Once you have a passkey saved on your device it can show up in autofill when you're signing in to help you be more secure.
On a desktop device you can also choose to use a passkey from your nearby mobile device and, since passkeys are built on industry standards, you can use either an Android or iOS device.
A passkey doesn't leave your mobile device when signing in like this. Only a securely generated code is exchanged with the site so, unlike a password, there's nothing that could be leaked.
To give you control over your passkeys, from Chrome M108 you will be able to manage your passkeys from within Chrome on Windows and macOS.
Enabling passkeys
For passkeys to work, developers need to build passkey support on their sites using the WebAuthn API. We’ve been working with others in the industry, especially Apple and Microsoft, members within the FIDO Alliance and the W3C to drive secure authentication standards for years.
Our goal is to keep you as safe as possible on the web and we’re excited for what the passkeys future holds. Enabling passkeys to be used in Chrome is a major milestone, but our work is not done. It will take time for this technology to be widely adopted across sites and we are working on enabling passkeys on iOS and Chrome OS. Passwords will continue to be part of our lives as we make this transition, so we’ll remain dedicated to making conventional sign-ins safer and easier through Google Password Manager.
No origin trials are beginning in this version of Chrome. However there are a number of ongoing origin trials which you can find on the Chrome Origin Trials dashboard. Origin trials allow you to try new features and give feedback on usability, practicality, and effectiveness to the web standards community. To learn more about origin trials in Chrome, visit the Origin Trials Guide for Web Developers. Microsoft Edge runs its own origin trials separate from Chrome. To learn more, see the Microsoft Edge Origin Trials Developer Console.
Completed Origin Trials
The following features, previously in a Chrome origin trial, are now enabled by default.
Media Source Extensions in Workers
The Media Source Extensions (MSE) API is now available from DedicatedWorker contexts to enable improved performance of buffering media for playback by an HTMLMediaElement on the main Window context. By creating a MediaSource object in a DedicatedWorker, an application may then obtain a MediaSourceHandle from it and call postMessage() to transfer it to the main thread for attaching to an HTMLMediaElement. The context that created the MediaSource object may then use it to buffer media.
Viewport-height Client Hint
Chrome supports the new Sec-CH-Viewport-Height client hint. This is a counterpart to the Sec-CH-Viewport-Width previously introduced in Chrome. Together they provide information about a viewport's size to an origin. To use these hints, pass Sec-CH-Viewport-Height or Sec-CH-Viewport-Width to the Accept-CH header.
Other Features in this Release
Accurate Screen Labels for Multi-Screen Window Placement
This release enhances the screen label strings provided by the Multi-Screen Window Placement API. Specifically, it refines ScreenDetailed.label property by replacing the previous placeholders with information from the device's Extended Display Identification Data (EDID) or from a higher-level operating system API. For example, instead of returning "External Display 1", the label property will now return something like "HP z27n" or "Built-in Retina Display". These more accurate labels match those shown by operating systems in display settings dialog boxes. The labels are only exposed to sites that have been granted the "window-placement" permission by the user.
CSS: Preventing Overscroll Effects for Fixed Elements
Setting an element's position CSS property to fixed (unless the element's containing block is not the root) will now prevent it from performing the effects specified by overscroll-behavior. In particular, fixed-position elements will not move during overscroll effects.
DisplayMediaStreamConstraints.systemAudio
A new constraint is being added to MediaDevices.getDisplayMedia() to indicate whether system audio should be offered to the user. User agents sometimes offer audio for capturing alongside video. But not all audio is created alike. Consider video-conferencing applications. Tab audio is often useful, and can be shared with remote participants. But system audio includes participants' own audio, and may not be appropriate to share back. To use the new constraint, pass systemAudio as a constraint. For example:
To conform with spec the TransformStreamDefaultController class is now available on the global scope. This class already exists and can be accessed using code such as
let TransformStreamDefaultController;
new TransformStream({ start(c) { TransformStreamDefaultController = c.constructor; } });
This change makes such code unnecessary since TransformStreamDefaultController is now on the global scope. Possible uses for this class include monkey patching properties onto TransformStreamDefaultController.prototype, or feature-testing existing properties of it more easily. Note that the class is not constructible. In other words, this throws an error:
new TransformStreamDefaultController()
HTML Sanitizer API
The HTML Sanitizer API is an easy to use and safe way to remove executable code from arbitrary, user-supplied content. The goal of the API is to make it easier to build web applications that are free of cross-site scripting vulnerabilities and ship part of the maintenance burden for such apps to the platform.
In this release, only basic functionality is supported, specifically Element.setHTML(). The Sanitize interface will be added at a later stage. Namespaced content (SVG + MathML) is not yet supported, only HTML. For more information on the API, see HTML Sanitizer API - Web APIs.
import.meta.resolve()
The import.meta.resolve() method returns the URL to which the passed specifier would resolve in the context of the current script. That is, it returns the URL that would be imported if you called import(). A specifier is a URL beginning with a valid scheme or one of /, ./, or ../. See the HTML spec for examples.
This method makes it easier to write scripts which are not sensitive to their exact location, or to the web application's module setup. Some of its capabilities are doable today, in a longer form, by combining new URL() and the existing import.meta.url() method. But the integration with import maps allows resolving URLs that are affected by import maps.
Improvements to the Navigation API
Chrome 105 introduces two new methods on the NavigateEvent of the Navigation API (introduced in 102) to improve on methods that have proved problematic in practice. intercept(), which let's developers control the state following the navigation, replaces transitionWhile(), which proved difficult to use. The scroll() method, which scrolls to an anchor specified in the URL, replaces restoreScroll() which does not work for all types of navigation. For explanations of the problems with the existing methods and examples of using the new, see Changes to NavigateEvent.
The transitionWhile() and restoreScroll() methods are also deprecated in this release. We expect to remove them in 108. See below for other deprecations and removals in this release.
onbeforeinput Global Event Handler Content Attribute
The nbeforeinput global content attribute is now supported in Chrome. The beforeinput form was already available via addEventListener(). Chrome now also allows feature detection by testing against document.documentElement.onbeforeinput
Opaque Response Blocking v0.1
Opaque Response Blocking (ORB) is a replacement for Cross-Origin Read Blocking (CORB). CORB and ORB are both heuristics that attempt to prevent cross-origin disclosure of "no-cors" subresources.
Picture-in-Picture API Comes to Android
The Picture-in-Picture API allows websites to create a floating video window that is always on top of other windows so that users may continue consuming media while they interact with other sites or applications on their device. This feature has been available on desktop since Chrome 70. It's now available for Chrome running on Android 11 or later. This change only applies to <video> elements. For information on using the Picture-in-Picture API, see Watch video using Picture-in-Picture.
Response.json()
The Response() constructor allows for creating the body of the response from many types; however the existing response.json() instance method does not let you directly create a JSON object. The Response.json() static method fills this gap.
Response.json() returns a new Response object and takes two arguments. The first argument takes a string to convert to JSON. The second is an optional initialization object.
Syntax Changes to Markup Based Client Hints Delegation
New syntax: <meta http-equiv="delegate-ch" value="sec-ch-dpr https://foo.bar https://baz.qux; sec-ch-width https://foo.bar">
Writable Directory Prompts for the File System Access API
Chromium now allows returning a directory with both read and write permissions in a single prompt for the File System Access API. Previously, Window.showDirectoryPicker() returned a read-only directory (after showing a read access prompt), requiring a second prompt to get write access. This double prompt is a poor user experience and contributes to confusion and permission fatigue among users.
Deprecations, and Removals
This version of Chrome introduces the deprecations and removals listed below. Visit ChromeStatus.com for lists of planned deprecations, current deprecations and previous removals.
Remove WebSQL in Non-secure Contexts
WebSQL in non-secure contexts is now removed. The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated it in 2019. The W3C encourages Web Storage and Indexed Database for those needing alternatives.
Developers should expect that WebSQL itself will be deprecated and removed when usage is low enough.
CSS Default Keyword is Disallowed in Custom Identifiers
The CSS keyword 'default' is no longer allowed within CSS custom identifiers, which are used for many types of user-defined names in CSS (for example, names created by @keyframes rules, counters, @container names, custom layout or paint names). This adds 'default' to the list of names that are restricted from use in custom identifiers, specifically 'inherit', 'initial', 'unset', 'revert', and 'revert-layer'.
Deprecations in the Navigation API
The transitionWhile() and restoreScroll() methods are also deprecated in this release, and we expect to remove them in 108. Developers who need this functionality should use the new intercept() and scroll() methods. For explanations of the problems with the existing methods and examples of using the new, see Changes to NavigateEvent .
Deprecate Non-ASCII Characters in Cookie Domain Attributes
To align with the latest spec (RFC 6265bis), Chromium will soon reject cookies with a Domain attribute that contains a non-ASCII character (for example, Domain=éxample.com).
Support for IDN domain attributes in cookies has been long unspecified, with Chromium, Safari, and Firefox all behaving differently. This change standardizes Firefox's behavior of rejecting cookies with non-ASCII domain attributes.
Since Chromium has previously accepted non-ASCII characters and tried to convert them to normalized punycode for storage, we will now apply stricter rules and require valid ASCII (punycode if applicable) domain attributes.
A warning is printed to the console starting in 105. Removal is expected in 106.
Remove Gesture Scroll DOM Events
The gesture scroll DOM events have been removed from Chrome, specifically, gesturescrollstart, gesturescrollupdate and gesturescrollend. These were non-standard APIs that were added to Blink for use in plugins, but had also been exposed to the web.
Media Queries enable responsive design, and the range features that enable testing the minimum and maximum size of the viewport are used by around 80% of sites that use media queries.
The Media Queries Level 4 specification includes a new syntax for these range queries. They can now be written using ordinary mathematical comparison operators. Also supported are the logical operators or and not, and nesting and evaluation of "unknown" features. For example, a media query previously written like this:
This version of Chromium supports the origin trials described below. Origin trials allow you to try new features and give feedback on usability, practicality, and effectiveness to the web standards community. To register for any of the origin trials currently supported in Chromium, including the ones described below, visit the Chrome Origin Trials dashboard. To learn more about origin trials in Chrome, visit the Origin Trials Guide for Web Developers. Microsoft Edge runs its own origin trials separate from Chrome. To learn more, see the Microsoft Edge Origin Trials Developer Console.
New Origin Trials
Focusgroup
The focusgroup CSS property improves keyboard focus navigation using the keyboard arrow keys among a set of focusable elements. Adding this feature to browsers allows web developers to control focus navigation without custom solutions that can lead to a lack of consistency, accessibility, and interoperability. Sign up here for the Microsoft Edge origin trial. It's scheduled to last through 107.
Opt Out of Credit Card Storage
Secure Payment Confirmation now supports a means for users to opt out of storing their credit card data to make later purchases easier. To use the new feature, set showOptOut to true on methodData.data, which is passed as the first parameter of the PaymentRequest() constructor. For example:
To see an example in context check out the demo. You can sign up here for the origin trial. It's scheduled to last through Chrome 106.
Shared Element Transitions
Shared Element Transitions enables the creation of polished transitions in single-page applications (SPAs). Minimal development effort is required by devs to make transitions look nice; they can choose to use default animation properties, or they can customize their own transition effects to achieve the desired transition experience.Transitions are set declaratively using CSS properties. For more information, see Shared Element Transitions. Visit the dashboard to sign up for the origin trial.
Completed Origin Trials
The following features, previously in a Chrome origin trial, are now enabled by default.
Subresource loading with web bundles is a way to load many resources efficiently. To use the feature a web page declares that certain resources are provided by a web bundle at a particular URL. For example:
When cookies are set with an explicit Expires/Max-Age attribute the value will now be capped to no more than 400 days. Previously, there was no limit and cookies could expire as much as multiple millennia in the future. This follows a change in the spec.
400 days was chosen as a round number close to 13 months. This duration ensures that sites visited roughly once a year (for example, sites for choosing health insurance benefits) will continue to work.
CSS object-view-box
The object-view-box property allows authors to specify a portion of an image that should draw within the content box of a target replaced element. This enables creation of images with a custom glow or shadow applied, with proper ink-overflow behavior such as a CSS shadow would have. For more information, see First Look At The CSS object-view-box Property.
Fullscreen Capability Delegation
Fullscreen Capability Delegation allows a Window to transfer the ability to call requestFullscreen() to another Window it trusts after relinquishing the transient user activation at the sender Window. This feature is based on the general delegation mechanism that shipped in Chrome 100.
Fullscreen Companion Window allows sites to place fullscreen content and a popup window on separate screens from a single user activation. There is a demo available with source code on GitHub.
The overflow-clip-margin property specifies how far an element's content is allowed to paint before being clipped. This feature allows using visual-box values to configure the reference box that defines the overflow clip edge the content is clipped to.
Web Custom Formats for Async Clipboard API
Web Custom Formats lets websites read and write arbitrary unsanitized payloads using a standardized web custom format, as well as read and write a limited subset of OS-specific formats (for supporting legacy apps).
The name of the clipboard format is mangled by the browser in a standardized way to indicate that the content is from the web. This allows platform applications to opt-in to accepting the unsanitized content.
Some web app developers want to exchange data payloads between web and platform applications via operating system clipboards. The Clipboard API supports the most popular standardized data types (text, image, rich text) across all platforms. However, this API does not scale to the long tail of specialized formats. In particular, custom formats, non-web-standard formats like TIFF (a large image format), and proprietary formats like docx (a document format), are not supported by the current Web Platform.
The color space that content should be converted to when importing as a texture.
Before this version of Chrome, both of these defaulted to sRGB. Now they can also use "display-p3".
Deprecations, and Removals
This version of Chrome introduces the deprecations and removals listed below. Visit ChromeStatus.com for lists of current deprecations and previous removals.
Block Third-Party Contexts Navigating to Filesystem URLs
Four client hints (dpr, width, viewport-width, and device-memory) have a default allowlist of self but behave as though they have a default allowlist of * on Android, contrary to the spec. This is now fixed, increasing privacy on Android by requiring explicit delegation of these hints.
Remove U2F API (Cryptotoken)
Chrome's legacy U2F API for interacting with security keys is no longer supported. U2F security keys themselves are not deprecated and will continue to work.
Affected sites should migrate to the Web Authentication API. Credentials that were originally registered via the U2F API can be challenged via web authentication. USB security keys that are supported by the U2F API are also supported by the Web Authentication API.
U2F is Chrome's original security key API. It allows sites to register public key credentials on USB security keys and challenge them for building phishing-resistant two-factor authentication systems. U2F never became an open web standard and was subsumed by the Web Authentication API (launched in Chrome 67). Chrome never directly supported the FIDO U2F JavaScript API, but rather shipped a component extension called cryptotoken, which exposes an equivalent chrome.runtime.sendMessage() method. U2F and Cryptotoken are firmly in maintenance mode and have encouraged sites to migrate to the Web Authentication API for the last two years.