List of Interesting Experimental Flags for Google Chrome to Try Out

[Moonhorse]

@Moonhorse

When you use uBloc0 you can simply keep using the block WebRTC.

I like to use what is there. In Firefox and Edge it is possible to hide private IP adres (the one your router gives you on your internal network) using browser settings. In Chrome it was also possible in the past, but they removed that option some time. Extensions like WebRTC block and uBlock0 filled in the gap and offered an easy way to disable this 'leak'.

There are so many ways you can be traced. While most of this data does not mark you as an individual, combining several fields makes it possible to track you, no matter how many blocklists people keep adding in there adBlocker.

I consider Privacy a lost war. I use AdGuard beta (with stealth mode including a limited lifetime of first-party cookies of 150 minutes) and Privacy Possum to make it a little harder for advertising networks to track me.

Most used tracking methods:
- using UTM codes in URL: What Are UTM Codes and How Do You Use Them?
- misusing the browser cache (etag headers)
- long life time of (first-party) cookies (most people don't delete history or know the settings to limit it to browser is closed)
- referrer imfo passes at cross origin requests)

For sure its lost war indeed, just was curious should i enable the webRTC to leak my local ip, and does it matters at all if i do

Myself i kinda find trace+ decentraleyes+ ublock origin to do everything on privacy side, but then again im thinking im fine without

 

[Windows_Security]

@Moonhorse

Yes local IP is usually the same because most routers use DHCP reservation, so with external IP, browser data and some fingerprinting they know it is you, so have a look at browserleaks.com and panopticlick.eff.org.

Easylist and Adguard have included Content Delivery Networks in their blocklists which makes decentral eyes sort of redundant.Also Trace+ does not do well in above mentioned tests of websites last time I checked them, but it might have improved, better check it out.

Regards Kees

 

[Moonhorse]

@Moonhorse

Yes local IP is usually the same because most routers use DHCP reservation, so with external IP, browser data and some fingerprinting they know it is you, so have a look at browserleaks.com and panopticlick.eff.org.

Easylist and Adguard have included Content Delivery Networks in their blocklists which makes decentral eyes sort of redundant.Also Trace+ does not do well in above mentioned tests of websites last time I checked them, but it might have improved, better check it out.

Regards Kees

Since i enabled that flag my fingerprint went to > 100% (0 of 358283 user agents have the same signature)
So it hides your public ip on browserleaks and aswell the fingerprint is more unique?

 

[Windows_Security]

@Moonhorse: that is because it is a blank value now.

My advice would be replace two useless extensions (decentral eyes and trace) with privacy possum and canvasdefender

See for some background info HTML5 APIs Fingerprint Users - How to Prevent - Blog | add0n.com

Take the test results with a grain of salt. Notice the NEARLY-unique* in the results below , also the red X-mark in the 'Unblock 3rd-party cookies which PROMISE to honor do not track', is a positive result IMO

* P.S.
Based on your public IP, it is relatively easy to track your location on zip-code level. I have my OS, Office and Chrome in US-English, because it is much easier to troubleshoot something when using the English version. I had Dutch version for some time, but it was hard to find the corresponding Dutch settings in Windows/Office/Chrome/etc.

The NEAR uniqueness is caused (when allowing website to track your location) because there are probably very few people in my ZIP code using US English version of browser and OS. So when they know my location, I am nearly-unique and very easy to track. Even when I raised the threshold by using Adguard to remove UTM identifiers, Privacy Possum blocking etag-headers misuse in cache, Canvas fingerprint to generate a new unique fingerprint-ID.

As explained earlier when I am looking for a good deal for a flight, holiday destination or hotel accomodation, I will be reviewing the same bookable/purchasable objects with a time frame of say 15 minutes. When a US-UK visitor with my Zip-code looks at 70% of the same bookable/purchasable objects the next day, it is probably me again. So after two-three returning visits without actual purchase, don't be surprised to see prices rising or availability reducing.

We are the GAFAM. Lower your shields and surrender your privacy. We will add your biological and technological distinctiveness to our own telemetry. Your buying behavior will adapt to our ad--services. Resistance is futile.

 

[Ink]

New tab button position
Controls placement of the new tab button within the tabstrip. – Mac, Windows, Linux, Chrome OS.

• Default

• Opposite caption buttons (looks same as below)
• Leading

• After tabs

• Trailing

chrome://flags/#new-tab-button-position

 

[LDogg]

On topic with flags, what are the best flag to enable for security & privacy which are stable?

~LDogg

 

[Moonhorse]

thanks @Spawn for sharing this. Enabled the leading, i like it

 

[Windows_Security]

Privacy
Anonymize local IPs exposed by WebRTC (enable)
Reduce default 'referer' header granularity. (enable)
Hyperlink auditing (disable)

Security
Enable AppContainer Lockdown (enabled - by default, but as long as it is in flags I enable it)
Enable GPU AppContainer Lockdown (enable)
PDF isolation enabled
Block unsafe downloads over insecure connections (enabled)
Mark non-secure origins as non-secure (mark actively as dangereous)
TLS 1.3 downgrade hardening (enabled)

Question
Any proven performance flags welcome, so please post
(I have parallel downloading enabled, but quite frankly can't measure difference)

 

[Windows_Security]

Trick to get a blank new tab with chrome

1. Make startpage/duck duck go your default search engine (for startpage enter manually)
- search engine: Startpage
- keyword: startpage.com
- query URL: hxxps://startpage.com/search?q=%s
(change hxxps in https)

2. Type NTP in about://flags
Disable minimum for server-side tile suggestions on NTP (disable)
Enable using the Google local NTP (enable)
Enable doodles on the local NTP (disable)
Enable search suggestions on the local NTP (disable)
Enable promos on the local NTP (disable)
New Tab Page Background Selection (disable)
New Tab Page Custom Links (enable)
Top Sites from Site Engagement (disable)

3. Install an extension to auto wipe history like: Auto History Wipe (make sure too enable all options)

4. Click away (X) what is left on NTP

That is it

 

[Stas]

Hyperlink auditing (disable)

I thought Hyperlink auditing flag #disable-hyperlink-auditing should be set to (enable) for privacy.
When enable flag #disable-hyperlink-auditing isn't it disables hyperlink auditing?

 

[Moonhorse]

Privacy
Anonymize local IPs exposed by WebRTC (enable)
Reduce default 'referer' header granularity. (enable)
Hyperlink auditing (disable)

Security
Enable AppContainer Lockdown (enabled - by default, but as long as it is in flags I enable it)
Enable GPU AppContainer Lockdown (enable)
PDF isolation enabled
Block unsafe downloads over insecure connections (enabled)
Mark non-secure origins as non-secure (mark actively as dangereous)
TLS 1.3 downgrade hardening (enabled)

Question
Any proven performance flags welcome, so please post
(I have parallel downloading enabled, but quite frankly can't measure difference)

Currently using these, thanks for tips. + Privacy possum. Can you post your opinions on updated trace somewhere in mt?

 

[bribon77]

Trick to get a blank new tab with chrome

1. Make startpage/duck duck go your default search engine (for startpage enter manually)
- search engine: Startpage
- keyword: startpage.com
- query URL: hxxps://startpage.com/search?q=%s
(change hxxps in https)

2. Type NTP in about://flags
Disable minimum for server-side tile suggestions on NTP (disable)
Enable using the Google local NTP (enable)
Enable doodles on the local NTP (disable)
Enable search suggestions on the local NTP (disable)
Enable promos on the local NTP (disable)
New Tab Page Background Selection (disable)
New Tab Page Custom Links (enable)

3. Install an extension to auto wipe history like: Auto History Wipe (make sure too enable all options)

4. Click away (X) what is left on NTP

That is it

Fact. In SlimjetThank you

 

[Windows_Security]

I thought Hyperlink auditing flag #disable-hyperlink-auditing should be set to (enable) for privacy.
When enable flag #disable-hyperlink-auditing isn't it disables hyperlink auditing?

I thought the same, but then why would this switch be enabled by default when disabling hyperlink auditing would increase privacy. Somehow enabled by default increasing privacy just did not sound like standard Google practices to me.

Maybe more knowledgeable members can join in with insiders information

 

[Moonhorse]

With this flag opera is usable for me Probably i prefer it now over chrome

 

[Windows_Security]

My updated flags

Privacy
Anonymize local IPs exposed by WebRTC (enable)
Reduce default 'referer' header granularity. (enable)
Hyperlink auditing (disable)
New history entries require a user gesture (enable)
History Manipulation Intervention (enabled)
Unified Consent (enabled)
Disable minimum for server-side tile suggestions on NTP (disable)
Top Sites from Site Engagement (disable)
Enable search suggestions on the local NTP (disable)

Security
Enable GPU AppContainer Lockdown (enable)
PDF isolation enabled
Block unsafe downloads over insecure connections (enabled)
Mark non-secure origins as non-secure (mark actively as dangereous)
TLS 1.3 downgrade hardening (enabled)
Extension Content Verification (enforce strict - hard fail ...)
User consent for extension scripts (enabled)
Framebusting requires same-origin or a user gesture (enabled)

Performance
GPU rasterization (enabled)
Enable lazy image loading (enabled)
Enable lazy frame loading (enabled)
Parallel downloading (enabled)
Enable doodles on the local NTP (disable)

Advertising
App Banners (disabled)
Autoplay policy (document user activation required)
Enable promos on the local NTP (disabled)
User Activation V2 (disabled)

Blank NTP trick
* change default engine toStartpage , remove others also Chrome
Enable using the Google local NTP (enable)
[ Enable doodles on the local NTP (disable) ] also performance
[ Enable search suggestions on the local NTP (disable) ] also privacy
[ Top Sites from Site Engagement (disable) ] also privacy
[ Disable minimum for server-side tile suggestions on NTP (disable) ] also privacy
[ Enable promos on the local NTP (disabled) ] also advertising

 

[Ink]

GOOGLE CHROME FOR ANDROID: Site Isolation For Password Sites

• Security mode that enables site isolation for sites based on password-orientated heuristics, such as a user typing in a password.

#enable-site-isolation-for-password-sites
version 74.0.3729.112

 

[Sunshine-boy]

My updated flags

Hello! very nice:emoji_clap: thanks for sharing. I added some of those to my flags.if you want a better list check here:

CHEF-KOCH/Chromium-hardening

Hardens Chrome & Chromium based Browsers. Contribute to CHEF-KOCH/Chromium-hardening development by creating an account on GitHub.

github.com

this guy has some interesting and unique registry tweaks for windows too:

CHEF-KOCH/regtweaks

Registry Tweaks for Windows. Contribute to CHEF-KOCH/regtweaks development by creating an account on GitHub.

github.com

 

[DeepWeb]

Chrome 74 has brought so many new flags. Geez! They need to start removing flags that are already implemented. Either way. Here are some newer ones that I recently enabled related to security:

Anonymize local IPs exposed by WebRTC.
Site settings
Newblue
User consent for extension scripts
TLS 1.3 downgrade hardening
Web Authentication API BLE support (for U2F keys e.g Yubikey)
Web Authentication caBLE support (for U2F keys)
Enable Account Manager
Request Advanced Protection verdicts when inspecting downloads

 

[Windows_Security]

Request Advanced Protection verdicts when inspecting downloads

Thanks that is an interesting find

Did some Googling, you need to have Safe Browsing enabled and it seems to create a set of (additional control) strings for the download surfaces to provide extra protection against malicious downloads.

Some veteran members might remember BCclean which did something simular for new processes starting on your PC. knowing Google it will probably be implemented in a modern way. Artificial Intelligence systems look at file attributes to determine (pre-execution) whether something is malware. This new protection maybe adds a variable set of attributes by looking for 'string' patterns and combines this with big-data about the source of the download. When (a big conditional when) my guess is right, this could be the start of the next-level safe browsing feature.

 

[HarborFront]

25 Google Chrome Flags You Should Use in 2019

15 Google Chrome Flags You Should Use

Google Chrome users can use Chrome Flags to enable new features on Chrome. Here are 15 Google Chrome Flags you should use in 2024.

beebom.com