Google Chrome 78 is out: Forced dark mode, DoH trials, no more XSS Auditor

Password Checkup tool makes its debut and the New Tab page gets more customization features.
Written by Catalin Cimpanu, Contributor

Version 78 of the Google Chrome web browser is now available for download for users of Windows, macOS, Linux, ChromeOS, Android, and iOS.

Released today, Chrome 78 comes with a new customization menu for the New Tab page, tooltips when hovering over tabs, forced dark mode on every site, support for the Password Checkup tool, DNS-over-HTTPS trials, and the removal of the old XSS Auditor security feature.

But let's start at the beginning.

New customization menu for the New Tab page

In Chrome 78, users have a new customization menu at their disposal. The menu can be accessed from the New Tab page.

This is an experimental feature, and users must activate it by accessing the chrome://flags section and enabling two options named "NTP customization menu version 2" and "Chrome Colors menu."


Once enabled, a new menu will allow users to customize their Chrome browser with new themes, control how the shortcuts on the New Tab page look, and customize the New Tab page background wallpaper.

This is a feature that has been in the works for months, and Google initially promised it would be ready for last month's release in Chrome 77. It wasn't included last month, but it is today.


Tab hover cards

A small detail that most users will also notice in this release is that when hovering over a tab, Chrome will now show a small panel (tooltip) with information about that tab.

Called "Tab Hover Cards," this feature was added to help Chrome power users who open a large number of tabs.

The hover card will make it easier for users with crowded browser toolbars to locate the tab they're looking for at a particular moment, instead of cycling through all at once.

To disable this feature or use a different style for the hover cards, just visit:



Dark Mode on every website

A cool addition in Chrome 78 is a feature called Forced Dark Mode that enables a dark mode setting on every website, whether or not the website supports a dark theme.

This feature doesn't mess with websites' source code but uses color theory inversion to switch light website UIs into their chromatic dark versions.

Some sites might look weird when this feature is enabled, but from our experiments, CIELAB-based inversions looked pretty good.

To enable Forced Dark Mode, you can access and enable the following Chrome flag:



Password Checkup tool

Chrome 78 is also the first Chrome version that integrates the Chrome Password Safety tool. This is a Google-developed extension that was integrated into Chrome.

The former extension allowed users to check if their passwords had been leaked in public data breaches. Now, this option is available within Chrome itself, but will only work if users are syncing Chrome-stored passwords to their Google account.

We detailed this feature in a longer piece earlier this month, which you can read here.

The Password Checkup tool is not enabled by default, but users can turn it on by visiting:



DNS-over-HTTPS trials

Chrome 78 is also the version in which Google will test the new DNS-over-HTTPS (DoH) protocol inside Chrome. This protocol works by disguising DNS queries and responses inside regular HTTPS traffic.

At the start of September, Google said that it would test how DoH performs in a real field test, within the Chrome stable release.

What users need to know is that Chrome's DoH implementation is different from Firefox's. While Firefox sends all DoH requests to a Cloudflare server by default, Chrome will not modify the local computer's DNS settings.

If the user's locally-set DNS server supports DoH, Chrome will send over DoH requests. If it doesn't, Chrome will send over classic DNS requests. More on this rollout plan in this Google blog post.
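
The DoH behaviour described above, as an added example that is not from the article or from Chrome's source: it encodes a DNS query in wire format, wraps it in an RFC 8484 GET URL, and upgrades to DoH only when the configured resolver appears in a provider map. The `DOH_TEMPLATES` map and all function names are assumptions for illustration, not Chrome's actual provider list.

```python
import base64
import struct

# Illustrative resolver-to-DoH map (assumption: NOT Chrome's actual provider list).
DOH_TEMPLATES = {
    "8.8.8.8": "https://dns.google/dns-query",
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "9.9.9.9": "https://dns.quad9.net/dns-query",
}

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Encode a single-question DNS query in wire format (RFC 1035)."""
    # Header: ID=0 (RFC 8484 recommends 0 for HTTP cache friendliness),
    # flags=RD, QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label length in {name!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def doh_get_url(template: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without padding in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"

def plan_lookup(system_resolver: str, name: str) -> dict:
    """Same-provider upgrade: use DoH only if the configured resolver offers it."""
    query = build_dns_query(name)
    template = DOH_TEMPLATES.get(system_resolver)
    if template is None:
        # Unknown resolver: stay on classic DNS to the same server (port 53).
        return {"transport": "udp53", "server": system_resolver, "payload": query}
    return {"transport": "doh", "server": template,
            "url": doh_get_url(template, query)}

if __name__ == "__main__":
    for resolver in ("8.8.8.8", "192.168.1.1"):  # constructed sample settings
        print(resolver, plan_lookup(resolver, "www.example.com"))
```

For network monitoring, the point to take away is that the upgraded lookup leaves the host as an ordinary HTTPS request to the provider's endpoint, so port 53 inspection no longer sees the query name.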

Removal of XSS Auditor

And last, but not least, in Chrome 78, Google engineers have removed the old XSS Auditor, a security feature that had been present in Chrome since v4, released in 2009.

For years, this has been Chrome's de-facto protection against cross-site scripting (XSS) attacks. However, as the XSS Auditor aged and web standards advanced, the tool became highly inefficient, and Chrome engineers decided to remove it for good over the summer. Read more in our previous coverage, here.

But we only touched on the most interesting changes. Users who'd like to learn more about the other new features added or removed from the Chrome 78 release can check out the following links:

Chrome security updates are detailed here.
Chromium open-source browser changes are detailed here.
Chrome developer API deprecations and feature removals are here.
Chrome for Android updates are detailed here.
Chrome for iOS updates are detailed here.
Changes to Chrome V8 JavaScript engine are available here.
