Frontend Development 14 min read

Chrome 93 Unveiled: Error Cause, Object.hasOwn, and Key Security Fixes

Chrome 93, released on August 31, 2021, introduces 18 new features including the Error Cause proposal, Object.hasOwn method, port blocking to mitigate ALPACA attacks, removal of 3DES cipher suites, cross‑device WebOTP support, and SVG support in the Clipboard API, all enhancing web development and security.

Alibaba Terminal Technology

Aug 31, 2021

Chrome 93 was released on 2021-08-31 and introduces 18 new features.

Error Cause

Chrome 93 adds the Error Cause proposal (Stage 3 ECMAScript), allowing developers to pass a cause option when constructing an Error. This helps with better exception handling.

try {
  return await fetch("//unintelligible-url-a")
    .catch((err) => {
      throw new Error("Download raw resource failed", { cause: err });
    });
} catch (err) {
  console.log(err); // Error: Download raw resource failed
  console.log("Caused by", err.cause); // Caused by TypeError: Failed to fetch
}

The proposal was driven by Alibaba engineer Zhaolang and marks China's first ECMAScript proposal reaching Stage 3.

Object.hasOwn

Chrome 93 adds the static method Object.hasOwn(obj, prop) to check property existence more concisely than hasOwnProperty. Example:

const obj = { name: "test" };
console.log(Object.hasOwn(obj, "name")); // true

Because hasOwnProperty can be overridden, ESLint’s no-prototype-builtins rule discourages its direct use.

Block ports 989 and 990

To mitigate the ALPACA attack, Chrome 93 blocks ports 989 and 990 used by FTPS. The ALPACA attack exploits shared TLS certificates across different application‑layer protocols, enabling cross‑protocol attacks such as upload, download, and reflection attacks.

Key mitigation: avoid sharing TLS certificates across protocols and enable ALPN.

Remove 3DES in TLS

Chrome 93 drops support for the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite to protect against Sweet32 and Lucky Thirteen attacks. The article explains the birthday‑attack vulnerability of 64‑bit block ciphers and provides a JavaScript snippet that could be used to trigger a Sweet32 attack.

// Sweet32 attack example
var url = "https://10.0.0.1/index.html";
var xhr = new XMLHttpRequest();
var x = 10000000;
for (var i = 0; i <= 500; i++) {
  url += x++;
}
while (true) {
  xhr.open("HEAD", url, false);
  xhr.withCredentials = true;
  xhr.send();
  xhr.abort();
}

WebOTP API: cross‑device support

Chrome 93 extends the WebOTP API so that a verification code received on an Android device can be automatically delivered to a logged‑in Chrome session on a PC, eliminating manual entry.

Clipboard API: SVG support

Chrome 93 adds SVG to the Clipboard API, enabling copy‑paste of vector graphics in web applications such as Inkscape, Adobe Illustrator, Figma, and Photopea.

Reference links have been omitted for brevity.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.

Browser Security Clipboard API Error Cause Chrome 93 Object.hasOwn WebOTP

Written by

Alibaba Terminal Technology

Official public account of Alibaba Terminal

0 followers

Reader feedback

How this landed with the community

Rate this article

Was this worth your time?

Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.