Google Chrome 97 introduces controversial keyboard API
Google Chrome 97 is expected to be released later today. The new stable version of Google Chrome will be rolled out via the browser's automatic updating system starting today.
Chrome 97's release was delayed by weeks because of the holiday period in many parts of the world. Google Chrome 96, the last major stable release in 2021, was released on November 16, 2021.
The new version of Google Chrome launches with a controversial Keyboard Map API. Previously, the API could not be used inside iframes, which put it out of reach for certain web experiences. Apps such as Microsoft's Office web applications could not use it to identify which key was pressed on different keyboard layouts, which vary by region and language. The change makes the functionality available to web applications that run inside iframes.
Here is the official explanation of why the feature has been implemented:
getLayoutMap() used in conjunction with code solves the problem of identifying the actual key pressed in keyboard with different layout maps such as English vs French keyboards, but since getLayoutMap() isn't available in all contexts (can't be used inside iframes), Office web apps like Excel, Word, PowerPoint, etc. that show up as embedded experiences in Outlook Web, Teams, etc. and are running in iframes, can't use this API.
Adding keyboard-map to the allow attribute list solves this problem.
Mozilla, Apple, Brave and other browser developers voiced concerns. One key argument that the companies brought forth against the integration in their browsers was that sites could use the functionality for fingerprinting purposes.
Apple published a response on GitHub, stating:
As I've noted in person a while ago, the Keyboard Map API as proposed exposes a high entropy fingerprinting surface. This is not acceptable from privacy perspective. As a result, the WebKit team at Apple is not interested in implementing this feature as currently proposed / spec'ed.
Brave Software, maker of the Brave Browser, had this to say:
Brave inherits from Chrome implementation of Keyboard API which does not provide any functionality to the user (only Chrome and Opera support it and, to my knowledge, no site actually uses it). However, the API might be used for fingerprinting.
WICG Keyboard Map Draft mentions that the API can be used for fingerprinting of:
Users who use uncommon ASCII layouts (like Dvorak or Colemak)
Users who use an ASCII layout that doesn’t match the default for the region that they are in. For example, a user in the US with an active UK or French layout.
Mozilla finally added the Keyboard Map API to the list of harmful APIs that it won't implement in the Firefox web browser.
Google will implement the API in Chrome, but many other browsers, even those based on Chromium, won't implement it or will disable the API so that it can't be used by websites.
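Added example (not from the article or from any browser vendor): a small JavaScript audit that a site owner could run to see which embedded frames a page delegates keyboard-map to through the iframe allow attribute, and whether a Permissions-Policy response header switches the feature off entirely. The function names, the sample markup and the example hosts are constructed for illustration.

```javascript
// Added example: which iframes does a page let call navigator.keyboard.getLayoutMap()?
// All names, hosts and markup below are constructed for illustration.

// Parse an iframe allow attribute ("feature allowlist; feature ...") into a Map.
function parseAllow(allowAttr) {
  const policy = new Map();
  for (const directive of allowAttr.split(';')) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/);
    if (feature) policy.set(feature.toLowerCase(), allowlist);
  }
  return policy;
}

// True when a Permissions-Policy header turns the feature off for every origin,
// e.g. "keyboard-map=()". Simplified: assumes no commas inside allowlist URLs.
function headerDisables(headerValue, feature = 'keyboard-map') {
  return headerValue.split(',').some((item) => {
    const [name, value = ''] = item.trim().split('=');
    return name.trim().toLowerCase() === feature && value.trim() === '()';
  });
}

// List iframes that explicitly delegate keyboard-map via allow.
// Regex matching keeps this dependency-free; use an HTML parser for real audits.
function auditFrames(html, permissionsPolicyHeader = '') {
  if (headerDisables(permissionsPolicyHeader)) return []; // nothing left to delegate
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const src = (tag.match(/\ssrc\s*=\s*"([^"]*)"/i) || [])[1] || '(no src)';
    const allow = (tag.match(/\sallow\s*=\s*"([^"]*)"/i) || [])[1] || '';
    const allowlist = parseAllow(allow).get('keyboard-map');
    if (!allowlist || allowlist.includes("'none'")) continue;
    // A bare feature name means the default allowlist 'src' (the frame's own origin).
    findings.push({ src, allowlist: allowlist.length ? allowlist : ["'src'"] });
  }
  return findings;
}

// Constructed sample page with four embedded frames.
const SAMPLE_HTML = `
<iframe src="https://docs.example/editor" allow="keyboard-map; clipboard-read"></iframe>
<iframe src="https://ads.example/slot" allow="keyboard-map *"></iframe>
<iframe src="https://video.example/embed" allow="fullscreen" allowfullscreen></iframe>
<iframe src="https://widget.example/chat" allow="keyboard-map 'none'"></iframe>`;

console.log(auditFrames(SAMPLE_HTML));
```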
Interested users can check out the other features of Chrome 97 here.
Now You: what is your preferred browser right now?
Am I the only one just slightly confused by the fact that the GitHub comments from Apple and Brave are both dated 2019, and yet this is a “new” problem with Chrome 97 in 2022?
@Mac_SE_5379
A draft of the API has been present in Chromium for a while but was not finalized or enabled by default until recently.
A lot of people install and launch Chrome because one or another site or service they are using, essentially requires it. Many sites now specify Chrome as their recommended browser. The rich array of supported browser extensions open up whole areas of functionality, e.g., screen sharing for example. For this reason, I keep a copy of Chrome on my computer.
My daily use browser is Safari, and I have several secondary and tertiary browsers available, including Google Chrome. But I only use it when it is required.
How about they one j/a on TOR, running a Dvorak keyboard and blocking all cookies just disable this feature and that will impair absolutely no one else’s privacy because the ship already sailed?
I wish people would just grow a brain and leave this browser. So sad the market share it has.
Which browser do you use?
Only smooth brains don’t use Brave.
Privacy erosion never happens all at once.
The frog is never dropped into boiling water or it will jump out. The water temp must be raised slowly and sneakily, lest the masses revolt.
How dare you compare frogs to humans? Amphibians are a way more intelligent species.
In case of humans all you have to do is tell each half of the population that the other half whom they generally disagree with are exclusively enjoying the pleasure of boiling water and just sit back and watch them all jump into the pot.
So, the New *World* Order uses *geo*thermal then? :D
No problem, just install Keyscrambler and let’s go with any API! Thanks @Martin! :]
I am not entirely sure why you are acting so aggressive towards this. Not any person reading the article will understand what fingerprinting is or why it’s bad and the author did a very poor job at explaining either. That’s the reason why I checked the comments in the first place.
But thank you for your reply regardless because once one gets past the first paragraph of swearing, it’s actually sufficiently explaining the situation
Yes it’s at least something. In this particular browser case, I guess. But people who install the free “Personal” edition of Keyscrambler should also be clearly aware that this will _not_ give you an actual, complete anti-keylogger protection. For this basic free version of Keyscrambler will protect only what you type in browsers. So if you are unlucky enough to have some hidden keylogging malware on your PC, whatever you type in (for example) in your email client or your password manager, will still be unprotected.
I’ve used Keyscrambler for years. Suggest everyone do the same.
So, what does this thing do? A keylogger? Is it in Chromium? Why do they even need this, android users who haven’t replaced the spaminator GBoard, already have everything they type scraped? That’s not sufficient?
Google has enough Make Work employees to park one of those silly Google Earth vehicles on every corner to monitor drones hovering at your front door and video the drones. That’s next? In the metaverse, Google will engulf you, The Blob style.
Seems like Big Tech has become a force they can’t even control which may be doing a decent job building the privacy industry. Ooops!
@ULBoom The article says what it does, but apparently you either can’t read or lack comprehension of what the article says.
No it is not a keylogger, it is not reading your keypresses, but… I mean, do I expect humans to read? to test it? to try to understand it? lol that’s too much to ask apparently.
What the API does, is that it gets your keyboard layout because some people might use different layouts, but obviously like any other web feature, it will get some information about you and can be used to fingerprint.
getLayoutMap will get this type of information for example:
For standard English keyboard:
{KeyE: "e", KeyD: "d", Minus: "-", KeyH: "h", KeyZ: "z", …}
For Dvorak keyboard:
{KeyE: ".", KeyD: "e", Minus: "[", KeyH: "d", KeyZ: ";", …}
That’s all it does, it just checks to see which layout you are using for whatever it would be needed by website. Of course, it is still information that can “identify you”.
I mean, people are afraid of these type of APIs maybe they should stay away from internet since pretty much anything made for the web is meant to fingerprint you, so all this drama, is a bit too much, you block this and then what? something else is going to identify you the same or better, are you going to block anything else and then not even open your search engine because it won’t work without enabling many stuff, like javascript and how you provide your IP and all that? most people’s data are not even valuable to even care, but some people worry like if their data was worth a penny.
Anyway, this seems like a useless API, getLayoutMap() has never been used by any website ever or you wouldn’t run into problems for blocking it.
Seems Brave has been the only one with some brains and actually do something easy about this SO DANGEROUS API: you have fingerprinting protection on? it gives an error when you run console and try to access it, you have it off? it displays the layout information.
Why others don’t do the same? oh yeaaaaah! because Mozilla, Apple, Edge and others haven’t done any real good native implementation to protect you (or whatever you want to call it), Brave seems to be the only one working on a native solution that does good Fingerprinting protection, blocks tracking scripts at the same level as uBlock does and is even able to do CNAME filtering, because being native it bypassed any Chromium restriction and the lack of DNS API.
@ULBoom
> Is it in Chromium?
Of course it is, what did you think? All web-related features are implemented in Chromium, Chrome is just Chromium + some proprietary binary blobs from Google + different branding.
The better question would be though, is it enabled? And the answer, outside of Chrome, depends on the fork, and is in my case a resounding “No.” as I am a Brave user: https://github.com/brave/brave-browser/issues/3964
The even better question is how much endorsements from West Boro Baptist church would help Brave increase browser market share over next year. It’s worth looking into.
@Iron Shart
As always, your comments are invaluable for me and the entire gHacks community.
I migrated to Brave browser, still keeping Edge for work stuff though.
Another one to add to the list of things to block.
Or just block Chrome (use other browser, preferably FF) :)
@Shadowed
LOL you mean the ones who get half billion dollars from Google? and keep copying any Google’s move they make?
Oh plus, Mozilla is the one that says “free internet for all” but at the same time supports censorship and deplatforming, to the point of spamming Android users about joining the “boycott facebook” campaign, what was it about? because Facebook is evil? nah, because facebook wasn’t censoring (supposedly) enough.
Also Mozilla is the company that keeps releasing extensions to grab people’s data while supposedly using them to “fix the internet” like the one about youtube suggestions which is obviously grabbing people’s data while wanting to find a way to massively report and remove videos that Mozilla thinks shouldn’t exist.
Best browser ever! /s
especially when you count the fact that it even uses SafeBrowsing by Google, telemetry turned on by default, I mean, if it was good, people shouldn’t have to go harden it with one billion things to turn off.
Or what about the fact that it consumes so many resources, especially when you use different profiles? or when you play videos it uses more CPU than any chromium browser.
I mean… it is like the worst Browser, but go ahead, keep thinking people should use Firefox because you are a fanboy, or because some lame reason like “Chromium’s monopoly”, forcing yourself to use the same coin with a different side and pretending it will be better for the internet to keep supporting Mozilla.
Mozilla did not say they want or support censorship. To quote from Mozilla blog
Changing these dangerous dynamics requires more than just the temporary silencing or permanent removal of bad actors from social media platforms.
Additional precise and specific actions must also be taken:
Reveal who is paying for advertisements, how much they are paying and who is being targeted.
Commit to meaningful transparency of platform algorithms so we know how and what content is being amplified, to whom, and the associated impact.
Turn on by default the tools to amplify factual voices over disinformation.
Work with independent researchers to facilitate in-depth studies of the platforms’ impact on people and our societies, and what we can do to improve things.
This only asks more transparency about advertisers and to work with researchers to reduce disinformation.
Google safe browsing is not a privacy issue. Every modern browser has it on by default. There are many recommendations to disable the Safe Browsing feature in Firefox due to privacy concerns and potential Google tracking. However, these concerns are based on an older version of the Safe Browsing feature, which would utilize “real-time lookup” of website URLs. This method has not been in use since 2011 – explained further here.
If a URL is needed, Firefox takes the following precautions to protect user privacy, as explained by François Marier, a security engineer for Mozilla:
Query string parameters are stripped from URLs we check as part of the download protection feature.
Cookies set by the Safe Browsing servers to protect the service from abuse are stored in a separate cookie jar so that they are not mixed with regular browsing/session cookies.
When requesting complete hashes for a 32-bit prefix, Firefox throws in a number of extra “noise” entries to obfuscate the original URL further.
Therefore I would conclude that disabling Safe Browsing would give you no tangible privacy benefits, while also being a security risk.
Telemetry is needed by all browsers though I agree that client identifiers should not be included since Brave does not include them.
However Firefox won’t survive for long if the Mozilla team ignores user feedback and acts like strict controlling parents.
> Mozilla did not say they want or support censorship.
> Turn on by default the tools to amplify factual voices over disinformation.
Sounds like a contradiction, eh? Because it is. Come on…
The rest of the posting is equally horrible btw. Websites are being financed by ads unless they go down the paywall route (and users, as we know, won’t pay, so it is not feasible). There are ad networks behind the financing of opposition websites as well. Mozilla wants details on who finances whom because that is the only way oppressors can defund political opposition, and Mozilla is helping their cause. Leave me alone with this bullshit, it is a major reason why I do not support Mozilla in any way, shape, or form.
wow, you’re spreading a lot of fake news and then telling other people they are “fanboys” if they use the browser. That’s so stupid. And obvious that you’re trolling.
So which browser would you suggest?
> So which browser would you suggest?
Generally Brave. On Android also consider Bromite. For anonymity the Tor Browser Bundle.
Avoid the garbage rest.
@Shadowed
> preferably FF
Get your engineering up to scratch, then we’ll talk.
https://madaidans-insecurities.github.io/firefox-chromium.html
Also, it’s not like Firefox doesn’t support any problematic APIs.