloads on mobile Chrome on iOS.
- Chrome 133 on iOS

Chrome Enterprise Premium changes

There are no updates to Chrome Enterprise Premium in Chrome 133.

Read more about the differences between Chrome Enterprise Core and Chrome Enterprise Premium.

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

Privacy and security panel in Chrome DevTools
Starting in Chrome 134, developers will be able to use the new Privacy and security panel in Chrome DevTools to test how their site will behave when third-party cookies are limited. Developers will be able to temporarily limit third-party cookies, observe how their site behaves, and review the status of third-party cookies on their site.

This feature will not make any permanent changes to existing enterprise policies, but it will let third-party cookie related enterprise policies (that is, BlockThirdPartyCookies and CookiesAllowedForUrls) be temporarily overridden to be more restrictive. If your enterprise policy already blocks third-party cookies using BlockThirdPartyCookies, this feature will be disabled.

The new Privacy & security panel will replace the existing Security panel. TLS connection and certificate information will continue to be available on the Security tab in the Privacy & security panel.
- Chrome 134 on ChromeOS, Linux, macOS, Windows

Read aloud in Reading mode in Chrome 134
Reading mode is a side-panel feature that provides a simplified view of text-dense web pages. Reading mode will include a Read aloud feature that will allow users to hear the text they are reading spoken out loud. You can choose different natural voices and speeds, and see visual highlights.
- Chrome 134 on Linux, macOS, Windows

Highlight settings for AI features disabled by policy
In Chrome settings, we will list AI features that are disabled by enterprise policy. We will also show a Disabled by your organization notice similar to other settings when they are disabled by policy.
- Chrome 134 on ChromeOS, Linux, macOS, Windows

Blob URL Partitioning: Fetching/Navigation
As a continuation of Storage Partitioning, Chromium will implement partitioning of Blob URL access by Storage Key (top-level site, frame origin, and the has-cross-site-ancestor boolean), with the exception of top-level navigations which will remain partitioned only by frame origin. This behavior is similar to what’s currently implemented by both Firefox and Safari, and aligns Blob URL usage with the partitioning scheme used by other storage APIs as part of Storage Partitioning. In addition, Chromium will enforce noopener on renderer-initiated top-level navigations to Blob URLs where the corresponding site is cross-site to the top-level site performing the navigation. This aligns Chromium with similar behavior in Safari, and the relevant specs have been updated to reflect these changes.

This change can be temporarily reverted by setting the PartitionedBlobURLUsage policy. The policy will be deprecated when the other storage partitioning related enterprise policies are deprecated.
- Chrome 134 on Windows, macOS, Linux

Create service worker client and inherit service worker controller for srcdoc iframe
Srcdoc context documents are currently not service worker clients and are not covered by their parent page’s service worker. This results in some discrepancies (for example, Resource Timing reports the URLs that these documents load, but the service worker doesn’t intercept them). We aim to fix the discrepancies by creating service worker clients for srcdoc iframes and make them inherit the parent page's service worker controller.
- Chrome 134 on Windows, macOS, Linux, Android

Fire error event instead of throwing exception for CSP blocked worker
When blocked by the Content Security Policy (CSP), Chromium currently throws a SecurityError exception from the "new Worker(url)" or "new SharedWorker(url)" constructors. According to the CSP specification, the CSP check is performed as part of a fetch and an error event should fire after the object is returned. This update aims to make Chromium spec-conformant, by not throwing an exception from the constructor but instead firing an error event asynchronously.
- Chrome 134 on Windows, macOS, Linux, Android

Remove nonstandard getUserMedia audio constraints
Blink supports a number of nonstandard goog-prefixed constraints for getUserMedia from some time before constraints were properly standardized.

Usage has gone down significantly ~0.000001% to 0.0009% (depending on the constraint) and some of them do not even have an effect due to changes in the Chromium audio-capture stack. Soon none of them will have any effect due to other upcoming changes.

We do not expect any major regressions due to this change. Applications using these constraints will continue to work, but will get audio with default settings (as if no constraints were passed). They can easily migrate to standard constraints.
- Chrome 134 on Windows, macOS, Linux, Android

Deprecate mutation events
Synchronous mutation events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer.

Since Chrome 124, a temporary enterprise policy, MutationEventsEnabled, is available to re-enable deprecated or removed mutation events. To read more, see this blog post. If you encounter any issues, file a bug here.

Mutation event support is disabled by default, since Chrome 127, or around July 30, 2024. Code should have been migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used up until Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
- Chrome 135 on Android, Linux, macOS, Windows: The MutationEventsEnabled enterprise policy will be deprecated.

Cross-device synchronization of Chrome settings and themes on Desktop at sign-in
Following the launch of the new identity model on Chrome Desktop, we plan to enable account settings, themes and site shortcuts to users at sign-in (rather than needing to sync).

To do this, we will introduce local and account storage for each of these data types.

This means:
- For Chrome users on Desktop who sign in to Chrome or who have Sync enabled, settings, site shortcuts and themes synced to their Google Account will be kept separate from the local ones, that is, settings from when they’re signed out or when Sync is turned off.
- This allows for strictly less data sharing than previously: local settings don’t get automatically uploaded when users sign in or turn on Sync, and no settings from their account storage are left behind on the device when Sync is turned off.
- Existing Chrome policies SyncDisabled and SyncTypesListDisabled will continue to apply so admins can restrict or disable the Sync feature if they want to.
- Chrome 135 on Linux, MacOS, Windows

Disallow spaces in non-file:// URL host
As stated in the WhatWG.org spec, URL hosts cannot contain the space character, but currently URL parsing in Chromium allows spaces in the host.

This causes Chromium to fail several tests included in the Interop2024 'HTTPS URLs for WebSocket' and URL focus areas.

To bring Chromium into spec compliance, we would like to remove spaces from URL hosts altogether, but a difficulty with this is that they are used in the host part in Windows file:// URLs. To read more, see the discussion on Github.

This feature will be part of the ongoing work to bring Chromium closer to spec compliance by forbidding spaces for non-file URLs only.
- Chrome 135 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia

Remove ThirdPartyBlockingEnabled policy
Due to unexpected issues, ThirdPartyBlockingEnabled will be removed in Chrome 135. If you have feedback about this removal, please file a bug here.
- Chrome 132 on Windows
  Deprecation of ThirdPartyBlockingEnabled policy
- Chrome 135 on Windows
  Removal of ThirdPartyBlockingEnabled policy

Deprecate getters of Intl Locale Info API
Intl Locale Info API is a Stage 3 ECMAScript TC39 proposal to enhance the Intl.Locale object by exposing locale information, such as week data (first day in a week, weekend start day, weekend end day, minimum day in the first week), and text direction hour cycle used in the locale.

We shipped our implementation in Chrome 99 but later on the proposal made some changes in Stage 3 and moved several getters to functions. We need to remove the deprecated getters and relaunch the renamed functions.
- Chrome 135 on Windows, macOS, Linux, Android

Remove SwiftShader fallback
Allowing automatic fallback to WebGL backed by SwiftShader is deprecated and WebGL context creation will fail instead of falling back to SwiftShader. This was done for two primary reasons:
1. SwiftShader is a high security risk due to JIT-ed code running in Chromium's GPU process.
2. Users have a poor experience when falling back from a high-performance GPU-backed WebGL to a CPU-backed implementation. Users have no control over this behavior and it is difficult to describe in bug reports.
SwiftShader is a useful tool for web developers to test their sites on systems that are headless or do not have a supported GPU. This use case will still be supported by opting in but is not intended for running untrusted content.

To opt-in to lower security guarantees and allow SwiftShader for WebGL, run the chrome executable with the --enable-unsafe-swiftshader command-line switch.

During the deprecation period, a warning will appear in the JavaScript console when a WebGL context is created and backed with SwiftShader. Passing --enable-unsafe-swiftshader will remove this warning message.

Chromium and other browsers do not guarantee WebGL availability. You can test and handle WebGL context creation failure and fall back to other web APIs such as Canvas2D or an appropriate message to the user.
- Chrome 135 on Windows, macOS, Linux, Android

SafeBrowsing API v4 to v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5.

If admins have any v4-specific URL allowlisting to allow network requests to https://safebrowsing.googleapis.com/v4*, these should be modified to allow network requests to the whole domain instead: safebrowsing.googleapis.com. Otherwise, rejected network requests to the v5 API will cause security regressions for users.
- Chrome 135 on Android, iOS, ChromeOS, Linux, macOS, Windows
This will be a gradual roll-out.

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome started directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Admins might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that admins can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise admins may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.
Upcoming Chrome Enterprise Core changes
- New Chrome Enterprise Companion App
  
  Chrome Enterprise Companion App is a new administrative binary that will be automatically installed with Chrome browsers enrolled into Chrome Enterprise Core or Chrome Enterprise Premium. It is meant to support Enterprise use cases, policies, and reporting.
  - Chrome 134 on Windows, macOS

Upcoming Chrome Enterprise Premium changes

Refactor DLP rules UX
We aim to create a more user-friendly and efficient interface for Chrome-specific DLP rules. This involves redesigning the rule creation workflow in the Admin console to better accommodate existing and upcoming security features for Chrome Enterprise Premium customers.
- Chrome 134 on Windows, macOS, Linux, ChromeOS

Screenshot prevention
We plan to enhance the existing screenshot prevention feature by extending screen-sharing blocking to meeting apps like Google Meet, Zoom, Teams, and Slack. We will build upon the successful release of data protection controls by adding key features and addressing gaps and user feedback.
- Chrome 134 on Windows, macOS

URL filtering on iOS and Android
We will extend the existing URL filtering capabilities from desktop to mobile platforms, providing organizations with the ability to audit, warn, or block certain URLs or categories of URLs from loading on managed Chrome browsers or managed user profiles on mobile devices. This includes ensuring the functionality works seamlessly with Context-Aware Access (CAA) which allows admins to set access policies based on user context (for example, user role, location) and device state (for example, managed device, security compliance).
- Chrome 135 on Android, iOS

Reporting connector for mobile
We are working towards feature parity with the desktop version, enabling organizations to monitor and respond to security events on mobile devices, such as unsafe site visits and potential data exfiltration attempts. This helps ensure consistent security and policy enforcement across different platforms.
- Chrome 135 on Android, iOS

Connectors API
We plan to simplify the setup process for third-party security connectors and enable providers to manage configurations directly from their own UI. This aims to make it easier for organizations to integrate their preferred security tools and services with Chrome, enhancing security and management across different platforms.
- Chrome 135 on Windows, macOS, Linux, ChromeOS

↑ back to top

ChromeOS 133 release summary

ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Enhanced Office file handling for managed users		✓	✓
Make cloud storage the sole data storage option on ChromeOS devices	✓		✓
Bounce Keys on ChromeOS		✓
Enhanced Welcome Tour		✓
ChromeOS policy for keyboard languages		✓	✓
Screencast language update		✓
New toggle for Bluetooth mic super resolution		✓
ChromeOS LTS 132 release candidate			✓
Kiosk health monitoring			✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Kiosk Heartbeat change			✓
Isolated Web Apps in ChromeOS kiosk mode		✓
Migrate data for graduating students			✓
ChromeOS policy for battery longevity			✓
Slow Keys		✓	✓
GIFs with Quick Insert		✓
AI wallpapers and backgrounds		✓
Deprecating Chrome Apps support on ChromeOS		✓	✓

DOWNLOAD Release notes (PDF)

↑ back to top

ChromeOS updates

Enhanced Office file handling for managed users

Starting from ChromeOS 133, managed users can now seamlessly open and edit their Microsoft Office files (Word, PowerPoint, Excel), regardless of whether they use Office for the web in Microsoft 365 or Google Workspace.

Organizations using Office for the web benefit from OneDrive integration into the Files app, Microsoft 365 PWA system integrations for a desktop-like experience, SSO for all required applications, and advanced policy controls for preconfiguration.

For Google Workspace customers, the transition of local files to Google Workspace is optimized.

For more information, see Set up Office file handling for managed users in the Chrome Enterprise and Education Help Center.

New policies for Microsoft Office file handling include:

Make cloud storage the sole data storage option on ChromeOS devices

ChromeOS 133 introduces a true cloud-first experience, allowing admins to ensure that all files are stored on either Google Workspace or Microsoft OneDrive by blocking local storage. This feature prevents data loss, reduces security risks, supports legal hold requirements, and is particularly beneficial for shared devices.

For more information, see Use cloud storage as sole storage option on ChromeOS devices in the Chrome Enterprise and Education Help Center.

New policies for cloud storage include:
- LocalUserFilesAllowed
- LocalUserFilesMigrationDestination
- DownloadDirectory (OneDrive support)
- ScreenCaptureLocation

Bounce Keys on ChromeOS

Bounce Keys is an accessibility feature designed to make computer use easier for individuals with limited dexterity or tremors. It works by ignoring repeated keystrokes within a short time interval, which you can customize to fit your needs. This prevents unintended characters being entered due to unintentional key presses.

Enhanced Welcome Tour

New ChromeOS users are now greeted with a Welcome Tour immediately after device setup. Welcome Tour provides an interactive way for users to learn the basics and to get up and running on their new Chromebook quickly.

New ChromeOS policy for keyboard languages

As early as ChromeOS 133, a new AllowedInputMethodsForceEnabled policy allows administrators to automatically install keyboard languages previously set by AllowedInputMethods. The user can not add new or remove selected keyboard languages when the policy is set.

Screencast language update

Screencast now supports over 50 languages. To use Screencast, press the Launcher icon and search for Screencast. You can find the list of languages in the Help Center article: Use the Screencast app to record and share on your ChromeOS devices.

New toggle for Bluetooth mic Super Resolution

ChromeOS 133 adds a toggle to control Bluetooth mic Super Resolution. The toggle is added in the audio setting page and is only visible when the feature is supported and the selected input device is a Bluetooth headset.

ChromeOS LTS 132

ChromeOS LTS 132 release candidate is now available. For details, see ChromeOS Long-term Support (LTS) release notes.

Health monitoring for Kiosk devices

ChromeOS 133 improves status update latency for health monitoring for Kiosk devices. Under ideal conditions, status updates for Kiosk devices are now reported in about a minute. Offline status should now be sent or updated within 11 minutes. For more information, see Monitor kiosk health in the Chrome Enterprise and Education Help Center.

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming ChromeOS changes

Kiosk Heartbeat change

Last summer, we sent out an MSA to inform the customer about a migration of the Kiosk Heartbeat API that ultimately needs an update to ChromeOS 126.

If your organization is running a version older than ChromeOS 126, you need to update your device fleet. This kiosk heartbeat change requires an update to ChromeOS 126 or ChromeOS LTS 126 or to update to the current stable ChromeOS release.
- What do you need to do?
Please ensure you have activated (value: 0) DeviceChromeVariation for your organization until all devices have been updated to LTS132.

Once all devices are on LTS132, DeviceChromeVariation is not needed anymore and can be changed to any value.
- What happens when DeviceChromeVariation is deactivated?
Devices on LTS versions older than LTS132 will keep using the old Kiosk Heartbeat infrastructure until April 7th, 2025.

Starting April 8th, 2025, all devices on LTS versions older than ChromeOS LTS 132 will stop sending device heartbeats.

Isolated Web Apps in ChromeOS kiosk mode

In ChromeOS 134, ChromeOS kiosk mode will support Isolated Web Apps, a more secure and versatile app solution with access to deep system integrations and powerful capabilities. Administrators will be able to configure IWAs for kiosk and digital signage deployments on Chrome Enterprise⁠ managed devices through the Admin console⁠.

Migrate data for graduating students

As early as March 2025, the new content transfer tool will guide graduating students or other EDU-managed users who want to migrate their data through the updated Google Takeout transfer process. This will allow them to take their Docs, Sheets, Slides, and Gmail content to a Gmail account of their choice.

This new application allows school administrators to pin an icon to the shelf, notify students and faculty on their Chromebooks, and set dates to trigger these nudges to encourage them to use content transfer.

New ChromeOS policy for battery longevity

In ChromeOS 134, we will introduce a new battery charge limit policy that will offer more optimization options, which will help extend the lifespan of Chromebooks. Administrators will still be able to set a maximum charge limit, with 100% as the default, to minimize battery degradation and improve long-term reliability. This new policy will benefit both administrators managing fleets of devices, such as in educational settings, and individual users seeking to maximize their Chromebook's longevity. This policy will automatically apply and will require no user interaction.

Slow Keys

Slow Keys is an accessibility feature designed to assist individuals with limited dexterity in typing more accurately. This feature is particularly helpful for those who have conditions such as tremors, arthritis, or numbness in their fingertips, which can make it difficult to press keys with precision. Slow Keys will work by introducing a delay, requiring keys to be held down for a set amount of time before they are registered. This will prevent unintended keystrokes from being pressed.

GIFs with Quick Insert

Quick Insert will soon support direct GIF insertion! Quickly add GIFs to your messages and documents without leaving the Quick Insert menu. For more details, see Use Quick Insert to add & create content.

AI wallpapers and backgrounds

As early as ChromeOS 135, we plan to introduce high-resolution, generative AI wallpapers and video call backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.

Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings. This feature will be available on Chromebook Plus devices only.

Deprecating Chrome Apps support on ChromeOS

In 2016, we announced the deprecation of Chrome Apps in favor of web apps, and in 2021, we announced on the Chromium Blog that support for Chrome Apps for ChromeOS Enterprise and Education customers and developers on ChromeOS would be extended until at least January 2025. With the majority of our customers having migrated off of Chrome Apps (including Legacy (v1) packaged apps and Hosted apps), we can confirm the following updates about Chrome Apps discontinuation dates.
- July 2025: End of support for user-installed Chrome Apps (scheduled for ChromeOS M138).
  - Chrome Apps that are force-installed through the Admin console will continue to be supported.
- July 2026: Last ChromeOS release with support for Chrome Apps in Kiosk Mode (scheduled for ChromeOS M150).
  - Devices on the LTS channel with Chrome Apps in Kiosk Mode will receive support until April 2027.
- February 2028: Last ChromeOS release with support for Chrome Apps (scheduled for ChromeOS M168), marking the end of life for all Chrome Apps.
  - Devices on the LTS channel can continue to use Chrome Apps until October 2028.
  - No exceptions will be granted.
These deprecation timelines also apply to self-hosted Chrome Apps.

While no new Chrome Apps can be added to the Chrome Web Store, existing Chrome Apps can continue to be updated through October 2028 when they will reach end of life on ChromeOS. After this date, Chrome Apps will be removed from the Chrome Web Store.

If your organization has developed in-house Chrome Apps and you need assistance, please refer to Transition from Chrome Apps guide. You can also join us in the ChromeOS developer community on Discord, or reach out to us through the form at https://chromeos.dev/work-with-us. Refer to the ChromeOS release schedule for release dates and updates.

In the coming weeks, additional detailed information will be sent to all remaining Chrome App developers and all ChromeOS Administrators.

↑ back to top

Chrome 132

Chrome 132 release summary

Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Search with Google Lens		✓
Network Service sandboxed on Windows	✓
Ad-hoc code signatures for Progressive Web App shims on macOS		✓
Batch upload		✓
Connectors Disclaimer workflow updates	✓
DownloadRestrictions is stricter on file type restrictions	✓
Updates to desktop identity model		✓
HTTPS-First Mode for Typically Secure Users	✓
Passkeys on iOS	✓	✓
Password Leak Toggle Move	✓
Removal of old Headless from the Chrome binary		✓
Remove ThirdPartyBlockingEnabled policy			✓
Remove enterprise policy used for legacy same site behavior			✓
Support non-special scheme URLs	✓
Translate for Search with Google Lens		✓
User Link capturing on PWAs		✓	✓
Keyboard-focusable scroll containers		✓
Remove prefixed HTMLVideoElement fullscreen APIs		✓
Throw exception for popovers or dialogs in non-active documents		✓
New policies in Chrome browser			✓
Removed policies in Chrome browser			✓
Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
Customized Chrome Web Store for enterprises		✓	✓
New Chrome user management capabilities in the Admin console			✓
Copy Source conditions in Chrome DLP Paste rule	✓
Generating insights for Chrome DevTools Console warnings and errors			✓
Professional Chrome Enterprise Administrator certification			✓
Server Root Certificates for Chrome Enterprise	✓		✓
Legacy Technology Report			✓
Recommended policies (user can override a policy value)		✓	✓
Updated Managed browser list: Most Recent Google Update Activity			✓
Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
File Download Encryption for DLP Rules	✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Disallow spaces in non-file:// URL hosts	✓
Read aloud in Reading mode in Chrome 133		✓
Tab freezing on Energy saver		✓
Deprecate getters of Intl Locale Info	✓
Popover invoker and anchor positioning improvements		✓
Remove Chrome Welcome page triggering via initial prefs first run tabs	✓
Remove nonstandard getUserMedia audio constraints	✓
Remove SwiftShader fallback	✓
Privacy & security panel in Chrome DevTools	✓	✓
Chrome Sync will stop supporting Chrome versions that are more than four years old		✓
V8 security setting	✓
New option in HttpsOnlyMode policy	✓		✓
SafeBrowsing API v4 → SafeBrowsing API v5 migration	✓
Blob URL partitioning: Fetching or Navigation	✓
SharedWorker script inherit controller for blob script URL	✓
Deprecate mutation events		✓
UI Automation accessibility framework provider on Windows		✓
Customizing managed profiles with custom logo and label		✓	✓
Upcoming Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
New Chrome Enterprise Companion App		✓	✓
Upcoming Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
Screenshot prevention V2	✓
URL filtering on iOS/Android	✓
Reporting connector for mobile	✓
Refactor DLP rules UX	✓
Connectors API	✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser changes

Search with Google Lens
In Chrome 132, we begin to roll out this enhanced feature across all platforms. Admins can control all elements of this feature through a policy called LensOverlaySettings. To perform the search, a screenshot of the screen is sent to Google servers but it is not linked to any IDs or accounts, it is not viewed by any human, and data about its contents is not logged. To contextualize the search to the document or website the user is viewing, the PDF bytes or website HTML is sent to Google servers but is not linked to any IDs or accounts, not viewable by any human, and the data or data generated about its contents is not logged.

Desktop

Since Chrome 126, users can search any images or text they see on their Desktop screen with Google Lens. To use this feature, go to a website and click the Google Lens chip on the on-focus omnibox or by right-clicking on an image and selecting Search with Google Lens. Users can select anywhere on the screen to search its contents, and refine their search by adding questions to the search box. Starting in Chrome 132, users can also ask questions about entire web pages or PDF documents and answers will reference their current document and the web. To use this feature, invoke Search with Google Lens as described above and enter queries into the search box on the top right corner of the Chrome window. A side panel will open on the right side of the browser window with search results.

iOS

Since Chrome 131, users can search any images or text they see on their iOS Chrome screen with Google Lens. To use this feature, go to a website and click on the 3-dot menu > Search with Google Lens. Users can click, highlight, or drag anywhere on the screen to search its contents, and refine their search by adding keywords or questions to the search box.

Rollout details:
- Chrome 126 on ChromeOS, Linux, macOS, Windows: Rollout of the feature at 1% Stable
- Chrome 127 on ChromeOS, Linux, macOS, Windows: Rollout to 100% Stable
- Chrome 131 on iOS: Rollout of the feature at 1% Stable
- Chrome 132 on ChromeOS, Linux, macOS, Windows: Rollout of the expanded feature at 1% Stable

Network Service sandboxed on Windows
To improve security and reliability, the network service, already running in its own process, is now sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions.

You can report any issues you encounter.
- Chrome 132 on Windows
  Network Service sandboxed on Windows

Ad-hoc code signatures for Progressive Web App shims on macOS
Code signatures for the application shims that are created when installing a Progressive Web App on macOS are changing to use ad-hoc code signatures that are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures result in each PWA app shim having a unique identity to macOS, where previously every PWA looked like the same application to macOS.

This update addresses problems when attempting to include multiple Progressive Web Applications in macOS's Open at Login preference pane, and permits future improvements to handling of user notifications within PWAs on macOS.

Admins should test for compatibility with any endpoint security or binary authorization tools they use (such as Santa). The feature can be enabled for this testing using chrome://flags/#use-adhoc-signing-for-web-app-shims. They can then install a Progressive Web App and ensure that it launches as expected.

If there is an incompatibility between the feature and their current security policies, the AdHocCodeSigningForPWAsEnabled policy can be used to disable the feature while they deploy an updated endpoint security policy. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated, at which point it should be unset.
- Chrome 129 on macOS
  Feature disabled behind a flag (chrome://flags/#use-adhoc-signing-for-web-app-shims) so that enterprises can test for compatibility with their endpoint security tools, such as Santa. If it is not currently compatible they can disable the feature via the enterprise policy while they update their endpoint security configurations. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated.
- Chrome 132 on macOS
  This feature will begin to roll out to stable, starting at 1% rollout.

Batch upload
Since Chrome 128, users have access to their passwords and addresses from their Google Account at the point of sign-in (in addition to their payment methods, which was an existing sign-in feature). These data-types have two distinct storages: local and account. With Chrome 132, we are providing users an opportunity to upload any local data they have to their Google Account. This will first be made available for passwords and addresses and will be expanded to include other data types in the future.

The SyncTypesListDisabled policy applies equally to sync and data upload. Therefore, if either passwords or addresses are disabled, they are not made available for upload in the batch uploader.
- Chrome 132 on Linux, macOS, Windows

Connectors Disclaimer workflow updates
We have made updates to our Terms of Service for Chrome Enterprise Core that includes a section on 3rd party data-sharing. These updates improve the sign-up flow for Chrome browser Enterprise connectors.
- Chrome 132 on ChromeOS, Linux, macOS, Windows

DownloadRestrictions is stricter on file type restrictions
You can control downloads within your organization using the DownloadRestrictions policy, with options to allow you select an appropriate level of file type restrictions:

0 = No special restrictions. Default.
1 = Block malicious downloads and dangerous file types.
2 = Block malicious downloads, uncommon or unwanted downloads and dangerous file types.
3 = Block all downloads.
4 = Block malicious downloads. Recommended.
Where option value = 1, this means:
- Chrome browser blocks malicious files flagged by the Safe Browsing server AND blocks all dangerous file types. Only recommended for OUs, browsers, or users that have a high tolerance for false positives.
Where option value = 2, this means:
- Chrome browser blocks malicious files flagged by the Safe Browsing server AND blocks uncommon or unwanted files flagged by the Safe Browsing server AND blocks all dangerous file types. Only recommended for OUs, browsers, or users that have a high tolerance for false positives.
Previously, the dangerous file types blocking was not being correctly applied by Chrome, and this has now been fixed. This means, however, that the policy is now much stricter on certain file types that could be dangerous to the user, like `.exe` or `.msi` files on Windows. If this induces too many false positives, you can leave the policy unset or set the policy value to 4.
- Chrome 132 on Windows

Updates to Chrome Identity model on desktop
Instead of having to set up Chrome sync on your device, you can now simply sign in to Chrome to access and save items to your Google Account. This new identity model on Desktop also includes an explicit sign-in to Chrome from a web sign-in.

Signing into the web (using Gmail) prompts users to sign-in to Chrome. If they decline, they won’t be signed-in to Chrome, only to the web.
- If they accept, profile management (user-based policies), payments (already available today), passwords, addresses, bookmarks*, extensions*, search engine prefs*, themes* and PWAs* will be enabled.
- If they decline, Chrome can still use the sign-in credentials to facilitate a one-click sign-in to Chrome.
- Synchronizing history, Open tabs and tab groups still exist behind a separate opt-in for now.
- Invalidated credentials (e.g. signing out of the web or remote sign-out) will put Chrome in a ‘pending’ state, previously ‘sync paused’. Autofill data will not be available from the user’s Google Account. Users in this state will be prompted to “Verify it’s you” in the Chrome toolbar.
*These data types will be enabled behind sign-in (instead of sync opt in) in upcoming Chrome milestones.

Web sign-in intercepts can be controlled using the SigninInterceptionEnabled policy. For more details, see Force users to create a separate profile.
- Chrome 132 on Linux, macOS, Windows Roll-out starts

HTTPS-First Mode for Typically Secure Users
HTTPS-First Mode (HFM) enables a default-HTTPS experience in Chrome by automatically upgrading sites to HTTPS. If a site doesn’t support HTTPS, HFM shows a warning before loading the HTTP version. HFM significantly improves the security guarantees of HTTPS by preventing loading of HTTP URLs without explicit user approval.

HFM for typically secure users (this feature) is a heuristic that can automatically enable HFM for the user if the user has a typically secure browsing pattern. Typically secure browsing pattern is determined by keeping track of HTTPS-Upgrade fallbacks (failed HTTPS Upgrades, which would be HFM interstitials if the user manually enabled HFM) and a few other factors such as profile age and overall site engagement score.

If these signals indicate that the user mostly visits secure sites, the heuristic will automatically enable HFM setting. HFM interstitials caused by this heuristic will display a custom message. The user can disable HFM by simply turning off the UI setting and the heuristic will never kick in again.

This feature can be controlled using the existing enterprise policies HttpsOnlyMode and HttpAllowlist.
- Chrome 132 on ChromeOS, Linux, macOS, Windows, Fuchsia

Passkeys on iOS
Passkeys are a more secure alternative to passwords. Unlike passwords, which can be phished or guessed, passkeys let users authenticate to sites and apps using public-key cryptography, as defined in the Webauthn standard.

Google Password Manager passkeys are already available in Chrome on other platforms; this launch brings them to the iOS platform, through enhancements to Chrome's existing Credential Provider Extension ("Passwords in Other Apps"). Using the Extension, Google Password Manager passkeys can be used to sign in to pages in Chrome and other browsers, as well as to native apps.

Passkeys are saved to a user's Google Account and available whenever the user is signed in to Chrome. Relevant enterprise policies such as BrowserSignin, SyncTypesListDisabled and PasswordManagerEnabled will continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.
- Chrome 132 on iOS

Password Leak toggle move
The PasswordLeakDetectionEnabled toggle that was originally found on chrome://settings/security is moving from under the standard protection heading to further down on the page under the Advanced section.

This feature will also remove the PasswordLeakDetectionEnabled dependency on a user's safe browsing status. Previously, a user who had no protection or no safe browsing would not get the PasswordLeakDetectionEnabled functionality. Now, a user has free choice to select the PasswordLeakDetectionEnabled toggle regardless of their safe browsing protection level.
- Chrome 132 on ChromeOS, Linux, macOS, Windows, Fuchsia

Removal of old Headless from the Chrome binary
Running Chrome with `--headless=old` no longer launches the old Headless mode, and instead prints the following log message:

Old Headless mode has been removed from the Chrome binary. Please use the new Headless mode or the chrome-headless-shell which is a standalone implementation of the old Headless mode.
- Chrome 132 on Linux, macOS, Windows

Remove ThirdPartyBlockingEnabled policy
Due to unexpected issues, ThirdPartyBlockingEnabled will be removed in Chrome 135. If you have feedback about this removal, please file a bug here.
- Chrome 132 on Windows
  Deprecation of ThirdPartyBlockingEnabled policy
- Chrome 135 on Windows
  Removal of ThirdPartyBlockingEnabled policy

Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed in Chrome 132.
- Chrome 132 on Android, ChromeOS, Linux, macOS, Windows
  Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

Support non-special scheme URLs
Chrome 130 supports non-special scheme URLs, for example, git://example.com/path. Previously, the Chromium URL parser didn't support non-special URLs. The parser parses non-special URLs as if they had an opaque path, which is not aligned with the URL standard. Now, the Chromium URL parser parses non-special URLs correctly, following the URL standard. For more details, see http://bit.ly/url-non-special.
- Chrome 130 on Windows, macOS, Linux, Android
- Chrome 132 on Windows, macOS, Linux, Android
- Chrome 134 on Windows, macOS, Linux, Android: Feature flag being removed

Translate for Search with Google Lens
Augmented Reality-based (AR) Translation capabilities are being implemented to the Search with Google Lens feature. The LensOverlaySettings enterprise policy is in place allowing you to turn the feature on or off.
- Chrome 131 on ChromeOS, Linux, macOS, Windows
- Chrome 132 on ChromeOS, Linux, macOS, Windows
  In Chrome 131, the translate feature was introduced. In Chrome 132, the translate feature is being expanded with additional language support.

User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar and clicking the chip launches the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 132 on Linux, macOS, Windows
  Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).

Keyboard-focusable scroll containers
Improves accessibility by making scroll containers focusable using sequential focus navigation. Today, the tab key doesn't focus scrollers unless tabIndex is explicitly set to 0 or more.

By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using a keyboard's tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a <textarea>.

Note: The previous rollout of this feature (started first in Chrome 127 and again in Chrome 130) was stopped due to an accessibility regression, which should be fixed in the current implementation shipping in Chrome 132.
- Chrome 132 on Windows, macOS, Linux, Android

Remove Prefixed HTMLVideoElement Fullscreen APIs
The prefixed HTMLVideoElement-specific fullscreen APIs have been deprecated since Chrome 38. They were replaced by the Element.requestFullscreen() API, which first shipped un-prefixed in Chrome 71, in 2018. As of 2024, most browsers have had support for the un-prefixed APIs for a few years now.

This feature tracks removing the following APIs from HTMLVideoElement:

- readonly attribute boolean webkitSupportsFullscreen;

- readonly attribute boolean webkitDisplayingFullscreen;

- void webkitEnterFullscreen();

- void webkitExitFullscreen();

// Note the different capitalization of the "S" in FullScreen.

- void webkitEnterFullScreen();

- void webkitExitFullScreen();

These methods are now only aliases for the modern API. Their use has declined steadily over the years.
- Chrome 132 on Windows, macOS, Linux, Android

Throw exception for popovers or dialogs in non-active documents
This is a corner case change that does not impact developers. Previously calling `showPopover()` or `showModal()` on a popover or dialog that resides within an inactive document would silently fail. This means that no exception would be thrown, but since the document is inactive, no popover or dialog would be shown. These situations now throw InvalidStateError. For more information, see the relevant spec pull request on Github.
- Chrome 132 on Windows, macOS, Linux, Android

New policies in Chrome browser

Policy	Description
CACertificates	TLS certificates that should be trusted for server authentication
CACertificateManagementAllowed	Allow users to manage all certificates
CADistrustedCertificates	TLS certificates that should be distrusted for server authentication
CAHintCertificates	TLS certificates that are not trusted or distrusted but can be used in path-building for server authentication
CACertificatesWithConstraints	TLS certificates that should be trusted for server authentication with constraints
PasswordManagerPasskeysEnabled	Enable saving passkeys to the password manager
SharedWorkerBlobURLFixEnabled	Make SharedWorker blob URL behavior aligned with the specification
TranslatorAPIAllowed	Allows the use of Translator API

Removed policies in Chrome browser

Policy	Description
LegacySameSiteCookieBehaviorEnabledForDomainList	Revert to legacy behavior for cookies on all sites
NativeClientForceAllowed	Forces Native Client (NaCl) to be allowed to run
PrefixedVideoFullscreenApiAvailability	Manage the deprecated prefixed video fullscreen API's availability

Chrome Enterprise Core changes

Customized Chrome Web Store for enterprises
Admins can leverage new settings to customize the Chrome Web Store for their managed users, which includes the ability to:
- Add company logos
- Add hero banners and custom announcements
- Curate extension collections
- Hide extension categories
These settings are configurable via the Admin console (learn more) and are available to all signed-in managed users (users signed-in to the Chrome Web Store with a managed Google Account).

Additionally, all managed users who sign in to the Chrome Web Store will see the following changes:
- New tags for items “Blocked by their admin” when searching for an item
- Private domain item search and advanced filtering capabilities
- Private items and recommended items are relocated to the “Extensions” tab
Enrolled browsers (without the need to sign in) will be supported later in 2025.
- Chrome 132 on ChromeOS, Linux, macOS, Windows

New Chrome user management capabilities in the Admin console
Admins can now get more visibility into Chrome user profiles in their organization with a new profile list and reporting features for signed-in Google Accounts. This centralized view in the Google Admin console provides detailed reports about user profiles in your organization, including profile information, browser version, applied policies and installed extensions. For more details, see View Chrome browser profile details.

To get started, IT administrators can simply turn on the new Chrome Managed profile reporting policy to view the reporting information about managed profiles.
- Chrome 132 on Android, Linux, macOS, Windows

Copy Source conditions in Chrome DLP paste rule
In this feature, we are adding copy source conditions, namely Source URL, Source URL category and Source Chrome context in Paste trigger rule for all customers. Admins can now create paste rules using the OnBulkDataEntryEnterpriseConnector policy, with conditions matching where the data or text being pasted is copied from.

For more details, see Use Chrome Enterprise Premium to integrate DLP with Chrome.
- Chrome 132 on ChromeOS, Linux, macOS, Windows
  In this rollout, we are adding copy source conditions, namely Source URL category and Source Chrome context in Paste trigger rule for all customers. Admins will be able to create Paste rules (policy) with conditions matching where the data/text being pasted is copied from.

Generating insights for Chrome DevTools console warnings and errors
A new Generative AI (GenAI) feature is now available for unmanaged users, generating insights for Chrome DevTools Console warnings and errors.

These insights provide a personalized description and suggested fixes for the selected errors and warnings. Initially, this feature is only available to users (18+) in English. Admins can control this feature by using the DevToolsGenAiSettings policy.
- Chrome 125 on ChromeOS, Linux, macOS, Windows
  Feature becomes available to unmanaged users globally, except Europe, Russia, and China.
- Chrome 127 on ChromeOS, Linux, macOS, Windows
  Feature becomes available to managed Chrome Enterprise & Education users in supported regions.
- Chrome 131 on ChromeOS, Linux, macOS, Windows
  In Chrome 131, a new Generative AI (GenAI) feature becomes available for managed users: a dedicated “AI assistance” panel in Chrome DevTools which assists the human operator investigating & fixing styling challenges and helps debugging the CSS.
- Chrome 132 on ChromeOS, Linux, macOS, Windows
  The AI assistance panel can now explain resources in the Performance panel, Sources panel, and Network panel, in addition to the previous support for style debugging.

Professional Chrome Enterprise Administrator certification
For organizations using Chrome Enterprise Core, we offer a new certification opportunity – the Professional Chrome Enterprise Administrator certification. This certification is designed to validate your expertise in managing Chrome Enterprise browser environments, with a focus on using Chrome Enterprise Core to implement policies, establish controls, and analyze reports.

Designed for Chrome Enterprise Administrators with at least one year of experience with application, policy, and endpoint management, the exam is a two-hour exam consisting of about 70 multiple choice questions. The exam assesses your familiarity with both local and cloud-based solutions to manage, maintain, troubleshoot, secure, and integrate with services related to Chrome.

Google is waiving the exam fee of $125 until March 2025 and admins can now take the Professional Chrome Enterprise Administrator certification exam for free.
- Chrome 132 on Android, iOS, ChromeOS

Server Root Certificates for Chrome Enterprise
Chrome 132 adds the capability for enterprise customers or partners to deploy custom Server Root Certificates or Trust Anchors into Chrome’s Root Store on fully managed browsers via Chrome Browser Cloud Management or into managed Chrome profiles on managed or unmanaged devices.
- Chrome 132 on Linux, macOS, Windows

Legacy Technology Report
The Legacy Tech Report allows IT administrators to have visibility on websites (both internal and external) that are using deprecated or soon-to-be deprecated technologies (for example, CSS property changes or older security protocols like TLS 1.0 & 1.1). This launch is available in the Google Admin console to all Chrome Enterprise Core. For more details, see View legacy technology usage details.

This gives an opportunity to IT administrators to have the ability to work with developers to proactively plan technical migrations before a deprecation goes into effect.
- Chrome 132 on Linux, macOS, Windows

Recommended policies (users can override a policy value)
Chrome is introducing the User override configuration in the Google Admin console for policies that can be set as recommended. This means that IT administrators can apply a policy value and allow users to override the policy value.

On Chrome 132: the following policies are supported: ShowHomeButton, HomepageIsNewTabPage, HomepageLocation, DownloadRestrictions, SafeBrowsingProtectionLevel, AlwaysOpenPdfExternally, BackgroundModeEnabled, MetricsReportingEnabled, WarnBeforeQuitting, PrintPreviewUseSystemDefaultPrinter, BatterySaverModeAvailability

As early as Chrome 133: the following policies will be supported: ImportAutofillFormData, ImportBookmarks, ImportHistory, ImportSavedPasswords, ImportSearchEngine

Updated managed browser list: Most recent Google Update activity
Chrome Enterprise Core is adding the Most recent Google Update activity column on the managed browser list. The Most recent Google Update activity represents the last recorded time when the GoogleUpdater service interacted with a managed browser.
- Chrome 132 on Linux, macOS, Windows

Chrome Enterprise Premium changes

File download encryption for DLP Rules
When a file downloaded Data Loss Prevention (DLP) rule is triggered, the file is now encrypted on the fly to ensure that end users cannot access that file when a verdict is being returned. This means that users can no longer bypass the rule by moving or renaming the file.

This feature is gated by the existing policy OnFileDownloadedEnterpriseConnector and is only available to Chrome Enterprise Premium users.
- Chrome 132 on ChromeOS, Linux, macOS, Windows

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

Disallow spaces in non-file:// URL hosts
As stated in the WhatWG.org spec, URL hosts cannot contain the space character, but currently URL parsing in Chromium allows spaces in the host.

This causes Chromium to fail several tests included in the Interop2024 'HTTPS URLs for WebSocket' and URL focus areas.

To bring Chromium into spec compliance, we would like to remove spaces from URL hosts altogether, but a difficulty with this is that they are used in the host part in Windows file:// URLs (see the discussion on Github).

This feature will be part of the ongoing work to bring Chromium closer to spec compliance by forbidding spaces for non-file URLs only.
- Chrome 133 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia

Read aloud in Reading mode in Chrome 133
Reading mode is a side-panel feature that provides a simplified view of text-dense web pages. Reading mode will include a Read aloud feature which will allow users to hear the text they are reading spoken out loud. Users will be able to choose different natural voices and speeds, and see visual highlights.
- Chrome 133 on Linux, macOS, Windows

Tab freezing on Energy saver
When Energy saver is active, Chrome will freeze a tab that has been hidden and silent for >5 minutes and uses a lot of CPU, unless:
- The tab provides audio- or video- conferencing functionality (detected via microphone, camera or screen/window/tab capture, or an RTCPeerConnection with an open RTCDataChannel or a live MediaStreamTrack).
- The tab controls an external device (detected via usage of Web USB, Web Bluetooth, Web HID or Web Serial).
This will extend battery life and speed up Chrome through reduced CPU usage.
The feature can be tested in Chrome 131 via chrome://flags/#freezing-on-energy-saver. Alternatively, it can be tested with chrome://flags/#freezing-on-energy-saver-testing, which simulates Energy saver being active and all tabs using a lot of CPU; this allows you to verify whether tabs are eligible for freezing and would be frozen if using a lot of CPU.
- Energy saver availability can be controlled via the BatterySaverModeAvailability policy (this change has no effect when Energy saver is inactive).
- Chrome 133 on ChromeOS, Linux, macOS, Windows
  The feature will start rolling out to 1% of stable in Chrome 133.

Deprecate getters of Intl Locale Info
Intl Locale Info API is a Stage 3 ECMAScript TC39 proposal to enhance the Intl.Locale object by exposing Locale information, such as week data (first day in a week, weekend start day, weekend end day, minimum day in the first week), and text direction hour cycle used in the locale.

We shipped our implementation in Chrome 99 but later on the proposal made some changes in Stage 3 and moved several getters to functions. We need to remove the deprecated getters and relaunch the renamed functions.
- Chrome 133 on Windows, macOS, Linux, Android

Popover invoker and anchor positioning improvements
This update represents the following related set of changes, which were resolved and landed

1. add an imperative way to set invoker relationships between popovers:

popover.showPopover({source})

2. invoker relationships create implicit anchor element references.
- Chrome 133 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia

Remove Chrome Welcome page triggering via initial prefs first run tabs
Including chrome://welcome in the first_run_tabs property of the initial_preferences file will now have no effect. This is removed because that page is redundant with the First Run Experience that triggers on desktop platforms.

For more details about the context of the initial_preferences file, see Configuring Other Preferences.
- Chrome 133 on Windows, macOS, Linux

Remove nonstandard getUserMedia audio constraints
Blink supports a number of nonstandard goog-prefixed constraints for getUserMedia from some time before constraints were properly standardized.

Usage has gone down significantly ~0.000001% to 0.0009% (depending on the constraint) and some of them do not even have an effect due to changes in the Chromium audio-capture stack. Soon none of them will have any effect due to other upcoming changes.

We do not expect any major regressions due to this change. Applications using these constraints will continue to work, but will get audio with default settings (as if no constraints were passed). They can easily migrate to standard constraints.
- Chrome 133 on Windows, macOS, Linux, Android

Remove SwiftShader fallback
Allowing automatic fallback to WebGL backed by SwiftShader is deprecated and WebGL context creation will fail instead of falling back to SwiftShader. This was done for two primary reasons:
1. SwiftShader is a high security risk due to JIT-ed code running in Chromium's GPU process.
2. Users have a poor experience when falling back from a high-performance GPU-backed WebGL to a CPU-backed implementation. Users have no control over this behavior and it is difficult to describe in bug reports.
SwiftShader is a useful tool for web developers to test their sites on systems that are headless or do not have a supported GPU. This use case will still be supported by opting in but is not intended for running untrusted content.

To opt-in to lower security guarantees and allow SwiftShader for WebGL, run the chrome executable with the --enable-unsafe-swiftshader command-line switch.

During the deprecation period, a warning will appear in the JavaScript console when a WebGL context is created and backed with SwiftShader. Passing --enable-unsafe-swiftshader will remove this warning message.

Chromium and other browsers do not guarantee WebGL availability. You can test and handle WebGL context creation failure and fall back to other web APIs such as Canvas2D or an appropriate message to the user.
- Chrome 133 on Windows, macOS, Linux, Android

Privacy & security panel in Chrome DevTools
Starting in Chrome 133, developers will be able to use the new Privacy & security panel in Chrome DevTools to test how their site will behave when third-party cookies are limited. Developers will be able to temporarily limit third-party cookies, observe how their site behaves, and review the status of third-party cookies on their site.

This feature will not make any permanent changes to existing enterprise policies, but it will let third-party cookie related enterprise policies (that is, BlockThirdPartyCookies and CookiesAllowedForUrls) be temporarily overridden to be more restrictive. If your enterprise policy already blocks third-party cookies using BlockThirdPartyCookies, this feature will be disabled.

The new Privacy & security panel will replace the existing Security panel. TLS connection and certificate information will continue to be available on the Security tab in the Privacy & security panel.
- Chrome 133 on ChromeOS, Linux, macOS, Windows

Chrome Sync to end support for Chrome versions more than four years old
Starting in February 2025, Chrome Sync (using and saving data in your Google Account) will no longer support Chrome versions that are more than four years old. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 133 on Android, iOS, ChromeOS, Linux, macOS, Windows
This change affects only the old versions of Chrome and will be rolled out server-side. Chrome 133 is specified only to reflect the timeline when the change will make an effect.

V8 Security Setting
Add a setting on chrome://settings/security to disable the V8 JIT optimizers, in order to reduce the attack surface of Chrome. This maintains compatibility with Web Assembly. This behavior continues to be controlled by the DefaultJavaScriptJitSetting enterprise policy, and the associated JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies.
- Chrome 122 on ChromeOS, Linux, macOS, Windows, Fuchsia
  The setting rolls out in Chrome 121. The enterprise policies have been available since Chrome 93.
- Chrome 133 on Android
  The setting is available on Android in Chrome 133, under Site Settings. The enterprise policies are no longer marked experimental.

New option in HttpsOnlyMode policy
Ask Before HTTP (ABH, formerly HTTPS Only/First Modes) is a setting that tells Chrome to ask for user consent before sending insecure HTTP content over the wire. The HttpsOnlyMod policy allows force-enabling, or force-disabling, ABH.

In Chrome 129, we are adding a new middle-ground variant of ABH called "balanced mode". This variant aims to reduce user inconvenience by working like (strict) ABH most of the time, but not asking when Chrome knows that an HTTPS connection isn't possible (such as when connecting to a single-label hostname like internal/).

We are adding a force_balanced_enabled policy option to allow force-enabling this new variant. Setting force_balanced_enabled on browsers before Chrome 129 will result in the default behavior, which places no enterprise restrictions on the ABH setting.

To avoid unexpected impact, if you have previously set force_enabled, we recommend not setting force_balanced_enabled until your entire fleet has upgraded to Chrome 129 or higher. If you are not migrating from force_enabled to force_balanced_enabled, you will be unaffected by this change.
- Chrome 129 on ChromeOS, Linux, macOS, Windows, Fuchsia
- Chrome 133 on Android

SafeBrowsing API v4 to v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5.

If admins have any v4-specific URL allowlisting to allow network requests to https://safebrowsing.googleapis.com/v4*, these should be modified to allow network requests to the whole domain instead: safebrowsing.googleapis.com. Otherwise, rejected network requests to the v5 API will cause security regressions for users.
- Chrome 134 on Android, iOS, ChromeOS, Linux, macOS, Windows: This will be a gradual rollout.

Blob URL Partitioning: Fetching or Navigation
As a continuation of Storage Partitioning, Chromium will implement partitioning of Blob URL access by Storage Key (top-level site, frame origin, and the has-cross-site-ancestor boolean), with the exception of navigations which will remain partitioned only by frame origin. This behavior is similar to what’s currently implemented by both Firefox and Safari, and aligns Blob URL usage with the partitioning scheme used by other storage APIs as part of Storage Partitioning. In addition, Chromium will enforce noopener on renderer-initiated navigations to Blob URLs where the corresponding site is cross-site to the top-level site performing the navigation. This aligns Chromium with similar behavior in Safari, and we will pursue spec updates to reflect both of these changes.

This change can be temporarily reverted by setting the PartitionedBlobURLUsage policy, which will be available in Chrome 134. The policy will be deprecated when the other storage partitioning related enterprise policies are deprecated.
- Chrome 134 on Windows, macOS, Linux

SharedWorker script inherit controller for blob script URL
Service Workers should inherit controllers for the blob URL. However, existing code allows only dedicated workers to inherit the controller, and shared workers do not inherit the controller.

This is the fix to make Chromium behavior adjust to the specification.

An enterprise policy SharedWorkerBlobURLFixEnabled is available to control this feature.
- Chrome 134 on Windows, macOS, Linux

Deprecate mutation events
Synchronous mutation events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.

Mutation event support will be disabled by default starting in Chrome 127, around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
To read more, see this blog post. Report any issues here.
- Chrome 135 on Android, Linux, macOS, Windows: The MutationEventsEnabled enterprise policy will be deprecated.

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome started directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Admins might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that admins can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise admins may continue to use the UiAutomationProviderEnabled policy to either opt in early to the new behavior, or to temporarily opt out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Customizing managed profiles with custom logo and label
New toolbar and profile menu customizations that help users easily identify if their Chrome profile is managed, whether they're on a work or personal device. This is especially useful for scenarios where employees use their own devices with managed accounts.

To help tailor this experience, we're adding three new policies:
- EnterpriseCustomLabel: Customize the text displayed on the toolbar element to match your organization's branding.
- EnterpriseLogoUrl: Add your company logo to the profile menu.
- EnterpriseProfileBadgeToolbarSettings: This policy can disable the default label for a managed profile in the Chrome toolbar.
In Chrome Chrome 133, these policies will be available to customize the logo and label shown on a managed profile.

Starting Chrome 134, there will be updates to the default behavior of the profile label and icon overlaid on the account avatar. Managed profiles will show a work or school label in addition to the profile disk. In the profile menu, there will be a building icon overlaid on the account avatar. The expanded profile disk can be disabled via EnterpriseProfileBadgeToolbarSettings.
- Chrome 133 on macOS, Windows
  Policies to customize the toolbar label and icon (in profile menu)
- Chrome 134: Starting rollout of defaults including:
  - 1) work or school label shown in toolbar, next to user avatar
  - 2) A building icon overlayed on the user's account photo in the profile menu. The label can be turned off via EnterpriseProfileBadgeToolbarSettings. Starting with 1% and gradual slow rollout thereafter.

Upcoming Chrome Enterprise Core changes

New Chrome Enterprise Companion App

Chrome Enterprise Companion App (CECA) is a new administrative binary that will be automatically installed with Chrome browsers enrolled into Chrome Enterprise Core or Chrome Enterprise Premium. It is meant to support Enterprise use cases, policies and reporting.
- Chrome 133 on Windows, macOS

Upcoming Chrome Enterprise Premium changes

Screenshot prevention
We plan to enhance the existing screenshot prevention feature by extending screen-sharing blocking to meeting apps like Google Meet, Zoom, Teams, and Slack. We will build upon the successful release of data protection controls by adding key features and addressing gaps and user feedback.
- Chrome 134 on Windows, macOS

URL filtering on iOS and Android
We will extend the existing URL filtering capabilities from desktop to mobile platforms, providing organizations with the ability to audit, warn, or block certain URLs or categories of URLs from loading on managed Chrome browsers or managed user profiles on mobile devices. This includes ensuring the functionality works seamlessly with Context-Aware Access (CAA) which allows admins to set access policies based on user context (for example, user role, location) and device state (for example, managed device, security compliance).
- Chrome 135 on Android, iOS

Reporting connector for mobile
We are working towards feature parity with the desktop version, enabling organizations to monitor and respond to security events on mobile devices, such as unsafe site visits and potential data exfiltration attempts. This helps ensure consistent security and policy enforcement across different platforms.
- Chrome 135 on Android, iOS

Refactor DLP rules UX
We aim to create a more user-friendly and efficient interface for Chrome-specific DLP rules. This involves redesigning the rule creation workflow in the Admin Console to better accommodate existing and upcoming security features for Chrome Enterprise Premium customers.
- Chrome 134 on Windows, macOS, Linux, ChromeOS

Connectors API
We plan to simplify the setup process for third-party security connectors and enable providers to manage configurations directly from their own UI. This aims to make it easier for organizations to integrate their preferred security tools and services with Chrome, enhancing security and management across different platforms.
- Chrome 135 on Windows, macOS, Linux, ChromeOS

↑ back to top

ChromeOS 132 release summary

ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Customized Chrome Web Store for enterprises		✓
Native Client (NaCl) support ending on ChromeOS		✓
Onboarding refresh		✓
Migrate data for graduating students		✓	✓
Rounded corners for Apps		✓
ChromeOS Passwordless Authentication	✓
Face control on ChromeOS	✓	✓
Turn off the touchpad		✓
Password Manager biometric authentication	✓
Apps discovery removed from Explore		✓
Remote management for idle devices			✓
ChromeOS device Bedtime Hours policy			✓
Improved management disclosure on locked device	✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
AI wallpapers and backgrounds		✓
Deprecating Chrome Apps support on ChromeOS		✓	✓

DOWNLOAD Release notes (PDF)

↑ back to top

ChromeOS updates

Customized Chrome Web Store for enterprises

Admins can now use new settings to customize the Chrome Web Store for their managed users, which includes the ability to:
- Add company logos
- Add hero banners and custom announcements
- Curate extension collections
- Implement category-based controls
These settings are configurable using the Admin console and are available to all signed-in managed users (users signed-in to the Chrome Web Store with a managed Google Account). For more details, see Customized Chrome Web Store for enterprises.

Additionally, all managed users who sign in to the Chrome Web Store will see the following changes:
- New tags for items Blocked by their admin when searching for an item
- Private domain item search and advanced filtering capabilities
- Private items and recommended items are relocated to the Extensions tab
Enrolled browsers (without the need to sign in) will be supported later in 2025.
- Chrome 132 on ChromeOS, Linux, macOS, Windows

Native Client (NaCl) support ending on ChromeOS

ChromeOS 132 is the last release with NaCl support for unmanaged or consumer devices, followed by ChromeOS 138 in July 2025 for managed devices. For more details, see About ChromeOS device management.

In 2017, we announced the end of support of Native Client (NaCl) in favor of WebAssembly. With most developers and users having migrated away from NaCl, we confirm the following NaCl discontinuation dates:
- January 2025: Native Client (NaCl) will be disabled from ChromeOS 132 onwards.
  - For unmanaged and consumer users, ChromeOS 132 will be the last ChromeOS release with support for NaCl.
  - For managed environments (including Kiosk sessions), administrators who manage ChromeOS devices for a business or school will have the option of extending the ability to use NaCl with a DeviceNativeClientForceAllowed NaCl allow policy through the ChromeOS 138 release. To enable device policies, please refer to Set ChromeOS device policies in the Chrome Enterprise and Education Help Center.
- July 2025: ChromeOS 138 will be the last version with NaCl support.
  - For managed environments, ChromeOS 138 is a Long-term Support (LTS) ChromeOS release available to administrators who manage ChromeOS devices for a business or school.
  - For devices that have been switched to the LTS channel and have the NaCl allow policy enabled, NaCl will be available until LTS Last Refresh in April 2026.
  - No exceptions will be granted.
For Chrome Apps that use NaCl, migrate to WebAssembly (WASM). To help you with the transition, we've published the WebAssembly Migration Guide.

For more information about this change or if you need assistance, you can refer to any of the following:
- WebAssembly Migration Guide.
- ChromeOS developer community on Discord.
- ChromeOS release schedule for release dates and updates.
To find out more, see Manage policies for ChromeOS devices in the Chrome Enterprise and Education Help Center.

Onboarding refresh

There are many different setup items that users might look to change once they've started using their devices, including setting up a printer, connecting Bluetooth devices, changing touchpad direction, and so on. This feature consolidates many of these common setup items into a simple task list, with deep linking to where a user can change a particular setting, to simplify the process of completing many of these steps.

Migrate data for graduating students

As early as ChromeOS 132, a new Content transfer tool will guide graduating students or other EDU-managed users who want to migrate their data through the updated Google Takeout Transfer process. This allows them to take their Docs, Sheets, Slides, and Gmail content to a Gmail account of their choice.

This new application allows school administrators to pin an icon to the shelf, notify students and faculty on their Chromebooks, and set dates to trigger these nudges to encourage them to use Content transfer.

Rounded corners for Apps

As part of a new UI design, ChromeOS now features rounded corners on all app windows on Chromebook Plus devices.

ChromeOS passwordless authentication

The passwordless ChromeOS feature allows users to access their device with PIN or a local password as their primary authentication factor. This means that you will be able to log in to your ChromeOS device with a password you set explicitly for your device, as well as with a PIN no longer tying your gmail password with your device password.

It is not possible to enable the PIN feature on managed devices.

Face control on ChromeOS

ChromeOS now features AI-powered face control; you can now use face and gesture tracking to navigate your Chromebook, open apps, and even compose emails – all without a keyboard or mouse. This built-in technology, inspired by Project Gameface, provides greater accessibility for users with motor disabilities and offers a more efficient way for everyone to interact with their devices. To read more about this feature, see this Google blog post.

Turn off the touchpad

Chromebook users can now disable their touchpads. This accessibility improvement helps those who rely on screen readers or may experience accidental clicks. To turn it off, go to Settings > Accessibility > Cursor and Touchpad.

Password Manager biometric authentication

ChromeOS 132 enables biometrics in Password Manager and autofill on Chrome for ChromeOS devices.

Apps discovery removed from Explore

ChromeOS 132 removes the Apps & Games module in the Explore app. To discover new apps for your ChromeOS device, navigate to https://discover.apps.chrome.

.

Remote management for idle devices

Chrome Remote Desktop (CRD) is a feature that allows for remote control of ChromeOS devices, primarily for troubleshooting purposes, where a device is idle and unused. Admins can now initiate a CRD connection to a ChromeOS device sitting on the login screen. This enables an admin to sign-in to a managed device with their own set of credentials for troubleshooting or testing.

ChromeOS device Bedtime Hours policy

The new DeviceRestrictionSchedule policy allows ChromeOS administrators to disallow users from logging in to specified Chromebooks during certain hours on specified days of the week. During these hours, kiosk apps are also unavailable.

Improved management disclosure on locked device

This feature improves the management disclosure on the device's lock screen. To enhance user understanding before using their device for personal tasks or work, we provide a clear explanation of what managed devices entail. This way, users can make informed decisions regarding their device usage. By providing necessary information, users gain the knowledge needed to make choices that align with their privacy and security concerns and preferences.

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming ChromeOS changes

AI wallpapers and backgrounds

As early as ChromeOS 134, we plan to introduce high-resolution, generative AI wallpapers and video call backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.

Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings. This feature will be available on Chromebook Plus devices only.

Deprecating Chrome Apps support on ChromeOS

In 2016, we announced the deprecation of Chrome Apps in favor of web apps, and in 2021, we announced on the Chromium Blog that support for Chrome Apps for ChromeOS Enterprise and Education customers and developers on ChromeOS would be extended until at least January 2025. With the majority of our customers having migrated off of Chrome Apps (including Legacy (v1) packaged apps and Hosted apps), we can confirm the following updates about Chrome Apps discontinuation dates.
- July 2025: End of support for user-installed Chrome Apps (scheduled for ChromeOS M138).
  - Chrome Apps that are force-installed through the admin console will continue to be supported.
- July 2026: Last ChromeOS release with support for Chrome Apps in Kiosk Mode (scheduled for ChromeOS M150).
  - Devices on the LTS channel with Chrome Apps in Kiosk Mode will receive support until April 2027.
- February 2028: Last ChromeOS release with support for Chrome Apps (scheduled for ChromeOS M168), marking the end of life for all Chrome Apps.
  - Devices on the LTS channel can continue to use Chrome Apps until October 2028.
  - No exceptions will be granted.
These deprecation timelines also apply to self-hosted Chrome Apps.

While no new Chrome Apps can be added to the Chrome Web Store, existing Chrome Apps can continue to be updated through October 2028 when they will reach end of life on ChromeOS. After this date, Chrome Apps will be removed from the Chrome Web Store.

If your organization has developed in-house Chrome Apps and you need assistance, please refer to Transition from Chrome Apps guide. You can also join us in the ChromeOS developer community on Discord, or reach out to us through the form at https://chromeos.dev/work-with-us. Refer to the ChromeOS release schedule for release dates and updates.

In the coming weeks, additional detailed information will be sent to all remaining Chrome App developers and all ChromeOS Administrators.

↑ back to top

Chrome 131

Chrome 131 release summary

Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Search with Google Lens on iOS		✓
Asynchronous real-time Safe Browsing check	✓
Ad-hoc code signatures for PWA shims on macOS		✓
Choose from Google Drive on iOS		✓
Chrome PDF Viewer OCR		✓
Chrome on iOS promo on Desktop NTP		✓
Cross profile password-reuse detection	✓
Chrome on Android now supports 3P autofill and password providers	✓	✓
Deprecate Safe Browsing Extended reporting	✓
Entrust certificate distrust	✓
Insecure form warnings on iOS	✓
PartitionAlloc with Advanced Checks (PA/AC)	✓
Simplified sign-in and sync experience	✓
Tab freezing on Energy saver		✓
Update Google Play Services to fix issues with on-device passwords		✓
X25519Kyber768 key encapsulation for TLS	✓
Deprecation of CSS Anchor Positioning property inset-area	✓
Improvements to styling structure of <details> and <summary> elements		✓
Keyboard Lock and Pointer Lock permissions	✓
Remove non-standard GPUAdapter requestAdapterInfo() method	✓
<select> parser relaxation	✓
Support external SVG resources for clip-path, fill, stroke, and marker-* properties	✓
Support non-special scheme URLs	✓
Translate for Search with Google Lens		✓
New policies in Chrome browser			✓
Removed policies in Chrome browser			✓
Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
GenAI Defaults policy			✓
Chrome extension telemetry integration with SecOps	✓
Customized Chrome Web Store for Enterprises			✓
DownloadRestrictions policy support on Android	✓		✓
Enterprise Policy to force adaptive buffering for WebAudio Rendering			✓
Generating insights for Chrome DevTools Console warnings and errors			✓
Recommended policies in the Admin console			✓
Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
Chrome Enterprise Data Controls: Clipboard	✓
Screenshot protections	✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Read aloud in Reading mode in Chrome 132		✓
Removal of old Headless from the Chrome binary		✓
Capture all screens	✓
Remove prefixed HTMLVideoElement fullscreen APIs		✓
Remove ThirdPartyBlockingEnabled policy			✓
Keyboard-focusable scroll containers		✓
Throw exception for popovers or dialogs in non-active documents		✓
User Link capturing on PWAs		✓	✓
Network Service on Windows will be sandboxed	✓
Remove SwiftShader fallback	✓
Privacy & security panel in Chrome DevTools	✓
Chrome Sync to end support for Chrome versions more than four years old		✓
Disallow spaces in non-file:// URL hosts	✓
SafeBrowsing API v4 to v5 migration	✓
Blob URL partitioning: Fetching or Navigation	✓
Deprecate mutation events		✓
UI Automation accessibility framework provider on Windows		✓
Upcoming Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
Remove enterprise policy used for legacy same site behavior			✓
Upcoming Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
DLP file download access prevention	✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser changes

Search with Google Lens on iOS
Since Chrome 126, users can search any images or text they see on their screen with Google Lens. To use this feature, go to a website and click Search with Google Lens on the on-focus omnibox chip and on the right-click menus on desktop, or on the 3-dot menu on both desktop and mobile. Users can click, highlight, or drag anywhere on the screen to search its contents, and refine their search by adding keywords or questions to the search box. Admins can control the feature through a policy called LensOverlaySettings. To perform the search, a screenshot of the screen is sent to Google servers but it is not linked to any IDs or accounts, it is not viewed by any human, and data about its contents is not logged. We are starting the rollout of this feature gradually on iOS in Chrome 131 and we plan to launch fully in Chrome 132.
- Chrome 126 on ChromeOS, Linux, macOS, Windows: Rollout of the feature at 1% Stable
- Chrome 127 on ChromeOS, Linux, macOS, Windows: Rollout to 100% Stable
- Chrome 131 on iOS: Rollout of the feature starts
- Chrome 132 on iOS: Rollout to 100% Stable

Asynchronous real-time Safe Browsing check on iOS
Today Safe Browsing checks are on the blocking path of page loads, meaning that the user cannot see the page until the checks are completed. To improve Chrome's loading speed, real-time Safe Browsing checks will no longer block page loads after Chrome 122, and after Chrome 131 on iOS.

We have evaluated the risk and put mitigations in place:
1. For malware and 0-day attacks, local-blocklist checks will still be conducted in synchronous manner so that malicious payloads are still blocked by Safe Browsing.
2. For phishing attacks, we've looked at data and it is unlikely the user would have interacted with the page (for example, typed a password) by the time we show the warning.
- Chrome 122 on Android, ChromeOS, Linux, macOS, Windows
- Chrome 131 on iOS

Ad-hoc code signatures for PWA shims on macOS
Code signatures for the application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures that are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures result in each PWA app shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.

This addresses problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and permits future improvements to handling of user notifications within PWAs on macOS.

Administrators should test for compatibility with any endpoint security or binary authorization tools they use (such as Santa). The feature can be switched on for testing using the chrome://flags/#use-adhoc-signing-for-web-app-shims flag. Admins can then install a PWA and ensure that it launches as expected.

If there is an incompatibility between the feature and their current security policies, the AdHocCodeSigningForPWAsEnabled policy can be used to disable the feature while they deploy an updated endpoint security policy. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated, at which point it should be unset.
- Chrome 129 on macOS
  This feature is turned on with a flag (chrome://flags/#use-adhoc-signing-for-web-app-shims) so that enterprises can test for compatibility with their endpoint security tools, such as Santa. If it is not currently compatible, they can control the feature using the enterprise policy while they update their endpoint security configurations. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated.
- Chrome 131 on macOS: Feature begins to roll out to stable, starting at 1% rollout.

Choose from Google Drive
From Chrome 131 onwards, Chrome on iOS users can upload a file from Google Drive directly to a web page, without the need to download it on the device first.
- Chrome 131 on iOS: Includes core functionality for uploading a single file.

Chrome PDF Viewer OCR
Chrome Desktop now makes scanned PDFs more accessible. Using on-device Optical Character Recognition (OCR) to maintain privacy (no content is sent to Google), Chrome automatically converts scanned PDFs, allowing you to select text, Ctrl+F, copy, and paste. The feature does not bypass secure PDFs. It only uses OCR on PDFs the user has access to. The solution unlocks PDF accessibility to Chrome users without any extra steps, making PDFs as accessible as the rest of the web.
- Chrome 131 on ChromeOS, Linux, macOS, Windows

Chrome on iOS promo on Desktop NTP
A Chrome on iOS promo on the Desktop new tab page. This promo aims to increase awareness of Chrome on iOS and present a simple way to install.

You can control this feature using the existing policies PromotionsEnabled and NTPMiddleSlotAnnouncementVisible.
- Chrome 131 on Linux, macOS, Windows

Cross profile password-reuse detection
Previously, password-reuse detection of corporate credentials was only detectable in the corporate profile. Now, password-reuse detection detects corporate credential reuse across all non-Incognito profiles on the managed browser.

We've updated the cross profile password-reuse detection criteria to more accurately reflect managed enterprise accounts. We’ve also updated the on-screen message to make it clearer to users that their organization is monitoring their corporate password reuse.
- Chrome 123 on Android, iOS, ChromeOS, Linux, macOS, Windows, Fuchsia
- Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows, Fuchsia
  We've updated the cross profile password-reuse detection criteria to more accurately reflect managed enterprise accounts, and updated the UX message to make it clearer to users that their organization is monitoring their corporate password reuse.

Chrome on Android now supports 3P autofill and password providers
Until now, third-party autofill and password providers could be used in Chrome on Android via accessibility APIs.

In Chrome M131, we're adding direct support for Android Autofill, which means these providers will work with Chrome on Android without the need for accessibility APIs. This should improve the performance of Chrome on Android and third-party autofill providers.

To take advantage of this, users will need to configure their third-party provider in Android settings. Then, in Chrome, users select Settings > Autofill services and choose Autofill using another service.

If users do not change both settings, they will continue to use Google to autofill their passwords, payment and address information. Whether users can use a third-party autofill service or not can be controlled by a new policy called ThirdPartyPasswordManagersAllowed.
- Chrome 131 on Android
  The new setting will be available from Chrome 131. If users use the new setting, it will take immediate effect. If the new setting is not used, users will continue to use either Google or a third party via accessibility (if installed).
  
  The support for accessibility APIs will be deprecated in early 2025, at which point the new policy settings will apply to all users.

Deprecate Safe Browsing Extended reporting
We are deprecating the Safe Browsing Extended reporting feature, which previously enhanced the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content.

This feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, macOS, Windows
  Deprecation of Safe Browsing Extended Reporting. Excluding real-time Client Safe Browsing Report Request
- Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows
  Deprecating SafeBrowsingExtendedReportingEnabled for real-time Client Safe Browsing Report Request

Entrust certificate distrust
In response to sustained compliance failures, Chrome is changing how publicly-trusted TLS server authentication (website) certificates issued by Entrust will be trusted by default in Chrome 131 and greater on Windows, macOS, ChromeOS, Android, and Linux. iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.

Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:
- after November 11, 2024, will no longer be trusted by default.
- on or before November 11, 2024, will be unaffected by this change.
Should a Chrome user or enterprise explicitly trust any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, explicit trust is conveyed through a Windows Group Policy Object, the SCT-based constraints described above will be overridden and certificates will function as they do today.

Additional information and testing resources are the Google Security blog.

To learn more, see this FAQ about the Chrome Root Store.
- Chrome 131 on Android, ChromeOS, Linux, macOS, Windows
  All versions of Chrome 131 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after November 11, 2024.

Insecure form warnings on iOS
Since Chrome 125, Chrome browser blocks form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it displays a warning asking the user to confirm the submission. The goal is to prevent leaking form data over plain text without the user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature.
- Chrome 125 on iOS: Feature rolls out
- Chrome 131 on iOS: InsecureFormsWarningsEnabled policy will be removed

PartitionAlloc with Advanced Checks (PA/AC)
PartitionAlloc (PA) and its associated memory security projects have an array of advanced safeguards that are deactivated by default (or exclusively in debug builds) due to their potential impact on performance. While enabling the feature for all users might not be immediately possible, there is still an opportunity to partially enable it under specific, limited conditions.

This project seeks to achieve advanced safeguards for the enterprise customers. Enterprise administrators have the option to apply enhanced security measures through enterprise policies. Security tends to be prioritized over performance in enterprise. There's a likelihood that they desire advanced checks, even if it comes at a cost to performance.

PA with Advanced Checks is advanced memory security. The feature is OFF by default due to expected performance regression. Enterprise customers have an option to enable it to achieve advanced security via enterprise policy.
- Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows, Fuchsia

Simplified sign-in and sync experience
Starting in Chrome 131, existing users with Chrome sync turned on now experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync is no longer shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.

As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be controlled by SyncTypesListDisabled. Sign-in to Chrome can be switched off via BrowserSignin as before.

Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Chrome 131 on Android

Tab freezing on Energy saver
When Energy saver is active, Chrome freezes a tab that has been hidden and silent for >5 minutes and uses a lot of CPU, unless:
- The tab provides audio- or video- conferencing functionality, detected via microphone, camera or screen, window, or tab capture, or an RTCPeerConnection with an open RTCDataChannel or a live MediaStreamTrack.
- The tab controls an external device, detected via usage of Web USB, Web Bluetooth, Web HID or Web Serial.
This extends battery life and speeds up Chrome through reduced CPU usage.
- Chrome 130 on ChromeOS, Linux, macOS, Windows
  The feature can be tested in Chrome 130 using the #freezing-on-energy-saver entry in about:flags. Alternatively, it can be tested with the #freezing-on-energy-saver-testing flag, which simulates that Energy saver is active and that all tabs use a lot of CPU; this allows verifying whether a tab is eligible for freezing and would be frozen if it used a lot of CPU. Energy saver availability can be controlled using the BatterySaverModeAvailability policy. This change has no effect when Energy save is inactive.
- Chrome 131 on ChromeOS, Linux, macOS, Windows
  The feature will start rolling out to 1% of stable in Chrome 131. It will gradually be ramped up to 100% of Stable. Energy saver availability can be controlled via the BatterySaverModeAvailability policy. This change has no effect when Energy saver is inactive.

Update Google Play Services to fix issues with on-device passwords
Users with old versions of Google Play Services will experience reduced functionality with their on-device passwords, and Password Manager might soon stop working for them altogether. These users will need to update Google Play Services, or will be guided through other troubleshooting methods depending on their state. This is part of an ongoing migration that only affects Android users of Google Password Manager.
- Chrome 131 on Android

X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.

However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.

For more detail, see this Chromium blog post and this Google Security blog post.
- Chrome 124 on Windows, macOS, Linux: new post-quantum secure TLS key encapsulation mechanism X25519Kyber768 is enabled
- Chrome 131 on Linux, macOS, Windows: Chrome will switch the key encapsulation mechanism to the final standard version of ML-KEM
- Chrome 141 on Windows, macOS, Linux: Remove enterprise policy

Deprecation of CSS Anchor Positioning property inset-area
The CSS working group (CSSWG) resolved to rename the inset-area property to position-area. For more details, see the CSSWG discussion on github. The new property name, position-area, as a synonym for inset-area shipped via this feature update described on Chrome Platform Status, describing the deprecation and removal of the inset-area property.
- Chrome 131 on Windows, macOS, Linux, Android

Improvements to styling structure of <details> and <summary> elements
Support more CSS styling for the structure of <details> and <summary> elements to allow these elements to be used in more cases where disclosure widgets or accordion widgets are built on the web. In particular, this change removes restrictions that prevented setting the display property on these elements, and adds a ::details-content pseudo-element to style the container for the part that expands and collapses.
- Chrome 131 on Windows, macOS, Linux, Android

Keyboard Lock and Pointer Lock permissions
May show a permission prompt to the user when Keyboard Lock or Pointer Lock is requested by a website, and saves the user preferences as content settings. The settings can be queried for via the Permissions API. This helps mitigate the abusive use of the APIs.
- Chrome 131 on Windows, macOS, Linux

Remove non-standard GPUAdapter requestAdapterInfo() method
The WebGPU WG decided it was impractical for requestAdapterInfo() to trigger a permission prompt so they’ve removed that option and replaced it with the GPUAdapter info attribute so that web developers can get the same GPUAdapterInfo value synchronously this time. To read more, see the previous Intent to Ship: WebGPU: GPUAdapter info attribute .
- Chrome 131 on Windows, macOS, Linux, Android

<select> parser relaxation
This change makes the HTML parser allow additional tags in <select> besides <option>, <optgroup>, and <hr>.

This change is in support of the customizable <select> feature but is being shipped first because it can be done separately and has some compact risks.

This feature is gated by the temporary policy, SelectParserRelaxationEnabled. This is a temporary transition period, and the policy will stop working in milestone Chrome 136.

For more details, see the Open UI Customizable <select> explainer and the What Working Group HTML parser changes for customizable <select> article.
- Chrome 131 on Windows, macOS, Linux, Android

Support external SVG resources for clip-path, fill, stroke and marker-* properties
Allow external references for clip paths, markers, and paint servers (for the fill and stroke properties). For example, clip-path: url("resources.svg#myPath").
- Chrome 131 on Windows, macOS, Linux, Android

Support non-special scheme URLs
Chrome 130 supports non-special scheme URLs, for example, git://example.com/path. Previously, the Chromium URL parser didn't support non-special URLs. The parser parses non-special URLs as if they had an opaque path, which is not aligned with the URL standard. Now, the Chromium URL parser parses non-special URLs correctly, following the URL standard. For more details, see http://bit.ly/url-non-special.
- Chrome 130 on Windows, macOS, Linux, Android
- Chrome 131 on Windows, macOS, Linux, Android
- Chrome 134 on Windows, macOS, Linux, Android: Feature flag being removed

Translate for Search with Google Lens
Augmented reality (AR) translation capabilities are being implemented to the Search with Google Lens feature. An enterprise policy is already in place enabling enterprises to turn the feature on or off using LensOverlaySettings.
- Chrome 131 on ChromeOS, Linux, macOS, Windows

New policies in Chrome browser

Policy	Description
DownloadRestrictions	Allow download restrictions
CAPlatformIntegrationEnabled	Use user-added TLS certificates from platform trust stores for server authentication
SelectParserRelaxationEnabled	Controls whether the new HTML parser behavior for the <select> element is enabled
EnterpriseProfileBadgeToolbarSettings	Controls visibility of enterprise profile badge in the toolbar
WebAudioOutputBufferingEnabled	Enable adaptive buffering for Web Audio

Removed policies in Chrome browser

Policy	Description
ProfileLabel	This policy controls a label used to identify a signed in profile. This label will be shown in various locations to help users identify the profile such as next to the toolbar profile icon.
ToolbarAvatarLabelSettings	Managed toolbar avatar label setting
BeforeunloadEventCancelByPreventDefaultEnabled	Control new behavior for the cancel dialog produced by the beforeunload event.

Chrome Enterprise Core changes

GenAI Defaults policy
Starting in 131, Chrome Enterprise Core introduces a policy, GenAiDefaultSettings, to control the default behavior of multiple GenAI policies as part of our Trusted Tester program. You can sign up for our Trusted Tester program here. This policy does not impact any manually-set policy values for generative AI features. This policy controls the default settings for the following policies:
For more details about the default settings, see Chrome—Generative AI features and policies.
- Only available to Trusted Testers. You can sign up for our Trusted Tester program here.

Chrome extension telemetry integration with SecOps
We begin to collect relevant Chronicle extension telemetry data from within Chrome, for managed profiles and devices, and send it to Google SecOps. Google SecOps analyzes the data to provide instant analysis and context on risky activity; this data is further enriched to provide additional context and is searchable for a year.
- Chrome 131 on ChromeOS, Linux, macOS, Windows

Customized Chrome Web Store for Enterprises
IT admins will be able to customize the Chrome Web Store for their managed end-users using company-specific branding, custom messaging and tailored navigation. Admins can personalize the store with logos, banners, and recommended extensions, while also hiding irrelevant categories and improving extension discovery.

This feature is configurable via the Admin console and this milestone 1 custom configurations will be available to all signed-in managed users (users signed-in to the Chrome Web Store with a managed Google Account). Milestone #2 will support this feature for CEC enrolled browsers (without the need to sign in) and will only be available later in 2025.

Additionally, all managed users who sign in to the Chrome Web Store will see the following changes:
- New tags for items blocked by their admin and filter by private items in the search results
- Private items and recommended items will be relocated to the “Extensions” tab only.
As early as Chrome 131 on Linux, macOS, Windows and ChromeOS: Milestone #1 rolls out

DownloadRestrictions policy support on Android
DownloadRestrictions is a universal policy available to Chrome Enterprise Core users on Desktop. DownloadRestrictions policy is now supported on Android. This policy allows admins to block all downloads on mobile Chrome on Android.
- Chrome 131 on Android

Enterprise policy to force adaptive buffering for WebAudio rendering
Chromium's WebAudio implementation includes an adaptive buffering mechanism, which was added to resolve numerous glitching issues especially on Android with the AAudio backend. While this mechanism reduced glitches significantly, it also increased audio latency. Chrome is running an experiment that will disable the adaptive buffering mechanism and run the rendering synchronously on all platforms besides Android.

Starting Chrome 131, an enterprise policy, WebAudioOutputBufferingEnabled, is available that will force Chrome to default to the previous behavior of using adaptive buffering for WebAudio rendering.
- Chrome 131 on ChromeOS, Linux, macOS, Windows

Generating insights for Chrome DevTools Console warnings and errors
A new Generative AI (GenAI) feature is now available for unmanaged users: Generating insights for Chrome DevTools Console warnings and errors.

These insights provide a personalized description and suggested fixes for the selected errors and warnings. Initially, this feature is only available to users (18+) in English. Admins can control this feature by using the DevToolsGenAiSettings policy.
- Chrome 125 on ChromeOS, Linux, macOS, Windows
  Feature becomes available to unmanaged users globally, except Europe, Russia, and China.
- Chrome 127 on ChromeOS, Linux, macOS, Windows
  Feature becomes available to managed Chrome Enterprise & Education users in supported regions.
- Chrome 131 on ChromeOS, Linux, macOS, Windows
  In Chrome 131, a new Generative AI (GenAI) feature becomes available for managed users: a dedicated AI assistance panel in Chrome DevTools which assists the human operator investigating and fixing styling challenges and helps debugging the CSS.
- Chrome 132 on ChromeOS, Linux, macOS, Windows
  The AI assistance panel can now explain resources in the Performance panel, Sources panel, and Network panel, in addition to the previous support for style debugging

Recommended policies in the Admin console
As early as November 1st, admins will be able to choose whether some settings are recommended or mandatory using the User override control. This control will gradually roll out for policies that can be recommended, starting with the following policies:

- Warn before quitting
- System Default Printer
- Battery Saver Mode
- Homepage
- Safe Browsing protection
- Download Restrictions
- Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows

Chrome Enterprise Premium changes

Chrome Enterprise Data Controls: Clipboard
Admins can set data control rules in the Google Admin console to protect end users from data leakage on Chrome browser. Data Controls are lightweight rules set in the Google Admin console that allow admins to set a Chrome policy to control sensitive user actions, such as, copying and pasting sensitive data and taking screenshots or screen sharing.

This feature can be controlled using the DataControlsRules policy.

This feature is available to test for the members of the Chrome Enterprise Trusted Tester program. You can sign up for our Trusted Tester program here.
- Chrome 128 on ChromeOS, Linux, macOS, Windows: Trusted Tester program
- Chrome 131 on ChromeOS, Linux, macOS, Windows: Feature rolls out

Screenshot protections
Admins can prevent users from taking screenshots or screen sharing specific web pages considered to contain sensitive data. Admins create a DLP URL filtering rule to block users taking screenshots or screen sharing specific URLs or categories of URLs. This feature can be controlled using the same EnterpriseRealTimeUrlCheckMode policy that enables all real-time URL lookups.

This feature is available to test for the members of the Chrome Enterprise Trusted Tester program. You can sign up for our Trusted Tester program here.
- Chrome 129 on ChromeOS, Linux, macOS, Windows: Trusted Tester program
- Chrome 131 on ChromeOS, Linux, macOS, Windows: Feature rolls out

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

Read aloud in Reading mode in Chrome 132
Reading mode is a side-panel feature that provides a simplified view of text-dense web pages. Reading mode will include a Read aloud feature which allows users to hear the text they are reading spoken out loud. Users can choose different natural voices and speeds, and see visual highlights.
- Chrome 132 on ChromeOS, Linux, macOS, Windows

Removal of old Headless from the Chrome binary
Running Chrome with `--headless=old` no longer launches the old Headless mode, and instead prints the following log message:

The old Headless mode has been removed from the Chrome binary. You can use the new Headless mode or the chrome-headless-shell, which is a standalone implementation of the old Headless mode.
- Chrome 132 on Linux, macOS, Windows

Capture all screens
This feature captures all the screens currently connected to the device using getAllScreensMedia(). Calling getDisplayMedia() multiple times requires multiple user gestures, burdens the user with choosing the next screen each time, and does not guarantee to the app that all the screens were selected. getAllScreensMedia() improves on all of these fronts.

This feature is only exposed behind the MultiScreenCaptureAllowedForUrls enterprise policy, and users are warned before recording even starts, that recording could start at some point. The API will only work for origins that are specified in the MultiScreenCaptureAllowedForUrls allowlist. Any origin not specified there, will not have access to it.
- Chrome 132 on Windows, macOS, Linux

Remove prefixed HTMLVideoElement fullscreen APIs
The prefixed HTMLVideoElement-specific fullscreen APIs have been deprecated since approximately M38. They were replaced by the Element.requestFullscreen() API, which first shipped un-prefixed in M71, in 2018. As of 2024, most browsers have had support for the un-prefixed APIs for a few years now.

This feature tracks removing the following APIs from HTMLVideoElement:

- readonly attribute boolean webkitSupportsFullscreen;

- readonly attribute boolean webkitDisplayingFullscreen;

- void webkitEnterFullscreen();

- void webkitExitFullscreen();

// Note the different capitalization of the "S" in FullScreen.

- void webkitEnterFullScreen();

- void webkitExitFullScreen();

These methods are now only aliases for the modern API. Their use has declined steadily over the years.
- Chrome 132 on Windows, macOS, Linux, Android

Remove ThirdPartyBlockingEnabled policy
Due to unexpected issues, ThirdPartyBlockingEnabled will be removed in Chrome 135. If you have feedback about this removal, please file a bug here.
- Chrome 132 on Windows: Deprecation of ThirdPartyBlockingEnabled policy
- Chrome 135 on Windows: Removal of ThirdPartyBlockingEnabled policy

Keyboard-focusable scroll containers
We plan to improve accessibility by making scroll containers focusable using sequential focus navigation. Today, the tab key doesn't focus scrollers unless tabIndex is explicitly set to 0 or more.

By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using their tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a <textarea>.

Note: The previous rollout of this feature (started in Chrome 127) was stopped due to web compatibility issues, which should be fixed in the current implementation shipping in 130.

Note: The previous rollout of this feature (started in 130) was stopped due to an accessibility regression, which should be fixed in the implementation shipping in 132.
- Chrome 132 on Windows, macOS, Linux, Android

Throw exception for popovers or dialogs in non-active documents
This is a corner case change that hopefully does not impact developers. A corner case is where multiple unique conditions occur simultaneously. Previously, calling `showPopover()` or `showModal()` on a popover or dialog that resides within an inactive document would silently fail, that is, no exception would be thrown. Since the document is inactive, however, no popover or dialog would be shown. As of the https://github.com/whatwg/html/pull/10705 spec pull request (PR), these situations now throw the InvalidStateError exception.
- Chrome 132 on Windows, macOS, Linux, Android

User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, macOS, Windows
  When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 132 on Linux, macOS, Windows
  Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).

Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions.

You can report any issues you encounter.
- Chrome 132 on Windows
  Network Service sandboxed on Windows

Remove SwiftShader fallback
Allowing automatic fallback to WebGL backed by SwiftShader is deprecated and WebGL context creation will fail instead of falling back to SwiftShader. This was done for two primary reasons:
1. SwiftShader is a high security risk due to JIT-ed code running in Chromium's GPU process.
2. Users have a poor experience when falling back from a high-performance GPU-backed WebGL to a CPU-backed implementation. Users have no control over this behavior and it is difficult to describe in bug reports.
SwiftShader is a useful tool for web developers to test their sites on systems that are headless or do not have a supported GPU. This use case will still be supported by opting in but is not intended for running untrusted content.

To opt in to lower security guarantees and allow SwiftShader for WebGL, run the chrome executable with the --enable-unsafe-swiftshader command-line switch.

During the deprecation period, a warning will appear in the JavaScript console when a WebGL context is created and backed with SwiftShader. Passing --enable-unsafe-swiftshader will remove this warning message.

Chromium and other browsers do not guarantee WebGL availability. You can test and handle WebGL context creation failure and fall back to other web APIs such as Canvas2D or an appropriate message to the user.
- Chrome 133 on Windows, macOS, Linux, Android

Privacy & security panel in Chrome DevTools
Starting in Chrome 133, developers will be able to use the new Privacy & security panel in Chrome DevTools to test how their site will behave when third-party cookies are limited. Developers will be able to temporarily limit third-party cookies, observe how their site behaves, and review the status of third-party cookies on their site.

This feature will not make any permanent changes to existing enterprise policies, but it will let third-party cookie related enterprise policies (that is, BlockThirdPartyCookies and CookiesAllowedForUrls) be temporarily overridden to be more restrictive. If your enterprise policy already blocks third-party cookies using BlockThirdPartyCookies, this feature will be disabled.

The new Privacy & security panel will replace the existing Security panel. TLS connection and certificate information will continue to be available on the Security tab in the Privacy & security panel.
- Chrome 133 on ChromeOS, Linux, macOS, Windows

Chrome Sync to end support for Chrome versions more than four years old
Starting in February 2025, Chrome Sync (using and saving data in your Google Account) will no longer support Chrome versions that are more than four years old. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 133 on Android, iOS, ChromeOS, Linux, macOS, Windows
  This change affects only the old versions of Chrome and will be rolled out server-side. Chrome 133 is specified only to reflect the timeline when the change will make an effect.

Disallow spaces in non-file:// URL hosts
Per spec URL hosts [1] cannot contain the space character, but currently URL parsing in Chromium allows spaces in the host.

This causes Chromium to fail several tests included in the Interop2024 'HTTPS URLs for WebSocket' [2] and 'URL' focus areas [3].

To bring Chromium into spec compliance, we would like to remove spaces from URL hosts altogether, but a difficulty with this is that they are used in the host part in Windows file:// URLs (Github)[4].

This feature will be part of the ongoing work to bring Chromium closer to spec compliance by forbidding spaces for non-file URLs only.
- Chrome 133 on Android, ChromeOS, Linux, macOS, Windows, Fuchsia

SafeBrowsing API v4 to v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5.

If admins have any v4-specific URL allowlisting to allow network requests to https://safebrowsing.googleapis.com/v4*, these should be modified to allow network requests to the whole domain instead: safebrowsing.googleapis.com. Otherwise, rejected network requests to the v5 API will cause security regressions for users.
- Chrome 133 on Android, iOS, ChromeOS, Linux, macOS, Windows: This will be a gradual roll-out.

Blob URL partitioning: Fetching or Navigation
As a continuation of Storage partitioning, Chromium will implement partitioning of Blob URL access by Storage Key (top-level site, frame origin, and the has-cross-site-ancestor boolean), with the exception of navigations that will remain partitioned only by frame origin. This behavior is similar to what’s currently implemented by both Firefox and Safari, and aligns Blob URL usage with the partitioning scheme used by other storage APIs as part of Storage Partitioning. In addition, Chromium will enforce noopener on renderer-initiated navigations to Blob URLs where the corresponding site is cross-site to the top-level site performing the navigation. This aligns Chromium with similar behavior in Safari, and we will pursue spec updates to reflect both of these changes.

This change can be temporarily reverted by setting the PartitionedBlobURLUsage policy. The policy will be deprecated when the other storage partitioning-related enterprise policies are deprecated.
- Chrome 134 on Windows, macOS, Linux

Deprecate mutation events
Synchronous mutation events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.

Mutation event support will be disabled by default starting in Chrome 127, around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
To read more, see this blog post. Report any issues here.
- Chrome 135 on Android, Linux, macOS, Windows: The MutationEventsEnabled enterprise policy will be deprecated.

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome started directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Administrators might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Upcoming Chrome Enterprise Core changes

Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, macOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy.

Upcoming Chrome Enterprise Premium changes

DLP file download access prevention
When a file download DLP rule is set by the admin, a scan is triggered after the download is completed, this feature prevents Chrome Enterprise enrolled users from accessing the contents of a downloaded file before a deep scan verdict is returned.

This feature is gated by the existing policy, OnFileDownloadedEnterpriseConnector, and is only available to Chrome Enterprise Premium users.
- Chrome 132 on ChromeOS, Linux, macOS, Windows

↑ back to top

ChromeOS 131 release summary

ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
ChromeOS Flex auto-enrollment			✓
ChromeOS Flex forced re-enrollment			✓
Quick Answers styling refresh		✓
Split DNS for ChromeOS	✓
ChromeOS Back To Safety	✓	✓
Flash notifications		✓
Microsoft SCEP SID update reminder	✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
AI wallpapers and backgrounds		✓
Graduate data migration		✓	✓
Native Client (NaCl) support ending on ChromeOS	✓		✓
Chrome App support ending on ChromeOS		✓	✓

DOWNLOAD Release notes (PDF)

↑ back to top

ChromeOS updates

ChromeOS Flex auto-enrollment

In ChromeOS 131, ChromeOS Flex auto-enrollment now allows you to deploy ChromeOS Flex devices at scale. Similar to ChromeOS zero-touch enrollment, automatic enrollment embeds an enrollment token created by an organization's administrator into a ChromeOS Flex image. This will determine which customer organization and organizational unit a device will enroll into during initial device setup. For more information, see Enroll ChromeOS devices and the ChromeOS Flex help center.

ChromeOS Flex forced re-enrollment

In ChromeOS 131, enrolled ChromeOS Flex devices support manual forced re-enrollment. If the policy is set to enforce either automatic or manual re-enrollment, ChromeOS Flex devices will prompt users to manually re-enroll after a factory reset. For more information, see Force wiped ChromeOS devices to re-enroll and the Forced re-enrollment device setting.

Quick Answers styling refresh

Quick Answers is a GenAI-powered reading assistant for ChromeOS, giving users quick insights into web pages and PDF documents. This includes summaries, interactive outlines, and document Q&A. In ChromeOS 131, we introduce an updated styling for Quick Answers. For more information, see Quick Answers—definition. This feature can be controlled using Quick Answers policies.

Split DNS for ChromeOS

You can now configure Secure DNS to be used on specified domains only. Admins can configure a list of domains to be included or excluded from using Secure DNS. You can configure this feature using these policies: DnsOverHttpsIncludedDomains and DnsOverHttpsExcludedDomains.

ChromeOS Back To Safety

This feature gives users a way to get back to a good known state by disabling extensions and resetting settings that could hurt their experience. In past releases, in order to get your ChromeOS device to a known good state, you would have to powerwash. Thanks to this feature, there are now ways to non-destructively get your device to a state you feel comfortable with again!

When a user selects Safety reset, this action will:
- Reset Chrome settings and Chrome shortcuts
- Disable extensions
- Delete cookies and other temporary site data
Bookmarks, history, and saved passwords won't be affected. For more details, see Wipe ChromeOS device data.

Flash notifications

Customers who frequently miss notifications that appear in the corner of the screen can now enable a setting that will flash the screen whenever a new notification arrives. This feature is particularly beneficial for customers who are hard of hearing or who use screen magnification and are often zoomed in, making it difficult to see corner notifications. This new setting can be found under Settings > Accessibility > Audio and captions > Flash notifications.

Microsoft SCEP SID update reminder

Only for SCEP deployments using Microsoft NPS for RADIUS. If you are not using SCEP certificates in combination with Microsoft NPS for Radius for Chromebook network connectivity, you may disregard the remainder of these instructions. We expect this to be a setup more common in enterprise rather than in education.

Microsoft has announced a security update that will add a new required field, a Security Identifier (SID), to SCEP certificates in environments utilizing NPS for Radius for network authentication. This addition is due to a security vulnerability on Windows devices where usable certificates with private keys can be exported from one Windows device to be used on any other device. Addition of the SID means that the certificate becomes linked to a device or user in your Active Directory environment so that an unknown device/user cannot use it. This is not a security issue for Chromebooks, as they do not allow the exporting of certificates with private keys in them and they are protected by the TPM. However, any certificate lacking this new field will fail to authenticate against a NPS for Radius server after the hard enforcement deadline of February 11th, 2025.

What do you need to do?

As soon as possible, verify if your deployment relies on both SCEP certificates and NPS for Radius for network authentication. This can be done by going into event viewer on your Domain Controller > System, and searching for event ID #39. If you see this event ID:

Actions to take if you see the event ID #39:
1. Create a new object, or reuse an existing one, in your Active Directory environment for SCEP use
2. Extract the SID for the AD object, for example, PS> (Get-ADUser username).SID.value
3. Create a new SCEP profile with all settings duplicated from your current setup and add in the SID of the newly created, or existing, AD object from step 1.
4. Under the Subject Alternative name section select the Custom radio button. Add a new Subject Alternative name using the + button with the type Uniform Resource Identifier from the dropdown. Under string, the value should be similar to:
tag:microsoft.com,2022-09-14:sid:S-1-2-3-4-5-6-8

where S-1-2-3-4-5-6-8 is the SID of the AD object
1. Deploy this new certificate to all potentially affected Chromebooks in your fleet
  1. Wait, AT LEAST ONE MONTH, to reasonably guarantee that all devices have picked up the new certificate.
2. Re-link any and all policies from the old certificate to the new one from Step 2.
3. Verify functionality using the new certificate.
4. Delete the old profile.

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming ChromeOS changes

AI wallpapers and backgrounds

As early as ChromeOS 132, we plan to introduce high-resolution, generative AI wallpapers and video call backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.

Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings. This feature will be available on Chromebook Plus devices only.

Graduate data migration

As early as ChromeOS 132, a new Content Transfer tool will guide graduate students or other EDU-managed users who want to migrate their data through the updated Google Takeout Transfer process. This allows them to take their Docs, Sheets, Slides, and Gmail content to a Gmail account of their choice.

This new application allows school administrators to pin an icon to the shelf, notify students and faculty on their Chromebooks, and set dates to trigger these nudges to encourage them to use the existing Takeout Transfer process.

Native Client (NaCl) support ending on ChromeOS

ChromeOS 132, scheduled for release in January 2025, will be the last release with NaCl support for unmanaged or consumer devices, followed by ChromeOS 138 in July 2025 for managed devices.

In 2017, we announced the end of support of Native Client (NaCl) in favor of WebAssembly. With most developers and users having migrated away from NaCl, we confirm the following NaCl discontinuation dates:
- January 2025: Native Client (NaCl) will be disabled from ChromeOS 132 onwards.
  - For unmanaged and consumer users, ChromeOS 132 will be the last ChromeOS release with support for NaCl.
  - For managed environments (including Kiosk sessions), administrators who manage ChromeOS devices for a business or school, will have the option of extending the ability to use NaCl with a NaCl allow policy (DeviceNativeClientForceAllowed) through the ChromeOS 138 release. This policy will be available in the admin console from late December 2024 to early January 2025 before the release of ChromeOS 132.
- July 2025: ChromeOS 138 will be the last version with NaCl support.
  - For managed environments, ChromeOS 138 is a Long-term Support (LTS) ChromeOS release available to administrators who manage ChromeOS devices for a business or school.
  - For devices that have been switched to the LTS channel and have the NaCl allow policy enabled, NaCl will be available until LTS Last Refresh in April 2026.
  - No exceptions will be granted.
For Chrome Apps that use NaCl, migrate to WebAssembly (WASM). To help you with the transition, we've published the WebAssembly Migration Guide.

For more information about this change or if you need assistance, you can refer to any of the following:
- WebAssembly Migration Guide.
- Please refer to the Chrome Enterprise and Education Help Center to learn more about managing policies for ChromeOS devices.
- ChromeOS developer community on Discord.
- ChromeOS release schedule for release dates and updates.

Chrome App support ending on ChromeOS

In 2016, we announced the deprecation of Chrome Apps in favor of web apps, and in 2021, we announced on the Chromium Blog that Chrome App support for ChromeOS Enterprise and Education customers and developers on ChromeOS would be extended until at least January 2025. With the majority of our customers having migrated off of Chrome Apps (including Legacy (v1) packaged apps and Hosted apps), we can confirm the following updates about Chrome App discontinuation dates.
July 2025: End of support for user-installed Chrome Apps (scheduled for ChromeOS M138).
- Chrome Apps that are force-installed through the Admin console will continue to be supported.
July 2026: Last ChromeOS release with support for Chrome Apps in Kiosk Mode (scheduled for ChromeOS M150).
- Devices on the LTS channel with Chrome Apps in Kiosk Mode will receive support until April 2027.
February 2028: Last ChromeOS release with support for Chrome Apps (scheduled for ChromeOS M168), marking the end of life for all Chrome Apps.
- Devices on the LTS channel can continue to use Chrome Apps until October 2028.
- No exceptions will be granted.
These deprecation timelines also apply to self-hosted Chrome Apps.

While no new Chrome Apps can be added to the Chrome Web Store, existing Chrome Apps can continue to be updated through October 2028 when they will reach end of life on ChromeOS. After this date, Chrome Apps will be removed from the Chrome Web Store.

If your organization has developed in-house Chrome Apps and you need assistance, please refer to Transition from Chrome Apps guide. You can also join us in the ChromeOS developer community on Discord, or reach out to us through the form at https://chromeos.dev/work-with-us. Refer to the ChromeOS release schedule for release dates and updates.

In the coming weeks, additional detailed information will be sent to all remaining Chrome App developers and all ChromeOS Administrators.

↑ back to top

Chrome 130

Chrome 130 release summary

Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Desktop toasts		✓
Platform picker for screen sharing on macOS		✓
New Account menu		✓
PDF Viewer on Android		✓
Tab freezing on Energy saver		✓
Compression dictionary transport with Shared Brotli and Shared Zstandard	✓
Keyboard-focusable scroll containers		✓
Support non-special scheme URLs	✓
Chrome on Android now supports third-party autofill and password providers		✓	✓
<meter> element fallback styles	✓
New and updated policies in Chrome browser			✓
Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
Default change for GenAI policies			✓
Support for user-level settings on Custom configurations			✓
Audit-only URL navigation rules			✓
Chrome Security Insights	✓		✓
Extension risk score Phase 2	✓		✓
Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
No updates in Chrome 130.
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Search and receive answers in your Chrome history with AI		✓
Ad-hoc code signatures for PWA shims on macOS		✓
Asynchronous real-time Safe Browsing check	✓
Remove non-standard GPUAdapter requestAdapterInfo() method	✓
Deprecate Safe Browsing Extended reporting	✓
Update Google Play Services to fix issues with on-device passwords			✓
Entrust certificate distrust	✓
Simplified sign-in and sync experience		✓	✓
User Link capturing on PWAs		✓	✓
Deprecation of CSS Anchor Positioning property inset-area	✓
X25519Kyber768 key encapsulation for TLS	✓
Chrome PDF Viewer OCR		✓
Insecure form warnings on iOS	✓
Network Service on Windows will be sandboxed			✓
Read aloud in Reading mode		✓
Capture all screens			✓
SafeBrowsing API v4 to v5 migration	✓
Private network access checks for navigation requests: warning-only mode			✓
Deprecate mutation events	✓		✓
UI Automation accessibility framework provider on Windows		✓
Upcoming Chrome Enterprise Core changes	Security/ Privacy	User productivity/ Apps	Management
GenAI Defaults policy			✓
Chrome extension telemetry integration with Google SecOps	✓		✓
New managed profile list and reporting for signed-in users
Remove enterprise policy used for legacy same site behavior			✓
Upcoming Chrome Enterprise Premium changes	Security/ Privacy	User productivity/ Apps	Management
Chrome Enterprise Data Controls: Clipboard	✓
Screenshot protections	✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser changes

Desktop toasts
Chrome 130 introduces a new Toast pattern that will allow features to provide visual confirmation of user actions or a quick way to take a follow up action. For example, when adding something to a reading list, a Toast confirms that the item was added and offers a quick link to the reading list side panel. Toasts appear as a small chip that partially overlaps with the web contents and partially with the top toolbar of the browser.
- Chrome 130 on ChromeOS, Linux, macOS, Windows: This will be enabled for an initial set of features in Chrome 130. Subsequent toasts will be rolled out independently by other teams utilizing the pattern.

Platform picker for screen sharing on macOS
When screen sharing in Chrome on macOS X Sequoia, users can now select a window or screen to share using the updated platform picker. This new platform picker removes the need for assigning screen recording permission to Chrome and is consistent with screen sharing in other macOS applications.

The new picker will not be activated before the first update of macOS Sequoia, version 15.1 expected a month after the initial version of 15.0. Before that Chrome users might see a warning dialog that Chrome is not using the new picker API yet.

To test the new screen share picker experience:
1. Update Chrome to version 129 or later.
2. On your macOS, open the Terminal.
3. At the prompt, type: open -b com.google.Chrome --args -enable-features=UseSCContentSharingPicker
4. To execute the command, on your keyboard, press Enter.
The feature can also be enabled in chrome://flags.
- Chrome 130 on macOS

New Account menu
Some users can now access a new Account menu by tapping on their avatar on the New tab page. The new Account menu allows them to sign out, switch accounts easily and resolve errors related to their account in Chrome. Existing policies like BrowserSignin and RestrictAccountsToPatterns can be used to determine which accounts a user can sign in or switch to.
- Chrome 130 on iOS

PDF Viewer on Android
This feature provides the ability to view PDFs within Chrome browser UI. Prior to this change, users have to complete many steps to view a PDF document. These steps force them out of Chrome to view the PDF document. With this feature, PDFs will render seamlessly in Chrome. Users will still be able to download PDFs and open with other first- or third-party apps of choice.
- Chrome 130 on Android

Tab freezing on Energy saver
When Energy saver is active, Chrome now freezes a tab that has been hidden and silent for >5 minutes and uses a lot of CPU, unless:
- the tab provides audio- or video- conferencing functionality (detected via microphone, camera or screen, window, or tab capture, or an RTCPeerConnection with an open RTCDataChannel or a live MediaStreamTrack).
- the tab controls an external device (detected using Web USB, Web Bluetooth, Web HID or Web Serial).
This will extend battery life and speed up Chrome through reduced CPU usage.
- Chrome 130 on ChromeOS, Linux, macOS, Windows: The feature can be tested in Chrome 130 via the #freezing-on-energy-saver entry in about:flags. Alternatively, it can be tested with the #freezing-on-energy-saver-testing which simulates that Energy saver is active and that all tabs use a lot of CPU (this allows verifying whether a tab is eligible for freezing and would be frozen if it used a lot of CPU). Energy saver availability can be controlled via the BatterySaverModeAvailability policy (this change has no effect when Energy saver is inactive).
- Chrome 131 on ChromeOS, Linux, macOS, Windows: The feature will start rolling out to 1% of Stable in Chrome 131. It will gradually be ramped up to 100% of Stable. Energy saver availability can be controlled via the BatterySaverModeAvailability policy (this change has no effect when Energy saver is inactive).

Compression dictionary transport with Shared Brotli and Shared Zstandard
This feature adds support for using designated previous responses as an external dictionary for content encoding compressing responses with Brotli or Zstandard.

Enterprises might experience potential compatibility issues with enterprise network infrastructure that intercepts HTTPS traffic and is sensitive to unknown content encodings. The enterprise policy CompressionDictionaryTransportEnabled is available to turn off the compression dictionary transport feature.
- Chrome 130 on Windows, macOS, Linux, Android

Keyboard-focusable scroll containers
Chrome 130 improves accessibility by making scroll containers focusable using sequential focus navigation. Today, the tab key doesn't focus scrollers unless tabIndex is explicitly set to 0 or more.

By making scrollers focusable by default, users who can't (or don't want to) use a mouse can now focus clipped content using tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard-focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a <textarea>.

Note: The previous rollout of this feature (started in Chrome 127) was stopped due to web compatibility issues, which should be fixed in the implementation shipping in Chrome 130.
- Chrome 130 on Windows, macOS, Linux, Android

Support non-special scheme URLs
Chrome 130 supports non-special scheme URLs, for example, git://example.com/path. Previously, the Chromium URL parser didn't support non-special URLs. The parser parses non-special URLs as if they had an opaque path, which is not aligned with the URL standard. Now, the Chromium URL parser parses non-special URLs correctly, following the URL standard. For more details, see http://bit.ly/url-non-special.
- Chrome 130 on Windows, macOS, Linux, Android

Chrome on Android now supports third-party autofill and password providers
Until now, third-party autofill and password providers could be used in Chrome on Android via accessibility APIs. In Chrome 130, we're adding direct support for Android Autofill which means these providers now work with Chrome on Android without the need for accessibility APIs. This should improve the performance of Chrome on Android. To take advantage of this, users need to ensure they have their third party provider configured in Android settings. Then, in Chrome they'll need to open Settings > Autofill services and choose Autofill using another service. If users do not change both settings, they will continue to use Google to autofill their passwords, payment and address information.
- Chrome 130 on Android: The new setting will be available from Chrome 130. If users use the new setting it will take immediate effect. If the new setting is not used, users will continue to use either Google and a third party via accessibility (if installed). The support for accessibility APIs will be deprecated in early 2025, at which point the new settings will be honored for all users.

<meter> element fallback styles
In Chrome 130, <meter> elements with appearance: none now have a reasonable fallback style that matches Safari and Firefox, instead of just disappearing from the page. Additionally, developers can now custom style the <meter> elements.

A feature flag MeterAppearanceNoneFallbackStyle is available in chrome://flags until Chrome 133 to control this feature.
- Chrome 130 on Windows, macOS, Linux, Android

New policies in Chrome browser

Policy	Description
DataURLWhitespacePreservationEnabled	DataURL Whitespace Preservation for all media types
CloudProfileReportingEnabled	Enable Google Chrome cloud reporting for managed profile

Chrome Enterprise Core changes

Default change for GenAI policies
Starting with 130, we are changing the default setting for GenAI policies from switched off to allowed, without improving AI models, for Workspace for Education users. If you have devices enrolled in Chrome Enterprise Core, this policy is automatically applied to those devices to prevent sending data for AI model training. The existing policies that have the updated default setting are:
- CreateThemesSettings (available in the US-only for now)
- DevToolsGenAiSettings (available in most countries)
- HelpMeWriteSettings (available in the US-only for now)
- HistorySearchSettings (available in the US-only for now)
- TabOrganizerSettings (available in the US-only for now)
- TabCompareSettings (available in the US-only for now)
For more details about the default settings, see Chrome—Generative AI features and policies.

Support for user-level settings on Custom configurations
Custom configurations recently launched in Chrome 127 and this feature allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As early as October 15, Custom configurations will support applying settings at the user-level, in addition to device-level support. In order words, you will be able to enforce policies when users sign in to a managed Google account using Custom configurations.
- As early as October 15 2024, on Android, iOS, Linux, macOS, Windows: Feature rolls out
To get started, you can navigate to Chrome browser > Custom configurations in the Admin console; the Chrome Enterprise Core SKU is required to access this feature.

Audit-only URL navigation rules
This feature lets customers create Chrome URL navigation rules with the Audit action. These rules allow admins to dry-run URL navigation rules before starting to show user warnings. They also allow admins to silently audit users’ navigation to restricted or sensitive URLs.

URL auditing is part of the existing real-time URL check connector policy, EnterpriseRealTimeUrlCheckMode, which can be turned on by Organizational Unit or by Group.
- Chrome 130 on ChromeOS, Linux, macOS, Windows

Chrome Security Insights
You can now enable Chrome Security Insights to monitor insider risk and data loss with enhanced monitoring for Chrome activity. This feature is available for the following licenses:
- Chrome Enterprise Core
- Workspace Enterprise Standard
- Workspace Enterprise Plus.
For more information, see Monitoring for insider risk and data loss.
- Chrome 125 on ChromeOS, Linux, macOS, Windows: Feature enabled for Chrome Enterprise Core
- Chrome 130 on ChromeOS, Linux, macOS, Windows: Feature enabled for EDU customers (except K-12)

Risk score on the Chrome Apps and extensions usage report
This feature adds a new column in the Admin console for browser management that displays the risk assessment for installed extensions in the admin's environment. This new addition allows IT admins to quickly identify extensions with a high, medium or low risk score using the sorting and filtering functionality of the report.
- Currently available to Trusted Testers. You can sign up for our Trusted Tester program here.
- As early as October 15 on Linux, macOS, Windows: Addition of risk assessment to summary view.

Chrome Enterprise Premium changes

In Chrome 130, there are no updates for Chrome Enterprise Premium.

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

Search and receive answers in your Chrome history with AI
Starting in Chrome 131, users will be able to search their browsing history and receive generated answers based on page contents. Initially, this feature will only be available to users in English in the US. Admins can control this feature by using the HistorySearchSettings policy. You have the following options for your organization:
- 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models.
- 1 = Enable the feature for users, but do not send data to Google to train or improve AI models.
- 2 = Fully disable feature
For more information, see Search your history in Chrome with AI.

● Chrome 131 on Linux, Mac, Windows: the feature generates answers to your search queries.

Ad-hoc code signatures for Progressive Web App shims on macOS
Code signatures for application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures, which are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.

This will address problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and will permit future improvements for handling user notifications within PWAs on macOS.

Administrators should test for compatibility with any endpoint security or binary authorization tools they use (such as Santa). The feature can be enabled for this testing via chrome://flags/#use-adhoc-signing-for-web-app-shims. They can then install a Progressive Web Apps and ensure that it launches as expected.

If there is an incompatibility between the feature and their current security policies, the enterprise policy, AdHocCodeSigningForPWAsEnabled, can be used to disable the feature while they deploy an updated endpoint security policy. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated, at which point it should be unset.
- Chrome 129 on macOS: Feature disabled behind a flag (chrome://flags/#use-adhoc-signing-for-web-app-shims) so that enterprises can test for compatibility with their endpoint security tools, such as Santa (https://santa.dev/). If it is not currently compatible they can disable the feature via the enterprise policy while they update their endpoint security configurations. The enterprise policy is intended to be used to disable the feature only until endpoint security policies have been updated.
- Chrome 131 on macOS: Feature will begin to roll out to Stable, starting at 1% rollout.

Asynchronous real-time Safe Browsing check
Today, Safe Browsing checks are on the blocking path of page loads, meaning that the user cannot see the page until the checks are completed. In Chrome 122 and later on Android, ChromeOS, LaCrOS, Linux, macOS, Windows, to improve Chrome's loading speed, real-time Safe Browsing checks no longer block page loads. We have evaluated the risk and put mitigations in place:
1. For malware and 0-day attacks, local-blocklist checks will still be conducted in a synchronous manner so that malicious payloads are still blocked by Safe Browsing.
2. For phishing attacks, we've looked at data and it is unlikely the user would have interacted with the page (for example, type a password) by the time we show the warning.
- Chrome 122 on Android, ChromeOS, LaCrOS, Linux, macOS, Windows
- Chrome 131 on iOS

Remove non-standard GPUAdapter requestAdapterInfo() method
The WebGPU working group decided it was impractical for requestAdapterInfo() to trigger a permission prompt so they’ve removed that option and replaced it with the GPUAdapter info attribute. This means that web developers can get the same GPUAdapterInfo value synchronously. For more information, see the previous Intent to Ship: WebGPU: GPUAdapter info attribute.
- Chrome 131 on Windows, macOS, Linux, Android

Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, macOS, Windows: Deprecation of Safe Browsing Extended Reporting. Excluding real-time Client Safe Browsing Report Request
- Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows: Deprecating SafeBrowsingExtendedReportingEnabled for real-time Client Safe Browsing Report Request

Update Google Play Services to fix issues with on-device passwords
Users with old versions of Google Play Services will experience reduced functionality with their on-device passwords, and Password Manager might soon stop working for them altogether. These users will need to update Google Play Services, or will be guided through other troubleshooting methods depending on their state. This is part of an ongoing migration that only affects Android users of Google Password Manager.
- Chrome 131 on Android

Entrust certificate distrust
In response to sustained compliance failures, Chrome 127 changes how publicly-trusted TLS server authentication, that is, websites or certificates issued by Entrust, are trusted by default. This applies to Chrome 127 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.

Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:

    - after October 31, 2024, will no longer be trusted by default.

    - on or before October 31, 2024, will be unaffected by this change.

If a Chrome user or an enterprise explicitly trusts any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.

For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.

To learn more about the Chrome Root Store, see this FAQ.
- Chrome 131 on Android, ChromeOS, Linux, macOS, Windows: All versions of Chrome 131 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after November 11, 2024.

Simplified sign-in and sync experience
Starting in Chrome 131, existing users with Chrome sync turned on will experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.

As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be controlled by SyncTypesListDisabled. Sign-in to Chrome can be disabled via BrowserSignin as before.

Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Chrome 131 on Android

User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, macOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 131 on Linux, macOS, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).

Deprecation of CSS Anchor Positioning property inset-area
The CSS working group (CSSWG) resolved to rename the inset-area property to position-area. For more details, see the CSSWG discussion on github. The new property name, position-area, as a synonym for inset-area shipped via this feature update described on Chrome Platform Status, describing the deprecation and removal of the inset-area property.
- Chrome 131 on Windows, macOS, Linux, Android

X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.

However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.

For more detail, see this Chromium blog post and this Google Security blog post.
- Chrome 124 on Windows, Mac, Linux: new post-quantum secure TLS key encapsulation mechanism X25519Kyber768 is enabled
- Chrome 131 on Windows, Mac, Linux: Switch to standard version of ML-KEM
- Chrome 141 on Windows, Mac, Linux: Remove enterprise policy PostQuantumKeyAgreementEnabled

Chrome PDF Viewer OCR
Chrome Desktop now makes scanned PDFs more accessible. Using on-device OCR to maintain privacy (no content is sent to Google), Chrome automatically converts scanned PDFs, allowing you to select text, Ctrl+F, copy, and paste. The feature does not bypass secure PDFs. It will only OCR PDFs the user has access to. The solution unlocks PDF accessibility to Chrome users without any extra steps, making PDFs as accessible as the rest of the web.
- Chrome 131 on ChromeOS, Linux, macOS, Windows

Insecure form warnings on iOS
Chrome 125 started to block form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it now displays a warning asking the user to confirm the submission. The goal is to prevent leaking of form data over plain text without the user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature, and will be removed in Chrome 131.
- Chrome 125 on iOS: Feature rolls out
- Chrome 131 on iOS: InsecureFormsWarningsEnabled policy will be removed

Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions. You can use the Chromium bug tracker to report any issues you encounter.
- Chrome 132 on Windows: Network Service sandboxed on Windows

Read aloud in Reading mode
Reading mode is a side-panel feature that provides a simplified view of text-dense web pages. Reading mode will now include a Read aloud feature which allows users to hear the text they are reading spoken out loud. Users can choose different natural voices and speeds, and see visual highlights.
- Chrome 132 on ChromeOS, Linux, macOS, Windows

Capture all screens
This feature captures all the screens currently connected to the device using getAllScreensMedia(). Calling getDisplayMedia() multiple times requires multiple user gestures, burdens the user with choosing the next screen each time, and does not guarantee to the app that all the screens were selected. getAllScreensMedia() improves on all of these fronts.

This feature is only exposed behind the MultiScreenCaptureAllowedForUrls enterprise policy, and users are warned before recording even starts, that recording could start at some point. The API will only work for origins that are specified in the MultiScreenCaptureAllowedForUrls allowlist. Any origin not specified there, will not have access to it.
- Chrome 132 on ChromeOS

SafeBrowsing API v4 to v5 migration
Chrome calls into the SafeBrowsing v4 API will be migrated to call into the v5 API instead. The method names are also different between v4 and v5.

If admins have any v4-specific URL allowlisting to allow network requests to https://safebrowsing.googleapis.com/v4*, these should be modified to allow network requests to the whole domain instead: safebrowsing.googleapis.com. Otherwise, rejected network requests to the v5 API will cause security regressions for users.
- Chrome 133 on Android, iOS, ChromeOS, LaCrOS, Linux, macOS, Windows: This will be a gradual roll-out.

Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:

1. Checks whether the request has been initiated from a secure context.

2. Sends a preflight request, and checks whether B responds with a header that allows private network access.

There are already features for subresources and workers, but this one is for navigation requests specifically. These checks protect the user's private network.

Since this feature is the warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in the DevTools console, to help developers prepare for the coming enforcement.
- Chrome 133 on Windows, macOS, Linux, Android

Deprecate mutation events
Synchronous mutation events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.

Mutation event support will be disabled by default starting in Chrome 127, around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
Please see this blog post for more detail. Report any issues here.
- Chrome 135 on Android, Linux, macOS, Windows: The MutationEventsEnabled enterprise policy will be deprecated.

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Administrators might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Upcoming Chrome Enterprise Core changes

GenAI Defaults policy
Starting in 131, Chrome Enterprise Core will offer a policy to control the default behavior of multiple GenAI policies via our Trusted Tester program. You can sign up for our Trusted Tester program here. This policy will not impact any manually-set policy values for generative AI features. This policy will control the default settings for the following policies:
- CreateThemesSettings
- Only available to Trusted Testers. You can sign up for our Trusted Tester program here.

Chrome extension telemetry integration with SecOps
We will begin to collect relevant Chronicle extension telemetry data from within Chrome, for managed profiles and devices, and send it to Google SecOps. Google SecOps will analyze the data to provide instant analysis and context on risky activity; this data is further enriched to provide additional context and is searchable for a year.
- Chrome 131 on ChromeOS, LaCrOS, Linux, macOS, Windows

New managed profile list and reporting for signed-in users
Chrome Enterprise Core will introduce a new Managed profile list and reporting in the Admin console. This feature will provide a list of profiles for managed users who sign in to Chrome using a Google Account. IT administrators will need to enable the new Chrome Profile Reporting policy to view more information about a managed profile. The reporting will include details on managed profiles such as the browser versions, policies applied (including conflicts), extensions installed, and more.
- Currently available on Android, Linux, macOS, Windows for the Trusted Tester program. You can sign up for our Trusted Tester program here.
- As early as Chrome 130 on Android, Linux, macOS, Windows

Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, macOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy.

Upcoming Chrome Enterprise Premium changes

Chrome Enterprise Data Controls: Clipboard
Admins can set data control rules in the Google Admin console to protect end users from data leakage on Chrome browser. Data Controls are lightweight rules set in the Google Admin console that allow admins to set a Chrome policy to control sensitive user actions such as copying and pasting sensitive data and taking screenshots or screen sharing.

This feature can be controlled via DataControlsRules policy. This feature is available to test for the members of the Chrome Enterprise Trusted Tester program. You can sign up for our Trusted Tester program here.
- Chrome 128 on ChromeOS, Linux, macOS, Windows: Trusted Tester program
- Chrome 131 on ChromeOS, Linux, macOS, Windows: Feature rolls out

Screenshot protections
Admins can prevent users from taking screenshots or screen sharing specific web pages considered to contain sensitive data. Admins create a DLP URL filtering rule to block users taking screenshots or screen sharing specific URLs or categories of URLs. This feature can be controlled via the same EnterpriseRealTimeUrlCheckMode policy that enables all real-time URL lookups.

This feature is available to test for the members of the Chrome Enterprise Trusted Tester program. You can sign up for our Trusted Tester program here.
- Chrome 129 on ChromeOS, Linux, macOS, Windows: Trusted Tester program
- Chrome 131 on ChromeOS, Linux, macOS, Windows: Feature rolls out.

↑ back to top

ChromeOS 130 release summary

ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Quick Insert		✓
Settings and shortcuts changes		✓
Focus on ChromeOS		✓
Enhanced access for Drive files		✓
New suggestions in Tote		✓
Welcome Recap		✓
Studio-style mic		✓
AI-powered Recorder app		✓
Content scanning for Managed Guest Sessions	✓		✓
Additional URLs allowed in Kiosk mode	✓		✓
Appearance effects		✓
More accessible privacy controls	✓
Enhanced keyboard brightness controls		✓
Enhanced display brightness controls		✓
Help me read on ChromeOS		✓
Multi-calendar support		✓
Picture-in-Picture windows		✓
Improved ARC++ user experience		✓
New policy to control Access Point Names			✓
Microsoft SCEP SID update			✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
AI wallpapers and backgrounds		✓
ChromeOS Flex auto-enrollment			✓
Graduate data migration		✓	✓
Chrome App support ending on ChromeOS			✓
Native Client (NaCl) support ending on ChromeOS	✓

DOWNLOAD Release notes (PDF)

↑ back to top

ChromeOS updates

Quick Insert

Quick Insert provides a quick way to insert emojis, symbols, GIFs, Google Drive links, and quick calculations and unit conversions with a keyboard key (on select models) or a keyboard shortcut.

In ChromeOS 130, a new shortcut Launcher + f is available on all ChromeOS devices. A new hardware key is initially available on the Samsung Galaxy Chromebook Plus only, but the Quick Insert key will launch on a range of devices in 2025.

Settings and shortcuts changes

We’ve updated the shortcut and input device options in Settings to include:
- Quick Insert: Launcher + f

Focus on ChromeOS

We've designed Focus on ChromeOS to help users minimize distractions and create a more productive workspace. With Focus, you can effortlessly set and adjust your focus time, enable or disable Do-not-Disturb (DND) mode, sort through or create new Google Tasks, and immerse yourself in curated playlists that help you focus better with focus sound or YouTube Music Premium (subscription-based). To use Focus, go to Quick Settings > Focus.

Enhanced access for Drive files

In addition to files you’ve starred within Tote, access all your starred Drive files directly from the shelf, which is now available to you offline. Enhanced Drive suggestions in Launcher and Tote allow you shortcut access to your most important and frequently used files.

New suggestions in Tote

Quickly access and pin the files you need the most with local and Drive file suggestions. The new Suggestions section in Tote suggests files to users, up-leveling files that will be useful for them to pin and access offline.

Welcome Recap

The new Welcome Recap features help users resume their work and explore new options at start-up. Once you enable this feature you will be able to preview and restore apps and tabs from your previous session. Welcome Recap also provides helpful information like weather, your next calendar event, recent tabs from other devices and relevant Google Drive suggestions.

To turn on this feature, select Settings > System Preferences > Startup > Welcome Recap, and make sure Ask every time is chosen for your device.

Studio-style mic

Make your Chromebook's built-in microphone sound like a professional studio microphone by activating this feature in the video call controls. Studio-style mic includes the existing noise cancellation and de-reverberation effects, and further enhances them with advanced balancing, reconstruction of fine details, and room adaptation. Users who have enabled noise cancellation will get the Studio-style mic enhancements by default starting with this release. If a user wants to revert to the old noise cancellation-only effect, they can select the appropriate option in Settings > Device > Audio. This feature is only available on Chromebook Plus devices.

AI-powered Recorder app

ChromeOS 130 introduces the new Google AI-powered Recorder app to create transcriptions that can detect and label speakers, and provide a summary of recorded content. Our app goes beyond recording, offering speech-to-text, content summarization, and title suggestions, all powered by Google AI.

Content scanning for Managed Guest Sessions

We are now enabling organizations to extend Chrome Enterprise Premium’s powerful scanning and content and context-based protection to local files in Managed Guest Sessions on ChromeOS. For example, a misplaced file containing Social Security numbers is instantly blocked when a user attempts to copy it to an external drive, safeguarding this confidential information.

Additional URLs allowed in Kiosk mode

If a Kiosk app uses more than one URL origin, IT Admins can now enter the additional origins. All specified origins will get permissions automatically granted. Permissions will be rejected for any other origins not included in this list.

Appearance effects

Appearance effects have been popular among the products of cameras, virtual meetings, and short videos for a long time and launched on some Google products. In ChromeOS 130, we integrate this feature into Chromebook for video call controls. Available on Chromebook Plus devices only.

More accessible privacy controls

In this launch, we are making OS-level privacy controls more available to users of Chrome browser. This aims to make users more aware that to make the camera or microphone work, they need to enable OS-level privacy controls.

Enhanced keyboard brightness controls

Chromebook users can now easily adjust keyboard brightness and control the ambient light sensor directly from the Settings app. This new feature lets you set your keyboard brightness to the perfect level and turn the ambient light sensor on or off as needed. These updates make it simpler to use your device and help manage battery life. Meanwhile, if the Chromebook supports RGB, the Settings > Keyboard option now has a direct link to RGB color selection options. For more details, see Using gaming features on your Chromebook.

Enhanced display brightness controls

Chromebook users can now easily adjust display brightness and control the ambient light sensor directly from the Settings app. This new feature lets you set your screen brightness to the perfect level and turn the ambient light sensor on or off as needed in Settings. These updates make it simpler to use your device and help manage battery life.

Help me read on ChromeOS

Help me read on ChromeOS provides an AI-powered solution to help you quickly find the information you need in any text. Easily get to the heart of what you’re reading in the browser and in Gallery by right-clicking on an empty space to reveal the Help me read card above the existing contextual menu. The Help me read panel showcases a summary of the text and a freeform Q&A field where you can ask specific questions about the text. Available on Chromebook Plus devices only.

Multi-calendar support

We are launching Multi-calendar support to allow users to view all events from multiple calendars that they have selected within their Google Calendar.

Picture-in-Picture windows

ChromeOS users can now enjoy greater flexibility with Picture-in-Picture (PiP) windows. PiP Tuck allows users to temporarily move PiP windows to the side of their screen, freeing up valuable screen space while keeping the video easily accessible. Additionally, you can quickly adjust the size of PiP windows with a quick double-tap, toggling between two sizes for optimal viewing.

Improved ARC++ user experience

To improve ChromeOS and ARC++ user experience, we're moving ARC++ non-urgent background and error notifications to the system tray. This prevents these messages from unnecessarily popping up in the foreground and disrupting the user's journey. By moving these notifications to the system tray, we can ensure that users are still notified of potential issues but are not interrupted while using their Chromebook. For more information about ARC++, see this ChromeOS developer blog.

New policy to control Access Point Names

For Chromebooks with cellular capability, Access Point Name (APN) policies allow administrators to restrict usage of custom APNs. By setting the AllowAPNModification flag in general network settings to restrict, they can prevent end users from adding or using any custom APNs.

Microsoft SCEP SID update

Only for SCEP deployments using Microsoft NPS for RADIUS. If you are not using SCEP certificates in combination with Microsoft NPS for Radius for Chromebook network connectivity, you may disregard the remainder of these instructions. We expect this to be a setup more common in enterprise rather than in education.

Microsoft has announced a security update that will add a new required field, a Security Identifier (SID), to SCEP certificates in environments utilizing NPS for Radius for network authentication. This addition is due to a security vulnerability on Windows devices where usable certificates with private keys can be exported from one Windows device to be used on any other device. Addition of the SID means that the certificate becomes linked to a device or user in your Active Directory environment so that an unknown device/user cannot use it. This is not a security issue for Chromebooks, as they do not allow the exporting of certificates with private keys in them and they are protected by the TPM. However, any certificate lacking this new field will fail to authenticate against a NPS for Radius server after the hard enforcement deadline of February 11th, 2025.

What do you need to do?

As soon as possible, verify if your deployment relies on both SCEP certificates and NPS for Radius for network authentication. This can be done by going into event viewer on your Domain Controller -> System, and searching for event ID #39. If you see this event ID:

Actions to take if you see the event ID #39:
1. Create a new object, or reuse an existing one, in your Active Directory environment for SCEP use
2. Extract the SID for the AD object, for example, PS> (Get-ADUser username).SID.value
3. Create a new SCEP profile with all settings duplicated from your current setup and add in the SID of the newly created, or existing, AD object from step 1.
4. Under the Subject Alternative name section select the Custom radio button. Add a new Subject Alternative name using the + button with the type Uniform Resource Identifier from the dropdown. Under string, the value should be similar to:
tag:microsoft.com,2022-09-14:sid:S-1-2-3-4-5-6-8

where S-1-2-3-4-5-6-8 is the SID of the AD object
1. Deploy this new certificate to all potentially affected Chromebooks in your fleet:
  1. Wait, AT LEAST ONE MONTH, to reasonably guarantee that all devices have picked up the new certificate.
2. Relink any and all policies from the old certificate to the new one from Step 2.
3. Verify functionality using the new certificate.
4. Delete the old profile.

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming ChromeOS changes

AI wallpapers and backgrounds

As early as ChromeOS 131, we plan to introduce high-resolution, generative AI wallpapers and video call backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.

Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings. This feature will be available on Chromebook Plus devices only.

ChromeOS Flex auto-enrollment

As early as ChromeOS 131, ChromeOS Flex auto-enrollment will allow you to deploy ChromeOS Flex devices at scale. Similar to ChromeOS zero-touch enrollment, automatic enrollment embeds an enrollment token created by an organization's administrator into a ChromeOS Flex image. This will determine which customer organization and organizational unit a device will enroll into during initial device setup.

Graduate data migration

As early as ChromeOS 132, a new Content Transfer tool will guide graduate students or other EDU-managed users who want to migrate their data through the updated Google Takeout Transfer process. This allows them to take their Docs, Sheets, Slides, and Gmail content to a Gmail account of their choice.

This new application allows school administrators to pin an icon to the shelf, notify students and faculty on their Chromebooks, and set dates to trigger these nudges to encourage them to use the existing Takeout Transfer process.

Chrome App support ending on ChromeOS

In 2016, we announced the deprecation of Chrome Apps in favor of web apps, and in 2021, we announced on the Chromium Blog that Chrome App support for ChromeOS Enterprise and Education customers and developers on ChromeOS would be extended until at least January 2025. With the majority of our customers having migrated off of Chrome Apps (including Legacy (v1) packaged apps and Hosted apps), we can confirm the following updates about Chrome App discontinuation dates.
July 2025: End of support for user-installed Chrome Apps (scheduled for ChromeOS M138).
- Chrome Apps that are force-installed through the Admin console will continue to be supported.
July 2026: Last ChromeOS release with support for Chrome Apps in Kiosk Mode (scheduled for ChromeOS M150).
- Devices on the LTS channel with Chrome Apps in Kiosk Mode will receive support until April 2027.
February 2028: Last ChromeOS release with support for Chrome Apps (scheduled for ChromeOS M168), marking the end of life for all Chrome Apps.
- Devices on the LTS channel can continue to use Chrome Apps until October 2028.
- No exceptions will be granted.
These deprecation timelines also apply to self-hosted Chrome Apps.

While no new Chrome Apps can be added to the Chrome Web Store, existing Chrome Apps can continue to be updated through October 2028 when they will reach end of life on ChromeOS. After this date, Chrome Apps will be removed from the Chrome Web Store.

If your organization has developed in-house Chrome Apps and you need assistance, please refer to Transition from Chrome Apps guide. You can also join us in the ChromeOS developer community on Discord, or reach out to us through the form at https://chromeos.dev/work-with-us. Refer to the ChromeOS release schedule for release dates and updates.

In the coming weeks, additional detailed information will be sent to all remaining Chrome App developers and all ChromeOS Administrators.

Native Client (NaCl) support ending on ChromeOS

In 2017, we announced the deprecation of Native Client (NaCl) in favor of WebAssembly. With the majority of our customers having migrated off of NaCl, we can confirm some important changes coming to ChromeOS.
- January 2025: Native Client (NaCl) will be disabled by default from ChromeOS M132 onwards.
  - For unmanaged and consumer users, M131 will be the last ChromeOS release with support for NaCl.
  - For managed user environments, administrators who manage ChromeOS devices for a business or school already will have the option of extending the ability to use NaCl with a NaCl allow policy through the M138 release. Starting with M132, the policy will also be available for Kiosk sessions.
- July 2025: ChromeOS M138 will mark the end of life for NaCl technology on ChromeOS.
  - For managed environments, M138 is a Long-term Support (LTS) ChromeOS release available to administrators who manage ChromeOS devices for a business or school. Devices that have been switched to the LTS channel and have the NaCl allow policy enabled can continue to use NaCl until LTS Last Refresh in April 2026.
If your organization has developed in-house Chrome Apps with NaCl and you need assistance, please refer to Transition from Chrome Apps and WebAssembly Migration guides. You can also join us in the ChromeOS developer community on Discord, or reach out to us through the form at https://chromeos.dev/work-with-us. Refer to the ChromeOS release schedule for release dates and updates.

In the coming weeks, additional detailed information will be sent to NaCl developers and impacted ChromeOS Administrators.

↑ back to top

Chrome 129

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
Tab compare		✓
Chrome no longer support macOS 10.15	✓		✓
Ad-hoc code signatures for PWA shims on macOS		✓
Certificate Manager on Windows and macOS	✓
Chrome Security Insights	✓		✓
Deprecate Safe Browsing Extended reporting	✓
Inactive tabs on Android		✓
New option in HttpsOnlyMode policy	✓		✓
Screenshot protections	✓
Sync tab group		✓
Google Play Services fixes issues with on-device passwords			✓
Deprecate the includeShadowRoots argument on DOMParser	✓
Deprecation of non-standard declarative shadow DOM serialization	✓
Rename inset-area to position-area	✓
Clear local device data on sign out on iOS	✓
Toolbar customization		✓
Google Password Manager Passkey usage on ChromeOS		✓
New and updated policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Chrome Enterprise Premium for file transfers on Managed Guest Sessions	✓
Educators Appreciation wallpaper		✓
Display brightness controls		✓
Peripheral Welcome experience		✓
Managed accounts no longer synced as secondary accounts on Android	✓		✓
Live Translate		✓
Keyboard brightness controls		✓
Keyboard shortcut for Select-to-Speak		✓
PIN as an authentication factor	✓
Automatic reload of sign-in screen	✓
CSE Workspace file types now supported in Google Drive			✓
Battery Icon updates		✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
Extension Risk Score on the Apps and Extensions Usage report			✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Entrust certificate distrust	✓
Fallback styles for <meter> element	✓
Compression dictionary transport with Shared Brotli and Shared Zstandard	✓
Keyboard-focusable scroll containers		✓
Support non-special scheme URLs	✓
Simplified sign-in and sync experience		✓
Chrome extension telemetry integration with SecOps	✓		✓
User Link capturing on PWAs		✓	✓
Chrome Third-Party Cookie Deprecation (3PCD)	✓
Insecure form warnings on iOS	✓
Remove policy used for legacy same site behavior			✓
X25519Kyber768 key encapsulation for TLS	✓
UI Automation accessibility framework provider on Windows		✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Generative AI wallpapers and video conference backgrounds	✓
ChromeOS XDR window events	✓
Upcoming Admin console changes	Security/ Privacy	User productivity/ Apps	Management
Chrome browser managed profile reporting			✓
Default change for GenAI policies		✓
GenAI control policy		✓
Support for user-level settings on the Custom configurations page			✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser updates

Tab compare
Starting in Chrome 129 (US-only), we introduce Tab compare, a new feature that presents an AI-generated overview of products from across multiple tabs, all in one place. This feature is controlled through the TabCompareSettings policy. For more details, see our Tab compare article in the Chrome Enterprise and Education help center.
- Chrome 129 on Linux, macOS, Windows

Chrome no longer supports macOS 10.15
Chrome 129 no longer supports macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 no longer supports macOS 10.15.
- Chrome 129 on macOS: Chrome no longer supports macOS 10.15

Ad-hoc code signatures for PWA shims on macOS
Code signatures for application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures, which are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.

This addresses problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and permits future improvements for handling user notifications within PWAs on macOS.
- Chrome 129 on macOS

Certificate Manager on Windows and macOS
As early as Chrome 129, there is a new certificate management settings screen accessible from security settings on Windows and macOS. This replaces the link to Windows cert manager and macOS keychain, respectively, although these operating system surfaces are still accessible from the certificate management settings page.

The certificate manager displays certificates that are trusted or distrusted by Chrome, including the contents of the Chrome Root Store, and any certificates that have been imported from the underlying operating system. Users can access the page directly by navigating to chrome://certificate-manager.

A future release will introduce user and enterprise management of certificates added directly to Chrome.
- Chrome 129 on macOS, Windows

Chrome Security Insights
You can now enable Chrome Security Insights, which allows you to monitor insider risk and data loss enhanced monitoring for Chrome activity if you have Chrome Enterprise Core and Workspace Enterprise Standard or Workspace Enterprise Plus with assigned licenses. For more information, see Monitoring for insider risk and data loss.
- Chrome 125 on ChromeOS, Linux, macOS, Windows: Feature enabled for Chrome Enterprise Core
- Chrome 129 on ChromeOS, Linux, macOS, Windows: Feature enabled for EDU customers (except K-12)

Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, macOS, Windows: Deprecation of Safe Browsing Extended Reporting — Excluding real-time Client Safe Browsing Report Request
- Chrome 131 on Android, iOS, ChromeOS, Linux, macOS, Windows: Deprecating SafeBrowsingExtendedReportingEnabled for real-time Client Safe Browsing Report Request

Inactive tabs on Android
In Chrome 129, old tabs will be hidden under a new Inactive Tabs section in the tab switcher on Chrome on Android. Chrome users can access the inactive tabs section to view all old tabs or close them using the new bulk tab functionality. These tabs will be deleted after being in this section for over 60 days.
- Chrome 129 on Android: Feature rolls out to 1%

New option in HttpsOnlyMode policy
Ask Before HTTP (ABH), formerly named HTTPS Only/First Modes, is a setting that tells Chrome to ask for user consent before sending insecure HTTP content over the wire. The HttpsOnlyMode policy allows force-enabling, or force-disabling, ABH.

In Chrome 129, we are adding a new middle-ground variant of ABH called balanced mode. This variant aims to reduce user inconvenience by working like (strict) ABH most of the time, but not asking when Chrome knows that an HTTPS connection isn't possible, such as when connecting to a single-label hostname like internal/.

We are adding a force_balanced_enabled policy option to allow force-enabling this new variant. Setting force_balanced_enabled on browsers before Chrome 129 will result in the default behavior, which places no enterprise restrictions on the ABH setting.

To avoid unexpected impact, if you have previously set force_enabled, we recommend not setting force_balanced_enabled until your entire fleet has upgraded to Chrome 129 or higher. If you are not migrating from force_enabled to force_balanced_enabled, you will be unaffected by this change.
- Chrome 129 on Android, ChromeOS, LaCrOS, Linux, macOS, Windows, Fuchsia

Screenshot protections
Screenshot protections allow Admins to prevent users from taking screenshots or screen sharing specific web pages considered to contain sensitive data. This feature is available to Chrome Enterprise Premium users only. This feature can be controlled via the same EnterpriseRealTimeUrlCheckMode Chrome Enterprise policy that enables all real-time URL lookups.
- Chrome 129 on ChromeOS, Linux, macOS, Windows

Sync tab group
The tab groups on iOS are now saved. Closing a tab group no longer deletes it. For users syncing their tabs across devices, the groups also sync.
- Chrome 129 on iOS

Google Play Services fixes issues with on-device passwords
Users with old versions of Google Play Services (<24w02) experience reduced functionality with their on-device passwords, and Password Manager might soon stop working for them altogether. These users need to update Play Services, otherwise they will be guided through other troubleshooting methods depending on their state. This is part of an ongoing migration that only affects Android users of Password Manager.
- Chrome 129 on Android

Deprecate the includeShadowRoots argument on DOMParser
The includeShadowRoots argument was a never-standardized argument to the DOMParser.parseFromString() function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.
Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() shipped in Chrome 124, the non-standard includeShadowRoots argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
document.parseHTMLUnsafe(html);
- Chrome 129 on Linux, macOS, Windows, Android

Deprecation of non-standard declarative shadow DOM serialization
The prototype implementation, which was shipped in 2020 and then updated in 2023, contained a method called `getInnerHTML()` that could be used to serialize DOM trees containing shadow roots. That part of the prototype was not standardized with the rest of the declarative shadow DOM, and has only recently reached spec consensus (for details, see Github). As part of that consensus, the shape of the getInnerHTML API changed.

This feature represents the deprecation of the previously shipped `getInnerHTML()` method. The replacement is called `getHTML()`, which shipped in Chrome 125. For details, see this ChromeStatus feature description.
- Chrome 129 on Windows, macOS, Linux, Android

Rename inset-area to position-area
The CSS working group (CSSWG) resolved to rename this property from `inset-area` to `position-area`. For more details, see the CSSWG discussion in Github. Chrome will support both the old and new property names for a few milestones, to help developers migrate to the new position-area name. We are shipping the new property name, `position-area`, as a synonym for `inset-area` in Chrome 129 along with the deprecation DevTrial for `inset-area`.

The `inset-area` property is currently planned for removal in Chrome 131.
- Chrome 129 on Windows, macOS, Linux, Android

Clear local device data on sign out on iOS
Starting in Chrome 129, signing out from a managed account in an unmanaged browser deletes local browsing data that is saved on the device. Managed users are presented a confirmation dialog on sign-out explaining that unsaved data will be cleared. Data will be cleared only from the time of sign-in, otherwise all data will be cleared; time of sign-in is only known if the user signed in on Chrome 122 or later.

The data that is deleted includes:
- browsing history
- cookies and site data
- passwords
- site settings
- autofill
- cached images and files
- Chrome 129 on iOS

Toolbar customization
We are introducing a toolbar customization feature in Chrome 129, which allows desktop browser users to pin and unpin icons to their toolbar via a new side panel.
- Chrome 129 on ChromeOS, Linux, macOS, Windows: Rolls out gradually

Google Password Manager Passkey usage on ChromeOS
Passkeys improve user security but until today have been slightly more difficult to use across devices. Now, users can save passkeys to Google Password Manager and use them across devices and platforms. This feature is already available on Windows, macOS, Linux and Android. It is now available on ChromeOS.
- Chrome 127 on Windows, Android and macOS
- Chrome 129 on Windows, Android, macOS and ChromeOS

New and updated policies in Chrome browser

Policy	Description
TabCompareSettings	Tab Compare settings
AdHocCodeSigningForPWAsEnabled	Ad-hoc code signing for Progressive Web App shims

ChromeOS updates

Chrome Enterprise Premium for file transfers on Managed Guest Sessions

In ChromeOS 129, organizations can extend Chrome Enterprise Premium’s powerful scanning and content and context-based protection to local files on ChromeOS on Managed Guest Sessions.

For example, a misplaced file containing Social Security numbers is instantly blocked when a user attempts to copy it to an external drive, safeguarding this confidential information.

Educators Appreciation wallpaper

In ChromeOS 129, we have added a new wallpaper collection to celebrate and share our gratitude and support to educators around the world.

Display brightness controls

Chromebook users can now easily adjust display brightness and control the ambient light sensor directly from the Settings app. This new feature lets you set your screen brightness to the perfect level and turn the ambient light sensor on or off as needed in the Settings app. These updates make it simpler to use your device and help manage battery life.

Peripheral Welcome experience

Knowing that a peripheral has been successfully connected, configuring it, and finding its companion app are critical steps in the peripheral user journey. This release aims to deliver a high-quality Welcome Experience by letting users know their peripheral is successfully connected and inviting them to configure it and make the most of it.

Managed accounts no longer synced as secondary accounts on Android

Starting from ChromeOS version 129, we enhance the data security for Android on ChromeOS. Enterprise accounts that are added as secondary accounts in-session will no longer automatically be added to the Android on ChromeOS environment. This change does not affect consumer accounts, education accounts, or accounts that were previously added.

Live Translate

Chromebook Plus devices are getting Live Translate which will allow a user to translate captionable content from Live Captions into a language of their choice. If an English speaking user is having a conversation with a person with whom they don't share the same language, so long as Live Captions is supported for the language of the person they're speaking with, it can be translated into English. This also works for videos as well and can be used on YouTube to Live Translate a video to English.

Keyboard brightness controls

Chromebook users can now easily adjust keyboard brightness and control the ambient light sensor directly from the Settings app. This new feature lets you set your keyboard brightness to the perfect level and turn the ambient light sensor on or off as needed. These updates make it simpler to use your device and help manage battery life. Meanwhile, if the Chromebook supports RGB, the Keyboard Settings page will have a direct link to the Personalization Hub's RGB color selection options.

Keyboard shortcut for Select-to-Speak

The Select-to-Speak keyboard shortcut (Search + s) now works when it is first pressed. You no longer need to enable it in Settings first. A dialog displays confirming that you want to turn on select to speak the first time you press the keyboard shortcut.

PIN as an authentication factor

This launch enables PIN as an authentication factor in all authentication surfaces across ChromeOS.

Automatic reload of sign-in screen

Starting from version 129, ChromeOS optimizes the support of 3P identity provider based logins. In the most common scenario, administrators show a permanent 3P identity provider login on the sign in screen. Many identity providers time out after a specific cadence, for example, 15 mins, leading to errors for the user. The new DeviceAuthenticationFlowAutoReloadInterval policy allows for a repeated refresh of 3P identity providers on the login screen, avoids timeouts, and therefore significantly increases the reliability of 3P identity provider logins.

CSE Workspace file types now supported in Google Drive

Client side encryption (CSE) is a Google Workspace and Drive feature that allows customers and users to encrypt files with customer provided keys so that data is encrypted and never stored on our servers in the clear. This launch provides basic CSE support in the Files app on ChromeOS. This includes making CSE files visible, opening CSE files in the browser and flagging non Google Workspace CSE files as unsupported.

Battery Icon updates

We are launching an update to the battery icon to ensure that the battery state no longer covers the battery level. Now you can easily see how much battery you have left.

Upcoming Admin console changes

Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.
- As early as Chrome 130 on Android, Linux, macOS, Windows

Default change for GenAI policies
Starting with 130, we will change the default setting for GenAI policies from switched off to allowed, without improving AI models. If you have devices enrolled in Chrome Enterprise core, this policy is automatically applied to those devices to prevent sending data for AI model training. The existing policies that will have the updated default setting are:
- CreateThemesSettings (available in the US-only for now)
- DevToolsGenAiSettings (available in most countries)
- HelpMeWriteSettings (available in the US-only for now)
- HistorySearchSettings (available in the US-only for now)
- TabOrganizerSettings (available in the US-only for now)
- TabCompareSettings (available in the US-only for now)

GenAI control policy
Starting with 130, Chrome Enterprise Core will include a policy to control the behavior of multiple GenAI policies. This will be a convenient feature, allowing Admins to control the default behavior of a set of policies in one place, for example, off by default. This policy will control the following policies:
- CreateThemesSettings
- DevToolsGenAiSettings
- HelpMeWriteSettings
- HistorySearchSettings
- TabOrganizerSettings
- TabCompareSettings
- GenAIVcBackgroundSettings (launching in Chrome 130)
- GenAIWallpaperSettings (launching in Chrome 130)

Support for user-level settings on the Custom Configurations page
The Custom configurations page was recently launched in Chrome 127 and it allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As early as October 1st, Custom configurations will support applying settings at the user-level, in addition to machine-level support. In other words, you will be able to enforce policies when users sign in to a managed Google account using the Custom configurations page.
- As early as October 1st on Android, iOS, Linux, macOS, Windows: Feature rolls out for user policies
To get started, you can find the Custom configurations in the Admin console, under Chrome browser > Reports — you will need the Chrome Enterprise Core SKU:

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser updates

Entrust certificate distrust
In response to sustained compliance failures, Chrome 127 changes how publicly-trusted TLS server authentication, that is, website or certificates issued by Entrust, are trusted by default. This applies to Chrome 127 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.

Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:

    - after October 31, 2024, will no longer be trusted by default.

    - on or before October 31, 2024, will be unaffected by this change.

If a Chrome user or an enterprise explicitly trusts any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.

For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.

To learn more about the Chrome Root Store, see this FAQ.
- Chrome 127 on Android, ChromeOS, Linux, macOS, Windows: All versions of Chrome 127 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after October 31, 2024.
- Chrome 130 on ChromeOS, Linux, macOS, Windows: The blocking action will begin for certificates issued after October 31, 2024. This will also affect Chrome 127, 128 and 129.

Fallback styles for <meter> elements
As early as Chrome 130, HTML5 <meter> elements with `appearance: none` will have a reasonable fallback style that matches Safari and Firefox instead of just disappearing from the page. In addition, developers will be able to custom style the <meter> elements.

A temporary policy MeterAppearanceNoneFallbackStyle will be available until Chrome 133 to control this feature.
- Chrome 130 on Windows, macOS, Linux, Android

Compression dictionary transport with Shared Brotli and Shared Zstandard
This feature adds support for using designated previous responses, as an external dictionary for Brotli- or Zstandard-compressing HTTP responses.

Enterprises might experience potential compatibility issues with enterprise network infrastructure. The CompressionDictionaryTransportEnabled policy is available to turn off the compression dictionary transport feature.
- Chrome 130 on Windows, macOS, Linux, Android

Keyboard-focusable scroll containers
Improves accessibility by making scroll containers focusable using sequential focus navigation. Today, the tab key doesn't focus scrollers unless tabIndex is explicitly set to 0 or more.

By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using a keyboard's tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a <textarea>.
- Chrome 130 on Windows, macOS, Linux, Android

Support non-special scheme URLs
Chrome 130 will support non-special scheme URLs, for example, git://example.com/path, correctly. Previously, Chromium's URL parser didn't support non-special URLs. The parser parses non-special URLs as if they had an opaque path, which is not aligned with the URL Standard. Now, Chromium's URL parser parses non-special URLs correctly, following the URL Standard. For more details, see http://bit.ly/url-non-special.
- Chrome 130 on Windows, macOS, Linux, Android

Simplified sign-in and sync experience
Starting in Chrome 131, existing users with Chrome sync turned on will experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.

As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be controlled by SyncTypesListDisabled. Sign-in to Chrome can be disabled via BrowserSignin as before.

Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Chrome 131 on Android

Chrome extension telemetry integration with Google SecOps
We will begin to collect relevant Chronicle extension telemetry data from within Chrome, for managed profiles and devices, and send it to Google SecOps. Google SecOps will analyze the data to provide instant analysis and context on risky activity; this data is further enriched to provide additional context and is searchable for a year.
- Chrome 131 on ChromeOS, LaCrOS, Linux, macOS, Windows

User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. Clicking a link always automatically opens the app.
- Chrome 121 on Linux, macOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 131 on Linux, macOS, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).

Chrome Third-Party Cookie Deprecation (3PCD)
On July 22nd, we announced a new path forward for Privacy Sandbox on the web. Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time. We're discussing this new path with regulators, and will engage with the industry as we roll this out.

For more details, see this Privacy Sandbox update.

Insecure form warnings on iOS
Chrome 125 started to block form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it now displays a warning asking the user to confirm the submission. The goal is to prevent leaking of form data over plain text without user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature, and will be removed in Chrome 130.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed

Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, macOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.

However, some enterprise network devices such as firewalls and proxies (TLS middleboxes) might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through at least Chrome 141 in 2025. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.

Starting in Chrome 131, Chrome will switch the key encapsulation mechanism from the draft version of Kyber, to the final standard version of ML-KEM. Using any form of post-quantum key exchange (Kyber or ML-KEM) will continue to be controlled by the PostQuantumKeyAgreementEnabled policy.

For more detail, see this Chromium blog post and this Google Security blog post.
- Chrome 124 on Windows, macOS, Linux
- Chrome 131

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Administrators can use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

↑ back to top

Upcoming ChromeOS changes

ChromeOS XDR Window Events

In ChromeOS 130, window focus events will be available as part of Extended Threat Detection and Response (XDR) on ChromeOS. You will be able to bring windows into focus activities of devices in your managed fleet by simply updating XDR events in the Admin console!

Generative AI wallpapers and video conference backgrounds

As early as ChromeOS 130, we plan to introduce high-resolution, generative AI wallpapers and video-conference meeting backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.

Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings.

Upcoming Admin console changes

Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.
- As early as Chrome 130 on Android, Linux, macOS, Windows

Default change for GenAI policies
Starting with 130, we will change the default setting for GenAI policies from switched off to allowed, without improving AI models. If you have devices enrolled in Chrome Enterprise core, this policy is automatically applied to those devices to prevent sending data for AI model training. The existing policies that will have the updated default setting are:
- CreateThemesSettings (available in the US-only for now)
- DevToolsGenAiSettings (available in most countries)
- HelpMeWriteSettings (available in the US-only for now)
- HistorySearchSettings (available in the US-only for now)
- TabOrganizerSettings (available in the US-only for now)
- TabCompareSettings (available in the US-only for now)

GenAI control policy
Starting with 130, Chrome Enterprise Core will include a policy to control the behavior of multiple GenAI policies. This will be a convenient feature, allowing Admins to control the default behavior of a set of policies in one place, for example, off by default. This policy will control the following policies:
- CreateThemesSettings
- DevToolsGenAiSettings
- HelpMeWriteSettings
- HistorySearchSettings
- TabOrganizerSettings
- TabCompareSettings
- GenAIVcBackgroundSettings (launching in Chrome 130)
- GenAIWallpaperSettings (launching in Chrome 130)

Support for user-level settings on the Custom Configurations page
The Custom configurations page was recently launched in Chrome 127 and it allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As early as October 1st, Custom configurations will support applying settings at the user-level, in addition to machine-level support. In other words, you will be able to enforce policies when users sign in to a managed Google account using the Custom configurations page.
- As early as October 1st on Android, iOS, Linux, macOS, Windows: Feature rolls out for user policies
To get started, you can find the Custom configurations in the Admin console, under Chrome browser > Reports — you will need the Chrome Enterprise Core SKU:

↑ back to top

Chrome 128

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
Search your history in Chrome with AI		✓
Admin-configurable site search		✓	✓
Handling undecryptable passwords in Password Manager			✓
Inactive Tabs		✓
New PromotionsEnabled policy replaces PromotionalTabsEnabled			✓
Revamped Chrome Safety Check on Android	✓
Rust JSON Parser	✓
Tab Groups on iPad		✓
Updates for CookiePartitionKey of partitioned cookies	✓
Deprecate CHIPS and Relaunch in WebView	✓
Isolated Web Apps	✓
Rename position-try-options to position-try-fallbacks	✓
Google Calendar Card on the New tab page		✓
New and updated policies in Chrome browser			✓
Removed policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Snap groups on ChromeOS		✓
Data processor mode: EU-wide rollout	✓
Privacy Controls: Geolocation	✓
ChromeOS privacy control reminders on app settings page	✓		✓
Store aggregated vitals data with one-year retention	✓
OCR in ChromeOS Camera App		✓
Magnifier follows Chromevox		✓
Auto Gain Control enabled by default		✓
APN management			✓
Pinned notifications on ChromeOS			✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
Chrome profile separation - new deployment guide	✓
Chrome Enterprise Data Controls: Clipboard		✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Tab compare		✓
Ad-hoc code signatures for PWA shims on macOS		✓
Clear device data on sign out on iOS	✓
Fallback styles for HTML5 <meter> element	✓
Chrome will no longer support macOS 10.15	✓		✓
Deprecate Safe Browsing Extended reporting	✓
Certificate Manager on Windows and MacOS	✓
New option in HttpsOnlyMode policy	✓		✓
Sync Tab Group		✓
Update Google Play Services to fix issues with on-device passwords			✓
Deprecate non-standard declarative shadow DOM serialization	✓
Deprecate the includeShadowRoots argument on DOMParser	✓
Rename inset-area to position-area	✓
Entrust certificate distrust	✓
Support non-special scheme URLs	✓
Network Service on Windows will be sandboxed			✓
Chrome Third-Party Cookie Deprecation (3PCD)	✓
User Link capturing on PWAs		✓	✓
Private network access checks for navigation requests: warning-only mode			✓
Insecure form warnings on iOS	✓
Chrome extension telemetry integration with Chronicle	✓		✓
Remove policy used for legacy same site behavior			✓
X25519Kyber768 key encapsulation for TLS	✓
UI Automation accessibility framework provider on Windows		✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Update to keyboard shortcut for Select-to-speak		✓
Chrome Enterprise Premium for file transfers on Managed Guest Sessions		✓
ChromeOS XDR window events	✓
Generative AI wallpapers and video conference backgrounds	✓
Upcoming Admin console changes	Security/ Privacy	User productivity/ Apps	Management
Chrome browser managed profile reporting			✓
Admin console widget for data controls			✓
Default change for GenAI policies			✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser updates

Search your history in Chrome with AI
Starting in Chrome 128, users can search their browsing history based on page contents and not just the page title and URL. Initially, this feature is only available to users in English in the US. Admins can control this feature by using the HistorySearchSettings policy. You have the following options for your organization:
- 0 = Enable the feature for users, and send relevant data to Google to help train or improve AI models. Relevant data may include prompts, inputs, outputs, and source materials, depending on the feature. It may be reviewed by humans for the sole purpose of improving AI models.
- 1 = Enable the feature for users, but do not send data to Google to train or improve AI models.
- 2 = Fully disable feature
For more information, see Search your history in Chrome with AI.
- Chrome 128 on Linux, Mac, Windows

Admin-configurable site search
Site search shortcuts are a way to use the address bar (Omnibox) as a search box for a specific site without navigating directly to the site’s URL, similar to how you can use the Omnibox to perform a broad Google search of the web. You can now create site shortcuts on behalf of your managed users, to shortcut to the most critical enterprise sites. You can control this feature using the SiteSearchSettings policy.
- Chrome 128 on ChromeOS, Linux, Mac, Windows: Available for Chrome Browser Core customers signed up for Trusted Tester starting Chrome 128, followed by gradual rollout for all Chrome Browser Enterprise customers a few weeks later

Handling undecryptable passwords in Password Manager
Users sometimes end up with undecryptable passwords on their device, for example, if they've used third party software to move to a new device. We are launching a new policy called DeletingUndecryptablePasswordsEnabled that helps handle such passwords. When enabled, this policy deletes undecryptable passwords from the user's device, unless the UserDataDir policy is specified. When DeletingUndecryptablePasswordsEnabled is off, undecryptable passwords are untouched, but this will result in broken Password Manager functionality.
- Chrome 128 on iOS, Linux, Mac, Windows

Inactive tabs
In Chrome 128, we now hide old tabs under a new Inactive Tabs section in the tab switcher on Chrome on Android. Chrome users can access the Inactive Tabs section to view all old tabs or close them using the new bulk tab functionality. These tabs will be deleted if inactive for over 60 days.
- Chrome 128 on Android: Rolls out to 1%

New PromotionsEnabled policy replaces PromotionalTabsEnabled
In Chrome 128, new promotional OS-level notifications are shown to users. To include a larger number of promotional features under one policy, a new policy PromotionsEnabled has been created to replace PromotionalTabsEnabled, which will be deprecated in the future.
- Chrome 128 on ChromeOS, Linux, Mac, Windows: PromotionsEnabled will begin to roll out with Chrome 128. There is no flag.

Revamped Chrome Safety Check on Android
Chrome 128 introduces a new proactive Safety Check that regularly checks the browser for safety-related issues and informs users when there's anything that needs their attention. This launch also introduces a re-designed Safety Check page, chrome://settings/safetyCheck, with Chrome’s proactive safety-related actions and information tailored to each user, designed to make it easier for users to stay safe online. For more information, see Manage Chrome safety and security.
- Chrome 128 on Android

Rust JSON Parser
As early as Chrome 128, Chrome will parse JSON using Rust, rather than C++. This will remove the risk of memory safety vulnerabilities in the JSON parser, improving security. This change should be transparent to users. There is a small risk of certain invalid JSON, which Chrome currently accepts, no longer being accepted, although the Rust parser remains extremely lenient.

In the event that Chrome doesn't accept the invalid JSON, this will lead to 500s or other application-level errors, not crashes. If Chrome no longer accepts some invalid JSON, the JSON should be aimed to be fixed.
- Chrome 128

Tab Groups on iPad
Chrome for iPad users can create and manage tab groups. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 128 on iOS

Updates for CookiePartitionKey of partitioned cookies
Chrome 128 adds a cross-site ancestor bit to the keying of the partitioned cookie's CookiePartitionKey. This change unifies the partition key with the partition key values used in storage partitioning and adds protection against clickjacking attacks by preventing cross-site embedded frames from having access to the top-level-site's partitioned cookies.

If an enterprise experiences any breakage with embedded iframes, they can use the CookiesAllowedForUrls policy or use SameSite=None cookies without the Partitioned attribute and then invoke the Storage Access API (SAA) to ensure that embedded iframes have access to the same cookies as the top level domain.
- Chrome 128 on Windows, Mac, Linux

Deprecate CHIPS and relaunch in WebView
The WebViewClient supports a method, shouldInterceptRequest, which allows developers to intercept network activity and modify HTTP headers, etc. This API does not have access to the Cookie header and relies on the Android CookieManager API in order to query what cookies are available for a particular request URL. However, partitioned cookies are double-keyed on the top-level site and the site of the URL using the cookies.

Currently, the CookieManager API provides no way for developers to query partitioned cookies correctly, and this will cause a mismatch between what the Java API returns and what frames in WebView will actually be in their Cookie header. After discussing this with the WebView team, we believe that the option that will minimize potential app breakage is to disable Cookies Having Independent Partitioned State (CHIPS) on WebView until we are able to ship support for the Cookie header to shouldInterceptRequest. We will release the changes to shouldInterceptRequest in the next target SDK version (API level 36).

Enterprise workflows that use WebView to load web content that relies on partitioned cookies will have their state cleared. WebView apps still have access to unpartitioned 3P cookies and cookies set with Partitioned after the change will revert to their legacy pre-CHIPS behavior until we relaunch the feature.
- Chrome 128 on Android

Isolated Web Apps
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provides stronger protections against server compromise and other tampering, which is necessary for developers of security-sensitive applications.

Rather than being hosted on live web servers and fetched over HTTPS, these IWAs are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the Chromium project explainer.

In this initial release, IWAs are only installable using a new policy, IsolatedWebAppInstallForceList, on enterprise-managed ChromeOS devices.
- Chrome 128 on ChromeOS

Rename position-try-options to position-try-fallbacks
The CSS working group (CSSWG) resolved to rename this property, because fallbacks more accurately describe what this property controls. The word options is a bit unclear, since the styles outside of `position-try` blocks will be tested first, and if they result in a layout that fits within the containing block, none of the options will get used. So fallbacks is a better word to describe this behavior. For more details, see Github.
- Chrome 128 on Windows, Mac, Linux, Android

Google Calendar Card on the New tab page
Enterprise users can now access their upcoming meetings directly from the New tab page with the new calendar card. This streamlined experience eliminates the need to switch tabs or waste time searching for your next meeting, allowing you to focus on what matters most. You can control cards on the New tab page with the NTPCardsVisible policy.
- Chrome 128 on Linux, Mac, Windows

New and updated policies in Chrome browser

Policy	Description
DataControlsRules	Sets a list of Data Controls rules
PromotionsEnabled	Enable showing promotional content
SiteSearchSettings	Provides a list of sites that users can quickly search using shortcuts in the address bar
LensOverlaySettings	Settings for the Lens Overlay feature
ExtensionDeveloperModeSettings	Control the availability of developer mode on extensions page
QRCodeGeneratorEnabled	Enable QR Code Generator
PrintingLPACSandboxEnabled	Enable Printing LPAC Sandbox
HistorySearchSettings	Settings for AI-powered History Search
ChromeForTestingAllowed	Allow Chrome for Testing
ProvisionManagedClientCertificateForUser	Enables the provisioning of client certificates for a managed user or profile
StandardizedBrowserZoomEnabled	Enable Standardized Browser Zoom Behavior
DeletingUndecryptablePasswordsEnabled	Enable deleting undecryptable passwords
EnterpriseCustomLabel	Set a custom enterprise label

Removed policies in Chrome browser

Policy	Description
RemoteAccessHostTokenUrl	URL where remote access clients should obtain their authentication token
RemoteAccessHostTokenValidationUrl	URL for validating remote access client authentication token
EnterpriseBadgingTemporarySetting	Control the visibility of enterprise badging
RemoteAccessHostTokenValidationCertificateIssuer	Client certificate for connecting to RemoteAccessHostTokenValidationUrl
EnforceLocalAnchorConstraintsEnabled	Determines whether the built-in certificate verifier will enforce constraints encoded into trust anchors loaded from the platform trust store.
CertificateTransparencyEnforcementDisabledForLegacyCas	Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities

ChromeOS updates

Snap groups on ChromeOS

In ChromeOS 128, Snap groups allow you to group windows on ChromeOS. A snap group is formed when you pair two windows for a split-screen. You can bring the windows back together, resize them simultaneously, or move them both as a group.

Data processor mode: EU-wide rollout

New data processor mode features and ChromeOS terms are available to the entire EU through the Google Admin console. For more details, see Overview of ChromeOS data processor mode.

As a ChromeOS administrator, you can now activate Data processor mode, which covers a set of ChromeOS features and services referred to as Essential Services.

Privacy controls: Geolocation

Privacy on ChromeOS devices is now easier to manage by adding the ability to control geolocation access to the Settings > Privacy and security > Privacy controls page. Users can now set geolocation access to Allowed, Only allowed for system services, or Off, depending on their preference.

We allow users to block all apps or websites, or entire systems access to geolocation regardless of previously granted permissions, and provide users easy to use controls to re-enable them whenever it would be helpful.

We’ve added a new policy, GoogleLocationServicesEnabled. This controls the availability of geolocation on the device inside of user sessions. Unlike the now deprecated policy below, it affects the entire system, not just the Android VM (Arc).

Deprecation notice (6 months): ArcGoogleLocationServicesEnabled

This is being deprecated in favor of the added GoogleLocationServicesEnabled policy, as it covers the entire system and not just Android VM (Arc). Additionally, we are modifying the effect of the DefaultGeolocationSetting to no longer affect the system geolocation setting.

ChromeOS privacy control reminders on Apps settings page

To use the cameras and microphones on ChromeOS, you need to turn on both privacy controls and app permissions in two separate places.

We are making it easier for users to be aware of the states of the privacy controls and provide actionable reminders on the ChromeOS Apps settings page so that users have a smoother experience. To view the ChromeOS Apps settings page, click Settings >Apps > Manage your Apps, and select the desired app.

Store aggregated vitals data with one-year retention

From ChromeOS 128 onwards, we store aggregated vitals data for one-year retention to better track the progress over time. Vitals data includes Android app performance metrics, such as crash rate, and these metrics will help us improve Android app performance on ChromeOS devices.

OCR in ChromeOS Camera App

Optical Character Recognition (OCR) enables text extraction from images captured in the ChromeOS Camera App by integrating an ML-powered text extraction service. ChromeOS 128 supports 77 languages; it also supports both horizontal and vertical detection. This allows copying and searching text from images, speaking text from images by screen reader, and creating searchable PDFs from images. By default, text detection in Photo mode is disabled and can be enabled from Settings > Text detection in preview.

Magnifier follows ChromeVox

Magnifier following ChromeVox is designed for people who are blind or have low vision. When you read text aloud using ChromeVox, the screen magnifier now automatically follows the words, so you never lose your place. To try this out, you can enable both Magnifier and ChromeVox in your settings. Zoom in to your preferred zoom level using Ctrl + Alt + Brightness up and Ctrl + Alt + Brightness down. A setting is available under the Magnifier settings to adjust this behavior.

Auto Gain Control enabled by default

Auto Gain Control (AGC) allows apps, such as video calling apps, to automatically optimize microphone volume for best audio quality. When auto gain control is enabled and in-use, a message appears in the quick settings panel to inform the user that the microphone gain slider is being overridden. AGC is enabled by default in ChromeOS 128. If you want to manually control the microphone volume even for apps that support AGC, you can go to Settings > Device > Audio and deselect Allow apps to automatically adjust mic volume.

APN management

For ChromeOS cellular-enabled devices, we have made it easier to view, manage, and add Access Point Names (APNs). We’ve also improved registration failure handling and messaging.

Pinned notifications on ChromeOS

ChromeOS notifications help to visually separate pinned notifications from other notifications. ChromeOS 128 significantly differentiates the visual look of pinned notifications from typical notifications to reflect their significant difference - we notify the user of an ongoing process rather than an instantaneous event.

↑ back to top

Admin console updates

Chrome profile separation - new deployment guide

We have created a detailed deployment guide to help you control profile separation in your organization: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings and ProfileSeparationDomainExceptionList.
- Chrome 128 on Windows, Mac, Linux

Chrome Enterprise Data Controls: Clipboard

Data Controls are lightweight rules in the Admin console that set a Chrome policy to control security-sensitive user actions like file attachments, downloads, copy and paste actions, and printing. Chrome blocks or warns the user when these actions happen by applying those rules locally.

Chrome 128 releases the clipboard protection parts of Data Controls, that is, copy and paste actions. Other protections are planned in future releases.

You can control this feature with the DataControlsRules policy.
- Chrome 128 on ChromeOS, Linux, Mac, Windows

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser updates

Tab compare
Starting in Chrome 129 (US-only), we will introduce Tab compare, a new feature that presents an AI-generated overview of products from across multiple tabs, all in one place. This feature will be controlled through the TabCompareSettings policy.
- Chrome 129 on Linux, Mac, Windows

Ad-hoc code signatures for PWA shims on macOS
Code signatures for application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures, which are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.

This will address problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and will permit future improvements for handling user notifications within PWAs on macOS.
- Chrome 129 on Mac

Clear device data on sign out on iOS
Starting in Chrome 129, signing out from a managed account in an unmanaged browser will delete browsing data that is saved on the device. Managed users will be presented a confirmation dialog on sign-out explaining that the data will be cleared. Data will be cleared only from the time of sign-in, otherwise all data will be cleared; time of sign-in is only known if the user signed in on Chrome 122 or later.

The data that will be deleted includes:
- browsing history
- cookies and site data
- passwords
- site settings
- autofill
- cached images and files
- Chrome 129 on iOS

Fallback styles for HTML5 <meter> elements
As early as Chrome 129, HTML5 <meter> elements with `appearance: none` will have a reasonable fallback style that matches Safari and Firefox instead of just disappearing from the page. In addition, developers will be able to custom style the <meter> elements.

A temporary policy MeterAppearanceNoneFallbackStyle will be available until Chrome 133 to control this feature.
- Chrome 129 on Windows, Mac, Linux, Android

Chrome will no longer support macOS 10.15
Chrome will no longer support macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support macOS 10.15.
- Chrome 129 on Mac: Chrome no longer supports macOS 10.15

Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, Mac, Windows: Deprecation of Safe Browsing Extended Reporting

Certificate Manager on Windows and MacOS
As early as Chrome 129, there is a new certificate management settings screen accessible from security settings on Windows and MacOS. This replaces the link to Windows cert manager and MacOS keychain, respectively, although these operating system surfaces are still accessible from the certificate management settings page.

The certificate manager displays certificates that are trusted or distrusted by Chrome, including the contents of the Chrome Root Store, and any certificates that have been imported from the underlying operating system. Users can access the page directly by navigating to chrome://certificate-manager.

A future release will introduce user and enterprise management of certificates added directly to Chrome.
- Chrome 129 on Mac, Windows

New option in HttpsOnlyMode policy
Ask Before HTTP (ABH) , formerly named HTTPS Only/First Modes, is a setting that tells Chrome to ask for user consent before sending insecure HTTP content over the wire. The HttpsOnlyMode policy allows force-enabling, or force-disabling, ABH.

In Chrome 129, we are adding a new middle-ground variant of ABH called balanced mode. This variant aims to reduce user inconvenience by working like (strict) ABH most of the time, but not asking when Chrome knows that an HTTPS connection isn't possible, such as when connecting to a single-label hostname like internal/.

We are adding a force_balanced_enabled policy option to allow force-enabling this new variant. Setting force_balanced_enabled on browsers before Chrome 129 will result in the default behavior, which places no enterprise restrictions on the ABH setting.

To avoid unexpected impact, if you have previously set force_enabled, we recommend not setting force_balanced_enabled until your entire fleet has upgraded to Chrome 129 or higher. If you are not migrating from force_enabled to force_balanced_enabled, you will be unaffected by this change.
- Chrome 129 on Android, ChromeOS, Linux, Mac, Windows, Fuchsia

Sync Tab Group
The tab groups on iOS will now be saved. Closing a tab group will no longer delete it. For users syncing their tabs across devices, the groups will also sync.
- Chrome 129 on iOS

Update Google Play Services to fix issues with on-device passwords
Users with old versions of Google Play Services will experience reduced functionality with their on-device passwords, and Password Manager might soon stop working for them altogether. These users will need to update Play Services, or will be guided through other troubleshooting methods depending on their state. This is part of an ongoing migration that only affects Android users of Password Manager.
- Chrome 129 on Android

Deprecate of non-standard declarative shadow DOM serialization
The prototype implementation, which was shipped in 2020 and then updated in 2023, contained a method called `getInnerHTML()` that could be used to serialize DOM trees containing shadow roots. That part of the prototype was not standardized with the rest of the declarative shadow DOM, and has only recently reached spec consensus (for details, see Github). As part of that consensus, the shape of the getInnerHTML API changed.

This feature represents the deprecation of the previously shipped `getInnerHTML()` method. The replacement is called `getHTML()`, which shipped in Chrome 125. For details, see this ChromeStatus feature description.
- Chrome 129 on Windows, Mac, Linux, Android

Deprecate the includeShadowRoots argument on DOMParser
The includeShadowRoots argument was a never-standardized argument to the DOMParser.parseFromString() function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.
Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() shipped in Chrome 124, the non-standard includeShadowRoots argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
document.parseHTMLUnsafe(html);
- Chrome 129 on Linux, Mac, Windows, Android

Rename inset-area to position-area
The CSS working group (CSSWG) resolved to rename this property from `inset-area` to `position-area`. See the CSSWG discussion in Github.

Chrome has decided to release an interoperable solution, by supporting both property names. We will ship the new property name, `position-area`, as a synonym for `inset-area` first. Then after a suitable amount of time, we will remove `inset-area`. The latter removal will be done under a separate Intent.
- Chrome 129 on Windows, Mac, Linux, Android

Entrust certificate distrust
In response to sustained compliance failures, Chrome 127 changes how publicly-trusted TLS server authentication, that is, websites or certificates issued by Entrust, are trusted by default. This applies to Chrome 127 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.

Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:

    - after October 31, 2024, will no longer be trusted by default.

    - on or before October 31, 2024, will be unaffected by this change.

If a Chrome user or an enterprise explicitly trusts any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.

For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.

To learn more about the Chrome Root Store, see this FAQ.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: All versions of Chrome 127 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after October 31, 2024.
- Chrome 130 on ChromeOS, Linux, Mac, Windows: The blocking action will begin for certificates issued after October 31, 2024. This will also affect Chrome 127, 128 and 129.

Support non-special scheme URLs
Chrome 130 will support non-special scheme URLs correctly. Previously, Chromium's URL parser doesn't support non-special URLs. The parser parses non-special URLs as if they had an “opaque path”, which is not aligned with the URL Standard. Now, Chromium's URL parser parses non-special URLs correctly, following the URL Standard. For more details, see Support Non-Special Scheme URLs .
- Chrome 130 on Windows, Mac, Linux, Android

Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions. You can use the Chromium bug tracker to report any issues you encounter.
- Chrome 130 on Windows: Network Service sandboxed on Windows

Chrome Third-Party Cookie Deprecation (3PCD)
On July 22nd, we announced a new path forward for Privacy Sandbox on the web. Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time. We're discussing this new path with regulators, and will engage with the industry as we roll this out.

For more details, see this Privacy Sandbox update.

User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, Mac, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 130 on Linux, Mac, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).

Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:

1. Checks whether the request has been initiated from a secure context.

2. Sends a preflight request, and checks whether B responds with a header that allows private network access.

There are already features for subresources and workers, but this one is for navigation requests specifically. These checks protect the user's private network.

Since this feature is the warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in the DevTools console, to help developers prepare for the coming enforcement.
- Chrome 130 on Windows, Mac, Linux, Android

Insecure form warnings on iOS
Chrome 125 started to block form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it now displays a warning asking the user to confirm the submission. The goal is to prevent leaking of form data over plain text without user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature, and will be removed in Chrome 130.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed

Chrome extension telemetry integration with Chronicle
As early as Chrome 131, we will begin to collect relevant extension telemetry data from within Chrome, for managed profiles and devices, and send it to Chronicle. Chronicle will analyze the data to provide instant analysis and context on risky activity.
- Chrome 131 on ChromeOS, Linux, Mac, Windows

Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.

However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.

For more detail, see this Chromium blog post.
- Chrome 124 on Windows, Mac, Linux
- Chrome 135 on Android

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Administrators might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Upcoming ChromeOS changes

Update to keyboard shortcut for Select-to-speak

On Chromebooks, the Select-to-speak keyboard shortcut (Search + s) now works when it is first pressed. As early as ChromeOS 129, you will no longer need to enable it first in Settings > Accessibility > Text-to-Speech > Select-to-speak. A dialog appears confirming that you want to turn on Select-to-speak the first time you press the keyboard shortcut.

Chrome Enterprise Premium for file transfers on Managed Guest Sessions

As early as ChromeOS 129, organizations will be able to extend Chrome Enterprise Premium’s powerful scanning and content and context-based protection to local files on ChromeOS on Managed Guest Sessions.

For example, a misplaced file containing Social Security numbers is instantly blocked when a user attempts to copy it to an external drive, safeguarding this confidential information.

ChromeOS XDR Window Events

In ChromeOS 130, window focus events will be available as part of Extended Threat Detection and Response (XDR) on ChromeOS. You will be able to bring windows into focus activities of devices in your managed fleet by simply updating XDR events in the Admin console!

Generative AI wallpapers and video conference backgrounds

As early as ChromeOS 130, we plan to introduce high-resolution, generative AI wallpapers and video-conference meeting backgrounds on ChromeOS. With this feature, you can unleash your creativity and turn your Chromebook into a canvas of personal expression. Choose from a diverse collection of templates and, in just a few clicks, infuse your Chromebook with your unique personality, mood, or interest.

Two new policies will be available to control these features; GenAIVcBackgroundSettings and GenAIWallpaperSettings.

Upcoming Admin console changes

Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.
- Chrome 130 on Android, Linux, Mac, Windows

Admin console widget for data controls
A new settings widget in the Admin console allows users to configure data controls policies for specific URLs.
- Chrome 128 on ChromeOS, Linux, Mac, Windows

Default change for GenAI policies
Starting with 130, we will change the default setting for GenAI policies from switched off to allowed, without improving AI models. This doesn't impact age restrictions on access to any relevant GenAI features. The existing policies that will have the updated default setting are:

↑ back to top

Chrome 127

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
App-bound encryption for cookies	✓
Chrome Profile Separation - policy improvements			✓
Enhanced Safe Browsing promos on iOS	✓
Entrust certificate distrust	✓
Generating insights for DevTools console warnings and errors			✓
HTTPS-First Mode in Incognito	✓
Migrate extensions to Manifest V3 before June 2025	✓	✓	✓
Policy to configure ACG for browser process			✓
Simplified sign-in and sync experience on Android		✓
Additional Safe Browsing telemetry about pages	✓
Updated password management experience on Android	✓	✓
Watermarking	✓
Automatic fullscreen content setting		✓
Deprecate mutation events	✓
Keyboard-focusable scroll containers	✓
Support for not condition in ServiceWorker static routing API	✓
New and updated policies in Chrome browser			✓
Removed policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Chrome Enterprise Premium for file transfers on ChromeOS	✓
ChromeOS video conferencing: DLC states for features		✓
Audio Bluetooth telephony		✓
OCR on Backlight		✓
Firmware update instructions			✓
Read Aloud in Reading Mode		✓
Classroom Glanceables		✓
PDF page deletion and reordering		✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
Configure ChromeOS User & browser settings with Google groups			✓
Add managed browsers to groups for group-based policy management			✓
Filter for popular and recently added settings with policy tags			✓
Revamped ChromeOS device list and details			✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Isolated Web Apps	✓
Rust JSON parser	✓
Clear device data on sign out on iOS			✓
Attribution tags for search engine			✓
Tab Groups on iPad		✓
Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies	✓
Rename position-try-options to position-try-fallbacks	✓
Ad-hoc code signatures for PWA shims on macOS		✓
Chrome will no longer support macOS 10.15	✓		✓
Deprecate Safe Browsing Extended reporting	✓
Deprecation of non-standard declarative shadow DOM serialization	✓
Deprecate the includeShadowRoots argument on DOMParser	✓
Network Service on Windows will be sandboxed			✓
Third-party cookie access in Chrome	✓
User Link capturing on PWAs		✓	✓
Private network access checks for navigation requests: warning-only mode			✓
Insecure form warnings on iOS	✓
Remove policy used for legacy same site behavior			✓
X25519Kyber768 key encapsulation for TLS	✓
UI Automation accessibility framework provider on Windows		✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Snap Groups		✓
Data processor mode: EU-wide rollout	✓
Privacy Hub: Geolocation	✓
Upcoming Admin console changes	Security/ Privacy	User productivity/ Apps	Management
Chrome browser managed profile reporting			✓
Admin console widget for data controls			✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser updates

App-bound encryption for cookies
To improve the security of cookies on Windows, the encryption key used for cookie encryption will be further secured by binding it to Chrome's application identity. This can help protect against malware running at the same privilege as Chrome that might attempt to steal cookies from the system. This does not protect against an attacker who is able to elevate privilege or inject into Chrome's processes.

App-bound Encryption strongly binds encryption keys to the local machine so customers who are using Chrome with roaming profiles may want to consider disabling this security feature otherwise cookies will not be portable between workstations.

An enterprise policy, ApplicationBoundEncryptionEnabled, is available to disable application-bound encryption.
- Chrome 127 on Windows

Chrome Profile Separation - policy improvements
Chrome profiles offer a user-friendly way to keep personal and work browsing data separate, simplifying the experience, preventing data breaches, and ensuring privacy and compliance. We have created three intuitive policies to help you control profile separation in your organization: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings and ProfileSeparationDomainExceptionList. These policies replace ManagedAccountsSigninRestriction and EnterpriseProfileCreationKeepBrowsingData.
- Chrome 127 on Windows, Mac, Linux

Enhanced Safe Browsing promos on iOS
In Chrome 127, users who do not already have Enhanced Safe Browsing enabled see an infobar promoting Enhanced Safe Browsing on the Safe Browsing warning page. We also show a promotion for Enhanced Safe Browsing on the Chrome settings page, for users who do not already have Enhanced Safe Browsing enabled. These promos are not shown to users when the SafeBrowsingProtectionLevel enterprise policy is set to any value.
- Chrome 127 on iOS

Entrust certificate distrust
In response to sustained compliance failures, Chrome 127 changes how publicly-trusted TLS server authentication, that is, website or certificates issued by Entrust, are trusted by default. This applies to Chrome 127 and later on Windows, macOS, ChromeOS, Android, and Linux; iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.

Specifically, TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:

    - after October 31, 2024, will no longer be trusted by default.

    - on or before October 31, 2024, will be unaffected by this change.

If a Chrome user or an enterprise explicitly trusts any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, when explicit trust is conveyed through a Windows Group Policy Object, the Signed Certificate Timestamp (SCT) constraints described above will be overridden and certificates will function as they do today.

For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.

To learn more about the Chrome Root Store, see this FAQ.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: All versions of Chrome 127 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after October 31, 2024.
- Chrome 130 on ChromeOS, Linux, Mac, Windows: The blocking action will begin for certificates issued after October 31, 2024. This will also affect Chrome 127, 128 and 129.

Generating insights for DevTools Console warnings and errors
In Chrome 127, this Generative AI (GenAI) feature becomes available for managed Chrome Enterprise and Education users in supported regions: Generating insights for Chrome DevTools Console warnings and errors. These insights provide a personalized description and suggested fixes for the selected errors and warnings. Admins can control this feature by using the DevToolsGenAiSettings policy.
- Chrome 125 on ChromeOS, Linux, Mac, Windows: Feature becomes available to unmanaged users globally, except Europe, Russia, and China.
- Chrome 127 on ChromeOS, Linux, Mac, Windows: Feature becomes available to managed Chrome Enterprise and Education users in supported regions.

HTTPS-First Mode in Incognito
Starting in Chrome 127, as part of Chrome's move towards HTTPS by default, HTTPS-First Mode is enabled by default in Incognito mode. Users will see a warning before they navigate to sites over insecure HTTP. This can be controlled using the existing enterprise policies HttpsOnlyMode and HttpAllowlist.
- Chrome 127 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows

Migrate extensions to Manifest V3 before June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. Beginning June 2024, starting with Chrome 127 pre-stable versions, Chrome begins to gradually disable Manifest V2 extensions running in the browser.

You can use the ExtensionManifestV2Availability policy to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.

You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core. Read more on the Manifest timeline, including:
- Chrome 127 on ChromeOS, Windows, Mac, Linux: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.

Policy to configure ACG for browser process
A new policy called DynamicCodeSettings is available in Chrome 127. Setting this policy to '1' switches on Arbitrary Code Guard (ACG) for the browser process. ACG prevents dynamic code being generated from within the browser process, which can help prevent potentially hostile code making unauthorized changes to the behavior of the browser process.

Switching on ACG might cause compatibility issues with third-party software that must run inside the browser process.
- Chrome 127 on Windows

Simplified sign-in and sync experience on Android
Chrome 127 launches a simplified and consolidated version of sign-in and sync in Chrome on Android. Chrome sync is no longer shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.

As in earlier releases, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off via SyncTypesListDisabled. Sign-in to Chrome can still be disabled via BrowserSignin.

Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.

The changes are virtually identical to the simplified sign-in and sync experience launched on iOS in 117.
- Chrome 127 on Android

Additional Safe Browsing telemetry about pages
When an Enhanced Safe Browsing user visits a page that triggers vibration, keyboard or pointer lock API, attributes of that page are now sent to Safe Browsing. If the telemetry is sent and the page seems to be malicious, users see a Safe Browsing warning and their keyboard or pointer is unlocked, if they were locked. If you'd like your users to avail of this feature, set MetricsReportingEnabled to true and set the SafeBrowsingProtectionLevel policy to 2.
- Chrome 127 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia

Updated password management experience on Android
On Chrome on Android, some users who are signed-in to Chrome but don't have Chrome sync enabled can now use and save passwords in their Google Account. Relevant policies such as BrowserSignin, SyncTypesListDisabled and PasswordManagerEnabled continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.
- Chrome 127 on Android

Watermarking
This feature allows admins to overlay a watermark on top of a webpage if navigating to it triggers a specific Data loss Prevention (DLP) rule. It will contain a static string displayed as the watermark. Watermarking is available to Chrome Enterprise Premium customers only.
- Chrome 124 on Linux, Mac, Windows: Trusted Tester access
- Chrome 127 on Linux, Mac, Windows: Feature rolls out

Automatic Fullscreen content setting
A new Automatic Fullscreen content setting permits Element.requestFullscreen() without a user gesture, and permits browser dialogs to appear without exiting fullscreen.

The setting is blocked by default and sites cannot prompt for permission. New UI controls are limited to Chrome's settings pages (chrome://settings/content/automaticFullScreen) and the site info bubble. Users can allow Isolated Web Apps, and admins can allow additional origins with the AutomaticFullscreenAllowedForUrls policy.

Combined with Window Management permission and unblocked popups (chrome://settings/content/popups), this unlocks valuable fullscreen capabilities:

- Open a fullscreen popup on another display, from one gesture

- Show fullscreen content on multiple displays from one gesture

- Show fullscreen content on a new display, when it's connected

- Swap fullscreen windows between displays with one gesture

- Show fullscreen content after user gesture expiry or consumption
- Chrome 127 on Windows, Mac, Linux

Deprecate mutation events
Synchronous mutation events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. In Chrome 124, a temporary enterprise policy, MutationEventsEnabled, was introduced to re-enable deprecated or removed mutation events.

Starting in Chrome 127, mutation event support is disabled by default , from around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
For more details, see this post on the Chrome developer blog. You can report any issues on the Chromium issue tracker.
- Chrome 127 on Windows, Mac, Linux, Android

Keyboard-focusable scroll containers
Chrome 127 improves accessibility by making scroll containers focusable using sequential focus navigation.

In previous releases, the tab key did not focus scrollers unless tabIndex was explicitly set to 0 or more.

By making scrollers focusable by default, users who can't (or don't want to) use a mouse can now focus clipped content using keyboard tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a <textarea>.
- Chrome 127 on Windows, Mac, Linux, Android

Support for not condition in ServiceWorker static routing API
The ServiceWorker static routing API is an API used for routing the request to the network, the ServiceWorker fetch handler, or directly looking up from cache, and so on. Each route consists of a condition and a source, and the condition is used for matching the request.

For Chromium implementations, the or condition is only the supported condition. However, to write the condition more flexibly, supporting the not condition is expected, which matches the inverted condition inside.
- Chrome 127 on Windows, Mac, Linux, Android

New and updated policies in Chrome browser

Policy	Description
DynamicCodeSettings	Policy controls the dynamic code settings
CSSCustomStateDeprecatedSyntaxEnabled	Controls whether the deprecated :--foo syntax for CSS custom state is enabled
KeyboardFocusableScrollersEnabled	Enable keyboard focusable scrollers

Removed policies in Chrome browser

Policy	Description
BlockTruncatedCookies	Block truncated cookies
UserAgentClientHintsGREASEUpdateEnabled	Control the User-Agent Client Hints GREASE Update feature

ChromeOS updates

Chrome Enterprise Premium for file transfers on ChromeOS

Chrome Enterprise Premium is a zero trust solution that enables secure access to applications and resources, and offers integrated threat and data protection.

We are now allowing organizations to extend Chrome Enterprise Premium’s powerful scanning and content and context-based protection to local files on ChromeOS.

For example, a misplaced file containing Social Security numbers is instantly blocked when a user attempts to copy it to an external drive, safeguarding this confidential information.

For more details, see Protect Chrome users with Chrome Enterprise Premium; this article contains detailed guidance for both IT administrators and users.

ChromeOS Video Conferencing: DLC States for features

ChromeOS 127 introduces a visual enhancement for Downloadable Content (DLC) in the video control panel. This release now adds status indicators for Noise Cancellation, Live Captions, Relighting, and Blur.

Audio Bluetooth Telephony

ChromeOS now supports call control buttons on compatible Bluetooth headsets, including answering, rejecting or terminating a call, and muting the microphone.

OCR on Backlight

ChromeOS is launching a PDF OCR AI reader on Gallery, enabling reading for inaccessible documents, further filling the gap in accessibility for low vision and blind users that use a screen reader. ChromeOS leverages its machine learning models to extract, compartmentalize, and section PDF documents to make them more accessible on the Gallery app for ChromeVox users.

Firmware update app: Update Instructions for peripheral devices

The Firmware Updates app on ChromeOS now supports updating peripherals that require user action during the update, for example, unplugging and re-plugging the peripheral. When an update is available for one of these devices, the user will be guided with clear, step-by-step instructions. For most existing peripherals, the update experience remains unchanged.

Read aloud in Reading Mode

As early as ChromeOS 127, Read Aloud will bring Google's high quality voices to Chrome Reading Mode for users to leverage Text to Speech to read content on the web. The goal of Read Aloud is to help people who have difficulty reading to understand long-form text. The new Read Aloud feature in Reading Mode on Chrome desktop allows users to hear the text they are reading, which improves focus and comprehension.

Classroom Glanceables

Students can now quickly view and access their upcoming Classroom assignments one click away on their Chromebook home screen. Users can see this new feature if they are logged into a Chromebook with an account where they are enrolled in active courses in Google Classroom. Users can find this feature by clicking on the date chip on the shelf of their Chromebook if they are logged into an account, where they will see the new panel which can view lists of their upcoming, due, missing and completed assignments.

PDF Page deletion and reordering

The Gallery app in ChromeOS now supports more options for editing PDF pages. You can now delete or reorder pages within a PDF via mouse or by using keyboard shortcuts.

PDF page deletion:

PDF page reorder:

↑ back to top

Admin console updates

Configure ChromeOS User & browser settings with Google groups

Admins can now use Google groups to manage ChromeOS User & browser settings in the Admin console and API. Admins can use new or existing Google Groups to configure User & browser settings in their organizations. When admins need to configure a policy for a specific set of users–who might belong to different organizational units (OUs)–they can use the flexibility of groups without needing to reconfigure their OUs. To learn more, see Managing group-based policies.

Today, the majority of user settings are configurable by Groups, with most of the remaining settings available in the coming months. Available settings are automatically filtered and displayed when admins select a particular group.

Add managed browsers to groups for group-based policy management

Admins can now add managed Chrome browsers to Google groups, thereby allowing them to specify User & browser policies and extension settings for a group of browsers. Managed browsers can be assigned to multiple groups, which allows IT administrators to have more flexibility to manage Chrome browsers using cloud management.

Filter for popular and recently added settings with policy tags

The Admin console now provides options to filter settings by recently added and popular. With these new filters, you’ll be able to see our newest settings as well as see some of our most popular and relevant Chrome settings.

Revamped ChromeOS device list and details

The Admin console devices page redesigned with a proactive and actionable notification for your fleet of devices.

Notifications module: Easily identify and address device issues with the new Notifications module, providing an overview of ongoing problems in your fleet.

Centralized dashboards: Quickly access all the information and reports you need about your fleet, all in one convenient location – the Dashboards tab.

Revamped device list page: Find more detailed information about your devices with new tabs (General, OS, Hardware, Network, and Policy), device-specific notifications, and a new card design for improved readability.

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming browser changes

Isolated Web Apps
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering that is necessary for developers of security-sensitive applications.

Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the explainer.

In this initial release IWAs will only be installable through an admin policy on enterprise-managed ChromeOS devices.
- Chrome 128 on ChromeOS

Rust JSON parser
As early as Chrome 128, Chrome will parse JSON using Rust, rather than C++. This will remove the risk of memory safety vulnerabilities in the JSON parser, improving security. This change should be transparent to users. There is a small risk that some invalid JSON (which Chrome currently accepts) no longer being accepted, although the Rust parser remains extremely lenient.
- Earliest Chrome 128: Chrome will parse JSON using Rust

Clear device data on sign out on iOS
Starting in Chrome 128, signing out from a managed account in an unmanaged browser will delete browsing data that is saved on the device. Managed users will be presented a confirmation dialog on sign-out explaining that the data will be cleared. Data will be cleared only from the time of sign-in, otherwise all data will be cleared; time of sign-in is only known if the user signed in on Chrome 122 or later.

The data that will be deleted includes:
- browsing history
- cookies and site data
- passwords
- site settings
- autofill
- cached images and files
- Chrome 128 on iOS

Attribution tags for Search Engine
As part of our Digital Markets Act (DMA) compliance, Google is introducing choice screens for users to choose their default search engine within Chrome. The choice from the prompt controls the default search engine setting, currently available at chrome://settings/search.

Selections from this screen will have their search URL appended with an attribution tag for use by third party search engines to attribute traffic from selections originating from the search engine choice screen. This change will not be applied for Education-configured organizations or Enterprises with metrics or usage statistics turned off.

For enterprises that have chosen to have their administrator set their enterprise users’ search settings using the enterprise policies DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, those policies continue to control their enterprise search settings. Where the administrator has not set their enterprise users’ search settings by policy, enterprise users might see a prompt to choose their default search engine within Chrome.

Read more about these policies and the related atomic group.
- Chrome 128 on Android, iOS, ChromeOS, LaCrOS, Linux, Mac, Windows

Tab Groups on iPad
Chrome for iPad users can create and manage tab groups. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 128 on iOS

Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies
Chrome 128 adds a cross-site ancestor bit to the keying of the partitioned cookie's CookiePartitionKey. This change unifies the partition key with the partition key values used in storage partitioning and adds protection against clickjacking attacks by preventing cross-site embedded frames from having access to the top-level-site's partitioned cookies.

If an enterprise experiences any breakage with embedded iframes, they can use the CookiesAllowedForUrls policy or use SameSite=None cookies without the Partitioned attribute and then invoke the Storage Access API (SAA) to ensure that embedded iframes have access to the same cookies as the top level domain.
- Chrome 128 on Windows, Mac, Linux

Rename position-try-options to position-try-fallbacks
The CSS working group (CSSWG) resolved to rename this property, because fallbacks more accurately describe what this property controls. The word options is a bit unclear, since the styles outside of `position-try` blocks will be tested first, and if they result in a layout that fits within the containing block, none of the options will get used. So fallbacks is a better word to describe this behavior. For more details, see Github.
- Chrome 128 on Windows, Mac, Linux, Android

Ad-hoc code signatures for PWA shims on macOS
Code signatures for the application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures that are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.

This will address problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and will permit future improvements for handling user notifications within PWAs on macOS.
- Chrome 129 on Mac

Chrome will no longer support macOS 10.15
Chrome will no longer support macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support macOS 10.15.
- Chrome 129 on Mac: Chrome no longer supports macOS 10.15

Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 129 on Android, iOS, ChromeOS, Linux, Mac, Windows: Deprecation of Safe Browsing Extended Reporting

Deprecation of non-standard declarative shadow DOM serialization
The prototype implementation, which was shipped in 2020 and then updated in 2023, contained a method called `getInnerHTML()` that could be used to serialize DOM trees containing shadow roots. That part of the prototype was not standardized with the rest of declarative shadow DOM, and has only recently reached spec consensus (for details, see Github). As part of that consensus, the shape of the getInnerHTML API changed.

This feature represents the deprecation of the previously shipped `getInnerHTML()` method. The replacement is called `getHTML()`, which shipped in Chrome 125. For details, see this ChromeStatus feature description.
- Chrome 129 on Windows, Mac, Linux, Android

Deprecate the includeShadowRoots argument on DOMParser
The includeShadowRoots argument was a never-standardized argument to the DOMParser.parseFromString() function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.
Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() shipped in Chrome 124, the non-standard includeShadowRoots argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
document.parseHTMLUnsafe(html);
- Chrome 129 on Linux, Mac, Windows, Android

Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions. You can use the Chromium bug tracker to report any issues you encounter.
- Chrome 130 on Windows: Network Service sandboxed on Windows

Third-party cookie access in Chrome

On 22 July 2024, we announced a new path forward for the Privacy Sandbox on the web. Instead of deprecating third-party cookies, we plan to introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing. They would be able to adjust that choice at any time. We're discussing this new path with regulators, and will engage with the industry as we roll this out.

For more details, see this Privacy Sandbox update.

User Link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, Mac, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 130 on Linux, Mac, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).

Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:

1. Checks whether the request has been initiated from a secure context.

2. Sends a preflight request, and checks whether B responds with a header that allows private network access.

There are already features for subresources and workers, but this one is for navigation requests specifically. These checks protect the user's private network.

Since this feature is the warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in the DevTools console, to help developers prepare for the coming enforcement.
- Chrome 130 on Windows, Mac, Linux, Android

Insecure form warnings on iOS
Chrome 125 started to block form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it now displays a warning asking the user to confirm the submission. The goal is to prevent leaking of form data over plain text without user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature, and will be removed in Chrome 130.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed

Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.

However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.

For more detail, see this Chromium blog post.
- Chrome 124 on Windows, Mac, Linux
- Chrome 135 on Android

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Administrators might use the UiAutomationProviderEnabled enterprise policy, available from Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows:The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Upcoming ChromeOS changes

Snap groups on ChromeOS

As early as ChromeOS 127, Snap groups will allow you to group windows on ChromeOS. A snap group is formed when a user pairs two windows for a split-screen. The windows can then be brought back together, resized simultaneously, or moved as a group.

Data processor mode: EU-wide rollout

In ChromeOS 128, new data processor mode features and ChromeOS terms will be made available to the entire EU through the Google Admin console. For more details, see Overview of ChromeOS data processor mode.

As a ChromeOS administrator, you’ll have the option to activate Data processor mode, which covers a set of ChromeOS features and services referred to as Essential Services.

Privacy Hub: Geolocation

As early as ChromeOS 128, we will make privacy on Chromebooks easier to manage by adding the ability to control geolocation access to the privacy controls page. Users will be able to set geolocation access to Allowed, System Only, or Blocked depending on their preference.

We will allow users to block all apps or websites, or entire systems access to geolocation regardless of previously granted permissions, and provide users easy to use controls to re-enable them whenever it would be helpful.

Upcoming Admin console changes

Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.
- Chrome 130 on Android, Linux, Mac, Windows

Admin console widget for data controls
A new settings widget in the Admin console allows users to configure data controls policies for specific URLs.
- Chrome 128 on ChromeOS, Linux, Mac, Windows

↑ back to top

Chrome 126

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
Chrome Third-Party Cookie Deprecation (3PCD)	✓
Extract text from PDFs for screen reader users		✓
Memory Saver aggressiveness		✓
Out of process iframe PDF viewer		✓
Reactive prefetch on Desktop	✓
Tab Groups on iPad		✓
UI Automation accessibility framework provider on Windows			✓
Removing support for UserAgentClientHintsGREASEUpdateEnabled	✓		✓
Align navigator.cookieEnabled with spec	✓
Search with Google Lens		✓
New and updated policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Extended auto-update opt-in			✓
Digital zoom with super resolution		✓
Set up new Chromebook with Android phone		✓
Instant Hotspot		✓
Enhanced firmware updates	✓		✓
Web apps to capture multiple surfaces		✓
Captive portal for managed networks	✓		✓
Turn off overscroll behavior		✓
Turn off cursor blink rate		✓
Magnifier can follow Select to Speak focus		✓
Supervised user extensions installation flow		✓
Multi-calendar support		✓
New policy to control Kiosk wake and sleep times			✓
Locale expansion for Live Captions and Dictation		✓
Show wildcard URLs in Data Controls reporting			✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
Custom configurations for IT admins			✓
Interactive setup guides for Chrome Enterprise Core			✓
New policies in the Admin console			✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Entrust certificate distrust	✓
App-bound encryption for cookies	✓
Chrome extension telemetry integration with Chronicle	✓
Generating insights for DevTools console warnings and errors			✓
Migrate extensions to Manifest V3 before June 2025	✓	✓	✓
Network Service on Windows will be sandboxed	✓
Simplified sign-in and sync experience on Android		✓
Telemetry about pages that trigger keyboard and pointer Lock APIs	✓
Updated password management experience on Android	✓	✓
Watermarking	✓
Automatic fullscreen content setting		✓
Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies			✓
Deprecate mutation events	✓
Keyboard-focusable scroll containers	✓
Support for not condition in Service Worker static routing API	✓
Ad-hoc code signatures for PWA shims on macOS		✓
Deprecate Safe Browsing Extended reporting	✓
Chrome will no longer support macOS 10.15	✓		✓
User link capturing on PWAs		✓	✓
Deprecate the includeShadowRoots argument on DOMParser	✓
Insecure form warnings on iOS	✓
Private network access checks for navigation requests: warning-only mode	✓
Remove enterprise policy used for legacy same site behavior			✓
X25519Kyber768 key encapsulation for TLS	✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Snap Groups		✓
Read Aloud in Reading Mode		✓
Upcoming Admin console changes	Security/ Privacy	User productivity/ Apps	Management
Filter for popular and recently added settings with policy tags			✓
Chrome browser managed profile reporting			✓
Group based policy for Chrome browser			✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome Enterprise and Education release notes are published in line with the Chrome release schedule, on the Early Stable date for Chrome browser.

Chrome browser updates

Chrome Third-Party Cookie Deprecation (3PCD)
Third party cookies will be restricted in a future release of Chrome. Currently, they are restricted by default for 1% of Chrome users to allow sites to preview the user experience without third-party cookies. Most enterprises are excluded from this group automatically and admins can use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies if needed.

End users can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site when necessary. See this help article for more details on how to toggle these settings for the desired configuration. Bounce tracking protections are enforced when the bouncing site is not permitted to use 3P cookies, and are controllable with the same policies. Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial or the first-party deprecation trial for continued access to third-party cookies for a limited period of time.

For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, macOS, Windows
  1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.

Extract text from PDFs for screen reader users
Chrome browser now launches an optical character recognition (OCR) AI reader for PDFs, creating a built-in PDF screen reader for inaccessible documents, further filling the gap in accessibility for low vision and blind users across the web.

This feature leverages Google's OCR models to extract, compartmentalize, and section PDF documents to make them more accessible. A local machine intelligence library will be added that uses Screen AI technology to analyze screenshots or the accessibility tree, and extract more information to help assistive technology, such as texts (OCR) and main content of the page.
- Chrome 126 on ChromeOS, Linux, Mac, Windows: Already fully launched on ChromeOS. Ramping up from 50% Canary/Dev/Beta to Stable on Linux, Mac, and Windows.

Memory Saver aggressiveness
Memory Saver is a feature that deactivates unused tabs to free up memory on a user's device. There is an existing policy, HighEfficiencyModeEnabled, which allows administrators to control the Memory Saver feature. A new policy called MemorySaverModeSavings allows you to configure how aggressive the Memory Saver is when deciding to deactivate tabs. Choose the conservative option to deactivate fewer tabs or the aggressive one to get the most memory savings.
- Chrome 126 on ChromeOS, LaCrOS, Linux, Mac, Windows: The feature will roll out gradually to all platforms.

Out of process iframe PDF viewer
In Chrome 126, some users use an out-of-process iframe (OOPIF) architecture for the PDF viewer. This is the new PDF viewer architecture, as it is simpler and makes adding new features easier. An enterprise policy, PdfViewerOutOfProcessIframeEnabled, is available to revert to using the original PDF viewer architecture.
- Chrome 126 on Linux, Mac, Windows

Reactive prefetch on Desktop
This feature enables prefetching of subresources during a navigation, to speed up navigations and load new pages faster. The subresources prefetched are predicted by a Google-owned service, and the browser shares the URL of pages being navigated to with this service, to retrieve predictions. You can control this feature using the UrlKeyedAnonymizedDataCollectionEnabled policy.
- Chrome 126 on ChromeOS, LaCrOS, Linux, Mac, Windows

Tab Groups on iPad
Chrome for iPad users can create and manage tab groups. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 126 on iOS

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome starts to directly support accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome using a compatibility shim in Microsoft Windows. This change improves the user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and it improves third-party apps that use Windows's UI Automation accessibility framework. Chrome users now find reduced memory usage and processing overhead when using accessibility tools. It also eases development of software using assistive technologies.
Administrators can use the UiAutomationProviderEnabled enterprise policy, introduced in Chrome 125, to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they can fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows: The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Removing support for UserAgentClientHintsGREASEUpdateEnabled
Chrome 126 removes the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year.
- Chrome 124 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 126 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed

Align navigator.cookieEnabled with spec
navigator.cookieEnabled currently indicates if the user agent attempts to handle cookies in a given context. A change in Chrome, shipping as part of third-party cookie deprecation (3PCD), would cause it to indicate whether unpartitioned cookie access is possible (causing it to return false in most cross-site iframes). We should restore the prior behavior of navigator.cookieEnabled which indicated only if cookies were enabled or disabled for the site and rely on the cross-vendor function document.hasStorageAccess to indicate if unpartitioned cookie access is possible.
- Chrome 126 on Windows, Mac, Linux, Android

Search with Google Lens
As early as Chrome 126, users will be able to search any images or text they see on their screen with Google Lens. To use this feature, go to a website and click Search with Google Lens on the on-focus omnibox chip, on the right-click menus, or on the 3-dot menu. Users can click, highlight, or drag anywhere on the screen to search its contents, and refine their search by adding keywords or questions to the searchbox. Admins can control the feature through a policy called LensOverlaySettings. To perform the search, a screenshot of the screen is sent to Google servers but it is not linked to any IDs or accounts, it is not viewed by any human, and data about its contents is not logged.

We are rolling out this feature gradually in Chrome 126 and we plan to launch fully in Chrome 127.
- Chrome 126 on ChromeOS, Linux, Mac, Windows: Rollout of the feature at 1% Stable and LensOverlaySettings becomes available
- Chrome 127: Rollout to 100% stable

New and updated policies in Chrome browser

Policy	Description
LensOverlaySettings	Settings for the Lens Overlay feature
MemorySaverModeSavings	Change Memory Saver Mode Savings
ProvisionManagedClientCertificateForUser	Enables the provisioning of client certificates for a managed user or profile
PdfViewerOutOfProcessIframeEnabled	Use out-of-process iframe PDF Viewer

ChromeOS updates

Extended auto-update opt-in and policy

ChromeOS provides 10 years of OS updates for security, stability, and performance improvements. Most devices will receive these updates automatically. For a subset of older devices, users and administrators can now opt in to extended updates to get a full 10 years of support.

For details, see our Help Center article.

Digital zoom with super resolution

The built-in Camera app now supports zooming on cameras that do not have optical zoom motors, including the built-in camera. On selected high-performance Chromebooks, AI-based super resolution may be applied to further enhance the images.

Set up new Chromebook with Android phone

You can now set up a new Chromebook using your Android phone. By establishing a secure connection between your phone and the Chromebook, you can automatically transfer your Wi-Fi and Google Account login information without needing to manually enter your passwords. This is available for unmanaged users only.

Instant Hotspot

ChromeOS 126 renames the Instant Tethering feature to Instant Hotspot.

Enhanced firmware updates

ChromeOS 126 supports firmware updates on a wide variety of additional peripherals. This significantly reduces the overhead and time needed to make new firmware updates available.

Web apps to capture multiple surfaces

Web apps can now capture multiple surfaces at once. This feature introduces a new API getAllScreensMedia() that allows developers to request several surfaces at once (instead of only one with getDisplayMedia()). This API auto-accepts capture requests, for managed sessions only, guarded by policies that have to be explicitly set by the device owners and with clear usage indicators so that users are aware of capturing at all times. For details, see our Help Center article.

Captive portal for managed networks

Given that captive portal detection is always disabled for managed networks, administrators are unable to configure the ChromeOS device to auto connect to captive portal networks or to detect that the captive portal exists. If they do make the captive portal network managed, users have to manually open a browser and connect to an HTTP site that can then be redirected to a portal sign in page. We’ve added a new policy, CaptivePortalAuthenticationIgnoresProxy, which allows admins to force portal detection.

Turn off overscroll behavior

A new setting is available to turn on and off the swipe gesture to navigate between pages. This feature is also known as overscroll or overscrolling pages. This setting is found under Settings > Accessibility > Cursor and touchpad > Use a swipe gesture to navigate between pages.

Turn off cursor blink rate

A new setting is available to turn off the blinking text cursor under Settings > Accessibility > Keyboard and text input > Text cursor blink rate. Customers with photosensitive seizure triggers and cognitive differences may want to turn off the blinking text cursor.

Magnifier to follow Select to Speak

Magnifier following Select to Speak is a feature designed for people who have low vision, but may be beneficial for anyone who enjoys reading text at larger sizes. When you read text aloud using Select to Speak, the screen magnifier will automatically follow the words, so you never lose your place. To try this out you can enable both Magnifier and Select to Speak in your settings. Zoom in to your preferred zoom level using Ctrl + Alt + Brightness up and Ctrl + Alt + Brightness down. Select the text you want to read out and press the Select to Speak play button, or Search + S. A setting is available under the Magnifier settings to adjust this behavior.

Supervised user extensions installation

For supervised accounts managed via Family Link, we are separating the parental control for Permissions for sites, extensions, and apps to give parents more granular control. Parents now have two options to choose from: Permissions for apps and Extensions. The impact on supervised accounts is that a parent can now allow extensions installations with or without approval. Previously, parents could block extensions but had no way to allow them without approval.

Multi-calendar support

We are launching multi-calendar support to allow users view all events from multiple calendars that they have selected within their Google Calendar.

New policy to control Kiosk wake and sleep times

ChromeOS 126 introduces a new kiosk device policy that allows Admins to schedule when a device will wake and sleep. For more details, see Kiosk settings.

Locale expansion for Live Captions and Dictation

ChromeOS 126 expands support for live captions from 1 to 6 languages and dictation from 1 to 18 locales. We now use a new voice recognition model that provides additional battery savings.

Live captions on ChromeOS can be used on videos played with the Gallery player app, in YouTube, in Google Meet, in Zoom, or social media sites. To see or change your current live captions language, select Settings > Audio and captions > Live Caption > Manage languages. For more information on live captions, see this Help Center article.

Dictation is available on Google Docs, or in any other text input by enabling dictation in the taskbar, clicking the Mic button, and speaking. To see or change your dictation language, select Settings > Accessibility > Keyboard and text input > Dictation > Language. For more information on dictation, see this Help Center article.

Show wildcard URLs in Data Controls reporting

ChromeOS Data Control rules allow admins to define source and destination URLs as a wildcard (*) value. ChromeOS data control events are reported under the Chrome audit report and can be viewed in the Admin console or other platforms through the Chrome Reporting Connector. When examining log events, the URL that triggered the rule is now reported, instead of the wildcard.

Admin console updates

Custom configurations for IT admins

The Custom Configurations page allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As a result, all Chrome policies are now configurable in Chrome Enterprise Core, either using the Settings page or the Custom Configurations page. You can also use the page to configure extension installation mode not supported in the Admin console, such as normal_installed. This feature is available for browsers enrolled at the machine-level.
- As early as Chrome 126 on Android, iOS, Linux, MacOS, Windows: Trusted Tester access
- As early as Chrome 127 on Android, iOS, Linux, MacOS, Windows: Feature rolls out

Interactive setup guides for Chrome Enterprise Core

The Chrome Enterprise team introduces new interactive setup guides for browser management in the Admin console, where administrators can choose a journey they’re interested in and get hands-on training in related Chrome setup guides. For example, the guides can be used to learn how to:
- Create test organizational units
- Turn on reporting
- Enroll browsers
- Apply browser policies
- Configure extension settings
- Create an admin user
These guides are ideal for new administrators or for administrators who wish to learn new journeys.
- As early as Chrome 126: Feature rolls out

New policies in Admin console

Policy Name	Pages	Supported on	Category/Field
DeviceExtendedAutoUpdateEnabled	Device	ChromeOS	Device update settings
LocalUserFilesAllowed	Users & Browser	ChromeOS	User experience
ScreenCaptureLocation	Users & Browser	ChromeOS	User experience

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming browser changes

Entrust certificate distrust
In response to sustained compliance failures, Chrome is changing how publicly-trusted TLS server authentication, that is, website, certificates issued by Entrust will be trusted by default in Chrome 127 and greater on Windows, macOS, ChromeOS, Android, and Linux. iOS policies do not allow use of the Chrome Root Store in Chrome for iOS.

Specifically:

- TLS certificates validating to the Entrust root CA certificates included in the Chrome Root Store and issued:

    - after October 31, 2024, will no longer be trusted by default.

    - on or before October 31, 2024, will be unaffected by this change.

Should a Chrome user or enterprise explicitly trust any of the affected Entrust certificates on a platform and version of Chrome relying on the Chrome Root Store, for example, explicit trust is conveyed through a Windows Group Policy Object, the SCT-based constraints described above will be overridden and certificates will function as they do today.

For additional information and testing resources, see Sustaining Digital Certificate Security - Entrust Certificate Distrust.

To learn more about the Chrome Root Store, see this FAQ.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: All versions of Chrome 127 and higher that rely on the Chrome Root Store will honor the blocking action, but the blocking action will only begin for certificates issued after October 31, 2024.
- Chrome 130 on ChromeOS, Linux, Mac, Windows: The blocking action will begin for certificates issued after October 31, 2024. This will also affect Chrome 127, 128 and 129.

App-bound encryption for cookies
To improve the security of cookies on Windows, the encryption key used for cookie encryption will be further secured by binding it to Chrome's application identity. This can help protect against malware that might attempt to steal cookies from the system. This does not protect against an attacker who is able to elevate privilege or inject into Chrome's processes.

An enterprise policy, ApplicationBoundEncryptionEnabled, is available to disable application-bound encryption.
- Chrome 127 on Windows

Chrome extension telemetry integration with Chronicle
We plan to collect relevant extension telemetry data from within Chrome, for managed profiles and devices, and send it to Chronicle. Chronicle will analyze the data to provide insight and context on risky activity.
- Chrome 127 on ChromeOS, LaCrOS, Linux, Mac, Windows

Generating insights for DevTools console warnings and errors
In Chrome 125, a new Generative AI (GenAI) feature became available for unmanaged users: Generating insights for Chrome DevTools Console warnings and errors. These insights provide a personalized description and suggested fixes for the selected errors and warnings. Initially, this feature is only available to users (18+) in English. Admins can control this feature by using the DevToolsGenAiSettings policy.
- Chrome 125 on ChromeOS, Linux, Mac, Windows: Feature becomes available to unmanaged users globally, except Europe, Russia, and China.
- Chrome 127 on ChromeOS, Linux, Mac, Windows: Feature becomes available to managed Chrome Enterprise and Education users in supported regions.

Migrate extensions to Manifest V3 before June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. Beginning June 2024, starting with Chrome 127 pre-stable versions, Chrome will gradually disable Manifest V2 extensions running in the browser. An enterprise policy, ExtensionManifestV2Availability , can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year, June 2025, at which point the policy will be removed.

You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core. Read more on the Manifest timeline, including:
- Chrome 127 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.

Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions. You can report any issues you encounter.
- Chrome 127 on Windows: Network Service sandboxed on Windows

Simplified sign-in and sync experience on Android
Chrome will launch a simplified and consolidated version of sign-in and sync in Chrome on Android. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.

As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off via SyncTypesListDisabled. Sign-in to Chrome can be disabled via BrowserSignin as before.

Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.

The changes are virtually identical to the simplified sign-in and sync experience launched on iOS in 117.
- Chrome 127 on Android

Telemetry about pages that trigger keyboard and pointer Lock APIs
When an Enhanced Safe Browsing user visits a page that triggers keyboard or pointer lock API, attributes of that page will be sent to Safe Browsing.

If the telemetry is sent and the page seems to be malicious, users will see a Safe Browsing warning and their keyboard or pointer will be unlocked if they were locked.
- Chrome 127 on Android, ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia

Updated password management experience on Android
On Chrome on Android, some users who are signed-in to Chrome but don't have Chrome sync enabled will be able to use and save passwords in their Google Account. Relevant enterprise policies such as BrowserSignin, SyncTypesListDisabled and PasswordManagerEnabled will continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.
- Chrome 127 on Android

Watermarking
This feature will allow admins to overlay a watermark on top of a web page if navigating to it triggers a specific DLP rule. It will contain a static string displayed as the watermark. Watermarking will be available to Chrome Enterprise Premium customers.
- Chrome 124 on Linux, Mac, Windows: Trusted Tester access
- Chrome 127 on Linux, Mac, Windows: Feature rolls out

Automatic Fullscreen content setting
A new Automatic Fullscreen content setting permits Element.requestFullscreen() without a user gesture, and permits browser dialogs to appear without exiting fullscreen.

The setting is blocked by default and sites cannot prompt for permission. New UI controls are limited to Chrome's settings pages (chrome://settings/content/automaticFullScreen) and the site info bubble. Users can allow Isolated Web Apps, and enterprise admins can allow additional origins with the AutomaticFullscreenAllowedForUrls policy.

Combined with Window Management permission and unblocked popups (chrome://settings/content/popups), this unlocks valuable fullscreen capabilities:

- Open a fullscreen popup on another display, from one gesture

- Show fullscreen content on multiple displays from one gesture

- Show fullscreen content on a new display, when it's connected

- Swap fullscreen windows between displays with one gesture

- Show fullscreen content after user gesture expiry or consumption
- Chrome 127 on Windows, Mac, Linux

Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies
Chrome 127 will add a cross-site ancestor bit to the keying of the partitioned cookie's CookiePartitionKey. This change unifies the partition key with the partition key values used in storage partitioning and adds protection against clickjacking attacks by preventing cross-site embedded frames from having access to the top-level-site's partitioned cookies.

If an enterprise experiences any breakage with embedded iframes, they can use the CookiesAllowedForUrls policy or use SameSite=None cookies without the Partitioned attribute and then invoke the Storage Access API (SAA) to ensure that embedded iframes have access to the same cookies as the top level domain.
- Chrome 127 on Windows, Mac, Linux

Deprecate mutation events
Synchronous mutation events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.

Mutation event support will be disabled by default starting in Chrome 127, around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:
- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.
- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.
Please see this blog post for more detail. Report any issues here.
- Chrome 127 on Windows, Mac, Linux, Android

Keyboard-focusable scroll containers
Making scroll containers focusable using sequential focus navigation greatly improves accessibility. Today, the tab key doesn't focus scrollers unless tabIndex is explicitly set to 0 or more.

By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using a keyboard's tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a <textarea>.
- Chrome 127 on Windows, MacOS, Linux, Android

Support for not condition in Service Worker static routing API
The Service Worker static routing API is an API used for routing the request to the network, the Service Worker fetch handler, or directly looking up from cache, and so on. Each route consists of a condition and a source, and the condition is used for matching the request.

For Chromium implementations, the or condition is the only supported condition. However, to write the condition more flexibly, supporting the not condition is expected, which matches the inverted condition inside.
- Chrome 127 on Windows, Mac, Linux, Android

Ad-hoc code signatures for PWA shims on macOS
Code signatures for the application shims that are created when installing a Progressive Web App (PWA) on macOS are changing to use ad-hoc code signatures that are created when the application is installed. The code signature is used by macOS as part of the application's identity. These ad-hoc signatures will result in each PWA shim having a unique identity to macOS; currently every PWA looks like the same application to macOS.

This will address problems when attempting to include multiple PWAs in the macOS Open at Login preference pane, and will permit future improvements for handling user notifications within PWAs on macOS.
- Chrome 128 on Mac

Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 128 on Android, iOS, ChromeOS, Linux, Mac, Windows: Deprecation of Safe Browsing Extended reporting

Chrome will no longer support macOS 10.15
Chrome will no longer support macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support macOS 10.15.
- Chrome 129 on Mac: Chrome no longer supports macOS 10.15

User link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, MacOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 129 on Linux, Mac, Windows: Launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if the user clicks on chip on address bar).

Deprecate the includeShadowRoots argument on DOMParser
The includeShadowRoots argument was a never-standardized argument to the DOMParser.parseFromString() function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.
Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() will ship in Chrome 129, the non-standard includeShadowRoots argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
(new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
document.parseHTMLUnsafe(html);
- Chrome 129 on Linux, Mac, Windows, Android

Insecure form warnings on iOS
Chrome 125 blocks form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it will display a warning asking the user to confirm the submission. The goal is to prevent leaking form data over plain text without user's explicit approval. A policy called InsecureFormsWarningsEnabled is available to control this feature.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed

Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:

1. Checks whether the request has been initiated from a secure context

2. Sends a preflight request, and checks whether B responds with a header that allows private network access.

There are already features for subresources and workers, but this one is for navigation requests specifically.

These checks protect the user's private network. Since this feature is the warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in the DevTools, to help developers prepare for the coming enforcement.
- Chrome 130 on Windows, Mac, Linux, Android

Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the InsecureFormsWarningsEnabled policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 132 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.

However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.

Please see this blog post for more detail.
- Chrome 124 on Windows, Mac, Linux
- Chrome 135 on Android

↑ back to top

Upcoming ChromeOS changes

Snap groups on ChromeOS

As early as ChromeOS 127, Snap groups will allow you to group windows on ChromeOS. A snap group is formed when a user pairs two windows for a split-screen. The windows can then be brought back together, resized simultaneously, or moved as a group.

Read aloud in Reading Mode

As early as ChromeOS 127, Read Aloud will bring Google's high quality voices to Chrome Reading Mode for users to leverage Text to Speech to read content on the web. The goal of Read Aloud is to help people who have difficulty reading to understand long-form text. The new Read Aloud feature in Reading Mode on Chrome desktop allows users to hear the text they are reading, which improves focus and comprehension.

Upcoming Admin console changes

Filter for popular and recently added settings with policy tags
The Admin console will soon provide options to filter settings by recently added and popular. With these new filters, you’ll be able to see our newest settings as well as see some of our most popular and relevant Chrome settings.
- As early as Chrome 126 on Android, iOS, Linux, Mac, Windows: Trusted Tester access
- As early as Chrome 127 on Android, iOS, Linux, Mac, Windows: Feature rolls out

Chrome browser managed profile reporting
Chrome Enterprise Core will introduce new Chrome browser managed profile reporting in the Admin console. This feature will provide a new Managed profile listing and detail pages. On these pages, IT administrators will be able to find reporting information on managed profiles such as profile details, browser versions, policies applied, and more.
- As early as Chrome 127 on Android, Linux, MacOS, Windows: Early Trusted Tester access
- As early as Chrome 130 on Android, iOS, Linux, MacOS, Windows: Feature rolls out

Group based policy for Chrome browser
As an administrator, you will be able to use Google groups to add managed Chrome browsers to groups and set User & browser policies and Extension settings to a group of browsers. Managed browsers can be assigned to multiple groups, which allows IT administrators to have more flexibility to manage Chrome browsers using cloud management.
- As early as Chrome 126 on Android, Linux, MacOS, Windows: Trusted Tester access
- As early as Chrome 127 on Android, iOS, Linux, MacOS, Windows: Feature rolls ou

Chrome 125

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
Chrome Third-Party Cookie Deprecation (3PCD)	✓
Automatic deep file scanning for Enhanced Safe Browsing users	✓
Chrome Desktop support for Windows ARM64			✓
Chrome updater changes			✓
Chrome Security Insights	✓	✓	✓
Chrome bandwidth updates			✓
Extensions Safety Check	✓
Insecure form warnings on iOS	✓
Legacy Browser Support for Edge upgraded to Manifest V3			✓
Remove enterprise policy used for Base URL inheritance	✓
Send download reports without explicit user decision	✓		✓
Tab Groups on Tab Grid		✓
UI Automation accessibility framework provider on Windows		✓
Update Google Play Services to fix issues with account passwords		✓
Extending Storage Access API (SAA) to non-cookie storage	✓
Interoperable mousemove default action		✓
Remove window-placement alias for permission and permission policy descriptors			✓
Default Search Engine choice screen		✓	✓
Generating insights for Chrome DevTools Console warnings and errors			✓
New and updated policies in Chrome browser			✓
Removed policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
SAML always-on VPN fix			✓
ChromeOS Passpoint settings	✓
ChromeOS Audio Bluetooth telephony			✓
Add PrivateIP to DoH with identifiers	✓
Gallery video playback speed control UI		✓
Reduce Animations toggle for ChromeOS		✓
Captive Portal sign-in window	✓
Install dialog for PWAs			✓
Warn users before disconnecting Bluetooth HID	✓		✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
Inactive browser deletion in Chrome Enterprise Core	✓		✓
ChromeOS device enrollment and token generation redesign			✓
New ZTE pre-provisioning token features	✓
Expanded token management features	✓		✓
URL-keyed anonymized data collection in Managed Guest Session	✓
New policies in the Admin console			✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Deprecate Safe Browsing Extended reporting	✓
Extract text from PDFs for screen reader users		✓
Network Service on Windows will be sandboxed	✓
Removing support for UserAgentClientHintsGREASEUpdateEnabled	✓
Tab Groups on iPad		✓
Telemetry about pages that trigger keyboard and pointer Lock APIs	✓
Updated password management experience on Android	✓	✓
Watermarking	✓
Align navigator.cookieEnabled with spec	✓
Automatic fullscreen content setting		✓
Keyboard-focusable scroll containers	✓
Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies			✓
App-bound encryption for cookies	✓
Chrome extension telemetry integration with Chronicle	✓
Migrate extensions to Manifest V3 before June 2025	✓	✓	✓
Simplified sign-in and sync experience on Android		✓
Deprecate mutation events	✓
Remove enterprise policy used for legacy same site behavior			✓
User link capturing on PWAs		✓	✓
X25519Kyber768 key encapsulation for TLS	✓
Chrome will no longer support macOS 10.15	✓		✓
Deprecate the includeShadowRoots argument on DOMParser	✓
Private network access checks for navigation requests: warning-only mode			✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
New policy to control Kiosk wake and sleep times			✓
Show wildcard URLs in Data Controls Reporting			✓
Upcoming Admin console changes	Security/ Privacy	User productivity/ Apps	Management
Policy parity: Custom Configurations for IT admins			✓
Interactive setup guides for Chrome Enterprise Core			✓
Legacy Technology report			✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome browser updates

Chrome Third-Party Cookie Deprecation (3PCD)
Third party cookies will be restricted in a future release of Chrome. Currently, they are restricted by default for 1% of Chrome users to allow sites to preview the user experience without third-party cookies. Most enterprises are excluded from this group automatically and admins can use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies if needed.

End users can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site when necessary. See this help article for more details on how to toggle these settings for the desired configuration. Bounce tracking protections are enforced when the bouncing site is not permitted to use 3P cookies, and are controllable with the same policies. Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial or the first-party deprecation trial for continued access to third-party cookies for a limited period of time.

For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, macOS, Windows
  1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.

Automatic deep file scanning for Enhanced Safe Browsing users
Deep scanning of downloads for Enhanced Safe Browsing users has been launched since Chrome 91. At that time, users had to consent to each file they wanted deep-scanned automatically. Starting in Chrome 125, users no longer have to do that. Deep scanning is performed automatically as part of the improved protections offered by Enhanced Safe Browsing. Admins wishing to disable this feature can ensure their users are not in Enhanced Safe Browsing mode at all with the SafeBrowsingProtectionLevel policy, or disable deep scans with SafeBrowsingDeepScanningEnabled.
- Chrome 125 on LaCrOS, Linux, Mac, Windows: Feature rolls out

Chrome Desktop support for Windows ARM64
Chrome rolled out support for Windows ARM64. Enterprise installers are coming soon, and the ARM64 version can be downloaded at google.com/chrome. If you encounter any issues, file a bug here. At this time, other versions of Chrome running on ARM64 devices will not be automatically upgraded. Please re-install Chrome if you're running on an ARM64 device.
- Chrome 125 on Windows: New Enterprise installers will be available towards mid-May

Chrome updater changes
We are in the process of rolling out a new version of Google Update. As part of this change, the location for GoogleUpdate.exe on Windows changes and it is renamed updater.exe. Note that the previous path continues to persist until the transition is fully completed. GoogleUpdate.exe is also modified to point to updater.exe.

* Previous: %PROGRAMFILES(X86)%\Google\Update\GoogleUpdate.exe
* Current: %PROGRAMFILES(X86)%\Google\GoogleUpdater\<VERSION>\updater.exe
- Chrome 125 on Windows: These changes appear on Windows

Chrome Security Insights
If you have Chrome Enterprise Core (Chrome Browser Cloud Management) and Workspace Enterprise Standard or Workspace Enterprise Plus with assigned licenses, you can now enable Chrome Security Insights. This tool allows you to monitor insider risk and data loss for Chrome activity. For more information, see Monitoring for insider risk and data loss.
- Chrome 125 on ChromeOS, Linux, Mac, Windows

Chrome bandwidth updates
Chrome introduces a new mechanism for updating certain Chrome components, which might result in extra bandwidth used within your fleet. You can control this with the GenAILocalFoundationalModelSettings policy.
- Chrome 125 on Linux, Mac, Windows

Extensions Safety Check
The Extensions Safety Check notifies users about extensions that might contain malware, policy violations, and extensions that have been unpublished long ago. It provides an interface for users to review these extensions and decide to keep or remove each flagged extension.

To expand the usefulness and the scope of this feature, Chrome 125 adds new triggers so that other potentially risky extensions can also be reviewed by users. There are two new extension types that we now flag for the user to review.

- Extensions that are not installed from the Chrome Web Store

- Extensions that violate store policy by using deceptive installation tactics and are considered unwanted software

Any extensions that are force-installed, installed by policy, version-pinned or blocked by policy are ignored and not flagged by these trigger criteria.
- Chrome 125 on ChromeOS, Linux, Mac, Windows: During rollout, the two new triggers will be added to the extension safety check found on the chrome://extensions/ page

Insecure form warnings on iOS
Chrome 125 blocks form submissions from secure pages to insecure pages on iOS. When Chrome detects an insecure form submission, it displays a warning asking the user to confirm the submission. The goal is to prevent leaking form data over plain text without user's explicit approval. A policy InsecureFormsWarningsEnabled is available to control this feature.
- Chrome 125 on iOS: Feature rolls out
- Chrome 130 on iOS: InsecureFormsWarningsEnabled policy will be removed

Legacy Browser Support for Edge upgraded to Manifest V3
Legacy Browser Support for Edge is upgraded to Manifest V3. This is a major update with a possibility for bugs, so you can try the Beta version of this extension today. We encourage you to test it in your environment. If you encounter any issues, file a bug here.
- Chrome 125 on Linux, Mac, Windows: Microsoft Edge Add-ons Store doesn't support gradual rollouts, so this will roll out 0%=>100% in one step. Target release date is May 30th, so ~2 weeks into Chrome 125's lifecycle.

Remove enterprise policy used for Base URL inheritance
In Chrome 114, we introduced NewBaseUrlInheritanceBehaviorAllowed to prevent users or Google Chrome variations from enabling NewBaseUrlInheritanceBehavior, in case compatibility issues were discovered. Chrome 125 removes the temporary NewBaseUrlInheritanceBehaviorAllowed policy.
- Chrome 125 on Android, ChromeOS, Linux, Mac, Windows: NewBaseUrlInheritanceBehaviorAllowed policy will be removed.

Send download reports without explicit user decision
The Client Safe Browsing Report is a telemetry report sent to Safe Browsing when a warning is shown in Chrome. Today, download reports are sent when users discard or bypass a download warning. Based on the learnings from the initial tailored warning experiment, many download warnings are not explicitly discarded or bypassed. Reports are not sent for these warnings, so Safe Browsing doesn't have visibility on the effectiveness of these warnings. This feature aims to close this telemetry gap by sending reports when the download is auto-discarded or the browser is closed.
- Chrome 125 on ChromeOS, LaCrOS, Linux, Mac, Windows

Tab Groups on Tab Grid
Chrome for iPhone users can create and manage tab groups on their tab grids. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 125 on iOS

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows's UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.
Starting in Chrome 125, administrators can use the UiAutomationProviderEnabled enterprise policy to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Windows: The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Update Google Play Services to fix issues with account passwords
Users with old versions of Google Play Services might be unable to access the passwords saved to their Google accounts. These users now see warnings to update Google Play Services in the password management surface to access their account passwords again. This is part of an ongoing migration that only affects Android users of Google Password Manager.
- Chrome 125 on Android

Extending Storage Access API (SAA) to non-cookie storage
Chrome extends the Storage Access API to allow access to unpartitioned cookie and non-cookie storage in a third-party context. The current API only provides access to cookies, which have different use-cases than non-cookie storage. The API can be used as follows (JS running in an embedded iframe):

// Request a new storage handle via rSA (this should prompt the user)
let handle = await document.requestStorageAccess({all: true});

// Write some cross-site localstorage
handle.localStorage.setItem("userid", "1234");

// Open or create an indexedDB that is shared with the 1P context
let messageDB = handle.defaultBucket.indexedDB.open("messages");

The same flow would be used by iframes to get a storage handle when their top-level ancestor successfully called rSAFor, just that in this case the storage-access permission was already granted and thus the rSA call would not require a user gesture or show a prompt, allowing for hidden iframes accessing storage.
- Chrome 125 on Windows, Mac, Linux, Android

Interoperable mousemove default action
Canceling mousemove does not prevent text selection or drag-and-drop. Chrome allowed canceling mousemove events to prevent other APIs like text selection (and even drag-and-drop in the past). This does not match other major browsers; nor does it conform to the W3 UI Events specification.

With this feature, text selection is no longer the default action of mousemove. Text selection and drag-and-drop can still be prevented through canceling selectstart and dragstart events respectively, which are spec-compliant and fully interoperable.
- Chrome 125 on Windows, Mac, Linux, Android

Remove window-placement alias for permission and permission policy descriptors
Chrome 125 removes the window-placement alias for permission and permission policy descriptors. All instances of window-placement are replaced with window-management, which better describes the related API functionality. This is a follow-up to Window Management API feature enhancements and renaming from Multi-Screen Window Placement API; for more details, see Chrome Platform Status.
- Chrome 125 on Windows, Mac, Linux

Default Search Engine choice screen
As part of our Digital Markets Act (DMA) compliance, Google is introducing choice screens for users to choose their default search engine within Chrome. The choice from the prompt controls the default search engine setting, currently available at chrome://settings/search.

For enterprises that have chosen to have their administrator set their enterprise users’ search settings using the enterprise policies DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, those policies continue to control their enterprise’s search settings. Where the administrator has not set their enterprise users’ search settings by policy, enterprise users might see a prompt to choose their default search engine within Chrome.

Read more about these policies and the related atomic group.
- Chrome 120 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: 1% users might start getting the choice screen with Chrome 120.
- Chrome 125 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: full roll-out for applicable users.

Generating insights for Chrome DevTools Console warnings and errors
In Chrome 125, a new Generative AI (GenAI) feature becomes available for unmanaged users: Generating insights for Chrome DevTools Console warnings and errors. These insights provide a personalized description and suggested fixes for the selected errors and warnings. Initially, this feature is only available to users (18+) in English. Admins can control this feature by using the DevToolsGenAiSettings policy.
- Chrome 125 on ChromeOS, Linux, Mac, Windows: Feature becomes available to unmanaged users globally, except Europe, Russia, and China.
- Chrome 127 on ChromeOS, Linux, Mac, Windows: Feature becomes available to managed Chrome Enterprise & Education users in supported regions.

New and updated policies in Chrome browser

Policy	Description
EnterpriseLogoUrl	Enterprise Logo URL: URL to an image that is used as an enterprise badge for the profile.
EnterpriseBadgingTemporarySetting	Control the visibility of enterprise badging.
ApplicationBoundEncryptionEnabled	Enable Application-bound encryption
UiAutomationProviderEnabled	Enable the browser's UI Automation accessibility framework provider on Windows
ToolbarAvatarLabelSettings	Managed toolbar avatar label setting

Removed policies in Chrome browser

Policy	Description
NewBaseUrlInheritanceBehaviorAllowed	Allows enabling the feature NewBaseUrlInheritanceBehavior

ChromeOS updates

Always-on VPN SAML fix

To better support Enterprise customers who use VPN in always-on strict mode, where no user traffic can get to the internet except via the VPN, and SAML authentication, we've added a new policy AlwaysOnVpnPreConnectUrlAllowlist. This policy allows you to specify URLs users are allowed to go to before the VPN has connected, so that your SAML services are reachable to authenticate the user to the VPN via the system browser.

ChromeOS Passpoint settings

You can now view and manage Wi-Fi Passpoint in ChromeOS Settings. You can view and remove your installed passpoint subscription under the passpoint detailed page.

ChromeOS Audio Bluetooth telephony

ChromeOS now supports call control buttons on compatible Bluetooth headsets, including answering, rejecting or terminating a call, and muting the microphone.

Add PrivateIP to DoH with identifiers

A network identifier was added to the secure DNS URI templates with identifiers policy. Admins can now configure a new placeholder in the DNS URI templates, which is replaced with the device local IP addresses when the users are connected to managed networks.

Gallery video playback speed control UI

ChromeOS Gallery video player now has a playback speed menu to control the playback rate.

Reduce Animations toggle for ChromeOS

A reduced animations setting is now available on ChromeOS. This setting is available under Accessibility > Display and Magnification > Reduced Animations. Customers who experience motion sickness, distractions or other types of discomfort when seeing animations can benefit from changing this setting.

Captive portal sign-in window

ChromeOS 125 allows easier captive portal sign-in with a dedicated window. The window opens as a tabless popup window; the URL is shown but it is not editable.

Install dialog for PWAs

ChromeOS 125 enables an installation dialog for web apps. This feature unblocks web app installation scenarios and is part of the work to create a more predictable, accessible, and trustworthy install surface for web apps.

Warn users before disconnecting Bluetooth HID

In ChromeOS 125 and later, Chromeboxes and Chromebases display a notification to prevent unintended Bluetooth device disconnections. This notification appears when you attempt to disable Bluetooth while only Human Interface Devices (HIDs) like keyboards or mice connected via Bluetooth are active.

Admin console updates

Inactive browser deletion in Chrome Enterprise Core

Starting in April 2024 until June 2024, the Inactive period for browser deletion policy has started to roll out and automatically delete enrolled browsers in the Admin console that have been inactive for more than the inactivity period of time determined by the policy. When releasing the policy, the inactivity period of time has a default value of 540 days. Meaning that by default, all enrolled browsers that have been inactive for more than 540 days are deleted from your account. Administrators can change the inactive period value using this policy. The maximum value to determine the browser inactivity period is 730 days and the minimum value is 28 days (learn more).

If you lower the set policy value, it might have a global impact on any currently enrolled browsers. All impacted browsers will be considered inactive and, therefore, be irreversibly deleted. To ensure the deleted browsers re-enroll automatically next time they restart, set the Device Token Management policy value to Delete token before lowering the value of this policy. The enrollment tokens on these browsers need to still be valid at the time of the restart.

ChromeOS device enrollment and token generation redesign

Beginning in April 2024, the zero-touch enrollment experience has been enhanced with a new enrollment entry point, token creation guide, the ability to specify SKU and partner permissions and improved token management

New ZTE pre-provisioning token features
Pre-provisioning tokens have gained the following features:
- Support for Kiosk & Signage Upgrade by allowing zero-touch enrollment pre-provisioning tokens to be created using either Chrome Enterprise Upgrade or Kiosk & Signage Upgrade
- Ability for pre-provisioning partners to specify custom fields (asset ID, location, and user)
- Multiple tokens per organizational unit

Expanded token management features
The Enrollment Tokens page has been updated with the following features:
- The page has been added to the left navigation panel for easier access
- Tokens are now filterable based on status, creation user, annotation and upgrade type
- A new button allows admins to copy the token and Customer ID with one click
- Additional columns provide more information about the token

URL-keyed anonymized data collection in Managed Guest Session

The policy for URL-keyed anonymized data collection, UrlKeyedAnonymizedDataCollectionEnabled, is available in the Admin console. This policy will be enforced starting June 1st and will remain disabled until then.

New policies in Admin console

Policy Name	Pages	Supported on	Category/Field
DevToolsGenAiSettings	Users & Browsers	Chrome ChromeOS	Generative AI
UiAutomationProviderEnabled	Users & Browsers	Chrome	Accessibility
ContextualGoogleIntegrationsEnabled	Users & Browsers	ChromeOS	User experience
ContextualGoogleIntegrationsConfiguration	Users & Browsers	ChromeOS	User experience
ApplicationBoundEncryptionEnabled	Users & Browsers	Chrome	Security
DeviceExtensionsSystemLogEnabled	Device	ChromeOS	User and device reporting
EnterpriseBadgingTemporarySetting	Users & Browser	Chrome	General
EnterpriseLogoUrl	Users & Browser	Chrome	General
ToolbarAvatarLabelSettings	Users & Browser	Chrome	General
DeviceDlcPredownloadList	Device	ChromeOS	Other settings

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming browser changes

Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 126 on iOS, ChromeOS, Linux, MacOS, Windows: Deprecation of Safe Browsing Extended Reporting

Extract text from PDFs for screen reader users
Chrome browser is launching an Optical character recognition (OCR) AI reader for PDFs, creating the first browser built-in PDF screen reader for inaccessible documents, further filling the gap in accessibility for low vision and blind users across the web.

This feature leverages Google's OCR models to extract, compartmentalize, and section PDF documents to make them more accessible. A local machine intelligence library will be added that uses Screen AI technology to analyze screenshots or the accessibility tree, and extract more information to help assistive technology, such as texts (OCR) and main content of the page.
- Chrome 126 on ChromeOS, Linux, MacOS, Windows

Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 125 on Windows: Network Service sandboxed on Windows.

Removing support for UserAgentClientHintsGREASEUpdateEnabled
Deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year and then eventually remove it.
- Chrome 124 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 126 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed

Tab Groups on iPad
Chrome for iPad users can create and manage tab groups. This helps users stay organized, reduce clutter and manage their tasks more efficiently.
- Chrome 126 on Android

Telemetry about pages that trigger keyboard and pointer Lock APIs
When an Enhances Safe Browsing user visits a page that triggers keyboard or pointer lock API, attributes of that page will be sent to Safe Browsing. If the telemetry is sent and the page seems to be malicious, users will see a Safe Browsing warning and their keyboard or pointer will be unlocked if they were locked.
- Chrome 126 on Android, ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia

Updated password management experience on Android
On Chrome on Android, some users who are signed-in to Chrome but don't have Chrome sync enabled will be able to use and save passwords in their Google Account. Relevant enterprise policies such as BrowserSignin, SyncTypesListDisabled and PasswordManagerEnabled will continue to work as before and can be used to configure whether users can use and save passwords in their Google Account.
- Chrome 126 on Android

Watermarking
This feature will allow admins to overlay a watermark on top of a webpage if navigating to it triggers a specific DLP rule. It will contain a static string displayed as the watermark. Watermarking will be available to Chrome Enterprise Premium customers.
- Chrome 124 on Linux, Mac, Windows: Trusted Tester access
- Chrome 126 on Linux, Mac, Windows: Feature rolls out

Align navigator.cookieEnabled with spec
navigator.cookieEnabled currently indicates if “the user agent attempts to handle cookies” in a given context. A change in Chrome, shipping as part of third-party cookie deprecation (3PCD), would cause it to indicate whether unpartitioned cookie access is possible (causing it to return false in most cross-site iframes). We should restore the prior behavior of navigator.cookieEnabled which indicated only if cookies were enabled or disabled for the site and rely on the cross-vendor function document.hasStorageAccess to indicate if unpartitioned cookie access is possible.
- Chrome 126 on Windows, Mac, Linux, Android

Automatic fullscreen content setting
A new Automatic Fullscreen content setting permits Element.requestFullscreen() without a user gesture, and permits browser dialogs to appear without exiting fullscreen.

The setting is blocked by default and sites cannot prompt for permission. New UI controls are limited to Chrome's settings pages (chrome://settings/content/automaticFullScreen) and the site info bubble. Users can allow Isolated Web Apps, and enterprise admins can allow additional origins with the AutomaticFullscreenAllowedForUrls policy.

Combined with Window Management permission and unblocked popups (chrome://settings/content/popups), this unlocks valuable fullscreen capabilities:

- Open a fullscreen popup on another display, from one gesture

- Show fullscreen content on multiple displays from one gesture

- Show fullscreen content on a new display, when it's connected

- Swap fullscreen windows between displays with one gesture

- Show fullscreen content after user gesture expiry or consumption
- Chrome 128 on Android, ChromeOS, Linux, MacOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies
Chrome 125 adds a cross-site ancestor bit to the keying of the partitioned cookie's CookiePartitionKey. This change unifies the partition key with the partition key values used in storage partitioning and adds protection against clickjacking attacks by preventing cross-site embedded frames from having access to the top-level-site's partitioned cookies.
If an enterprise experiences any breakage with embedded iframes, they can use the CookiesAllowedForUrls policy or use SameSite=None cookies without the Partitioned attribute and then invoke the Storage Access API (SAA) or use the Cross-Origin Resource Sharing (CORS) to ensure that embedded iframes have access to the same cookies as the top level domain.
- Chrome 126 on Windows, Mac, Linux

Keyboard-focusable scroll containers
Making scroll containers focusable using sequential focus navigation greatly improves accessibility. Today, the tab key doesn't focus scrollers unless tabIndex is explicitly set to 0 or more.

By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using a keyboard's tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a <textarea>.
- Chrome 127 on Windows, MacOS, Linux, Android

App-Bound encryption for cookies
To improve the security of cookies on Windows, the encryption key used for cookie encryption will be further secured by binding it to Chrome's application identity. This can help protect against malware that might attempt to steal cookies from the system. This does not protect against an attacker who is able to elevate privilege or inject into Chrome's processes.
An enterprise policy ApplicationBoundEncryptionEnabled is available to disable Application Bound Encryption.
- Chrome 127 on Windows

Chrome extension telemetry integration with Chronicle
Collect relevant extension telemetry data from within Chrome (managed profiles + devices) and send it to Chronicle. Chronicle will analyze the data to provide instant analysis and context on risky activity.
- Chrome 127 on ChromeOS, LaCrOS, Linux, Mac, Windows

All extensions must be updated to leverage Manifest V3 by June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.

Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.

You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core. Read more on the Manifest timeline, including:
- Chrome 110 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Chrome 127 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.

Simplified sign-in and sync experience on Android
Chrome will launch a simplified and consolidated version of sign-in and sync in Chrome on Android. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.

As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off via SyncTypesListDisabled. Sign-in to Chrome can be disabled via BrowserSignin as before.

Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.

The changes are virtually identical to the simplified sign-in and sync experience launched on iOS in 117.
- Chrome 127 on Android

Intent to deprecate: mutation events
Synchronous mutation events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.

Mutation event support will be disabled by default starting in Chrome 127, around July 30, 2024. Code should be migrated before that date to avoid site breakage. If more time is needed, there are a few options:

- The Mutation Events Deprecation Trial can be used to re-enable the feature for a limited time on a given site. This can be used through Chrome 134, ending March 25, 2025.

- A MutationEventsEnabled enterprise policy can also be used for the same purpose, also through Chrome 134.

Please see this blog post for more detail.
- Chrome 127 on Windows, Mac, Linux, Android

Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 128 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

User link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, MacOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Earliest in Chrome 127 on Linux, MacOS, Windows: We will launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if user clicks on chip on address bar).

X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This protects network traffic from Chrome with servers that also support ML-KEM from decryption by a future quantum computer. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. This cipher will be used for both TLS 1.3 and QUIC connections.

However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. Post-quantum cryptography is required for CSNA 2.0.

Please see this blog post for more detail.
- Chrome 124 on Windows, Mac, Linux
- Chrome 128 on Android

Chrome will no longer support macOS 10.15
Chrome will no longer support macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems to continue to use Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support macOS 10.15.
- Chrome 129 on macOS: Chrome no longer supports macOS 10.15

Deprecate the includeShadowRoots argument on DOMParser
The includeShadowRoots argument was a never-standardized argument to the DOMParser.parseFromString() function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.

Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() will ship in Chrome 124, the non-standard includeShadowRoots argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
  (new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
  document.parseHTMLUnsafe(html);
- Chrome 129 on Windows, Mac, Linux, Android

Private network access checks for navigation requests: warning-only mode
Before a website A navigates to another site B in the user's private network, this feature does the following:

1. Checks whether the request has been initiated from a secure context

2. Sends a preflight request, and checks whether B responds with a header that allows private network access.

There are already features for subresources and workers, but this one is for navigation requests specifically. The above checks are made to protect the user's private network. Since this feature is the warning-only mode, we do not fail the requests if any of the checks fails. Instead, a warning will be shown in the DevTools, to help developers prepare for the coming enforcement.
- Chrome 130 on Windows, Mac, Linux, Android

↑ back to top

Upcoming ChromeOS changes

New policy to control Kiosk wake and sleep times

As early as ChromeOS 126, we will introduce a new kiosk device policy that will allow Admins to schedule when a device will wake and sleep. For more details, see Kiosk settings.

Show wildcard URLs in Data Controls reporting

ChromeOS Data Control rules allow admins to define source and destination URLs as a wildcard ( * ) value. ChromeOS data control events are reported under the Chrome audit report and can be viewed in the Google Admin console or other platforms through the Chrome Reporting Connector. When examining log events, the URL that triggered the rule is now reported, instead of the wildcard.

Upcoming Admin console changes

Policy parity: Custom Configurations for IT admins
The Custom Configurations page allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As a result, all Chrome policies are now configurable in Chrome Enterprise Core in the Admin console, either using the Settings page or the Custom Configurations page. You can also use the page to configure extension installation mode not supported in the Admin console, such as “normal_installed”.
- As early as Chrome 126 on Android, iOS, Linux, Mac, Windows: Trusted Tester access
- As early as Chrome 127 on Android, iOS, Linux, Mac, Windows: Feature rolls out

Interactive setup guides for Chrome Enterprise Core
The Chrome Enterprise team is introducing new interactive setup guides for browser management in the Admin console, where administrators can choose a journey they’re interested in exploring and get hands-on training directly in Chrome Setup Guides. For example, the guides can be used to learn how to:
- Creating test organizational units
- Turn on reporting
These guides are ideal for new administrators or for administrators who wish to learn new journeys.
- Enroll browsers
- Apply browser policies
- Configure extension settings
- Create an admin user
- As early as Chrome 125: Trusted Tester access
- As early as Chrome 126: Feature rolls out

Legacy Technology report
As early as Chrome 127, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, third-party cookies, SameSite cookie changes, and older security protocols like TLS 1.0/1.1 and third-party cookies. This information will enable IT administrators to work with developers to plan required tech migrations before the deprecation feature removals goes into effect.
This feature is currently released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- As early as Chrome 127 on Linux, MacOS, Windows: Legacy Technology report will be available in the Admin console.

Chrome 124

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
Chrome Enterprise Premium product launch	✓		✓
Chrome Browser Cloud Management is now Chrome Enterprise Core	✓		✓
Watermarking (trusted tester)	✓
Chrome Third-Party Cookie Deprecation (3PCD)	✓
Permissions prompt for Web MIDI API	✓
Two Chrome extensions will be upgraded to Manifest V3	✓		✓
Chrome Installer/Updater changes			✓
Bookmarks and reading list improvements on Android		✓
Default Search Engine choice screen		✓	✓
Deprecate enterprise policy used for throttling			✓
Chrome Desktop support for Windows ARM64			✓
Remove enterprise policy used for GREASE			✓
Deprecate and remove Web SQL	✓
Chrome bandwidth updates			✓
Form controls support direction value in vertical writing mode		✓
Remove enterprise policies used for TLS handshake and RSA key usage			✓
Shadow root cloneable attribute	✓
Local passwords stored in Play services on Android	✓
X25519Kyber768 key encapsulation for TLS	✓
Save to Drive and to Photos		✓
Device bound session credentials google.com prototype	✓
Windows ClearType Text Tuner integration		✓
New and updated policies in Chrome browser			✓
Removed policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
WebHID permission delegation	✓
WiFi QoS on ChromeOS			✓
Scanning DLC	✓
Increase the max size for the mouse pointer slider		✓
Fast Pair for HID	✓
Extension Cache Invalidation for managed guest login screen	✓
Instant reboot in Managed Guest Session			✓
ChromeOS carrier lock	✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
Inactive browser deletion in Chrome Enterprise Core			✓
New filter on the App details page			✓
New policies in the Admin console			✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
UI Automation accessibility framework provider on Windows		✓
Keyboard-focusable scroll containers	✓
Interoperable mousemove default action		✓
Network Service on Windows will be sandboxed	✓
Telemetry about pages that trigger keyboard and pointer lock APIs	✓
Extending Storage Access API (SAA) to non-cookie storage	✓
Remove window-placement alias for permission and permission policy descriptors			✓
Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies	✓
Extract text from PDFs for screen reader users		✓
Deprecate Safe Browsing Extended reporting	✓
Remove enterprise policy used for Base URL inheritance		✓
App-Bound encryption for cookies			✓
Intent to deprecate: Mutation Events	✓
User link capturing on PWAs		✓
All extensions must be updated to leverage Manifest V3 by June 2025	✓	✓	✓
Remove enterprise policy used for legacy same site behavior			✓
Chrome will no longer support MacOS 10.15			✓
Deprecate the includeShadowRoots argument on DOMParser			✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
ChromeOS Passpoint settings			✓
New policy to control Kiosk wake and sleep times			✓
Upcoming Admin console changes	Security/ Privacy	User productivity/ Apps	Management
Policy parity: Custom Configurations for IT admins			✓
Legacy Technology report			✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome browser updates

Chrome Enterprise Premium product launch
Chrome Enterprise Premium is now available, providing a centralized solution for robust endpoint security, privacy, and control (setup guide). IT and security teams gain extensive network visibility and can easily deploy advanced protection features. Learn more.

Chrome Browser Cloud Management is now Chrome Enterprise Core
Chrome Enterprise’s cloud management offers a centralized tool for configuring and managing browser policies, settings, apps, and extensions across Chrome – no matter the operating system, device, or location. Learn more.
- Chrome 124 on Linux, MacOS, Windows: Trusted Tester access
- Chrome 126 on Linux, MacOS, Windows: feature rolls out

Watermarking (trusted tester)
This Chrome Enterprise Premium feature allows admins to overlay a watermark on top of a web page if navigating to it triggers a specific Data Loss Prevention (DLP) rule. You can specify a static string to be displayed as the watermark.

This feature is currently released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- Chrome 124 on Linux, MacOS, Windows: Trusted Tester access
- Chrome 126 on Linux, MacOS, Windows: Feature rolls out

Chrome Third-Party Cookie Deprecation (3PCD)
As previously announced, Chrome 120 started to restrict third-party cookies by default for 1% of Chrome users to facilitate testing, and subsequent releases will ramp up to 100% of users as early as Q3 2024. The ramp up to 100% of users is subject to addressing any remaining competition concerns of the UK's Competition and Markets Authority (CMA). Browsers that are part of the 1% experiment group also see new Tracking Protection user controls. You can try out these changes in Chrome 120 or higher by enabling chrome://flags/#test-third-party-cookie-phaseout.

This testing period allows sites to meaningfully preview what it's like to operate in a world without third-party cookies. As bounce-tracking protections are also a part of 3PCD, the users in this group with third-party cookies blocked have bounce tracking mitigations taking effect, so that their state is cleared for sites that get classified as bounce trackers. Most enterprise users are excluded from this 1% experiment group automatically; however, we recommend that admins proactively use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies and opt out managed browsers ahead of the experiment. This gives enterprises time to make the changes required to avoid relying on this policy or on third-party cookies.

We are launching the Legacy Technology Report to help identify third-party cookies use cases. Admins can set the BlockThirdPartyCookies policy to False to re-enable third-party cookies for all sites but this prevents users from changing the corresponding setting in Chrome. Alternatively, to prevent breakage, you can set the CookiesAllowedForUrls policy to allowlist your enterprise applications to continue to receive third-party cookies.

For enterprise end users that are pulled into this experiment group and that are not covered by either enterprise admin policy, they can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site, when necessary. See this help article for more details on how to toggle these settings for the desired configuration.

Bounce tracking protections are also covered by the same policies as cookies and these protections are enforced when the bouncing site is not permitted to use 3P cookies. So setting the BlockThirdPartyCookies policy to false, or setting the CookiesAllowedForUrls policy for a site, prevents bounce tracking mitigations from deleting state for sites.

Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial or the first-party deprecation trial for continued access to third-party cookies for a limited period of time.

The heuristics feature grants temporary third-party cookie access in limited scenarios based on user behavior. This mitigates site breakage caused by third-party cookie deprecation in established patterns, such as identity provider pop ups and redirects.

For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, MacOS, Windows
  1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.

Permissions prompt for Web MIDI API
The Web MIDI API connects to and interacts with Musical Instrument Digital Interface (MIDI) Devices. There have been several reported problems around Web MIDI API's drive-by access to client MIDI devices (see related Chromium bug). To address this problem, the W3C Audio Working Group decided to place an explicit permission on general Web MIDI API access. Originally, the explicit permission was only required for advanced Web MIDI usage in Chrome, including the ability to send and receive system exclusive (SysEx) messages, with gated access behind a permissions prompt. We now intend to expand the scope of the permission to regular Web MIDI API usage.

In Chrome 124, all access to the Web MIDI API requires a user permission. No policies are available to control these changes. If you encounter any issues, file a bug here.
- Chrome 124 on Windows, MacOS, Linux, Android

Two Chrome extensions to be upgraded to Manifest V3
Two extensions will soon be updated to use Manifest V3: User-Agent Switcher, and Chrome Reporting.

This is a major update with a possibility for bugs, so you can try the Beta version of these extensions today. We encourage you to test them in your environment. If you encounter any issues, file a bug here.

  - User-Agent Switcher for Chrome - Beta

  - Chrome Reporting Extension - Beta

The User-Agent Switcher URL parser changed, so make sure your existing user agent substitutions work with the new version.
- Chrome 124: Both extensions receive an update, on their Stable version around April 30, 2024.

Chrome Installer/Updater changes
We are in the process of rolling out a new version of Google Update. As part of this change, the location for GoogleUpdate.exe on Windows changes and it is renamed updater.exe. Note that the previous path continues to persist until the transition is fully completed. GoogleUpdate.exe is also modified to point to updater.exe.

* Previous: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
* Current: C:\Program Files (x86)\Google\GoogleUpdater\<VERSION>\updater.exe
- Chrome 124 on Windows: These changes appear on Windows.

Bookmarks and reading list improvements on Android
On Chrome 124 on Android, some users who sign in to Chrome from the Bookmark Manager can use and save bookmarks and reading list items in their Google Account. Relevant enterprise policies, such as BrowserSignin, SyncTypesListDisabled, EditBookmarksEnabled, ManagedBookmarks and ShoppingListEnabled continue to work as before, to configure whether users can use and save items in their Google Account.
- Chrome 124 on Android: Feature rolls out.

Default Search Engine choice screen
As part of our Digital Markets Act (DMA) compliance, Google is introducing choice screens for users to choose their default search engine within Chrome. The choice from the prompt controls the default search engine setting, currently available at chrome://settings/search.

For enterprises that have chosen to have their administrator set their enterprise users’ search settings using the enterprise policies DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, those policies continue to control their enterprise’s search settings. Where the administrator has not set their enterprise users’ search settings by policy, enterprise users might see a prompt to choose their default search engine within Chrome.

Read more about these policies and the related atomic group.
- Chrome 120 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: 1% users might start getting the choice screen with Chrome 120.
- Starting Chrome 124 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: full roll-out for applicable users.

Deprecate enterprise policy used for throttling
The underlying code change (throttling same-process, cross-origin display:none iframes) that the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy overrides has been enabled in stable releases since early 2023. Since known issues have been dealt with, we intend to remove the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy in Chrome 124. To read the discussions around the throttling issue (and its resolution), see this Chromium issue report.
- Chrome 124: Policy is removed.

Chrome Desktop support for Windows ARM64
Chrome is rolling out support for Windows ARM64. We are working on publishing the Enterprise installers. You can continue to test the Canary channel and Beta channel and report bugs there. Note that this is subject to change based on overall stability, as well as feedback from customers. If you encounter any issues, file a bug here.
- Chrome 124 on Windows (ARM): New Enterprise installers will be available towards the end of April or early May.

Remove enterprise policy used for GREASE
We plan to deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year. The policy will be removed in Chrome 126.
- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows: Policy is deprecated.
- Chrome 126 on Android, ChromeOS, Linux, MacOS, Windows: Policy is removed.

Deprecate and remove Web SQL
With SQLite over WASM as its official replacement, we plan to remove Web SQL entirely. This will help keep our users secure.

The Web SQL database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.

Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team.
- Chrome 101: In Chrome 101 the WebSQLAccess policy is added. WebSQL will be available when this policy is enabled, while the policy is available until Chrome 123.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a deprecation trial token is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy, or a deprecation trial token.
- Chrome 124: on ChromeOS, LaCrOS, Linux, MacOS, Windows, Android: Starting in Chrome 124, the policy WebSQLAccess and the deprecation trial, which allows for WebSQL to be available, will no longer be available.

Chrome bandwidth updates
Chrome rolls out a new mechanism for updating certain Chrome components that might result in extra bandwidth used within your fleet. You can control this with the GenAILocalFoundationalModelSettings policy.
- Chrome 124 on Windows, MacOS, Linux

Form controls support direction value in vertical writing mode
The CSS property writing-mode allows elements to go vertical, but users cannot set the direction in which the value changes. With this feature, we are allowing the form control elements (meter, progress and range input type) to have vertical writing mode and choose the form control's value direction. If direction is rtl, the value is rendered from bottom to top. If direction is ltr, the value is rendered from top to bottom. For more information, see this Chrome for Developers blog post.
- Chrome 124 on Windows, MacOS, Linux, Android

Remove enterprise policies used for TLS handshake and RSA key usage
In Chrome 114, we introduced InsecureHashesInTLSHandshakesEnabled to control the use of legacy insecure hashes during the TLS handshake process. In Chrome 116, we introduced RSAKeyUsageForLocalAnchorsEnabled to control some server certificate checks. In Chrome 124, both InsecureHashesInTLSHandshakesEnabled and RSAKeyUsageForLocalAnchorsEnabled policies are removed.

Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows: InsecureHashesInTLSHandshakesEnabled and RSAKeyUsageForLocalAnchorsEnabled policies will be removed.

Shadow root cloneable attribute
The shadow root clonable attribute enables individual control over whether a shadow root is cloneable (via standard platform cloning commands such as cloneNode()). Imperative shadow roots can now be controlled via a parameter to attachShadow({clonable:true}). Declarative shadow roots can be controlled via a new attribute, <template shadowrootmode=open shadowrootclonable>.

Breakage can occur if you are:
a) using declarative shadow DOM
b) cloning templates that contain DSD and
c) expecting those clones to contain cloned shadow roots
- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows

Local passwords stored in Play services on Android
Chrome changes the way local (not syncable) passwords are stored. Previously, they were stored in the Chrome profile. Now they are migrated to the local password storage of the Google Play services similarly to how the Google account passwords are already stored. It also changes the management UI for them to be provided by Google Play services. The Chrome policy PasswordManagerEnabled is still valid but it doesn't control the behavior outside the Chrome binary. Thus, the new password management UI allows users to import or add passwords there manually.
- Chrome 123 on Android: The feature kicks-in for users without local passwords
- Chrome 124 on Android: All local passwords are migrated to the Google Play services.

X25519Kyber768 key encapsulation for TLS
Starting in Chrome 124, Chrome enables by default on all desktop platforms a new post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard (ML-KEM). This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. However, some TLS middleboxes might be unprepared for the size of a Kyber (ML-KEM) key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy, which will be available through the end of 2024. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. This cipher will be used for both TLS 1.3 and QUIC connections.
- Chrome 124 on Windows, MacOS, Linux

Save to Drive and to Photos
You can directly save a file or document image from the web to your Drive, as well as an image to your Google Photos. You can now change the account to which the file is going to be saved. The relevant policies to control these features are ContextMenuPhotoSharingSettings and DownloadManagerSaveToDriveSettings.
- Chrome 124 on iOS

Device Bound Session Credentials google.com prototype
The Device Bound Session Credentials project is intended to move the web away from long-lived bearer credentials like cookies, which can be stolen and reused, to credentials that are either short-lived or cryptographically bound to a device. The feature aims at protecting users against credential theft which is typically performed by malware running on the user's device.

The current launch is a proof-of-concept targeting google.com website. In the future, we plan to standardize this approach for other websites and web browsers (Github).

Enterprise admins can control the feature state by using the BoundSessionCredentialsEnabled boolean policy.
- Chrome 124 on Windows: Planned 1% rollout on Chrome stable for google.com cookie binding for the general population. A temporary BoundSessionCredentialsEnabled policy is introduced in this milestone.

Windows ClearType Text Tuner integration
This feature tracks the work to support picking the contrast and gamma values from the Windows ClearType Text Tuner setting and applying them to Skia text rendering. This ensures that users' text rendering preferences are respected on Windows devices.
- Chrome 124 on Windows, MacOS, Linux

New and updated policies in Chrome browser

Policy	Description
MutationEventsEnabled	Re-enable deprecated/removed Mutation Events
BoundSessionCredentialsEnabled	Bind Google credentials to a device
AutomaticFullscreenAllowedForUrls	Allow automatic fullscreen on these sites
AutomaticFullscreenBlockedForUrls	Block automatic fullscreen on these sites
CloudProfileReportingEnabled	Enable Google Chrome cloud reporting for managed profile
PrefixedVideoFullscreenApiAvailability	Manage the deprecated prefixed video fullscreen API's availability

Removed policies in Chrome browser

Policy	Description
WebSQLAccess	Force WebSQL to be enabled
InsecureHashesInTLSHandshakesEnabled	Insecure Hashes in TLS Handshakes Enabled
RSAKeyUsageForLocalAnchorsEnabled	Check RSA key usage for server certificates issued by local trust anchors
GetDisplayMediaSetSelectAllScreensAllowedForUrls	Enables auto-select for multi screen captures
ThrottleNonVisibleCrossOriginIframesAllowed	Allows enabling throttling of non-visible, cross-origin iframes

ChromeOS updates

WebHID permission delegation

Chrome Apps now enables WebHID features in Chrome App Webview, for VDI and Zoom HID support.

WiFi QoS on ChromeOS

ChromeOS 124 now includes a new Quality of Service (QoS) feature that ensures better traffic prioritization of video conferencing and gaming applications on congested Wi-Fi networks. As a result, users can experience smoother video play with less buffering. In this initial release, this feature is not available for managed users.

Scanning DLC

To optimize the size of ChromeOS updates, we now download the required driver once the user signs in and connects a scanner that requires a driver. The driver downloads automatically without any prompt that the user needs to answer. A notification appears to indicate that external drivers are being installed and when installation is complete.

Increase the max size for the mouse pointer slider

We have expanded the mouse cursor sizes. You can adjust the cursor size by going into settings, accessibility, cursor and touchpad, and sliding the slider to your preferred size. This can be helpful for people who have low vision, for teachers who want students to follow along during a lesson while presenting, for people who are presenting on a video call, or if you just want to have a larger mouse cursor.

Fast Pair for HID

Fast Pair is now available for mice on ChromeOS. You can now bring a Fast Pair-compatible mouse close to your ChromeOS device, and be prompted to pair it with one click. For details, see our Help Center article.

Extension Cache Invalidation for managed guest login screen

From ChromeOS 124, the ExtensionInstallForcelist policy supports the rollback of extensions for managed guest sessions and the login screen. This gives admins the option to rollback extensions in case of an erroneous rollout of a new version.

Instant reboot in Managed Guest Session

ChromeOS 124 introduces a UI for admins to initiate an instant reboot action for Managed Guest Sessions.

ChromeOS carrier lock

ChromeOS now supports carrier lock for mobile providers that want to provide subsidized devices to users. On all cellular enabled devices, carriers can lock the device to only allow connection to approved SIM profiles (both eSIM and physical SIM). Locked devices get enrolled to a carrier lock server and when the contract ends, the carrier simply releases the lock and the user is notified on their device. Note that in addition to being blocked for using unauthorized SIM profiles, dev mode is blocked on carrier locked devices.

Admin console updates

Inactive browser deletion in Chrome Enterprise Core

Starting in April 2024 until May 2024, for Chrome Enterprise Core, the Inactive period for browser deletion policy will start rolling out and automatically delete enrolled browsers in the Admin console that have been inactive for more than the inactivity period of time determined by the policy. When releasing the policy, the inactivity period of time will have a default value of 540 days. Meaning that by default, all enrolled browsers that have been inactive for more than 540 days will be deleted from your account. Administrators can change the inactive period value using this policy. The maximum value to determine the browser inactivity period will be 730 days and the minimum value is 28 days (learn more).

If you lower the set policy value, it might have a global impact on any currently enrolled browsers. All impacted browsers will be considered inactive and, therefore, be irreversibly deleted. To ensure the deleted browsers re-enroll automatically next time they restart, set the Device Token Management policy value to Delete token before lowering the value of this policy. The enrollment tokens on these browsers need to still be valid at the time of the restart.

New filter on the App details page

Introducing a new filter for All users and browsers on the App Details page. This filter allows IT admins to easily view all the managed browsers and managed users where a specific extension or app is installed.

New policies in Admin console

Policy Name	Pages	Supported on	Category/Field
AutomaticFullscreenAllowedForUrls	Users & browsers MGS	Android Chrome ChromeOS	User experience
AutomaticFullscreenBlockedForUrls	Users & browsers MGS	Android Chrome ChromeOS	User experience
MutationEventsEnabled	Users & browsers MGS	Android Chrome ChromeOS Android Webview	Legacy site compatibility
PrefixedVideoFullscreenApiAvailability	Users & browsers MGS	Android Chrome ChromeOS Fuschia	Legacy site compatibility

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming browser changes

UI Automation accessibility framework provider on Windows
Starting in Chrome 126, Chrome will start directly supporting accessibility client software that uses Microsoft Windows' UI Automation accessibility framework. Prior to this change, such software interoperated with Chrome by way of a compatibility shim in Microsoft Windows. This change is being made to improve the accessible user experience for many users. It provides complete support for Narrator, Magnifier, and Voice Access; and will improve third-party apps that use Windows's UI Automation accessibility framework. Users of Chrome will find reduced memory usage and processing overhead when used with accessibility tools. It will also ease development of software using assistive technologies.

Administrators may use the UiAutomationProviderEnabled enterprise policy starting in Chrome 125 to either force-enable the new provider (so that all users receive the new functionality), or disable the new provider. This policy will be supported through Chrome 136, and will be removed in Chrome 137. This one-year period is intended to give enterprises sufficient time to work with third-party vendors so that they may fix any incompatibilities resulting from the switch from Microsoft's compatibility shim to Chrome's UI Automation provider.
- Chrome 125 on Window: The UiAutomationProviderEnabled policy is introduced so that administrators can enable Chrome's UI Automation accessibility framework provider and validate that third-party accessibility tools continue to work.
- Chrome 126 on Windows: The Chrome variations framework will be used to begin enabling Chrome's UI Automation accessibility framework provider for users. It will be progressively enabled to the full stable population, with pauses as needed to address compatibility issues that can be resolved in Chrome. Enterprise administrators may continue to use the UiAutomationProviderEnabled policy to either opt-in early to the new behavior, or to temporarily opt-out through Chrome 136.
- Chrome 137 on Windows: The UiAutomationProviderEnabled policy will be removed from Chrome. All clients will use the browser's UI Automation accessibility framework provider.

Keyboard-focusable scroll containers
Making scroll containers focusable using sequential focus navigation greatly improves accessibility. Today, the tab key doesn't focus scrollers unless tabIndex is explicitly set to 0 or more.

By making scrollers focusable by default, users who can't (or don't want to) use a mouse will be able to focus clipped content using a keyboard's tab and arrow keys. This behavior is enabled only if the scroller does not contain any keyboard focusable children. This logic is necessary so we don't cause regressions for existing focusable elements that might exist within a scroller like a <textarea>.
- Chrome 125 on Windows, MacOS, Linux, Android

Interoperable mousemove default action
Chrome allowed canceling mousemove events to prevent other APIs like text selection (and even drag-and-drop in the past). This does not match other major browsers; nor does it conform to the UI (event spec).

Through this feature, text selection will no longer be the default-action of mousemove. Text selection and drag-and-drop can still be prevented through canceling selectstart and dragstart events respectively, which are spec compliant and fully interoperable.
- Chrome 125 on Windows, MacOS, Linux, Android

Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 125 on Windows: Network Service sandboxed on Windows.

Telemetry about pages that trigger keyboard and pointer Lock APIs
When an Enhances Safe Browsing user visits a page that triggers keyboard or pointer lock APIs, attributes of that page will be sent to Safe Browsing.

If the telemetry is sent and the page seems to be malicious, users will see a Safe Browsing warning and their keyboard or pointer will be unlocked if they were locked.
- Chrome 125 on Android, ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia

Extending Storage Access API (SAA) to non-cookie storage
We propose an extension of the Storage Access API (backwards compatible) to allow access to unpartitioned (cookie and non-cookie) storage in a third-party context, and imagine the API mechanics to be roughly like this (JS running in an embedded iframe):

// Request a new storage handle via rSA (this should prompt the user)
let handle = await document.requestStorageAccess({all: true});

// Write some cross-site localstorage
handle.localStorage.setItem("userid", "1234");

// Open or create an indexedDB that is shared with the 1P context
let messageDB = handle.defaultBucket.indexedDB.open("messages");

The same flow would be used by iframes to get a storage handle when their top-level ancestor successfully called rSAFor, just that in this case the storage-access permission was already granted and thus the rSA call would not require a user gesture or show a prompt, allowing for hidden iframes accessing storage.

Remove window-placement alias for permission and permission policy descriptors
Chrome 124 removes the window-placement alias for permission and permission policy descriptors. All instances of window-placement are replaced with window-management, which better describes the related API functionality. This is a follow-up to Multi-Screen Window Placement API feature enhancements; for more details, see Chrome Platform Status.
- Chrome 125 on Windows, MacOS, Linux

Cross-site ancestor chain bit for CookiePartitionKey of partitioned cookies
Chrome 125 adds a cross-site ancestor bit to the keying of the partitioned cookie's CookiePartitionKey. This change unifies the partition key with the partition key values used in storage partitioning and adds protection against clickjacking attacks by preventing cross-site embedded frames from having access to the top-level-site's partitioned cookies.

If an enterprise experiences any breakage with embedded iframes, they can use the CookiesAllowedForUrls policy or use SameSite=None cookies without the Partitioned attribute and then invoke the Storage Access API (SAA) or use the Cross-Origin Resource Sharing (CORS) to ensure that embedded iframes have access to the same cookies as the top level domain.
- Chrome 126 on Windows, MacOS, Linux

Extract text from PDFs for screen reader users
Chrome browser is launching an Optical character recognition (OCR) AI reader for PDFs, creating the first browser built-in PDF screen reader for inaccessible documents, further filling the gap in accessibility for low vision and blind users across the web.

This feature leverages Google's OCR models to extract, compartmentalize, and section PDF documents to make them more accessible. A local machine intelligence library will be added that uses Screen AI technology to analyze screenshots or the accessibility tree, and extract more information to help assistive technology, such as texts (OCR) and main content of the page.
- Chrome 126 on ChromeOS, Linux, MacOS, Windows

Deprecate Safe Browsing Extended reporting
Safe Browsing Extended reporting is a feature that enhances the security of all users by collecting telemetry information from participating users that is used for Google Safe Browsing protections. The data collected includes URLs of visited web pages, limited system information, and some page content. However, this feature is now superseded by Enhanced protection mode. We suggest users switch to Enhanced protection to continue providing security for all users in addition to enabling the strongest security available in Chrome. For more information, see Safe Browsing protection levels.
- Chrome 126 on iOS, ChromeOS, Linux, MacOS, Windows: Deprecation of Safe Browsing Extended Reporting

Remove enterprise policy used for Base URL inheritance
In Chrome 114 we introduced NewBaseUrlInheritanceBehaviorAllowed to prevent users or Google Chrome variations from enabling NewBaseUrlInheritanceBehavior, in case compatibility issues were discovered. In Chrome 125, the temporary NewBaseUrlInheritanceBehaviorAllowed policy will be removed.
- Chrome 125 on Android, ChromeOS, Linux, MacOS, Windows: NewBaseUrlInheritanceBehaviorAllowed policy will be removed.

App-Bound encryption for cookies
To improve the security of cookies on Windows, the encryption key used for cookie encryption will be further secured by binding it to Chrome's application identity. This can help protect against malware that might attempt to steal cookies from the system. This does not protect against an attacker who is able to elevate privilege or inject into Chrome's processes.

An enterprise policy ApplicationBoundEncryptionEnabled will be available to disable Application Bound encryption.
- Chrome 125 on Windows

Intent to deprecate: mutation events
Synchronous mutation events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.
- Chrome 127 on Android, ChromeOS, Linux, MacOS, Windows: Mutation events will stop functioning in Chrome 127, around July 30, 2024.

User link capturing on PWAs
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.
- Chrome 121 on Linux, MacOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Earliest in Chrome 127 on Linux, MacOS, Windows: We will launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if user clicks on chip on address bar).

All extensions must be updated to leverage Manifest V3 by June 2025
Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.

Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.

You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Enterprise Core. Read more on the Manifest timeline, including:
- Chrome 110 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Chrome 127 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.

Remove enterprise policy used for legacy same site behavior
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 128 on Android, ChromeOS, Linux, MacOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

Chrome will no longer support MacOS 10.15
Chrome will no longer support MacOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems to continue to use Chrome browser. Running on a supported operating system is essential to maintaining security. If run on MacOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support MacOS 10.15.
- Chrome 129 on MacOS: Chrome no longer supports MacOS 10.15

Deprecate the includeShadowRoots argument on DOMParser
The includeShadowRoots argument was a never-standardized argument to the DOMParser.parseFromString() function, which was there to allow imperative parsing of HTML content that contains declarative shadow DOM. This was shipped in Chrome 90 as part of the initial shipment of declarative shadow DOM. Since the standards discussion rematerialized in 2023, the shape of DSD APIs changed, including this feature for imperative parsing. To read more, see details of the context on the related standards, and information is also available on the related deprecations of shadow DOM serialization and shadow root attribute.

Now that a standardized version of this API, in the form of setHTMLUnsafe() and parseHTMLUnsafe() will ship in Chrome 124, the non-standard includeShadowRoots argument needs to be deprecated and removed. All usage should shift accordingly:
Instead of:
  (new DOMParser()).parseFromString(html,'text/html',{includeShadowRoots: true});
This can be used instead:
  document.parseHTMLUnsafe(html);
- Chrome 129 on Windows, Mac, Linux, Android

↑ back to top

Upcoming ChromeOS changes

ChromeOS Passpoint settings

As early as ChromeOS 125, you will be able to view and manage Wi-Fi Passpoint in ChromeOS Settings. You will be able to view and remove your installed passpoint subscription under the passpoint detailed page.

New policy to control Kiosk wake and sleep times

As early as ChromeOS 125, we will introduce a new kiosk device policy that will allow Admins to schedule when a device will wake and sleep. For more details, see Kiosk settings.

Upcoming Admin console changes

Policy parity: Custom Configurations for IT admins
The Custom Configurations page allows IT admins to configure Chrome policies that are not yet in the Admin console, using JSON scripts. As a result, all Chrome policies are now configurable in Chrome Enterprise Core in the Admin console, either using the Settings page or the Custom Configurations page. You can also use the page to configure extension installation mode not supported in the Admin console, such as “normal_installed”.
- As early as Chrome 125 on Android, iOS, Linux, Mac, Windows: Trusted Tester access
- As early as Chrome 126 on Android, iOS, Linux, Mac, Windows: Feature rolls out

Legacy Technology report
As early as Chrome 127, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, third-party cookies, SameSite cookie changes, and older security protocols like TLS 1.0/1.1 and third-party cookies. This information will enable IT administrators to work with developers to plan required tech migrations before the deprecation feature removals goes into effect.
This feature is currently released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- As early as Chrome 127 on Linux, MacOS, Windows: Legacy Technology report will be available in the Admin console.

Chrome 123

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
Chrome Third-Party Cookie Deprecation (3PCD)	✓
Generative AI features		✓
Resume tabs		✓	✓
Chrome on Android and iOS: cross-device resumption		✓
Resume the last opened tab on any device		✓
Change in behavior of the JavaScript JIT policies			✓
Chrome Sync ends support for Chrome 81 and earlier	✓		✓
New idle timeout policies on iOS			✓
Cross-profile password reuse detection	✓
Telemetry for permission prompts and accepting notification permissions	✓
ServiceWorker static routing API	✓
Private network access checks for navigation requests: warning-only mode	✓
Local passwords stored in Play services		✓
Zstd content encoding	✓
Force Sign-in flows revamp		✓
Google Update changes			✓
New and updated policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
ChromeOS Flex Bluetooth migration			✓
Customizing keyboard shortcuts		✓
Mouse button customization		✓
Faster Split Screen setup		✓
ChromeOS Tether Hotspot		✓
Per-app language preferences on Android		✓
New natural-sounding voices for text-to-speech		✓
Data Processor mode rollout for Norway and Belgium	✓
Per-app privacy settings	✓
Enhanced Android security for new enterprise customers			✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
Enhanced Settings page experience		✓
Remote log collection for ChromeOS devices			✓
Inactive browser deletion in Chrome Browser Cloud Management			✓
Chrome crash report			✓
New policies in the Admin console			✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Default Search Engine choice screen		✓
User link capturing on PWAs - Windows, MacOS and Linux	✓
Permissions prompt for Web MIDI API	✓
Three Chrome extensions will be upgraded to Manifest V3	✓		✓
Bookmarks and reading list improvements on Android		✓
Deprecate enterprise policy used for throttling			✓
Chrome Desktop support for Windows ARM64			✓
Remove enterprise policy used for GREASE			✓
Network Service on Windows will be sandboxed	✓
Deprecate and remove WebSQL	✓
Form controls support direction value in vertical writing mode		✓
Remove enterprise policies used for TLS handshake and RSA key usage			✓
Shadow root cloneable attribute			✓
Remove enterprise policy used for Base URL inheritance			✓
Intent to deprecate: mutation events		✓
Remove enterprise policy used for legacy same site behavior			✓
All extensions must be updated to leverage Manifest V3 by June 2025			✓
Chrome will no longer support macOS 10.15			✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Record GIFs with Screen capture		✓
Upcoming Admin console changes	Security/ Privacy	User productivity/ Apps	Management
Legacy Technology report			✓
Policy parity: Custom Configurations for IT admins		✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome browser updates

Chrome Third-Party Cookie Deprecation (3PCD)
As previously announced, Chrome 120 started to restrict third-party cookies by default for 1% of Chrome users to facilitate testing, and subsequent releases will ramp up to 100% of users as early as Q3 2024. The ramp up to 100% of users is subject to addressing any remaining competition concerns of the UK's Competition and Markets Authority (CMA). Browsers that are part of the 1% experiment group also see new Tracking Protection user controls. You can try out these changes in Chrome 120 or higher by enabling chrome://flags/#test-third-party-cookie-phaseout.

This testing period allows sites to meaningfully preview what it's like to operate in a world without third-party cookies. As bounce-tracking protections are also a part of 3PCD, the users in this group with third-party cookies blocked have bounce tracking mitigations taking effect, so that their state is cleared for sites that get classified as bounce trackers. Most enterprise users are excluded from this 1% experiment group automatically; however, we recommend that admins proactively use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies and opt out managed browsers ahead of the experiment. This gives enterprises time to make the changes required to avoid relying on this policy or on third-party cookies.

We are launching the Legacy Technology Report to help identify third-party cookies use cases. Admins can set the BlockThirdPartyCookies policy to false to re-enable third-party cookies for all sites but this will prevent users from changing the corresponding setting in Chrome. Alternatively, to prevent breakage, you can set the CookiesAllowedForUrls policy to allowlist your enterprise applications to continue receiving third-party cookies.

For enterprise end users that are pulled into this experiment group and that are not covered by either enterprise admin policy, they can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site, when necessary. See this Help Center article for more details on how to toggle these settings for the desired configuration.

Bounce tracking protections are also covered by the same policies as cookies and these protections are enforced when the bouncing site is not permitted to use 3P cookies. So setting the BlockThirdPartyCookies policy to false, or setting the CookiesAllowedForUrls policy for a site, prevents bounce tracking mitigations from deleting state for sites.

Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial or the first-party deprecation trial for continued access to third-party cookies for a limited period of time.

The heuristics feature grants temporary third-party cookie access in limited scenarios based on user behavior. This mitigates site breakage caused by third-party cookie deprecation in established patterns, such as identity provider pop ups and redirects.

For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, MacOS, Windows
  1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.

Generative AI features
In Chrome 122, 3 Generative AI (GenAI) features became available for managed users that have signed into Chrome browser: Tab Organizer, Create themes, and Help me write (not available on ChromeOS). Initially, these 3 features are only available to users (18+) in English in the USA. Admins can control these by using the TabOrganizerSettings, CreateThemesSettings and HelpMeWriteSettings policies.

Starting in Chrome 123, we will gradually roll out these features and some users will no longer need to opt in to Experimental AI to use the features if admins set the policies to enabled.
- Chrome 122 on ChromeOS, Linux, Mac, Windows: GenAI features (Tab Organizer, Create themes) become available to managed users in the USA. Users need to turn on Experimental AI.
- Chrome 123 on ChromeOS, Linux, Mac, Windows: Features (Tab Organizer, Create themes) become available to managed users in the USA. Some users will have the feature enabled by default; others will still be able to manually opt in via the Experimental AI settings page. In both cases, the features will not be available if disabled via policy.

Resume tabs
Chrome 123 introduces a new card on the New tab page, which helps users continue with tab suggestions from other devices. Using the NTPCardsVisible policy, admins can control this feature, and other cards on the New tab page.
- Chrome 123 on ChromeOS, Linux, Mac, Windows

Chrome on Android and iOS: cross-device resumption
To help users resume tasks originating from other devices, Chrome now provides cross-device tab suggestions on the New tab page or Home surfaces on Chrome on Android and Chrome on iOS.
- Chrome 123 on Android, iOS: Feature launches

Resume the last opened tab on any device
For the last open tab on any device within the last 24 hours with the same signed-in user profile, Chrome now offers users a quick shortcut to resume that tab. Admins can control this feature using an existing enterprise policy called SyncTypesListDisabled.
- Chrome 123 on iOS: Feature launches

Change in behavior of the JavaScript JIT policies
As early as Chrome 122, enabling the DefaultJavaScriptJitSetting policy and disabling JavaScript JIT no longer resulted in WebAssembly being fully disabled. The V8 optimizing JIT will continue to be disabled by setting this policy. This allows Chrome to render web content in a more secure configuration.

Chrome Sync ends support for Chrome 81 and earlier
Chrome Sync will no longer support Chrome 81 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 123 on Android, iOS, ChromeOS, Linux, MacOS, Windows: The change will be implemented.

New idle timeout policies on iOS
Enterprises are now able to enforce taking an action after Chrome has been idle for some amount of time on iOS devices. Admins can use the IdleTimeout policy to set a timeout period and the IdleTimeoutActions policy to specify actions on timeout. The setting will be available as a platform policy and will be available per user profile at a future date.
- Chrome 123 on iOS: Policies available on iOS.

Cross-profile password reuse detection
Previously, password reuse detection of corporate credentials was only detectable in the corporate profile. In Chrome 123, password reuse detection will detect corporate credential reuse across all non-Incognito profiles on the managed browser.
- Chrome 123: Feature rolls out to enterprises that have MetricsReportingEnabled set to enabled.

Telemetry for permission prompts and accepting notification permissions
When Enhanced Protection is turned on, and a user visits a page that prompts the user to accept a notification permission, attributes of that page might be sent to Safe Browsing. If the telemetry is sent and the page is deemed dangerous, users will see a Safe Browsing warning.

When Enhanced Protection or Safe Browsing Extended Reporting is turned on, and a user accepts a notification permission for a blocklisted page, this event will be sent to Safe Browsing.

These features can be controlled by the SafeBrowsingProtectionLevel and SafeBrowsingExtendedReportingEnabled policies.
- Chrome 123 Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia: Feature rolls out to enterprises that have MetricsReportingEnabled set to enabled.

ServiceWorker static routing API
This API allows developers to configure the routing, and allows them to offload simple things ServiceWorkers do. If the condition matches, the navigation happens without starting ServiceWorkers or executing JavaScript, which allows web pages to avoid performance penalties due to ServiceWorker interceptions.
- Chrome 123 on Windows, Mac, Linux, Android

Private network access checks for navigation requests: warning-only mode
Before a website navigates to a destination site in a user's private network, Chrome will do the following:

1. Checks whether the original navigation request has been initiated from a secure context.

2. Sends a preflight request, and checks whether the destination site responds with a header that allows private network access.

The above checks are made to protect the user's private network. Since this feature operates in warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in DevTools Chrome console, to help developers prepare for the coming enforcement. To read about these changes, see Private Network Access (PNA) for Navigation Requests. To learn more, see the PNA specification.
- Chrome 123 on Android (except for WebView), ChromeOS, Linux, MacOS, Windows: Warning-only mode.
- Earliest Chrome 130 on Android (except for WebView), ChromeOS, Linux, MacOS, Windows: Requests will fail.

Local passwords stored in Play services
Chrome changes the way local (not syncable) passwords are stored. Previously they were stored in the Chrome profile. Now they are gonna be migrated to the local password storage of the Google Play services similarly to how the Google account passwords are already stored. It also changes the management UI for them to be provided by Google Play services. The Chrome policy PasswordManagerEnabled is still valid but it doesn't control the behavior outside the Chrome binary. Thus, the new password management UI allows users to import or add passwords there manually.
- Chrome 123 on Android: The feature kicks-in for users without local passwords
- Chrome 124 on Android: All local passwords are migrated to the Google Play services.

Zstd content encoding
Chrome is adding support for Zstandard (zstd) as a data compression mechanism. Supporting zstd content encoding in the browser allows sites to spend less time and CPU or power on compression on their servers, resulting in reduced server costs. A temporary enterprise policy ZstdContentEncodingEnabled is available to turn off the zstd content encoding feature.
- Chrome 123 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia: Support for zstd is added.

Force sign-in flows revamp
When the BrowserSignin policy is set to Force users to sign-in to use the browser, users now sign in to Chrome browser by following the standard sign-in procedure through the Profile Picker.

Previously, the Force sign-in flow had a specific UI dialog that did not follow typical Chrome style or standards. Now the flows are aligned with the regular sign-in flows. We’ve also improved error handling by displaying sign-in errors in a regular dialog with actionable buttons.
- Chrome 123 on Mac, Windows: Full launch

Google Update changes
We are in the process of rolling out a new version of Google Update. As part of this change, the location for GoogleUpdate.exe on Windows will change and will be named updater.exe. Note that the previous path will continue to persist until the transition is fully completed.
- Previous: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
- Current: C:\Program Files (x86)\Google\GoogleUpdater\VERSION\updater.exe

New and updated policies in Chrome browser

Policy	Description
WebAnnotations	Allow detecting plain text entities in web pages (on iOS only)
IdleTimeout	Delay before running idle actions (now also available on iOS)
IdleTimeoutActions	Actions to run when the computer is idle (now also available on iOS)
ChromeForTestingAllowed	Allow Chrome for Testing
RemoteAccessHostAllowPinAuthentication	Allow PIN and pairing authentication methods for remote access hosts
RemoteAccessHostAllowUrlForwarding	Allow remote access users to open host-side URLs in their local client browser
DownloadManagerSaveToDriveSettings	Allow saving files directly to Google Drive

ChromeOS updates

ChromeOS Flex Bluetooth migration
In ChromeOS 123, ChromeOS Flex will upgrade to the Floss Bluetooth stack. As part of this upgrade, the listed devices no longer support Bluetooth functionality. If Bluetooth functionality is critical for these devices, we recommend moving these devices to the LTS channel to extend the Bluetooth functionality through to October 2024.
- HP Probook 4530s
- Lenovo ThinkPad T420
- HP Elitebook 8460p
- Apple iMac 11,2
- Lenovo ThinkPad x220
- Dell Vostro 3550
- HP 3115m
- HP Elitebook 2560p
- HP ProBook 6465b
- Lenovo ThinkPad L420
If your devices are unable to connect to Bluetooth after updating to ChromeOS 123, switch the Chrome flag Use Floss instead of BlueZ to Disabled.

Customizing keyboard shortcuts
Using shortcuts boosts productivity, and we all have our favorites. In ChromeOS 123, with shortcut customization, you will be able to assign your preferred key combination to personalize your shortcuts. Whether you want them to be easier to do with one hand, simpler to remember, or identical to the ones you're familiar with, this feature will simplify your day-to-day workflows.

Mouse button customization
Mouse button customization on Chromebook helps users complete quick actions with the click of a button. If your mouse has more than two buttons, you can now assign those to a set list of actions such as taking a screenshot, muting and unmuting, inserting emojis, and so on. You can also select a key combination to assign to your buttons any action performed by a keyboard shortcut.

Faster Split Screen setup
Chromebooks provide a variety of ways to arrange the windows on your screen to help make you more productive — one of which is Split Screen. Just as it sounds, Faster Split Screen setup offers a quicker way to set up your window layout by showing an overview of your open windows on the other side of the screen. With Faster Split Screen, once you snap (or lock) a window in place on one side, you can choose an already-open window from Overview to snap into the other side, or select something from the shelf (the row of apps located at the bottom or side of your screen).

ChromeOS Tether Hotspot
Hotspot is now available on ChromeOS! You can now share your cellular network on your Chromebook as a hotspot to other devices without an internet connection! Enable your first hotspot by opening Network Settings and toggling on Hotspot. In ChromeOS 123, we only support T-Mobile in the US but we are working to add other networks in future releases.

Per-app language preferences on Android
You can now change to your preferred language for your Android apps. These new settings are available in Settings > Apps > Manage your apps > App language.

New natural-sounding voices for text-to-speech
In ChromeOS 123, we’ve added new natural sounding TTS voices that work offline and are available in 31 languages.

Data Processor mode rollout for Norway and Belgium
In August 2023, data processor mode for ChromeOS was launched in the Netherlands to give organizations more transparency and control over data sent to, and processed by Google. As interest in this space increased recently, we are making data processor mode generally available in additional countries, starting with Norway and Belgium. This product is available in the Admin console through Device > Chrome > Compliance. For more information, see our Help Center article.

Per-app privacy settings
ChromeOS 123 makes privacy controls on Chromebooks easier to manage by consolidating app permissions and privacy controls. This gives users more transparency by showing what apps need access to privacy sensors, and how app permissions are affected by privacy control states. Now with the per-app permissions, for microphone and camera, instead of going to two separate places (privacy controls and app settings), users can directly go to privacy settings to view what apps need access to these sensors and modify app permissions.

Enhanced Android security for new enterprise customers
ChromeOS 123 enhances the default app security level for enterprise customers. On new enterprise domains, ChromeOS now deactivates Android apps for unaffiliated ChromeOS users by default. Unaffiliated ChromeOS users are users on unmanaged devices or on devices that are managed by a different domain than the user.

Existing enterprise domains will not be affected by this change. Any new or existing education customer will not be affected.

Enterprise customers who want to change the default setting, see our Help Center article.

Admin console updates

Enhanced Settings page experience
Starting in March 2024, all admins will use our updated Settings page experience–that means you’ll no longer be able to use the legacy Settings page experience. Most of you already use the updated experience. This just means that admins will no longer be able to access the legacy view, but you'll still have access to all the same functionality in the updated view.

Remote log collection for ChromeOS devices
If you experience problems with a managed ChromeOS device, you can troubleshoot by capturing additional logs from the Device details page in the Admin console.You can remotely collect logs for following use cases :
- Kiosk devices
- Affiliated and unaffiliated signed-in users
- Managed guest sessions
- Login and Locked screen
For more information, see this Help Center article, Remote log collection for ChromeOS devices.

Inactive browser deletion in Chrome Browser Cloud Management
The Inactive period for browser deletion policy is now available for early access in the Admin console. For IT admins who find the 18 month default inadequate, this will allow them to explicitly set a policy value (inactivity period of time) a few weeks before the actual deletion starts.

Starting in April 2024 until May 2024, the Inactive period for browser deletion policy will start rolling out and automatically delete enrolled browsers in the Admin console that have been inactive for more than the inactivity period of time determined by the policy. When releasing the policy, the inactivity period of time will have a default value of 540 days. Meaning that by default, all enrolled browsers that have been inactive for more than 540 days will be deleted from your account. Administrators can change the inactive period value using this policy. The maximum value to determine the browser inactivity period will be 730 days and the minimum value is 28 days.
If you lower the set policy value, it might have a global impact on any currently enrolled browsers. All impacted browsers will be considered inactive and, therefore, be irreversibly deleted. To ensure the deleted browsers re-enroll automatically next time they restart, set the Device Token Management policy value to Delete token before lowering the value of this policy. The enrollment tokens on these browsers need to still be valid at the time of the restart.

Chrome crash report
In Chrome 123, you can visualize crash events in the Admin console using the new Chrome crash report page. In this report, you will find a dynamic chart representing Chrome crash events over time, grouped by versions of Chrome. Additional filtering is available for the following fields: OS platforms, Chrome channels and dates. This report helps you proactively identify potential Chrome issues within your organization.
- Chrome 121 on Linux, MacOS, Windows: Trusted Tester program
- Chrome 123 on Linux, MacOS, Windows: Feature rolls out

New policies in Admin console

Policy Name	Pages	Supported on	Category/Field
ShortcutCustomizationAllowed	User/MGS	ChromeOS 123+	User accessibility
DeleteKeyModifier	User/MGS	ChromeOS 123+	User accessibility
HomeAndEndKeysModifier	User/MGS	ChromeOS 123+	User accessibility
InsertKeyModifier	User/MGS	ChromeOS 123+	User accessibility
PageUpAndPageDownKeysModifier	User/MGS	ChromeOS 123+	User accessibility
F11KeyModifier	User/MGS	ChromeOS 123+	User accessibility
F12KeyModifier	User/MGS	ChromeOS 123+	User accessibility
ChromeForTestingAllowed	User	ChromeOS 123+	User experience
DownloadManagerSaveToDriveSettings	User	ChromeOS 123+	User experience

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming browser changes

Default Search Engine choice screen
As part of our Digital Markets Act (DMA) compliance, Google is introducing choice screens for users to choose their default search engine within Chrome. The choice from the prompt controls the default search engine setting, currently available at chrome://settings/search.

For enterprises that have chosen to have their administrator set their enterprise users’ search settings using the enterprise policies DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, those policies continue to control their enterprise’s search settings. Where the administrator has not set their enterprise users’ search settings by policy, enterprise users might see a prompt to choose their default search engine within Chrome.

Read more about these policies and the related atomic group.
- Chrome 120 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: 1% users might start getting the choice screen with Chrome 120.
- Later this year on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: full roll-out for applicable users.

User link capturing on PWAs - Windows, MacOS and Linux

Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it easier to move between the browser and installed web apps. When the user clicks a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. When the user clicks the chip, this either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking a link always automatically opens the app.

Some issues were discovered with the current implementation, so we will not launch this feature in Chrome 123 as initially announced. We definitely plan to launch link capturing this year (bug).
- Chrome 121 on Linux, MacOS, Windows: When some users click a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Future milestone in 2024 on Linux, MacOS, Windows: We will launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if user clicks on chip on address bar).

Permissions prompt for Web MIDI API

The Web MIDI API connects to and interacts with Musical Instrument Digital Interface (MIDI) Devices. There have been several reported problems around Web MIDI API's drive-by access to client MIDI devices (see related Chromium bug). To address this problem, the W3C Audio Working Group decided to place an explicit permission on general Web MIDI API access. Originally, the explicit permission was only required for advanced Web MIDI usage in Chrome, including the ability to send and receive system exclusive (SysEx) messages, with gated access behind a permissions prompt. We now intend to expand the scope of the permission to regular Web MIDI API usage.

In Chrome 124, all access to the Web MIDI API will require a user permission. No policies will be available to control these changes. If you encounter any issues, file a bug here.
- Chrome 124 on Windows, MacOS, Linux, Android

Three Chrome extensions will be upgraded to Manifest V3

Three extensions will soon be updated to use Manifest V3: Legacy Browser Support for Edge, User-Agent Switcher, and Chrome Reporting.

This is a major update with a possibility for bugs, so you can try the Beta version of these extensions today. We encourage you to test them in your environment. If you encounter any issues, file a bug here.
The User-Agent Switcher URL parser changed, so make sure your existing user agent substitutions work with the new version.
- Chrome 124: All three extensions receive an update, on their stable version around April 30, 2024.

Bookmarks and reading list improvements on Android

On Chrome 124 on Android, some users who sign in to Chrome from the Bookmark manager will be able to use and save bookmarks and reading list items in their Google Account. Relevant enterprise policies, such as BrowserSignin, SyncTypesListDisabled, EditBookmarksEnabled, ManagedBookmarks and ShoppingListEnabled will continue to work as before, to configure whether users can use and save items in their Google Account.
- Chrome 124 on Android: Feature rolls out.

Deprecate enterprise policy used for throttling

The underlying code change (throttling same-process, cross-origin display:none iframes) that the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy overrides has been enabled in stable releases since early 2023. Since known issues have been dealt with, we intend to remove the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy by Chrome 124. The discussions around the throttling issue (and its resolution) can be found in this Chromium bug.
- Chrome 124: Policy is removed.

Chrome Desktop support for Windows ARM64

Chrome is rolling out support for Windows ARM64. We are working on publishing the Enterprise installers. You can continue to test the Canary channel and report bugs there. Note that this is subject to change based on overall stability, as well as feedback from customers. If you encounter any issues, file a bug here.
- Chrome 124 on Windows (ARM): New Enterprise installers are available.

Remove enterprise policy used for GREASE

We plan to deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year. The policy will eventually be removed.
- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows: Policy is deprecated.
- Chrome 126 on Android, ChromeOS, Linux, MacOS, Windows: Policy is removed.

Network Service on Windows will be sandboxed

To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 124 on Windows: Network Service sandboxed on Windows.

Deprecate and remove WebSQL

With SQLite over WASM as its official replacement, we plan to remove WebSQL entirely. This will help keep our users secure.

The Web SQL database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.

Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team.
- Chrome 101: In Chrome 101 the WebSQLAccess policy is added. WebSQL will be available when this policy is enabled, while the policy is available until Chrome 123.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a deprecation trial token is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy, or a deprecation trial token.
- Chrome 124: on ChromeOS, LaCrOS, Linux, MacOS, Windows, Android: Starting in Chrome 124, the policy WebSQLAccess and the deprecation trial, which allows for WebSQL to be available, will no longer be available.

Form controls support direction value in vertical writing mode
The CSS property writing-mode allows elements to go vertical, but users cannot set the direction in which the value changes. With this feature, we are allowing the form control elements (meter, progress and range) input type to have vertical writing mode and choose the form control's value direction. If direction is rtl, the value is rendered from bottom to top. If direction is ltr, the value is rendered from top to bottom. For more information, see this Chrome for Developers blog post.
- Chrome 124 on Windows, Mac, Linux, Android

Remove enterprise policies used for TLS handshake and RSA key usage

In Chrome 114, we introduced InsecureHashesInTLSHandshakesEnabled to control the use of legacy insecure hashes during the TLS handshake process. In Chrome 116, we introduced RSAKeyUsageForLocalAnchorsEnabled to check RSA key usage for server certificates issued by local trust anchors. In Chrome 124, both InsecureHashesInTLSHandshakesEnabled and RSAKeyUsageForLocalAnchorsEnabled policies will be removed.
- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows: InsecureHashesInTLSHandshakesEnabled and RSAKeyUsageForLocalAnchorsEnabled policies will be removed.

Shadow root cloneable attribute

The shadow root clonable attribute enables individual control over whether a shadow root is cloneable (via standard platform cloning commands such as `cloneNode()`). Imperative shadow roots can now be controlled via a parameter to `attachShadow({clonable:true})`. Declarative shadow roots can be controlled via a new attribute, `<template shadowrootmode=open shadowrootclonable>`.

Breakage can occur if you are:
1. using declarative shadow DOM
2. cloning templates that contain DSD and
3. expecting those clones to contain cloned shadow roots
- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows

Remove enterprise policy used for Base URL inheritance

In Chrome 114 we introduced NewBaseUrlInheritanceBehaviorAllowed to prevent users or Google Chrome variations from enabling NewBaseUrlInheritanceBehavior, in case compatibility issues were discovered. In Chrome 125 the temporary NewBaseUrlInheritanceBehaviorAllowed policy will be removed.
- Chrome 125 on Android, ChromeOS, Linux, MacOS, Windows: NewBaseUrlInheritanceBehaviorAllowed policy will be removed.

Intent to deprecate: mutation events

Synchronous mutation events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete mutation events must be removed or migrated to Mutation Observer. Starting in Chrome 124, a temporary enterprise policy, MutationEventsEnabled, will be available to re-enable deprecated or removed mutation events. If you encounter any issues, file a bug here.
- Chrome 127 on Android, ChromeOS, Linux, MacOS, Windows: Mutation events will stop functioning in Chrome 127, around July 30, 2024.

Remove enterprise policy used for legacy same site behavior

In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 128 on Android, ChromeOS, Linux, MacOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

All extensions must be updated to leverage Manifest V3 by June 2025

Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.

Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.

You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:
- Chrome 110 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Chrome 127 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Chrome will gradually disable Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.

Chrome will no longer support macOS 10.15

Chrome will no longer support macOS 10.15, which is already outside of its support window with Apple. Users have to update their operating systems to continue to use Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.15, Chrome continues to show an infobar that reminds users that Chrome 129 will no longer support macOS 10.15.
- Chrome 129 on MacOS: Chrome no longer supports macOS 10.15

↑ back to top

Upcoming ChromeOS changes

Record GIFs with Screen capture

As early as ChromeOS 124, Screen capture will let you record your screen in .GIF format to easily capture, share, and play the recording inline in chat, slides, docs, and more.

↑ back to top

Upcoming Admin console changes

Legacy Technology report
As early as Chrome 124, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, third-party cookies, SameSite cookie changes, and older security protocols like TLS 1.0/1.1 and third-party cookies. This information will enable IT administrators to work with developers to plan required tech migrations before the deprecation feature removals goes into effect.

This feature is currently released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- As early as Chrome 124 on Linux, MacOS, Windows: Legacy Technology report will be available in the Admin console.

Policy parity: Custom Configurations for IT admins
The Custom Configurations page allows IT admins to configure Chromium policies that are not yet in the Admin console, using JSON scripts. As a result, all Chrome policies are now configurable in Chrome Browser Cloud Management in the Admin console, either using the Settings page or the Custom Configurations page.
- As early as Chrome 124 on Android, iOS, Linux, Mac, Windows: Trusted Tester access
- As early as Chrome 125 on Android, iOS, Linux, Mac, Windows: Feature rolls out

↑ back to top

Chrome 122

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
Chrome Third-Party Cookie Deprecation (3PCD)	✓
Generative AI features		✓
Simplified sign-in and sync experience on iOS		✓	✓
SharedImages for PPAPI Video Decode	✓
New download URLs for Chrome browser (Enterprise)			✓
New V8 security setting	✓
Read aloud		✓
Removal of enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed			✓
Asynchronous server-side Safe Browsing check	✓
Improved download warnings on the Chrome Downloads page	✓
Skip unload events	✓
Autofill: security code updates		✓
Removing unenrollment from Unified Password Manager		✓
Chrome on iOS: bottom address bar		✓
DefaultSearchProvider policy changes			✓
Change in behavior of the JavaScript JIT policies	✓
New and updated policies in Chrome browser			✓
Removed policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Content scanning with BCE	✓
Battery Saver		✓
Enhanced SAML reauthentication flows	✓
Badge-based authentication	✓
Edit your recordings with Screencast		✓
IkeV2 VPN support	✓	✓
Mandatory extensions in Incognito	✓		✓
New look for ChromeOS media player		✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
Inactive browser deletion in Chrome Browser Cloud Management			✓
New policies in the Admin console			✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Default Search Engine choice screen		✓
User link capturing on PWAs - Windows, MacOS and Linux	✓
Resume tabs		✓
Chrome on Android or iOS: cross-device resumption		✓
Resume the last opened tab on any device		✓
Permissions prompt for Web MIDI API	✓
Network Service on Windows will be sandboxed	✓
Chrome Sync ends support for Chrome 81 and earlier	✓		✓
Deprecate and remove WebSQL	✓
IdleTimeout and IdleTimeoutActions Policies on iOS			✓
Cross Profile Password Reuse Detection	✓
Telemetry for permission prompts and accepting notification permissions	✓
ServiceWorker static routing API	✓
Private network access checks for navigation requests: warning-only mode	✓
Bookmarks and reading list improvements on Android		✓
Deprecate enterprise policy ThrottleNonVisibleCrossOriginIframesAllowed			✓
Remove support for UserAgentClientHintsGREASEUpdateEnabled			✓
Intent to deprecate: Mutation Events		✓
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy			✓
Extensions must be updated to leverage Manifest V3	✓	✓	✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
ChromeOS Flex Bluetooth Migration			✓
Customizing keyboard shortcuts		✓
Record GIFs with Screen capture		✓
Faster Split Screen setup		✓
Upcoming Admin console changes	Security/ Privacy	User productivity/ Apps	Management
Enhanced Settings page experience		✓
Chrome crash report			✓
Legacy Technology report			✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome browser updates

Chrome Third-Party Cookie Deprecation (3PCD)
As previously announced, Chrome 120 started to restrict third-party cookies by default for 1% of Chrome users to facilitate testing, and subsequent releases will ramp up to 100% of users as early as Q3 2024. The ramp up to 100% of users is subject to addressing any remaining competition concerns of the UK's Competition and Markets Authority (CMA). Browsers that are part of the 1% experiment group also see new Tracking Protection user controls. You can try out these changes in Chrome 120 or higher by enabling chrome://flags/#test-third-party-cookie-phaseout.

This testing period allows sites to meaningfully preview what it's like to operate in a world without third-party cookies. As bounce-tracking protections are also a part of 3PCD, the users in this group with third-party cookies blocked have bounce tracking mitigations taking effect, so that their state is cleared for sites that get classified as bounce trackers. Most enterprise users are excluded from this 1% experiment group automatically; however, we recommend that admins proactively use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies and opt out managed browsers ahead of the experiment. This gives enterprises time to make the changes required to avoid relying on this policy or on third-party cookies.

We are launching the Legacy Technology Report to help identify third-party cookies use cases. Admins can set the BlockThirdPartyCookies policy to false to re-enable third-party cookies for all sites but this will prevent users from changing the corresponding setting in Chrome. Alternatively, to prevent breakage, you can set the CookiesAllowedForUrls policy to allowlist your enterprise applications to continue receiving third-party cookies.

For enterprise end users that are pulled into this experiment group and that are not covered by either enterprise admin policy, they can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site, when necessary. See this help article for more details on how to toggle these settings for the desired configuration.

Bounce tracking protections are also covered by the same policies as cookies and these protections are enforced when the bouncing site is not permitted to use 3P cookies. So setting the BlockThirdPartyCookies policy to false, or setting the CookiesAllowedForUrls policy for a site, prevents bounce tracking mitigations from deleting state for sites.

Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial or the first-party deprecation trial for continued access to third-party cookies for a limited period of time.

The heuristics feature grants temporary third-party cookie access in limited scenarios based on user behavior. This mitigates site breakage caused by third-party cookie deprecation in established patterns, such as identity provider pop ups and redirects.

For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, MacOS, Windows
  1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.

Generative AI features
Starting in Chrome 122, there are 3 Generative AI (GenAI) features that are now also available for managed users that have signed into Chrome browser:
- Tab organizer: Chrome can automatically suggest tab groups for users based on the URL and title of opened websites. To use this feature, right-click on a tab, and select Organize similar tabs.
- Create themes with AI: Chrome lets users create a unique Chrome theme (a combination of a color and a wallpaper image) using GenAI. To use the feature, open a new tab, and at the bottom right, click Customize Chrome. On the side panel, select Change theme > Create with AI. Users can then choose from preset options for subject, mood, style, and color.
- Get help writing on the web with AI: This feature helps users write with more confidence and kickstart the writing process in free-form text fields on the web. To use this feature, right-click on a text field, and select Help me write (not available on ChromeOS).
Initially, these 3 features are only available to users in English in the US. Admins can control these by using the TabOrganizerSettings, CreateThemesSettings and HelpMeWriteSettings policies. For each feature, you have the following options for your organization:
- 0 = Enable the feature and send data to help improve AI models
- 1 = Enable the feature but don’t send data to help improve AI models
- 2 = Fully disable feature
You can find more information in the Tab group suggestions, Create themes, and Help me write help center articles.

Simplified sign-in and sync experience on iOS
Starting in Chrome 122, existing users on iOS with Chrome sync turned on now experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync no longer appears as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.

As before, the functionality that saves and accesses Chrome data in the Google Account can be turned off fully (via SyncDisabled) or partially (via SyncTypesListDisabled). Sign-in to Chrome can be required or disabled via BrowserSignin as before.

Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Chrome 117: no longer shows Chrome sync as a separate feature for users who didn't have Chrome sync enabled at the time.
- Chrome 122: no longer shows Chrome sync as a separate feature for users who had Chrome sync enabled by migrating them to an equivalent state.

SharedImages for PPAPI video decoder
Chrome 122 removes the PPAPISharedImagesForVideoDecoderAllowed policy, used to control the recent refactor for VideoDecoder APIs in PPAPI plugin. This policy was introduced on a temporary basis in Chrome 119.
- Chrome 119 on ChromeOS, LaCrOS: Introduces escape hatch policy.
- Chrome 122 on ChromeOS, LaCrOS: Escape hatch policy and corresponding old code paths are removed.

New download URLs for Chrome browser (Enterprise)
From February 8th, the main download pages for Chrome Browser Enterprise (Windows and MacOS) change to:
- Windows https://chromeenterprise.google/download/?modal-id=download-chrome-demo#windows-download
- MacOS https://chromeenterprise.google/download/?modal-id=download-chrome-demo#mac-download
To avoid disruption, enterprises that leverage automation to download Chrome need to change their scripts to capture these URL changes.

New V8 security setting
Chrome 122 adds a new setting on chrome://settings/security to disable the V8 JIT optimizers, to reduce the attack surface of Chrome browser. This behavior continues to be controlled by the DefaultJavaScriptJitSetting enterprise policy, and the associated JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies. The setting is integrated into Site Settings. The enterprise policies have been available since Chrome 93.
- Chrome 122 on ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia

Read aloud
Read aloud allows users of Chrome on Android to listen to web pages using text to speech technology. Users can now access this feature via the overflow menu and control playback via audio controls.

Read aloud sends the page URL to Google servers to power playback, and users who use it need to enable the settings menu item Make searches and browsing better.

Setting the ListenToThisPageEnabled policy to true allows users to have eligible web pages read aloud using text-to-speech. This is achieved by server side content distillation and audio synthesis. Setting to false disables this feature, and if this policy is set to default or left unset, Read aloud is enabled.
- Chrome 122 on Android: Feature launches

Removal of enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed
Chrome 122 removes the temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed, which was made available in Chrome 116 to give enterprises time to address possible breakage related to Chrome Apps webview usage changes.
- Chrome 122 on Linux, MacOS, Windows, ChromeOS: Enterprise Policy ChromeAppsWebViewPermissiveBehaviorAllowed removed

Asynchronous server-side Safe Browsing check
Today Safe Browsing checks are on the blocking path of page loads, meaning that users cannot see the page until the checks are complete. To improve Chrome's loading speed, checks with the server-side Safe Browsing list no longer block page loads in Chrome 122.

We have evaluated the risk and put mitigations in place:

1) To protect against direct exploits against the browser, local list checks are still conducted in a synchronous manner so that malicious payloads cannot run until the local list check is complete.

2) To protect against phishing attacks, we've looked at data and concluded that it is unlikely the user would have significantly interacted with the page (for example, typed a password) by the time we show a warning.
- Chrome 122 on Android, ChromeOS, LaCrOS, Linux, MacOS, Windows: Feature launches

Improved download warnings on the Chrome Downloads page
To help reduce consequences of downloading malware, we’re cleaning up desktop download warning strings and patterns to be clear and consistent.
- Chrome 122 on ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia: Feature launches

Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events.

In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of a Permissions-Policy API and an enterprise policy ForcePermissionPolicyUnloadDefaultEnabled, which allow you to selectively keep the behavior unchanged.
- Chrome 117 on ChromeOS, Linux, MacOS, Windows: Dev Trial
- Chrome 119 on ChromeOS, Linux, MacOS, Windows: Introduces ForcePermissionPolicyUnloadDefaultEnabled policy
- Chrome 122 -132 on ChromeOS, Linux, MacOS, Windows: Deprecation trial (general rollout of deprecation will be limited scope until deprecation trial is ready)
- Chrome 122 unload handlers will be gradually skipped for 1% of users on top-50 sites, as proposed here.

Autofill: security code updates
In Chrome 122, payments autofill allows you to save security codes for local and server cards to improve user experience. Security codes are only saved if a user consents to saving it. Users always have the option to turn security code saving off in Chrome Settings.
- Chrome 122 on Android, MacOS: feature rolls out

Removing unenrollment from Unified Password Manager
Chrome 122 removes unenrollment from Unified Password Manager on Android. When Google Play Services responds with an error users lose access to Password Manager features (password saving or updating, password generation) until the error is resolved. For some errors, there is an error message with an action button to resolve the problem. Other issues are supposed to be temporary (for example, during Google Play Services update).
- Chrome 122 on Android: feature rolls out

Chrome on iOS: bottom address bar on iPhone
We recently launched a customizable address bar that allows users to choose between a top and a bottom address bar on iPhone. The address bar position picker screen is now added to the First Run Experience.
- Chrome 122 on iOS: feature rolls out

DefaultSearchProvider policy changes
In Chrome 122, we are making some changes to the DefaultSearchProvider* policies. We have removed the DefaultSearchProviderIconURL on all platforms because Chrome now uses the favicon image provided by the search engine. DefaultSearchProviderKeyword and DefaultSearchProviderNewTabURL are not supported on iOS and Android, alongside (but support continues on) Linux, Mac OS and Windows. We fixed the supported platform set to reflect this.

Change in behavior of the JavaScript JIT policies
In Chrome 122, enabling the DefaultJavaScriptJitSetting policy and disabling JavaScript JIT no longer results in WebAssembly being fully disabled. The V8 optimizing JIT continues to be disabled by setting the DefaultJavaScriptJitSetting policy. This allows Chrome to render web content in a more secure configuration.

New and updated policies in Chrome browser

Policy	Description
InsecureFormsWarningsEnabled	Enable warnings for insecure forms (now available on iOS)
ListenToThisPageEnabled	Enable read aloud (text distillation and text-to-speech synthesis) for web pages

Removed policies in Chrome browser

Policy	Description
PPAPISharedImagesForVideoDecoderAllowed	Allow Pepper to use shared images for video decoding.
ChromeAppsWebViewPermissiveBehaviorAllowed	Restore permissive Chrome Apps webview behavior
DefaultSearchProviderIconURL	Default search provider icon (removed on all platforms)
DefaultSearchProviderKeyword	Default search provider keyword (removed on Android and iOS only)
DefaultSearchProviderNewTabURL	Default search provider new tab page URL (removed on Android and iOS only)

ChromeOS updates

Content scanning with BCE
ChromeOS data controls are a set of controls that are applied by the admin, which protect users from data leakage on endpoints using a Data Loss Prevention (DLP) layer in ChromeOS. For details, see this help center article. BeyondCorp Enterprise (BCE) enables continuous and real-time end-to-end protection. Content scanning with BCE is a new way to evaluate and enforce data controls restrictions on file transfers based on signals from BeyondCorp Enterprise.

Battery Saver
As early as ChromeOS 122, Battery Saver is available to reduce brightness on both display and keyboard backlight, throttle display refresh rate and available compute budget, and also turn off certain energy-intensive background functions to allow users squeeze more battery life out of their devices. This helps when users need that last couple minutes to finish a task and don't have a charger handy. When enabled, Battery Saver switches on automatically when the user's battery level reaches 20%. You can control this feature using the BatterySaverModeAvailability enterprise policy.

Enhanced SAML reauthentication flows
To optimize the sign-on experience of our customers, we've introduced certain internal changes to our SAML single sign-on implementation. These changes will impact customers with misconfigured SAML settings.
In particular if you set the policy LoginAuthenticationBehavior to Redirect to SAML IdP by default, ensure that the Single Sign-on policy is set to Enable SAML, otherwise your SAML-based IdP won’t be loaded anymore.

Badge-based authentication
From ChromeOS 122, certain third-party Identity Management Providers (IdPs) can use badge authentication on ChromeOS devices. Users can simply start a session with a badge tap, and leave the session with another badge tap. The solution is focused on frontline workers in various industries including retail, hospitality, and manufacturing.

In ChromeOS 122, we are starting with the Ilex Card Management System, but we aim to add additional reader and authentication partners in the upcoming months. If you want to learn more, see Set up badge-based authentication.

Edit your recordings with Screencast
With ChromeOS Screencast, users can create and share transcribed screen recordings. As early as ChromeOS 122, users can trim their screencasts sentence-by-sentence, add and remove paragraph breaks, mute segments of their recordings, and title sections to make long recordings easier to navigate.

IKEv2 VPN support
ChromeOS 122 includes new options in the Admin console for Internet Key Exchange Protocol Version 2 (IKEv2) VPN protocol.

Mandatory extensions in Incognito
Admins can now specify if there are certain extensions that users must turn on to use Incognito mode. There is a new toggle in Admin console > Apps & extensions that can be applied for individual extensions. This allows enterprises that have debugging or multi-account use cases that rely on Incognito mode to safely leave it enabled across their managed fleet. If they want to use Incognito mode, users need to turn on Allow in Incognito for all required enterprise extensions.

New look for ChromeOS media player
ChromeOS media player will soon have bigger buttons and colors to match your wallpaper. The media player will appear when you are playing any video or audio (like Spotify or YouTube) in Quick Settings. You will be able to click the pin icon to move the media player to the shelf. In addition to controlling media that is being cast, you will be able to start casting web media to any speakers or screens on your local network.

Admin console updates

Inactive browser deletion in Chrome Browser Cloud Management
As early as March 2024, the Inactive period for browser deletion policy will automatically delete browser data in the Admin console for managed browsers that have not contacted the server for more than the inactivity period of time determined by the policy. When releasing the policy, the inactivity period of time will have a default value of 540 days. All enrolled browsers that have been inactive for more than 540 days will be deleted from your account shortly after the release of this policy. Administrators can change the inactive period value using this policy. The maximum value to determine the browser inactivity period will be 730 days and the minimum value is 28 days.

If you lower the set policy value, it might have a global impact on any currently enrolled browsers. All impacted browsers will be considered inactive and, therefore, be irreversibly deleted. To ensure the deleted browsers re-enroll automatically next time they restart, set the Device Token Management policy value to Delete token before lowering the value of this policy. The enrollment tokens on these browsers need to still be valid at the time of the restart.
- As early as Chrome 122: The Inactive period for browser deletion policy UI will be available for early access in the Admin console. For IT admins who find the 18 month default inadequate, this will allow them to explicitly set a policy value (inactivity period of time) a few weeks before the actual deletion starts.

New policies in Admin console

Policy Name	Pages	Supported on	Category/Field
AlwaysOnVpnPreConnectUrlAllowlist	User/MGS	ChromeOS 122+	Network
DeviceSwitchFunctionKeysBehaviorEnabled	Device	ChromeOS 122+	Other settings
HelpMeWriteSettings	User	Chrome/ChromeOS 121+	Generative AI
CreateThemesSettings	User	Chrome/ChromeOS 121+	Generative AI
TabOrganizerSettings	User	Chrome/ChromeOS 121+	Generative AI

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming browser changes

Default Search Engine choice screen
As part of our Digital Markets Act (DMA) compliance, Google is introducing choice screens for users to choose their default search engine within Chrome. The choice from the prompt controls the default search engine setting, currently available at chrome://settings/search.

For enterprises that have chosen to have their administrator set their enterprise users’ search settings using the enterprise policies DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, those policies continue to control their enterprise’s search settings. Where the administrator has not set their enterprise users’ search settings by policy, enterprise users might see a prompt to choose their default search engine within Chrome.

Read more about these policies and the related atomic group.
- Chrome 120 on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: 1% users might start getting the choice screen with Chrome 120.
- Later this year on iOS, ChromeOS, LaCrOS, Linux, MacOS, Windows: full roll-out for applicable users

User link capturing on PWAs - Windows, MacOS and Linux
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it more seamless to move between the browser and installed web apps. When the user clicks on a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. Clicking on the chip either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking on a link always automatically opens the app.
- Chrome 121 on Linux, MacOS, Windows: When some users click on a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar, clicking on which will launch the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 123 on Linux, MacOS, Windows: Based on the outcome of the experiment in Chrome 121, we will launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if user clicks on chip on address bar).

Resume tabs

Chrome 123 will introduce a new card on the New tab page, which will help users continue with tab suggestions from other devices. Using the NTPCardsVisible policy, admins will be available to control this feature.
- Chrome 123 on ChromeOS, Linux, Mac, Windows

Chrome on Android and iOS: cross-device resumption

To help users resume tasks originating from other devices, Chrome will provide cross-device tab suggestions on the New tab page or Home surfaces on Chrome on Android and Chrome on iOS. This component will be displayed within the existing continue browsing card on Start and the Magic Stack on Chrome on Android and Chrome on iOS.
- Chrome 123 on Android, iOS: Feature launches

Resume the last opened tab on any device

For the last open tab on any device within the last 24 hours with the same signed-in user profile, Chrome will offer users with a quick shortcut to resume that tab. Admins will be able to control this feature using an existing enterprise policy called SyncTypesListDisabled.
- Chrome 123 on iOS: Feature launches

Permissions prompt for Web MIDI API
The Web MIDI API connects to and interacts with Musical Instrument Digital Interface (MIDI) Devices. There have been several reported problems around Web MIDI API's drive-by access to client MIDI devices (see related Chromium bug). To address this problem, the W3C Audio Working Group decided to place an explicit permission on general Web MIDI API access. Originally, the explicit permission was only required for advanced Web MIDI usage in Chrome, including the ability to send and receive system exclusive (SysEx) messages, with gated access behind a permissions prompt. We now intend to expand the scope of the permission to regular Web MIDI API usage.

In Chrome 123, all access to the Web MIDI API will require a user permission. No policies will be available to control these changes. If you encounter any issues, file a bug here.
- Chrome 123 on Windows, MacOS, Linux, Android

Network Service on Windows will be sandboxed
To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 123 on Windows: Network Service sandboxed on Windows

Chrome Sync ends support for Chrome 81 and earlier
Chrome Sync will no longer support Chrome 81 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 123 on Android, iOS, ChromeOS, Linux, MacOS, Windows: The change will be implemented.

Deprecate and remove WebSQL
With SQLite over WASM as its official replacement, we plan to remove WebSQL entirely. This will help keep our users secure.

The Web SQL database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.

Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team.
- Chrome 101: In Chrome 101 the WebSQLAccess policy is added. WebSQL will be available when this policy is enabled, while the policy is available until Chrome 123.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a deprecation trial token is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy, or a deprecation trial token.
- Chrome 123: on ChromeOS, LaCrOS, Linux, MacOS, Windows, Android: Starting in Chrome 123, the policy WebSQLAccess and the deprecation trial, which allows for WebSQL to be available, will no longer be available.

IdleTimeout and IdleTimeoutActions policies on iOS
Enterprises are now able to enforce taking an action after Chrome has been idle for some amount of time on iOS devices. Admins can use the IdleTimeout policy to set a timeout period and the IdleTimeoutActions policy to specify actions on timeout. The setting will be available as a platform policy and will be available per profile at a future date.
- Chrome 123 on iOS: policies available on iOS

Cross-profile password reuse detection
Previously, password reuse detection of corporate credentials was only detectable in the corporate profile. In Chrome 123, password reuse detection will detect corporate credential reuse across all non-Incognito profiles on the managed browser.
- Chrome 123: feature rolls out

Telemetry for permission prompts and accepting notification permissions
When Enhanced Protection is turned on, and a user visits a page that prompts the user to accept a notification permission, attributes of that page might be sent to Safe Browsing. If the telemetry is sent and the page is deemed dangerous, users will see a Safe Browsing warning.

When Enhanced Protection or Safe Browsing Extended Reporting is turned on, and a user accepts a notification permission for a blocklisted page, this event will be sent to Safe Browsing.

These features can be controlled by the SafeBrowsingProtectionLevel and SafeBrowsingExtendedReportingEnabled policies.
- Chrome 123 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia

ServiceWorker static routing API
This API allows developers to configure the routing, and allows them to offload simple things ServiceWorkers do. If the condition matches, the navigation happens without starting ServiceWorkers or executing JavaScript, which allows web pages to avoid performance penalties due to ServiceWorker interceptions.
- Chrome 123 on Windows, Mac, Linux, Android

Private network access checks for navigation requests: warning-only mode
Before a website navigates to a destination site in a user's private network, Chrome will do the following:

1. Checks whether the original navigation request has been initiated from a secure context.

2. Sends a preflight request, and checks whether the destination site responds with a header that allows private network access.

The above checks are made to protect the user's private network. Since this feature operates in warning-only mode, we do not fail the requests if any of the checks fail. Instead, a warning will be shown in DevTools Chrome console, to help developers prepare for the coming enforcement. To read about these changes, see Private Network Access (PNA) for Navigation Requests. To learn more, see the PNA specification.
- Chrome 123 on Android (except for WebView), ChromeOS, Linux, MacOS, Windows

Bookmarks and reading list improvements on Android
On Chrome 124 on Android, some users who sign in to Chrome from the bookmark manager will be able to use and save bookmarks and reading list items in their Google Account. Relevant enterprise policies, such as BrowserSignin, SyncTypesListDisabled, EditBookmarksEnabled, ManagedBookmarks and ShoppingListEnabled will continue to work as before, to configure whether users can use and save items in their Google Account.
- Chrome 124 on Android: Feature rolls out

Deprecate enterprise policy ThrottleNonVisibleCrossOriginIframesAllowed
The underlying code change (throttling same-process, cross-origin display:none iframes) that the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy overrides has been enabled in stable releases since early 2023. Since known issues have been dealt with, we intend to remove the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy by Chrome 124. The discussions around the throttling issue (and its resolution) can be found at https://bugs.chromium.org/p/chromium/issues/detail?id=958475.
- Chrome 124: Policy is removed

Remove support for UserAgentClientHintsGREASEUpdateEnabled
We plan to deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year. The policy will eventually be removed.
- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows: Policy is deprecated
- Chrome 126 on Android, ChromeOS, Linux, MacOS, Windows: Policy is removed

Intent to deprecate: Mutation Events

Synchronous Mutation Events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.
- Chrome 127 on Android, ChromeOS, Linux, MacOS, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.

Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 128 on Android, ChromeOS, Linux, MacOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

Extensions must be updated to leverage Manifest V3 by June 2025

Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:
- Chrome 110 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Chrome 127 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Chrome will gradually disabled Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.

↑ back to top

Upcoming ChromeOS changes

ChromeOS Flex Bluetooth Migration

In ChromeOS 123, ChromeOS Flex will be upgrading to the Floss Bluetooth stack. As part of this upgrade the following devices will no longer support Bluetooth functionality. If Bluetooth functionality is critical for these devices, we recommend moving these devices to the LTS channel to extend the Bluetooth functionality through to October 2024.
- HP Probook 4530s
- Lenovo ThinkPad T420
- HP Elitebook 8460p
- Apple iMac 11,2
- Lenovo ThinkPad x220
- Dell Vostro 3550
- HP 3115m
- HP Elitebook 2560p
- HP ProBook 6465b
- Lenovo ThinkPad L420
If your devices are unable to connect to Bluetooth after updating to ChromeOS 123, switch the Chrome flag Use Floss instead of BlueZ to Disabled.

Customizing keyboard shortcuts

Using shortcuts boosts productivity, and we all have our favorites. As early as ChromeOS 123, with shortcut customization, you will be able to assign your preferred key combination to personalize your shortcuts. Whether you want them to be easier to do with one hand, simpler to remember, or identical to the ones you're familiar with, this feature will simplify your day-to-day workflows.

Record GIFs with Screen capture

As early as ChromeOS 124, Screen capture will let you record your screen in .GIF format to easily capture, share, and play the recording inline in chat, slides, docs, and more.

Faster Split Screen setup

Chromebooks provide a variety of ways to arrange the windows on your screen to help make you more productive — one of which is Split Screen. Just as it sounds, Faster Split Screen Setup will offer a quicker way to set up your window layout by showing an overview of your open windows on the other side of the screen. With Faster Split Screen, once you "snap" (or lock) a window in place on one side, you can choose an already-open window from Overview to snap into the other side, or select something from the shelf (the row of apps located at the bottom or side of your screen).

Refer to the ChromeOS release schedule for release dates and updates.

↑ back to top

Upcoming Admin console changes

Enhanced Settings page experience
Starting in March 2024, all admins will use our updated Settings page experience–that means you’ll no longer be able to use the legacy Settings page experience. Most of you already use the updated experience. This just means that admins will no longer be able to access the legacy view, but you'll still have access to all the same functionality in the updated view.

Chrome crash report

As early as Chrome 123, you will be able to visualize crash events in the Admin console using the new Chrome crash report page. In this report, you will find a dynamic chart representing Chrome crash events over time, grouped by versions of Chrome. Additional filtering is available for the following fields: OS platforms, Chrome channels and dates. This report will help you proactively identify potential Chrome issues within your organization.

This feature is now released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- Chrome 121 on Linux, MacOS, Windows: Trusted Tester program
- Chrome 123 on Linux, MacOS, Windows: Feature rolls out

Legacy Technology report

As early as Chrome 123, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, third-party cookies, SameSite cookie changes, and older security protocols like TLS 1.0/1.1 and third-party cookies. This information will enable IT administrators to work with developers to plan required tech migrations before the deprecation feature removals goes into effect.

This feature is currently released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- As early as Chrome 123 on Linux, MacOS, Windows

↑ back to top

Chrome 121

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
Chrome Third-Party Cookie Deprecation (3PCD)	✓
Rename FirstPartySets Enterprise Policies to RelatedWebsiteSets	✓		✓
Tab organizer		✓
Create themes with AI		✓
Safer encrypted archives for Standard Safe Browsing users	✓
User Link Capturing on PWAs - Windows, MacOS and Linux	✓
Side Panel Navigation: Pinning or unpinning		✓
Autofill: display in server cards and local cards	✓
Autofill: changes in card verification	✓
CSS Highlight Inheritance	✓
Chrome user policies for iOS			✓
Skip unload events	✓
New and updated policies in Chrome browser			✓
Removed policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
ChromeOS Flex End of Device Support			✓
Enable dictation using the keyboard		✓
ChromeVox Accessibility service		✓
No more onboarding messages for Assistant		✓
New trackpad gesture on ChromeOS		✓
Integrate the DLP events rule Id and name into the security investigation tool	✓
Enterprise DataControls (DLP) file restrictions	✓
Borderless printing		✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
Configure IP address on device with Ethernet adapter	✓		✓
Apps & Extensions usage report: Highlight extensions removed from the Chrome Web Store			✓
Chrome crash report			✓
Fix for certain Android WiFi certificates			✓
New policies in the Admin console			✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Default Search Engine choice screen		✓
Get help writing on the web with AI		✓
Simplified sign-in and sync experience		✓	✓
Permissions prompt for Web MIDI API	✓
SharedImages for PPAPI Video Decode	✓
V8 security setting	✓
Read aloud		✓
Network Service on Windows will be sandboxed	✓
Removal of enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed			✓
Asynchronous server-side Safe Browsing check	✓
Improved download warnings on the Chrome Downloads page	✓
Resume the last opened tab on any device		✓
Chrome Sync ends support for Chrome 81 and earlier	✓		✓
Deprecate and remove WebSQL	✓
Deprecate enterprise policy ThrottleNonVisibleCrossOriginIframesAllowed			✓
Remove support for UserAgentClientHintsGREASEUpdateEnabled			✓
Intent to deprecate: Mutation Events		✓
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy			✓
Extensions must be updated to leverage Manifest V3	✓	✓	✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
ChromeOS Flex Bluetooth Migration			✓
New look for ChromeOS media player		✓
App disablement by Admin in MGS			✓
Battery Saver		✓
Upcoming Admin console changes	Security/ Privacy	User productivity/ Apps	Management
Inactive browser deletion in Chrome Browser Cloud Management			✓
Legacy Technology report			✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome browser updates

Chrome Third-Party Cookie Deprecation (3PCD)
As previously announced, Chrome 121 restricts third-party cookies by default for 1% of Chrome users to facilitate testing, and plans to ramp up to 100% of users from Q3 2024. The ramp up to 100% of users is subject to addressing any remaining competition concerns of the UK's Competition and Markets Authority (CMA). Browsers that are part of the 1% experiment group will also see new Tracking Protection user controls. You can try out these changes in Chrome 121 or higher by enabling chrome://flags/#test-third-party-cookie-phaseout.

This testing period allows sites to meaningfully preview what it's like to operate in a world without third-party cookies. As bounce-tracking protections are also a part of 3PCD, the users in this group with third-party cookies blocked have bounce tracking mitigations taking effect, so that their state is cleared for sites that get classified as bounce trackers. Most enterprise users should be excluded from this 1% experiment group automatically; however, we recommend that admins proactively use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies and opt out their managed browsers ahead of the experiment. This gives enterprises time to make the changes required to not rely on this policy or third-party cookies.

We are launching the Legacy Technology Report to help identify third-party cookies use cases. Admins can set the BlockThirdPartyCookies policy to false to re-enable third-party cookies for all sites but this will prevent users from changing the corresponding setting in Chrome. Alternatively, to prevent breakage, you can set the CookiesAllowedForUrls policy to allowlist your enterprise applications to continue receiving third-party cookies.

For enterprise end users that are pulled into this experiment group and that are not covered by either enterprise admin policy, they can use the eye icon in the omnibox to temporarily re-enable third-party cookies for 90 days on a given site, when necessary. See this help article for more details on how to toggle these settings for the desired configuration.

Bounce tracking protections are also covered by the same policies as cookies and these protections are enforced when the bouncing site is not permitted to use 3P cookies. So setting the BlockThirdPartyCookies policy to false, or setting the CookiesAllowedForUrls policy for a site, prevents bounce tracking mitigations from deleting state for sites.

Enterprise SaaS integrations used in a cross-site context for non-advertising use cases can register for the third-party deprecation trial for continued access to third-party cookies for a limited period of time.

The heuristics feature grants temporary third-party cookie access in limited scenarios based on user behavior. This mitigates site breakage caused by third-party cookie deprecation in established patterns, such as identity provider pop ups and redirects.

For more details on how to prepare, provide feedback and report potential site issues, refer to our updated landing page on preparing for the end of third-party cookies.
- Starting in Chrome 120 on ChromeOS, Linux, MacOS, Windows
  1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.

Rename FirstPartySets policies to RelatedWebsiteSets
The FirstPartySetsEnabled and FirstPartySetsOverrides enterprise policies are renamed to RelatedWebsiteSetsEnabled and RelatedWebsiteSetsOverrides respectively. There is no change in policy behavior. Administrators should use the new policies RelatedWebsiteSetsEnabled and RelatedWebsiteSetsOverrides going forward. To learn more about the rename, follow https://developer.chrome.com/blog/related-website-sets/

Tab organizer
Tab organizer is a GenAI-powered feature where Chrome automatically suggests and creates tab groups for users based on the URL and title of opened websites. To use this feature, right-click on a tab, and select Organize similar tabs.

Starting in Chrome 121, a limited set of signed-in users in the US can turn on Tab organizer in Chrome settings. This feature is initially available to unmanaged users only, and is inaccessible to managed Chrome Enterprise & Education users in Chrome 121. To learn more, read this blog post. In the coming weeks, we will provide more details about Tab organizer in the Chrome Enterprise & Education help center.

In advance of this feature rolling out to managed users, Admins can control Tab organizer using the TabOrganizerSettings policy. You have the following options for your organization:

  0 = Enable the feature and send data to help improve AI models
  1 = Enable the feature but don’t send data to help improve AI models
  2 = Fully disable feature

Create themes with AI
Create themes with AI in Chrome lets users create a unique Chrome theme (a combination of a color and a wallpaper image) using GenAI. To use the feature, open a new tab, and at the bottom right, click Customize Chrome. On the side panel, select Change theme > Create with AI. Users can then choose from preset options for subject, mood, style, and color.

Starting in Chrome 121, a limited set of signed-in users in the US can create themes with AI by turning on the feature in Chrome settings. This feature is initially available to unmanaged users only, and is inaccessible to managed Chrome Enterprise & Education users in Chrome 121. To learn more, read this blog post. In the coming weeks, we will provide more details about Create themes with AI in the Chrome Enterprise & Education help center.

In advance of this feature rolling out to managed users, Admins can control Create themes with AI using the CreateThemesSettings policy. You have the following options for your organization:

  0 = Enable the feature and send data to help improve AI models
  1 = Enable the feature but don’t send data to help improve AI models
  2 = Fully disable feature

Safer encrypted archives for Standard Safe Browsing users
On some encrypted archive downloads, Chrome prompts Standard Safe Browsing users for a password (not shared with Google and cleared after retrieving the metadata). This collects more metadata about the download (such as contained file hashes and executable signatures), which is sent to Google for better quality verdicts. The password remains local and not shared with Google. You can control this feature with the SafeBrowsingDeepScanningEnabled policy.
- Chrome 121 on Linux, MacOS, Windows

User Link Capturing on PWAs - Windows, MacOS and Linux
Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome makes it more seamless to move between the browser and installed web apps. When the user clicks on a link that could be handled by an installed web app, Chrome adds a chip in the address bar to suggest switching over to the app. Clicking on the chip either launches the app directly, or opens a grid of apps that can support that link. For some users, clicking on a link always automatically opens the app.
- Chrome 121 on Linux, MacOS, Windows: When some users click on a link, it always opens in an installed PWA, while some users see the link open in a new tab with a chip in the address bar; clicking on the chip launches the app. A flag is available to control this feature: chrome://flags/#enable-user-link-capturing-pwa.
- Chrome 123 on Linux, MacOS, Windows: Based on the outcome of the experiment in Chrome 121, we will launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if user clicks on chip on address bar).

Side Panel Navigation: Pinning or unpinning
As early as Chrome 121, Chrome removes the side panel icon in favor of evolving the side panel navigation to offer customization through toolbar pinning. This allows for efficient direct access to a suite of panels. You can open most side panel features through the Chrome menu ().
- Chrome 121 on Chrome OS, LaCrOS, Linux, MacOS, Windows, Fuchsia

Autofill: display in server cards and local cards
Autofill helps users seamlessly fill out their card information into payment forms. Credit or debit cards, which can be autofilled, are stored on the Chrome client. There are 2 types: Server cards and Local cards. A server card only has the last 4 digits and the expiry date of the card whereas a local card has all the digits of a card along with the expiry date.

There are instances when a local and server card of the same card exist on the same client. When that happens, Chrome typically dedupes the server card and only offers the local card for autofilling. With this change, the opposite is true, and server card usage is now offered to users instead. This brings the security and usability benefits of GPay server cards to users with duplicate cards, as well as makes the experience more consistent across devices.
- Chrome 121 on Chrome OS, LaCrOS, Linux, MacOS, Windows, Fuchsia

Autofill: security code updates
In Chrome 121, to improve user experience, payments autofill now unmasks card information using Google’s industry leading verification methods instead of relying on security codes to verify and unmask cards. Users can choose to turn on device unlock if they want to add an extra layer of security for unmasking their card.
- Chrome 121 on Android, MacOS

CSS Highlight Inheritance
With CSS Highlight Inheritance, the CSS Highlight pseudo classes, such as ::selection and ::highlight, inherit their properties through the pseudo highlight chain, rather than the element chain. The result is a more intuitive model for inheritance of properties in highlights. Specifically, when any supported property is not given a value by the cascade, its specified value is determined by inheritance from the corresponding highlight pseudo-element of its originating element’s parent element. For more details, see the Highlight Pseudo-elements specification.
- Chrome 121 on Windows, MacOS, Linux, Android

Chrome user policies for iOS
With Chrome user policies for iOS, admins can apply policies and preferences across a user's devices. Settings apply whenever the user signs in to Chrome browser with their managed account on any device, including personal devices.

In Chrome 120, we began rollout but rolled back due to a non-impacting bug. Starting in Chrome 121, managed end-users start to see a management notice stating that their organization manages the account they are signing into. Admins can turn on this functionality in the Admin console under the Chrome on iOS setting. For more information, see Set Chrome policies for users or browsers.
- Chrome 120 on iOS: Started rollout to 5%, rolled back due to non-impacting bug
- Chrome 121 on iOS: Begin gradual rollout, targeting 100% by M122

Skip unload events
The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events.

In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of a Permissions-Policy API and an enterprise policy ForcePermissionPolicyUnloadDefaultEnabled, which allow you to selectively keep the behavior unchanged.
- Chrome 117 on Chrome OS, Linux, MacOS, Windows: Dev Trial
- Chrome 119 on Chrome OS, Linux, MacOS, Windows: Introduces ForcePermissionPolicyUnloadDefaultEnabled policy
- Chrome 121 -131 on Chrome OS, Linux, MacOS, Windows: Deprecation trial (general rollout of deprecation will be limited scope until deprecation trial is ready)

New and updated policies in Chrome browser

Policy	Description
AllowChromeDataInBackups	Allow backup of Google Chrome data
CloudUserPolicyMerge	Enables merging of user cloud policies into machine-level policies (now available on iOS)
ProfileReauthPrompt	Prompt users to re-authenticate to the profile
HelpMeWriteSettings	Allow help me write feature
TabOrganizerSettings	Allow tab organization feature
CreateThemesSettings	Create themes with AI

Removed policies in Chrome browser

Policy	Description
ChromeRootStoreEnabled	Determines whether the Chrome Root Store and built-in certificate verifier will be used to verify server certificates
ContextAwareAccessSignalsAllowlist	Enable the Chrome Enterprise Device Trust Connector attestation flow for a list of URLs
WebRtcAllowLegacyTLSProtocols	Allow legacy TLS/DTLS downgrade in WebRTC
OffsetParentNewSpecBehaviorEnabled	Control the new behavior of HTMLElement.offsetParent
SendMouseEventsDisabledFormControlsEnabled	Control the new behavior for event dispatching on disabled form controls
AttestationEnabledForDevice	Enable remote attestation for the device

ChromeOS updates

ChromeOS Flex End of Device Support

As of January 01, 2024, devices scheduled to end support in 2023 will no longer be supported. Decertified devices include those listed below; for the full list of devices ending support you can review our Certified models list.
- HP Compaq 6005 Pro
- HP Compaq Elite 8100
- Lenovo ThinkCentre M77
- HP ProBook 6550b
- HP 630
- Dell Optiplex 980
The devices will continue to receive ChromeOS Flex updates but these updates will no longer be tested or maintained by the Flex team. We recommend that customers upgrade to newer ChromeOS Flex certified models or ChromeOS devices to benefit from new features and security improvements. You can learn more about supported devices in our help center.

Enable dictation using the keyboard

Logitech keyboards with a dictation button and other keyboards using the Search + D shortcut now turn on the Dictation accessibility feature if it is off. If Dictation is already on, then the key (and the shortcut) will activate Dictation. When enabling dictation, a dialog will appear to inform users they are about to enable Dictation, certain speech files might be downloaded and how to use the dictation feature once it is enabled.

ChromeVox Accessibility service

Users of App Streaming on Chromebooks will now be able to use ChromeVox to navigate the streaming Android app. The streaming Android app's accessibility tree is streamed in tandem with the app itself and can be interacted with using ChromeOS screen reader capabilities.

No more onboarding messages for Assistant

ChromeOS 121 removes the welcome or onboarding messages offered to a new user when launching Assistant on ChromeOS for the first time. This is a deprecation.

New trackpad gesture on ChromeOS

ChromeOS 121 launches a new trackpad gesture to help users dismiss notification popups in the notification center.

Integrate the DLP events rule Id and name into the security investigation tool

ChromeOS Data Control events will have additional fields to enrich admin insights in the security investigation tool.

Enterprise DataControls (DLP) file restrictions

In ChromeOS 121, ChromeOS Data Controls enable IT and Security teams to protect important business and customer data. It is available for events like copy and paste, screen capture, screen sharing, and printing. IT administrators can create an information protection strategy with rules based on the data source, destination and user.
We now have new functionality to control what users can do with files on ChromeOS devices through source and destination based rules.

Borderless printing

ChromeOS now supports borderless printing. With a compatible printer, you can now print photographs on photograph paper, without borders.

Admin console updates

Configure IP address on device with Ethernet adapter

The Admin console setting Allow IP address to be configured on the device (ChromeOS only) and Allow users to modify these values (in DNS settings) is now also respected for Ethernet adapters.

Apps & Extensions usage report: Highlight extensions removed from the Chrome Web Store

In Chrome 121, new information on the Apps & Extensions usage report is available to help you identify if an extension was recently removed from the Chrome Web Store via a new notifications column and a new Chrome Web Store column that represents the listing status of an extension. On the App Details page, you can find the reason why an extension was removed from the Chrome Web Store. This feature will help IT administrators identify the impact of using the policy to disable unpublished extensions.
- Chrome 120 on Linux, MacOS, Windows: Trusted Tester program
- Chrome 121 on Linux, MacOS, Windows: Feature rolls out
Extensions & apps usage report:

App Details page:

Chrome crash report

As early as Chrome 122, you will be able to visualize crash events in the Admin console using the new Chrome crash report page. In this report, you will find a dynamic chart representing Chrome crash events over time, grouped by versions of Chrome. Additional filtering is available for the following fields: OS platforms, Chrome channels and dates. This report will help you proactively identify potential Chrome issues within your organization.

This feature is now released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- Chrome 121 on Linux, MacOS, Windows: Trusted Tester program
- Chrome 122 on Linux, MacOS, Windows: Feature rolls out

Fix for certain Android WiFi certificates (early Feb 2024)

Required as of Android 13, for certain WiFi configurations using enterprise authentication (802.1X), a new required field, called DomainSuffixMatch, was added for additional security. Before updating your fleet to Android 13, you need to edit the new field of that network's settings, Server Certificate Authority, to add at least one Server Certificate Domain Suffix Match. The device will only connect to the WiFi network if the server certificate presented by the remote end has a Subject CommonName or DNS Name SubjectAlternativeName (SAN) that matches the provided suffix.

New policies in Admin console

Policy Name	Pages	Supported on	Category/Field
AllowChromeDataInBackups	User & Browser	Chrome (iOS)	Other Settings
OopPrintDriversAllowed	User & Browser	Chrome (Linux, MacOS, Windows)	Printing

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming browser changes

Default Search Engine choice screen

Starting Chrome 120, enterprise end-users might be prompted to choose their default search engine within Chrome.

As part of our building for DMA compliance, some users will be prompted to choose their default search engine for Chrome. This prompt controls the default search engine setting, currently available at chrome://settings/search. The enterprise policies, DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, will continue to control this setting as it does today, if it is set by the IT admin. Read more on this policy and the related atomic group.
- Chrome 120 on iOS, Chrome OS, LaCrOS, Linux, MacOS, Windows: 1% users might start getting the choice screen with Chrome 120.
- Chrome 122 on iOS, Chrome OS, LaCrOS, Linux, MacOS, Windows: full roll-out for applicable users.

Get help writing on the web with AI
In Chrome 122, we’ll roll out an experimental GenAI-powered feature to help users write on the web. This tool can help users write with more confidence and kickstart the writing process for users in free-form text fields on the web.

Starting in Chrome 122, a limited set of signed-in users in the US will be able to turn on Help me write in Chrome settings. In Chrome 122, this feature will initially be available to unmanaged users only, and will be inaccessible to managed Chrome Enterprise & Education users. To learn more, read this blog post. In the coming weeks, we will provide more details about Help me write in the Chrome Enterprise & Education help center.

Admins will be able to control Help me write using the HelpMeWriteSettings policy. You will have the following options for your organization:

  0 = Enable the feature and send data to help improve AI models
  1 = Enable the feature but don’t send data to help improve AI models
  2 = Fully disable feature

Simplified sign-in and sync experience

Starting in Chrome 122, existing users with Chrome sync turned on will experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.
As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off fully (via SyncDisabled) or partially (via SyncTypesListDisabled). Sign-in to Chrome can be required or disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Chrome 117: sunset Chrome sync for users who didn't have Chrome sync enabled at the time.
- Chrome 122: sunset Chrome sync for users with Chrome sync enabled by migrating them to an equivalent state.

Permissions prompt for Web MIDI API

There have been several reported problems around Web MIDI API's drive-by access to client MIDI devices (bugs). To address this problem, the Audio WG decided to place an explicit permission on the general MIDI API access. Originally, the explicit permission was only required for advanced MIDI usage (System Exclusive (SysEx) messages) in Chrome, with gated access behind a permissions prompt. We plan to expand the scope of the permission to regular MIDI API usage.
Today the use of SysEx messages with the Web MIDI API requires an explicit user permission. With this implementation, even access to the Web MIDI API without SysEx support will require a user permission. Three new policies—DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls—will be available to allow administrators to pre-configure user access to the API.
- Chrome 122 on Windows, MacOS, Linux, Android

SharedImages for PPAPI Video Decode

Chrome 119 introduces a new PPAPISharedImagesForVideoDecoderAllowed policy to control the recent refactor for VideoDecoder APIs in PPAPI plugin.
- Chrome 119 on ChromeOS, LaCrOS: Introduces escape hatch policy.
- Chrome 122 on ChromeOS, LaCrOS: Escape hatch policy and corresponding old code paths are removed.

V8 security setting

Add a setting on chrome://settings/security to disable the V8 JIT optimizers, in order to reduce the attack surface of Chrome. This behavior continues to be controlled by the DefaultJavaScriptJitSetting enterprise policy, and the associated JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies. The setting is integrated into Site Settings. The setting rolls out in Chrome 122. The enterprise policies have been available since Chrome 93.
- Chrome 122 on ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia

Read aloud

Read aloud will allow users of Chrome on Android to listen to web pages via text to speech technology. Users will be able to access this feature via the overflow menu and control playback via audio controls.
Read aloud will send the page URL to Google servers to power playback, and users who use it will need to enable the settings menu item "make searches and browsing better".
Setting the ListenToThisPageEnabled policy to true will allow users to have eligible web pages read aloud using text-to-speech. This is achieved by server side content distillation and audio synthesis. Setting to false disables this feature, and if this policy is set to default or left unset, Read aloud will be enabled.
- Chrome 122 on Android: Feature launches

Network Service on Windows will be sandboxed

To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 122 on Windows: Network Service sandboxed on Windows

Removal of enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed

In Chrome 116, Chrome Apps webview usage have the following restrictions:
Using the webview NewWindow event to attach to a webview element in another App window causes the window reference returned by the window.open call in the originating webview to be invalidated. A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed was made available to give enterprises time to address possible breakage related to these changes. This policy will be removed in Chrome 122.
- Chrome 122 on Linux, MacOS, Windows, ChromeOS: Enterprise Policy ChromeAppsWebViewPermissiveBehaviorAllowed removed

Asynchronous server-side Safe Browsing check

Today Safe Browsing checks are on the blocking path of page loads, meaning that the user cannot see the page until the checks are completed. To improve Chrome's loading speed, checks with the server-side Safe Browsing list will no longer block page loads after Chrome 122.
We have evaluated the risk and put mitigations in place:
1. To protect against direct exploits against the browser, local list checks will still be conducted in a synchronous manner so that malicious payloads cannot run until the local list check is completed.
2. To protect against phishing attacks, we've looked at data and concluded that it is unlikely the user would have significantly interacted with the page (e.g. typed a password) by the time we show the warning.
- Chrome 122 on Android, ChromeOS, LaCrOS, Linux, MacOS, Windows: Feature launches

Improved download warnings on the Chrome Downloads page

To help reduce consequences of downloading malware, we’re cleaning up desktop download warning strings and patterns to be clear and consistent.
- Chrome 122 on ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia: Feature launches

Resume the last opened tab on any device

For the last open tab on any device within the last 24 hours with the same signed-in user profile, Chrome will offer users with a quick shortcut to resume that tab. Admins will be able to control this feature using an existing enterprise policy called SyncTypesListDisabled.
- Chrome 123 on iOS: Feature launches

Chrome Sync ends support for Chrome 81 and earlier

Chrome Sync will no longer support Chrome 81 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 123 on Android, iOS, Chrome OS, Linux, MacOS, Windows: The change will be implemented.

Deprecate and remove WebSQL

With SQLite over WASM as its official replacement, we plan to remove WebSQL entirely. This will help keep our users secure.
The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.
Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team.
- Chrome 101: In Chrome 101 the WebSQLAccess policy is added. WebSQL will be available when this policy is enabled, while the policy is available until Chrome 123.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a deprecation trial token is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy, or a deprecation trial token.
- Chrome 123: on Chrome OS, LaCrOS, Linux, MacOS, Windows, Android: Starting in Chrome 123, the policy WebSQLAccess and the deprecation trial, which allows for WebSQL to be available, will no longer be available.

Deprecate enterprise policy ThrottleNonVisibleCrossOriginIframesAllowed

The underlying code change (throttling same-process, cross-origin display:none iframes) that the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy overrides has been enabled in stable releases since early 2023. Since known issues have been dealt with, we intend to remove the ThrottleNonVisibleCrossOriginIframesAllowed enterprise policy by Chrome 124. The discussions around the throttling issue (and its resolution) can be found at https://bugs.chromium.org/p/chromium/issues/detail?id=958475.
- Chrome 124: ThrottleNonVisibleCrossOriginIframesAllowed is removed

Remove support for UserAgentClientHintsGREASEUpdateEnabled

We plan to deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year. The policy will eventually be removed.
- Chrome 124 on Android, ChromeOS, Linux, MacOS, Windows: Policy is deprecated
- Chrome 126 on Android, ChromeOS, Linux, MacOS, Windows: Policy is removed

Intent to deprecate: Mutation Events

Synchronous Mutation Events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.
- Chrome 127 on Android, ChromeOS, Linux, MacOS, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.

Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 128 on Android, ChromeOS, Linux, MacOS, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

Extensions must be updated to leverage Manifest V3 by June 2025

Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:
- Chrome 110 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Chrome 127 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Chrome will gradually disabled Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, MacOS, Windows: Remove ExtensionManifestV2Availability policy.

↑ back to top

Upcoming ChromeOS changes

ChromeOS Flex Bluetooth Migration

ChromeOS Flex will be upgrading to the Floss bluetooth stack in ChromeOS 122. As part of this upgrade the following devices will no longer support bluetooth functionality, if bluetooth functionality is critical for these devices we recommend moving these devices to the LTS channel to extend the bluetooth functionality through to October 2024.
- HP Probook 4530s
- Lenovo ThinkPad T420
- HP Elitebook 8460p
- Apple iMac 11,2
- Lenovo ThinkPad x220
- Dell Vostro 3550
- HP 3115m
- HP Elitebook 2560p
- HP ProBook 6465b
- Lenovo ThinkPad L420

New look for ChromeOS media player

ChromeOS media player will soon have bigger buttons and colors to match your wallpaper. The media player will appear when you are playing any video or audio (like Spotify or YouTube) in Quick Settings. You will be able to click the pin icon to move the media player to the shelf. In addition to controlling media that is being cast, you will be able to start casting web media to any speakers or screens on your local network.

App disablement by Admin in MGS

Up until now, Managed Guest Sessions (MGS) include a set of applications (Explore, Gallery, and Terminal apps) that are available to the user. With the SystemFeaturesDisableList policy, Admins will soon be able to disable these apps, blocking and hiding them from users across your enterprise.

Battery Saver

As early as ChromeOS 122, Battery Saver will be available to reduce brightness on both display and keyboard backlight, throttle display refresh rate and available compute budget, and also turn off certain energy-intensive background functions to allow users squeeze more battery life out of their devices. This will help when they need that last couple minutes to finish a task and don't have a charger handy. The feature will automatically be enabled when the user's battery level reaches 20%.

↑ back to top

Upcoming Admin console changes

Inactive browser deletion in Chrome Browser Cloud Management
As early as Chrome 124, the Inactive period for browser deletion policy will automatically delete browser data in the Admin console for managed browsers that have not contacted the server for more than the inactivity period of time determined by the policy. When releasing the policy, the inactivity period of time will have a default value of 540 days. All enrolled browsers that have been inactive for more than 540 days will be deleted from your account shortly after the release of this policy. Administrators can change the inactive period value using this policy. The maximum value to determine the browser inactivity period will be 730 days and the minimum value is 28 days.

If you lower the set policy value, it might have a global impact on any currently enrolled browsers. All impacted browsers will be considered inactive and, therefore, be irreversibly deleted. To ensure the deleted browsers re-enroll automatically next time they restart, set the Device Token Management policy value to Delete token before lowering the value of this policy. The enrollment tokens on these browsers need to still be valid at the time of the restart.
- As early as Chrome 122: The Inactive period for browser deletion policy UI will be available for early access in the Admin console. For IT admins who find the 18 month default inadequate, this will allow them to explicitly set a policy value (inactivity period of time) a few weeks before the actual deletion starts.

Legacy Technology report
As early as Chrome 122, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, third-party cookies, SameSite cookie changes, and older security protocols like TLS 1.0/1.1 and third-party cookies. This information will enable IT administrators to work with developers to plan required tech migrations before the deprecation feature removals goes into effect.

This feature is currently released in our Trusted Tester program. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- As early as Chrome 122 on Linux, MacOS, Windows

↑ back to top

Chrome 120

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
Default Search Engine choice screen		✓
Chrome Third-Party Cookie Deprecation (3PCD)	✓
Rename FirstPartySets Enterprise Policies to RelatedWebsiteSets	✓		✓
Chrome Web Store: UX Improvements		✓
Revamped Safety Check on Desktop	✓
Chrome Desktop responsive toolbar		✓
Chrome on Android no longer supports Android Nougat			✓
Package tracking (iOS only)		✓
Unprefix -webkit-background-clip for text and make it an alias	✓
Chrome user policies for iOS			✓
Chrome profile separation: new policies			✓
Migrate away from data URLs in SVGUseElement	✓	✓
Password Manager: password sharing		✓	✓
Remove recommended support from multiple policies			✓
Save images to Google Photos on iOS			✓
Remove same-origin blanket enforcement in CSPEE	✓
Close requests for CloseWatcher, <dialog>, and popover=""	✓
Deprecate and remove Theora support	✓
Unmanaged device signals consent			✓
Printing interactions moved to a service process			✓
URL-Based Permission Suggestions Service			✓
New and updated policies in Chrome browser			✓
Removed policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
New controls for mouse scroll acceleration		✓
Enhanced Alt + click behavior		✓
XDR Authentication Events			✓
Pinch-to-Resize PiP		✓
New look for Emoji Picker		✓
Keyboard Shortcuts - Enabling F11-F12 keys		✓
Deprecate support for legacy ChromeOS media containers and codecs			✓
ChromeOS Virtual Desk button		✓
App Details in App Management			✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
New policies in the Admin console			✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Generative AI features		✓
Safer encrypted archives for Standard Safe Browsing users	✓
Permissions prompt for Web MIDI API	✓
Network Service on Windows will be sandboxed	✓
User Link Capturing on PWAs - Windows, Mac and Linux	✓
Side Panel Navigation: Pinning/Unpinning		✓
SharedImages for PPAPI Video Decode	✓
Skip unload events	✓
Resume the last opened tab on any device		✓
Remove support for UserAgentClientHintsGREASEUpdateEnabled			✓
Chrome Sync ends support for Chrome 81 and earlier	✓		✓
Deprecate and remove WebSQL	✓
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy			✓
Intent to deprecate: Mutation Events		✓
Extensions must be updated to leverage Manifest V3 by June 2025	✓	✓	✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
ChromeOS Flex End of Device Support			✓
ChromeOS Flex Bluetooth Migration			✓
Set the screensaver duration		✓
New look for ChromeOS media player		✓
Integrate the DLP events into the security investigation tool	✓
ChromeOS Data Controls file restrictions	✓
Enhanced notifications for pinned apps		✓
New ChromeOS sync options	✓	✓
App disablement by Admin in MGS			✓
Upcoming Admin console changes	Security/ Privacy	User productivity/ Apps	Management
Inactive browser deletion in Chrome Browser Cloud Management			✓
Apps & Extensions usage report: Highlight extensions removed from the Chrome Web Store			✓
Legacy Technology report			✓
Chrome crash report			✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome browser updates

Default Search Engine choice screen

Starting Chrome 120, enterprise end-users might be prompted to choose their default search engine within Chrome.

As part of our building for DMA compliance, some users will be prompted to choose their default search engine for Chrome. This prompt controls the default search engine setting, currently available at chrome://settings/search. The enterprise policies, DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, will continue to control this setting as it does today, if it is set by the IT admin. Read more on this policy and the related atomic group.
- Chrome 120 on iOS, Chrome OS, LaCrOS, Linux, Mac, Windows: 1% users might start getting the choice screen with Chrome 120. 100% by Chrome 122 for applicable users.

Chrome Third-Party Cookie Deprecation (3PCD)

In Chrome 120 and beyond (Jan 2024), Chrome will globally disable third-party cookies for 1% of Chrome traffic as part of our Chrome-facilitated testing in collaboration with the CMA. The facilitated testing period allows sites to meaningfully preview what it's like to operate in a world without third-party cookies. As bounce-tracking protections are also a part of 3PCD, the users in this group with third-party cookies blocked will have bounce tracking mitigations take effect, so that their state is cleared for sites that get classified as a bounce tracker. Most enterprise users should be excluded from this experiment group automatically; however, we recommend that admins proactively use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies and opt out their managed browsers ahead of the experiment. This will give enterprises time to make the changes required to not rely on this policy or third-party cookies.

We plan to provide more tooling (such as the Legacy Tech Report) to help identify third-party cookies use cases. Admins can set the BlockThirdPartyCookies policy to false to re-enable third-party cookies for all sites but this will prevent users from changing the corresponding setting in Chrome. Alternatively, to prevent breakage, you can set the CookiesAllowedForUrls policy to allowlist your enterprise applications to continue receiving third-party cookies.

For enterprise end users that are pulled into this experiment group and that are not covered by either enterprise admin policy, they can use the User Bypass control (the “eye icon” in the omnibox) to temporarily re-enable third-party cookies for 90 days on a given site when necessary. Enterprise admin policies override User Bypass controls, for example, setting BlockThirdPartyCookies policy to true will disable third-party cookies for all sites and prevent users from using this User Bypass control.

Bounce tracking protections are also covered by the same policies as cookies and enforced when the bouncing site is not permitted to have/receive 3P cookies. Thus, setting the BlockThirdPartyCookies policy to false, or setting the CookiesAllowedForUrls policy for a site, will prevent bounce tracking mitigations from deleting state for sites.

Enterprise SaaS integrations used in a cross-site context for non-advertising use cases will be able to register for the third-party cookie deprecation trial for continued access to third-party cookies for a limited period of time.

The heuristics feature will grant temporary third-party cookie access in limited scenarios based on user behavior. This mitigates site breakage caused by third-party cookie deprecation in established patterns such as identity provider pop ups and redirects.

For more details on how to prepare, provide feedback and report potential site issues, refer to the Mode B: 1% third-party cookie deprecation blog section and the Preparing for the end of third-party cookies blog.
- Chrome 120 on ChromeOS, Linux, Mac, Windows
  1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.

Rename FirstPartySets policies to RelatedWebsiteSets

The FirstPartySetsEnabled and FirstPartySetsOverrides enterprise policies are renamed to RelatedWebsiteSetsEnabled and RelatedWebsiteSetsOverrides respectively. There is no change in the policies’ behavior. Administrators should use the new policies RelatedWebsiteSetsEnabled and RelatedWebsiteSetsOverrides going forward. To learn more about the rename, follow https://developer.chrome.com/blog/related-website-sets/
- Chrome 120 on Android, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia

Chrome Web Store: UX improvements

The Chrome team is unveiling a redesigned Chrome Web Store that simplifies the process of finding and managing extensions. Alongside a refreshing, modern interface, the store introduces new extension categories, including AI-powered extensions and Editors' spotlight. These enhancements will be gradually rolled out over the coming months.

Users can temporarily switch back to the original store layout by clicking the three dots next to their profile avatar and selecting Revert to original store. This temporary option will be disabled in January 2024 and cannot be centrally controlled by administrators.

Enterprises will continue to have access to their enterprise policies within the new Chrome Store UX.

The revamped Chrome Web Store will also feature a dedicated section for extensions specific to your domain. For more details on publishing private extensions, see Enterprise Publishing Options.

Note that there is a known issue with ExtensionSettings, where the blocked_install_message does not appear correctly in the redesigned Chrome Store UX that we are working on fixing.

Revamped Safety Check on Desktop

In Chrome 120, we begin to roll out a new proactive Safety Check that regularly checks the browser for safety-related issues and informs users when there's anything that needs their attention. This launch also introduces a new page with Chrome’s proactive safety-related actions and information tailored to each user, designed to make it easier for users to stay safe online.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows

Chrome Desktop responsive toolbar

Chrome Desktop customers across devices and input modes (for example, Mouse or Touch) now experience a toolbar that seamlessly responds to changing window sizes. This happens when users manually select and resize a window or use OS-specific window management tools in addition to an overflow menu.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows

Chrome on Android no longer supports Android Nougat

The last version of Chrome that supports Android Nougat is Chrome 119, and it includes a message to affected users informing them to upgrade their operating system.

Chrome 120 does not support nor ship to users running Android Nougat.
- Chrome 120 on Android: Chrome on Android no longer supports Android Nougat

Package tracking (iOS only)

Users can enable a new package tracking feature that results in estimated delivery dates and package status appearing in a new card on the New tab page. This feature is only supported for en-US users and only for packages fulfilled via FedEx and USPS. If needed, you can turn off the feature using a new policy called ParcelTrackingEnabled.
- Chrome 120 on iOS: feature launches

Unprefix -webkit-background-clip for text and make it an alias

Chrome allows the use of the unprefixed version for background-clip: text and makes -webkit-background-clip an alias for background-clip. Also, it drops support for non-suffixed keywords (content, padding and border)..
- Chrome 120 on Windows, Mac, Linux, Android

Chrome user policies for iOS

With Chrome user policies for iOS, admins can apply policies and preferences across a user's devices. Settings apply whenever the user signs in to Chrome browser with their managed account on any device, including personal devices.

Starting in Chrome 120, to bring consistency to iOS, managed end-users start to see a management notice stating that their organization manages the account they are signing into. In Chrome 121, admins can turn on this functionality in the Admin console under the Chrome on iOS setting. For more information, see Set Chrome policies for users or browsers.
- Chrome 120 on iOS: Feature starts gradual roll out.

Chrome profile separation: new policies

Three new policies are now available to help you configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationDomainExceptionList. These policies take precedence over ManagedAccountsSigninRestriction and EnterpriseProfileCreationKeepBrowsingData.
- Chrome 120 on Linux, Mac, Windows

Migrate away from data URLs in SVGUseElement

The SVG spec was recently updated to remove support for data: URLs in SVGUseElement. This improves security of the Web platform as well as compatibility between browsers as Webkit does not support data: URLs in SVGUseElement. To read more, see this blog post.

Assigning data: URLs in SVGUseElement can lead to Cross-Site Scripting (XSS) and Trusted Types bypass.

For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available until Chrome 128 to re-enable support for data: URLs in SVGUseElement.
- Chrome 120 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia: Remove support for data: URLs in SVGUseElement

Password Manager: password sharing

Password Manager allows users to share their passwords with members of their Google Family Group (as configured in their Google Account). Users can only share one password at a time. It is not possible to share passwords in bulk. The shared password cannot be updated or revoked by the sender.

As an enterprise admin, you can use the PasswordSharingEnabled policy to switch off the share feature for all users.
- Chrome 120 on iOS, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia

Remove recommended support from multiple policies

Some policies can be applied as recommended, allowing admins to set an initial value that users can later change. In Chrome 119, recommended support was removed from multiple policies that users had no way of configuring.

Any affected policies that were previously set as recommended now need to be set as mandatory to ensure they continue to take effect.
- Chrome 119 on Linux, Mac, Windows: Recommended support is being removed from the PrintPdfAsImageDefault enterprise policy.
- Chrome 120 on Android, Linux, Mac, Windows: Recommended support is being removed from the following enterprise policies:
  - AlternateErrorPagesEnabled
  
  - PasswordDismissCompromisedAlertEnabled
  
  - PasswordLeakDetectionEnabled
  
  - SafeBrowsingForTrustedSourcesEnabled

Save images to Google Photos on iOS

When a signed-in user long-presses on an image in Chrome, they can save it directly to Google Photos. They have the option to save it to any account logged in on the device. You can use the ContextMenuPhotoSharingSettings policy to turn on this feature.
- Chrome 119 on iOS: Users can directly save images to Google photos
- Chrome 120 on iOS: A new policy, ContextMenuPhotoSharingSettings , is introduced to control this functionality

Remove same-origin blanket enforcement in CSPEE

Chrome 120 removes a special treatment for same-origin iframes from CSP Embedded Enforcement.

This aligns the behavior of CSP Embedded Enforcement for cross-origin iframes and same-origin iframes. To read more, see ChromeStatus.
- Chrome 120 on Windows, Mac, Linux, Android

Close requests for CloseWatcher, <dialog>, and popover=""

Close requests are a new concept where a user requests to close something currently open, using the Esc key on desktop or the back gesture or button on Android. Integrating Close requests into Chromium comes with two changes:
- CloseWatcher, a new API for directly listening and responding to close requests.
- Upgrades to <dialog> and popover="" to use the new close request framework, so that they respond to the Android back button.
- Chrome 120 on Windows, Mac, Linux, Android

Deprecate and remove Theora support

Chrome 120 deprecates and removes support for the Theora video codec in Chrome desktop, due to emerging security risks. Theora's low (and now often incorrect) usage no longer justifies support for most users. Ogg containers will remain supported. Our plan is to begin escalating experiments turning down Theora support in Chrome 120. If users encounter problems playing specific videos, they can reactivate support via chrome://flags/#theora-video-codec if needed until Chrome 123. You can find more info in Chrome Status.
- Chrome 120 on ChromeOS, LaCrOS, Windows, Mac, Linux

Unmanaged device signals consent

This feature introduces a new consent popup dialog, which collects users' consent on whether they allow Chrome to collect device signals from their device.

The dialog is only displayed for users who satisfy the following conditions:
- user is managed

- user's current device is unmanaged

- user's admin enabled the device trust service

- user's admin did not specifically disable this feature and its corresponding policy
- Chrome 120 on Linux, Mac, Windows

Printing interactions moved to a service process

In Chrome 120, some users have the printing interactions with the operating system performed in a separate service process. Moving these interactions out of the browser process improves browser stability. It also improves the responsiveness of the Print Preview user interface. An enterprise policy OopPrintDriversAllowed is available to revert to making platform printing interactions from the browser process.

URL-Based Permission Suggestions Service

Chrome is upgrading its Permission Suggestions Service. Earlier the requests to Chrome servers for permission suggestion service didn't contain URLs. Now Chrome will add URL based signals to the suggestion service. Earlier admins could disable sending requests to Chrome by setting the SafeBrowsingProtectionLevel policy to 1, 0 or unset. After this update the SafeBrowsingProtectionLevel policy will no longer enable/disable the Permission Suggestion Service.

The Permission Suggestions Service is now gated behind the existing URL-keyed anonymized data collection policy: UrlKeyedAnonymizedDataCollectionEnabled.
- Chrome 120 on ChromeOS, Linux, Mac, Windows: 1% stable experiment

New and updated policies in Chrome browser

Policy	Description
ExtensionInstallTypeBlocklist	Blocklist for install types of extensions
ParcelTrackingEnabled	Allows users to track their packages on Chrome (available on iOS)
RelatedWebsiteSetsOverrides	Override Related Website Sets
RelatedWebsiteSetsEnabled	Enable Related Website Sets
DataUrlInSvgUseEnabled	Data URL support for SVGUseElement
ContextMenuPhotoSharingSettings	Allow saving images directly to Google Photos (available on iOS)
FeedbackSurveysEnabled	Specifies whether in-product Google Chrome surveys are shown to users
NativeHostsExecutablesLaunchDirectly	Force Windows executable Native Messaging hosts to launch directly
IPv6ReachabilityOverrideEnabled	Enable IPv6 reachability check override
PasswordSharingEnabled	Enable sharing user credentials with other users
PrivateNetworkAccessRestrictionsEnabled	Specifies whether to apply restrictions to requests to more-private network endpoints

Removed policies in Chrome browser

Policy	Description
NativeClientForceAllowed	Forces Native Client (NaCl) to be allowed to run.
ChromeRootStoreEnabled	Determines whether the Chrome Root Store and built-in certificate verifier will be used to verify server certificates

ChromeOS updates

New controls for mouse scroll acceleration

ChromeOS 120 adds new controls to let users disable mouse scroll acceleration and adjust the speed of the scrolling.

Enhanced Alt + click behavior

You can configure right-click behavior using the keyboard and touchpad. You can also configure settings for actions such as Home, End, and Page Up, in the Customize keyboard keys subpage.

XDR Authentication Events

Authentication events (login/out lock/unlock) can now be enabled as part of Extended Detection and Response (XDR) on ChromeOS. Once rollout is complete, XDR systems will be able to use these events to provide insights on the device security posture.

Pinch-to-Resize PiP

Picture-in-Picture (PiP) windows can now be resized with a pinch. Simply place two fingers on the window and pinch them together or spread them apart to find the perfect size for your screen.

New look for Emoji Picker

ChromeOS 120 brings a new dynamic color palette to the floating Emoji and GIF Picker.

Keyboard Shortcuts - Enabling F11-F12 keys

Most ChromeOS keyboards lack F11 and F12 keys, which are expected functionality in many applications. This proposal adds options to remap F11 and F12 keys in the Keyboard key remapping section in Settings.

Deprecate support for legacy ChromeOS media containers and codecs

Deprecated support for MPEG4 Part 2 video codec and AVI container in ChromeOS 120. Users needing this functionality may temporarily re-enable support using chrome://flags/#cros-legacy-media-formats until ChromeOS 125, after which support will be removed.

ChromeOS Virtual Desk Button (Bento Button)

Bento Button is a shelf button that's available for all users who utilize virtual desks. The button will allow quick access to desk operations for desk visualizing, desk switching, desk creation and desk ordering. If the user has previously saved desks, they would be able to go to the desk library as well.

App Details in App Management

Settings now include additional details about installed apps. Navigate to Settings > Apps > Manage your apps, select an app to view the app's storage usage, version number, and information about how it was installed.

ChromeOS Flex end of device support

As of January 01, 2024, devices scheduled to end support in 2023 will no longer be supported. Decertified devices include those listed below; for the full list of devices ending support you can review our Certified models list.
- HP Compaq 6005 Pro HP
- Compaq Elite 8100
- Lenovo ThinkCentre M77
- HP ProBook 6550b
- HP 630
- Dell Optiplex 980
The devices will continue to receive ChromeOS Flex updates but these updates will no longer be tested or maintained by the Flex team. We recommend customers upgrade to newer ChromeOS devices to benefit from new features and security improvements.

Admin console updates

New policies in Admin console

Policy Name	Pages	Supported on	Category/Field
PowerManagementIdleSettings (screen dim, screen off, idle actions)	User, MGS	ChromeOS	Power and shutdown - Idle settings
ScreenLockDelays	User, MGS	ChromeOS	Power and shutdown - Idle settings
LidCloseAction	User, MGS	ChromeOS	Power and shutdown - Idle settings
ChromeOsLockOnIdleSuspend (lock screen on lid close)	User, MGS	ChromeOS	Power and shutdown - Idle settings
NativeHostsExecutablesLaunchDirectly	User	Chrome Browser	Other settings
ExtensionInstallTypeBlocklist	Additional app settings	Chrome Browser	Additional app settings
ContextMenuPhotoSharingSettings	User	Chrome for iOS	Content settings
PrivateNetworkAccessRestrictionsEnabled	User, MGS	ChromeOS, Chrome Browser, Chrome for Android	Network settings
DeviceFlexHwDataForProductImprovementEnabled	Device	ChromeOS	Other settings
IPv6ReachabilityOverrideEnabled	User	ChromeOS, Chrome Browser, Chrome for Android	Network settings
DataUrlInSvgUseEnabled	User, MGS	ChromeOS, Chrome Browser, Chrome for Android	Security

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming browser changes

Generative AI features

In Chrome 115, Google introduced its first Generative AI (GenAI) integration in the Search Side Panel. As early as Chrome 121, additional GenAI features will be rolled out to Chrome. You’ll be able to opt in through a new chrome://settings page. Enterprise policies will be available at roll-out to control these features. More details will be shared in upcoming milestones.
- (Earliest) Chrome 121 on ChromeOS, Linux, Mac, Windows

Safer encrypted archives for Standard Safe Browsing users

Standard Safe Browsing users will be prompted for a password to some encrypted archive downloads. This will be used to collect more metadata about the download (such as contained file hashes and executable signatures), which will be sent to Google for better quality verdicts. The password will remain local. You can control this feature with the SafeBrowsingDeepScanningEnabled policy.
- Chrome 121 on Linux, Mac, Windows

Permissions prompt for Web MIDI API

There have been several reported problems around Web MIDI API's drive-by access to client MIDI devices (bugs). To address this problem, the Audio WG decided to place an explicit permission on the general MIDI API access. Originally, the explicit permission was only required for advanced MIDI usage (System Exclusive (SysEx) messages) in Chrome, with gated access behind a permissions prompt. We plan to expand the scope of the permission to regular MIDI API usage.

Today the use of SysEx messages with the Web MIDI API requires an explicit user permission. With this implementation, even access to the Web MIDI API without SysEx support will require a user permission. Three new policies—DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls—will be available to allow administrators to pre-configure user access to the API.
- Chrome 121 on Windows, Mac, Linux, Android

Network Service on Windows will be sandboxed

To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 121 on Windows: Network Service sandboxed on Windows

User Link Capturing on PWAs - Windows, Mac and Linux

Web links automatically direct users to installed web apps. To better align with users' expectations around installed web apps, Chrome will make it more seamless to move between the browser and installed web apps. When the user clicks on a link that could be handled by an installed web app, Chrome will add a chip in the address bar to suggest switching over to the app. Clicking on the chip would either launch the app directly, or open a grid of apps that can support that link. For some users, clicking on a link will always automatically open the app.
- Chrome 121 on Linux, Mac, Windows: When some users click on a link, it will always open in an installed PWA, while some users will see the link open in a new tab with a chip in the address bar clicking on which will launch the app. This is an experiment to determine if users prefer having links launched by default. The experiment will run on Canary/Dev/Beta and 1% of Stable.
- Chrome 123 on Linux, Mac, Windows: Based on the outcome of the experiment in Chrome 121, we will launch to 100% of Stable with either a default on (always launch apps on link clicks) or a default off (always open in a tab, only launch if user clicks on chip on address bar).

Side Panel Navigation: Pinning/Unpinning

As early as Chrome 121, the side panel icon is being removed in favor of evolving the side panel navigation to offer customization through toolbar pinning. This will allow for efficient direct access to a suite of panels.
- Chrome 121 on Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia

SharedImages for PPAPI Video Decode

Chrome 119 introduces a new PPAPISharedImagesForVideoDecoderAllowed policy to control the recent refactor for VideoDecoder APIs in PPAPI plugin.
- Chrome 119 on ChromeOS, LaCrOS: Introduces escape hatch policy.
- Chrome 122 on ChromeOS, LaCrOS: Escape hatch policy and corresponding old code paths are removed.

Skip unload events

The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events.

In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of a Permissions-Policy API and an enterprise policy ForcePermissionPolicyUnloadDefaultEnabled, which will allow you to selectively keep the behavior unchanged.
- Chrome 117 on Chrome OS, Linux, Mac, Windows: Dev Trial
- Chrome 119 on Chrome OS, Linux, Mac, Windows: Introduces ForcePermissionPolicyUnloadDefaultEnabled policy
- Chrome 121 -131 on Chrome OS, Linux, Mac, Windows: Deprecation trial (general rollout of deprecation will be limited scope until deprecation trial is ready)

Resume the last opened tab on any device

For the last open tab on any device within the last 24 hours with the same signed-in user profile, Chrome will offer users with a quick shortcut to resume that tab. Admins will be able to control this feature using an existing enterprise policy called SyncTypesListDisabled.
- Chrome 122 on iOS: Feature launches

Remove support for UserAgentClientHintsGREASEUpdateEnabled

We plan to deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year. The policy will eventually be removed.
- Chrome 122 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 125 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed

Chrome Sync ends support for Chrome 81 and earlier

Chrome Sync will no longer support Chrome 81 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 123 on Android, iOS, Chrome OS, Linux, Mac, Windows: The change will be implemented.

Deprecate and remove WebSQL

With SQLite over WASM as its official replacement, we plan to remove WebSQL entirely. This will help keep our users secure.

The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.

Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a policy, WebSQLAccess, is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy.
- Chrome 123: on Chrome OS, LaCrOS, Linux, Mac, Windows: Starting in Chrome 123, the policy WebSQLAccess, which allows for WebSQL to be available, will no longer be available.

Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 128 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

Intent to deprecate: Mutation Events

Synchronous Mutation Events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.

Extensions must be updated to leverage Manifest V3 by June 2025

Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.

Beginning June 2024, Chrome will gradually disable Manifest V2 extensions running in the browser. An Enterprise policy - ExtensionManifestV2Availability - is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. Additionally, machines on which the policy is enabled will not be subject to the disabling of Manifest V2 extensions until the following year - June 2025 - at which point the policy will be removed.

You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:
- Chrome 110 on ChromeOS, LaCrOS, Linux, Mac, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Chrome 127 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome will gradually disabled Manifest V2 extensions on user devices. Only those with the ExtensionManifestV2Availability enterprise policy enabled would be able to continue using Manifest V2 extensions in their organization.
- Chrome 139 on ChromeOS, LaCrOS, Linux, Mac, Windows: Remove ExtensionManifestV2Availability policy.

↑ back to top

Upcoming ChromeOS changes

ChromeOS Flex End of Device Support

As of the 1st Jan 2024, devices scheduled to end support in 2023 will no longer be supported. Devices include those detailed below, for the full list of devices ending support please review our certified devices list .
- HP Compaq 6005 Pro
- HP Compaq Elite 8100
- Lenovo ThinkCentre M77
- HP ProBook 6550b
- HP 630
- Dell Optiplex 980
The devices will continue to receive ChromeOS Flex updates but these updates will no longer be tested or maintained by the Flex team.

We recommend customers look to upgrade to newer ChromeOS devices to benefit from new features and security improvements.

ChromeOS Flex Bluetooth Migration

ChromeOS Flex will be upgrading to the Floss bluetooth stack in ChromeOS 121. As part of this upgrade the following devices will no longer support bluetooth functionality.
- HP Probook 4530s
- Lenovo ThinkPad T420
- HP Elitebook 8460p
- Apple iMac 11,2
- Lenovo ThinkPad x220
- Dell Vostro 3550
- HP 3115m
- HP Elitebook 2560p
- HP ProBook 6465b
- Lenovo ThinkPad L420

Set the screensaver duration

As early as ChromeOS 120, you will be able to set the duration for screensaver while charging. Users can now choose how long their screensaver runs while their device is charging (not on battery). You can control this using a new enterprise policy. The default setting is Forever, and can be reduced using drop-down options.

New look for ChromeOS media player

As early as ChromeOS 121, the media player will have bigger buttons and colors to match your wallpaper. The media player will appear when you are playing any video or audio (like Spotify or YouTube) in Quick Settings. You will be able to click the pin icon to move the media player to the shelf. In addition to controlling media that is being cast, you will be able to start casting web media to any speakers or screens on your local network.

Integrate the DLP events rule Id and name into the security investigation tool

ChromeOS Data Control events, for Data Loss Prevention (DLP), will have additional fields to enrich admin insights in the security investigation tool.

ChromeOS Data Controls file restrictions

In ChromeOS 121, ChromeOS Data Controls, for DLP, will enable IT and Security teams to protect important business and customer data. It will be available for events like copy and paste, screen capture, screen sharing, and printing. IT administrators will be able to create an information protection strategy with rules based on the data source, destination and user.

We will have new functionality to control what users can do with files on ChromeOS devices through source and destination based rules.

Enhanced notifications for pinned apps

As early as ChromeOS 121, you will be able to visually separate pinned notifications from other notifications. We will change the visual specs, buttons, and notification text to fit within fixed size bubbles. This significantly differentiates the visual look of pinned notifications from typical notifications to reflect their significant difference in purpose (notifying the user of an ongoing process rather than an instantaneous event).

New ChromeOS sync options

ChromeOS will soon deliver an updated device setup experience that lets users customize sync settings for apps, settings, wi-fi networks, and wallpaper.

App disablement by Admin in MGS

Up until now, Managed Guest Sessions (MGS) include a set of applications (Explore, Gallery, and Terminal apps) that are available to the user. With the SystemFeaturesDisableList policy, Admins will soon be able to disable these apps, blocking and hiding them from users across your enterprise.

↑ back to top

Upcoming Admin console changes

Inactive browser deletion in Chrome Browser Cloud Management

As early as Chrome 123, the Inactive period for browser data deletion policy will be added to the Admin Console and it will automatically delete browsers that have not contacted the server for more than the inactivity period of time determined by the policy. When releasing the policy, the inactivity period of time will have a default value of 18 months. All enrolled browsers that have been inactive for more than 18 months will be deleted from your account shortly after the release of this policy. The maximum value to determine the browser inactivity period will be 730 days and the minimum value is 28 days.

Note. Shortening the period significantly will cause more enrolled browsers to be considered inactive and deleted, and should be done with caution. To mitigate this, you can set the Device Token Management policy value to “Delete token” ahead of time, which allows deleted browsers to automatically re-enroll in Chrome Browser Cloud Management the next time the browser restarts (if the enrollment token is still valid). You can find the Device Token Management policy here.
- As early as Chrome 121: The Inactive period for browser data deletion policy UI will be available for early access in the Admin console. For IT admins who find the 18 month default inadequate, this will allow them to explicitly set a policy value (inactivity period of time) a few weeks before the actual deletion starts.

Apps & Extensions usage report: Highlight extensions removed from the Chrome Web Store

As early as 121, Chrome is adding new information on the Apps & Extensions usage report to help you identify if an extension was recently removed from the Chrome Web Store via a new notifications column and a new Chrome Web Store column that represents the listing status of an extension. On the App Details page, you can find the reason why an extension was removed from the Chrome Web Store. This feature will help IT administrators identify the impact of using the policy to disable unpublished extensions.

This feature is available to test for the members of the Chrome Enterprise Trusted Tester program. You can sign up for our Trusted Tester program here.
- Chrome 120 on Linux, Mac, Windows: Trusted Tester program
- Chrome 121 on Linux, Mac, Windows: Feature rolls out
Apps & Extensions usage report:

App Details page:

Legacy Technology report

As early as Chrome 121, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, SameSite cookie changes, older security protocols like TLS 1.0/1.1 and third-party cookies. This information will enable IT administrators to work with developers to plan required tech migrations before the deprecation goes into effect.

This feature will be released in our Trusted Tester program as early as Chrome 120. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- As early as Chrome 121 on Linux, Mac, Windows

Chrome crash report

As early as Chrome 122, you will be able to visualize crash events in the Admin console using the new Chrome crash report page. In this report, you will find a dynamic chart representing Chrome crash events over time, grouped by versions of Chrome. Additional filtering is available for the following fields: OS platforms, Chrome channels and dates. This report will help you proactively identify potential Chrome issues within your organization.

This feature will be released in our Trusted Tester program as early as Chrome 121. If you’re interested in helping us test this feature, you can sign up for the Chrome Enterprise Trusted Tester program here.
- Chrome 121 on Linux, Mac, Windows: Trusted Tester program
- Chrome 122 on Linux, Mac, Windows: Feature rolls out

↑ back to top

Chrome 119

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
Chrome release schedule changes			✓
Deprecate and remove WebSQL		✓
Native Client support updates	✓
Remove Sanitizer API	✓
Tab groups can be saved, recalled, and synced		✓
Deprecate non-standard shadowroot attribute for declarative shadow DOM	✓
Shifting UI strings in Chrome from Clear to Delete when getting rid of data			✓
DevTools internal errors reported to Chrome internal crash reporting			✓
Skip unload events		✓
SharedImages for PPAPI Video Decode	✓
Remove Authorization header upon cross-origin redirect	✓
Dedicated setting for Permission Suggestions Service			✓
Hash-prefix real-time lookups	✓
Remove recommended support from multiple policies			✓
Standard-compliant URL host punctuation characters		✓
Save images to Google Photos on iOS		✓
New and updated policies in Chrome browser			✓
Removed policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Privacy Hub	✓
ChromeOS Admin templates			✓
Using Drive offline on Chromebook Plus		✓	✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
New policies in the Admin console			✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Default Search Engine choice screen		✓
Rename FirstPartySets Enterprise Policies to RelatedWebsiteSets	✓		✓
Revamped Safety Check on Desktop	✓
Chrome Desktop responsive toolbar		✓
Chrome on Android will no longer support Android Nougat			✓
Chrome Third-Party Cookie Deprecation	✓
Package tracking (iOS only)		✓
Network Service on Windows will be sandboxed	✓
Display banner allowing to resume last tab from other devices		✓
Resume the last opened tab on any device		✓
Unprefix -webkit-background-clip for text and make it an alias	✓
Chrome user policies for iOS			✓
Chrome profile separation: new policies			✓
Migrate away from data URLs in SVGUseElement	✓	✓
Password Manager: password sharing		✓	✓
Permissions prompt for Web MIDI API	✓
IP Protection Phase 0 for Chrome	✓
Apps & Extensions Usage Report: Highlight extensions removed from the Chrome Web Store			✓
Legacy Technology Report			✓
Remove support for UserAgentClientHintsGREASEUpdateEnabled			✓
Chrome Sync ends support for Chrome 81 and earlier
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy			✓
Intent to deprecate: Mutation Events		✓
Extensions must be updated to leverage Manifest V3	✓	✓	✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Set the screensaver duration		✓
New controls for mouse scroll acceleration		✓
Enhanced Alt + click behavior		✓
New look for ChromeOS media player		✓
Enhanced notifications for pinned apps		✓
New ChromeOS sync options	✓	✓
App disablement by Admin in MGS			✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome browser updates

Chrome release schedule changes

Chrome 119 and all subsequent releases will be moved forward by one week. For example, Chrome 119 has its early stable release on October 25 instead of Nov 1. Beta releases will also be moved forward by one week starting in Chrome 119.

For more details, see the Chrome Release Schedule.
- Chrome 119 on Android, iOS, ChromeOS, Linux, Mac, Windows

Deprecate and remove WebSQL

With SQLite over WASM as its official replacement, we plan to remove WebSQL entirely. This will help keep our users secure.

The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.

Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebSQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a policy, WebSQLAccess, is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy.
- Chrome 123: on Chrome OS, LaCrOS, Linux, Mac, Windows: Starting in Chrome 123, the policy WebSQLAccess, which allows for WebSQL to be available will no longer be available.

Native Client support updates

Chrome 119 removes a temporary enterprise policy, NativeClientForceAllowed, which allowed Native Client to continue to be used.
- Chrome 117 on Linux, Mac, Windows: Removes Native Client NaCl support from extensions on Windows, macOS, Linux.
- Chrome 119 on Linux, Mac, Windows: Removes NativeClientForceAllowed policy.

Remove Sanitizer API

To prevent the current Sanitizer API from becoming entrenched, we plan to remove the current implementation. We expect to re-implement the Sanitizer API when the proposed specification stabilizes again.

The Sanitizer API aims to build an easy-to-use, always secure, browser-maintained HTML sanitizer into the platform. We shipped an initial version of the Sanitizer API in Chrome 105, based on the then-current specification draft. However, the standards discussion has meanwhile moved on and the proposed API shape has changed substantially.
- Chrome 119 on Windows, Mac, Linux, Android

Tab Groups can be saved, recalled, and synced

Users can now save tab groups, which allows them to close and re-open the tabs in the group, as well as sync them across devices. You can disable syncing Tab Groups using the SyncTypesListDisabled policy.
- Chrome 119 on ChromeOS, Linux, Mac, Windows

Deprecate non-standard shadowroot attribute for declarative Shadow DOM

The standards-track shadowrootmode attribute, which enables declarative Shadow DOM, was shipped in Chrome 111 (ChromeStatus). The older, non-standard shadowroot attribute is now deprecated. During the deprecation period, both attributes are functional, however the shadowroot attribute does not enable the new streaming behavior, whereas shadowrootmode allows streaming of content. There is a straightforward migration path: replace shadowroot with shadowrootmode.

The old shadowroot attribute is deprecated as of Chrome 112, and it will be removed (no longer supported) in Chrome 119. Chrome 119 goes to Stable on October 31, 2023.
- Chrome 119 on Windows, Mac, Linux, Android

Shifting UI strings in Chrome from Clear to Delete when getting rid of data

Chrome is updating settings text to reflect delete instead of clear when referring to the destruction of data. We expect this change to improve users’ understanding of the associated effect on data. Users who intend to get rid of data should feel reassured that the data is actually deleted, not just cleared from one view but possibly accessible elsewhere.
- Chrome 119 on Android, iOS, ChromeOS, Mac, Windows: The earliest milestone that users may see these changes is 119.

DevTools internal errors reported to Chrome internal crash reporting

To improve Chrome's stability, DevTools internal errors are now reported through Chrome's existing crash reporting pipeline. This provides visibility of the stability of Chrome DevTools. Admins can control all crash reporting, including these errors, using the MetricsReportingEnabled enterprise policy.
- Chrome 119 on ChromeOS, Linux

Skip unload events

The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events.

In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of a Permissions-Policy API and an enterprise policy ForcePermissionPolicyUnloadDefaultEnabled, which will allow you to selectively keep the behavior unchanged.
- Chrome 117 on Chrome OS, Linux, Mac, Windows: Dev Trial
- Chrome 119 on Chrome OS, Linux, Mac, Windows: Introduces ForcePermissionPolicyUnloadDefaultEnabled policy
- Chrome 120-131 on Chrome OS, Linux, Mac, Windows: Deprecation trial (general rollout of deprecation will be limited scope until deprecation trial is ready)

SharedImages for PPAPI Video Decode

Chrome 119 introduces a new PPAPISharedImagesForVideoDecoderAllowed policy to control the recent refactor for VideoDecoder APIs in PPAPI plugin.
- Chrome 119 on ChromeOS, LaCrOS: Introduces escape hatch policy.
- Chrome 122 on ChromeOS, LaCrOS: Escape hatch policy and corresponding old code paths are removed.

Remove Authorization header upon cross-origin redirect

The Fetch standard has been updated to remove Authorization header on cross origin redirects. Chrome 119 implements this change to the specification. Prior to Chrome 119, when a cross origin redirect, such as from foo.test to bar.test, happened with an Authorization header, Chrome preserved the Authorization header and bar.test could receive the header. Starting Chrome 119, Chrome removes Authorization headers when cross origin redirects happen, meaning that bar.test no longer receives the Authorization header.
- Chrome 119 on ChromeOS, Windows, Mac, Linux, Android

Dedicated setting for Permission Suggestions Service

The settings page for notification and geolocation permissions now has an additional option to explicitly enable the Permission Suggestions Service. Permission Suggestions Service is an already existing feature, but it didn’t have its dedicated setting. It was tied to standard Safe Browsing settings being enabled. Now the users can choose between four different states:
1. Always show the notification/geolocation permission prompt
2. Let Permission Suggestion Service quieten unwanted notification/geolocation requests (new)
3. Always quieten notification permission requests
4. Always block notifications/geolocation permission requests
Admins can use the existing policies to either always allow or always block notifications or geolocation requests globally or for particular sites.
- Chrome 119 on Linux, Mac, Windows

Hash-prefix real-time lookups

For standard Safe Browsing protection users, visited URLs now have their safety checked in real time instead of against a less frequently updated local list of unsafe URLs. This is done by sending partial hashes of the URLs to Google Safe Browsing through a proxy via Oblivious HTTP, so that the user’s IP address is not linked to the partial hashes. This change improves security while maintaining privacy for users. If needed, the feature can be disabled through the policy SafeBrowsingProxiedRealTimeChecksAllowed.
- Chrome 119 on Android, iOS, Chrome OS, LaCrOS, Linux, Mac, Windows

Remove recommended support from multiple policies

Some policies can be applied as recommended, allowing administrators to set an initial value which end-users can later change. Beginning in Chrome 119, recommended support will be removed from multiple policies which end-users currently have no way of configuring.

Any affected policies that were previously set as recommended will need to be set as mandatory to ensure they continue to take effect.
- Chrome 119 on Linux, Mac, Windows: Recommended support is being removed from the PrintPdfAsImageDefault enterprise policy.
- Chrome 120 on Android, Linux, Mac, Windows: Recommended support is being removed from the following enterprise policies:

Standard-compliant URL host punctuation characters

Chrome 119 continues our efforts to make Chrome's handling of URL host punctuation characters standard-compliant. Here is a summary of changes in Chrome 119:

Notation:

- 'ESC': Allowed, but Chrome escapes it, which is non-compliant.

- '-': Allowed.

- '0': Forbidden. URL will be invalid if the host contains a forbidden character.

Warning:

- SPACE and ASTERISK are still non-compliant.
- Chrome 119 on Windows, Mac, Linux, Android

Save images to Google Photos on iOS

When a signed-in user long-presses on an image in Chrome, they can save it directly to Google Photos. They have the option to save it to any account logged in on the device.
- Chrome 119 on iOS: Users can directly save images to Google photos
- Chrome 120 on iOS: A policy is introduced to control this functionality

New and updated policies in Chrome browser

Policy	Description
SafeBrowsingDeepScanningEnabled	Allow download deep scanning for Safe Browsing-enabled users
SafeBrowsingProxiedRealTimeChecksAllowed	Allow Safe Browsing Proxied Real Time Checks (now also available on Android)

Removed policies in Chrome browser

Policy	Description
ChromeCleanupEnabled	Enable Chrome Cleanup on Windows
DownloadBubbleEnabled	Enable download bubble UI
ChromeCleanupReportingEnabled	Control how Chrome Cleanup reports data to Google

ChromeOS updates

Privacy Hub

Users can now manage their camera and microphone settings across the operating system from one place in Settings>Security and Privacy>Privacy controls. Now it only takes one click for users to completely turn off their camera or microphone all from one place when they need extra confidence in staying on mute.

ChromeOS Admin templates

With App Launch Automation, admins can now configure groups of applications, windows and tools that can be launched automatically on startup or on-demand by users throughout their day. With App Launch Automation, you can get users up and running quickly at the start of their day, provide users with a way to easily get to an optimal starting point for new tasks, and remember the window layout each user sets up for their individual workflows for future use.

You can turn on this feature using the #app-launch-automation flag, and then create templates in the Admin console.

Using Drive offline on Chromebook Plus devices

Enterprise users on Chromebook Plus devices can now easily make all of their files in the My Drive section of Google Drive available offline. You can control this using the DriveFileSyncAvailable enterprise policy.

Admin console updates

New policies in Admin console

Policy Name	Pages	Supported on	Category/Field
PPAPISharedImagesForVideoDecoderAllowed	User & Browser, MGS	ChromeOS	Content
SafeBrowsingDeepScanningEnabled	User & Browser	Chrome (Linux, Mac, Windows), ChromeOS	Chrome Safe Browsing
DriveFileSyncAvailable	User & Browser	ChromeOS	Content
ProfileSeparationDataMigrationSettings	User & Browser	Chrome (Linux, Mac, Windows)	Sign-In Settings
ProfileSeparationDomainExceptionList	User & Browser	Chrome (Linux, Mac, Windows)	Sign-In Settings
ProfileSeparationSettings	User & Browser	Chrome (Linux, Mac, Windows)	Sign-In Settings
ShowDisplaySizeScreenEnabled	User & Browser	ChromeOS	Sign-In Settings
ShowTouchpadScrollScreenEnabled	User & Browser	ChromeOS	Sign-In Settings
DeviceEphemeralNetworkPoliciesEnabled	Device	ChromeOS	Other Settings

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming browser changes

Default Search Engine choice screen

As early as Chrome 120, enterprise end-users might be prompted to choose their default search engine within Chrome.

As part of our building for DMA compliance, some users will be prompted to choose their default search engine for Chrome. This prompt controls the default search engine setting, currently available at chrome://settings/search. The enterprise policies, DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, will continue to control this setting as it does today, if it is set by the IT admin. Read more on this policy and the related atomic group.
- Chrome 120 on iOS, Chrome OS, LaCrOS, Linux, Mac, Windows: 1% users will start getting the choice screen with Chrome 120. 100% by Chrome 122.

Rename FirstPartySets enterprise policies to RelatedWebsiteSets

The FirstPartySetsEnabled and FirstPartySetsOverrides enterprise policies are renamed to RelatedWebsiteSetsEnabled and RelatedWebsiteSetsOverrides respectively. There is no change in the policies’ behavior. The new policies become available from Chrome 120. Administrators should use them going forward. To learn more about the rename, follow https://developer.chrome.com/blog/related-website-sets/
- Chrome 120 on Android, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia

Revamped Safety Check on Desktop

We plan to introduce a new proactive Safety Check that regularly checks the browser for safety-related issues and informs users when there's anything that needs their attention. This launch also introduces a new page with Chrome’s proactive safety-related actions and information tailored to each user, designed to make it easier for users to stay safe online.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows

Chrome Desktop responsive toolbar

As early as Chrome 120, Chrome Desktop customers across devices and input modes (for example, Mouse or Touch) will experience a toolbar that seamlessly responds to changing window sizes, when users manually select and resize a window or use OS-specific window management tools.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows

Chrome on Android will no longer support Android Nougat

The last version of Chrome that supports Android Nougat is Chrome 119, and it includes a message to affected users informing them to upgrade their operating system.

Chrome 120 will not support nor ship to users running Android Nougat.
- Chrome 120 on Android: Chrome on Android no longer supports Android Nougat

Chrome Third-Party Cookie deprecation

In Chrome 120 and beyond (Jan 2024), Chrome will globally disable third-party cookies for 1% of Chrome traffic as part of our Chrome-facilitated testing in collaboration with the CMA. This will allow sites to meaningfully preview what it's like to operate in a world without third-party cookies. Most enterprise users will be excluded from this experiment group automatically. But for the few that might be affected, admins will be able to use the BlockThirdPartyCookies and CookiesAllowedForUrls policies to re-enable third-party cookies and opt out their managed browsers ahead of the experiment. This will give enterprises time to make the changes required to not rely on this policy or third-party cookies.

We plan to provide more tooling to help identify third-party cookies use cases. Admins can set the BlockThirdPartyCookies policy to false to re-enable third-party cookies for all sites but this will prevent users from changing the corresponding setting in Chrome. Alternatively, to prevent breakage, you can set the CookiesAllowedForUrls policy to allowlist your enterprise applications to continue receiving third-party cookies.

For more details on how to prepare, provide feedback and report potential site issues, refer to the Mode B: 1% third-party cookie deprecation blog section and the Preparing for the end of third-party cookies blog.
- Chrome 120 on ChromeOS, Linux, Mac, Windows
  1% of global traffic has third-party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.

Package tracking (iOS only)

Users will be able to enable a new package tracking feature that results in estimated delivery dates and package status appearing in a new card on the New tab page. This feature is only supported for en-US users and only for packages fulfilled via FedEx and USPS. If needed, you will be able to turn off the feature using a new policy called ParcelTrackingEnabled.
- Chrome 120 on iOS: feature launches

Network Service on Windows will be sandboxed

To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 120 on Windows: Network Service sandboxed on Windows

Display banner allowing to resume last tab from other devices

To help signed-in users resume tasks when they have to switch devices immediately, Chrome will offer to pick up tabs recently used on the previous device. Admins will be able to control this feature using an existing enterprise policy called SyncTypesListDisabled.
- Chrome 120 on iOS: Feature launches

Resume the last opened tab on any device

For the last open tab on any device within the last 24 hours with the same signed-in user profile, Chrome will offer users with a quick shortcut to resume that tab. Admins will be able to control this feature using an existing enterprise policy called SyncTypesListDisabled.
- Chrome 120 on iOS: Feature launches

Unprefix -webkit-background-clip for text and make it an alias

Chrome will allow the use of the unprefixed version for background-clip: text and will make -webkit-background-clip an alias for background-clip. Also, it drops support for non-suffixed keywords (content, padding and border) for better round-trip with alias.
- Chrome 120 on Windows, Mac, Linux, Android

Chrome user policies for iOS

Admins can apply policies and preferences across a user's devices. Settings apply whenever the user signs in to Chrome browser with their managed account on any device. This functionality already exists on Windows, Mac, Linux, ChromeOS and Android. We are in the process of bringing this functionality to iOS.
- Chrome 120 on iOS: The earliest milestone for this capability is 120.

Chrome profile separation: new policies

Three new policies will be created to help enterprises configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist. These policies will be simpler to use and will replace ManagedAccountsSigninRestriction and EnterpriseProfileCreationKeepBrowsingData.
- Chrome 120 on Linux, Mac, Windows

Migrate away from data URLs in SVGUseElement

The SVG spec was recently updated to remove support for data: URLs in SVGUseElement. This improves security of the Web platform as well as compatibility between browsers as Webkit does not support data: URLs in SVGUseElement. You can read more in this blog post.

Assigning a data: URL in SVGUseElement can cause XSS. And this also led to a Trusted Types bypass.

For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available until Chrome 128 to re-enable Data URL support for SVGUseElement.
- Chrome 120 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia: Remove support for data: URLs in SVGUseElement

Password Manager: password sharing

Password Manager allows users to share their passwords with members of their Google Family Group (as configured in their Google Account). Users can only share one password at a time. It is not possible to share passwords in bulk. The shared password cannot be updated or revoked by the sender.

Enterprise admins can use the PasswordSharingEnabled policy to switch off the share feature for all their employees.
- Chrome 120 on iOS, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia

Permissions prompt for Web MIDI API

There have been several reported problems around Web MIDI API's drive-by access to client MIDI devices (bugs). To address this problem, the Audio WG decided to place an explicit permission on the general MIDI API access. Originally, the explicit permission was only required for the advanced MIDI usage, for example, system exclusive (SysEx) message in Chrome, with gated access behind a permissions prompt. We plan to expand the scope of the permission to regular MIDI API usage.

Today the use of SysEx messages with the Web MIDI API requires an explicit user permission. With this implementation, even access to the Web MIDI API without SysEx support will require a user permission. Three new policies—DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls—will be available to allow administrators to pre-configure user access to the API.
- Chrome 121 on Windows, Mac, Linux, Android

IP Protection Phase 0 for Chrome

As early as Chrome 122, Chrome might route traffic for some network requests to Google-owned resources through a privacy proxy. This is an early milestone in a larger effort to protect users' identities by masking their IP address from known cross-site trackers. More information is available in this explainer on GitHub. Enterprise policies will be in place to allow admins to turn off the feature before it’s launched.
- Chrome 122 on ChromeOS, Linux, Mac, Windows, Android

Apps & Extensions Usage report: Highlight extensions removed from the Chrome Web Store

As early as 122, Chrome is adding new information on the Apps & Extensions Usage Report to help you identify if an extension was recently removed from the Chrome Web Store. On the App Details page, you can find the reason why an extension was removed from the Chrome Web Store. This feature will help IT administrators identify the impact of using the policy to disable unpublished extensions.
- Chrome 122 on LaCrOS, Linux, Mac, Windows

Legacy Technology report

As early as Chrome 122, the Legacy Technology report will be available in the Admin console and it will proactively report websites (both internal and external) that are using technology that will be deprecated, for example, SameSite cookie changes, or older security protocols like TLS 1.0/1.1. This gives admins the ability to work with developers to plan required tech migrations before the deprecation goes into effect. If you’re interested in helping us test this feature, you can sign up for our Trusted Tester program here.
- Chrome 122 on LaCrOS, Linux, Mac, Windows

Remove support for UserAgentClientHintsGREASEUpdateEnabled

We plan to deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year. The policy will eventually be removed.
- Chrome 122 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 125 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed

Chrome Sync ends support for Chrome 81 and earlier

Chrome Sync will no longer support Chrome 81 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome Sync.
- Chrome 123 on Android, iOS, Chrome OS, Linux, Mac, Windows: The change will be implemented.

Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

Intent to deprecate: Mutation Events

Synchronous Mutation Events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.

Extensions must be updated to leverage Manifest V3

Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. As mentioned earlier in our blog post , the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed. During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3. An Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:
- Chrome 98 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Public" or "Unlisted". The ability to change Manifest V2 extensions from "Private" to "Public" or "Unlisted" is removed.
- Chrome 103 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Private".
- Chrome 110 on ChromeOS, LaCrOS, Linux, Mac, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
- Future milestone on ChromeOS, LaCrOS, Linux, Mac, Windows: Remove ExtensionManifestV2Availability policy.

↑ back to top

Upcoming ChromeOS changes

Set the screensaver duration

As early as ChromeOS 120, you will be able to set the duration for screensaver while charging. Users can now choose how long their screensaver runs while their device is charging (not on battery). You can control this using a new enterprise policy. The default setting is Forever, and can be reduced using drop-down options.

New controls for mouse scroll acceleration

ChromeOS 120 will add new controls to let users disable mouse scroll acceleration and adjust the speed of the scrolling.

Enhanced Alt + click behavior

In ChromeOS 120, you will be able to configure right-click behavior using the keyboard and touchpad. You can also configure settings for actions such as Home, End, and Page Up, in the Customize keyboard keys subpage.

New look for ChromeOS media player

As early as ChromeOS 121, the media player will have bigger buttons and colors to match your wallpaper. The media player will appear when you are playing any video or audio (like Spotify or YouTube) in Quick Settings. You will be able to click the pin icon to move the media player to the shelf. In addition to controlling media that is being cast, you will be able to start casting web media to any speakers or screens on your local network.

Enhanced notifications for pinned apps

As early as ChromeOS 121, you will be able to visually separate pinned notifications from other notifications. We will change the visual specs, buttons, and notification text to fit within fixed size bubbles. This significantly differentiates the visual look of pinned notifications from typical notifications to reflect their significant difference in purpose (notifying the user of an ongoing process rather than an instantaneous event).

New ChromeOS sync options

ChromeOS will soon deliver an updated device setup experience that lets users customize sync settings for apps, settings, wi-fi networks, and wallpaper.

App disablement by Admin in MGS

Up until now, Managed Guest Sessions (MGS) include a set of applications (Explore, Gallery, and Terminal apps) that are available to the user. With the SystemFeaturesDisableList policy, Admins will soon be able to disable these apps, blocking and hiding them from users across your enterprise.

↑ back to top

Chrome 118

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
Remove ForceMajorVersionToMinorPositionInUserAgent policy			✓
Remotely disable malicious off-store extensions	✓
Remove RendererCodeIntegrityEnabled policy			✓
Support for passkeys in iCloud Keychain on macOS		✓	✓
Hash-prefix real-time lookups	✓
Updates to the red Safe Browsing interstitials	✓	✓
Form controls support vertical writing mode		✓
Block all cookies set via JavaScript that contain control characters	✓
Clearer Safe Browsing protection level settings text and images	✓
WebUSB in Extension Service Workers	✓
Include chrome.tabs API calls in extension telemetry reports	✓
Remove non-standard appearance keywords		✓
Enrollment for Privacy Sandbox	✓
Discounts shown on product pages and on Quests on the New Tab Page		✓
Encrypted archive deep scanning for Enhanced Safe Browsing users	✓
Flag for enabling the chrome://policy/test page			✓
TLS Encrypted Client Hello (ECH)	✓
New and updated policies in Chrome browser			✓
Removed policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Password recovery	✓
Tabbed PWAs		✓
Printer setup assistance		✓
Imprivata integration v4	✓	✓
Touch text editing redesign		✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
New policies in the Admin console			✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Chrome release schedule changes			✓
Deprecate and remove WebSQL		✓
Native Client support updates	✓
Migrate away from data URLs in SVG <use> element	✓	✓
Network Service on Windows will be sandboxed	✓
Display banner allowing to resume last tab from other devices		✓
Remove Sanitizer API	✓
Tab groups can be saved, recalled, and synced		✓
Chrome profile separation: new policies			✓
Private Network Access restrictions for automotive	✓
Deprecate non-standard shadowroot attribute for declarative shadow DOM	✓
Remove support for UserAgentClientHintsGREASEUpdateEnabled			✓
Default Search Engine choice screen		✓
Shifting UI strings in Chrome from Clear to Delete when getting rid of data			✓
DevTools internal errors will be reported to Chrome internal crash reporting			✓
SharedImages for PPAPI Video Decode	✓
Private Aggregation API bundled enhancements	✓		✓
Remove Authorization header upon cross-origin redirect	✓
Revamped Safety Check on Desktop	✓
Permissions prompt for Web MIDI API	✓
Desktop Responsive Toolbar		✓
Chrome on Android will no longer support Android Nougat			✓
Chrome Third-Party Cookie Deprecation (3PCD)	✓
IP Protection Phase 0 for Chrome	✓
Apps & Extensions Usage Report: Highlight extensions removed from the Chrome Web Store			✓
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy			✓
Intent to deprecate: Mutation Events		✓
Extensions must be updated to leverage Manifest V3	✓	✓	✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Privacy Hub	✓
ChromeOS Admin templates			✓
Upcoming Admin console changes	Security/ Privacy	User productivity/ Apps	Management
URL-keyed anonymized data collection in Kiosk mode	✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome browser updates

Remove ForceMajorVersionToMinorPositionInUserAgent policy

Chrome 118 removes the ForceMajorVersionToMinorPositionInUserAgent policy. This policy was introduced in Chrome 99 to control whether the User-Agent string major version would be frozen at 99, in case of User-Agent string parsing bugs when the version changed to 100. Fortunately, we did not need to deploy this feature and only encountered a few minor 3-digit version parsing issues that have all since been fixed. Given that, we can now remove this policy. If you have any feedback about this policy removal, or are aware of intranet functionality that depends on the policy, comment on this bug.
- Chrome 118 on Android, ChromeOS, Linux, Mac, Windows: Remove ForceMajorVersionToMinorPositionInUserAgent policy

Remotely disable malicious off-store extensions

When Enhanced Safe Browsing is enabled, where users have a malicious off-store extension installed, the extension is disabled when the decision is entered on the Safe Browsing servers via either manually or by an automated detection system.
- Chrome 118 on ChromeOS, Linux, Mac, Windows: Feature launches

Remove RendererCodeIntegrityEnabled policy

The Renderer Code Integrity security feature is no longer controlled by the RendererCodeIntegrityEnabled policy; it is now switched on by default. We recommend that you verify any potential incompatibilities with third party software by no longer using the policy in advance of this release. To report any issues you encounter, submit a bug here.
- Chrome 118 on Windows: This policy is deprecated and will no longer take effect

Support for passkeys in iCloud Keychain on macOS

Chrome on macOS ≥ 13.5 now supports creating and using passkeys from iCloud Keychain. When signing in using WebAuthn, passkeys from iCloud Keychain are listed as options once the user has granted Chrome the needed permission. If permission has not been granted, a generic iCloud Keychain option appears that prompts for permission before showing iCloud Keychain passkeys. If permission is denied, the iCloud Keychain can still be used, but it has to be manually selected each time.

When a site asks to create a platform passkey, Chrome might default to creating the passkey in iCloud Keychain based on whether iCloud Drive is in use and whether WebAuthn credentials from the current profile have been recently used. This can be controlled with a setting on chrome://password-manager/settings, and with the enterprise policy CreatePasskeysInICloudKeychain.
- Chrome 118 on Mac: Chrome 118 supports iCloud Keychain. Whether Chrome defaults to creating platform passkeys in iCloud Keychain can be altered by Chrome Variations during the lifetime of 118.

Hash-prefix real-time lookups

For standard Safe Browsing protection users, visited URLs now have their safety checked in real time, instead of less frequently using an updated local list of unsafe URLs. This is done by sending partial hashes of the URLs to Google Safe Browsing through a proxy via Oblivious HTTP, so that the user’s IP address is not linked to the partial hashes. This change improves security while maintaining privacy for users. If needed, you can control this feature using the SafeBrowsingProxiedRealTimeChecksAllowed policy.
- Chrome 118 on iOS, ChromeOS, LaCrOS, Linux, Mac, Windows

Updates to the red Safe Browsing interstitials

In Chrome 118, users see minor updates to the red Safe Browsing interstitials. The main body text now includes an explicit recommendation from Chrome and site ID is specified in the details section instead of the main body. The danger icon replaces the previous warning icon, and styling is now consistent with the latest product standards. These changes improve user comprehension of warnings.
- Chrome 118 on Android, iOS, ChromeOS, LaCrOS, Linux, Mac, Windows

Form controls support vertical writing mode

The CSS property writing-mode should be enabled for form controls elements as it allows lines of text to be laid out horizontally or vertically and it sets the direction in which blocks progress.

With this feature, we are allowing the form control elements select, meter, progress, button, textarea and input to have vertical-rl or vertical-lr writing mode. As needed for Web compatibility, we now begin to slowly roll out the change for a number of form controls in 118, and we will continue in future milestones.

You can control this feature with the following command line flags:

--enable-features= FormControlsVerticalWritingModeSupport
--enable-features= FormControlsVerticalWritingModeTextSupport
- Chrome 118 on Windows, Mac, Linux, Android

Block all cookies set via JavaScript that contain control characters

Updates how control characters in cookies set via JavaScript are handled. Specifically, all control characters cause the entire cookie to be rejected (previously a NULL character, a carriage return character, or a line feed character in a cookie line caused it to be truncated instead of rejected entirely, which could have enabled malicious behavior in certain circumstances). This behavior aligns Chrome with the behavior indicated by the latest drafts of RFC6265bis.

You can control this feature using the --disable-features=BlockTruncatedCookies or the BlockTruncatedCookies enterprise policy, which will be available for several milestones in case this change causes any breakage.
- Chrome 118 on Windows, Mac, Linux, Android

Clearer Safe Browsing protection level settings text and images

In Chrome 118, some users see new text describing the Safe Browsing protection level on both the Security Settings page and the Privacy Guide. The update clarifies the Enhanced Protection level by adding a table and linking to a help center article where users can learn more. The new table helps users understand the trade-offs when selecting that option versus choosing the other options. The descriptions for Standard Protection, No Protection and the password compromise warnings toggle have been simplified to make the options clearer. The Safe Browsing protection level is an existing feature, still controlled by the SafeBrowsingProtectionLevel policy.
- Chrome 118: Some users see the updated text and images on the Chrome Security Settings page and on the Privacy Guide.

WebUSB in Extension Service Workers

Web developers can use the WebUSB API when responding to extension events by exposing WebUSB API to Service Workers registered by browser extensions. This API is not yet exposed to Service Workers registered by sites but the implementation experience gained by supporting the API for extensions will be valuable for such a future project.
- Chrome 118 on Windows, Mac, Linux, ChromeOS

Include chrome.tabs API calls in extension telemetry reports

When you switch on Enhanced Safe Browsing, Chrome now collects telemetry information about chrome.tabs API calls made by extensions. This information is analyzed on Google servers and further improves the detection of malicious and policy violating extensions. It also allows better protection for all Chrome extension users. You can turn off this functionality along with the extension telemetry feature by setting SafeBrowsingProtectionLevel to any value other than 2, which turns off Enhanced Safe Browsing.
- Chrome 118 on ChromeOS, Linux, Mac, Windows: Feature launches

Remove non-standard appearance keywords

Since only standard appearance keywords should be supported, Chrome 118 removes appearance (and -webkit-appearance) keywords, including:

* inner-spin-button

* media-slider

* media-sliderthumb

* media-volume-slider

* media-volume-sliderthumb

* push-button

* searchfield-cancel-button

* slider-horizontal

* sliderthumb-horizontal

* sliderthumb-vertical

* square-button

Note that value slider-vertical will not be removed as part of this patch; it is used for allowing <input type=range> vertical. It will be removed once feature FormControlsVerticalWritingModeSupport is enabled in Stable.

Previously, if using any of the above keywords, a console warning appeared, but the keyword was recognized as a valid value. With the feature enabled, the appearance property will be ignored and set to the empty string. As needed for Web compatibility, we will progressively remove the appearance keywords based on their counter usages on Chrome Status Metrics.

For Chrome 118, we start with the following keywords, currently at page load usage below 0.001%:

* media-slider at 0.000361

* media-sliderthumb at 0.000187%

* media-volume-slider at 0.000143%

* media-volume-sliderthumb at 0.000109%

* sliderthumb-horizontal at 0.000182%

* sliderthumb-vertical at 0.000014%
- Chrome 118 on Windows, Mac, Linux, Android

Enrollment for Privacy Sandbox

As the Privacy Sandbox relevance and measurement APIs start ramping up for general availability, we want to make sure these technologies are used as intended and with transparency. The APIs include Attribution Reporting, the Protected Audience API, Topics, Private Aggregation and Shared Storage. Privacy Sandbox is introducing a new Developer Enrollment process for Privacy Sandbox relevance and measurement APIs. Chrome will fetch the enrolled-sites list from the enrollment server (via component updater) and use it to gate access to the Privacy Sandbox APIs.
- Chrome 118 on Windows, Mac, Linux, Android

Discounts shown on product pages and on Quests on the New tab page

Starting in Chrome 118, users sometimes see discounts, shown as annotations on page visits, in the Quests cards shown on the New tab page. Clicking through on the discount shows the relevant information on the product page. Quests as a whole are controlled by the NTPCardsVisible policy. Users also sometimes see discounts directly on the product page, available through an icon in the Omnibox.
- Chrome 118 on ChromeOS, LaCrOS, Linux, Mac, Windows

Encrypted archive deep scanning for Enhanced Safe Browsing users

Google Chrome offers deep scanning of some suspicious downloads to users who have opted in to Enhanced Safe Browsing. This sends the file content to Safe Browsing for a real-time evaluation of the file's safety. Starting in Chrome 118, deep scans of encrypted archives, for example, ZIP and RAR files, prompt the user to provide the archive password along with the file content. This is necessary for Safe Browsing to provide a useful verdict about the contents of the archive. Enterprises who do not want to see this prompt can prevent users from enabling Enhanced Safe Browsing with the SafeBrowsingProtectionLevel policy. Starting in Chrome 119, enterprises who want to switch off file deep scans while still enabling Enhanced Safe Browsing can do so with the SafeBrowsingDeepScanningEnabled policy.
- Chrome 118 on ChromeOS, LaCrOS, Linux, Mac, Windows

Flag for enabling the chrome://policy/test page

The #enable-policy-test-page flag allows admins and developers to use the chrome://policy/test page to more easily test policies on the Beta, Dev, Canary channels.
- Chrome 118 on Android, iOS, ChromeOS, Linux, Mac, Windows

TLS Encrypted Client Hello (ECH)

The TLS Encrypted ClientHello (ECH) extension allows clients to encrypt ClientHello messages, which are normally sent in cleartext, under a server’s public key. This allows websites to opt-in to avoid leaking sensitive fields, like the server name, to the network by hosting a special HTTPS RR DNS record. (Earlier iterations of this extension were called Encrypted Server Name Indication, or ESNI.) If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it. You can enable the new behavior by navigating to chrome://flags and enabling the #encrypted-client-hello flag. If you notice any incompatibilities, you can use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.
- Chrome 118 on Chrome OS, Linux, Mac, Windows: Rolled out to 100% of users

New and updated policies in Chrome browser

Policy	Description
BlockTruncatedCookies	Block truncated cookies
CompressionDictionaryTransportEnabled	Enable compression dictionary transport support
CreatePasskeysInICloudKeychain	Control whether passkey creation will default to iCloud Keychain.
LegacyTechReportAllowlist	Specifies URLs that allow legacy technology report
SafeBrowsingProxiedRealTimeChecksAllowed	Allow Safe Browsing Proxied Real Time Checks

Removed policies in Chrome browser

Policy	Description
ForceMajorVersionToMinorPositionInUserAgent	Freeze User-Agent string major version at 99
RendererCodeIntegrityEnabled	Enable Renderer Code Integrity

ChromeOS updates

Password recovery

ChromeOS users who have forgotten their password can now recover their account along with all associated local data. Gone are the days where all local data is lost when a password has been forgotten! You can control this feature with the RecoveryFactorBehavior policy.

Tabbed PWAs

Developers can now choose to display their Progressive Web App (PWA) in tabbed mode, allowing users to manage and navigate multiple documents within a single window using a familiar tab strip. Developers should also specify a home tab where appropriate, which provides a consistent place for users to access documents and settings.

Printer setup assistance

To simplify a user's printing journey, ChromeOS provides more in context help when it comes to using their printer: an easier way to save printers, new set up instructions and help content, printer status directly integrated on the settings page. Moreover, we now also provide users an easy route to manage their printer when they face issues with it while trying to print.

Imprivata integration v4

For caregivers, Imprivata OneSign compatibility with Google ChromeOS devices and the Chrome browser means fast, secure access, and better cost efficiency. This fourth version of Imprivata integration, Imprivata v4, adds deployment, stability, and workflow improvements. It improves support for assigned devices by allowing for Imprivata sign-in to ChromeOS user sessions. In addition, ChromeOS 118 now supports all 12 languages of Imprivata and SPINE workflows.

Touch text editing redesign

Improved text editing interaction with user's fingers on the touchscreen, including a much more intuitive gesture system, usability improvements around gesture intentions and text legibility, a brand new magnifier that automatically shows cursor position with precision.

Admin console updates

New policies in Admin console

Policy Name	Pages	Supported on	Category/Field
ForcePermissionPolicyUnloadDefaultEnabled	User, Managed Guest Session	Chrome (Android) Chrome (Linux, Mac, Windows) ChromeOS	Legacy site compatibility
SafeBrowsingSurveysEnabled	User, MGS	Chrome (Linux, Mac, Windows) ChromeOS	Chrome safe browsing
EmojiPickerGifSupportEnabled	User, MGS	Chrome (Linux, Mac, Windows) ChromeOS	User experience
ColorCorrectionEnabled	User, MGS	ChromeOS	User accessibility
CreatePasskeysInICloudKeychain	User, MGS	Chrome (Mac)	Content
SafeBrowsingProxiedRealTimeChecksAllowed	User, MGS	Chrome (Linux, Mac, Windows) ChromeOS, Chrome (iOS and iPadOS)	Chrome safe browsing

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming browser changes

Chrome release schedule changes

Chrome 119 and all subsequent releases will be shifted forward by one week. For example, Chrome 119 will have its early stable release on October 25 instead of Nov 1. Beta releases will also be shifted forward by one week starting in Chrome 119.
- Chrome 119 on Android, iOS, ChromeOS, Linux, Mac, Windows

Deprecate and remove WebSQL

The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.

Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebsQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team. With SQLite over WASM as its official replacement, we want to remove WebSQL entirely.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117, the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a policy, WebSQLAccess, is needed for the feature to be available.
- Chrome 119: Starting with Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy.

Native Client support updates

Native Client NaCl support was removed from extensions on Windows, macOS, and Linux. A temporary enterprise policy is available, NativeClientForceAllowed, which allows Native Client to continue to be used.
- Chrome 117 on Linux, Mac, Windows: Removal of Native Client NaCl support from extensions on Windows, macOS, Linux.
- Chrome 119 on Linux, Mac, Windows: Removal of NativeClientForceAllowed policy

Migrate away from data URLs in SVG <use> element

The SVG spec was recently updated to remove support for data: URLs in SVG <use> element. This improves security of the Web platform as well as compatibility between browsers as Webkit does not support data: URLs in SVG <use> element. You can read more in this blog post.

For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available until Chrome 128 to re-enable Data URL support for SVG <use> element.
- Chrome 119 on Android, ChromeOS, LaCrOS, Linux, Mac, Windows, Fuchsia: Remove support for data: URLs in SVG <use> element

Network Service on Windows will be sandboxed

To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 119 on Windows: Network Service sandboxed on Windows

Display banner allowing to resume last tab from other devices

Help signed in users resume tasks when they have to switch devices immediately by offering to pick up tabs recently used on the previous device. Admins can control this feature via the existing enterprise policy called SyncTypesListDisabled.
- Chrome 119 on iOS: Feature launches

Remove Sanitizer API

The Sanitizer API aims to build an easy-to-use, always secure, browser-maintained HTML sanitizer into the platform. We shipped an initial version of the Sanitizer API in Chrome 105, based on the then-current specification draft. However, the standards discussion has meanwhile moved on and the proposed API shape has changed substantially. To prevent the current API from becoming entrenched, we plan to remove the current implementation. We expect to re-implement the Sanitizer API when the proposed specification stabilizes again.
- Chrome 119 on Windows, Mac, Linux, Android

Tab Groups can be saved, recalled, and synced

Users will be able to save tab groups, which will allow them to close and re-open the tabs in the group, as well as sync them across devices. You can disable syncing Tab Groups using the SyncTypesListDisabled policy.
- Chrome 119 on ChromeOS, Linux, Mac, Windows

Chrome profile separation: new policies

Three new policies will be created to help enterprises configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist. These policies will be simpler to use and will replace ManagedAccountsSigninRestriction and EnterpriseProfileCreationKeepBrowsingData.
- Chrome 119 on Linux, Mac, Windows: New profile separation policies available: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist.

Private Network Access restrictions for automotive

This ships Private Network Access restrictions to Android Automotive (if BuildInfo::is_automotive), including: Private Network Access preflight requests for subresources and Private Network Access for Workers. Note that the two above features were shipped in warning only mode, but these features will enforce the restriction, that is, failing the main request if restrictions are not satisfied.
- Chrome 119 on Android

Deprecate non-standard shadowroot attribute for declarative shadow DOM

The standards-track shadowrootmode attribute, which enables declarative Shadow DOM, was shipped in Chrome 111 (ChromeStatus). The older, non-standard shadowroot attribute is now deprecated. During the deprecation period, both attributes are functional, however the shadowroot attribute does not enable the new streaming behavior, whereas shadowrootmode allows streaming of content. There is a straightforward migration path: replace shadowroot with shadowrootmode.
The old shadowroot attribute is deprecated as of Chrome 112, and it will be removed (no longer supported) in Chrome 119, which goes to Stable on November 1, 2023.
- Chrome 119 on Windows, Mac, Linux, Android

Remove support for UserAgentClientHintsGREASEUpdateEnabled

Deprecate the UserAgentClientHintsGREASEUpdateEnabled policy since the updated GREASE algorithm has been on by default for over a year and then eventually remove it.
- Chrome 119 on Android, ChromeOS, Linux, Mac, Windows: Policy is deprecated
- Chrome 122 on Android, ChromeOS, Linux, Mac, Windows: Policy is removed

Default Search Engine choice screen

As early as Chrome 119, enterprise end-users may be prompted to choose their default search engine within Chrome.

As part of our building for DMA compliance, some users will be prompted to choose their default search engine for Chrome. This prompt controls the default search engine setting, currently available at chrome://settings/search. The enterprise policies, DefaultSearchProviderEnabled and DefaultSearchProviderSearchUrl, will continue to control this setting as it does today, if it is set by the IT admin. Read more on this policy and the related atomic group.
- Chrome 119 on iOS, ChromeOS, LaCrOS, Linux, Mac, Windows: 1% users will start getting the choice screen with Chrome 119. 100% by Chrome 122

Shifting UI strings in Chrome from Clear to Delete when getting rid of data

Chrome is updating settings text to reflect delete instead of clear when referring to the destruction of data. We expect the change will improve user comprehension. Users who intend to get rid of data should feel reassured that the data is actually deleted and not just cleared from one view but accessible elsewhere.
- Chrome 119 on Android, iOS, ChromeOS, Mac, Windows: The earliest milestone that users may see these changes is 119.

DevTools internal errors will be reported to Chrome internal crash reporting

To improve Chrome's stability, DevTools internal errors will be reported through Chrome's existing crash reporting pipeline. This will provide visibility into the stability of the Chrome DevTools. Admins can control all crash reporting, including these errors, using the MetricsReportingEnabled enterprise policy.
- Chrome 119 on ChromeOS, Linux, Mac, Windows

SharedImages for PPAPI Video Decode

The PPAPISharedImagesForVideoDecoderAllowed policy controls the recent refactor for VideoDecoder APIs in PPAPI plugin. The migration only affects internal implementation details and should not change any behavior. However, this policy can be used in case any PPAPI applications do not work as expected.
When the policy is left unset or set to Enabled, the browser will decide which implementation is used.

When the policy is set to Disabled, Chrome will use the old implementation until the policy expires.

NOTE: Only newly-started renderer processes will reflect changes to this policy while the browser is running.
- Chrome 119 on ChromeOS, LaCrOS: Escape hatch policy introduced.
- Chrome 122 on ChromeOS, LaCrOS: Escape hatch policy and corresponding old code paths are removed.

Private Aggregation API bundled enhancements

We're planning a few bundled changes to Private Aggregation:

- Null report fixes: Currently reports with no contributions are inadvertently dropped. This change ensures that, when a context ID is specified, a null report is sent even if budget is denied. Separately, it fixes a bug causing budget to always be denied for null reports.

- Debug mode eligibility changes: Currently, debug mode is always available. This change only allows debug mode for callers that are allowed access to third-party cookies, silently dropping the debug mode otherwise. Note that this will allow debug mode to automatically sunset when third-party cookies are deprecated.

- Padding report payloads: To avoid the payload size being dependent on the number of contributions, we will pad it with 'null' contributions to a fixed length. Note that this change will also affect Attribution Reporting reports.

- Reducing delay: When a context ID is specified, we remove the randomized 10-60 minute delay, which is superfluous as a report is always sent in this case. Instead, we just wait until the Shared Storage operation timeout.
- Chrome 119 on Windows, Mac, Linux, Android

Remove Authorization header upon cross-origin redirect

The Fetch standard has been updated to remove Authorization header on cross origin redirects. Chrome should follow the spec change.
- Chrome 119 on Windows, Mac, Linux, Android

Revamped Safety Check on Desktop

We plan to introduce a new proactive Safety Check that regularly checks the browser for safety related issues and informs users when there's anything that needs their attention. Our Safety Check launch also introduces a new page with Chrome’s proactive safety-related actions and information tailored to each user, designed to make it easier for users to stay safe online.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows

Permissions prompt for Web MIDI API

This feature gates the Web MIDI API access behind a permissions prompt. Today, the use of SysEx messages with the Web MIDI API requires an explicit user permission. With this implementation, even access to the Web MIDI API without SysEx support will require a user permission. Three new policies—DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls—will be available to allow administrators to pre-configure user access to the API.
- Chrome 120 on Windows, Mac, Linux, Android

Desktop Responsive Toolbar

As early as Chrome 120, Chrome Desktop customers across form factors and input modalities (e.g. Mouse, Touch) will experience a toolbar that seamlessly responds to changing window sizes albeit by manually selecting and dragging a window smaller/larger or using operating system specific window management tools.
- Chrome 120 on ChromeOS, LaCrOS, Linux, Mac, Windows

Chrome on Android will no longer support Android Nougat

The last version of Chrome that will support Android Nougat will be Chrome 119, and it includes a message to affected users informing them to upgrade their operating system. Chrome 120 will not support nor ship to users running Android Nougat.
- Chrome 120 on Android: Chrome on Android no longer supports Android Nougat

Chrome Third-Party Cookie Deprecation (3PCD)

In Chrome 120 and beyond (Jan 2024), Chrome will globally disable third-party cookies for 1% of Chrome traffic as part of our Chrome-facilitated testing in collaboration with the CMA, to allow sites to meaningfully preview what it's like to operate in a world without third-party cookies (3PCs). Most enterprise end users will be excluded from this experiment group automatically. But for the few that may be affected, enterprise admins will be able to utilize an enterprise policy to opt out their managed browsers ahead of the experiment and give enterprises time to make necessary changes to not rely on this policy or third party cookies.
We plan to provide more details about this policy and provide more tooling to help identify 3PC use cases. In the meantime, refer to the Mode B: 1% third-party cookie deprecation blog section for more details on how to prepare, provide feedback and report potential site issues.
- Chrome 120 on ChromeOS, Linux, Mac, Windows
  1% of global traffic has third party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.

IP Protection Phase 0 for Chrome

As early as Chrome 122, Chrome may route traffic for some network requests to Google-owned resources through a privacy proxy. This is an early milestone in a larger effort to protect users' identities by masking their IP address from known cross-site trackers. More information (including enterprise policies) can be found in the explainer. Enterprise policies will be in place to allow admins to disable the feature before it’s launched.
- Chrome 122 on ChromeOS, Linux, Mac, Windows, Android

Apps & Extensions Usage Report: Highlight extensions removed from the Chrome Web Store

Chrome is adding new information on the Apps & Extensions Usage Report to help you identify if an extension was recently removed from the Chrome Web Store. On the App Details page, you can find the reason why an extension was removed from the Chrome Web Store. This feature will help IT administrators identify the impact of using the policy to disable unpublished extensions.
- Chrome 122 on LaCrOS, Linux, Mac, Windows

Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

Intent to deprecate: Mutation Events
Synchronous Mutation Events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.
- Chrome 127 on Android, ChromeOS, Linux, Mac, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.

Extensions must be updated to leverage Manifest V3

Extensions must be updated to leverage Manifest V3. Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. As mentioned earlier in our blog post , the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed. During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3. An Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. Read more on the Manifest timeline, including:
- Chrome 98 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Public" or "Unlisted". The ability to change Manifest V2 extensions from "Private" to "Public" or "Unlisted" is removed.
- Chrome 103 on ChromeOS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Private".
- Chrome 110 on ChromeOS, LaCrOS, Linux, Mac, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
Future milestone on ChromeOS, LaCrOS, Linux, Mac, Windows: Remove ExtensionManifestV2Availability policy.

↑ back to top

Upcoming ChromeOS changes

Privacy Hub

Later this year, users will be able to manage their camera and microphone settings across the operating system from one place in Settings. This way it only takes one click for users to completely turn off their camera or microphone all from one place when they need extra confidence in staying on mute.

ChromeOS Admin templates

App Launch Automation can be configured by Administrators in the Admin console to contain groups of applications, windows and tools that can be launched automatically on startup or on-demand by users throughout their day. With App Launch Automation, you can: get users up and running quickly at the start of their day, provide users with a way to easily get to an optimal starting point for new tasks, and remember the window layout each user sets up for their individual workflows for future use.

↑ back to top

Upcoming Admin console changes

URL-keyed anonymized data collection in Kiosk mode

The policy for URL-keyed anonymized data collection, UrlKeyedAnonymizedDataCollectionEnabled, will soon be supported in the Admin console. This policy will be enforced starting October 1st and will remain disabled until then.

↑ back to top

Chrome 117

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
Skip unload events		✓
Chrome no longer supports macOS 10.13 and macOS 10.14			✓
Update to lock icon	✓
Network service is sandboxed on Linux and ChromeOS	✓
TLS Encrypted Client Hello (ECH)	✓
User surveys related to SafeBrowsing warnings			✓
Simplified onboarding experience		✓
Warnings on insecure downloads	✓
Service Worker static routing API		✓
Chrome browser integration with Symantec Endpoint DLP	✓
Require X.509 key usage extension for RSA certificates chaining to local roots	✓
Simplified sign-in and sync experience		✓
Updates to Clear Browsing Data on Android	✓
Allow users to review and optionally remove potentially unsafe extensions			✓
New Chrome Desktop visual refresh in Chrome 117		✓
Native Client support updates		✓
Deprecate and remove WebSQL		✓
Revamp permission usage or lockage indicators	✓
Price tracking		✓
Price insights on Chrome desktop		✓
Auth on entry to Password Manager on iOS	✓
Improved download warnings		✓
Storage Access API with prompts		✓
Chrome on Android trackpad support		✓
Port overflow check in URL setters	✓
Deprecate TLS SHA-1 server signatures	✓
URL standard-compatible IPv4 embedded IPv6 host parser	✓
Form-filler accessibility mode		✓
Clear client hints via Clear-Site-Data header	✓
Remove WebRTC getStats datachannelIdentifier -1	✓
Remove WebRTC getStats encoderImplementation/decoderImplementation unknown	✓
Unship callback-based legacy getStats() in WebRTC	✓
New and updated policies in Chrome browser			✓
Removed policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
ChromeOS battery state sounds			✓
Avoid content control escapes on the login or lock screen	✓
Emoji Picker with GIF support		✓
ChromeOS gets a makeover		✓
ChromeOS Personalization App		✓
Color correction settings on ChromeOS		✓
Tabbed PWAs on ChromeOS			✓
System answer cards in Launcher search		✓
Nudge managed users towards enrolling non-ZTE devices	✓		✓
Replacing the Bluetooth stack on ChromeOS			✓
Time-lapse recording		✓
Enhanced options in clipboard history		✓
ChromeVox dialog changes		✓
Steam enabled on all capable devices		✓
Up Next Calendar view with Join video call integration		✓
Adaptive Charging			✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
Printing reports now available in Chrome Management Reports API			✓
New policies in the Admin console			✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Chrome will introduce a chrome://policy/test page			✓
Network Service on Windows will be sandboxed	✓
Remove ForceMajorVersionToMinorPositionInUserAgent policy			✓
Remotely disable malicious off-store extensions	✓
Remove RendererCodeIntegrityEnabled policy			✓
Support for passkeys in iCloud Keychain on macOS		✓	✓
Hash-prefix real-time lookups	✓
Red interstitial facelift	✓	✓
Form controls support vertical writing mode		✓
Block all cookies set via JavaScript that contain control characters	✓
Clearer Safe Browsing protection level settings text and images	✓
WebUSB in Extension Service Workers	✓
Include chrome.tabs API calls in extension telemetry reports	✓
Remove non-standard appearance keywords		✓
Chrome release schedule changes			✓
Permissions prompt for Web MIDI API	✓
Migrate away from data URLs in SVG <use> element	✓	✓
Chrome Browser Cloud Management: Crash report			✓
IP protection Phase 0 for Chrome	✓
Display banner to allow resume last tab from other devices		✓
Remove Sanitizer API	✓
Tab groups can be saved, recalled, and synced		✓
Chrome profile separation: new policies			✓
Chrome on Android will no longer support Android Nougat			✓
Replace dangling markup in target name to _blank	✓
Private Network Access restrictions for automotive	✓
Deprecate non-standard shadowroot attribute for declarative shadow DOM	✓
Chrome Third-Party Cookie Deprecation (3PCD)	✓
Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy			✓
Intent to deprecate: Mutation events		✓
Extensions must be updated to leverage Manifest V3	✓	✓	✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
Privacy Hub			✓
ChromeOS Admin templates			✓
Upcoming Admin console changes	Security/ Privacy	User productivity/ Apps	Management
URL-keyed anonymized data collection in Kiosk mode	✓

DOWNLOAD Release notes (PDF)

↑ back to top

Chrome browser updates

Skip unload events

The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years. To further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events. In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of an API and a group policy, which will allow you to selectively keep the behavior unchanged.
- Chrome 117 on Chrome OS, Linux, Mac, Windows: Dev Trial.

Chrome no longer supports macOS 10.13 and macOS 10.14

Chrome will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.13 or 10.14, Chrome continues to show an infobar that reminds users that Chrome 117 will no longer support macOS 10.13 and macOS 10.14.
- Chrome 117 on Mac: Chrome no longer supports macOS 10.13 and macOS 10.14.

Update to lock icon

We plan to replace the lock icon with a variant of the tune icon, which is commonly used to indicate controls and settings. Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome. Our research has also shown that many users never understood that clicking the lock icon showed important information and controls. We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.
The new icon is scheduled to launch as part of a general design refresh for desktop platforms. Chrome will continue to alert users when their connection is not secure. You can enable the tune icon pre-release in Chrome for Desktop if you enable Chrome Refresh 2023 at chrome://flags#chrome-refresh-2023, but keep in mind this flag enables work that is still actively in-progress and under development, and does not represent a final product.

We will also replace the icon on Android. On iOS, the lock icon is not tappable, so we will be removing the icon. You can read more in this blog post.
- Chrome 117 on Linux, Mac, Windows: The new icon is scheduled to launch in Chrome 117.

Network service is sandboxed on Linux and ChromeOS

The network service is sandboxed on Linux and ChromeOS to improve security. On Linux, it's possible that third party software (likely data loss prevention or antivirus software) is injecting code into Chrome's processes and will be blocked by this change. This may result in Chrome crashing for your users.
If this happens, you should work with the vendor of the third party software to stop it from injecting code into Chrome's processes. In the meantime, you will be able to use the NetworkServiceSandboxEnabled policy to defer the sandboxing. This is a temporary measure intended to help enterprises surprised by the change; the policy will be removed in a future version of Chrome.
- Chrome 117 on Chrome OS, Linux: The network service sandboxed on Linux and ChromeOS to improve security.

TLS Encrypted Client Hello (ECH)

The TLS Encrypted ClientHello (ECH) extension enables clients to encrypt ClientHello messages, which are normally sent in cleartext, under a server’s public key. This allows websites to opt-in to avoid leaking sensitive fields, like the server name, to the network by hosting a special HTTPS RR DNS record. (Earlier iterations of this extension were called Encrypted Server Name Indication, or ESNI.) If your organization’s infrastructure relies on the ability to inspect SNI, for example, filtering, logging, and so on, you should test it. You can enable the new behavior by navigating to chrome://flags and enabling the #encrypted-client-hello flag. On Windows and Linux, you also need to enable Secure DNS for the flag to have an effect.
If you notice any incompatibilities, you can use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.
- Chrome 117 on Chrome OS, Linux, Mac, Windows

User surveys related to SafeBrowsing warnings

After a user adheres to or bypasses a SafeBrowsing warning, Chrome may ask them about their satisfaction with the experience. You can control this with the SafeBrowsingSurveysEnabled policy.
- Chrome 117 on Chrome OS, Linux, Mac, Windows

Simplified onboarding experience

Some users may see a simplified onboarding experience with a more intuitive way to sign into Chrome. Enterprise policies like BrowserSignin, SyncDisabled, EnableSyncConsent, RestrictSigninToPattern and SyncTypesListDisabled will continue to be available as before to control whether the user can sign into Chrome and turn on sync. The PromotionalTabsEnabled policy can be used to skip the onboarding altogether. DefaultBrowserSettingEnabled is respected in the same way as before.
- Chrome 117 on Linux, Mac, Windows

Warnings on insecure downloads

Chrome will begin showing warnings on some downloads if those files were downloaded over an insecure (i.e. not HTTPS) connection. These warnings do not prevent downloading and can be bypassed by the user. Enterprises can test their downloads by enabling warnings via chrome://flags/#insecure-download-warnings. Enterprises can also disable warnings for sites that can not deliver files securely by adding the downloading site to InsecureContentAllowedForUrls.
- Chrome 117 on Android, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia: Chrome shows warnings on some downloads.

Service Worker static routing API

Chrome releases the Service Worker static routing API; it enables developers to optimize how Service Workers are loaded. Specifically, it allows developers to configure the routing, and allows them to offload simple things ServiceWorkers do. If the condition matches, the navigation happens without starting ServiceWorkers or executing JavaScript, which allows web pages to avoid performance penalties due to ServiceWorker interceptions.
- Chrome 116 on Android, Chrome OS, Linux, Mac, Windows: Origin Trial for Service Worker static routing API.
- Chrome 117 on Android, Chrome OS, Linux, Mac, Windows: Release of the Service Worker static routing API.

Chrome browser integration with Symantec Endpoint DLP

This feature provides a secure native integration that transfers content (file or text) between Chrome and Broadcom’s Symantec DLP agent without the need for deploying an extension. When a CBCM or CDM managed user performs an action that sends data via Chrome, Symantec Endpoint DLP can monitor for data exfiltration and apply allow/block controls based on customer's DLP policies.
- Chrome 117 on Windows

Require X.509 key usage extension for RSA certificates chaining to local roots

X.509 certificates used for HTTPS should contain a key usage extension that declares how the key in a certificate may be used. Such instructions ensure certificates are not used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. For this to work, HTTPS clients must check that server certificates match the connection's TLS parameters, specifically that the key usage flag for “digitalSignature” and possibly “keyEncipherment” (depending on TLS ciphers in use) are asserted when using RSA.
Chrome 117 will begin enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates. Enterprises can test and temporarily disable key usage enforcement using the RSAKeyUsageForLocalAnchorsEnabled policy (available in Chrome 116).
- Chrome 116 on Android, Chrome OS, Linux, Mac, Windows: The RSAKeyUsageForLocalAnchorsEnabled policy is added.
- Chrome 117 on Android, Chrome OS, Linux, Mac, Windows: Chrome begins enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates.

Simplified sign-in and sync experience

Chrome launches a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies. As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off fully (via SyncDisabled) or partially (via SyncTypesListDisabled). Sign-in to Chrome can be required or disabled via BrowserSignin as before.
Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.
- Chrome 117 on iOS: Simplified sign-in and sync experience launches on iOS.

Updates to Clear browsing data on Android

Chrome enhances the browser data deletion controls by making it easier and quicker for users to complete their ‘Clear browsing data’ journeys, while maintaining the granular controls for advanced data deletion needs.
- Chrome 117 on Android

Allow users to review and optionally remove potentially unsafe extensions

A new review panel will be added in chrome://extensions, which appears whenever there are potentially unsafe extensions that need the user's attention, such as extensions that are malware, policy violating or are no longer available in the Chrome Web Store. The user can choose to remove or keep these extensions.
There is also a count of risky extensions needing review that is presented in the Chrome Privacy & Security settings page. As an administrator, you can preemptively control the availability of potentially unsafe extensions using the ExtensionUnpublishedAvailability policy.
- Chrome 117 on Chrome OS, Linux, Mac, Windows

New Chrome Desktop visual refresh in Chrome 117

With Google’s design platform moving to Google Material 3, we have an opportunity to modernize our desktop browser across OS’s, leveraging updated UI elements or styling, enhancing personalization through a new dynamic color system, and improving accessibility. The first wave of UI updates will roll out in Chrome 117.
The three dot Chrome menu will also be refreshed, providing a foundation to scale personalization and customization experiences in Chrome by enabling customers proximate access to tools and actions.. The menu will be updated in phases starting in Chrome 117.
- Chrome 117 on Linux, Mac, Windows: Rollout starts for all users.

Native Client support updates

We will remove Native Client NaCl support from extensions on Windows, macOS, Linux. An enterprise policy will be available, NativeClientForceAllowed, which will allow Native Client to continue to be used.
- Chrome 117 on Linux, Mac, Windows: Removal of Native Client NaCl support from extensions on Windows, macOS, Linux.
- Chrome 119 on Linux, Mac, Windows: Removal of NativeClientForceAllowed policy.

Deprecate and remove WebSQL

The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database. Ever since its release, it has made it incredibly difficult to keep our users secure. SQLite was not initially designed to run malicious SQL statements, and yet with WebsQL we have to do exactly this. Having to react to a flow of stability and security issues is an unpredictable cost to the storage team. With SQLite over WASM as its official replacement, we want to remove WebSQL entirely.
- Chrome 115: Deprecation message added to console.
- Chrome 117: In Chrome 117 the WebSQL Deprecation Trial starts. The trial ends in Chrome 123. During the trial period, a policy, WebSQLAccess, is needed for the feature to be available.
- Chrome 119: Starting Chrome 119, WebSQL is no longer available. Access to the feature is available until Chrome 123 using the WebSQLAccess policy.

Revamp permission usage or blockage indicators

In-use activity indicators are visual cues that let users know that an origin is actively using a permission-gated feature. They can be used to indicate things like whether geolocation is accessed, or video and audio are being captured. Chrome is changing the life cycle of the activity indicators, updating how long they appear in the address bar.
- Chrome 117 on Chrome OS, Linux, Mac, Windows

Price tracking

Starting in Chrome 117, when users bookmark a price-trackable product, price tracking will be enabled by default when available. Users will be able to disable price tracking per item, and administrators can disable the feature entirely with the ShoppingListEnabled policy.
- Chrome 117 on Chrome OS, Linux, Mac, Windows

Price insights on Chrome desktop

Some users will see a chip in the address bar which enables them to see price information about a product they're shopping for.
- Chrome 117 on Chrome OS, Linux, Mac, Windows

Auth on entry to Password Manager on iOS

To improve security, re-auth is now required when entering Google Password Manager on Chrome on iOS. Previously, re-auth was required only when viewing password details or notes. The device unlock method will be offered, i.e. FaceID, TouchID, or Passcode. If a Passcode is not set-up, the user will be prompted to do so.
- Chrome 117 on iOS: Re-auth required anytime when entering Google Password Manager on Chrome on iOS.

Improved download warnings

To help reduce cookie theft and other consequences of downloading malware, we’re cleaning up desktop download warning strings and patterns to be clear and consistent.
- Chrome 117 on LaCrOS, Linux, Mac, Windows: Strings, icons, and colors, as well as warning messages for some downloads, will be updated.

Storage Access API with prompts

Allow frames to request access to third-party cookies through the Storage Access API (SAA) when third-party cookies are blocked.
- Chrome 117 on Chrome OS, LaCrOS, Linux, Mac, Windows: Support the Storage Access API by implementing all the behaviors listed in the specification, i.e. with user prompts, and additionally having its own user-agent-specific behaviors.

Chrome on Android trackpad support

Chrome on Android now has advanced keyboard and trackpad or mouse support, similar to desktop Chrome.
- Chrome 117 on Android: Enabled shortcuts for web content edit, cursor movements and media.

Port overflow check in URL setters

The port value is now checked when setting url.port. All the values that overflow the 16-bit numeric limit are no longer valid. For instance the following script behaves differently after the change: ``` u = new URL("http://test.com"); u.port = 65536; console.log(u.port); ``` Before the change, the output is 65536. After the change, the output will be 80.
- Chrome 117 on Windows, Mac, Linux, Android

Deprecate TLS SHA-1 server signatures

Chrome is removing support for signature algorithms using SHA-1 for server signatures during the TLS handshake. This does not affect SHA-1 support in server certificates, which was already removed, or in client certificates, which continues to be supported. SHA-1 can be temporarily re-enabled via the temporary InsecureHashesInTLSHandshakesEnabled enterprise policy. This policy will be removed in Chrome 123.
- Chrome 117 on Windows, Mac, Linux, Android

URL standard-compatible IPv4 embedded IPv6 host parser

The behavior of parsing IPv4 embedded IPv6 host parser will be updated to strictly follow the web URL standard: https://url.spec.whatwg.org/#concept-ipv6-parser The introduced restrictions on the IPv6 address are: * The embedded IPv4 address shall always consist of 4 parts. Addresses with less than 4 parts like http://[::1.2] will be no longer valid. The feature is a part of the URL interop 2023.
- Chrome 117 on Windows, Mac, Linux, Android

Form-Filler Accessibility Mode

This feature improves performance by providing a subset of the full accessibility API to form-filler apps.
- Chrome 117 on Android: A subset of the full accessibility API is provided to form-filler apps.

Clear client hints via Clear-Site-Data header

Websites will now be able to clear the client hints cache using `Clear-Site-Data: “clientHints”`. Client hints will also now be cleared when cookies, cache, or * are targeted by the same header. This is because if the user clears cookies in the UI client hints are already cleared as well, the client hints cache is a cache, and to be consistent with wildcard targets respectively.
- Chrome 117 on Windows, Mac, Linux, Android

Remove WebRTC getStats datachannelIdentifier -1

The WebRTC getStats API exposes a dataChannelIdentifier property. It will no longer provide the value "-1" in cases where statistics are queried before the datachannel connection is established. Instead, the dictionary member will be omitted. This follows the general pattern not to return meaningless information described in this article.
- Chrome 117 on Windows, Mac, Linux, Android

Remove WebRTC getStats encoderImplementation or decoderImplementation unknown

The WebRTC getStats API exposes the encoder and decoder implementation names for outbound and inbound video: https://w3c.github.io/webrtc-stats/#dom-rtcoutboundrtpstreamstats-encoderimplementation
It will no longer provide the value unknown in cases where statistics are queried before a video frame was encoded or decoded. Instead, the dictionary member will be omitted. This follows the general pattern not to return meaningless information described in this article.
- Chrome 117 on Windows, Mac, Linux, Android

Unship callback-based legacy getStats() for WebRTC

RTCPeerConnection has two versions of getStats(), one that is spec-compliant returning the report via resolving a promise, and one that is non-standard returning a very different report via a callback as the first argument. The callback-based one will soon be removed. Removal target: Chrome 117. A deprecation trial is available Chrome 113- Chrome 121 for apps that need more time. In the Chrome 114+ the method will throw an exception in Canary/Beta unless using the trial.
- Chrome 117 on Windows, Mac, Linux, Android

New and updated policies in Chrome browser

Policy	Description
NetworkServiceSandboxEnabled	Enable the network service sandbox (now available on Linux).
BeforeunloadEventCancelByPreventDefaultEnabled	Control new behavior for the cancel dialog produced by the `beforeunload` event.
ForcePermissionPolicyUnloadDefaultEnabled	Controls whether `unload` event handlers can be disabled.
AccessibilityPerformanceFilteringAllowed	Allow accessibility performance filtering.
SafeBrowsingSurveysEnabled	Allow Safe Browsing surveys.

Removed policies in Chrome browser

Policy	Description
DeviceTargetVersionSelector	Allow devices to select a specific target version of Google ChromeOS they will update to

ChromeOS updates

ChromeOS battery state sounds

In Chrome 117, audible sounds now indicate battery status. Users can turn on and off these sounds and Admins can control them using the DeviceLowBatterySoundEnabled policy.
When the device is not plugged in, you hear warning sounds if:
- Battery level goes down to 15 minutes of charge time left, and another one when there is 5 minutes left.
When the device is plugged in, you hear an information beep when:
- Battery level - 0-15% (low)
- Battery level - 16-79% (med)
- Battery level - 80-100% (high)
In the case where the device is connected to a low power charger, you’ll hear warnings when the battery goes down to 10%, then again at 5%.

Avoid content control escapes on the login or lock screen

Administrators can now control and limit the available content on end-users login and lock screens when identity federation is used with a third party identity provider (using SAML or OIDC). This is achieved by introducing two new policies to block or allow external URLs on login and lock screens, DeviceAuthenticationURLAllowlist and DeviceAuthenticationURLBlocklist. As a result, you can prevent content control escapes.

Emoji Picker with GIF support

The emoji picker now supports GIFs. Search and find the perfect GIF to express yourself.
For managed devices, this feature is switched off by default.

ChromeOS gets a makeover

Thanks to Google Material 3, Google’s new design platform, ChromeOS 117 brings with it:
- A new set of themes which dynamically update to reflect your wallpaper and style.
- A new look for almost all system surfaces with updated text, menus, icons or elements.
You can control the new look using the ChromeOS Personalization App.

ChromeOS Personalization App

With this launch, your ChromeOS now has accent colors that match your wallpapers, creating a unique theme for your device. The accent colors also adapt to the light and dark modes.

Color correction settings on ChromeOS

ChromeOS now has built-in color correction settings that make it easier for users to see colors on their screens. In ChromeOS Accessibility settings, under Display and Magnification, you can enable color filters for protanopia, deuteranopia or tritanopia, or to view the display in grayscale. Users can use a slider to customize the filters' intensity to meet their needs.

System answer cards in Launcher search

When users search for the status of their OS version, battery, RAM, storage, or CPU, in Launcher, they can now see that information previewed in the search results.

Nudge managed users towards enrolling non-ZTE devices

This feature enables administrators to demand managed users to enroll their non-zero touch devices by introducing a new user policy, UserEnrollmentNudging, which can be configured to require enrollment of the given user. If the policy is enabled and the managed user misses the enrollment step and performs first sign in on the device, a pop-up is shown suggesting to either switch to enrollment flow or use another email for sign-in, essentially preventing the managed user from signing in without enrollment.

Replacing the Bluetooth stack on ChromeOS

Starting in ChromeOS 117, and gradually applying to all ChromeOS devices, this Bluetooth software change brings the Android Bluetooth stack, Fluoride, to ChromeOS. The transition happens seamlessly on login, preserving existing paired devices, and should work with Bluetooth devices today with no interruptions. If you experience issues, please file feedback and, if necessary, disable the new stack via chrome://flags/#bluetooth-use-floss.

Time-lapse recording

The built-in Camera App now supports Time-Lapse recording. To use the feature, open the Camera App, select Video, then Time-Lapse. Recording can continue for as long as there is available storage space. Camera app determines the right speed for the time-lapse video based on duration recorded, to ensure your video always looks great.

Enhanced options in clipboard history

Enhancements to Clipboard History menu including introducing new entry points, ways to discover the feature and simplifying feature comprehension making it easier to discover and use. You can now see more detail for items in your clipboard history and can access clipboard history items nested directly in context menus. For users discovering Clipboard History for the first time, we are also introducing educational information to help with understanding this feature.

ChromeVox dialog changes

We’ve made some changes to the initial out-of-the-box experience (OOBE) dialog that explains what ChromeVox is, who might benefit from activating ChromeVox and requires pressing space instead of offering an on-screen button. With this update, we hope to reduce the number of users who inadvertently activate ChromeVox.

Up Next Calendar view with Join video call integration

See your upcoming events directly from the calendar view and join any digital meetings directly with the new Join button.

Adaptive Charging

Adaptive Charging is a new ChromeOS power management feature. Devices with Adaptive Charging enabled via Settings charge to 80% and then complete charging to 100% based on an ML model’s prediction for when the user will unplug their device. Reducing the time a device spends at 100% charge helps preserve the battery's health and ability to hold a charge over the lifetime of the device.

Admin console updates

Printing reports now available in Chrome Management Reports API

Chrome 117 includes additional endpoints to Chrome Management Reports API that allow access to printing reports. The new endpoints provide per-user and per-printer summary printing reports, as well as a listing of all print jobs submitted to managed printers. The data provided by the new endpoints corresponds to the data in the Print Usage page of the Admin console. This update exposes the same data in the third-party Reports API.

New policies in Admin console

Policy Name	Pages	Supported on	Category/Field
BeforeUnloadEventCancelByPreventDefaultEnabled	User, Managed Guest	Chrome OS, Chrome Browser, Android	Legacy Site Compatibility

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming browser changes

Chrome will introduce a chrome://policy/test page

chrome://policy/test will allow customers to test out policies on the Beta, Dev, Canary channels. If there is enough customer demand, we will consider bringing this functionality to the Stable channel.
- Chrome 118 on Android, iOS, Chrome OS, Linux, Mac, Windows

Network Service on Windows will be sandboxed

To improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Chrome 118 on Windows: Network Service sandboxed on Windows

Remove ForceMajorVersionToMinorPositionInUserAgent policy

Chrome plans to remove the ForceMajorVersionToMinorPositionInUserAgent policy. This policy was introduced in Chrome 99 to control whether the User-Agent string major version would be frozen at 99, in case of User-Agent string parsing bugs when the version changed to 100. Fortunately, we did not need to deploy this feature and only encountered a few minor 3-digit version parsing issues that have all since been fixed. Given that, we intend to remove this policy. If you have any feedback about this policy removal, or are aware of intranet breakage that depends on the policy, please comment on this bug.
- Chrome 118 on Android, Chrome OS, Linux, Mac, Windows: Removal of ForceMajorVersionToMinorPositionInUserAgent policy

Remotely disable malicious off-store extensions

When Enhanced Safe Browsing is enabled, users found to have a malicious off-store extension installed will have it disabled when the decision is entered on the Safe Browsing servers via either manually or by an automated detection system.
- Chrome 118 on Chrome OS, Linux, Mac, Windows: Feature launches

Remove RendererCodeIntegrityEnabled policy

The RendererCodeIntegrityEnabled policy will be removed. We recommend that you verify any potential incompatibilities with third party software by no longer applying the policy in advance of this release. You can report any issues you encounter by submitting a bug here.
- Chrome 118 on Windows: This policy is deprecated and will no longer take effect

Support for passkeys in iCloud Keychain on macOS

Chrome on macOS ≥ 13.5 will gain support for creating and using passkeys from iCloud Keychain. When signing in using WebAuthn, passkeys from iCloud Keychain will be listed as options once the user has granted Chrome the needed permission. If permission has not been granted then a generic "iCloud Keychain" option will appear that will prompt for permission before showing iCloud Keychain passkeys. If permission is denied then iCloud Keychain can still be used, but will have to be manually selected each time. When a site asks to create a platform passkey, Chrome might default to creating the passkey in iCloud Keychain based on whether iCloud Drive is in use and whether WebAuthn credentials from the current profile have been recently used. This can be controlled with a setting on chrome://password-manager/settings, and with the enterprise policy CreatePasskeysInICloudKeychain.
- Chrome 118 on Mac: The ability to use iCloud Keychain will be enabled in Chrome 118. Whether Chrome defaults to creating platform passkeys in iCloud Keychain may be altered by Finch during the lifetime of 118.

Hash-prefix real-time lookups

For standard Safe Browsing protection users, visited URLs now have their safety checked in real time instead of against a less frequently updated local list of unsafe URLs. This is done by sending partial hashes of the URLs to Google Safe Browsing through a proxy via Oblivious HTTP, so that the user’s IP address is not linked to the partial hashes. This change improves security while maintaining privacy for users. If needed, the feature can be disabled through the policy SafeBrowsingProxiedRealTimeChecksAllowed.
- Chrome 118 on iOS, Chrome OS, LaCrOS, Linux, Mac, Windows: This will start with a 1% rollout and then proceed to 100% of users.

Red interstitial facelift

In Chrome 118, users will see minor updates to the red Safe Browsing interstitials. The main body text will include an explicit recommendation from Chrome and site ID will be specified in the details section instead of the main body. The warning icon will be replaced by the danger icon and styling will be updated to be consistent with the latest product standards. These changes will improve user comprehension of warnings.
- Chrome 118 on Android, iOS, Chrome OS, LaCrOS, Linux, Mac, Windows

Form Controls support vertical writing mode

CSS property writing-mode should be enabled for form controls elements as it will allow lines of text to be laid out horizontally or vertically and it sets the direction in which blocks progress. With this feature, we are allowing the form control elements select, meter, progress, button, textarea and input to have vertical-rl or vertical-lr writing mode. As needed for Web compatibility, we will slowly rollout the change for a number of form controls in 118 and continue in future milestones.
- Chrome 118 on Windows, Mac, Linux, Android

Block all cookies set via JavaScript that contain control characters

Updates how control characters in cookies set via JavaScript are handled. Specifically, all control characters cause the entire cookie to be rejected (previously a NULL character, a carriage return character, or a line feed character in a cookie line caused it to be truncated instead of rejected entirely, which could have enabled malicious behavior in certain circumstances). This behavior aligns Chrome with the behavior indicated by the latest drafts of RFC6265bis. This change can be disabled using the `--disable-features=BlockTruncatedCookies` or the BlockTruncatedCookies enterprise policy, which will exist for several milestones in case this change causes any breakage.
- Chrome 118 on Windows, Mac, Linux, Android

Clearer Safe Browsing protection level settings text and images

In Chrome 118, some users will see new text describing the Safe Browsing protection level on both the Security Settings page and the Privacy Guide. The update clarifies the Enhanced Protection level by adding a table and linking to a help center article where users can learn more. The new table helps users understand the trade-offs when selecting that option versus choosing the other options. The descriptions for Standard Protection, No Protection and the password compromise warnings toggle have been simplified to make the options clearer. The Safe Browsing protection level is an existing setting and continues to be controlled by the SafeBrowsingProtectionLevel policy value.
- Chrome 118: Some users will see the updated text and images on the Chrome Security Settings page and on the Privacy Guide.

WebUSB in Extension Service Workers

Allows web developers to use WebUSB API when responding to extension events by exposing WebUSB API to Service Workers registered by browser extensions. This API will not yet be exposed to Service Workers registered by sites but the implementation experience gained by supporting the API for extensions will be valuable for such a future project.
- Chrome 118 on Windows, Mac, Linux

IP Protection Phase 0 for Chrome

As early as Chrome 118, Chrome may route traffic for some network requests to Google-owned resources through a privacy proxy. This is an early milestone in a larger effort to protect users' identities by masking their IP address from known cross-site trackers. More information (including enterprise policies) will be provided in the near future.

Include chrome.tabs API calls in extension telemetry reports

When you enable Enhanced Safe Browsing, Chrome will now collect telemetry information about chrome.tabs API calls made by extensions. This information is analyzed on Google servers and further improves the detection of malicious and policy violating extensions. It will also allow better protection for all Chrome extension users. This functionality along with the entire extension telemetry feature can be turned off by setting SafeBrowsingProtectionLevel to any value other than 2 (ie. disable Enhanced Safe Browsing).
- Chrome 118 on Chrome OS, Linux, Mac, Windows: Feature launches

Remove non-standard appearance keywords

Since only standard appearance keywords should be supported, we are removing the appearance (and -webkit-appearance) keywords that shouldn't be supported anymore:
* inner-spin-button

* media-slider

* media-sliderthumb

* media-volume-slider

* media-volume-sliderthumb

* push-button * searchfield-cancel-button

* slider-horizontal * sliderthumb-horizontal

* sliderthumb-vertical

* square-button

Note that value slider-vertical will not be removed as part of this patch; it is used for allowing <input type=range> vertical. It will be removed once feature FormControlsVerticalWritingModeSupport is enabled in Stable.

Previously, if using any of the above keywords, a console warning will be shown, but the keyword will be recognized as a valid value. With the feature enabled, the appearance property will be ignored and set to the empty string. As needed for Web compatibility, we will progressively remove the appearance keywords based on their counter usages on Chrome Status Metrics. For release 118, we will start with the following keywords, currently at page load usage below 0.001%:

* media-slider at 0.000361

* media-sliderthumb at 0.000187%

* media-volume-slider at 0.000143%

* media-volume-sliderthumb at 0.000109%

* sliderthumb-horizontal at 0.000182%

* sliderthumb-vertical at 0.000014%
- Chrome 118 on Windows, Mac, Linux, Android

Chrome release schedule changes

Chrome 119 and all subsequent releases will be shifted forward by one week. For example, Chrome 119 will have its early stable release on October 25 instead of Nov 1. Beta releases will also be shifted forward by one week starting in Chrome 119.
- Chrome 119 on Android, iOS, Chrome OS, Linux, Mac, Windows

Permissions Prompt for Web MIDI API

This feature gates the Web MIDI API access behind a permissions prompt. Today the use of SysEx messages with the Web MIDI API requires an explicit user permission. With this implementation, even access to the Web MIDI API without SysEx support will require a user permission. Three new policies—DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls—will be available to allow administrators to pre-configure user access to the API.
- Chrome 119 on Windows, Mac, Linux, Android

Migrate away from data URLs in SVG <use> element

The SVG spec was recently updated to remove support for data: URLs in SVG <use> element. This improves security of the Web platform as well as compatibility between browsers as Webkit does not support data: URLs in SVG <use> element. You can read more in this blog post.
For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available temporarily to re-enable Data URL support for SVG <use> element.
- Chrome 119 on Android, Chrome OS, LaCrOS, Linux, Mac, Windows, Fuchsia: Remove support for data: URLs in SVG <use> element

Chrome Browser Cloud Management: Crash report

The Crash Report is a new Chrome Browser Cloud Management report in the Admin console where IT admins can find a chart to easily visualize the number of crash events over time, based on the versions of Chrome that are running.
- Chrome 119 on Android, iOS, Linux, Mac, Windows: Crash Report launched in Chrome Browser Cloud Management

Display banner to allow resume last tab from other devices

Help signed in users resume tasks when they have to switch devices during an immediate transition by offering to pick up tabs recently used on the previous device. Admins can control this feature via the existing enterprise policy called SyncTypesListDisabled.
- Chrome 119 on iOS: Feature launches

Remove Sanitizer API

The Sanitizer API aims to build an easy-to-use, always secure, browser-maintained HTML sanitizer into the platform. It is a cross-browser standardization effort starting in Q2/2020. We shipped an initial version of the Sanitizer API in Chrome 105, based on the then-current specification draft. However, the discussion has meanwhile moved on and the proposed API shape has changed substantially. In order to prevent the current API from becoming entrenched we would like to remove the current implementation.
We expect to re-implement the Sanitizer API when the proposed specification stabilizes again.
- Use counters: The Sanitizer API is currently used on 0.000000492% of page visits.
- Old vs new API: * Old explainer, API as implemented in "MVP" since Chrome 105: https://github.com/WICG/sanitizer-api/blob/e72b56b361a31b722b4e14491a83e2d25943ba58/explainer.md *
- New explainer (still in progress): https://github.com/WICG/sanitizer-api/blob/main/explainer.md
- Chrome 119 on Windows, Mac, Linux, Android

Tab Groups can be saved, recalled, and synced

Users will be able to save tab groups, which will allow them to close and re-open the tabs in the group, as well as sync them across devices.
- Chrome 119 on Chrome OS, Linux, Mac, Windows

Chrome profile separation: new policies

Three new policies will be created to help enterprises configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist. These policies will basically be replacements for ManagedAccountsSigninRestriction, EnterpriseProfileCreationKeepBrowsingData.
- Chrome 119 on Linux, Mac, Windows: New profile separation policies available: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist.

Replace dangling markup in target name to `_blank`

This change replaces the navigable target name (which is usually set by target attribute) to `_blank`, if it contains a dangling markup (i.e. `\n` and `<`). Which fixes a bypass in the dangling markup injection mitigation.
- Chrome 119 on Windows, Mac, Linux, Android

Private Network Access restrictions for automotive

This ships Private Network Access restrictions to Android Automotive (if BuildInfo::is_automotive), including: - Private Network Access preflight requests for subresources and Private Network Access for Workers. See Note that the two above features were shipped in warning only mode, but this features will enforce the restriction, i.e. failing the main request if restrictions are not satisfied.
- Chrome 5 on Windows, Mac, Linux
- Chrome 119 on Android

Deprecate non-standard `shadowroot` attribute for declarative shadow DOM

The standards-track `shadowrootmode` attribute, which enables declarative Shadow DOM, was shipped in Chrome 111 [1]. The older, non-standard `shadowroot` attribute is now deprecated. During the deprecation period, both attributes are functional, however the `shadowroot` attribute does not enable the new streaming behavior, whereas `shadowrootmode` allows streaming of content. There is a straightforward migration path: replace `shadowroot` with `shadowrootmode`. The old `shadowroot` attribute is deprecated as of Chrome Chrome 112, and it will be removed (no longer supported) in Chrome 119, which goes to Stable on November 1, 2023. [1] https://chromestatus.com/feature/5161240576393216
- Chrome 119 on Windows, Mac, Linux, Android

Chrome on Android will no longer support Android Nougat

The last version of Chrome that will support Android Nougat will be Chrome 119, and it includes a message to affected users informing them to upgrade their operating system. Chrome 120 will not support nor ship to users running Android Nougat.
- Chrome 120 on Android: Chrome on Android no longer supports Android Nougat

Chrome Third-Party Cookie Deprecation (3PCD)

In Chrome 120 and beyond (Jan 2024), Chrome will globally disable third-party cookies for 1% of Chrome traffic as part of our Chrome-facilitated testing in collaboration with the CMA, to allow sites to meaningfully preview what it's like to operate in a world without third-party cookies (3PCs). Most enterprise end users will be excluded from this experiment group automatically. But for the few that may be affected, enterprise admins will be able to utilize an enterprise policy to opt out their managed browsers ahead of the experiment and give enterprises time to make necessary changes to not rely on this policy or third party cookies. We plan to provide more details about this policy and provide more tooling to help identify 3PC use cases. In the meantime, refer to the 'Mode B: 1% third-party cookie deprecation' blog section for more details on how to prepare, provide feedback and report potential site issues.
- Chrome 120 on Chrome OS, Linux, Mac, Windows
  1% of global traffic has third party cookies disabled. Enterprise users are excluded from this automatically where possible, and a policy is available to override the change.

Remove LegacySameSiteCookieBehaviorEnabledForDomainList policy

In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies to legacy behavior on the specified domains. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will be removed on the milestone listed below.
- Chrome 127 on Android, Chrome OS, Linux, Mac, Windows: Removal of LegacySameSiteCookieBehaviorEnabledForDomainList policy

Intent to deprecate: Mutation events

Synchronous Mutation Events, including DOMSubtreeModified, DOMNodeInserted, DOMNodeRemoved, DOMNodeRemovedFromDocument, DOMNodeInsertedIntoDocument, and DOMCharacterDataModified, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer.
- Chrome 127 on Android, Chrome OS, Linux, Mac, Windows: Mutation Events will stop functioning in Chrome 127, around July 30, 2024.

Extensions must be updated to leverage Manifest V3

Extensions must be updated to leverage Manifest V3 back to top Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3. As mentioned earlier in our blog post (https://developer.chrome.com/blog/more-mv2-transition/) the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed. During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3. An Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management. For more information on the Manifest timeline: https://developer.chrome.com/docs/extensions/migrating/mv2-sunset/
- Chrome 98 on Chrome OS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Public" or "Unlisted". The ability to change Manifest V2 extensions from "Private" to "Public" or "Unlisted" is removed.
- Chrome 103 on Chrome OS, LaCrOS, Linux, Mac, Windows: Chrome Web Store stops accepting new Manifest V2 extensions with visibility set to "Private".
- Chrome 110 on Chrome OS, LaCrOS, Linux, Mac, Windows: Enterprise policy ExtensionManifestV2Availability is available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions.
Future milestone on Chrome OS, LaCrOS, Linux, Mac, Windows: Removal of ExtensionManifestV2Availability policy.

↑ back to top

Upcoming ChromeOS changes

Privacy Hub

Later this year, users will be able to manage their camera and microphone settings across the operating system from one place in Settings. This way it only takes one click for users to completely turn off their camera or microphone all from one place when they need extra confidence in staying on mute.

ChromeOS Admin templates

App Launch Automation can be configured by Administrators in the Admin console to contain groups of applications, windows and tools that can be launched automatically on startup or on-demand by users throughout their day. With App Launch Automation, you can: get users up and running quickly at the start of their day, provide users with a way to easily get to an optimal starting point for new tasks, and remember the window layout each user sets up for their individual workflows for future use.

↑ back to top

Upcoming Admin console changes

URL-keyed anonymized data collection in Kiosk mode

The policy for URL-keyed anonymized data collection, UrlKeyedAnonymizedDataCollectionEnabled, will soon be supported in the Admin console. This policy will be enforced starting October 1st and will remain disabled until then.

↑ back to top

Chrome 116

Chrome browser updates	Security/ Privacy	User productivity/ Apps	Management
Enterprises can sign up for security fix notifications	✓
Chrome increases release velocity with security improvements planned for each week	✓
Share Sheet migration		✓
Google Search side panel		✓
X25519Kyber768 key encapsulation for TLS	✓
Improving performance: Memory Saver and Energy Saver modes		✓	✓
Anti-phishing telemetry expansion	✓
Enabling BFCache for pages that set Cache-Control: no-store			✓
Idle Timeout policies on Desktop			✓
OS-native Passkey changes on Windows 11	✓
New and updated policies in Chrome browser			✓
Removed policies in Chrome browser			✓
ChromeOS updates	Security/ Privacy	User productivity/ Apps	Management
Data processor mode on ChromeOS (including Chrome browser running on managed ChromeOS)	✓
Removal of permissive Chrome Apps webview behaviors	✓
ChromeOS OCR in PDFs for screen reader users		✓
Move ChromeVox settings pages to ChromeOS settings		✓
Customizing input peripherals per device settings		✓
Managing Android App permissions			✓
ChromeOS Kerberos integration enhancements			✓
Commercial launch of screensaver		✓
Enhanced autocorrect features		✓
Additional input method support for Linux apps			✓
URL-keyed anonymized data collection in Kiosk mode			✓
Admin console updates	Security/ Privacy	User productivity/ Apps	Management
New policies in the Admin console			✓
Upcoming Chrome browser changes	Security/ Privacy	User productivity/ Apps	Management
Extensions Review panel			✓
Native Client Support updates		✓
Updates to Clear Browsing Data on Android	✓
Skip unload events		✓
Require X.509 key usage extension for RSA certificates chaining to local roots	✓
Network service will be sandboxed on Linux and ChromeOS	✓
Bounce Tracking mitigations	✓
Restricting the use of --load-extension	✓
Service Worker static routing API		✓
Enable access to WebUSB API from extension service workers		✓
Simplified sign-in and sync experience		✓
IP Protection Phase 0 for Chrome	✓
Web MIDI permission prompt	✓
Network service will be sandboxed on Windows	✓
Removal of the RendererCodeIntegrityEnabled policy			✓
Chrome 117 will no longer support macOS 10.13 and macOS 10.14			✓
New Chrome Desktop visual refresh in Chrome 117		✓
Update to the lock icon	✓
Storage Access API with Prompts		✓
Extensions must be updated to leverage Manifest V3	✓	✓	✓
Removal ForceMajorVersionToMinorPositionInUserAgent policy			✓
Chrome release schedule changes			✓
Chrome 119 to phase out support for Web SQL		✓
Migrate away from data URLs in SVG <use> element	✓	✓
Chrome profile separation		✓	✓
Removal LegacySameSiteCookieBehaviorEnabledForDomainList policy			✓
Intent to deprecate: Mutation Events		✓
Warnings on insecure downloads		✓
Upcoming ChromeOS changes	Security/ Privacy	User productivity/ Apps	Management
ChromeOS battery state sounds			✓

DOWNLOAD Release notes (PDF)

↑ back to top

The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.

Chrome browser updates

Enterprises can sign up for security fix notifications

Using this sign-up form, you can opt in to receive email notifications whenever there's a Chrome release that contains high or critical security fixes, including zero-day fixes. Chrome uses a fast release cycle to keep you ahead of bad actors, and so you can expect such a release approximately every week. By default, Chrome applies updates automatically when they're made available, so no action is required from admins who keep Chrome's default update behavior. You can read more about Chrome updates strategies for enterprises here.

Chrome increases release velocity with security improvements planned for each week

In Chrome 115 and previous releases, Chrome maintained a four-week release cycle with a minor release halfway between each major release containing security improvements and minor bug fixes. Major releases continue to be planned for approximately every four weeks, but starting in Chrome 116, minor releases are now planned every week. This allows us to deliver security improvements even faster. If you have auto-updates turned on (the default behavior of Chrome, and our recommendation), then no action is required. Chrome might still release some unplanned updates in response to critical fixes, zero-day fixes, or other unforeseen circumstances. If you want to be notified of the security fixes contained in each release of Chrome, you can sign up for notifications here. Read more about Chrome Security and why we're making this change in our blog post.

Share Sheet migration

Chrome is migrating Share functionality from its custom share sheet to the Android system share sheet for Android U+ users. In this migration, we’ve deprecated some functionality such as stylized cards for shared highlights and a redundant button for short (non full-page) screenshots. On Pre-U Android, Chrome still shows the custom share sheet and users can navigate to the system share sheet using the More (...) button.

Google Search side panel

Chrome is introducing the Search side panel, a new contextual side panel experience that allows users to delve into the content of the page they're currently viewing. The new side panel gives users new tools to get more context about the page they're viewing. We launched the Search side panel to some users in Chrome 115 and subsequently plan to roll out to all users in Chrome 116. You can control access to the Search side panel using the GoogleSearchSidePanelEnabled policy.

X25519Kyber768 key encapsulation for TLS

As early as Chrome 116, Chrome introduces a post-quantum secure TLS key encapsulation mechanism X25519Kyber768, based on a NIST standard. This is exposed as a new TLS cipher suite. TLS automatically negotiates supported ciphers, so this change should be transparent to server operators. However, some TLS middleboxes might be unprepared for the size of a Kyber key encapsulation, or a new TLS ClientHello cipher code point, leading to dropped or hanging connections. This can be resolved by updating your middlebox, or disabling the key encapsulation mechanism via the temporary PostQuantumKeyAgreementEnabled enterprise policy. However, long term, post-quantum secure ciphers will be required in TLS and the enterprise policy will be removed. This cipher will be used for both TLS and QUIC connections.

↑ back to top

Improving performance: Memory Saver and Energy Saver modes

In Chrome 108, we introduced features designed to improve the performance of Chrome and extend battery life under the following enterprise policies: TabDiscardingExceptions, BatterySaverModeAvailability and HighEfficiencyModeEnabled. In Chrome 116, we expand the capabilities of the Memory Saver feature to help users further understand and use tab discarding to their benefit.
Users with Memory Saver enabled (policy HighEfficiencyModeEnabled) now have increased visibility of discarded tabs in the tab strip and more insight into memory usage of active and inactive tabs.

Additionally, this release makes the management of exceptions (policy TabDiscardingExceptions) more intuitive for users who have access to manage their own exceptions:

1. In settings, users can add exceptions based on currently open tabs (in addition to manual entry which exists today)
2. In the page action chip of a discarded tab, users can opt the site out from future discarding.

Anti-phishing telemetry expansion

In this feature, we log user-interaction data to Chrome servers and to Safe Browsing servers, which will fill knowledge gaps about how users interact with Safe Browsing phishing warnings and phishing pages. This additional telemetry will help inform where we should concentrate our efforts to improve phishing protection because it will allow us to understand the user better. Admins can opt out by using the Enterprise policies MetricsReportingEnabled and SafeBrowsingProtectionLevel.

Enabling BFCache for pages that set Cache-Control: no-store

Documents with a Cache-Control: no-store header (CCNS) are blocked from entering BFCache. Chrome 116 will start BFCaching these documents, except for the ones with sensitive information (Github).
The AllowBackForwardCacheForCacheControlNoStorePageEnabled policy controls if a page with Cache-Control: no-store header can be stored in back/forward cache. The website setting this header might not expect the page to be restored from back/forward cache since some sensitive information could still be displayed after the restoration even if it is no longer accessible.

If the policy is enabled or unset, the page with Cache-Control: no-store header might be restored from back/forward cache unless the cache eviction is triggered, for example, when there is HTTP-only cookie change to the site.

If the policy is disabled, the page with Cache-Control: no-store header will not be stored in back/forward cache.

↑ back to top

Idle Timeout policies on Desktop

In Chrome 116, admins can now enforce taking an action, for example, closing the browser, clearing cookies or moving to the profile picker, after Chrome has been idle for some amount of time. You can use the IdleTimeout policy to set a timeout period and the IdleTimeoutActions policy to specify actions on timeout.

OS-native Passkey changes on Windows 11

An update to Windows 11 later in 2023 adds support for cross-device passkeys flows in Windows webauthn.dll v6. Chrome 116 recognizes this version of Windows and stops offering its own cross-device support in Chrome UI, deferring to Windows instead. This results in users seeing a different UI, as shown below. This can be tested with Chrome 116 running on Windows Insider Dev Build 23486 or later.

New and updated policies in Chrome browser

Policy	Description
NativeClientForceAllowed	Forces Native Client (NaCl) to be allowed to run.
SafeSitesFilterBehavior	Control SafeSites adult content filtering (now on Android)
PostQuantumKeyAgreementEnabled	Enable post-quantum key agreement for TLS
UserContextAwareAccessSignalsAllowlist	Enable the Chrome Enterprise Device Trust Connector attestation flow for a list of URLs on Managed Profiles
RSAKeyUsageForLocalAnchorsEnabled	Check RSA key usage for server certificates issued by local trust anchors
AllowBackForwardCacheForCacheControlNoStorePageEnabled	Allow pages with Cache-Control: no-store header to enter back/forward cache

Removed policies in Chrome browser

Policy	Description
EventPathEnabled	Re-enable the Event.path API

↑ back to top

ChromeOS updates

Data processor mode on ChromeOS (including Chrome browser running on managed ChromeOS)

In ChromeOS 116, ChromeOS is releasing a data processor mode for a suite of ChromeOS features and services called Essential Services, switching Google’s role from that of a data controller over personal data, to primarily that of a data processor. Features and services for which Google remains solely a data controller are called “Optional Services”. IT admins who manage ChromeOS devices used by managed Dutch Education accounts will see these new terms and features available to select from August 18, 2023.

These are the new tools available in data processor mode for ChromeOS:
- Data processor mode landing page in the Admin console
- The ability to turn-on/off individual Optional Services
- Tools to assist customers with Data Subject Access Requests (DSARs)
- A tool to assist customers with data subject deletion requests

Removal of permissive Chrome Apps webview behaviors

As early as Chrome 116, Chrome Apps webview usage have the following restrictions:
- Using the webview NewWindow event to attach to a webview element in another App window causes the window reference returned by the window.open call in the originating webview to be invalidated.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed is available to give enterprises time to address possible breakage related to these changes. To test whether this change is the cause of any breakage, without needing to set the enterprise policy, you can restore the previous behavior from Chrome 112 and earlier by navigating to chrome://flags and disabling chrome://flags/#enable-webview-tag-mparch-behavior.

This change was originally scheduled for Chrome 113, but was postponed. Previous release notes mentioned a change to the handling of SSL errors within webviews, but this is no longer part of this change.

ChromeOS OCR in PDFs for screen reader users

Through Optical Character Recognition (OCR), users can convert images to text, so that they can access and read them.

ChromeVox settings move to ChromeOS setting

In Chrome 116, you now access the existing settings for ChromeVox under the ChromeOS Accessibility settings pages.

Customizing input peripherals per device settings

Users can now manage settings for their input peripherals, such as their mouse and keyboard, at the device level and apply different values for different devices. This provides more control over the peripheral experience on ChromeOS.

Managing Android App permissions

In Chrome 116, users have a better view of what data Android apps can access by reviewing allowed app permissions on the Apps page in ChromeOS Settings. Now, users can see a detailed view of the data an Android app can access on the Apps page in Settings, and they can easily manage those permissions.

↑ back to top

ChromeOS Kerberos integration enhancements

Starting with M116, we streamline the end user configuration flows for ChromeOS Kerberos customers. Many users use Kerberos on ChromeOS to access corporate resources. The new UI enhancements guide users through the configuration of their Kerberos accounts in a guided flow, similar to Password Manager. For details, see this help center article.

Commercial launch of screensaver

With M116, ChromeOS represents your organization even better. The commercial launch of screensaver for the login screen or MGS lock screen allows admins to customize the appearance of idle devices. Newly added admin settings include the abilities to turn on/off the screensaver, to provide a list of screensaver images, and to customize idle times.

Enhanced autocorrect features

We've enhanced Autocorrect in ChromeOS! Autocorrect is now enabled by default for English in compatible apps, automatically fixing typos, spelling, and other errors. In addition to the new Autocorrect for physical keyboards, this update also enhances the performance of the virtual keyboard's Autocorrect and other Assistive features.

Additional input method support for Linux apps

Linux on ChromeOS now supports complex input methods, such as Japanese and Korean. This means that you can now use the same input methods that you're already using in Chrome to type in your Linux applications. Not all applications are supported yet, but support for additional applications is coming soon.

URL-keyed anonymized data collection in Kiosk mode

The policy for URL-keyed anonymized data collection is now supported in Kiosk mode. This policy will be added to the Admin console in a future release.

↑ back to top

Admin console updates

New policies in Admin console

RSAKeyUsageForLocalAnchorsEnabled	User, MGS	CrOS, Chrome, Android	Legacy Site Compatibility
AllowBackForwardCacheForCacheControlNoStorePageEnabled	User, MGS	CrOS, Chrome, Android	Security
PostQuantumKeyAgreementEnabled	User, MGS	CrOS, Chrome, Android	Security
PhysicalKeyboardPredictiveWriting	User, MGS	CrOS	User Experience
PhysicalKeyboardAutocorrect	User, MGS	CrOS	User Experience

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming browser changes

Extensions Review panel

A new review panel will be added in chrome://extensions, which will appear whenever there are potentially unsafe extensions that need the user's attention. The initial launch will highlight extensions that are malware, policy violating or are no longer available in the Chrome Web Store. The user can choose to remove or keep these extensions.

There will also be a count of risky extensions needing review that is presented in the Chrome Privacy & Security settings page.

The ExtensionsUnpublishedAvailability policy will disable extensions that have been unpublished by the developer or violate Chrome Web Store policy. Note that these extensions might also appear in the Extensions Module's review panel but only if they are not installed by policy. The user can choose to remove or keep them.

Native Client Support updates

As early as Chrome 117, we will remove Native Client NaCl support from extensions on Windows, macOS, Linux. An enterprise policy will be available, NativeClientForceAllowed, which will allow Native Client to continue to be used until Chrome 119.

Updates to Clear Browsing Data on Android

We’re making it easier to find and use the browsing data deletion tools that Chrome offers.

We’re adding more entry points to Clear Browsing Data, including on the main Chrome menu. We’re also introducing a new quick deletion affordance to enable users to quickly delete their recent history. We’ll maintain and further enhance the more granular ‘Advanced’ Clear Browsing Data page on Privacy Settings.

Skip unload events

The presence of unload event listeners is a primary blocker for back/forward cache on Chromium based browsers and for Firefox on desktop platforms. On the other hand, for mobile platforms, almost all browsers prioritize the bfcache by not firing unload events in most cases. To improve the situation, we’ve been working with lots of partners and successfully reduced the use of unload event listeners over the last few years.

As early as Chrome 117, to further accelerate this migration, we propose to have Chrome for desktop gradually skip unload events. In case you need more time to migrate away from unload events, we’ll offer temporary opt-outs in the form of an API and a group policy which will allow you to selectively keep the behavior unchanged.

Require X.509 key usage extension for RSA certificates chaining to local roots

X.509 certificates used for HTTPS should contain a key usage extension that declares how the key in a certificate may be used. Such instructions ensure certificates are not used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. For this to work, HTTPS clients must check that server certificates match the connection's TLS parameters, specifically that the key usage flag for “digitalSignature” and possibly “keyEncipherment” (depending on TLS ciphers in use) are asserted when using RSA.

Chrome 117 will begin enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates. Enterprises can test and temporarily disable key usage enforcement using the RSAKeyUsageForLocalAnchorsEnabled policy (available in Chrome 116).

Network service will be sandboxed on Linux and ChromeOS

As early as Chrome 117, the network service will be sandboxed on Linux and ChromeOS to improve security. On Linux, it's possible that third party software (likely data loss prevention or antivirus software) is injecting code into Chrome's processes and will be blocked by this change. This may result in Chrome crashing for your users.

If this happens, you should work with the vendor of the third party software to stop it from injecting code into Chrome's processes. In the meantime, you will be able to use the NetworkServiceSandboxEnabled policy to defer the sandboxing. This is a temporary measure intended to help enterprises surprised by the change; the policy will be removed in a future version of Chrome.

Bounce Tracking mitigations

As early as Chrome 116, Chrome will launch bounce tracking mitigations. Bounce tracking mitigations will only take effect when the policy is set to true (Block 3rd party cookies). You can use the BlockThirdPartyCookies policy to control this feature. Alternatively, if 3rd party cookies are blocked by default you can exempt specific sites by using the CookiesAllowedForUrls policy.

Restricting the use of --load-extension

The --load-extension command-line switch provides a very low bar for cookie theft malware to load malicious extensions without an installation prompt. Chrome will gradually phase out this switch to reduce this attack vector for malware. Starting in Chrome 116, --load-extension will be ignored for users that have enabled Enhanced Safe Browsing.

Service Worker static routing API

Chrome 116 will release the Service Worker static routing API; it enables developers to optimize how Service Workers are loaded. Specifically, it allows developers to configure the routing, and allows them to offload simple things ServiceWorkers do. If the condition matches, the navigation happens without starting ServiceWorkers or executing JavaScript, which allows web pages to avoid performance penalties due to ServiceWorker interceptions.

Enable access to WebUSB API from extension service workers

As early as Chrome 117, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.

WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.

Simplified sign-in and sync experience

Starting in Chrome 117, some users may experience a simplified and consolidated version of sign-in and sync in Chrome. Chrome sync will no longer be shown as a separate feature in settings or elsewhere. Instead, users can sign in to Chrome to use and save information like passwords, bookmarks and more in their Google Account, subject to the relevant enterprise policies.

As before, the functionality previously part of Chrome sync that saves and accesses Chrome data in the Google Account can be turned off fully (via SyncDisabled) or partially (via SyncTypesListDisabled). Sign-in to Chrome can be required or disabled via BrowserSignin as before.

Note that the changes do not affect users’ ability to sign in to Google services on the web (like Gmail) without signing in to Chrome, their ability to stay signed out of Chrome, or their ability to control what information is synced with their Google Account.

IP Protection Phase 0 for Chrome

Beginning in Chrome 118, Chrome may route traffic for some network requests to Google-owned resources through a privacy proxy. This is an early milestone in a larger effort to protect users' identities by masking their IP address from known cross-site trackers. More information (including enterprise policies) will be provided in the near future.

Web MIDI permission prompt

Starting in Chrome 118, the Web MIDI API access will be gated behind a permissions prompt. Currently, the use of SysEx messages with the Web MIDI API requires explicit user permission. With the planned implementation, even access to the Web MIDI API without SysEx support will require user permission. Both permissions will be requested in a bundled permissions prompt.

Three new policies DefaultMidiSetting, MidiAllowedForUrls and MidiBlockedForUrls will be available to allow administrators to pre-configure user access to the API.

Network Service on Windows will be sandboxed on Windows

As early as Chrome 118, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.

Removal of the RendererCodeIntegrityEnabled policy

As early as Chrome 117, the RendererCodeIntegrityEnabled policy will be removed. We recommend that you verify any potential incompatibilities with third party software by no longer applying the policy in advance of this release. You can report any issues you encounter by submitting a bug here.

Chrome 117 will no longer support macOS 10.13 and macOS 10.14

Chrome 117 will no longer support macOS 10.13 and macOS 10.14, which are already outside of their support window with Apple. Users have to update their operating systems in order to continue running Chrome browser. Running on a supported operating system is essential to maintaining security. If run on macOS 10.13 or 10.14, Chrome continues to show an infobar that reminds users that Chrome 117 will no longer support macOS 10.13 and macOS 10.14.

New Chrome Desktop visual refresh in Chrome 117

With Google’s design platform moving to Google Material 3, we have an opportunity to modernize our desktop browser across OS’s, leveraging updated UI elements or styling, enhancing personalization through a new dynamic color system, and improving accessibility. The first wave of UI updates will roll out in Chrome 117.

The three dot Chrome menu will also be refreshed, providing a foundation to scale personalization and customization experiences in Chrome by enabling customers proximate access to tools and actions. The menu will be updated in phases starting in Chrome 117.

Update to the lock icon

We plan to replace the lock icon with a variant of the tune icon, which is commonly used to indicate controls and settings. Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome. Our research has also shown that many users never understood that clicking the lock icon showed important information and controls. We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.

The new icon is scheduled to launch in Chrome 117 as part of a general design refresh for desktop platforms. Chrome will continue to alert users when their connection is not secure. You can see the new tune icon now in Chrome Canary for Desktop if you enable Chrome Refresh 2023 at chrome://flags#chrome-refresh-2023, but keep in mind this flag enables work that is still actively in-progress and under development, and does not represent a final product.

We will also replace the icon on Android. On iOS, the lock icon is not tappable, so we will be removing the icon.

You can read more in this blog post.

Storage Access API with Prompts

The Storage Access API provides a means for authenticated cross-site embeds to check their blocking status and request access to storage if they are blocked. Targeting Chrome 117 for Desktop, we will support the Storage Access API by implementing all the behaviors listed in the specification, i.e. with user prompts, and additionally having its own user-agent-specific behaviors.

Extensions must be updated to leverage Manifest V3

Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.

As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.

During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.

Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability has been available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.

You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.

For more details, refer to the Manifest V2 support timeline.

Removal ForceMajorVersionToMinorPositionInUserAgent policy

Chrome 118 plans to remove the ForceMajorVersionToMinorPositionInUserAgent policy. This policy was introduced in Chrome 99 to control whether the User-Agent string major version would be frozen at 99, in case of User-Agent string parsing bugs when the version changed to 100. Fortunately, we did not need to deploy this feature and only encountered a few minor 3-digit version parsing issues that have all since been fixed. Given that, we intend to remove this policy.

If you have any feedback about this policy removal, or are aware of intranet breakage that depends on the policy, please comment on this bug.

Chrome release schedule changes

Chrome 119 and all subsequent releases will be shifted forward by one week. For example, Chrome 119 will have its early stable release on October 25 instead of Nov 1. Beta releases will also be shifted forward by one week starting in Chrome 119.

Chrome 119 to phase out support for Web SQL

Starting in Chrome 119, to improve user data security, Chrome will remove support for Web SQL. The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. As of today, Chrome is the only major browser with support for Web SQL. The W3C encouraged those needing web databases to adopt Indexed Database or SQLite WASM.

The timeline for the deprecation will be:
- Chrome 115 - Deprecation message added
- Chrome 117 - 123 - Deprecation trial
- Chrome 119 - Ship removal
More details about the deprecation and removal can be found on the Chromestatus page.

An enterprise policy WebSQLAccess is available until Chrome 123 to enable Web SQL to be available.

Migrate away from data URLs in SVG <use> element

The SVG spec was recently updated to remove support for data: URLs in SVG <use> element. This improves security of the Web platform as well as compatibility between browsers as Webkit does not support data: URLs in SVG <use> element. We expect to remove support for data: URLs in SVG <use> element in Chrome 119, scheduled to ship in November 2023. You can read more in this blog post. For enterprises that need additional time to migrate, the DataUrlInSvgUseEnabled policy will be available temporarily to re-enable Data URL support for SVG <use> element.

Chrome profile separation

As early as Chrome 119, three new policies will be created to help enterprises configure enterprise profiles: ProfileSeparationSettings, ProfileSeparationDataMigrationSettings, ProfileSeparationSecondaryDomainAllowlist.

Removal LegacySameSiteCookieBehaviorEnabledForDomainList policy

In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies (possibly on specific domains) to legacy behavior. The LegacySameSiteCookieBehaviorEnabledForDomainList policy’s lifetime has been extended and will now be removed in Chrome 127.

Intent to deprecate: Mutation Events

Synchronous Mutation Events, including `DOMSubtreeModified`, `DOMNodeInserted`, `DOMNodeRemoved`, `DOMNodeRemovedFromDocument`, `DOMNodeInsertedIntoDocument`, and `DOMCharacterDataModified`, negatively affect page performance, and also significantly increase the complexity of adding new features to the Web. These APIs were deprecated from the spec in 2011, and were replaced (in 2012) by the much better-behaved Mutation Observer API. Usage of the obsolete Mutation Events must be removed or migrated to Mutation Observer. Mutation Events will stop functioning in Chrome 127, around July 30, 2024.

Warnings on insecure downloads

Chrome will begin showing warnings on some downloads if those files were downloaded over an insecure connection, that is, not HTTPS. These warnings do not prevent downloading and can be bypassed by the user. Enterprises can test their downloads by enabling warnings via chrome://flags/#insecure-download-warnings. Enterprises can also disable warnings for sites that can not deliver files securely by adding the download site to InsecureContentAllowedForUrls.

↑ back to top

Upcoming ChromeOS changes

ChromeOS battery state sounds

As early as Chrome 117, we will add audible sounds to indicate battery status. Users will be able to turn on and off these sounds and Admins will be able to control them through policies.

When the device is not plugged in, you will hear warning sounds if:
- Battery level goes down to 15 minutes of charge time left, and another one when there is 5 minutes left.
When the device is plugged in, you will hear an information beep when:
- Battery level - 0-15% (low)
- Battery level - 16-79% (med)
- Battery level - 80-100% (high)
In the case where the device is connected to a low power charger, you’ll hear warnings when the battery goes down to 10%, then again at 5%.

↑ back to top

Additional resources

How Chrome releases work—Chrome Release Cycle
Chrome Browser downloads and Chrome Enterprise product overviews—Chrome Browser for enterprise
Chrome version status and timelines—Google Update Server Viewer
Announcements: Chrome Releases Blog | Chromium Blog
Developers: Learn about changes to the web platform

Still need help?

G Suite, Cloud Identity customers (authorized access only)—Contact support
Chrome Browser Enterprise Support—Sign up to contact a specialist
Chrome Administrators Forum
Chrome Enterprise Help Center

Was this helpful?

How can we improve it?