When you sign in to a site, Chrome may give you a warning if the username/password have been exposed as a result of a data breach on some website or app. The feature is available on all platforms but only to the users signed in with a Google account. On Android the feature is only available if sync is also enabled, due to the way the accounts are managed by the OS.
Being signed in to a Google account is a technical requirement that prevents abuse of the API. When you sign in to a website, Chrome will send a hashed copy of your username and password to Google encrypted with a secret key only known to Chrome. No one, including Google, is able to derive your username or password from this encrypted copy. From the response, Chrome can tell if the submitted username and password appear in the database of leaked credentials. The final resolution is done locally; Google doesn't know whether or not the credential is present in the database.
The feature can be disabled in settings under Sync and Google services. On desktop and Android versions of Chrome, this feature is not available if Safe Browsing is turned off. Usage statistics contain information such as system information, preferences, user interface feature usage, responsiveness, performance, and memory usage. This feature is enabled by default for Chrome installations of version 54 or later. You can control the feature in the "Sync and Google services" section of Chrome's settings. Additionally, if your device has network location enabled , the X-Geo header may also include visible network IDs , used to geocode the request server-side.
HTTPS will be required to include this header in the request. You can learn more about how to control the Android OS location sharing with apps on this article for Nexus, or find your device here if you do not use a Nexus. How to control location sharing with a site within Chrome is written in this article. See the Geolocation section of this whitepaper for more information on default geolocation permissions.
If you're not signed in, Chrome offers to save your credit cards locally. If the card is not stored locally, you will be prompted for your CVV code or device authentication, such as Touch ID, Windows Hello, or Android screen lock, each time you use the card. In some versions of Chrome, it is possible to store a card to Google Payments and locally in Chrome at the same time, in which case Chrome will not ask for a CVV or device authentication confirmation. If you have cards stored in this way, their local copies will persist until you sign out of your Google account, at which point the local copy will be deleted from your device. If you choose not to store the card locally, you will be prompted for your CVV code or device authentication each time you use the card. You can opt out of using device authentication in the Payment methods section of Chrome settings.
If you use a card from Google Payments, Chrome will collect information about your computer and share it with Google Payments to prevent fraudulent use of your card. Enhanced protection also enables reporting additional data relevant to security to help improve Safe Browsing and overall web security, and it enables Chrome's password breach detection. When browsing in incognito or guest mode, these extra checks do not occur, and Enhanced protection mode operates the same way as Standard protection. Chrome helps protect you against password phishing by checking with Google when you enter your password on an uncommon page. Chrome keeps a local list of popular websites that Safe Browsing found to be safe.
The verdict received from Safe Browsing is usually cached on your device for 1 week. For users who have enabled the "Help improve security on the web for everyone" setting, Chrome will ignore the list of popular websites for a small fraction of visits, to test the accuracy of that list. This beacon's URL is not sent to Google's PWS unless the Physical Web feature is enabled. Users can also enable the feature in the Privacy settings.
The user receives a silent notification when Chrome finds a nearby URL. On Android and desktop, Chrome signals to Google web services that you are signed into Chrome by attaching an X-Chrome-Connected header to any HTTPS requests to Google-owned domains. On Android, Chrome sends the X-Chrome-Connected header to accounts.google.com to indicate it is eligible for account consistency . This allows those Google web services to update their UI accordingly. On desktop, Chrome sends the X-Chrome-ID-Consistency-Request header with all HTTPS requests to account.google.com if the "Allow Chrome sign-in" setting is enabled.
If you are using a managed device, your system admin may disable the sign in feature or require that data be deleted when you disconnect your account. Synced data can include bookmarks, saved passwords, open tabs, browsing history, extensions, addresses, phone numbers, payment methods, and more. In advanced sync settings, you can choose which types of data to synchronize with this device. You can turn sync on or off in the "You and Google" section of Chrome settings.
You can manage and delete your saved credentials in the "Forms and passwords" section of Chrome's settings. If you enable password management, the same kind of data about forms as described above is sent to Google to interpret password forms correctly. If stored credentials are used for the first time in a username field which was already filled differently by the website itself, Chrome also transmits a short one-byte hash of the prefilled value. This allows Google to classify if the website uses a static placeholder in the username field which can be safely overwritten without deleting valuable user-specific data.
The Windows version of Chrome is able to detect and remove certain types of software that violate Google's Unwanted Software Policy. If left in your system, this software may perform unwanted actions, such as changing your Chrome settings without your approval. Chrome periodically scans your device to detect potentially unwanted software. Your preferences will be sent to Google so that better suggestions are provided to you in the future. For example, if you indicate that you're not interested in a particular topic or publisher, suggestions about that topic or publisher will not be shown in the future.
Likewise, you can indicate that you're not interested in a specific article via the "Hide story" option in the article's three dots menu. Suggestions are also personalized based on your interactions with the suggested articles . You can manage this interaction data, which is stored in the Discover section of your Google account, at My Activity. Google may use anonymized and aggregated interest and interaction data from you to improve the quality of suggested articles for other users.
For instance, if you view or open a suggestion it might be suggested more often, while if you report its contents as inappropriate it might stop being suggested. Additionally, if Google is your default search engine and you have enabled sync, omnibox may also show suggestions for your Google Drive files. You can turn this functionality off by disabling the "Drive suggestions" option in the "Sync and Google services" section of Chrome's settings.
This document describes the features in Chrome that communicate with Google, as well as with third-party services (for example, if you've changed your default search engine). This document also describes the controls available to you regarding how your data is used by Chrome. Here we're focusing on the desktop version of Chrome; we touch only tangentially on Chrome OS and Chrome for Mobile. They must always be coupled with necessary actions such as retrieving or sending data to the server or loading heavy assets like large images in the background.
To combat this bad user experience, page reloads must always be accompanied by spinners or loaders. All the methods demonstrated in this guide work equally fine, but in situations where some props can not be accessed you must use custom event handlers. Chrome extensions and applications that you've installed are kept up to date with a similar system used for updating desktop versions of Chrome.
These update requests include similar information (such as the application ID, when the application was last used, and how long it's been installed). We use these requests to determine the aggregate popularity and usage of applications and extensions. If you are using an extension or application restricted to a certain audience, authentication tokens are sent with the update requests for these add-ons. Google Update requests include information necessary for the update process, such as the version of Chrome, its release channel, basic hardware information, and update errors that have been encountered. Google Update also periodically sends a non-unique four-letter tag that contains information about how you obtained Google Chrome.
This tag is not personally identifiable, does not encode any information about when you obtained Google Chrome, and is the same as everyone who obtained Google Chrome the same way. If the website is deemed unsafe by Safe Browsing, you may see a warning like the one shown above. This mechanism is designed to catch unsafe sites that switch domains very quickly or hide from Google's crawlers. Pages loaded in Incognito are not checked using this mechanism. For Chrome on Android, in certain countries, Chrome may download the content of the New Tab page suggestions from Google, for use while offline. Chrome sends to Google a cookieless request with the URL for each suggestion, along with Chrome's user agent string, in order to render the content.
You can remove downloaded content by clearing Chrome's cache data, or by opening the Downloads menu and selecting individual pages to delete. You can disable this feature by disabling "Download articles for you on Wi-Fi" in Chrome's Downloads settings. If the Android Backup Service is enabled on your device, some of your Chrome preferences will be saved and stored on Google servers. For Nexus and Android One devices, it is described under "Back up your data and settings with Android Backup Service" in this article.
For other Android devices, you may be able to find help by looking up your device on this page. When setting up a new Android device, you may request that it copies the preferences from a previously set up device. If you do so, Android may restore backed up Chrome preferences when Chrome is first installed. On iOS devices, users can enable the feature in the Privacy settings or by adding the Chrome widget to their Today view in the notification center. Additionally, the feature is automatically enabled for users who have location enabled on their device, granted Chrome the location permission, and have granted Google the geolocation permission.
Chrome scans for nearby devices whenever it is open in the foreground. When Chrome finds nearby URLs, users will see them as omnibox suggestions. Additionally, Chrome scans for nearby devices for a few seconds when the Today widget is displayed in the notification center. The Physical Web lets you see a list of URLs being broadcast by objects in the environment around you. Google Chrome looks for Physical Web devices with Bluetooth Low Energy beacons that are broadcasting URLs using the Eddystone protocol. Bluetooth signals can be received from 90 feet away or more, depending on signal strength and the user's environment .
If the Physical Web feature is enabled, Chrome sends detected URLs to Google's Physical Web Service via a cookieless HTTPS request. For each URL, the PWS obtains the title of the web page, filters out unsafe results, and returns a ranking based on non-personalized signals about the quality and relevance of the web page. Your device may receive push messages from the backend servers of apps and extensions installed in Chrome, websites that you grant the "notification" permission to, and your default search engine. Disabling push messages from your default search engine is done in the same way as disabling push messages from any site, by visiting the "Notifications" section of "Site settings".
Using the same secure method described above, you can check all the saved passwords against the public data breaches in the "Passwords" section of Chrome's settings. Once you've run a password check, Chrome will show a list of breached passwords. If a password in this list is outdated, you can manually edit it to store the current version. If you choose to edit, the new username/password pair will be checked automatically but only if the feature described above is not disabled.
If Autofill is enabled and you encounter a web page containing a form, Chrome sends some information about that form to Google. In response, Chrome receives a prediction of each field's data type (for example, "field X is a phone number, and field Y is a country"). This information helps Chrome match up your locally stored Autofill data with the fields of the form. This feature is disabled by default; to turn it on, click "Ask Google for suggestions" in the context menu that appears when you right-click on a misspelled word. You can also turn this feature on or off with the "Enhanced spell check" checkbox in the "Sync and Google services" section of Chrome settings.
When the feature is turned off, spelling suggestions are generated locally without sending data to Google's servers. Google uses strategies to ensure that surveys are spread evenly across users and not repeatedly served to a single user. On Android, Chrome stores a randomly generated unique token on the device. On Desktop, Chrome uses a cookie to connect with the server.
This token or cookie is used solely for the survey requests and does not contain any personal information. If you disable sending usage statistics, the token or cookie will be cleared. On iOS, if you are syncing your browsing history without a sync passphrase, Chrome reports usage for certain URLs that other Google apps could open. For example, when you tap on an email address, Chrome presents a dialog that allows you to choose between opening with Google Gmail or other mail apps installed on your device. The usage information also includes which apps were presented to you, which one was selected, and if a Google app was installed. If you are signed in, this usage is tied to your Google account.
If you are signed out, the information is sent to Google with a unique device identifier that can be regenerated by resetting the Google Usage ID found in Chrome settings. The raw reports are deleted within 60 days, after which only the aggregated statistics remain. A tap on that menu item will redirect you to the Lens experience in the Google App and the image bytes of the selected image will be sent to the Google Lens app.
For non-incognito users, the name of the currently signed-in account , image tag attributes, and Chrome experiments may also be sent to the Google App. This information is used to improve the user experience within the Lens app. Chrome tries to make personalized suggestions that are useful to you. For this, Chrome uses the sites you have visited from your local browsing history. To save data, Chrome may additionally send a hash of the content that Google provided to you the last time, so that you only download content when there is something new. This information helps improve the quality of the suggestion feature, and it's logged and anonymized in the same manner as Google web searches.
Logs of these suggestion requests are retained for two weeks, after which 2%% of the log data is randomly selected, anonymized, and retained in order to improve the suggestion feature. We need to use the polyfill because the Cache API is not yet fully supported in all browsers. The install event listener opens the caches object and then populates it with the list of resources that we want to cache. One important thing about the addAll operation is that it's all or nothing.
If one of the files is not present or fails to be fetched, the entire addAll operation fails. For a web application, the default behavior is to persist a user's session even after the user closes the browser. This is convenient as the user is not required to continuously sign-in every time the web page is visited on the same device.
This could require the user having to re-enter their password, send an SMS verification, etc, which could add a lot of friction to the user experience. Periodically, the cached content will expire and CloudFlare will need to pass the request on to my server. But on aggregate, this approach can drastically reduce load on your server because far fewer requests end up getting through. As a bonus, the user experience is improved because returning the cached content is much faster than having your web server generate it from scratch. Instead, it contains a handful of placeholder elements, along with some links to JavaScript files.
