Google has unveiled the new stable release of Chrome 140, accompanied by the open-source Chromium, which serves as its foundation. Unlike Chromium, Chrome includes proprietary branding, DRM modules for protected content playback, an automatic update system, integrated Sandbox isolation, API access keys, and the transmission of RLZ parameters during searches. For users requiring more time to transition, the parallel Extended Stable branch remains available with an eight-week update cycle. The next release, Chrome 141, is scheduled for September 30.
The central focus of Chrome 140 is enhanced privacy. In Incognito Mode, IP addresses are now concealed in third-party contexts, such as iframes. This is achieved through the Masked Domain List (MDL): if a domain appears on the list, requests are routed through Google’s proxy, ensuring the site sees only the proxy’s address. Additionally, Chrome introduces the Probabilistic Reveal Token system, which allows websites to receive randomized, truncated samples of users’ real IP addresses—decoupled from specific actions. These are delivered via encrypted tokens, only partially containing IP data, and decryptable solely with Google’s keys after a delay. Such data may aid in anti-fraud mechanisms and traffic quality analysis.
Work to curb covert fingerprinting continues. Incognito Mode now features a Script Blocking option that selectively restricts access to JavaScript APIs frequently used for browser fingerprinting, notably differences in Canvas rendering. Blocking activates for third-party code hosted on blacklisted MDL domains observed engaging in such practices.
On the graphical side, Chrome now enables OverrideDefaultOzonePlatformHintToAuto, allowing automatic switching to the Wayland backend when supported, without being bound to X11. Among new features is the automatic password reset: if a login uses credentials found in breach databases, Chrome prompts users to replace them, generates a strong password, submits it on the site, and securely stores it in the password manager.
Performance has been improved through Default Search Engine Prewarming. The moment a user places the cursor in the address bar, Chrome preloads resources for the search results page, reducing latency when a query is entered. This feature is not yet enabled for all users. Autofill has also been expanded: it now relies on an AI-driven model that interprets context from prior behavior. The setting, renamed from Autofill with AI to Enhanced Autofill, now supports more languages, countries, and data types.
In the U.S., Chrome users have gained access to the built-in Gemini chatbot, capable of explaining page content and answering related questions, with both text and voice interaction available—without switching tabs. Expansion to additional regions is planned. Moreover, all users can now join shared tab groups, though creating them remains limited to Beta, Dev, and Canary channels. Content within these groups synchronizes instantly across participants’ devices.
Warning dialogs for non-HTTPS websites have been redesigned: when secure-only connections are required, Chrome now blocks the page load with a prompt under the address bar, awaiting user action. For prefetch and prerender requests, a new HTTP header, Sec-Purpose, replaces the deprecated Purpose: prefetch, which remains temporarily for compatibility.
At the API level, ToggleEvent gains a source property, pointing to the element that triggered the event—e.g., a button with a popovertarget attribute when opening a popover.
In CSS, new capabilities include the counter() and counters() functions in content, the caret-animation property, broader animation parameters, and font-variation-settings support in @font-face. Typed arithmetic has been introduced in calc(), enabling expressions such as calc(10em / 1px) with correct unit handling. In JavaScript, new methods—Uint8Array.prototype.toBase64, Uint8Array.prototype.toHex, along with Uint8Array.fromBase64 and Uint8Array.fromHex—allow seamless conversion between byte arrays and string representations.
DevTools now integrates AI-powered performance analysis and adds emulation for the Save-Data header. Chrome 140 patches six vulnerabilities, all identified through automated tools such as AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer, and AFL. No critical sandbox escape flaws were found. Google awarded four bug bounties totaling $10,000—including prizes of $5,000, $4,000, and $1,000, with the fourth yet to be determined.
