Slashdot Mirror

Chrome devs have removed the hidden setting while they debate promoting it into the regular settings UI. If you want this, star the bug (but don't flood the comments too much):
Issue 935978

Telling a Google server that you want to load a common Javascript framework used on millions of web sites every now and then (after the first load it is cached locally) isn't exactly a massive information leak. It doesn't send the URL you are trying to access or anything like that.

Where are you getting your information?

The only place I could find that has any information about this feature is this:
https://blog.chromium.org/2019...

It says specifically "When Chrome optimizes an HTTPS page, only the URL is shared with Google; other information â" cookies, login information, and personalized page content â" is not shared with Google."

What do you know that overrides this?

No.

What else do you call it when information is being leaked from secure site to Google including internal resources loaded and page URLs?

This does not require any data about your browsing habits to be sent to Google

Not according to chromium blog:
https://blog.chromium.org/2019...

"When Chrome optimizes an HTTPS page, only the URL is shared with Google; other information â" cookies, login information, and personalized page content â" is not shared with Google. "

Sharing URL is very much requiring data about browsing habits.

Except it's already a feature in Chrome(ium) since version 67, and you can read how it works here: http://www.chromium.org/Home/c...

This takes up a bit more RAM however, because each process has its own heap and executable thread for each tab or domain if you enable it by domains only (disabled by default).

This looks to be almost the same thing except just by domains instead.

I spend so much money on computers that I should be ashamed of myself. I am a grown man but if a relative or immediate family ask me how much that costs I pretend that I got it dirt cheap. I even quickly throw away the receipt. I promise myself not to do this any more in 2019! So now I try to budget and if I see something I like I do research on it.. I do not just purchase everything computer related randomly any more.

On https://duckduckgo.com/ all review pages are from years ago! and the only thing modern about the webpages are the videos that play automatically... and i keep on having to customise adblocker to block them.. And then duckduckgo seems to want to give me Japanese websites which have backgrounds that flicker with a advertising video that flickers so much you have to look away from your monitor..

I think I may be the only person who still uses the World Wide Web, everybody else is stuck on Facebook and YouTube. And now I have my suspicions that the Vivaldi web browser may be spying on me. All these software companies can never get enough of everybody's information. What do you want? https://youtu.be/zalndXdxriI

https://www.chromium.org/

https://vivaldi.net/

Since they are impacting many people, people will simply ditch it.
If the people ditch it, the website developers will not support those new features.
If they start blackholing browsers from their own sites, they will die off too.
It won't be an overnight thing, but it will happen.
Mozilla was loved and now despised because of the shit they did to FF over the years.
Google are already despised and the only reason they are still used is because there is NO legit alternative.

All it needs is the effort and momentum to maintain it.
For a start, get away from that cancerous C++ and I'd support the fuck out of it. Fuck C++. Fuck it so much. Monolithic garbage piece of shit language now. Half those new features are atrocious. It makes Brainfuck look sensible. No wonder companies are banning the features. Some of them are totally incompatible! LOL WAT
Ditch the ENTERPRISE QUALITY coding style while you are at it. Retards shouldn't be programming. Don't cater to their stupidity and ignorance.
Chromium is filled with these idiots. I've argued with them many times to the point I got banned eventually because of Ben. (over the sidebar API)
The less of them, the better.
On that note, delete the bubble window API and add a sidebar API. Those bubble-popups are the worst thing any browser has ever had. Even ActiveX is not as bad as that shit. ActiveX was at least useful, those things AREN'T. They are terrible. The overhead to support the shit things for any complex extension is hilarious.
Any good extension already uses a pop-up window to get away from them.
Wontfix - reasons: "simplicity"
Morons.

So there might be a problem when you want to troubleshoot a machine which is supposed to run unattended

A Chromebook is not "supposed to run unattended". From the horse's mouth: "Remember: Chrome OS devices are not general-purpose PCs."

Yeah, it was so secure that it was disabled last March because of security holes.

https://bugs.chromium.org/p/ch...

Except that certificate pinning is being deprecated in Chrome:

• https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ
• https://bugs.chromium.org/p/chromium/issues/detail?id=779166

Certification Authority Authorization (CAA) seems to be the replacement for preventing misissuance.

not the new and bogus "https means it's legit, everything should be https" line of thinking, re Google

That's not even the thought process from Google. Here is the proposal from way back when. Relevant section:

We all need data communication on the web to be secure (private, authenticated, untampered). When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin. Roughly speaking, there are three basic transport layer security states for web origins: Secure (valid HTTPS, other origins like (*, localhost, *)); Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and Non-secure (broken HTTPS, HTTP).

Emphasis mine. And if you are wondering about the wording there, the exact definition can be found on the W3 site here. Which says if you trust the site then you can be assured that the information you transmit to the site has done so securely, that you can trust that they received the information that you sent them.

At no point can any standards body or web vendor indicate how compromised or fully functioning the host you are sending your data to is. At no point has any web browser maker (Apple, Google, Microsoft, Mozilla, et al) indicated that "Secure Host" == "Non Compromised Host". They have only indicated transmission "Secure Transmission to host" == "Non Compromised Transmission to host". What the host does with it, be it to send your data to some gulag in Siberia, to your bank for processing, or both is completely dependent on the remote host.

See here and here

A few examples from the issues above:

* "subdomain.www.domain.com" displays as "subdomain.domain.com".
* "http://www.example.www.example.com" turns to "example.example.com"
* "www.m.www.m.example.com" becomes "example.com".

Obviously this is all screwed up, and a web site at "example.com" and "www.example.com" and "m.example.com" can be completely different.

See here and here

A few examples from the issues above:

* "subdomain.www.domain.com" displays as "subdomain.domain.com".
* "http://www.example.www.example.com" turns to "example.example.com"
* "www.m.www.m.example.com" becomes "example.com".

Obviously this is all screwed up, and a web site at "example.com" and "www.example.com" and "m.example.com" can be completely different.

To the person at Google who stated that www is now considered a 'trivial' subdomain":

In my experience, "www" is not typically a subdomain. It is a host name. For example, in your DNS you might have an A record that resolves "www" to the IP address of your web server, just as you might have an A record that resolves "ftp" to your FTP server, or whatever.

The interesting thing about DNS, however, is that you can create an A record for a subdomain. This means you can make the "www" part of a URL optional by having "www.mydomain.com" and "mydomain.com" resolve to the same IP address (or group of addresses).

So, Google, kindly do not fuck with my DNS naming preferences. When I pay to register a domain, that includes the right to determine what I do (and don't do) with the DNS for my domain. If I want to show "www" in my URLs, that's my bloody business, not yours.

Ah, but a Chromebook is a PC

"Developer Information for Chrome OS Devices" disagrees with this claim:

Caution: Modifications you make to the system are not supported by Google, may cause hardware, software or security issues and may void warranty.

Remember: Chrome OS devices are not general-purpose PCs. We believe you should be able to hack on your own property, but if you do it's not our fault if something breaks.

I am aware of six ways to use a Chromebook as if it were a general-purpose PC, each of which has serious drawbacks.

Google's "trivial domains" list also includes "m." which is commonly used for mobile versions of web pages.

Bug ".m." label in middle of domain is stripped has the example:

Steps to reproduce the problem:
1. Attempt to visit: https://concourse.m.example.com

What is the expected behavior?
Host is shown as "concourse.m.example.com"

What went wrong?
Host is shown as "concourse.example.com"

Not being able to differentiate mobile-optimized and desktop-optimized web URLs is also a problem.

Fonts have ceased to be a bottle neck about a twenty years ago.

Mozilla needs more work on rendering performance. Rendering SVGs is slower than on Internet Explorer 11 in many cases, and in general about four times slower than on Chrome. In one extreme test case it is even about ten times slower than Chrome ( https://testdrive-archive.azur... ), but luckily that is not a typical example.

The problem with fixing this is that it is really hard work and this kind of work is not really valued. And that is where Open Source does not work too well. Why should people work their ass off if work is not really recognized? At Google engineers are at least paid well, so it's much easier to find people who are willing to do the hard work. Just look at the team size for Google's Slimming Paint project: https://www.chromium.org/blink...

Yeah, sorry, but variable fonts won't win you too many users I suspect.

Windows, no, why would you want to install Windows on a 32GB SSD?
Linux, yes.
Friendly guide: https://www.servethehome.com/g...
Google instructions: https://www.chromium.org/a/chr...

It's not locked, so they can't unlock it. You just need to boot into developer mode and turn off OS verification.

They also tell you how to install Linux
https://www.chromium.org/a/chr...

Here's an guide to install Ubuntu 18
https://www.servethehome.com/g...

Setting up Google Authenticator or another TOTP app requires first setting up either SMS, U2F, or Google Search prompts, and printing backup codes. From "Install Google Authenticator":

To use Google Authenticator on your Android device, you'll need:
[...]
2-Step Verification turned on

The phrase "2-Step Verification turned on" links to "Turn on 2-Step Verification", which implies that you'll need to have one of these:

A. A mobile phone to receive SMS.
B. A USB security key implementing FIDO U2F and a desktop or laptop computer running a compatible version of the Google Chrome browser. I haven't tested whether Chromium from a GNU/Linux distribution works as well or whether U2F is one of the proprietary extras included only in Google Chrome. In addition, the U2F key has to have been manufactured in batches of at least 100,000.
C. A phone or tablet with the Gmail or Google Search app installed (which works only on iOS or Android with Google Play, not AOSP alone or Windows Phone). This was introduced fairly recently, and I began using 2FA on Google once it was introduced.

You'll also need to own a second phone as a backup or a printer to receive backup codes.

Nice new look and probably the right time to make Flash usage more difficult.

Here are the technical updates in M69: https://blog.chromium.org/
- New CSS features
- Some new APIs including a new Keyboard API that looks like it will be useful for games
- Improvements to service workers
- And more

Looks like a good update.

Development of Chrome should be sent off to an independent organization (perhaps forced to by anti trust courts). Chrome now has more market share than internet explorer used to and also owns phones and schools with chromebooks. We also need to force Google to code to standards and work on all of the competition’s browsers under interoperability laws. this includes minority browers like waterfox and falkon.

So I'm not fan of Google, but this is 100% crap. Some actual facts:

• Chromium is open source -- -- the only parts that aren't included are the the commercial codecs like H.264, and those will never be open-source because Google pays the licensing costs and gives away the results for free
• Google does code to standards. Shadow DOM v0 API is a standard. It's just an old one (relatively speaking)

Google does a lot of things that I don't like, but Chrome on the whole is a net positive contribution to the web-going world. They push companies like Apple and Mozilla to move faster and do more. Suggesting that someone "take it away" is absurd. Fork the code, release your own browser, have a nice day.

For several years now Safari has outpaced Chrome nearly across the board in javascript and DOM operations.

I've been tracking it as a web app developer because it has serious implications for UX on mobile devices. The DOM operations can easily be 3-4X faster in safari, when combined with the iPhones processing advantages stacks up a 10X difference in performance between the average iPhone and the average android phone. Its a big problem for javascript app developers.
examples:
https://bugs.chromium.org/p/ch...
https://discuss.emberjs.com/t/...

The fact the Safari is left out of these comparisons puts a reality distortion field on the market, and keeps Google from getting their act together.

Most (All?) browsers and caching proxy servers do not save https content to disk.

Citation needed. Google Search for https disk cache returns, as its first result, "HTTPS Disk Cache Controller Browser Extensions" which contradicts your claim: "The default setting in Firefox 4.0 and later, true causes all HTTPS responses to be disk cached unless the server sends the header Cache-Control: no-store." Farther down the first page of results is the Chromium project's documentation of the disk cache mechanism used by Chromium and Google Chrome. Because this document doesn't contain "HTTPS", "secure", or "encrypt", it appears to say nothing about any distinction between cleartext and HTTPS.

Some caching proxies don't save HTTPS content to disk because they don't cache HTTPS at all. The FAQ of the Polipo proxy states that it falls back to a tunnel using the CONNECT method for HTTPS connections. It doesn't support a shared HTTPS cache with a private CA.

There are likely to be builds of ChromiumOS that you can install on the computer, and it produces the effect of ChromeOS running on hardware which will almost certainly be much better than some Chromebook.

But for what fraction of those "decades" have you been able to buy a compact GNU/Linux laptop in major electronics store chains?

Approximately since the ASUS eeePC started the "sub-notebook with Linux in your local store" craze

That craze covers fourth quarter 2007 through roughly fourth quarter 2012.

that subsequently jump-started the whole wave of Chromebooks

Chromebooks run Linux as their kernel, I'm aware. But until now, they haven't given the user ability to run GNU outside the self-destructing developer mode. Straight from the horse's mouth, with emphasis in the original:

Remember: Chrome OS devices are not general-purpose PCs.

So from first quarter 2013 through second quarter 2018, compact laptops usable as general-purpose GNU/Linux laptops were not widely available with a warranty in stores. Sure, netbooks are still scattered across pawn shops, but they haven't seen any updates, and at least one anonymous commenter on Slashdot has unironically suggested to stockpile the dwindling supply of old netbooks and maintain them by replacing lithium cells in their battery packs.

If you have a Intel Kaby Lake processor (newer), use Intel graphics, and Google Chrome then don't upgrade. https://bugs.chromium.org/p/ch... The newer ThinkPads all hit this combo.

One amendment, that CT policy is better than I presumed it would be:
http://www.chromium.org/admini...

Would have been nice to link in the article, it took me a while to find it. So this provides a more targeted way to relax the CT, which can in turn limit the efficacy of that internal CA, so it seems to be a step in the positive direction.

Good to see progress being made in limiting the collateral damage enabling https internally can inflict, but it's still in many ways convoluted and an ill fit for how many teams do internal IT.

http://www.chromium.org/admini...

Seemingly on a domain level. So long as you have domain names...

It would be interesting to treat IP based urls different from name based urls somehow... or at least private and link local addresses somehow differently (unless resolved by name)

Firefox comes with a basic PDF viewer. So does Google Chrome (and Chromium since third quarter 2014), though Mozilla PDF.js is also available from Chrome Web Store.

Or are Chromium and Firefox also a "bug-fest"?

Another reporter is confirming my findings: very old uTorrent clients (3.0) are not susceptible to these attacks.

Can't be Chrome since it is less secure than Firefox, even pre-Quantum.

Since when did Firefox start using OS-level process sandboxing the way Chromium and Google Chrome do?

If the Standard call for a feature to work on Both HTTP and HTTPS, and you implement only HTTPS, then is not an standards compliant implementation...

Nor does an implementation comply if the browser implements it over cleartext HTTP but the standard specifies that it shall not work over cleartext HTTP. A growing number of web standards specify such, citing things like the W3C Candidate Recommendation "Secure Contexts".

Those heavy-handed tactics could work when your market share was about 50%, but not anymore...

That'd be a good comeback if plurality browser Chrome weren't also doing it.

I'd assume that, like every other new feature, they're thinking "well, Chrome did it."

Yip

There are this link in the article that M'Smash should have linked to instead of the article.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1417#c3

And that link contains this one

https://support.apple.com/en-us/HT208334

No school today...because the vendor pushed out an untested update again.

Let me help you, as it appears you didn't do 30 seconds of Googling to help yourself. Chrome OS is heavily beta tested, and is built upon Chromium OS, which it itself is heavily beta tested. As a Google admin for a public K-12 school (~1200 Chromebooks), I have the option of assigning all my Chrome devices into one of three categories of development. Google "recommends" I activate a policy that will randomly assign 5% of all devices to a beta channel* to assist them with testing and development, though our district chooses to use stable-only software.

Occasionally, a serious bug actually does make it through to a stable, but if it is found, Google has been incredibly quick to prioritize its fix and release an update. It's only when there's a doozie like this where suddenly everyone starts the finger-shaming.

* The first time I turned this on, the very next day, we had about five Chromebooks all come into our office. Every one of them had Chrome crashing randomly, usually within about 30 seconds of it opening up. All had the exact same version of Chrome on it, v.51 I think, when every other one of our Chromebooks had v.50 or below. The only way we were able to fix them was to use a CrOS repair drive utility to reinstall CrOS with a previous version. When I saw that other Chromebooks that had v.50 couldn't be upgraded to v.51, I reasoned that these were the beta tested Chromebooks. I turned that feature back off, but I still saw a few more Chromebooks trickle into my office over the next few days that also "got lucky". After that, never again.

No school today...because the vendor pushed out an untested update again.

Let me help you, as it appears you didn't do 30 seconds of Googling to help yourself. Chrome OS is heavily beta tested, and is built upon Chromium OS, which it itself is heavily beta tested. As a Google admin for a public K-12 school (~1200 Chromebooks), I have the option of assigning all my Chrome devices into one of three categories of development. Google "recommends" I activate a policy that will randomly assign 5% of all devices to a beta channel* to assist them with testing and development, though our district chooses to use stable-only software.

Occasionally, a serious bug actually does make it through to a stable, but if it is found, Google has been incredibly quick to prioritize its fix and release an update. It's only when there's a doozie like this where suddenly everyone starts the finger-shaming.

* The first time I turned this on, the very next day, we had about five Chromebooks all come into our office. Every one of them had Chrome crashing randomly, usually within about 30 seconds of it opening up. All had the exact same version of Chrome on it, v.51 I think, when every other one of our Chromebooks had v.50 or below. The only way we were able to fix them was to use a CrOS repair drive utility to reinstall CrOS with a previous version. When I saw that other Chromebooks that had v.50 couldn't be upgraded to v.51, I reasoned that these were the beta tested Chromebooks. I turned that feature back off, but I still saw a few more Chromebooks trickle into my office over the next few days that also "got lucky". After that, never again.

They're working on it it Chromium

https://bugs.chromium.org/p/v8...

However this page

https://peterjensen.github.io/...

Complains that SIMD isn't implemented in Chrome 62, and unfortunately it's not implemented in Firefox 57 either.

So the answer is probably no, not yet.

Last time I used SIMD I used the Intel intrinsics in C++. Which are OK, but Visual Studio's C compiler didn't do a particularly good job at generating efficient assembler. Mind you, a vectorizable algorithm will still run faster using the intrinsics than not using them, and the compilers get better with each release. And of course if you use the intrinsics wrapped in a Float32xN class instead of hand rolled assembler it's pretty easy to support other SIMD instruction sets. E.g. 128 bit SSE to AVX512 you just need to fill in the operators with the appropriate intrinsic function and then tell your code to use Float32x16 instead of Float32x4. With hand rolled assembler you'd have to rewrite everything. So they do make sense. AVX512 has gather too -

https://en.wikipedia.org/wiki/...

And if you need to support NEON you can use the NEON intrinsics.

Bullocks. They enforced this policy through their industry position, nothing more.

Hard HSTS "pinning" within the browser, is a nightmare waiting to happen. Any badguy(tm) who can MITM you, can also strip HSTS -- EXCEPT on their preloaded list : https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json/

It's almost as bad as the current list of DEFAULT CA's. Why in the hell should I trust Hongkong Post when I'm neither employed by them, nor even IN HONGKONG.

Hypothetically they could remove .dev from the HSTS preload list.

The same could be said for any domain in the list
https://cs.chromium.org/chromi...
What if the ownership of one of the 40,000 entries in that list changes?

Whoops, forgot to throw this link in there.

https://blog.chromium.org/2017...

Chrome has been talking about a solution, but they aren't there yet.

https://bugs.chromium.org/p/ch...

In the meanwhile, I use a Google Chrome extension that is growing more out of date since the author moved on to other things.

https://chrome.google.com/webs...

https://github.com/Eloston/dis...

I use ublock and umatrix too, so I basically just use the extension to prevent autoplay on sites I actually want to view content on.

The answer is here: https://bugs.chromium.org/p/ch...

You can install legacy boot option rom without removing the screw Tepples. :P

Based on the results of a Google search for legacy boot chromebook, such as this and this and this, I'm under the impression that legacy boot can be reached only from developer mode, which we've established is fragile, and it tends to corrupt itself when the battery runs dry. What keywords should I have used to find a guide to setting up legacy boot on Chromebook?

Also, you normally dont need to disassemble the hinge mechanism to get to the screw. It is usually accessible just after removing the back of the clamshell.

That's not the scenario I had in mind. What I had in mind was that the hinge would eventually develop a fault through wear and tear unrelated to the installation of custom firmware, and then a warranty service program trying to minimize costs might notice that the firmware isn't stock and refuse to service the hinge on grounds of having modified the firmware.

The whole point of that is to intentionally steer people into the Chromebook walled garden.

This is the reason I say Chromebooks are not good enough. The owner cannot completely remove Chrome OS nor even disable it. It rears it's ugly head every time the system boots, and desperately tries to gain control again. No password or other lockout mechanism to over come, just press the space bar. Worse, because they want to ensure your experience is secure, they wipe the harddrive so you loose all the data on the device too. What happens when the current crop goes EOL and no longer gets updates? Do we get a patch to disable this bad behavior so the clueless user doesn't inadvertently "reinstall" and run the insecure and out dated OS? Because after all Chrome is all about protecting it's users right? Giving them a secure experience? Nope. They'll let them fill up landfills while pushing the next batch on you for more profit. Wash, Rinse, and Repeat just like every other company.

Even better is the fact that they've duped school systems into using them. Before you could at least try to stretch the lifetime of the machine out (by upgrading the OS), if you needed to pad out the budget before making the next round of purchases. Now it's going to be either cough up or go unprotected. To say nothing of the smaller (and less financially prepared) school systems who are peer pressured into paying money they don't have to replace everything in IT. Worse most Chromebook software (but really it's happening everywhere) is now, or is quickly turning into, RSaaS (Rent Seeking as a Service), so for those smaller school systems it's a case of BOHICA. Software is limited to a web site you don't host (or are paying an annual licensing fee to host yourself...), and the hardware is locked down to prevent you from using anything else. (Can't give Developer Mode to a kid, even if they wouldn't mess with the thing, someone would eventually press that space bar during startup.)

I'll also leave this here: Proof Google "cares" about random users so much, they tell device owners they can't control the device they own. (Even if it's federally mandated by law.)

Marking cleartext HTTP as "not secure" is actually the eventual plan, as I understand blog posts by Google, Mozilla, and DigiCert. First documents delivered over HTTP containing a password form was marked not secure. Then documents delivered over HTTP containing any forms. Then documents delivered over HTTP containing scripts. And finally, all documents delivered over HTTP other than from localhost.

You can also change the proxy settings for chrome via the command line. (Or shortcut settings in Windows.)

Only under broken Windows must a user be an admin to change the proxy settings. (Which are used globally for all connections.) This isn't so much a Chrome issue as a "Windows' proxy code was written way back in the 90's and hasn't been looked at since" issue.

The issue I'll have with this is if they decide that any proxy settings change (or use of a proxy) is "bad" and must have a constant warning displayed. It's gotten to the point where anything but a direct HTTPS link is considered "evil" despite the legitimate needs of the network / system operators. (Enterprise / Organization). Then I get 10 million calls about "why is it not secure anymore?" and have to tell them to ignore it while at work. (And hope to high hell, they DO pay attention to it anywhere else.)

DANE is pretty well dead. See the Chromium and Firefox (now reopened, actually) bugs on the issue. This blog post gives a good set of arguments why supporting DANE may be a bad idea. Not sure I agree, but the browser vendors seem to.

the "fast" websites you're referring to are things like the universities, and the "big commercial" websites. things that the majority of smartphone-addicted chinese citizens use every waking moment of their lives. things like wechat and other companies. wechat *has* to be fast because it's now used pretty much everywhere, for paying for everything from bills to groceries. the average medium-sized business however is still stuck with ridiculously-slow internet access. component suppliers in shenzhen simply cannot tolerate maintaining a decent web site because it's so slow that they just don't perceive there to be any benefit at all in doing so. i uploaded a stack of datasheets to my server on behalf of one of my suppliers, because for them to do it the speed would be so ridiculously slow they might as well not bother, and to just email them to clients on request: it's quicker and more reliable. note that's CHINESE clients.

some insight:

https://bugs.chromium.org/p/ch...

this gives you an idea of what it's like to try to browse websites. literally every single problem that you've ever encountered arbitrarily and very very occasionally, perhaps maybe once every two to twelve months if that: HTTPS errors, socket errors, timeout errors at the network layer, timeout errors at the SSL layer, SSL certificate errors, cache inconsistency errors - LITERALLY every single possible network-related error - occurred on a regular and unending excruciatingly monotonous basis.

trying to log in to https accounts.google.com just to enable IMAP took me TWO HOURS and over TWENTY refresh attempts. eventually enough got into the browser cache for it to take ONLY five minutes for the page to load... but the AJAX-controlled radio button refused to update properly, so i had to repeat the process. offlineimap (and running cyrus imap server *on my laptop*) was the only way to gain access to the 50,000 emails in my gmail inbox. it took five days to sync them all down.

the chromium team have accidentally marked this bugreport as "related to and problem is directly caused by VPN" but it's not. you can emulate this behaviour (answering the OP's question) by setting up a network filter (which you can do with a userspace tun/tap program written e.g. in python) that randomly and arbitrarily drops between 20 and 80% of packets, and limits the traffic rate to between 15 and SIX kilobytes per second. also you should add huge packet latency as an option: up to around 20 seconds should do the trick.

access to the UK is particularly bad (15k/sec); access to the USA is slightly better (around 70k/sec). during that massive DDOS attack (i happened to be in shenzhen at the time) all speeds dropped to around 5-10k/sec and packet loss was consistently around 80% (i run a constant "ping" in a window).

the worst latency i saw on openvpn was around 120 seconds, when using TCP instead of UDP. yes you read that right: not 120 MILLI-seconds - one hundred and twenty SECONDS. the connection was so bad that the bandwidth throttling option of openvpn simply did not work. i had to constantly change from TCP to UDP and back, and to regularly change the port number of the VPN.

as i have a server with a fixed IP address i gave serious consideration to writing my own userspace traffic proxy/router - not even a VPN, just a NAT/forwarding service - that would automatically make multiple connections over an arbitrary and random series of TCP and UDP connections, XOR something over the top of every packet, add a sequence number in front of the packet (exactly like TCP) and then reassemble the stream in-order at the other end of the connection.

basically with all my contacts being outside of china, there was absolutely no way that i could conduct business in china. every single software developer that i met INCLUDING CHINESE NATIONAL CITIZENS had a VPN connection. every foreigner trying to do business had a VPN connection. every tourist th

And I really hope and pray that in one of the next releases we will see SVG Font support. That would be awesome.

Extremely unlikely. They had SVG font support at one point. They deliberately removed it, way back when they were still with WebKit.