Following version 85’s release on Android, Mac, Windows, and Linux, the next release of Google’s browser is rolling out today. Chrome 86 makes a number of security-focused additions and a handful of other usability tweaks.

A number of security features that first debuted on desktop Chrome are now coming to mobile with version 86:

  • Password Checkup, which can analyze whether your saved credentials have been compromised in leaks, is now available on Android and iOS.
  • Enhanced Safe Browsing shares “uncommon URLs” in real-time with Google to determine whether you’re about to visit a phishing site or encounter malware. As the optional mode comes to Android with this release, the company notes a “20% drop in users typing their passwords into phishing sites.”
  • Face ID, Touch ID, or phone passcode can be used as an authentication method to Autofill passwords on iOS. Android in July added a similar touch-to-fill passwords feature.

Google is encouraging websites to adopt an example.com/.well-known/change-password URL scheme. This allows the default password manager to display a big button that lets users quickly change their password after a credential has been compromised.

Long URLs that include the correct page name are often used to spoof people into thinking they are on a reputable/desired site. To combat this common phishing tactic, Chrome 86 will test only showing the registrable domain in the address bar as part of a test in Chrome 86. Users will have the option to see the full URL.

For example, https://google-secure.example.com/secure-google-sign-in/ will appear only as example.com to the user.

Chrome 86 also features a new “Safety Tip” on sites with URLs that look “very similar” to those of other ones. Meant to combat spoofing, client-side heuristics are leveraged with Google throwing up a “Did you mean… ?” warning that makes you confirm the address before continuing. 

For example, goog0le.com spoofing google.com

This release will warn about web forms that load via HTTPS but submit content over HTTP. Autofill is disabled, but the browser will continue to offer unique passwords. Red warning text appears underneath fields, while users will be given the option to turn back before submitting.

Chrome 86 will block macOS, Windows, Linux, and Chrome OS users from downloading archives (.zip and .iso files) over HTTP on an HTTPS page. This “[file] can’t be downloaded securely” message is found in the downloads bar, while this version will also start warning about non-safe file types, including PDFs.

Chrome will make it more explicit when an “Update” is available by placing a green warning to the right of your profile avatar.

Google has been working to reduce CPU and power consumption over the past few releases. Chrome 86 will detect when a browser window is covered by another and suspend work painting pixels, thus preserving resources when a page isn’t being viewed. This builds on Chrome freezing tabs —  except for playing audio/video and recording — that have been in the background for over five minutes.

Chrome 86 will further reduce processing and power consumption of background tabs by throttling CPU usage to only use 1%, and limiting wake up to once per minute.

Quick Focus Highlight shows a white-blue outline with an accompanying blue glow around the currently focused element. It can be enabled in Settings > Advanced > Accessibility > Show a quick highlight on the focused object.

With the Native File System API, which is now out of preview, developers can build powerful apps — like IDEs, text, photo, and video editors — that interact with on-device files.

After a user grants access, this API allows web apps to read or save changes directly to files and folders on the user’s device. It does all this by invoking the platform’s own open and save dialog boxes.

VP9 is now available in macOS with Big Sur.

Version 86 sees the browser default to the Windows-native spell checker on devices that have the corresponding language packs installed. Google will otherwise fallback to Chrome’s built-in offering.

Portals allow a web “page to show another page as an inset.” Chrome 86 lets developers test this feature through an origin trial.

FTC: We use income earning auto affiliate links. More.


Check out 9to5Google on YouTube for more news:

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author