Beta Channel Update for ChromeOS / ChromeOS Flex

The Beta channel is being updated to OS version 16295.44.0 (Browser version 138.0.7204.148) for most ChromeOS devices.

If you find new issues, please let us know one of the following ways:
  1. File a bug

  2. Visit our ChromeOS communities

    1. General: Chromebook Help Community

    2. Beta Specific: ChromeOS Beta Help Community

  3. Report an issue or send feedback on Chrome

  4. Interested in switching channels? Find out how.
Alon Bajayo
Google ChromeOS

Drive IRM Update: More Control for File Owners and Shared Drive Managers

What’s changing

The Information Rights Management (IRM) feature for Drive prevents the downloading, copying and printing of documents for viewers and commenters. Currently, individual file owners can use IRM to limit viewers and commenters from printing, copying, or downloading a file. Earlier this year, we launched the ability for admins to restrict these actions for users with edit permissions.

Now, individual file owners and shared drive managers can apply printing, copying, and downloading restrictions to users with edit permissions as well. Editors and owners can still edit the document itself, however they can only copy and paste document content within the document itself. 

As a whole, IRM controls give both admins and end users the ability to help prevent sensitive content from being leaked.


Getting started

  • End users: Once this feature is enabled, all entry points for downloading, printing, and copying will be removed from Google Drive, Docs, Sheets, and Slides on all platforms. Note: If a file has both an administrator-applied IRM setting and a file owner setting on it, the administrator setting takes priority. Visit the Help Center to learn more about stopping, limiting, or changing how your files are shared.

Rollout pace


Availability

  • IRM controls are available for all Google Workspace customers
  • Data Loss Prevention Rules and Context-Aware Access conditions are available for Google Workspace:
    • Enterprise Standard and Plus
    • Education Fundamentals, Standard, Plus, and the Teaching and Learning add-on
    • Frontline Standard
    • Enterprise Essentials and Enterprise Essentials Plus

Resources

Join our “Google Advertising and Measurement Community” Discord Server

We’re launching our new “Google Advertising and Measurement Community” Discord server! To join, just click this invite link and follow the onboarding guide.

The current products available on this server are Analytics, Google Ads, Google AdMob, and Google Ad Manager.

The Ads Developer Relations team will be on this server regularly to discuss your feedback or questions using Google’s Advertising and Analytics APIs/SDKs, as well as to let you know what’s new with our products.

We’ll be hosting a “Meet the Team” in August, where we’ll go over who we are, and how you can expect to engage with us in Discord. Stay tuned as we add other events, and more channels.

Looking forward to chatting with you on Discord!

- Cory Liseno, on behalf of the Ads Developer Relations Team

Advancing Protection in Chrome on Android

Posted by David Adrian, Javier Castro & Peter Kotwicz, Chrome Security Team

Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures. Advanced Protection gives you the ability to activate Google’s strongest security for mobile devices, providing greater peace of mind that you’re better protected against the most sophisticated threats.

Advanced Protection acts as a single control point for at-risk users on Android that enables important security settings across applications, including many of your favorite Google apps, including Chrome. In this post, we’d like to do a deep dive into the Chrome features that are integrated with Advanced Protection, and how enterprises and users outside of Advanced Protection can leverage them.

Android Advanced Protection integrates with Chrome on Android in three main ways:

  • Enables the “Always Use Secure Connections” setting for both public and private sites, so that users are protected from attackers reading confidential data or injecting malicious content into insecure plaintext HTTP connections. Insecure HTTP represents less than 1% of page loads for Chrome on Android.
  • Enables full Site Isolation on mobile devices with 4GB+ RAM, so that potentially malicious sites are never loaded in the same process as legitimate websites. Desktop Chrome clients already have full Site Isolation.
  • Reduces attack surface by disabling Javascript optimizations, so that Chrome has a smaller attack surface and is harder to exploit.

Let’s take a look at all three, learn what they do, and how they can be controlled outside of Advanced Protection.

Always Use Secure Connections

“Always Use Secure Connections” (also known as HTTPS-First Mode in blog posts and HTTPS-Only Mode in the enterprise policy) is a Chrome setting that forces HTTPS wherever possible, and asks for explicit permission from you before connecting to a site insecurely. There may be attackers attempting to interpose on connections on any network, whether that network is a coffee shop, airport, or an Internet backbone. This setting protects users from these attackers reading confidential data and injecting malicious content into otherwise innocuous webpages. This is particularly useful for Advanced Protection users, since in 2023, plaintext HTTP was used as an exploitation vector during the Egyptian election.

Beyond Advanced Protection, we previously posted about how our goal is to eventually enable “Always Use Secure Connections” by default for all Chrome users. As we work towards this goal, in the last two years we have quietly been enabling it in more places beyond Advanced Protection, to help protect more users in risky situations, while limiting the number of warnings users might click through:

  • We added a new variant of the setting that only warns on public sites, and doesn’t warn on local networks or single-label hostnames (e.g. 192.168.0.1, shortlink/, 10.0.0.1). These names often cannot be issued a publicly-trusted HTTPS certificate. This variant protects against most threats—accessing a public website insecurely—but still allows for users to access local sites, which may be on a more trusted network, without seeing a warning.
  • We’ve automatically enabled “Always Use Secure Connections” for public sites in Incognito Mode for the last year, since Chrome 127 in June 2024.
  • We automatically prevent downgrades from HTTPS to plaintext HTTP on sites that Chrome knows you typically access over HTTPS (a heuristic version of the HSTS header), since Chrome 133 in January 2025.

Always Use Secure Connections has two modes—warn on insecure public sites, and warn on any insecure site.

Any user can enable “Always Use Secure Connections” in the Chrome Privacy and Security settings, regardless of if they’re using Advanced Protection. Users can choose if they would like to warn on any insecure site, or only insecure public sites. Enterprises can opt their fleet into either mode, and set exceptions using the HTTPSOnlyMode and HTTPAllowlist policies, respectively. Website operators should protect their users' confidentiality, ensure their content is delivered exactly as they intended, and avoid warnings, by deploying HTTPS.

Full Site Isolation

Site Isolation is a security feature in Chrome that isolates each website into its own rendering OS process. This means that different websites, even if loaded in a single tab of the same browser window, are kept completely separate from each other in memory. This isolation prevents a malicious website from accessing data or code from another website, even if that malicious website manages to exploit a vulnerability in Chrome’s renderer—a second bug to escape the renderer sandbox is required to access other sites. Site isolation improves security, but requires extra memory to have one process per site. Chrome Desktop isolates all sites by default. However, Android is particularly sensitive to memory usage, so for mobile Android form factors, when Advanced Protection is off, Chrome will only isolate a site if a user logs into that site, or if the user submits a form on that site. On Android devices with 4GB+ RAM in Advanced Protection (and on all desktop clients), Chrome will isolate all sites. Full Site Isolation significantly reduces the risk of cross-site data leakage for Advanced Protection users.

JavaScript Optimizations and Security

Advanced Protection reduces the attack surface of Chrome by disabling the higher-level optimizing Javascript compilers inside V8. V8 is Chrome’s high-performance Javascript and WebAssembly engine. The optimizing compilers in V8 make certain websites run faster, however they historically also have been a source of known exploitation of Chrome. Of all the patched security bugs in V8 with known exploitation, disabling the optimizers would have mitigated ~50%. However, the optimizers are why Chrome scores the highest on industry-wide benchmarks such as Speedometer. Disabling the optimizers blocks a large class of exploits, at the cost of causing performance issues for some websites.

Javascript optimizers can be disabled outside of Advanced Protection Mode via the “Javascript optimization & security” Site Setting. The Site Setting also enables users to disable/enable Javascript optimizers on a per-site basis. Disabling these optimizing compilers is not limited to Advanced Protection. Since Chrome 133, we’ve exposed this as a Site Setting that allows users to enable or disable the higher-level optimizing compilers on a per-site basis, as well as change the default.

Settings -> Privacy and Security -> Javascript optimization and security

This setting can be controlled by the DefaultJavaScriptOptimizerSetting enterprise policy, alongside JavaScriptOptimizerAllowedForSites and JavaScriptOptimizerBlockedForSites for managing the allowlist and denylist. Enterprises can use this policy to block access to the optimizer, while still allowlisting1 the SaaS vendors their employees use on a daily basis. It’s available on Android and desktop platforms

Chrome aims for the default configuration to be secure for all its users, and we’re continuing to raise the bar for V8 security in the default configuration by rolling out the V8 sandbox.

Protecting All Users

Billions of people use Chrome and Android, and not all of them have the same risk profile. Less sophisticated attacks by commodity malware can be very lucrative for attackers when done at scale, but so can sophisticated attacks on targeted users. This means that we cannot expect the security tradeoffs we make for the default configuration of Chrome to be suitable for everyone.

Advanced Protection, and the security settings associated with it, are a way for users with varying risk profiles to tailor Chrome to their security needs, either as an individual at-risk user. Enterprises with a fleet of managed Chrome installations can also enable the underlying settings now. Advanced Protection is available on Android 16 in Chrome 137+.

We additionally recommend at-risk users join the Advanced Protection Program with their Google accounts, which will require the account to use phishing-resistant multi-factor authentication methods and enable Advanced Protection on any of the user’s Android devices. We also recommend users enable automatic updates and always keep their Android phones and web browsers up to date.

Notes

  1. Allowlisting only works on platforms capable of full site isolation—any desktop platform and Android devices with 2GB+ RAM. This is because internally allowlisting is dependent on origin isolation↩

Search for embedded content in Google Sites

What’s changing

Starting today, we're making it easier to find information within a Google Site. Previously, searching in a site only showed results from the text directly on the pages. Now, when you perform a search, the results will also include content from within embedded files, such as Google Docs, Sheets, Slides, and PDFs. 

This highly-requested update expands the search capabilities beyond just the content on the page, providing a more comprehensive and efficient experience. This feature helps you find exactly what you're looking for, whether it's on a page or within an embedded file. 
Search for embedded content in Google Sites

Additional details 

  • For existing sites, the fastest way to enable this feature is to re-publish your site. 
  • If you choose not to republish, embedded search will still become available on your Site in the coming months. 
  • No action is required for new sites as the feature will be enabled by default. 

Getting started 

Rollout pace 

Availability 

  • Available to all Google Workspace customers, Workspace Individual Subscribers, and users with personal Google accounts. 

Resources 

Stable Channel Update for Desktop

The Stable channel has been updated to 138.0.7204.100/.101 for Windows, Mac and 138.0.7204.100 for Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.


Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Srinivas Sista
Google Chrome

Manage email subscriptions from a single location in Gmail

What’s changing 

Last year, we introduced web and mobile updates that enable you to unsubscribe from individual emails in Gmail more easily. Today, we’re building upon this with Gmail's new "Manage subscriptions" feature. 

With the “Manage subscriptions” view, you can organize your subscription emails and easily unsubscribe from the ones you no longer want – all from a single place. 

To find this view, click the navigation bar in the top-left corner of your inbox and select “Manage subscriptions.” Your active subscriptions are sorted by the most frequent senders alongside the number of emails they’ve sent you in the past few weeks. If there’s a sender you no longer wish to receive emails from, you can easily unsubscribe in one click, and Gmail will send an unsubscribe request to the sender on your behalf. 

Manage email subscriptions from a single location in Gmail

Additional details 

If you are a bulk sender wanting to know more about unsubscribe requirements, please see additional details here

Getting started 

Rollout pace

Web: 
Android: 
iOS: 

Availability 

  • Available to all Google Workspace customers, Workspace Individual Subscribers, and users with personal Google accounts 

Resources 

Help shape Google Ads API’s future Model Context Protocol (MCP) Server

The Google Ads API team is exploring bringing a Model Context Protocol Server to the developer base to allow third-party GenAI tools to work with advertiser accounts. We are seeking your initial input to help us shape our roadmap.

If you are interested in providing feedback in relation to this topic please follow this link to participate in a short survey.

How to get help

If you have any questions or need help, check out the Google Ads API support page for options.

 - David Stevens, Google Ads API Product Manager/span>