Portable Google Chrome 89.0.4389.72 (x64)
Google Chrome Portable is a fast and easy to use web browser that combines a minimal design with sophisticated technology to make the web safer. It has one box for everything: Type in the address bar and get suggestions for both search and web pages. Will give you thumbnails of your top sites; Access your favorite pages instantly with lightning speed from any new tab. Google Chrome is an open source web browser developed by Google. Design goals include stability, speed, security and a clean, simple and efficient user interface.
Its software architecture was engineered from scratch (using components from other open source software including WebKit and Mozilla Firefox) to cater for the changing needs of users and acknowledging that today most web sites aren’t web pages but web applications.
Sandboxing. Every tab in Google Chrome Portable is sandboxed, so that a tab can display contents of a web page and accept user input, but it will not be able to read the user’s desktop or personal files.
Google say they have “taken the existing process boundary and made it into a jail”. There is an exception to this rule; browser plugins such as Adobe Flash Player do not run within the boundaries of the tab jail, and so users will still be vulnerable to cross-browser exploits based on plugins, until plugins have been updated to work with the new Chrome security. Google has also developed a new phishing blacklist, which will be built into Chrome, as well as made available via a separate public API.
Privacy. Google announces a so-called incognito mode claiming that it “lets you browse the web in complete privacy because it doesn’t record any of your activity”. No features of this, and no implications of the default mode with respect to Google’s database are given.
The Gears team were considering a multithreaded browser (noting that a problem with existing web browser implementations was that they are inherently single-threaded) and Chrome Portable implemented this concept with a multiprocessing architecture. A separate process is allocated to each task (eg tabs, plugins), as is the case with modern operating systems.
This prevents tasks from interfering with each other which is good for both security and stability; an attacker successfully gaining access to one application does not give them access to all and failure in one application results in a “Sad Tab” screen of death. This strategy exacts a fixed per-process cost up front but results in less memory bloat overall as fragmentation is confined to each process and no longer results in further memory allocations.
To complement this, Google Chrome Portable will also feature a process manager which will allow the user to see how much memory and CPU each tab is using, as well as kill unresponsive tabs.
Google Chrome Portable will include support for web applications running alongside other local applications on the computer. Tabs can be put in a web-app mode, where the omnibar and controls will be hidden with the goal of allowing the user to use the web-app without the browser “in the way”.
Rendering Engine. Google Chrome uses the WebKit rendering engine on advice from the Gears team because it is simple, memory efficient, useful on embedded devices and easy to learn for new developers.
Tabs. While all of the major tabbed web browsers (e.g. Internet Explorer, Firefox) have been designed with the window as the primary container, Chrome will put tabs first (similar to Opera). The most immediate way this will show is in the user interface: tabs will be at the top of the window, instead of below the controls, as in the other major tabbed browsers.
In Chrome, each tab will be an individual process, and each will have its own browser controls and address bar (dubbed omnibox), a design that adds stability to the browser. If one tab fails only one process dies; the browser can still be used as normal with the exception of the dead tab.
Chrome will also implement a New Tab Page which shows the nine most visited pages in thumbnails, along with the most searched on sites, most recently bookmarked sites, and most recently closed tabs, upon opening a new tab, similar to Opera’s “Speed Dial” page.
- High CVE-2021-21159: Heap buffer overflow in TabStrip.
- High CVE-2021-21160: Heap buffer overflow in WebAudio.
- High CVE-2021-21161: Heap buffer overflow in TabStrip.
- High CVE-2021-21162: Use after free in WebRTC.
- High CVE-2021-21163: Insufficient data validation in Reader Mode.
- High CVE-2021-21164: Insufficient data validation in Chrome for iOS.
- High CVE-2021-21165: Object lifecycle issue in audio.
- High CVE-2021-21166: Object lifecycle issue in audio.
- Medium CVE-2021-21167: Use after free in bookmarks.
- Medium CVE-2021-21168: Insufficient policy enforcement in appcache.
- Medium CVE-2021-21169: Out of bounds memory access in V8.
- Medium CVE-2021-21170: Incorrect security UI in Loader.
- Medium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation.
- Medium CVE-2021-21172: Insufficient policy enforcement in File System API.
- Medium CVE-2021-21173: Side-channel information leakage in Network Internals.
- Medium CVE-2021-21174: Inappropriate implementation in Referrer.
- Medium CVE-2021-21175: Inappropriate implementation in Site isolation.
- Medium CVE-2021-21176: Inappropriate implementation in full screen mode.
- Medium CVE-2021-21177: Insufficient policy enforcement in Autofill.
- Medium CVE-2021-21178: Inappropriate implementation in Compositing.
- Medium CVE-2021-21179: Use after free in Network Internals.
- Medium CVE-2021-21180: Use after free in tab search.
- Medium CVE-2020-27844: Heap buffer overflow in OpenJPEG.
- Medium CVE-2021-21181: Side-channel information leakage in autofill.
- Low CVE-2021-21182: Insufficient policy enforcement in navigations.
- Low CVE-2021-21183: Inappropriate implementation in performance APIs.
- Low CVE-2021-21184: Inappropriate implementation in performance APIs.
- Low CVE-2021-21185: Insufficient policy enforcement in extensions.
- Low CVE-2021-21186: Insufficient policy enforcement in QR scanning.
- Low CVE-2021-21187: Insufficient data validation in URL formatting.
- Low CVE-2021-21188: Use after free in Blink.
- Low CVE-2021-21189: Insufficient policy enforcement in payments.
- Low CVE-2021-21190: Uninitialized Use in PDFium.
Various fixes from internal audits, fuzzing and other initiatives:
- webview: clear the network callback in AwPacProcessor.
- Better adhere to the Get rule with SecTrustGetCertificateAtIndex
- Clear the add to submenu before add new items
- Do not register NetworkCallback for AwPacProcessor if network is not specified.
- Do not reset shortcuts if no valid Chrome installations were found
- Introduce AudioBuffers for user access in ScriptProcessorNode
- [Merge to M89] Prevent re-dropping when the desk is snapping back
- Merge 89: “Disable AV1 hardware decode w/ D3D11VideoDecoder for Intel GPUs.”
- ios: Check for nullptr cert.
- [Merge to M89] [X11] Fix incorrect bitmap row-bytes calculation
- [M89] Fix marking device-wide keys as corporate if no Profile was given
- Remove usage of WKUserContentController mock
- [Merge to M-89] Capture Mode: use Env event handler
- Merge 89: Fix null check and reduce DumpWithoutCrashing
- Reland “Prevent calling setSelection with negative values”
- [fuchsia] Enable Partial Site Isolation
- CrOS system tray: check for Media Router after primary profile init
- [fuchsia] Reduce likelihood of integration tests timeout-flaking.
- Disable flaky tests.
- remoting: Introduce native systemd unit for CRD
- ChromeOS: Disable touchpad finger swipe in the “Locked Mode”
- [Merge to M-89] Capture Mode: fix cursor scale for different displays
- [Blobs] Don’t store BlobStorageLimits as a reference in transport strategy.
- [Merge M89] Attempt to ensure ClassLoaders are consistent for splits
- [Merge to 89] MediaRecorder: tolerate non-GMB NV12 frames for H264.
- Updating XTBs based on .GRDs from branch 4389
- Merge M89 ash: Fix mirror transform when displays have different aspect
- viz: Clip required overlays to display boundaries
- [M89][Signin][Android] Set up sign-in promo only with account list cache
- Move notify call earlier when download is canceled.
- m89: Do not process hover events when not expected by ChromeVox
- [ChromeCart] Remove expired cart entries
- Use the correct layer bounds.
- Fix dependency
- Add flag to disable AV1 Decoding on d3d11 video decoder
- [merge to 89] Reland “capture_mode: Keyboard navigation and chromevox implementation.”
- Fix bug where search_box_view_base active/inactive colors were swapped.