Chrome 65 rolls out: You're getting a stronger redirect blocker, 45 security fixes

Chrome 65 rounds out Google's long-running efforts to stamp out unwanted redirects.
Written by Liam Tung, Contributing Writer

Video: How to make Google Chrome faster: Five tips

Google has released Chrome 65 for Android, Linux, Mac, and Windows, bringing security enhancements and 45 fixes for security flaws.

As Google announced late last year, its aim is to roll out changes in Chrome to prevent nasty ads from bumping users to a page they never intended to go to -- potentially leading them to a malware site or page filled with ads.

Google flagged the changes soon after Android Police founder complained that redirect ads were still occurring on his site after moving exclusively to Google AdSense and Google Ad Exchange.

However, Chrome developers were as early as August last year working a so-called 'infobar' to notify users when the browser blocked redirects.

Google targeted the Chrome 64 release for blocking redirects from third-party iframes, so that if that occurs it would display an infobar explaining why a redirect was blocked unless the user has clicked on that iframe.

Chrome 65 addresses the 'tab-under' problem where clicking on a link opens the desired content in a new tab, while the opening tab navigates to a page the user never intended to visit.


Google's mockup of Chrome's infobar redirect warning.

Image: Google

To stop this, Chrome 65 detects this behavior, displays an infobar, and prevents the redirect on the main tab from occurring.

The restrictions on abusive experiences round out a long-running effort by Chrome developers to stop this behavior.

Google announced the restrictions alongside the launch of its Abusive Experiences Report for site owners who can see if abusive experiences have been seen on their site. Chrome may prevent new windows and tabs opening on sites that don't remove abusive experiences after 30 days.

Chrome 64 also introduced stricter popup blocking on sites with excessively abusive experiences by blocking popups even in cases where the user does click a button.

Chrome 65 restricts "framebusting ability by requiring a relevant user gesture unless it is same-origin to the parent" because it was being abused by ads, according to the Chrome milestone hotlist.

"Summary Content in an <iframe> can generally navigate the top-level browsing context unless explicitly forbidden by the sandbox attribute (sometimes called 'framebusting'). Restrict this ability to content that is processing a user gesture, unless it is same-origin to the parent. Motivation Framebusting was originally used by content that wanted to prevent being placed in an <iframe> but it's being abused."

Chrome 64's milestone page says it introduces 'block tab-under navigations'. "A tab-under is when a page both opens a popup to some destination (usually where the user wants to go) AND navigates the opener page to some third party content (usually an advertisement). Chrome will block these navigations and show native UI to the user so they can follow the redirect just in case."

Google details its motivations and design considerations for how it enables tab-under blocking in this document.

Chrome 65 brings fixes for 45 security bugs, including nine high-severity issues. It paid researchers $34,500 for reporting bugs.

Chrome 65 is also the first version that Google has enabled Transport Layer Security version 1.3 on by default.

Previous and related coverage

Google is switching on Chrome's ad blocker against disruptive ads

Google kicks off Chrome ad filtering on sites that persistently display annoying ads.

Five tricks to make Google Chrome faster and better

Here are five tricks to help you speed up your browser and increase your productivity.

Google Chrome can now spot even brand new phishing pages

Google has rolled out two new tools to combat phishing, and upped Gmail security.

Editorial standards