Google Chrome 97 relaxes privacy protection just a little to help out Microsoft

New keyboard API will let online Office apps handle shortcut keys better

Google Chrome 97 arrived on Tuesday, bringing with it a Microsoft-backed keyboard API rejected by Apple and Mozilla on privacy grounds.

Microsoft developers proposed the change – called Feature policy for Keyboard API – because web applications such as Excel Online run within an iframe that cannot access a browser API for determining how the physical keys on a keyboard have been mapped to specific keyboard layouts.

The update to Chrome (Version 97.0.4692.71) adds support for the Keyboard Map specification, which provides a way to convert a code representing the pressed key on a keyboard to the value generated by pressing the key. The value returned varies, depending on locale (e.g., "en-US"), layout (e.g., "dvorak") and modifier state (e.g., "Shift + Control"); the code is tied to the platform-neutral scancode associated with each physical key.

The Keyboard.getLayoutMap() API provides a way to get specific information about how keyboards are mapped.

But it's not available in an iframe or sub-context due to the way browser security has been designed. So there's potential ambiguity where, for example, a user has both French and Japanese keyboard layouts installed and the current active layout and locale are Japanese – Excel Online in this instance would need to guess which Latin-character-based keyboard shortcut in the app corresponds with the non-Latin character sent by the user.

The addition of Keyboard Map to Chrome 97 means the Keyboard Map can be used in conjunction with the getLayoutMap() method, which Microsoft intends to use to make keyboard shortcuts work better in its online Office apps.
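
The lookup described above, with the two failure paths a web app has to handle, as an added example that is not code from Chrome, Microsoft or the specification. `shortcutLabel`, `usGuess`, `keyboardMapPolicy` and the stub objects are hypothetical names, `keyboard-map` is the policy token for this feature, and `nav` is passed in so the logic also runs outside a browser:

```javascript
// Added example. In a page, call shortcutLabel("KeyQ", navigator).

// Resolve the character a physical key produces on the active layout.
// Falls back to a static US-QWERTY guess when the API is missing
// (browsers that declined to ship it) or the call is rejected
// (a frame that has not been delegated the keyboard-map feature).
async function shortcutLabel(code, nav) {
  const fallback = { source: "fallback", key: usGuess(code) };
  if (!nav || !nav.keyboard || typeof nav.keyboard.getLayoutMap !== "function") {
    return fallback;
  }
  try {
    const layout = await nav.keyboard.getLayoutMap();
    const key = layout.get(code);
    return key === undefined ? fallback : { source: "layout-map", key };
  } catch (err) {
    return fallback;
  }
}

// "KeyQ" -> "q", "Digit1" -> "1"; any other code is returned unchanged.
function usGuess(code) {
  const m = /^(?:Key([A-Z])|Digit([0-9]))$/.exec(code);
  if (!m) return code;
  return m[1] ? m[1].toLowerCase() : m[2];
}

// Build a Permissions-Policy header value for the keyboard-map feature.
// An empty list disables it for the page and every frame it embeds,
// which is the setting for sites that never need layout data.
function keyboardMapPolicy(allowedOrigins = []) {
  const items = allowedOrigins.map((o) => (o === "self" ? "self" : JSON.stringify(o)));
  return `keyboard-map=(${items.join(" ")})`;
}

// Constructed stand-ins for navigator in three situations.
const azertyTop = { keyboard: { getLayoutMap: async () => new Map([["KeyQ", "a"]]) } };
const blockedFrame = {
  keyboard: { getLayoutMap: async () => { throw new Error("SecurityError"); } },
};
const noApi = {};
```

A site that embeds third-party frames and has no use for layout data can send `Permissions-Policy: keyboard-map=()`, the value `keyboardMapPolicy()` returns, so embedded content cannot read the layout as a fingerprinting data point.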

Apple and Mozilla, however, are not fans because the change represents a privacy rollback. As Apple software engineer Ryosuke Niwa wrote in a GitHub Issues post in 2019, "the Keyboard Map API as proposed exposes a high entropy fingerprinting surface. This is not acceptable from [a] privacy perspective."

Some of Mozilla's Firefox developers have also expressed concern the API would make fingerprinting easier and the organization has designated the proposal as "harmful."

Leaving tracks

Fingerprinting in this context refers to websites collecting data from users and their systems to create a unique identifier derived from the various available data points. Being able to identify available keyboard layouts, in this instance, would add one more data point to differentiate between web visitors – one available without interaction.

The Keyboard Map proposal cites possible privacy considerations and proposes how browsers might address these concerns. Google and Microsoft appear to believe the privacy risk posed by this change is minimal.

Google's updated browser also includes a revised interface for clearing web data: the "Remove all" button at Settings > Site Data has been renamed "Clear all data" and moved to a new location.

"Users can now delete all data stored by an individual site by navigating to Settings > Privacy and Security > Site Settings > View permissions and data stored across files, where they’ll land on chrome://settings/content/all," explained Google engineer Theodore Olsauskas-Warren in a post about this feature when it debuted in beta back in November, 2021.

More significantly, Google plans to remove granular controls for deleting individual cookies, ostensibly to protect users from themselves.

"By providing users the ability to delete individual cookies, they can accidentally change the implementation details of the site and potentially break their experience on that site, which can be difficult to predict," said Olsauskas-Warren. "Even more capable users run the risk of compromising some of their privacy protection, by incorrectly assuming the purpose of a cookie."

Cookie meddling and editing will still be available to web developers through Chrome's Developer Tools; such mayhem won't be available in the menus frequented by typical users, however. It's not clear when this particular change will be implemented. Individual cookies could still be deleted via chrome://settings/siteData in Chrome 97 when we checked.

Best of the rest

Chrome 97's handful of other new features are less controversial and more developer-oriented. There's "Late newline normalization in form submission," which makes newline handling in form submissions more consistent across browsers. "Support calc(<number>) where only accepts <integer>" makes the CSS calc() function provide an integer where an integer is expected. The CSS revision "transform: perspective(none)" brings the handling of small values in the perspective CSS property and the perspective() transform function into compliance with the specification.

"HTMLScriptElement.supports(type) method" adds a way for code to detect the type of scripts supported by a given browser. "Array and TypedArray findLast and findLastIndex" add two more efficient methods in JavaScript for finding the last element and index value in an array. WebTransport is a new client-server messaging API that's being tested via an Origin Trial.

Then there's PermissionStatus.prototype.name, which provides developers with a way to more easily interact with browser permissions. And "Propagate request origin and redirect chain in passthrough service workers" helps service workers handle navigation requests better.

Chrome Enterprise has its own set of release notes, including a reminder that new Manifest v2 Chrome extensions will no longer be accepted after January 17, 2022. Chrome Dev Tools now includes a recorder for assessing how users interact with websites, among other enhancements. And v97 delivers some 37 security fixes, including one "Critical" use after free Storage vulnerability.

On a related note, Chrome rival Brave on Wednesday said its browser reached over 50 million monthly active users at the end of 2021. ®
