Chrome 84 Adds Web OTP API
Written by Ian Elliot
Thursday, 23 July 2020
Google has launched Chrome 84 with improvements including the Web OTP API, Web Animations API, and changes to SameSite cookies, along with the removal of older versions of Transport Layer Security (TLS).
The removal of support for older versions of TLS began with Chrome 81 in April, when support for TLS 1.0 and TLS 1.1 was deprecated. This has now been completely removed with Chrome 84. The TLS cryptographic protocol handles the encryption of HTTPS connections along with communications between web servers and browsers, but older versions of TLS have security flaws, hence the removal of support.
The second developer-related improvement to Chrome is the introduction of the Web OTP API. This was present in earlier versions as the SMS Receiver API, but the new version has significant differences. The Web OTP API helps users enter a one-time password (OTP) on a webpage based on an SMS message that is delivered to their Android phone. An OTP can be used to verify that a phone number entered onto a webpage belongs to the person entering the data on the page. The OTP is sent to the phone number using SMS, and this has to be copied and pasted back into the form on the website, or manually entered by the user. The Web OTP API lets developers help users enter the code with one tap.
The final major improvement for developers is to the handling of SameSite cookies. The SameSite attribute was introduced in Chrome 51 and provides a way to declare that cookies should be restricted to avoid cross-site request forgeries (CSRF). Chrome uses a SameSite attribute on a cookie with three settings - not set, strict or lax. If you set SameSite to Strict, cookies will only be sent if the site for the cookie matches the site currently shown in the browser's URL bar.
Google says that not many developers bother using SameSite, leaving users vulnerable to CSRF and unintentional information leakage. To overcome this, Chrome now implements the secure-by-default system for cookie classification, treating cookies that have no declared SameSite value as SameSite=Lax cookies.
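An added example, not from the original article or from Chrome's code: a simplified JavaScript model of the cookie classification described above, showing which requests carry a cookie once an undeclared SameSite value is treated as Lax. The request shapes, function names and sample Set-Cookie headers are constructed for illustration, and the handling of SameSite=None (usable only when the cookie is also marked Secure) goes beyond what the article covers.

```javascript
// Added example: simplified model of SameSite handling, not Chrome's code.
// Browser-specific exceptions and scheme checks are not modelled.
const SAFE_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"];

// Parse a Set-Cookie header value and classify its SameSite mode.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  let declared = null;
  let secure = false;
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "samesite") declared = value;
    if (key === "secure") secure = true;
  }
  // Secure-by-default: a missing or unrecognised value is treated as Lax.
  const sameSite = ["strict", "lax", "none"].includes(declared) ? declared : "lax";
  return { name, declared, sameSite, secure };
}

// request: { sameSite: boolean, topLevelNavigation: boolean, method: string }
function isSent(cookie, request) {
  // SameSite=None without Secure is rejected, so it is never sent.
  if (cookie.sameSite === "none") return cookie.secure;
  if (request.sameSite) return true;
  if (cookie.sameSite === "strict") return false;
  // Lax: cross-site only on a top-level navigation with a safe method.
  return request.topLevelNavigation && SAFE_METHODS.includes(request.method);
}

// Hypothetical request shapes: a forged form post, a followed link, a normal post.
const CROSS_SITE_POST = { sameSite: false, topLevelNavigation: true, method: "POST" };
const CROSS_SITE_LINK = { sameSite: false, topLevelNavigation: true, method: "GET" };
const SAME_SITE_POST = { sameSite: true, topLevelNavigation: true, method: "POST" };

function audit(headers) {
  return headers.map((header) => {
    const c = parseSetCookie(header);
    return { name: c.name, declared: c.declared ?? "(not set)", effective: c.sameSite,
      crossSitePost: isSent(c, CROSS_SITE_POST), crossSiteLink: isSent(c, CROSS_SITE_LINK),
      sameSitePost: isSent(c, SAME_SITE_POST) };
  });
}

// Constructed sample Set-Cookie values.
const SAMPLE = ["sid=abc123; Path=/; HttpOnly", "csrf=xyz; SameSite=Strict; Secure",
  "prefs=dark; SameSite=Lax", "widget=1; SameSite=None; Secure", "legacy=1; SameSite=None"];
console.table(audit(SAMPLE));
```

The first row is the case the new default changes: a session cookie with no SameSite attribute is no longer attached to a cross-site POST, while a followed link still carries it.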
Last Updated ( Thursday, 23 July 2020 )