Dev/Chromium
Donate
Development Considerations regarding default installation of Chromium in Kicksecure.
This page is a collection of notes, issues, criticism, advantages of Chromium. Development Considerations regarding default installation of Chromium in Kicksecure.
DISCLAIMER: This is only a collection of mostly user contributed notes. It will be reviewed, commented at a later time.
Firefox and Chromium Security[edit]
Copy or share this direct link!
Click = Copy
Copied to clipboard!
Click below ↴ = Copy to Clipboard
Click = Copy
Copied to clipboard!
Copy as Wikitext
Click = Copy
Copied to clipboard!
for Discourse, reddit, GitHub
Click = Copy
Copied to clipboard!
Copy as Markdown
Click = Copy
Copied to clipboard!
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
https://madaidans-insecurities.github.io/firefox-chromium.html
Daniel Micay, security researcher, KSPP member, developer of GrapheneOS, linux-hardened, hardened_malloc and more:
https://grapheneos.org/usage#web-browsing
https://old.reddit.com/r/firefox/comments/gokcis/firefox_is_insecure_refuted/frh286y/
https://old.reddit.com/r/GrapheneOS/comments/ciizae/vanadium_and_bromium_privacy/ev6m2ot/?context=3
https://old.reddit.com/r/GrapheneOS/comments/bx6h6s/apps_and_phone_set_up_grapheneos/eqcqayp/
https://old.reddit.com/r/GrapheneOS/comments/bg03np/browsers/elhivgg/
Thaddeus Grugq (thegrugq), information security researcher:
https://medium.com/@thegrugq/tor-and-its-discontents-ef5164845908
Dan Guido, CEO of Trail of Bits:
https://news.ycombinator.com/item?id=13623735
Matthew Green, cryptography expert:
https://twitter.com/matthew_d_green/status/830488564672626690
Thomas Ptacek, founder of Matasano Security, security researcher at Latacora:
https://twitter.com/tqbf/status/930807512609296384
https://twitter.com/tqbf/status/930860544927649792
https://twitter.com/tqbf/status/830511154950766595
https://twitter.com/tqbf/status/1107763320428417030
Theo de Raadt, founder and leader of OpenBSD:
https://marc.info/?l=openbsd-misc&m=152872551609819&w=2
PaXTeam/Pipacs of GRsecurity:
Chromium Debian Package Security[edit]
Copy or share this direct link!
Click = Copy
Copied to clipboard!
Click below ↴ = Copy to Clipboard
Click = Copy
Copied to clipboard!
Copy as Wikitext
Click = Copy
Copied to clipboard!
for Discourse, reddit, GitHub
Click = Copy
Copied to clipboard!
Copy as Markdown
Click = Copy
Copied to clipboard!
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Contributed b @madaidan.
The Chromium package on Debian has massively crippled security and disables numerous, important security mechanisms, a few examples of which are documented below:
- The Debian Chromium package is not a production build so basic security features like sandboxing, ASLR and CFI are crippled or nonexistent. [1]
- Clang's type-based, forward-edge Control-Flow Integrity is not enabled. [2]
- Automatic variable initialization is disabled with a source code patch. [3]
- Debian disables Chromium's own hardened memory allocator (PartitionAlloc) and defaults to the likely non-hardened system malloc implementation (usually glibc). [4]
- Debian applies many of its own patches to Chromium. Many of these are unnecessary and can potentially introduce new vulnerabilities. [5]
- Furthermore, Debian's current Chromium package is extremely outdated, making it miss countless security fixes and new security features. It has even been susceptible to publicly known exploits being used in the wild. [6] In addition, Debian's Clang package is also severely outdated, making it impossible to enable any modern compiler mitigations even if the Debian maintainers cared enough to.
Thus, the Debian Chromium has substantially worsened security than an official version. However, despite this, it may still be more secure than Firefox (Firefox never had many of the disabled mitigations in the first place).
Chromium Doesnt give your Freedom of Modifications[edit]
Copy or share this direct link!
Click = Copy
Copied to clipboard!
Click below ↴ = Copy to Clipboard
Click = Copy
Copied to clipboard!
Copy as Wikitext
Click = Copy
Copied to clipboard!
for Discourse, reddit, GitHub
Click = Copy
Copied to clipboard!
Copy as Markdown
Click = Copy
Copied to clipboard!
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Chromium doesnt has the easiness of about:config in Firefox for e.g if you want to disable certain TLS ciphers or WebRTC its not possible because its not there, This will force the users to only stick to whatever comes by default (unless recompile).
Note: Although Chromium has chrome://flags but its way less powerful/modifiable than Firefox about:config.
Chromium and Google API keys[edit]
Copy or share this direct link!
Click = Copy
Copied to clipboard!
Click below ↴ = Copy to Clipboard
Click = Copy
Copied to clipboard!
Copy as Wikitext
Click = Copy
Copied to clipboard!
for Discourse, reddit, GitHub
Click = Copy
Copied to clipboard!
Copy as Markdown
Click = Copy
Copied to clipboard!
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Chromium uses API resides in google, only keys shipped within Debian/Chromium [7]
Someone suggested this [8]
Why not modify chromium to read the api keys from a file, rather than
building them into the binary? The file could then be put in a separate package. If necessary in non-free.
This would have the additional benefit that those of us who want chromium to under no circumstances send every word we type and every website we visit to Google would no longer need to dig around in multiple prefereces dialogs to diable the multiple antifeatures enabled
by the keys.
Chromium Unknown Licenses with automated tool[edit]
Copy or share this direct link!
Click = Copy
Copied to clipboard!
Click below ↴ = Copy to Clipboard
Click = Copy
Copied to clipboard!
Copy as Wikitext
Click = Copy
Copied to clipboard!
for Discourse, reddit, GitHub
Click = Copy
Copied to clipboard!
Copy as Markdown
Click = Copy
Copied to clipboard!
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Many of them comes with free software, but there is no indication all of them are. (+10 years ticket) [9]
Distribution of Adobe "Pepper" Flash Player proprietary plugin[edit]
Copy or share this direct link!
Click = Copy
Copied to clipboard!
Click below ↴ = Copy to Clipboard
Click = Copy
Copied to clipboard!
Copy as Wikitext
Click = Copy
Copied to clipboard!
for Discourse, reddit, GitHub
Click = Copy
Copied to clipboard!
Copy as Markdown
Click = Copy
Copied to clipboard!
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Chromium comes with proprietary abilities within itself one of them is Adobe Flash Player [10].
This was resolved a long time ago. pepperflashplugin-nonfree is now its own separate package. https://packages.debian.org/pepperflashplugin-nonfree
Chromium reduced capabilities to plugin with adblocker[edit]
Copy or share this direct link!
Click = Copy
Copied to clipboard!
Click below ↴ = Copy to Clipboard
Click = Copy
Copied to clipboard!
Copy as Wikitext
Click = Copy
Copied to clipboard!
for Discourse, reddit, GitHub
Click = Copy
Copied to clipboard!
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Chromium_reduced_capabilities_to_plugin_with_adblocker]Chromium reduced capabilities to plugin with adblocker[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Ad blocking poses an existential threat to publishers and big sellers of digital ads like Google — which is reported to have lost as much as $US6.6 billion in revenue to ad blockers last year.
Now one former Googler is fighting back against the blockers.
The move has angered Chrome users beyond belief, with many vowing to switch browsers, and many setting their eyes on Firefox, whose developers have been working to transform and rebrand the former fan-favorite into a privacy-first product.
But Google's planned Manifest V3 changes are being added to the Chromium base, meaning they'll also likely impact other Chromium-based browsers as well.
Reply by madaidan: [13]
The goal of manifest v3 is not to neuter ad blockers. It allows content filtering in a more secure way while also not allowing extensions to spy on users extensively. It doesn’t kill ad blocking - it only provides a safer way of doing it. Manifest v3 removes the legacy webRequest and replaces it with declarativeNetRequest.
https://developer.chrome.com/extensions/declarativeNetRequest
https://blog.chromium.org/2018/10/trustworthy-chrome-extensions-by-default.html
Besides, this hasn’t even been implemented yet and likely won’t be for a long time. Other browsers will probably follow suit too. For example, this is how it already works in Safari.
Reply by Patrick:
Technically too difficult to compare the old API with the new API. It cannot be deduced from media reports. Developers of existing adblocking extensions might also be less than happy if they have to rewrite their extensions, i.e. trash a lot of previous work.
In conclusion, it remains to be seen if the new API will result in a significantly worse adblocking experience for Chromium versus lets say Firefox users. Should that be the case, it would a a disadvantage. Until that happens, it doesn't speak against Chromium.
Another reply by Patrick:
"The goal of manifest v3 is not to neuter ad blockers." - Goals, intentions are not the most important point here. These will be speculative and hard to proof beyond reasonable denial. What however does matter here is the outcome.
Quote Raymond Hill, the developer behind uBlock Origin and uMatrix, explained in the Chromium bug tracker that one of the changes in Manifest v3 would break complex content filtering:
https://bugs.chromium.org/p/chromium/issues/detail?id=896897#c23
"Key portions of uBlock Origin and all of uMatrix use a different matching algorithm than that of the declarativeNetRequest API. Block/allow rules are enforced according to their *specificity*, whereas block/allow rules can override each others with no limit. This cannot be translated into a declarativeNetRequest API (assuming a 30,000 entries limit would not be a crippling limitation in itself)."
Many extension developers complaining about new API, saying it would break their extension:
https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/veJy9uAwS00%5B1-25%5D
Chromium: secretly stores referrer and URL for downloaded files[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Chromium:_secretly_stores_referrer_and_URL_for_downloaded_files
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Chromium:_secretly_stores_referrer_and_URL_for_downloaded_files|Chromium: secretly stores referrer and URL for downloaded files]]
Copy as Wikitext
[Chromium: secretly stores referrer and URL for downloaded files](https://www.kicksecure.com/wiki/Dev/Chromium#Chromium:_secretly_stores_referrer_and_URL_for_downloaded_files)
for Discourse, reddit, GitHub
[Chromium: secretly stores referrer and URL for downloaded files](https://www.kicksecure.com/wiki/Dev/Chromium#Chromium:_secretly_stores_referrer_and_URL_for_downloaded_files)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Chromium:_secretly_stores_referrer_and_URL_for_downloaded_files]Chromium: secretly stores referrer and URL for downloaded files[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Can have impact on privacy and security [14], Bug was fixed later [15].
Reply by Patrick:
Bug happen. If now fixed, not sure it's even worth mentioning it.
Chromium: unconditionally downloads binary blob[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Chromium:_unconditionally_downloads_binary_blob
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Chromium:_unconditionally_downloads_binary_blob|Chromium: unconditionally downloads binary blob]]
Copy as Wikitext
[Chromium: unconditionally downloads binary blob](https://www.kicksecure.com/wiki/Dev/Chromium#Chromium:_unconditionally_downloads_binary_blob)
for Discourse, reddit, GitHub
[Chromium: unconditionally downloads binary blob](https://www.kicksecure.com/wiki/Dev/Chromium#Chromium:_unconditionally_downloads_binary_blob)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Chromium:_unconditionally_downloads_binary_blob]Chromium: unconditionally downloads binary blob[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Nasty bug,Got fixed [16].
Bug happen. If now fixed, not sure it's even worth mentioning it.
Questionable Chromium Privacy[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Questionable_Chromium_Privacy
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Questionable_Chromium_Privacy|Questionable Chromium Privacy]]
Copy as Wikitext
[Questionable Chromium Privacy](https://www.kicksecure.com/wiki/Dev/Chromium#Questionable_Chromium_Privacy)
for Discourse, reddit, GitHub
[Questionable Chromium Privacy](https://www.kicksecure.com/wiki/Dev/Chromium#Questionable_Chromium_Privacy)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Questionable_Chromium_Privacy]Questionable Chromium Privacy[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Chromium privacy infrastructure is basically Google [17]:
"Additional Information on Chromium, Google Chrome, and Privacy Features that communicate with Google made available through the compilation of code in Chromium are subject to the Google Privacy Policy."
Reply by madaidan:
Chromium has some telemetry by default but it can all be disabled in the settings. By default, it's actually *less* invasive than others like Firefox.
Google Chrome and (weird) DNS requests[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Google_Chrome_and_.28weird.29_DNS_requests
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Google_Chrome_and_.28weird.29_DNS_requests|Google Chrome and (weird) DNS requests]]
Copy as Wikitext
[Google Chrome and (weird) DNS requests](https://www.kicksecure.com/wiki/Dev/Chromium#Google_Chrome_and_.28weird.29_DNS_requests)
for Discourse, reddit, GitHub
[Google Chrome and (weird) DNS requests](https://www.kicksecure.com/wiki/Dev/Chromium#Google_Chrome_and_.28weird.29_DNS_requests)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Google_Chrome_and_.28weird.29_DNS_requests]Google Chrome and (weird) DNS requests[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
This is part of chromium/chrome design [18] [19]:
When Chrome is started it will lookup domain names for previously opened web pages early in the startup process so if the user clicks on one of those links Chrome can connect to the target site immediately.
madaidan reply:
This isn’t weird. It improves page load time and is a standard thing that’s done in other browsers like Firefox. It can also be disabled.
https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections
Patrick reply:
This is called DNS Prefetching.
chromium does it: https://sites.google.com/a/chromium.org/dev/developers/design-documents/dns-prefetching
firefox also does it: https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections
What Chromium features are removed for privacy/security reasons? (Done by Brave Browser)[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#What_Chromium_features_are_removed_for_privacy.2Fsecurity_reasons.3F_.28Done_by_Brave_Browser.29
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#What_Chromium_features_are_removed_for_privacy.2Fsecurity_reasons.3F_.28Done_by_Brave_Browser.29|What Chromium features are removed for privacy/security reasons? (Done by Brave Browser)]]
Copy as Wikitext
[What Chromium features are removed for privacy/security reasons? (Done by Brave Browser)](https://www.kicksecure.com/wiki/Dev/Chromium#What_Chromium_features_are_removed_for_privacy.2Fsecurity_reasons.3F_.28Done_by_Brave_Browser.29)
for Discourse, reddit, GitHub
[What Chromium features are removed for privacy/security reasons? (Done by Brave Browser)](https://www.kicksecure.com/wiki/Dev/Chromium#What_Chromium_features_are_removed_for_privacy.2Fsecurity_reasons.3F_.28Done_by_Brave_Browser.29)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#What_Chromium_features_are_removed_for_privacy.2Fsecurity_reasons.3F_.28Done_by_Brave_Browser.29]What Chromium features are removed for privacy/security reasons? (Done by Brave Browser)[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
- Disable google services in privacy settings #244
- Disable Prediction Service - DNS prefetching #340
- Disable Chrome Google URL Tracker #248
- On startup disable connections to google domains #514
- Disable chrome.webstore.install for inline extensions #614
- Disable anchor ping attribute #764
- Disabling getBattery | bluetooth | credential.get/store | navigator.usb apis #114
- Disable network time tracker #792
- Block ChromeMetadataSource network access #769
- Remove dl.google.com repository from Linux packages #1078
- Disabling metrics reporting; Updating ad-block deps to fix audit_deps error; Updating crypto deps to fix audit_deps error; #2029
And Others you can check them here here
Patrick reply:
Please sort this list according to different lists:
- privacy impact only
- security impact only
- security and privacy impact (optional category)
Remotely Exploitable Chromium Security Vulnerability CVE-2021-21193 exploited in the wild[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Remotely_Exploitable_Chromium_Security_Vulnerability_CVE-2021-21193_exploited_in_the_wild
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Remotely_Exploitable_Chromium_Security_Vulnerability_CVE-2021-21193_exploited_in_the_wild|Remotely Exploitable Chromium Security Vulnerability CVE-2021-21193 exploited in the wild]]
Copy as Wikitext
[Remotely Exploitable Chromium Security Vulnerability CVE-2021-21193 exploited in the wild](https://www.kicksecure.com/wiki/Dev/Chromium#Remotely_Exploitable_Chromium_Security_Vulnerability_CVE-2021-21193_exploited_in_the_wild)
for Discourse, reddit, GitHub
[Remotely Exploitable Chromium Security Vulnerability CVE-2021-21193 exploited in the wild](https://www.kicksecure.com/wiki/Dev/Chromium#Remotely_Exploitable_Chromium_Security_Vulnerability_CVE-2021-21193_exploited_in_the_wild)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Remotely_Exploitable_Chromium_Security_Vulnerability_CVE-2021-21193_exploited_in_the_wild]Remotely Exploitable Chromium Security Vulnerability CVE-2021-21193 exploited in the wild[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Summary[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Summary
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Summary|Summary]]
Copy as Wikitext
[Summary](https://www.kicksecure.com/wiki/Dev/Chromium#Summary)
for Discourse, reddit, GitHub
[Summary](https://www.kicksecure.com/wiki/Dev/Chromium#Summary)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Summary]Summary[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Viewing the situation as of 14 March 2021:
- Remotely exploitable Chromium security vulnerability CVE-2021-21193 is as reported by Google being used in the wild.
- Unfixed in Debian.
- Unfixed in Chromium on Flathub.
- Unfixed in Chromium on Snap Store
- Fixed in official Google Chrome (non-freedom!) version.
- Fixed in Arch Linux
.
Viewing the situation as of 03 April 2021:
- Still unfixed in Debian stable (buster at time of writing).
- Fixed on flathub on 31 March 2021 (version 89.0.4389.114)
- Fixed on Snap Store on 31 March 2021 (version 89.0.4389.114)
Sources[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Sources
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Sources|Sources]]
Copy as Wikitext
[Sources](https://www.kicksecure.com/wiki/Dev/Chromium#Sources)
for Discourse, reddit, GitHub
[Sources](https://www.kicksecure.com/wiki/Dev/Chromium#Sources)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Sources]Sources[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Quote Official Chrome Blog:
Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild.
- Fixed in version
89.0.4389.90
Quote vulmon (Bold added.):
Google Chrome could allow a remote malicious user to execute arbitrary code on the system, caused by a use-after-free in Blink. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
version of Chromium on Flathub:
89.0.4389.82
version of Chromium on Snap Store
89.0.4389.82
Debian:
- https://web.archive.org/web/20210314095053/https://security-tracker.debian.org/tracker/CVE-2021-21193
- https://web.archive.org/web/20210314095657/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985142
Chrome (non-freedom!) version.
Click = Copy Copied to clipboard!
89.0.4389.90-1
Conclusion[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Conclusion
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Conclusion|Conclusion]]
Copy as Wikitext
[Conclusion](https://www.kicksecure.com/wiki/Dev/Chromium#Conclusion)
for Discourse, reddit, GitHub
[Conclusion](https://www.kicksecure.com/wiki/Dev/Chromium#Conclusion)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Conclusion]Conclusion[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
TODO: write conclusion
notes:
03 April 2021- firefox-esr on Debian Security Tracker
- One unimportant issue.
- No security vulnerabilities reported being exploited in the wild.
- chromium on Debian Security Tracker
- 6 CVEs.
- At least 1 vulnerability reported being exploited in the wild.
Special Permissions by Chrome for google.com[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Special_Permissions_by_Chrome_for_google.com
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Special_Permissions_by_Chrome_for_google.com|Special Permissions by Chrome for google.com]]
Copy as Wikitext
[Special Permissions by Chrome for google.com](https://www.kicksecure.com/wiki/Dev/Chromium#Special_Permissions_by_Chrome_for_google.com)
for Discourse, reddit, GitHub
[Special Permissions by Chrome for google.com](https://www.kicksecure.com/wiki/Dev/Chromium#Special_Permissions_by_Chrome_for_google.com)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Special_Permissions_by_Chrome_for_google.com]Special Permissions by Chrome for google.com[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Google Chrome Repository Insecurity[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Google_Chrome_Repository_Insecurity
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Google_Chrome_Repository_Insecurity|Google Chrome Repository Insecurity]]
Copy as Wikitext
[Google Chrome Repository Insecurity](https://www.kicksecure.com/wiki/Dev/Chromium#Google_Chrome_Repository_Insecurity)
for Discourse, reddit, GitHub
[Google Chrome Repository Insecurity](https://www.kicksecure.com/wiki/Dev/Chromium#Google_Chrome_Repository_Insecurity)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Google_Chrome_Repository_Insecurity]Google Chrome Repository Insecurity[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
See Google Chrome Repository Insecurity.
Hardened Malloc[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Hardened_Malloc
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Hardened_Malloc|Hardened Malloc]]
Copy as Wikitext
[Hardened Malloc](https://www.kicksecure.com/wiki/Dev/Chromium#Hardened_Malloc)
for Discourse, reddit, GitHub
[Hardened Malloc](https://www.kicksecure.com/wiki/Dev/Chromium#Hardened_Malloc)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Hardened_Malloc]Hardened Malloc[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Hardened Malloc (HM)
https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474/147
Can Chromium from Flatpak be used with Hardened Malloc?Which memory allocator is more secure, Chromium’s built-in or Hardened Malloc?
Meanwhile HM was deprecated in Kicksecure.
Chromium Forks[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Chromium_Forks
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Chromium_Forks|Chromium Forks]]
Copy as Wikitext
[Chromium Forks](https://www.kicksecure.com/wiki/Dev/Chromium#Chromium_Forks)
for Discourse, reddit, GitHub
[Chromium Forks](https://www.kicksecure.com/wiki/Dev/Chromium#Chromium_Forks)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Chromium_Forks]Chromium Forks[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
- https://github.com/brave/brave-browser
- https://github.com/Eloston/ungoogled-chromium
- https://github.com/GrapheneOS/Vanadium
- https://github.com/bromite/bromite
Development Discussion[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Development_Discussion
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Development_Discussion|Development Discussion]]
Copy as Wikitext
[Development Discussion](https://www.kicksecure.com/wiki/Dev/Chromium#Development_Discussion)
for Discourse, reddit, GitHub
[Development Discussion](https://www.kicksecure.com/wiki/Dev/Chromium#Development_Discussion)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Development_Discussion]Development Discussion[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
Chromium Browser for Kicksecure Discussions (not Whonix)
Related[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Related
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Related|Related]]
Copy as Wikitext
[Related](https://www.kicksecure.com/wiki/Dev/Chromium#Related)
for Discourse, reddit, GitHub
[Related](https://www.kicksecure.com/wiki/Dev/Chromium#Related)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Related]Related[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
- Dev/Default Browser
- Chromium Browser for Kicksecure Discussions (not Whonix)
- Chromium in Kicksecure
- Chrome in Kicksecure
- Google Chrome Repository Insecurity
Footnotes[edit]
Copy or share this direct link!
https://www.kicksecure.com/wiki/Dev/Chromium#Footnotes
Click below ↴ = Copy to Clipboard
[[Dev/Chromium#Footnotes|Footnotes]]
Copy as Wikitext
[Footnotes](https://www.kicksecure.com/wiki/Dev/Chromium#Footnotes)
for Discourse, reddit, GitHub
[Footnotes](https://www.kicksecure.com/wiki/Dev/Chromium#Footnotes)
Copy as Markdown
[url=https://www.kicksecure.com/wiki/Dev/Chromium#Footnotes]Footnotes[/url]
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
- ↑
is_official_build=trueis not set and its default value is false; it must be explicitly enabled which Chromium does not do: - ↑
is_cfi=trueis also not set: https://salsa.debian.org/search?utf8=%E2%9C%93&search=is_cfi&group_id=3323&project_id=20972 Compare this to another distribution which does such as Arch Linux: https://github.com/archlinux/svntogit-packages/blob/2cbe439471932d30ff2c8ded6b3dfd51b312bbc9/trunk/PKGBUILD#L145
- ↑ https://salsa.debian.org/chromium-team/chromium/-/blob/e55c310bb078d3c2b10fd27935b6a5a1a207f480/debian/patches/buster/clang7.patch
- ↑ https://salsa.debian.org/chromium-team/chromium/-/blob/7810576a1215c28d5daff0e0fbd0e3687fc43d72/debian/rules#L64
- ↑ https://salsa.debian.org/chromium-team/chromium/-/tree/7810576a1215c28d5daff0e0fbd0e3687fc43d72/debian/patches One of these patches have likely introduced a memory corruption bug that is currently causing hardened_malloc to kill Chromium:
- ↑ https://forums.whonix.org/t/chromium-browser-for-kicksecure-discussions-not-whonix/10388/49
- ↑
https://lists.debian.org/debian-legal/2013/10/msg00021.html
- ↑
https://lists.debian.org/debian-legal/2013/10/msg00023.html
- ↑
https://bugs.chromium.org/p/chromium/issues/detail?id=28291
- ↑
https://lists.debian.org/debian-legal/2013/02/msg00010.html
- ↑
https://www.businessinsider.com/former-google-exec-launches-sourcepoint-with-10-million-series-a-funding-2015-6
- ↑
https://www.zdnet.com/article/opera-brave-vivaldi-to-ignore-chromes-anti-ad-blocker-changes-despite-shared-codebase/
- ↑
https://forums.whonix.org/t/chromium-browser-for-kicksecure-discussions-not-whonix/10388
- ↑
https://green-possum-today.blogspot.com/2018/09/chromechromium-is-storing-url-and.html
- ↑
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883746
- ↑
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909
- ↑ https://www.chromium.org/Home/chromium-privacy
- ↑
https://isc.sans.edu/diary/Google+Chrome+and+%28weird%29+DNS+requests/10312
- ↑
https://sites.google.com/a/chromium.org/dev/developers/design-documents/dns-prefetching
A secure by default operating system with the latest security research in place.
Copy or share this direct link!
Click = Copy
Copied to clipboard!
Click below ↴ = Copy to Clipboard
Click = Copy
Copied to clipboard!
Copy as Wikitext
Click = Copy
Copied to clipboard!
for Discourse, reddit, GitHub
Click = Copy
Copied to clipboard!
Copy as Markdown
Click = Copy
Copied to clipboard!
Copy as phpBB
We don't use embedded scripts
This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also
Social Share Button.
At
Kicksecure we value freedom and trust, supporting Open Source and Freedom Software
2012-
2025 ENCRYPTED SUPPORT LLC
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!