More new changes to try for all OSes.
Chrome 69 rolling out ‘Material Design refresh’ next month ‘across all operating systems’
Chrome 69 rolling out ‘Material Design refresh’ next month ‘across all operating systems’
List of Interesting Experimental Flags for Google Chrome to Try Out
- Thread starter Petrovic
- Start date
Block unsafe downloads over insecure connections #disallow-unsafe-http-downloads
Parallel downloading #enable-parallel-downloading
Parallel downloading #enable-parallel-downloading
- Jul 3, 2015
- 8,153
Thanks, Spawn.
Do you use them, and what other flags do you use?
Chrome for Desktop (Windows)
Appearance
- UI Layout for the browser's top chrome #top-chrome-md
- Custom-drawn Windows 10 Titlebar #windows10-custom-titlebar
- Password generation #enable-password-generation
- Force-saving of passwords #PasswordForceSaving
- Manual password generation #enable-manual-password-generation
- Parallel downloading #enable-parallel-downloading
- Enable AppContainer Lockdown #enable-appcontainer
- Enable GPU AppContainer Lockdown #enable-gpu-appcontainer
- Block unsafe downloads over insecure connections #disallow-unsafe-http-downloads
In Chrome 70 now you can enable lazy image loading to speed up the browser
Chrome may soon lazy load images and frames natively - gHacks Tech News
Enable lazy image loading ==> Enabled
Chrome may soon lazy load images and frames natively - gHacks Tech News
Enable lazy image loading ==> Enabled
Some other useful flags here
and latest flags from Chrome 70
- Show credit card last usage in forms
- Enabling HDR
- Stop the websites from high jacking navigations
- Automatically generating passwords
- Reduce microphone echo in web chat
- Enabling pip (picture in picture) mode
- Show title in search bar
- Audio muting from the tab
- Automatic password saving
- Automatic tab discarding
and latest flags from Chrome 70
Hey, beste ik zie aan je profiel dat je Nederlands bent? :/
Nou ik deed een beetje research en een expert/nerd zei tegen me dat
(Block scripts loaded via document.write, tot grote security doorbraken kan leiden of problemen met je privacy..)
Ik weet natuurlijk niet of dit waar is of niet, daarom vraag ik het is aan jou
Zouden deze Flags enige problemen, security doorbraken, privacy leaks kunnen veroorzaken? :/
Hoelang heb jij deze Flags al?
Groetjes!
----------------
Hey there, some expert/nerd sayed to me that
(Block scripts loaded via document.write, can lead to serious security breaches or problems with your privacy..)
I don't know if this is true orn't, thats why i ask it to you
Will these flags cause any security, privacy breaches or problems?
How long do you have these flags already?
Cheers!
- Mar 13, 2016
- 1,298
Hey, beste ik zie aan je profiel dat je Nederlands bent? :/
Nou ik deed een beetje research en een expert/nerd zei tegen me dat
(Block scripts loaded via document.write, tot grote security doorbraken kan leiden of problemen met je privacy..)
Ik weet natuurlijk niet of dit waar is of niet, daarom vraag ik het is aan jou
Zouden deze Flags enige problemen, security doorbraken, privacy leaks kunnen veroorzaken? :/
Hoelang heb jij deze Flags al?
Groetjes!
----------------
Hey there, some expert/nerd sayed to me that
(Block scripts loaded via document.write, can lead to serious security breaches or problems with your privacy..)
I don't know if this is true orn't, thats why i ask it to you
Will these flags cause any security, privacy breaches or problems?
How long do you have these flags already?
Cheers!
Yep Dutch, but responding in Dutch-English (Dunglish)
Looking at the descritption it blocks third-party scripts inserted, so unless something is lost in translation dynamically injected third-party scripts are something to stay away from as this post explains (scroll down to "document write can be a form of eval" - link)
So it's safe to have this flag enabled..
All it does is blocking third-part scripts that can have bad code inserted into the document.write or something like that?
and this also speeds up loading times of pages?
- Jul 1, 2017
- 1,396
chrome://flags/#enable-service-worker-servicification
I have seen a fast improvement in page lookups with this enabled.
I have an issue with the wording on top document isolation:
"In this mode, iframes from different third-party sites will be allowed to share a process."
So if enabled all third party iframes share a process as opposed to keeping them in separate processes? Wouldn't keeping it disabled be better for privacy?
I have seen a fast improvement in page lookups with this enabled.
I have an issue with the wording on top document isolation:
"In this mode, iframes from different third-party sites will be allowed to share a process."
So if enabled all third party iframes share a process as opposed to keeping them in separate processes? Wouldn't keeping it disabled be better for privacy?
- Mar 13, 2016
- 1,298
My current flags (on Linux Lite & Windows 10)
Security l
- some security flags are now enabled by default (e.g. strict site isolation) or when your OS supports it (e.g. appcontainer)
#disallow-doc-written-script-loads (enabled)
#disallow-unsafe-http-downloads (enabled)
#enable-framebusting-needs-sameorigin-or-usergesture (enabled)
#enable-mark-http-as ...non-secure (enabled: non secure warning and passwords ... )
#enable-signed-http-exchange (disabled)
#extension-content-verification (enforce strict ...)
#pdf-isolation (enabled)
Privacy
#disable-hyperlink-auditing (enabled)
#enable-history-entry-requires-user-gesture (enabled)
#reduced-referrer-granularity (enabled)
Performance
#autoplay-policy (user gesture is required ...)
#enable-gpu-rasterization (enabled)
#enable-lazy-frame-loading (enabled)
#enable-lazy-image-loading (enabled)
#enable-parallel-downloading (enabled)
#enable-tcp-fast-open (enabled)
#load-media-router-component-extension (disabled)
Security l
- some security flags are now enabled by default (e.g. strict site isolation) or when your OS supports it (e.g. appcontainer)
#disallow-doc-written-script-loads (enabled)
#disallow-unsafe-http-downloads (enabled)
#enable-framebusting-needs-sameorigin-or-usergesture (enabled)
#enable-mark-http-as ...non-secure (enabled: non secure warning and passwords ... )
#enable-signed-http-exchange (disabled)
#extension-content-verification (enforce strict ...)
#pdf-isolation (enabled)
Privacy
#disable-hyperlink-auditing (enabled)
#enable-history-entry-requires-user-gesture (enabled)
#reduced-referrer-granularity (enabled)
Performance
#autoplay-policy (user gesture is required ...)
#enable-gpu-rasterization (enabled)
#enable-lazy-frame-loading (enabled)
#enable-lazy-image-loading (enabled)
#enable-parallel-downloading (enabled)
#enable-tcp-fast-open (enabled)
#load-media-router-component-extension (disabled)
Last edited:
- Mar 13, 2016
- 1,298
Found an old (2012) PoC where an image obfuscates a script using document.write. This flag is so old (from 2G area and we are now on 4G entering 5G), that no website should use this mechanism anymore. Google disabled it for performance reasons (and only blocked third-party), so it is safe to disable this IMO.
Last edited:
Can try the flags for Chrome's NOSCRIPT Intervention from the link below
Chrome's NOSCRIPT Intervention - TimKadlec.com
Looks like its for the android Chrome version
Chrome's NOSCRIPT Intervention - TimKadlec.com
Looks like its for the android Chrome version
Last edited:
Update for Chrome v72
Touch UI Layout
Enables touch UI layout in the browser's top chrome. – Mac, Windows, Linux, Chrome OS
Set to Enabled for similar to Touchable Refresh
Touch UI Layout
Enables touch UI layout in the browser's top chrome. – Mac, Windows, Linux, Chrome OS
- Default
- Automatic
- Disabled
- Enabled
chrome://flags/#top-chrome-touch-uiSet to Enabled for similar to Touchable Refresh
- Mar 13, 2016
- 1,298
Have not seen this before: but it seems to fix local IP leak of WebRTC in Chrome, see picture
- May 29, 2018
- 2,728
- Mar 13, 2016
- 1,298
- May 29, 2018
- 2,728
Like if you have VPN and you do use ublock origin as example:
gorhill/uBlock
is this because of extension (ublock origin) or is the feature meant to do same as chrome/flag is doing currently?
Even though you hide local ip with chrome:flag, is there any benefits to enable that feature?
Its hard to spell what im meaning
- Mar 13, 2016
- 1,298
@Moonhorse
When you use uBloc0 you can simply keep using the block WebRTC.
I like to use what is there. In Firefox and Edge it is possible to hide private IP adres (the one your router gives you on your internal network) using browser settings. In Chrome it was also possible in the past, but they removed that option some time. Extensions like WebRTC block and uBlock0 filled in the gap and offered an easy way to disable this 'leak'.
There are so many ways you can be traced. While most of this data does not mark you as an individual, combining several fields makes it possible to track you, no matter how many blocklists people keep adding in there adBlocker.
I consider Privacy a lost war. I use AdGuard beta (with stealth mode including a limited lifetime of first-party cookies of 150 minutes) and Privacy Possum to make it a little harder for advertising networks to track me.
Most used tracking methods:
- using UTM codes in URL: What Are UTM Codes and How Do You Use Them?
- misusing the browser cache (etag headers)
- long life time of (first-party) cookies (most people don't delete history or know the settings to limit it to browser is closed)
- referrer imfo passes at cross origin requests)
- fingerprinting (combining available browser data, which does not nessecarely identifies you uniquely. This is often used when you look at hotel prices or air flights. After some time of looking for the best, the best deal starts to increase in price or reduce in availability . They don;t know that it is you, but there is a larger than 80% chance that the person looking for that destination, with profile A is the same person who is looking at those prices an hour or a day later. Because this fingerprint is server side stored, only TOR browser and VPN could protect you against such tracking techniques.
When you use uBloc0 you can simply keep using the block WebRTC.
I like to use what is there. In Firefox and Edge it is possible to hide private IP adres (the one your router gives you on your internal network) using browser settings. In Chrome it was also possible in the past, but they removed that option some time. Extensions like WebRTC block and uBlock0 filled in the gap and offered an easy way to disable this 'leak'.
There are so many ways you can be traced. While most of this data does not mark you as an individual, combining several fields makes it possible to track you, no matter how many blocklists people keep adding in there adBlocker.
I consider Privacy a lost war. I use AdGuard beta (with stealth mode including a limited lifetime of first-party cookies of 150 minutes) and Privacy Possum to make it a little harder for advertising networks to track me.
Most used tracking methods:
- using UTM codes in URL: What Are UTM Codes and How Do You Use Them?
- misusing the browser cache (etag headers)
- long life time of (first-party) cookies (most people don't delete history or know the settings to limit it to browser is closed)
- referrer imfo passes at cross origin requests)
- fingerprinting (combining available browser data, which does not nessecarely identifies you uniquely. This is often used when you look at hotel prices or air flights. After some time of looking for the best, the best deal starts to increase in price or reduce in availability . They don;t know that it is you, but there is a larger than 80% chance that the person looking for that destination, with profile A is the same person who is looking at those prices an hour or a day later. Because this fingerprint is server side stored, only TOR browser and VPN could protect you against such tracking techniques.
Last edited:
Similar threads
