Use emoji reactions in your client-side encrypted documents

What’s changing

We’re excited to announce that client-side encrypted (CSE) files including Google Docs, Sheets and Slides now support emoji reactions. Users can use emojis to react to comments and content, bringing an expressive collaboration feature to CSE files. 

This update brings a core Google Workspace feature into our secure CSE framework, allowing users to provide quick feedback, express agreement, or acknowledge updates. Teams can now work together more efficiently and expressively, while still benefiting from the robust security of client-side encryption.

Emoji reactions are fully integrated in CSE documents. Users can add, resolve, delete, and re-open emoji reactions, and these reactions are also surfaced in a file’s version history. Reactions are preserved during export or when editing a Microsoft Office file in Workspace. They are also preserved when additional encryption is added to or removed from a file.


Emoji reactions to content and comments in a CSE Doc

Emoji reactions to content and comments in a CSE Doc

Getting started

  • Admins: There is no admin control for this feature.
  • End users: There is no end user setting for this feature. Visit the Help Center to learn more about emoji reactions.

Rollout pace

Availability

Available for Google Workspace

  • Enterprise Plus
  • Education Standard and Plus
  • Frontline Plus

Resources

Educators can now convert rubrics in Google Classroom from Drive or local files with help from Gemini

What’s happening

This year, we’ve been bringing the capabilities of Gemini into Google Classroom to help educators get help with common tasks. In June, we launched Gemini in Classroom to help educators create first drafts of content and resources, accessed through one central destination in Classroom. Recently, we started to bring Gemini into educator workflows with the ability to generate stories in Read Along in Classroom using Gemini. Starting today, educators can now quickly adapt existing rubrics from Drive or local files for Google Classroom assignments with Gemini's assistance.

From the Rubric menu in the assignment creation screen, educators can now select “Convert from file” to instantly turn existing rubrics from various files and use them in Google Classroom, without the need to enter the information manually.


convert rubrics in Google Classroom

Additional details

This feature is a part of Gemini in Google Classroom. Gemini in Classroom is only available in English for education users over the age of 18.

Getting started

  • Admins: There is no admin control for this feature.
  • End users: Visit the Help Center to learn more.

Rollout pace

Availability

  • Available for Google Workspace Education Fundamentals, Standard, and Plus

Resources

AI credit overages admin control and related billing

What’s changing

We previously announced an increased credit limit of 25,000 credits per user per month for Google AI Ultra for Business users. Now, we're adding a new admin control that enables admins to allow users with an Google AI Ultra for Business license to exceed their 25,000 per user per month AI credit limit. If a customer turns on this setting and has users who exceed their monthly allocation, then we'll send them an invoice at the end of the month to pay for any overages. 

We hope this additional control will enable admins to make sure their users have the right amount of access to the tools they need. 

Additional details

  • Pricing depends on your local currency. You can use the Admin console to review specific pricing for credit overages in your region before you enable this feature.
  • Your organization is billed only for the additional credits they use. You'll see a separate line item on your monthly invoice for any additional credits used during the previous billing cycle.
  • You can't enable credit overages if your account is managed by a reseller. 

Getting started

Rollout pace

  • The Admin console setting is available now. Credit overages will begin accruing on November 1, 2025.

Availability

  • Available for Google AI Ultra for Business

Resources

Protecting Gmail users from XS-Search with Cross-Origin Opener Policy (COOP)

What’s happening

Gmail is enhancing user security by enabling the Cross-Origin Opener Policy (COOP). As a result, developers of websites and browser extensions opening or manipulating the Gmail page may have to update their code to ensure continued functionality when enforcement begins on January 20, 2026. There is no action needed from Workspace admins or end users.

COOP background

Cross-Site Search (XS-Search) is a type of Cross-Site Leaks (XS-Leaks) attack that targets query-based search systems, like Gmail. Attackers exploit this vulnerability by gaining control of a Gmail window, either by opening a new popup or accessing an existing one via its window handle. Once they have this access, they can gather information via a side channel to determine if specific search results exist by repeatedly loading different search terms, thereby leaking sensitive user data.

COOP is a web security feature designed to isolate the web applications from untrusted origins. This measure will prevent attackers from accessing Gmail's window handle, thereby protecting users from various Cross-Site Search (XS-Search) attacks that rely on window handles for collecting side-channel information, such as frame counting. This also significantly hinders attacks like cache probing, which rely on timing and other observations for resources that Gmail loads for search results. While these attacks don't directly collect side-channel information through the window handles themselves, COOP prevents repeated searches and thereby increases difficulty and reduces effectiveness, making them far less of a threat.

Who’s impacted

Websites or browser extensions that open Gmail in a pop-up window and interact with that window by accessing its properties (closed, location, length, focus) or invoking its functions (close, postMessage). Also, browser extensions that are injected into Gmail page and access the opener handle which is a reference to the window that opened the current Gmail page.

Additional details

To enforce COOP, the Cross-Origin-Opener-Policy header will be present in the response:

Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gmail-web-coop-coep"
Report-To:{"group":"gmail-web-coop-coep","endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gmail-web"}]}

Getting started

  • Developers:
    • For websites and browser extensions opening Gmail, refactor the offending code to avoid accessing the window properties or functions through the window handle and instead, utilize alternative APIs to achieve the desired functionality (e.g., chrome.tabs, Messaging).
    • For browser extensions injected into the Gmail page, instead of trying to communicate with or access the opener, the browser extension should be updated so it doesn't need to interact with it at all and the extension's logic should be revised to work independently. If that is not possible, browser extensions can use existing APIs (e.g., chrome.tabs) to implement their logic.
  • Admins: There is no admin control for this feature.
  • End users: There is no end user setting for this feature. 

Rollout pace

  • Enforcement will begin on January 20, 2026. Rollout will be extended (potentially longer than 15 days for feature visibility).

Resources