Chromium Weekly Summary

Chromium Weekly: 2026 Week 13

Overview

This week was marked by an exceptional volume of API refactoring, resulting in an unprecedented number of breaking changes across core libraries, Blink, networking, and platform-specific code. Across 3365 commits (2501 relevant), major architectural work continued with Project Bedrock, multinetworking support was advanced, and significant security hardening measures were landed. Embedders should prepare for substantial migration work to adapt to the numerous changes in C++, Java, and Mojo interfaces.

Unprecedented Wave of Breaking Changes

⚠️ BREAKING BREAKING CHANGE Core embedder interfaces were broken. content::ContentBrowserClient now requires implementing IsFullscreenAllowedForUnfocusedWebContents and using the new content::BluetoothDelegate. The ExtensionsBrowserClient interface also gained a new pure virtual method, forcing updates for all embedders. (395a125) (3cb4ab6) (cb457f6)
⚠️ BREAKING BREAKING CHANGE The base library saw fundamental changes: base::Thread::IsRunning() behavior was altered, base::CurrentThread::SetTaskRunner() was removed, and the //base:base_java build target was split into smaller, granular targets, requiring build file updates. (440b72b) (031d58e) (1397b82)
⚠️ BREAKING BREAKING CHANGE Core Blink APIs were heavily modified. A new virtual GetHTMLElementType() was added to blink::Node (an ABI break), and numerous string utilities like AtomicString::FromUTF8() and String::Left() were renamed or removed. (f252b9b) (bd3411c) (f72257b)
⚠️ BREAKING BREAKING CHANGE Major component relocations will break include paths and build dependencies. ProfileManager was moved to a new build target, Account settings was extracted from Autofill, and the harfbuzz-ng directory was renamed to harfbuzz. (fa00b2f) (a1b05c5) (2f9f433)
⚠️ BREAKING BREAKING CHANGE Numerous public Mojo interfaces were changed, including network::mojom::NetworkContext::CreateWebSocket, blink::mojom::PermissionService, and pdf.mojom.PdfHost. On ChromeOS, the entire crosapi::mojom::cros_display_config interface was removed. (0f1662a) (eee991e) (97d9dd9) (13cedb9)

Architecture & Core Internals

⚠️ BREAKING BREAKING CHANGE As part of Project Bedrock's goal to decouple UI from core logic, many public UI functions (e.g., ShowSettings) now require a BrowserWindowInterface* instead of a Browser*, and chrome::GetTabbedBrowserCount was removed. (7f61ab9) (ebb63bf)
⚠️ BREAKING BREAKING CHANGE Support for multinetworking was advanced, with core classes like net::ClientSocketPool::GroupId and URLRequest updated to include a target_network parameter. (52a2dea) (ba4fdb3)
The kMojoUseEventFd feature was enabled by default on Android to improve input delay and INP metrics by optimizing Mojo communication. (04ae8a0)
⚠️ BREAKING BREAKING CHANGE The compositor's cc::TreeSynchronizer was refactored to use OwnedLayerImplList for tree synchronization, and cc::LayerImpl::PushPropertiesTo was renamed to CopyPropertiesTo. (bbda441) (b3d21ec)

Web Platform & Rendering

Cookie parsing was hardened to reject cookies with an empty name and an ambiguous value (e.g., =Foo=Bar), a fundamental platform change that may affect some sites. (6e5ceda)
CSS functionality was enhanced: text-decoration-skip-ink: all is now on by default, support for image-animation: stopped was added, and @keyframes lookup across shadow DOM boundaries was fixed. (1e520da) (4fa3a3f) (8607d18)
⚠️ BREAKING BREAKING CHANGE WebGL will now generate a GL_INVALID_VALUE error for SVG images that lack an intrinsic size, whereas it previously used a default size. (213ac82)
An experimental implementation of ML-DSA, a post-quantum signature algorithm, was added to the WebCrypto API behind a feature flag. (2da14fd)
Support was added for parsing Dolby Vision RPU metadata in H.265 video and the AVAR2 font table for advanced font variations. (3e77dae) (0fa7607)

Security & Privacy

Permission prompt security was hardened by having the browser process directly validate the transient activation state, no longer trusting user gesture signals from a potentially compromised renderer. (89632d8) (8dda06b)
Several vulnerabilities were patched, including a webRequestBlocking permission bypass and a popup blocker bypass, both exploitable by a compromised extension. (2619b94) (3b4c638)
The JavaScript code cache is now disabled for PDF renderers and origin-restricted sandboxed iframes as a mitigation against potential code tampering attacks. (6fa3337)

Platform-Specific Highlights

⚠️ BREAKING BREAKING CHANGE On Android, the core TabModel Java interface was refactored to extend TabGroupModelFilter, a major change impacting any custom UI implementations. (401697a)
⚠️ BREAKING BREAKING CHANGE The default behavior for downloaded PDFs on Android has changed to open them in Chrome's native viewer instead of firing an intent for an external app. (483eccb)
Work to enable extensions on Android progressed, with the chrome://management page being converted to a WebUI and numerous extension API tests being enabled for the platform. (bed3443) (1fa9861)
On iOS, drag-and-drop is now enabled by default, and a new SetUserAgent API was added to web::WebState to allow per-tab overrides. (34fefe1) (f521739)

Daily Summaries (6)

2026-03-22: Chromium Digest: 2026-03-22 (0 commits)
2026-03-23: Chromium Digest: 2026-03-23 (0 commits)
2026-03-24: Chromium Digest: 2026-03-24 (0 commits)
2026-03-25: Chromium Digest: 2026-03-25 (0 commits)
2026-03-26: Chromium Digest: 2026-03-26 (0 commits)
2026-03-27: Chromium Digest: 2026-03-27 (0 commits)