Once you have a passkey saved on your device it can show up in autofill when you're signing in to help you be more secure. 




On a desktop device you can also choose to use a passkey from your nearby mobile device and, since passkeys are built on industry standards, you can use either an Android or iOS device.




A passkey doesn't leave your mobile device when signing in like this. Only a securely generated code is exchanged with the site so, unlike a password, there's nothing that could be leaked.


To give you control over your passkeys, from Chrome M108 you will be able to manage your passkeys from within Chrome on Windows and macOS.



Enabling passkeys

For passkeys to work, developers need to build passkey support on their sites using the WebAuthn API. We’ve been working with others in the industry, especially Apple and Microsoft, members within the FIDO Alliance and the W3C to drive secure authentication standards for years.


Our goal is to keep you as safe as possible on the web and we’re excited for what the passkeys future holds. Enabling passkeys to be used in Chrome is a major milestone, but our work is not done. It will take time for this technology to be widely adopted across sites and we are working on enabling passkeys on iOS and Chrome OS. Passwords will continue to be part of our lives as we make this transition, so we’ll remain dedicated to making conventional sign-ins safer and easier through Google Password Manager.



Posted by Ali Sarraf, Product Manager, Chrome



Posted by Ryan Dickson, Chris Clements, Emily Stark from Chrome Security

Unless otherwise noted, changes described below apply to the newest Chrome beta channel release for Android, ChromeOS, Linux, macOS, and Windows. Learn more about the features listed here through the provided links or from the list on ChromeStatus.com. Chrome 106 is beta as of September 1, 2022. You can download the latest on Google.com for desktop or on Google Play Store on Android.

Origin Trials

This version of Chrome supports the origin trials described below. Origin trials allow you to try new features and give feedback on usability, practicality, and effectiveness to the web standards community. To register for any of the origin trials currently supported in Chrome, including the ones described below, visit the Chrome Origin Trials dashboard. To learn more about origin trials in Chrome, visit the Origin Trials Guide for Web Developers. Microsoft Edge runs its own origin trials separate from Chrome. To learn more, see the Microsoft Edge Origin Trials Developer Console.

Anonymous iframes

Anonymous iframes give developers a way to load documents in third-party iframes using new and ephemeral contexts. Anonymous iframes are a generalization of COEP, i.e. Cross-Origin-Embedder-Policy: credentialless to support third-party iframes that may not deploy COEP. As with COEP: credentialless, it replaces the opt-in of cross-origin subresources with avoiding loading of non-public resources. This removes the constraint that third party iframes must support COEP in order to be embedded in a COEP page and unblocks developers looking to adopt cross-origin-isolation.

The origin trial is expected to last through Chrome 108. To sign up for the origin trial, visit its sign up page.

Pop-Up API

The Pop-Up API lets developers build transient user interface elements to display on top of other web app interface elements. This API is useful for creating interactive elements such as action menus, form element suggestions, content pickers, and teaching user interfaces.

This API uses a new popup content attribute to enable any element to be displayed in the top layer. This attribute's effect on the pop-up is similar to that of the <dialog> element, but has several important differences, including light-dismiss behavior, pop-up interaction management, animation, event support, and non-modal mode.

The origin trial is expected to last through Chrome 110. To sign up for the origin trial, visit its sign up page.

Other Features in this Release

Client Hints persistency in Android WebView

Client Hints are now persisted on Android WebView, creating parity with the rest of the web platform. Previously, WebView did not persist the list of Client Hints a page requests, so the initial load of a website would never include Client Hints. Only subresources on a given page would receive them. This undermined the use of the Client Hints system, which is to empower websites to adapt content to the user agent. For more information on Client Hints, see HTTP Client hints.

CSS

grid-template properties interpolation

In CSS Grid, the 'grid-template-columns' and 'grid-template-rows' properties allow developers to define line names and track sizing of grid columns and rows respectively. Supporting interpolation for these properties allows grid layouts to smoothly transition between states, instead of snapping at the halfway point of an animation or transition.

'ic' length unit

The 'ic' length unit expresses CSS lengths relative to the advanced measure of the water ideograph used in some Asian fonts such as Chinese and Japanese. This allows authors to size elements to fit a given number of full width glyphs for such fonts. Gecko and WebKit already support this unit. Adding this to Chrome is part of Interop 2022.

‘preserve-parent-color' value for the ‘forced-color-adjust' CSS property.

The 'preserve-parent-color' value has been added to the 'forced-color-adjust' CSS property. Previously, when the forced colors mode was enabled, the 'color' property was inherited. Now, when the 'preserve-parent-color' value is used, the 'color' property will use the value of its parent. Otherwise, the 'forced-color-adjust: preserve-parent-color' value behaves the same as 'forced-color-adjust: none'.

Unprefix -webkit-hyphenate-character property

Chrome now supports the unprefixed hyphenate-character property in addition to the -webkit-hyphenate-character property. The -webkit-hyphenate-character property will be deprecated at a later date.

JavaScript: Intl.NumberFormat v3 API

Intl.NumberFormat has the following new features:

Origin Trials

No origin trials are beginning in this version of Chrome. However there are a number of ongoing origin trials which you can find on the Chrome Origin Trials dashboard. Origin trials allow you to try new features and give feedback on usability, practicality, and effectiveness to the web standards community. To learn more about origin trials in Chrome, visit the Origin Trials Guide for Web Developers. Microsoft Edge runs its own origin trials separate from Chrome. To learn more, see the Microsoft Edge Origin Trials Developer Console.

Completed Origin Trials

The following features, previously in a Chrome origin trial, are now enabled by default.

Media Source Extensions in Workers

The Media Source Extensions (MSE) API is now available from DedicatedWorker contexts to enable improved performance of buffering media for playback by an HTMLMediaElement on the main Window context. By creating a MediaSource object in a DedicatedWorker, an application may then obtain a MediaSourceHandle from it and call postMessage() to transfer it to the main thread for attaching to an HTMLMediaElement. The context that created the MediaSource object may then use it to buffer media.

Viewport-height Client Hint

Chrome supports the new Sec-CH-Viewport-Height client hint. This is a counterpart to the Sec-CH-Viewport-Width previously introduced in Chrome. Together they provide information about a viewport's size to an origin. To use these hints, pass Sec-CH-Viewport-Height or Sec-CH-Viewport-Width to the Accept-CH header.

Other Features in this Release

Accurate Screen Labels for Multi-Screen Window Placement

This release enhances the screen label strings provided by the Multi-Screen Window Placement API. Specifically, it refines ScreenDetailed.label property by replacing the previous placeholders with information from the device's Extended Display Identification Data (EDID) or from a higher-level operating system API. For example, instead of returning "External Display 1", the label property will now return something like "HP z27n" or "Built-in Retina Display". These more accurate labels match those shown by operating systems in display settings dialog boxes. The labels are only exposed to sites that have been granted the "window-placement" permission by the user.

CSS: Preventing Overscroll Effects for Fixed Elements

Setting an element's position CSS property to fixed (unless the element's containing block is not the root) will now prevent it from performing the effects specified by overscroll-behavior. In particular, fixed-position elements will not move during overscroll effects.

DisplayMediaStreamConstraints.systemAudio

A new constraint is being added to MediaDevices.getDisplayMedia() to indicate whether system audio should be offered to the user. User agents sometimes offer audio for capturing alongside video. But not all audio is created alike. Consider video-conferencing applications. Tab audio is often useful, and can be shared with remote participants. But system audio includes participants' own audio, and may not be appropriate to share back. To use the new constraint, pass systemAudio as a constraint. For example:

const stream = await navigator.mediaDevices.getDisplayMedia({
  video: true,
  audio: true,
  systemAudio: "exclude"  // or "include"
});

This feature is only supported on desktop.

Expose TransformStreamDefaultController

To conform with spec the TransformStreamDefaultController class is now available on the global scope. This class already exists and can be accessed using code such as

let TransformStreamDefaultController;
new TransformStream({ start(c) { TransformStreamDefaultController = c.constructor; } });


This change makes such code unnecessary since TransformStreamDefaultController is now on the global scope. Possible uses for this class include monkey patching properties onto TransformStreamDefaultController.prototype, or feature-testing existing properties of it more easily. Note that the class is not constructible. In other words, this throws an error:

new TransformStreamDefaultController()

HTML Sanitizer API

The HTML Sanitizer API is an easy to use and safe way to remove executable code from arbitrary, user-supplied content. The goal of the API is to make it easier to build web applications that are free of cross-site scripting vulnerabilities and ship part of the maintenance burden for such apps to the platform.

In this release, only basic functionality is supported, specifically Element.setHTML(). The Sanitize interface will be added at a later stage. Namespaced content (SVG + MathML) is not yet supported, only HTML. For more information on the API, see HTML Sanitizer API - Web APIs.

import.meta.resolve()

The import.meta.resolve() method returns the URL to which the passed specifier would resolve in the context of the current script. That is, it returns the URL that would be imported if you called import(). A specifier is a URL beginning with a valid scheme or one of /, ./, or ../. See the HTML spec for examples.

This method makes it easier to write scripts which are not sensitive to their exact location, or to the web application's module setup. Some of its capabilities are doable today, in a longer form, by combining new URL() and the existing import.meta.url() method. But the integration with import maps allows resolving URLs that are affected by import maps.

Improvements to the Navigation API

Chrome 105 introduces two new methods on the NavigateEvent of the Navigation API (introduced in 102) to improve on methods that have proved problematic in practice. intercept(), which let's developers control the state following the navigation, replaces transitionWhile(), which proved difficult to use. The scroll() method, which scrolls to an anchor specified in the URL, replaces restoreScroll() which does not work for all types of navigation. For explanations of the problems with the existing methods and examples of using the new, see Changes to NavigateEvent.

The transitionWhile() and restoreScroll() methods are also deprecated in this release. We expect to remove them in 108. See below for other deprecations and removals in this release.

onbeforeinput Global Event Handler Content Attribute

The nbeforeinput global content attribute is now supported in Chrome. The beforeinput form was already available via addEventListener(). Chrome now also allows feature detection by testing against document.documentElement.onbeforeinput

Opaque Response Blocking v0.1

Opaque Response Blocking (ORB) is a replacement for Cross-Origin Read Blocking (CORB). CORB and ORB are both heuristics that attempt to prevent cross-origin disclosure of "no-cors" subresources.

Picture-in-Picture API Comes to Android

The Picture-in-Picture API allows websites to create a floating video window that is always on top of other windows so that users may continue consuming media while they interact with other sites or applications on their device. This feature has been available on desktop since Chrome 70. It's now available for Chrome running on Android 11 or later. This change only applies to <video> elements. For information on using the Picture-in-Picture API, see Watch video using Picture-in-Picture.

Response.json()

The Response() constructor allows for creating the body of the response from many types; however the existing response.json() instance method does not let you directly create a JSON object. The Response.json() static method fills this gap.

Response.json() returns a new Response object and takes two arguments. The first argument takes a string to convert to JSON. The second is an optional initialization object.

Syntax Changes to Markup Based Client Hints Delegation

The syntax for the delegation of client hints to third-party content that requires client information lost by user agent reduction, which shipped in Chrome 100, is changing.

Previous syntax:
<meta name="accept-ch" value="sec-ch-dpr=(https://foo.bar https://baz.qux), sec-ch-width=(https://foo.bar)">

New syntax:
<meta http-equiv="delegate-ch" value="sec-ch-dpr https://foo.bar https://baz.qux; sec-ch-width https://foo.bar">

Writable Directory Prompts for the File System Access API

Chromium now allows returning a directory with both read and write permissions in a single prompt for the File System Access API. Previously, Window.showDirectoryPicker() returned a read-only directory (after showing a read access prompt), requiring a second prompt to get write access. This double prompt is a poor user experience and contributes to confusion and permission fatigue among users.

Deprecations, and Removals

This version of Chrome introduces the deprecations and removals listed below. Visit ChromeStatus.com for lists of planned deprecations, current deprecations and previous removals.

Remove WebSQL in Non-secure Contexts

WebSQL in non-secure contexts is now removed. The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated it in 2019. The W3C encourages Web Storage and Indexed Database for those needing alternatives.

Developers should expect that WebSQL itself will be deprecated and removed when usage is low enough.

CSS Default Keyword is Disallowed in Custom Identifiers

The CSS keyword 'default' is no longer allowed within CSS custom identifiers, which are used for many types of user-defined names in CSS (for example, names created by @keyframes rules, counters, @container names, custom layout or paint names). This adds 'default' to the list of names that are restricted from use in custom identifiers, specifically 'inherit', 'initial', 'unset', 'revert', and 'revert-layer'.

Deprecations in the Navigation API

The transitionWhile() and restoreScroll() methods are also deprecated in this release, and we expect to remove them in 108. Developers who need this functionality should use the new intercept() and scroll() methods. For explanations of the problems with the existing methods and examples of using the new, see Changes to NavigateEvent .

Deprecate Non-ASCII Characters in Cookie Domain Attributes

To align with the latest spec (RFC 6265bis), Chromium will soon reject cookies with a Domain attribute that contains a non-ASCII character (for example, Domain=éxample.com).
Support for IDN domain attributes in cookies has been long unspecified, with Chromium, Safari, and Firefox all behaving differently. This change standardizes Firefox's behavior of rejecting cookies with non-ASCII domain attributes.

Since Chromium has previously accepted non-ASCII characters and tried to convert them to normalized punycode for storage, we will now apply stricter rules and require valid ASCII (punycode if applicable) domain attributes.

A warning is printed to the console starting in 105. Removal is expected in 106.

Remove Gesture Scroll DOM Events

The gesture scroll DOM events have been removed from Chrome, specifically, gesturescrollstart, gesturescrollupdate and gesturescrollend. These were non-standard APIs that were added to Blink for use in plugins, but had also been exposed to the web.



Media Queries Level 4 Syntax and Evaluation

Media Queries enable responsive design, and the range features that enable testing the minimum and maximum size of the viewport are used by around 80% of sites that use media queries.

The Media Queries Level 4 specification includes a new syntax for these range queries. They can now be written using ordinary mathematical comparison operators. Also supported are the logical operators or and not, and nesting and evaluation of "unknown" features. For example, a media query previously written like this:

@media (min-width: 400px) { … }

Can now be written like this:

@media (width >= 400px) { … }

For more information, see New syntax for range media queries in Chrome 104.

Origin Trials

This version of Chromium supports the origin trials described below. Origin trials allow you to try new features and give feedback on usability, practicality, and effectiveness to the web standards community. To register for any of the origin trials currently supported in Chromium, including the ones described below, visit the Chrome Origin Trials dashboard. To learn more about origin trials in Chrome, visit the Origin Trials Guide for Web Developers. Microsoft Edge runs its own origin trials separate from Chrome. To learn more, see the Microsoft Edge Origin Trials Developer Console.

New Origin Trials

Focusgroup

The focusgroup CSS property improves keyboard focus navigation using the keyboard arrow keys among a set of focusable elements. Adding this feature to browsers allows web developers to control focus navigation without custom solutions that can lead to a lack of consistency, accessibility, and interoperability. Sign up here for the Microsoft Edge origin trial. It's scheduled to last through 107.

Opt Out of Credit Card Storage

Secure Payment Confirmation now supports a means for users to opt out of storing their credit card data to make later purchases easier. To use the new feature, set showOptOut to true on methodData.data, which is passed as the first parameter of the PaymentRequest() constructor. For example:

const methodata = [{ 
  …
  data: {
    …
    showOptOut: true
    …
  }
}];
const request = new PaymentRequest(methodData, details);

To see an example in context check out the demo. You can sign up here for the origin trial. It's scheduled to last through Chrome 106.

Shared Element Transitions

Shared Element Transitions enables the creation of polished transitions in single-page applications (SPAs). Minimal development effort is required by devs to make transitions look nice; they can choose to use default animation properties, or they can customize their own transition effects to achieve the desired transition experience.Transitions are set declaratively using CSS properties. For more information, see Shared Element Transitions. Visit the dashboard to sign up for the origin trial.

Completed Origin Trials

The following features, previously in a Chrome origin trial, are now enabled by default.

Speculation Rules

Speculation rules provide a mechanism for web content to permit prefetching or prerendering of certain URLs. For example:

<script type="speculationrules">
  {
    "prefetch": [
      {"source": "list", "urls": ["/weather/kitchener", "/weather/seattle", "/weather/tokyo"]}
    ]
  }
</script>

Subresource Loading with Web Bundles

Subresource loading with web bundles is a way to load many resources efficiently. To use the feature a web page declares that certain resources are provided by a web bundle at a particular URL. For example:

<script type="webbundle">
{
   "source": "https://example.com/dir/subresources.wbn",
   "resources": ["https://example.com/dir/a.js", "https://example.com/dir/b.js", "https://example.com/dir/c.png"]
}
</script>

For information on creating web bundles, see Get started with Web Bundles. For more information on subresource loading using web bundles, see Origin Trial for Subresource Loading with Web Bundles.

Other Features in this Release

Cookie Expires/Max-Age Attribute Upper Limit

When cookies are set with an explicit Expires/Max-Age attribute the value will now be capped to no more than 400 days. Previously, there was no limit and cookies could expire as much as multiple millennia in the future. This follows a change in the spec.

400 days was chosen as a round number close to 13 months. This duration ensures that sites visited roughly once a year (for example, sites for choosing health insurance benefits) will continue to work.

CSS object-view-box

The object-view-box property allows authors to specify a portion of an image that should draw within the content box of a target replaced element. This enables creation of images with a custom glow or shadow applied, with proper ink-overflow behavior such as a CSS shadow would have. For more information, see First Look At The CSS object-view-box Property.

Fullscreen Capability Delegation

Fullscreen Capability Delegation allows a Window to transfer the ability to call requestFullscreen() to another Window it trusts after relinquishing the transient user activation at the sender Window. This feature is based on the general delegation mechanism that shipped in Chrome 100.

Multi-Screen Window Placement: Fullscreen Companion Window

Fullscreen Companion Window allows sites to place fullscreen content and a popup window on separate screens from a single user activation. There is a demo available with source code on GitHub.

Permissions Policy for Web Bluetooth API

Web Bluetooth is now controllable with a Permissions Policy. The token is named "bluetooth" and has a default allowlist of 'self'.

visual-box on overflow-clip-margin

The overflow-clip-margin property specifies how far an element's content is allowed to paint before being clipped. This feature allows using visual-box values to configure the reference box that defines the overflow clip edge the content is clipped to.

Web Custom Formats for Async Clipboard API

Web Custom Formats lets websites read and write arbitrary unsanitized payloads using a standardized web custom format, as well as read and write a limited subset of OS-specific formats (for supporting legacy apps).

The name of the clipboard format is mangled by the browser in a standardized way to indicate that the content is from the web. This allows platform applications to opt-in to accepting the unsanitized content.

Some web app developers want to exchange data payloads between web and platform applications via operating system clipboards. The Clipboard API supports the most popular standardized data types (text, image, rich text) across all platforms. However, this API does not scale to the long tail of specialized formats. In particular, custom formats, non-web-standard formats like TIFF (a large image format), and proprietary formats like docx (a document format), are not supported by the current Web Platform.

WebGL Canvas Color Management

As per the spec, Chromium's implementation of WebGL now allows specifying:

  • The color space of a drawing buffer.
  • The color space that content should be converted to when importing as a texture.

Before this version of Chrome, both of these defaulted to sRGB. Now they can also use "display-p3".

Deprecations, and Removals

This version of Chrome introduces the deprecations and removals listed below. Visit ChromeStatus.com for lists of current deprecations and previous removals.

Block Third-Party Contexts Navigating to Filesystem URLs

iframes can no longer navigate to filesystem URLs. Top frame support for navigating to filesystem URLs was dropped in Chrome 68.

Remove Non-Standard Client Hint Mode

Four client hints (dpr, width, viewport-width, and device-memory) have a default allowlist of self but behave as though they have a default allowlist of * on Android, contrary to the spec. This is now fixed, increasing privacy on Android by requiring explicit delegation of these hints.

Remove U2F API (Cryptotoken)

Chrome's legacy U2F API for interacting with security keys is no longer supported. U2F security keys themselves are not deprecated and will continue to work.

Affected sites should migrate to the Web Authentication API. Credentials that were originally registered via the U2F API can be challenged via web authentication. USB security keys that are supported by the U2F API are also supported by the Web Authentication API.

U2F is Chrome's original security key API. It allows sites to register public key credentials on USB security keys and challenge them for building phishing-resistant two-factor authentication systems. U2F never became an open web standard and was subsumed by the Web Authentication API (launched in Chrome 67). Chrome never directly supported the FIDO U2F JavaScript API, but rather shipped a component extension called cryptotoken, which exposes an equivalent chrome.runtime.sendMessage() method. U2F and Cryptotoken are firmly in maintenance mode and have encouraged sites to migrate to the Web Authentication API for the last two years.