Spawn

Administrator
Verified
Staff member
Block unsafe downloads over insecure connections #disallow-unsafe-http-downloads
Disallows downloads of unsafe files (files that can potentially execute code), where the final download origin or any origin in the redirect chain is insecure. – Mac, Windows, Linux, Chrome OS, Android
Parallel downloading #enable-parallel-downloading
Enable parallel downloading to accelerate download speed. – Mac, Windows, Linux, Chrome OS, Android
 

Spawn

Administrator
Verified
Staff member
Thanks, Spawn.
Do you use them, and what other flags do you use?
Chrome for Desktop (Windows)
Appearance
  • UI Layout for the browser's top chrome #top-chrome-md
  • Custom-drawn Windows 10 Titlebar #windows10-custom-titlebar
Usability
  • Password generation #enable-password-generation
  • Force-saving of passwords #PasswordForceSaving
  • Manual password generation #enable-manual-password-generation
  • Parallel downloading #enable-parallel-downloading
Security
  • Enable AppContainer Lockdown #enable-appcontainer
  • Enable GPU AppContainer Lockdown #enable-gpu-appcontainer
  • Block unsafe downloads over insecure connections #disallow-unsafe-http-downloads
 

HarborFront

Level 54
Verified
Content Creator

brent023

New Member
Sorry missed your question

Security
View attachment 180318

Privacy
View attachment 180319
Hey, beste ik zie aan je profiel dat je Nederlands bent? :/
Nou ik deed een beetje research en een expert/nerd zei tegen me dat
(Block scripts loaded via document.write, tot grote security doorbraken kan leiden of problemen met je privacy..)
Ik weet natuurlijk niet of dit waar is of niet, daarom vraag ik het is aan jou :)
Zouden deze Flags enige problemen, security doorbraken, privacy leaks kunnen veroorzaken? :/
Hoelang heb jij deze Flags al?
Groetjes!

----------------

Hey there, some expert/nerd sayed to me that
(Block scripts loaded via document.write, can lead to serious security breaches or problems with your privacy..)
I don't know if this is true orn't, thats why i ask it to you :)
Will these flags cause any security, privacy breaches or problems?
How long do you have these flags already?
Cheers!
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Hey, beste ik zie aan je profiel dat je Nederlands bent? :/
Nou ik deed een beetje research en een expert/nerd zei tegen me dat
(Block scripts loaded via document.write, tot grote security doorbraken kan leiden of problemen met je privacy..)
Ik weet natuurlijk niet of dit waar is of niet, daarom vraag ik het is aan jou :)
Zouden deze Flags enige problemen, security doorbraken, privacy leaks kunnen veroorzaken? :/
Hoelang heb jij deze Flags al?
Groetjes!

----------------

Hey there, some expert/nerd sayed to me that
(Block scripts loaded via document.write, can lead to serious security breaches or problems with your privacy..)
I don't know if this is true orn't, thats why i ask it to you :)
Will these flags cause any security, privacy breaches or problems?
How long do you have these flags already?
Cheers!
Yep Dutch, but responding in Dutch-English (Dunglish)

Looking at the descritption it blocks third-party scripts inserted, so unless something is lost in translation dynamically injected third-party scripts are something to stay away from as this post explains (scroll down to "document write can be a form of eval" - link)

1542135742691.png
 

brent023

New Member
Looking at the descritption it blocks third-party scripts inserted, so unless something is lost in translation dynamically injected third-party scripts are something to stay away from as this post explains
So it's safe to have this flag enabled..
All it does is blocking third-part scripts that can have bad code inserted into the document.write or something like that?
and this also speeds up loading times of pages?
 

DeepWeb

Level 25
Verified
chrome://flags/#enable-service-worker-servicification

I have seen a fast improvement in page lookups with this enabled.

I have an issue with the wording on top document isolation:
"In this mode, iframes from different third-party sites will be allowed to share a process."

So if enabled all third party iframes share a process as opposed to keeping them in separate processes? Wouldn't keeping it disabled be better for privacy?
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
My current flags (on Linux Lite & Windows 10)

Security l
- some security flags are now enabled by default (e.g. strict site isolation) or when your OS supports it (e.g. appcontainer)
#disallow-doc-written-script-loads (enabled)
#disallow-unsafe-http-downloads (enabled)
#enable-framebusting-needs-sameorigin-or-usergesture (enabled)
#enable-mark-http-as ...non-secure (enabled: non secure warning and passwords ... )
#enable-signed-http-exchange (disabled)
#extension-content-verification (enforce strict ...)
#pdf-isolation (enabled)

Privacy
#disable-hyperlink-auditing (enabled)
#enable-history-entry-requires-user-gesture (enabled)
#reduced-referrer-granularity (enabled)

Performance
#autoplay-policy (user gesture is required ...)
#enable-gpu-rasterization (enabled)
#enable-lazy-frame-loading (enabled)
#enable-lazy-image-loading (enabled)
#enable-parallel-downloading (enabled)
#enable-tcp-fast-open (enabled)
#load-media-router-component-extension (disabled)
 
Last edited:

Windows_Security

Level 23
Verified
Trusted
Content Creator
So it's safe to have this flag enabled..
All it does is blocking third-part scripts that can have bad code inserted into the document.write or something like that?
and this also speeds up loading times of pages?
Found an old (2012) PoC where an image obfuscates a script using document.write. This flag is so old (from 2G area and we are now on 4G entering 5G), that no website should use this mechanism anymore. Google disabled it for performance reasons (and only blocked third-party), so it is safe to disable this IMO.
1546684946145.png
 
Last edited:

Spawn

Administrator
Verified
Staff member
Update for Chrome v72

Touch UI Layout
Enables touch UI layout in the browser's top chrome. – Mac, Windows, Linux, Chrome OS
  • Default
  • Automatic
  • Disabled
  • Enabled
chrome://flags/#top-chrome-touch-ui

Set to Enabled for similar to Touchable Refresh

For a refreshed Chrome UI try these 2 flags

UI Layout for the browser's top chrome #top-chrome-md
Toggles between
  1. Normal - for clamshell devices
  2. Hybrid (previously touch) - middle point for devices with a touch screen
  3. Touchable - new unified interface for touch and convertibles (Chrome OS)
  4. Material Design refresh
  5. Touchable Material Design refresh.
– Mac, Windows, Linux, Chrome OS

<snip>

<snip>

Windows 10 + Chrome Canary v68 - Set UI Layout as Touchable Refresh
View attachment 188869

(based on source)
 

Moonhorse

Level 28
Verified
Content Creator
??? don't understand you, please explain
Like if you have VPN and you do use ublock origin as example:
gorhill/uBlock

is this because of extension (ublock origin) or is the feature meant to do same as chrome/flag is doing currently?

Even though you hide local ip with chrome:flag, is there any benefits to enable that feature?
Its hard to spell what im meaning :D
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
@Moonhorse

When you use uBloc0 you can simply keep using the block WebRTC.

I like to use what is there. In Firefox and Edge it is possible to hide private IP adres (the one your router gives you on your internal network) using browser settings. In Chrome it was also possible in the past, but they removed that option some time. Extensions like WebRTC block and uBlock0 filled in the gap and offered an easy way to disable this 'leak'.

There are so many ways you can be traced. While most of this data does not mark you as an individual, combining several fields makes it possible to track you, no matter how many blocklists people keep adding in there adBlocker.

I consider Privacy a lost war. I use AdGuard beta (with stealth mode including a limited lifetime of first-party cookies of 150 minutes) and Privacy Possum to make it a little harder for advertising networks to track me.

Most used tracking methods:
- using UTM codes in URL: What Are UTM Codes and How Do You Use Them?
- misusing the browser cache (etag headers)
- long life time of (first-party) cookies (most people don't delete history or know the settings to limit it to browser is closed)
- referrer imfo passes at cross origin requests)
- fingerprinting (combining available browser data, which does not nessecarely identifies you uniquely. This is often used when you look at hotel prices or air flights. After some time of looking for the best, the best deal starts to increase in price or reduce in availability . They don;t know that it is you, but there is a larger than 80% chance that the person looking for that destination, with profile A is the same person who is looking at those prices an hour or a day later. Because this fingerprint is server side stored, only TOR browser and VPN could protect you against such tracking techniques.
 
Last edited:
Top