Chrome 84 Brings 38 Security Patches, Resumes CSRF Protection Rollout

Chrome 84 was released in the stable channel this week with a total of 38 patches, but also with additional security improvements, including the rollout of a previously announced SameSite cookie change.


Initially announced in May 2019, the change is meant to provide users with improved protection against cross-site request forgery (CSRF) attacks by making cookies available in third-party contexts only if they are set as SameSite=None; Secure, and only if served over a secure connection.


Google started rolling out the change in February, with the release of Chrome 80, but halted the process in early April due to the COVID-19 pandemic. The release of Chrome 84 resumes the gradual rollout of the protection.
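
As an added illustration (not code from the article or from Google), the following JavaScript audits Set-Cookie headers against the behaviour described above. It also assumes Chrome's accompanying default, under which a cookie without a recognised SameSite attribute is treated as SameSite=Lax; the function names and header values are constructed for the example.

```javascript
// Added example: audit Set-Cookie headers against the SameSite rules described
// above. The header strings are constructed samples, not from a real site.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = value;
  }
  return cookie;
}

// Returns how the cookie is treated once the new behaviour is active.
function classify(header) {
  const { name, secure, sameSite } = parseSetCookie(header);
  // Assumption: a missing or unrecognised SameSite value falls back to Lax.
  const effective = ['strict', 'lax', 'none'].includes(sameSite) ? sameSite : 'lax';
  let verdict;
  if (effective === 'none') {
    // SameSite=None is only honoured together with the Secure attribute.
    verdict = secure ? 'third-party-ok' : 'rejected';
  } else {
    verdict = 'first-party-only';
  }
  return { name, effective, secure, verdict };
}

function audit(headers) {
  return headers.map(classify);
}

const sampleHeaders = [
  'session=abc123; Path=/; HttpOnly',
  'widget=1; SameSite=None; Secure',
  'tracker=xyz; SameSite=None',
  'prefs=dark; SameSite=Strict; Secure',
];

for (const r of audit(sampleHeaders)) {
  console.log(`${r.name}: SameSite=${r.effective}, verdict=${r.verdict}`);
}
```

Cookies reported as rejected or first-party-only are the ones to review if an embedded widget, single sign-on flow or other cross-site integration depends on them.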


The new browser iteration also improves user protection from abusive notifications, as announced in May. Websites that push abusive notifications will be enrolled in the quieter notifications UI, and their notifications won’t be displayed to the user.


Instead, a discreet warning will pop up to notify the user that a notification was blocked. An alert will also be displayed when Chrome detects websites that attempt to trick users into allowing intrusive notifications.


In Chrome 84, Google also included support for the Web OTP (one-time password) API, which allows the browser to detect incoming one-time passcodes (OTP) received by SMS and automatically fill specific two-factor authentication (2FA) fields. Users will be prompted to allow the action to take place.


The browser also removes support for the TLS 1.0 and TLS 1.1 protocols, a move that was long announced ..