Chrome 79 arrives with password warnings, real-time phishing protection, and WebXR Device API

Google today launched Chrome 79 for Windows, Mac, Linux, Android, and iOS. The release includes built-in warnings about compromised passwords, real-time phishing protection, the WebXR Device API, and more. This release thus beefs up security for the world’s most popular browser and sets the stage for bringing virtual reality to the web. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.

With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often have to stay on top of everything available — as well as what has been deprecated or removed. Chrome 79 removes -webkit-appearance keywords for arbitrary elements.

Password Checkup

In February, Google launched a Chrome extension called Password Checkup. The extension warns you if your login credentials for any website have been involved in any sort of known hack or data breach. It compares your usernames and passwords against over 4 billion credentials (hashed and encrypted) that Google knows to be compromised. In October, Google built Password Checkup into Google Accounts. Now, the company has built it into Chrome, effectively making the extension obsolete.

Chrome now checks your passwords

As a result, when you sign in to a website, Chrome will send a SHA256 hashed copy of your username and password to Google. It will be encrypted with a secret key (not even Google will be able to see your credentials, the company says). Using a technique called private set intersection with blinding, Google uses multiple layers of encryption to compare your encrypted username and password with all of the encrypted breached usernames and passwords. If your username and password have been compromised, Chrome will encourage you to change your password.

You can turn this feature on or off in Chrome settings under Sync and Google Services. Enterprise admins can control this feature using this policy.

Real-time phishing protection

Google’s Safe Browsing service provides lists of URLs that contain malware or phishing content to Chrome, Firefox, and Safari browsers, as well as to internet service providers (ISPs). The service shows warnings before users visit dangerous sites or download dangerous files. As of May, Google Safe Browsing protects over 4 billion devices. Similar to the aforementioned password protection, Google can’t see the actual URL itself. Chrome checks a partial URL fingerprint (the first 32 bits of a SHA-256 hash of the URL) against Safe Browsing’s database.

But it’s not perfect. Chrome checks the URL of each site you visit or file you download against its local list, which is updated approximately every 30 minutes. Google says that some phishing sites are, however, slipping through this refresh window either by switching domains very quickly or by hiding from the company’s crawlers. Google has thus implemented real-time phishing protections that inspect the URLs of pages visited with Safe Browsing’s servers in real time.

Now when you visit a website, Chrome checks it against a list stored on your computer of thousands of popular websites that are known to be safe. If the website is not on the safe list, Chrome checks the URL anonymously with Google to see if you’re visiting a dangerous site. Google says that in 30% of cases, this results in better protection against malicious sites that are brand new.

You can control this feature in Chrome settings with the “Make searches and browsing better” option. Enterprise administrators can manage this setting via this policy.

Chrome also has predictive phishing protections to warn users when they enter their Google Account password into suspected phishing sites. Google is now expanding this protection to everyone signed in to Chrome and to all credentials in the password manager. Previously it only worked for users that had Sync enabled. If you type a password stored in Chrome’s password manager, or the Google Account password you used to sign in to Chrome, into an unusual site, Chrome will do an anonymous check like with real-time phishing protection. If Safe Browsing determines that the site is indeed suspicious or malicious, Chrome will show you a warning and encourage you to change your compromised password.

WebXR Device API

New Chrome releases often introduce new APIs. Chrome 79 implements a big one: the WebXR Device API, which brings virtual reality to the web. Other browsers, including Firefox Reality, Oculus Browser, Edge, and Magic Leap’s Helio browser, are expected to implement the API as well.

With the WebXR Device API, developers can now create immersive experiences for smartphones and head-mounted displays in Chrome. Google expects that more immersive features will follow, including supporting augmented reality and other immersive tools. The company even listed a few potential use cases: games, home buying, and viewing products in your home before buying them.

Android and iOS

Chrome 79 for Android is rolling out slowly on Google Play. Here’s the changelog:

  • Password safety: When you sign in to a website, Chrome can now warn you if your password was previously exposed in a data breach.
  • Support for virtual reality: The WebXR Device API enables immersive and inline VR experiences for the web.
  • Reorder bookmarks: Drag bookmarks into place, or tap a bookmark’s options menu and select Move up or Move down.

Chrome 79 for iOS is rolling out on Apple’s App Store. Its changelog is just two points:

  • If you’re signed in to Chrome and then sign in to a website, Chrome will check if your username and password have been leaked on the Internet.
  • When you start a search in the address bar, you’ll see top suggestions, even when your network connection is slow.

Most of these changes should sound familiar based on what you’ve read above.

Security fixes

Chrome 79 implements 51 security fixes. The following were found by external researchers:

  • [$20000][1025067] Critical CVE-2019-13725: Use after free in Bluetooth. Reported by Gengming Liu, Jianyu Chen at Tencent Keen Security Lab on 2019-11-15.
  • [$TBD][1027152] Critical CVE-2019-13726: Heap buffer overflow in password manager. Reported by Sergei Glazunov of Google Project Zero on 2019-11-21.
  • [$10000][944619] High CVE-2019-13727: Insufficient policy enforcement in WebSockets. Reported by @piochu on 2019-03-21.
  • [$7500][1024758] High CVE-2019-13728: Out of bounds write in V8. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2019-11-14.
  • [$5000][1025489] High CVE-2019-13729: Use after free in WebSockets. Reported by Zhe Jin (金哲), Luyao Liu (刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2019-11-16.
  • [$5000][1028862] High CVE-2019-13730: Type Confusion in V8. Reported by Wen Xu of SSLab, Georgia Tech on 2019-11-27.
  • [$TBD][1023817] High CVE-2019-13732: Use after free in WebAudio. Reported by Sergei Glazunov of Google Project Zero on 2019-11-12.
  • [$TBD][1025466] High CVE-2019-13734: Out of bounds write in SQLite. Reported by “Team 0x34567a61” @Xbalien29 @leonwxqian on 2019-11-16.
  • [$TBD][1025468] High CVE-2019-13735: Out of bounds write in V8. Reported by Gengming Liu and Zhen Feng from Tencent Keen Lab on 2019-11-16.
  • [$TBD][1028863] High CVE-2019-13764: Type Confusion in V8. Reported by Wen Xu of SSLab, Georgia Tech on 2019-11-26.
  • [$7500][1020899] Medium CVE-2019-13736: Integer overflow in PDFium. Reported by Anonymous on 2019-11-03.
  • [$5000][1013882] Medium CVE-2019-13737: Insufficient policy enforcement in autocomplete. Reported by Mark Amery on 2019-10-12.
  • [$5000][1017441] Medium CVE-2019-13738: Insufficient policy enforcement in navigation. Reported by Johnathan Norman and Daniel Clark of Microsoft Edge Team on 2019-10-23.
  • [$3000][824715] Medium CVE-2019-13739: Incorrect security UI in Omnibox. Reported by xisigr of Tencent’s Xuanwu Lab on 2018-03-22.
  • [$2000][1005596] Medium CVE-2019-13740: Incorrect security UI in sharing. Reported by Khalil Zhani on 2019-09-19.
  • [$2000][1011950] Medium CVE-2019-13741: Insufficient validation of untrusted input in Blink. Reported by Michał Bentkowski of Securitum on 2019-10-07.
  • [$2000][1017564] Medium CVE-2019-13742: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-10-24.
  • [$1000][754304] Medium CVE-2019-13743: Incorrect security UI in external protocol handling. Reported by Zhiyang Zeng of Tencent security platform department on 2017-08-10.
  • [$1000][853670] Medium CVE-2019-13744: Insufficient policy enforcement in cookies. Reported by Prakash (@1lastBr3ath) on 2018-06-18.
  • [$500][990867] Medium CVE-2019-13745: Insufficient policy enforcement in audio. Reported by Luan Herrera (@lbherrera_) on 2019-08-05.
  • [$500][999932] Medium CVE-2019-13746: Insufficient policy enforcement in Omnibox. Reported by David Erceg on 2019-09-02.
  • [$500][1018528] Medium CVE-2019-13747: Uninitialized Use in rendering. Reported by Ivan Popelyshev and André Bonatti on 2019-10-26.
  • [$N/A][993706] Medium CVE-2019-13748: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2019-08-14.
  • [$N/A][1010765] Medium CVE-2019-13749: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-10-03.
  • [$TBD][1025464] Medium CVE-2019-13750: Insufficient data validation in SQLite. Reported by “Team 0x34567a61” @Xbalien29 @leonwxqian on 2019-11-16.
  • [$TBD][1025465] Medium CVE-2019-13751: Uninitialized Use in SQLite. Reported by “Team 0x34567a61” @Xbalien29 @leonwxqian on 2019-11-16.
  • [$TBD][1025470] Medium CVE-2019-13752: Out of bounds read in SQLite. Reported by Wenxiang Qian of Tencent Blade Team on 2019-11-16.
  • [$TBD][1025471] Medium CVE-2019-13753: Out of bounds read in SQLite. Reported by Wenxiang Qian of Tencent Blade Team on 2019-11-16.
  • [$500][442579] Low CVE-2019-13754: Insufficient policy enforcement in extensions. Reported by Cody Crews on 2014-12-16.
  • [$500][696208] Low CVE-2019-13755: Insufficient policy enforcement in extensions. Reported by Masato Kinugawa on 2017-02-25.
  • [$500][708595] Low CVE-2019-13756: Incorrect security UI in printing. Reported by Khalil Zhani on 2017-04-05.
  • [$500][884693] Low CVE-2019-13757: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2018-09-17.
  • [$500][979441] Low CVE-2019-13758: Insufficient policy enforcement in navigation. Reported by Khalil Zhani on 2019-06-28.
  • [$N/A][901789] Low CVE-2019-13759: Incorrect security UI in interstitials. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-11-05.
  • [$N/A][1002687] Low CVE-2019-13761: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-09-10.
  • [$N/A][1004212] Low CVE-2019-13762: Insufficient policy enforcement in downloads. Reported by csanuragjain (@csanuragjain) on 2019-09-16.
  • [$TBD][1011600] Low CVE-2019-13763: Insufficient policy enforcement in payments. Reported by weiwangpp93 on 2019-10-05.
  • [1032080] Various fixes from internal audits, fuzzing and other initiatives.

Google thus spent at least $80,000 in bug bounties for this release, much more than usual. As always, the security fixes alone should be enough incentive for you to upgrade.

Developer features

Chrome 79 also brings an update to the V8 JavaScript engine. Version 7.9 includes performance improvements, the ability to handle API getters in builtins, OSR caching, and support for multiple code spaces in WebAssembly. Check out the full changelog for more information.

Other developer features in this release include:

  • Adaptive Icon Display for Installed PWAs on Android: Android Oreo introduced adaptive icons, which enforced the same shape for all icons on the home screen and in the launcher. Before Android Oreo, icons could be any shape and there was no background behind each icon. With adaptive icon display, Android will automatically mask irregularly shaped icons to fit properly.
  • Autofocus Support for any Focusable HTML/SVG Element: Adds the autofocus attribute to any focusable HTML or SVG element. The autofocus was previously supported for a limited number of HTML elements, and there were elements that could receive focus but didn’t support the autofocus attribute.
  • Compute img/video Aspect Ratio from Width Or Height HTML Attributes: The aspect ratio of an image is now computed so that it can be used for sizing an image using CSS before it loads. This avoids unnecessary relayouts when the image loads.
  • Font sizing: The font-optical-sizing property automatically sets the font size to the optical sizing axis of variable fonts that support optical sizing. This improves styling and legibility of fonts depending on font size because the font chooses a glyph shape that works optimally at the given font size.
  • list-style-type: <string>: Allows a stylesheet to use an arbitrary character for the list style marker. Examples include “-”, “+”, “★” and “▸”. Since CSS Level 2, list-style-type has supported keywords like disc or decimal to define the appearance of the list item marker.
  • Reject Worklet.addModule() with a More Specific Error: When Worklet.addModule() fails, a promise rejects with a more specific error object than it did previously. Worklet.addModule() can fail for various reasons, including, for example, network errors and syntax errors. Before this change, Worklet.addModule() rejected with AbortError regardless of the actual cause. That made it difficult for developers to debug worklets. After this change, Worklet.addModule() rejects with a clearer error such as SyntaxError.
  • Retrieve a Service Worker Object corresponding to a Worker itself: A service worker can now get its ServiceWorker object with self.serviceWorker in a service worker script and its current state with self.serviceWorker.state. A service worker instance previously had no way to get its current lifecycle state.
  • Stop evaluating script elements moved between documents during fetching: Chrome no longer evaluates scripts or fires error and load events if <script> elements are moved between documents during fetching. Script elements can still be moved between documents, but they won’t be executed. This prevents possible security bugs caused by exploitation of <script> elements moved between documents.

For a full rundown of what’s new, check out the Chrome 79 milestone hotlist.

Google releases a new version of its browser every six weeks or so. Chrome 80 will arrive in early February.