Last month, Chrome 94 rolled out to the Stable channel with support for a controversial idle detection API and a VirtualKeyboard API, among many other things. Since Chrome has shifted to a four-week release cycle, Chrome 95 will be rolling out to the general public today with several interesting changes including the enforcement of cookie size limits and removal of FTP support.
Chrome will now enforce the size of a cookie's name+value to a maximum of 4096 bytes with the length of each attribute being set to 1024 bytes, at most. Cookies which exceed these lengths will be rejected outright. Previously, Chrome used to set a limit of 4096 bytes on the entire Set-Cookie line. The recent change will align it with Mozilla Firefox and improve interoperability.
Additionally, the user-agent (UA) client hints are being enhanced to cater to the detection of different versions of Windows. The existing implementation considers the major and minor versions of Windows components but these haven't changed at all in different Windows 10 releases and even Windows 11. Moving forward, Windows.Foundation.UniversalApiContract will be used to derive which version of Windows a user is running with Chrome.
Importantly, Chrome 95 also removes support for FTP. Google has noted that Chrome does not support encrypted FTP connections such as FTPS and lacks proxy support too. Furthermore, very few people use FTP capabilities present in Chrome due to the availability of much better FTP clients. As such, the company has deemed it fit to remove its insecure FTP implementation altogether rather than invest in it further.
In a similar vein, Chrome 95 is also deprecating support for URLs with non-IPv4 hostnames ending in numbers. While no exploit in the current implementation is known yet, Google is making this decision as a preventative security measure and updating the URL specification to indicate this change too. According to the company's metrics, this modification affects only 0.0003% of hostnames.
A new EyeDropper API is being introduced too. This will allow sites like PowerPoint Online to integrate the browser-supplied eyedropper in their custom color pickers. The existing implementation was limited in terms of customization. OS-level integrations with note-taking web apps are being enabled too as Chrome 95 will be able to parse web app manifest entries for URLs. The payment authentication mechanism is being enhanced as well with secure payment confirmations for improved security.
Additionally, self.reportError() is a function that will allow web developers to report global exceptions to the console for more control over a custom callback. WebAssembly cross-origin module sharing is being deprecated. In related news, WebAssembly is also getting exception handling, a move that has received universally positive feedback from web developers as well as the teams behind Firefox, Edge, and Safari. Finally, a new droppedEntriesCount attribute is being added for developers utilizing PerformanceObserver. It will let them know how many entries have been dropped due to the buffer size being exceeded.
Chrome 95 is expected to roll out later today. If it does not update to version 95 automatically for you throughout the course of the day, head over to Help > About Google Chrome to trigger the update once it becomes available. Next up is Chrome 96 which is currently in the Dev channel with a Stable release expected on November 16.