As planned, the next milestone update for the Chrome browser has begun rolling out to Windows, macOS, and Linux users. This update is relatively light in the features department, but delivers a healthy batch of security updates and patches. Let’s take a look at what’s new in Chrome 105 for desktop.
More PWA controls
Progressive Web Apps have come a long way in Chrome, and before long, it will be nearly impossible to differentiate between browser-based tools and native apps. Chrome 97 added the ability to add elements to the top bar of web applications. Chrome 105 builds on this feature with customizable controls. Now, web application developers can add tools like a search bar and add or customize functionality in the top bar. This gives developers more control over how Web applications look and interact with users.
Window tiling options
We’ve covered this upcoming feature in detail, and while it’s not technically available in Chrome 105, you can enable it with a simple flag. This feature will provide Chrome with window snapping capabilities similar to what Windows already has. Once enabled, you can simply hover over the maximize button in Chrome and you’ll see various sizes and snapping options for the window in focus. Here’s what’s working on ChromeOS in the Canary channel.
As I mentioned, this feature is not enabled by default, but you can do this by pointing your browser to
chrome://flags/#partial-split and enable the flag. After restarting Chrome, you should be able to see the window running.
As I said, from a user perspective, there isn’t much to talk about in this update, but there are some updates in the background that give developers some new and updated tools to work with. You can read more about these on the Chromium blog, but I’ll list them here in case you’re interested.
- Custom Highlighting API – The Custom Highlighting API provides web developers a way to style arbitrary ranges of text. This is useful in a variety of scenarios, including editing frameworks that want to implement their own choices, page lookups for virtualized documents, multiple choices representing online collaboration, or spell checking frameworks.
- Container queries – Container queries enable developers to query parent selectors for size and style information, allowing child elements to have their responsive styling logic, no matter where it is located on the page.
- :has() pseudo-class – CSS
:has()Pseudo-classes enable developers to check if a parent element contains child elements with specific parameters.
- Fetch Upload Streaming – Start the request before you get the entire body using the Streams API.
- Multi-Screen Window Placement API – Enhancements to the label strings provided by the Multi-Screen Window Placement API
Security Updates and Patches
That’s it for features and tools, now a security update. This version of Chrome contains up to 24 patches. While this may seem like an overkill, milestone updates are not uncommon, meaning Google will continue to focus on keeping Chrome safe for all of its users. Here’s a list of patches along with associated bugs and the bounty collected by the developer who found each vulnerability.
- [$NA] Severe CVE-2022-3038: Free to use in web services.Reported by Sergei Glazunov of Google Project Zero on 2022-06-28
- [$10000] High CVE-2022-3039: Use after release in WebSQL. Reported by Wang Nan (@eternalsakura13) and Gong Guang of 360 Vulnerability Research Institute on 2022-07-11
- [$9000] High CVE-2022-3040: Use after release in Layout.Reported by Anonymous on 2022-07-03
- [$7500] High CVE-2022-3041: Use after release in WebSQL. Reported by Chen Ziling and Wang Nan (@eternalsakura13) of 360 Vulnerability Research Institute on 2022-07-20
- [$5000] High CVE-2022-3042: Use after free in PhoneHub. 360 Vulnerability Research Institute koocola (@alo_cook), Gong Guang reported on 2022-06-22
- [$3000] High CVE-2022-3043: Heap buffer overflow in screen capture. Reported by @ginggilBesel on 2022-06-16
- [$NA] High CVE-2022-3044: Improper Implementation in Site Isolation.Microsoft Browser Vulnerability Research Reported by Lucas Pinheiro on 2020-02-12
- [$TBD] High CVE-2022-3045: Insufficient validation of untrusted input in V8. By Ben Noordhuis on 26 June 2022 email@example.com
- [$TBD] High CVE-2022-3046: Free to use in browser tabs. Reported by VRI Rongjian 2022-07-21
- [$7000] Medium CVE-2022-3047: Insufficient policy enforcement in extension API. By Maurice Dauer on 2022-07-07
- [$5000] Medium CVE-2022-3048: Improper implementation in Chrome OS lock screen. Reported by Andr.Ess on 2022-03-06
- [$3000] Medium CVE-2022-3049: Use after free in SplitScreen. Reported by @ginggilBesel on 2022-04-17
- [$3000] Medium CVE-2022-3050: Heap buffer overflow in WebUI.Reported by Yao Zhihua from Kunlun Laboratory on 2022-06-17
- [$2000] Medium CVE-2022-3051: Heap buffer overflow in Exosphere. Reported by @ginggilBesel on 2022-07-18
- [$2000] Medium CVE-2022-3052: Heap buffer overflow in window manager. By Khalil Zhani on 2022-07-21
- [$TBD] Medium CVE-2022-3053: Inappropriate implementation in pointer locks. By Jesper van den Ende (Pelican Party Studios) on 2021-11-08
- [$TBD] Medium CVE-2022-3054: Insufficient policy enforcement in DevTools.Reported by Li Kuilin on 2022-01-24
- [$TBD] Moderate CVE-2022-3055: Free to use in passwords. Reported by Jiang Weipeng (@Krace) and Gong Guang of 360 Vulnerability Research Institute on 2022-08-11
- [$3000] low CVE-2022-3056: Insufficient policy enforcement in Content Security Policy. Anonymous reported on 2022-05-26
- [$2000] low CVE-2022-3057: Improper implementation in iframe sandbox. By Gareth Heyes on 2022-06-16
- [$1000] low CVE-2022-3058: Free to use during login flow. Reported by raven in Kunlun Lab on 2022-06-20
Chrome 105 is currently rolling out to Windows, macOS, and Linux users. Don’t worry if you haven’t received the update yet. It should be in the next few days. You can always check for updates by going to the three-dot menu in the upper-right corner of the Chrome browser, clicking Help, and then clicking About Chrome. There, you should see an update button. If Google goes according to plan, we should see a ChromeOS 105 update tomorrow. Stay tuned for more information when it arrives.