List of Interesting Experimental Flags for Google Chrome to Try Out

Jan Willy

Jul 5, 2019
Also, if someone needs it, the command-line switch for that is:
Code:
 --ssl-version-min=tls1.2

Site to verify the setting: https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
Enable the next setting in experiments. It will come in Chrome 84.0 in July. It is already in Edge Chromium now.

HarborFront

Oct 9, 2016
Experimental QUIC Protocol - Disabled

Please read the comment inside the below article to disable it


Quote from comment

The ‘QUIC’ protocol (Google originated BTW) appears to be insecure against webtracking by commercial as well as govt. trackers & surveillance. A user/browser may be (passively) uniquely tracked across a browsing session (and possibly across multiple sessions in some instances), without the need for cookies, other trackers, or fingerprinting, according to a recent University of Hamburg paper:

https://content.sciendo.com/downloadpdf/journals/popets/2019/3/article-p255.pdf

Thus, probably best not to enable this in your browser if you are privacy-minded, until this hole is patched … (I haven’t been able to find any mention that browser vendors have even addressed this to-date)

QUIC has already been enabled in Chrome for quite some time, surprise, surprise (Google builds in yet another hidden, powerful privacy-shredding tracker into its next-generation web technology and as well as its 60%-market-share-browser?? There’s a shocker for ya…)
You can disable this in most Chromium-based browsers, tho’, and/or otherwise at your OS firewall:

How to disable QUIC protocol in Google Chrome

Unquote
 

CyberTech

Nov 10, 2017
Web browsers use a lot of battery when they are run on mobile devices such as laptops. While it helps to use content blockers and other extensions to remove or block elements that may draw additional power, it is still problematic from a user perspective.

Google has run experiments in the past couple of months in its Chrome web browser to find out if the throttling of JavaScript in background tabs has an effect on the battery usage of the web browser.

Chromium engineers decided to analyze "the work done by popular sites in the background" and determined that "a lot of work was done from JavaScript timers" that were not "valuable to the user" often.

The idea was born to reduce the number of wake ups from JavaScript timers in background tabs in the web browser to find out if that would improve battery life.
Currently, JavaScript wake ups are limited to 1 wake up per second in stable versions of the Chrome web browser.

A new Chrome experimental flag is available to enable the feature in development versions of the Chrome web browser (Canary).
  • Name: Throttle Javascript timers in background.
  • Description: When enabled, wake ups from DOM Timers are limited to 1 per minute in a page that has been hidden for 5 minutes.
Here is how to enable the experiment:
  1. Load chrome://flags in the web browser's address bar.
  2. Search for Throttle Javascript timers in background.
  3. Set the flag to Enabled.
  4. Restart the browser.

 

HarborFront

Oct 9, 2016
Can enable this flag

Prefetch request properties are updated to be privacy-preserving

Prefetch requests will not follow redirects, not send a Referer header, not send credentials for cross-origin requests, and do not pass through service workers.
 

SpiderWeb

Aug 21, 2020
I have been using the post-quantum key exchange flag for 2 months now with no issues. What you will see in the Security tab is "CECPQ2" (screenshot) as you navigate Google and Cloudflare websites. It's a combination of X25519 + an updated structured-lattice scheme (NTRU-HRSS). The links below go into way better detail. For me it appears to only trigger PQ encryption on Google domains but it's still worth turning on:

chrome://flags/#post-quantum-cecpq2

Information on CECPQ2:
NIST Research Presentation (PDF)

Observations:
- I have not noticed a discernible difference in performance compared to TLS 1.3 with just X25519
- It is slower than QUIC X25519 and Google Chrome will prefer QUIC over TLS 1.3 CECPQ2
- There are reports that it does break a few sites (ERR_CONNECTION_RESET): Source
 


HarborFront

Oct 9, 2016
Please enable the following flags in Chrome 85 if you have them

Framebusting requires same-origin or a user gesture
Top document isolation
Strict site isolation

I'm basing this on my latest Kiwi browser version
 

HarborFront

Oct 9, 2016
Enable flag 'Insecure origins treated as secure'

In my case I added the below HTTP sites (separated by a comma). By doing so, the words 'Not secure' will no longer appear before the http://xxxxxxxxx in the address bar. Since some of the HTTP sites also cannot be upgraded to HTTPS sites, in this case the Smart HTTP extension is of no use.

httx://budgetlightforum.com/, httx://eng.chinamil.com.cn/, httx://forum.notebookreview.com/, httx://www.candlepowerforums.com/, httx://www.globaltimes.cn/index.html, httx://www.ecns.cn/

Replace the 'x' by 'p'
 

Lenny_Fox

Oct 1, 2019
Lazy Lenny here :) These are the flags set. Which ones are redundant because the default has changed?

Security
Experimental QUIC protocol - disabled
Block scripts loaded via document.write - disabled
Block insecure private network requests - enabled
Force empty CORB and CORS allowlist - enabled
Treat risky downloads over insecure connections as active mixed content - enabled
Strict-Origin-Isolation - enabled
Storage Access API - disabled

Privacy
Anonymize local IPs exposed by WebRTC - enabled
Frecency ranking for local history zero-prefix suggestions - disabled
Omnibox short bookmark suggestions - disabled
Omnibox switch to tab suggestions - disabled
Omnibox Pedal suggestions - disabled
Omnibox Rich Autocompletion Promising Combinations - disabled
Omnibox Dynamic Max Autocomplete - disabled
SameSite by default cookies - enabled
Cookies without SameSite must be secure - enabled
Heavy Ad Intervention - enabled
Heavy ad privacy mitigations - enabled
Schemeful Same-Site - enabled

Performance
Load media router component - disabled
Parallel downloading - enabled
Enable lazy image loading - enabled
Enable lazy frame loading - enabled

Don't use or don't need
Allow all sites to initiate mirroring - disabled
Enable On-Demand Media Router Extension - disabled
Background Push Notifications - disabled
Toast Notification Background Task Event Handlers - disabled
Enable Share Targets - disabled

Functionality
Vertical tabs - enabled


Thanks for your feedback and tips in advance

Lenny
 

TairikuOkami

May 13, 2017
Heavy ad privacy mitigations - enabled
I was under the impression that it is better to have it disabled. 🤔
It disables the browser's defense mechanism and is intended only for developers and site owners.
Disables privacy mitigations for the heavy ad intervention. This makes the intervention deterministic. This is intended to be used for debugging only.
Code:
Disabled #heavy-ad-privacy-mitigations
Disabled #tab-hover-cards
Enabled #block-insecure-private-network-requests
Enabled #disallow-doc-written-script-loads
Enabled #dns-httpssvc
Enabled #enable-heavy-ad-intervention
Enabled #enable-parallel-downloading
Enabled #enable-quic
Enabled #enable-webrtc-hide-local-ips-with-mdns
Enabled #omnibox-default-typed-navigations-to-https
Enabled #quiet-notification-prompts
Enabled #safe-browsing-enhanced-protection-message-in-interstitials
Enabled #turn-off-streaming-media-caching-always
Enabled #use-sync-sandbox
 

SeriousHoax

Mar 16, 2019
A new flag in Chrome v89 which you can enable. Chrome will try HTTPS first if you type an incomplete URL.

chrome://flags/#omnibox-default-typed-navigations-to-https
Looks like Chrome already does this in 89.
Source:
 

HarborFront

Oct 9, 2016
Just updated my UC to v95 and found some new flags

1) Strict Extension Isolation
Experimental security mode that prevents extensions from sharing a process with each other. – Mac, Windows, Linux, Chrome OS

2) HTTPS-First Mode Setting
Adds a setting under chrome://settings/security to opt-in to HTTPS-First Mode. – Mac, Windows, Linux, Chrome OS, Android

The below flag has expired

chrome://flags/#omnibox-default-typed-navigations-to-https

Note: Many of the existing flags have EXPIRED!!

Has anyone enabled the above?

Any other flag(s) that deserve to be enabled, i.e. from v90 to v95?
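Several posts above list flag states by hand and note that flags expire or are meant for debugging only. The following is an added example, not part of any post in this thread: it reads the flag list Chrome keeps in its `Local State` profile file and reports the set flags that posters here commented on. The sample file content, the `THREAD_NOTES` table and the function names are constructed for illustration, and the meaning of the `@1`/`@2` suffix is an assumption stated in the code.

```python
import json
import re

# Constructed sample of the relevant part of Chrome's "Local State" JSON file.
SAMPLE_LOCAL_STATE = json.dumps({
    "browser": {"enabled_labs_experiments": [
        "enable-quic@2",
        "heavy-ad-privacy-mitigations@1",
        "omnibox-default-typed-navigations-to-https@1",
        "block-insecure-private-network-requests@1",
    ]}
})

# Notes taken from posts in this thread, not from Chromium documentation.
THREAD_NOTES = {
    "heavy-ad-privacy-mitigations": "description quoted in thread: debugging only",
    "omnibox-default-typed-navigations-to-https": "reported expired as of v95",
}

# Assumption: for plain feature flags the suffix is 1 = Enabled, 2 = Disabled;
# flags with more choices use other indices, reported here as "option N".
STATES = {"1": "Enabled", "2": "Disabled"}


def flags_from_local_state(text):
    """Return {flag: state} from the Local State JSON text."""
    entries = json.loads(text).get("browser", {}).get("enabled_labs_experiments", [])
    result = {}
    for entry in entries:
        name, _, index = entry.partition("@")
        result[name] = STATES.get(index, f"option {index}" if index else "Enabled")
    return result


def flags_from_post(text):
    """Parse the 'Enabled #flag-name' lines used in the list posted above."""
    pattern = re.compile(r"^(Enabled|Disabled)[ \t]+#([a-z0-9-]+)[ \t]*$", re.M)
    return {name: state for state, name in pattern.findall(text)}


def review(flags):
    """Return (flag, state, note) for every set flag the thread commented on."""
    return sorted((f, s, THREAD_NOTES[f]) for f, s in flags.items() if f in THREAD_NOTES)


if __name__ == "__main__":
    for flag, state, note in review(flags_from_local_state(SAMPLE_LOCAL_STATE)):
        print(f"{flag}: {state} ({note})")
```

To check a real profile, pass the text of the `Local State` file from the browser's user data directory to `flags_from_local_state` instead of the sample.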
 

amirr

Jan 26, 2020
Is this flag OK and safe to enable now in the latest version of Google Chrome?
You can now enable Windows 11 design in Google Chrome 96
 

Moonhorse

May 29, 2018
Is this flag OK and safe to enable now in the latest version of Google Chrome?
You can now enable Windows 11 design in Google Chrome 96
It's a visual flag only; it's been there for a ''long'' time as far as I know, and lastly there is no warning, as there mostly is when it might cause problems... so I suppose it's pretty OK to turn it on.
 
