Update List of Interesting Experimental Flags for Google Chrome

Jan Willy

Level 7
Jul 5, 2019
285
Also if someone need: The command line switch for that is:
Code:
 --ssl-version-min=tls1.2

Site to verify the setting: https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
Enable next setting in experiments. Will come in Chrome 84.0 in July. Now already in Edge Chromium.
1593445454409.png
 
Last edited:

HarborFront

Level 59
Verified
Content Creator
Oct 9, 2016
4,825
Experimental QUIC Protocol - Disabled

Please read the comment inside the below article to disable it


Quote from comment

The ‘QUIC’ protocol (Google originated BTW) appears to be insecure against webtracking by commercial as well as govt. trackers & surveillance. A user/browser may be (passively) uniquely tracked across a browsing session (and possibly across multiple sessions in some instances), without the need for cookies, other trackers, or fingerprinting, according to a recent University of Hamburg paper:

https://content.sciendo.com/downloadpdf/journals/popets/2019/3/article-p255.pdf

Thus, probably best not to enable this in your browser if you are privacy-minded, until this hole is patched … (I haven’t been able to find any mention that browser vendors have even addressed this to-date)

QUIC has already been enabled in Chrome for quite some time, surprise, surprise (Google builds in yet another hidden, powerful privacy-shredding tracker into its next-generation web technology and as well as its 60%-market-share-browser?? There’s a shocker for ya…)
You can disable this in most Chromium-based browsers, tho’, and/or otherwise at your OS firewall:

How to disable QUIC protocol in Google Chrome

Unquote
 

CyberTech

Level 36
Verified
Nov 10, 2017
2,517
Web browsers uses a lot of battery when they are run on mobile devices such as laptops. While it helps to use content blockers and other extensions to remove or block elements that may draw additional power, it is still problematic from a user perspective.

Google has run experiments in the past couple of months in its Chrome web browser to find out if the throttling of JavaScript in background tabs has an effect on the battery usage of the web browser.

Chromium engineers decided to analyze "the work done by popular sites in the background" and determined that "a lot of work was done from JavaScript timers"at were not "valuable to the user" often.

The idea was born to reduce the number of wake ups from JavaScript timers in background tabs in the web browser to find out if that would improve battery life.
Currently, JavaScript wake ups are limited to 1 wake up per second in stable versions of the Chrome web browser.

A new Chrome experimental flag is available to enable the feature in development versions of the Chrome we browser (Canary).
  • Name: Throttle Javascript timers in background.
  • Description: When enabled, wake ups from DOM Timers are limited to 1 per minute in a page that has been hidden for 5 minutes.
Here is how to enable the experiment:
  1. Load chrome://flags in the web browser's address bar.
  2. Search for Throttle Javascript timers in background.
  3. Set the flag to Enabled.
  4. Restart the browser.

 

SpiderWeb

Level 6
Aug 21, 2020
256
I have been using the post-quantum key exchange flag for 2 months now with no issues. What you will see in the Security tab is "CECPQ2" (screenshot) as you navigate Google and Cloudflare websites. It's a combination of X25519 + an updated structured-lattice scheme (NTRU-HRSS). The links below go into way better detail. For me it appears to only trigger PQ encryption on Google domains but it's still worth turning on:

chrome://flags/#post-quantum-cecpq2

Information on CECPQ2:
NIST Research Presentation (PDF)

Observations:
-I have not noticed a discernible difference in performance compared to TLS 1.3 with just X25519
-It is slower than QUIC X25519 and Google Chrome will prefer QUIC over TLS 1.3 CECPQ2
-There are reports that it does break a few sites (ERR_CONNECTION_RESET): Source
 

Attachments

  • Screenshot 2020-08-21 at 18.56.24.png
    Screenshot 2020-08-21 at 18.56.24.png
    129.1 KB · Views: 418
  • Screenshot 2020-08-21 at 18.53.27.png
    Screenshot 2020-08-21 at 18.53.27.png
    71 KB · Views: 403

HarborFront

Level 59
Verified
Content Creator
Oct 9, 2016
4,825
Please enable the following flags in Chrome 85 if you have them

Framebusting requirers same-origin or a user gesture
Top document isolation
Strict site isolation

I'm basing on my latest Kiwi browesr version
 
Last edited:

HarborFront

Level 59
Verified
Content Creator
Oct 9, 2016
4,825
Enable flag 'Insecure origins treated as secure'

In my case I added the below HTTP sites (separated by a comma). By doing so the word 'Not secure' will no longer appear before the http://xxxxxxxxx in the address bar. Since some of the HTTP sites also cannot be upgraded to HTTPS sites in this case the Smart HTTP extension is of no use.

httx://budgetlightforum.com/, httx://eng.chinamil.com.cn/, httx://forum.notebookreview.com/, httx://www.candlepowerforums.com/, httx://www.globaltimes.cn/index.html, httx://www.ecns.cn/

Replace the 'x' by 'p'
 
Last edited:

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
Lazy Lenny here :) these the flags set. Which ones are redundant because the default has changed?

Security
Experimental quick protocol - disabled
Block scripts loaded via document Write - disabled
Block insecure private network requests - enabled
Force empty CORB and CORS allowlist - enabled
Treat risky downloads over insecure connections as active mixed content - enabled
Strict-Origin-Isolation - enabled
Storage Access API - disabled

Privacy
Anonymize local IPs exposed by WebRTC - enabled
Frecency ranking for local history zero-prefix suggestions - disabled
Omnibox short bookmark suggestions - disabled
Omnibox switch to tab suggestions - disabled
Omnibox Pedal suggestions - disabled
Omnibox Rich Autocompletion Promising Combinations - disabled
Omnibox Dynamic Max Autocomplete - disabled
SameSite by default cookies - enabled
Cookies without SameSite must be secure - enabled
Heavy Ad Intervention - enabled
Heavy ad privacy mitigations - enabled
Schemeful Same-Site - enabled

Performance
Load media router component - disabled
Parallel downloading - enabled
Enable lazy image loading - enabled
Enable lazy frame loading - enabled

Don't use or don't need
Allow all sites to initiate mirroring - disabled
Enable On-Demand Media Router Extension - disabled
Background Push Notifications - disabled
Toast Notification Background Task Event Handlers - disabled
Enable Share Targets - disabled

Functionality
Vertical tabs - enabled


Thanks for your feedback and tips in advance

Lenny
 
Last edited:

TairikuOkami

Level 31
Verified
Content Creator
May 13, 2017
2,046
Heavy ad privacy mitigations - enabled
I was under impression, it is better to have it disabled. 🤔
It disables the browser's defense mechanism and is intended only for developers and site owners.
Disables privacy mitigations for the heavy ad intervention. This makes the intervention deterministic.This is intended to be used for debugging only.
Code:
Disabled #heavy-ad-privacy-mitigations
Disabled #tab-hover-cards
Enabled #block-insecure-private-network-requests
Enabled #disallow-doc-written-script-loads
Enabled #dns-httpssvc
Enabled #enable-heavy-ad-intervention
Enabled #enable-parallel-downloading
Enabled #enable-quic
Enabled #enable-webrtc-hide-local-ips-with-mdns
Enabled #omnibox-default-typed-navigations-to-https
Enabled #quiet-notification-prompts
Enabled #safe-browsing-enhanced-protection-message-in-interstitials
Enabled #turn-off-streaming-media-caching-always
Enabled #use-sync-sandbox
 

SeriousHoax

Level 37
Verified
Mar 16, 2019
2,660
A new flag in Chrome v89 which you can enable. Chrome will try HTTPS first if you type an incomplete URL

chrome://flags/#omnibox-default-typed-navigations-to-https
Looks like Chrome already does this in 89.
Source:
 
Top