return to table of content

Google Chrome has a special hidden API accesible only from *.google.com

htrp
36 replies
1h22m

So, Google Chrome gives all *.google.com sites full access to system / tab CPU usage, GPU usage, and memory usage. It also gives access to detailed processor information, and provides a logging backchannel.

So I guess the question becomes how quickly you can spoof this ?

justo-rivera
25 replies
1h20m

You just need to "register" a subdomain. So basically any google employee has potentially full access to your system?

sophiebits
12 replies
1h18m

You’re likely severely underestimating the amount of internal paperwork and review that is required to launch a new google.com subdomain.

drpossum
9 replies
1h14m

I did one on my local network and didn't fill out anything

block_dagger
5 replies
1h12m

But only you have access to your local network.

drpossum
3 replies
1h3m

Good thing all networks everyone connects to are always known by that user to be secure

bqmjjx0kac
2 replies
45m

Do these APIs not require https?

drpossum
1 replies
38m

The case here was just injecting a domain. There's another thread for this post pointing out you would also need to inject a malicious root cert for https traffic, which is correct, but not impossible (and given some bad/lazy practices I've seen places do when they sign their own certs for internal infrastructure, not a far stretch)

jonas21
0 replies
17m

If they can do that, they can spoof or proxy any website and collect your passwords, auth cookies, and anything else sent over the network. At that point, who cares if they can also see how much CPU you're using?

therein
0 replies
1h11m

That's not necessarily true.

pharrington
2 replies
1h10m

is your local network google.com ?

shreddit
1 replies
58m

I can tell my pc what ca to trust, so yes i can make it to…

mimon
0 replies
4m

So if you can just trick someone into trusting a bogus root CA, take control of their DNS resolution, and get them to open an attacker controlled domain in Chrome then you can... Use this API to get information about their current CPU utilisation.

Wow some attack you got there.

riccardomc
0 replies
1h9m

Probably a 'something.google.com'...

But you could have teams with DNS zone delegation who can.create.anything.like.this.google.com

isodev
0 replies
1h15m

Maybe they don't need a new subdomain, something unused could do the trick.

drpossum
5 replies
1h18m

Or anyone who controls your DNS resolution which has a number of paths (for example a local hosts file, possibly a router, changing your config or how you get your config to a malicious DNS server, etc)

wbl
0 replies
1h14m

Also need a cert which is tricky

ruined
0 replies
1h16m

or public wifi access point

q3k
0 replies
1h14m

Not that easy with HSTS.

eknkc
0 replies
1h13m

Won’t work with https.

If that malicious actor can install a custom ca too, they can already install whatever spyware they want.

abirch
0 replies
1h13m

You'd probably need DNS and Root Certificates, something to which most employers have access

mywittyname
2 replies
1h17m

Is it really that easy? I just kind of assumed that devs could create subdomains under a dev TLD like googdev123.com, but not google.com until it was a fully-fledged product release.

hn_go_brrrrr
1 replies
1h13m

Nothing at Google is that easy. It is a large and slow-moving bureaucracy.

rpnx
0 replies
50m

Agree. I work at Google. I promise nothing happens quickly. It can take over a week to set up a new SQL database & client. Half coding (don't get me started on boq...) and half data integrity and criticality annotations for the data...

I don't know what setting up a new domain is like but I can't imagine it's something you "just do".

nashashmi
0 replies
1h7m

Drive.google.com links also work

mysterydip
0 replies
1h6m

What about anything on sites.google.com?

Tiberium
0 replies
1h11m

In what world does "system / tab CPU usage, GPU usage, and memory usage" mean "full access to the system"? Any Chrome extension can access this info easily, the point that the tweet makes is that there's a built-in Chrome extension that shares this info with Google's own websites without any confirmation.

fjni
3 replies
1h7m

Wouldn't you be able to deploy an app script website, which is hosted on "script.google.com" and make use of this?

jhdifdhsak
1 replies
45m

your code do not run from that domain at all.

rc_mob
0 replies
13m

it does if I hack your dns server :)

pixl97
0 replies
42m

Does Chrome do certificate pinning checking in this case?

sophiebits
1 replies
1h19m

If you mean can another domain trick Chrome into letting it access those APIs… probably not; it seems it’s based on the browser extension architecture which is already somewhat hardened and I believe doesn’t even load the code for the extension if you’re not on a matching domain (though the typical protection goes the other way around — preventing extensions from accessing website data without permission).

darby_nine
0 replies
59m

It seems bad enough that Google has access to it to justify ripping it out.

lyu07282
1 replies
1h17m

Pretty much impossible, would need to defeat https/ct. You would have to spoof *.google.com within chrome.

jandrese
0 replies
1h14m

So if you install your own certificate authority and then spoof the DNS it might be possible? Not so useful as an attack vector, but potentially useful for people who want to do fun things with the browsers they own.

AnimalMuppet
1 replies
1h15m

Don't have to spoof it - just put something on Google Docs and send people a link.

sophiebits
0 replies
1h12m

Google Docs is designed to not let you run arbitrary JS in a trusted (i.e. google.com origin) context, or else the author of any doc you visit could act as you on Google properties.

PNWChris
20 replies
55m

Disclaimer: I work at Google, but not on Chrome or on these APIs.

I think the explanation is quite mundane. An example usage: open google meet, start an empty meeting (an “instant meeting”), click the “…” menu, click “troubleshooting and help”.

There’ll be plots of various stats, including CPU utilization. I think meet will also helpfully suggest closing tabs if your machine is overloaded during a meet call, too.

It’s very helpful, I check it from time to time.

3D30497420
5 replies
49m

Are features like this available to other websites outside of Google? Say, could Zoom also add a feature like this?

SirMaster
3 replies
39m

If Zoom makes a chrome extension, then yes.

lwansbrough
1 replies
29m

Will the Zoom extension also be installed by default?

ikiris
0 replies
14m

Do you want every person in the world to run a line to your house, or do you want to have 1, and use that service to talk to them?

octopoc
0 replies
21m

That is incorrect. Zoom would have to modify the browser source code to enable the API on their domain.

RIMR
0 replies
41m

A level playing field for competition? This is Google we're talking about.

john-n
3 replies
49m

I believe this is the point, rather than being mundane. Other video conference tools are not able to offer this debugging option - which you have pointed out is useful.

tantalor
1 replies
43m

The user could easily install an extension that provides the same debugging capability. Most users don't care, so they won't need it.

elicksaur
0 replies
20m

Defaults are powerful.

hot_gril
0 replies
1m

Other video conferencing tools don't lag like Meet, so users don't need to debug ;) I think this has to do with all of them using H.264 while Meet uses VP8/9.

danielmarkbruce
2 replies
46m

It's hilarious how people jump to the most sensational explanation for things like this, when in almost every case the reason is mundane. In the VR team at google back in 2016, we spent soooo much time making sure we deleted any data that could in any way be imagined to be related to tracking, not because we tracked anything personal, but because it could be perceived the wrong way by people with sensational viewpoints. "yes, but if you have those random 27 pieces of information, and correlate it using x advanced method, you can track what some random dude is doing!"

rurp
0 replies
30m

Yeah, crazy to think that Google of all companies would track people in unexpected ways :eyeroll:.

Your post is evidence that the scrutiny Google gets is actually helping matters. Companies, especially powerful ones, should default to not tracking personal data any more than necessary. I'm glad to hear that at least one department took that seriously.

ascorbic
0 replies
33m

This isn't a mundane explanation though: this is exactly the example Luca gives in the original thread. It's anti-competitive, because it's functionality only available to Google Meet. Google is using its browser monopoly to advantage its other products.

miki123211
1 replies
29m

I think the explanation is quite mundane

There’ll be plots of various stats, including CPU utilization. I think meet will also helpfully suggest closing tabs if your machine is overloaded

This is not mundane at all, it's a perfect example of giving your product an unfair competitive advantage.

If Meet users are told why their meeting isn't working correctly but Zoom, Teams and Slack, Meet users are going to have a better experience that Zoom, Teams or Slack has no way of replicating.

No wonder every other meeting provider pushes you aggressively into using their desktop app, Google Meet's desktop app is just Chrome!

trealira
0 replies
18m

If Meet users are told why their meeting isn't working correctly but Zoom, Teams and Slack, Meet users are going to have a better experience that Zoom, Teams or Slack has no way of replicating.

I had to re-read this a few times; did you accidentally omit a word?

If Meet users are told why their meeting isn't working correctly but Zoom, Teams and Slack aren't, Meet users are going to have a better experience that Zoom, Teams or Slack has no way of replicating.

I fully agree with you, though; it's anticompetitive for them to use Chrome to give their other products an advantage.

vundercind
0 replies
23m

Oh wow.

This explanation was the first I read of what this actually does (yeah, yeah, I didn’t read the linked article first) and that’s a lot worse than I expected.

tamimio
0 replies
5m

And they do the same thing with YouTube by slowing down the initial load in other browsers. Google is evil, and this is the least of it.

lucacasonato
0 replies
1m

I agree it is very useful! This is also how I discovered this in the first place.

But that is not at all my point. The point is that google.com web properties have access to an API and a browser capability that is not available to it's competitors. Google only allows reading CPU info for itself.

The reason the data is not available for everyone, is because it would be a huge tracking vector. Same reason we don't allow webpages to read the device hostname, or username, or Chrome profile name. Google exposes this to google.com because it trusts itself. That poses this antitrust issue though.

jhdifdhsak
0 replies
48m

if we are guessing I would drawn my guess from the hyper controlled access to android play services, which do much more than what you are guessing.

my guess would also include some nifty debug info from FLoC ;)

RIMR
0 replies
42m

Very cool that Google built an anticompetitive browser that offers such useful features only to themselves.

Very cool of you as a Google employee to say the quiet part out loud for us.

Tiberium
15 replies
1h9m

I think the submission is a bit wrong in editing the title from the original. I understood it like this:

Chrome has a built-in extension that uses public Chrome APIs that are easily available to other Chrome extensions. The issue described is that this extension shares this information to Google's own domains when they're communicating with the extension, while other websites can't do this.

There's no "special hidden API".

simonw
6 replies
26m

Paste this into a Chrome DevTools console on a Google site - sure looks like a special API to me:

    chrome.runtime.sendMessage(
        'nkeimhogjdpnpccoofpliimaahmaaome', {
            method: 'cpu.getInfo'
        }, response => {
            console.log('CPU Info:\n', JSON.stringify(response, null, 2));
        }
    );

rundev
3 replies
19m

Paste this into a Chrome DevTools console

I just learned that Chrome's sandbox has a huge hole in it for Google sites, and you want me to paste code into DevTools for said sites? Any bash scripts you want me to run as root as well? :)

ikiris
1 replies
16m

You're literally running their program already. They're already running arbitrary code on your machine.

lnxg33k1
0 replies
8m

People are running it because they think Google is trustworthy, so telling about abuses might be useful in order to erode that trust and let people know they shouldn't run anything from that company

simonw
0 replies
18m

You're welcome to read the five lines of code I shared yourself before you run it!

replete
0 replies
4m

This does not work (as expected) on `ungoogled-chromium`.

Jcampuzano2
0 replies
20m

For what its worth, I'm on Brave (chromium based) and this also works there, so it appears to not necessarily be only Chrome but potentially any chromium browser where they haven't specifically blocked/disabled this

danans
3 replies
42m

There is potentially an innocuous and straightforward explanation for this. Imagine the browser comes with some functionality implemented as a google.com-signed web app (as opposed to compiled/linked C++ as a lot of the older Chrome UI).

It would be silly if that PWA-implemented browser code would need permission to access the system information, since it is part of the browser's functionality itself.

Another use case for a private API (that has long existed) is integration of the Chrome browser with Google-specific websites that provide core functionality, like the Chrome Web store, to allow for installation/removal of extensions from a web page.

ranger_danger
1 replies
22m

Any time things like this are needed, I think it should ask the user for permission first.

danans
0 replies
13m

My examples are of core browser functionality, just implemented with a different tool chain (a web app instead of C++). Should the user be asked for permission for C++ to send an IPC to another C++ component? Should the Chrome Web store ask for permission to install extensions in Chrome?

Down-thread I see that this is being used for Google Meet functionality, for which I agree it should ask for the user's permission.

runarberg
0 replies
8m

I think it is a mistake to give a company like Google the benefit of the doubt. Consumer protection is a lot like security, we should theorize the worst case scenario, and assume the company is willing to work against consumer interest if it serves their own interests.

If there exists a mundane and reasonable explanation for this, that doesn’t matter if there also exists a potential to exploit it in a way that harms consumers’ interests.

silverwind
0 replies
37m

A "built-in extension" is still part of the browser unless it can be disabled.

parhamn
0 replies
42m

Same thing with more steps?

lwansbrough
0 replies
31m

This is functionally equivalent.

Cyphus
0 replies
49m

"special" in the sense that unlike other extensions which are user-installed, this one is built into Chrome.

"hidden" in the sense that when I go to chrome://extensions it is not listed.

And as you already mentioned, it's a Chrome API.

MisterDizzy
11 replies
1h36m

Hardly surprising. This is very Google-like behavior. The question is do other Chromium browsers have this? Edge? Brave? Chromium? Ungoogled Chromium?

bakugo
10 replies
1h22m

Don't know about the rest, but ungoogled chromium scrambles every occurrence of the string "google" in the code specifically to avoid things like this, so probably not.

idunnoman1222
5 replies
1h19m

Scrambles to a static unpurchased domain?

doctorpangloss
2 replies
1h13m

You’d hope so right?

If you don’t want to use Google’s browser, don’t use Google’s browser.

scrollaway
1 replies
50m

I don’t think you understand the security implication of what you just said.

8organicbits
0 replies
24m

Perhaps you could explain.

rany_
0 replies
19m

No network traffic is allowed on that random TLD. It is blocked.

Dwedit
0 replies
51m

If you end up with characters outside of the valid range after scrambling, then probably not.

yreg
1 replies
1h11m

Unless Chromium does something like atob("Z29vZ2xlLmNvbQ==")

0cf8612b2e1e
0 replies
56m

Malware obfuscation techniques to fuel the ad machine.

xigoi
0 replies
1h11m

What if it’s checking a hash of the domain name?

jeffbee
10 replies
1h26m

You can build Chrome without this by setting `enable_hangout_services_extension` to false. Of course, then none of the WebRTC stuff on google.com will work.

ramesh31
7 replies
1h25m

One does not simply "build chrome".

lifesaverluke
4 replies
1h19m

The process is well documented :-)

dudus
2 replies
1h12m

FWIW I once tried and failed to compile Chrome. My machine didn't have enough RAM to compile chrome at the time. Even though it was able to fully compile any other software I threw at it.

sebazzz
0 replies
45m

Is that special to the Chrome codebase, or inherent to the fact that a web browser is now basically an operating system by itself?

lifesaverluke
0 replies
49m

Yeah, you need a big machine. I provide Chromium builds for AWS Lambda, compiling on a large EC2 instance.

recursive
0 replies
1h7m

Just like the US tax code is well documented?

ranger_danger
0 replies
1h8m

yes but that's Chromium, not Chrome (which is proprietary). I think that's what OP was saying

daft_pink
0 replies
1h14m

i just want to know if this is built into arc to be honest.

autoexec
0 replies
23m

No WebRTC would be a win, but people can just use firefox and disable WebRTC globally.

beardyw
10 replies
1h28m

What has an hidden API where? I have no idea what this is trying to say. Can anyone make sense of it?

jeffbee
4 replies
1h17m

I don't think that is an accurate description. The APIs are available in Chrome to anyone: https://developer.chrome.com/docs/extensions/reference/api/s...

The allowlisting going on here is that normally when you install an extension in Chrome it asks you to confirm the access to those APIs on the sites where the extension wants to run, but this one comes pre-confirmed from the factory. A quick GitHub search finds ~1000 manifest files that list system.cpu, possibly because that API is also in the boilerplate example chrome extension manifest.

josephcsible
3 replies
1h14m

That's still just as unfair, though. Google always has access to that information because their extension is preinstalled and you can't disable it, but other websites have no access to that information unless you go out of your way to install a third-party extension to do so.

IshKebab
1 replies
46m

I mean... You downloaded the browser from Google. Did you think Google wouldn't have some kind of privileged access to it?

autoexec
0 replies
19m

Google would naturally have privileged access to the browser, but that doesn't need to mean they have secret privileged access to my computer's hardware

jeffbee
0 replies
1h9m

OK. That's a point of view. I just thought it should be accurately described.

I think the idea that you will download a web browser from Google and then it won't be able to figure out what model of CPU it is running on is a bit weird, when you think it through. There are lots of features of Chrome that are only "available to Google" for example it will only download updates from Google, unless you've modified its source code.

ranger_danger
0 replies
1h7m

That is the source code of Chromium, not Chrome.

sophiebits
0 replies
1h26m

Websites hosted on the google.com domain can access more data about the device than websites hosted on any other domain.

emilsedgh
0 replies
1h26m

Google allows web pages from *.google.com to read a user's cpu usage, gpu usage, etc.

Other web pages don't have such access.

Loic
0 replies
1h20m

If correct, once you access a `.google.com` website, the browser makes available through javascript an API allowing the querying of a lot of information about all the open tabs (if open, for example, your banking website) and can send the collected information to the "mother ship".

If true, as usually, a lot of people have a Google tab open, you can easily deduct what it means.

This is definitely something to be investigated, for the moment, we only have a tweet.

bonestamp2
5 replies
1h37m

Is it fair to assume this is used for fingerprinting/tracking users?

sophiebits
1 replies
1h26m

No.

daniel_levine
0 replies
1h22m

this is a great comment, thank you for your service!

rolph
0 replies
1h17m

perhaps a measure to determine if the owners devices can tolerate one more web app or ad stream before it runs out of resources

plorkyeran
0 replies
28m

Google doesn't need any extra help to track users who are browsing Google sites in the Google browser. It is probably instead anticompetitive functionality that lets Google sites work better in Chrome in ways that other sites can't replicate.

diggan
0 replies
1h22m

The tweet says:

So, Google Chrome gives all *.google.com sites full access to system / tab CPU usage, GPU usage, and memory usage. It also gives access to detailed processor information, and provides a logging backchannel.

Those things can absolutely be used to "improve" fingerprinting. I don't think it's fair to assume it's being used for that though, without any further evidence. But it certainly could be used for it.

Anyone have any further context? As it stands right now, it's just a random claim without any proof what so ever? There is link in another comment, but how is that related to the tweet?

mike_hearn
4 replies
17m

The name hangout_services suggests this is some old tech debty hack intended to make developing Google Hangouts easier by giving that team a direct stream of telemetry. For those who have forgotten, Hangouts was the first app that did video calling in the browser using what became WebRTC. If you look at what this module is doing it's exposing stuff like CPU/GPU/RAM usage/hardware details back to the app that it wouldn't normally have.

My guess is that Google will react to this Twitter thread by simply deleting it. Hangouts has been a dead product for a while; if their server side code still uses it they can surely remove it as presumably the Chrome team monitor WebRTC performance themselves in a multi-site way now, given the much wider usage.

lucacasonato
3 replies
10m

No, this is used by Google Meet right now. Open the "Troubleshooting" panel in meet.google.com in Chrome, and you'll see live system wide CPU usage reporting :)

mike_hearn
1 replies
9m

Right, Meet is derived from the Hangouts codebase, I still think they'll probably just delete it. Meet is a stable product, how valuable is this special privilege now?

badgersnake
0 replies
2m

It works perfectly well in Firefox without it, so I guess not much.

cxr
0 replies
0m

[delayed]

madeofpalk
2 replies
1h9m

I'm not sure what these APIs are exactly and why they're there, but Firefox also does something similar. It has special APIs available only to Mozilla and/or Firefox domains, for things like installing extensions, or helping with first-run experience.

A blog post about it was shared here on Hacker news <12 months ago, but I'm having trouble finding it...

jhdifdhsak
0 replies
52m

Hardly the same.

apis are public, documented and the domain allowlist is both included in the UI and about:config (save from android playstore version where they hide everything to make the browser pure garbage for whatever reason)

and I'm pretty sure devs would at least think about adding your domain by default if you ask nicely with a great use case on bugzilla.

Osmose
0 replies
49m

I wrote a post about the UITour parts a long time ago: https://www.mkelly.me/blog/content-uitourjs/

It's pretty standard among browsers. The risk should be about equal to someone spoofing the domains that the browser downloads software updates from, and you can turn it off via prefs if you really don't want it.

ethanppl
2 replies
1h12m

I wonder how Chromium, Brave or Edge handle this?

mmsc
1 replies
1h7m

And? Google uses Chrome to retrieve data about the user.

Every Chromium-based browser has 'hidden' APIs only accessible on certain domains. That's how the custom (read: closed source) extensions work. "Component extensions" are used to interact with them normally: https://chromium.googlesource.com/chromium/src/+/main/extens...

See https://blogs.opera.com/security/2021/09/8000-bug-bounty-hig... and https://blogs.opera.com/security/2021/09/bug-bounty-guest-po... for examples of when there are vulnerabilities in those extensions, and how they can be abused for remote code execution.

Any whitelisted domains for these APIs cannot be written to using user-installed extensions, in order for a malicious extension to not be able to inject a script and execute the special API.

At Opera, we previously tried attacking the underlying implementation about how these 'hidden' APIs are accessible. Although we found a lot of Opera-specific issues, the Chromium logic seems sound and a "bypass" for other websites accessing the API is unlikely. It also seems that the developer here was just a bit overzealous in allowing this API to be accessed from all google.com subdomains.

jhdifdhsak
0 replies
40m

technically correct. google chrome should forever be called "Tainted Chromium" to use the same nomenclature as the Linux Kernel when you load blobs.

lwansbrough
1 replies
26m

For anyone having trouble with the logic here, which seems like a lot of people in this thread for some reason:

[Google's browser] comes with [code] that [does things] in a default installation of [Google's browser] that [Google's competitors] can't do in a default installation of [Google's browser].

SahAssar
0 replies
8m

Didn't you leave out that [Google's browser] allows [Google's websites] to do things [other websites] cannot?

Ostensibly [Google's websites] are websites like any other, but [Google's browser] treats them differently. IIRC Mozilla does similar things for addons.mozilla.org, but googles seem more broad since they are not as clearly linked to browser functionality.

lashkari
1 replies
59m

If it's really accessible from *.google.com, wouldn't this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?

DownrightNifty
0 replies
52m

JS on Google Sites, Apps Script, etc. runs on *.googleusercontent.com, otherwise cookie-stealing XSS happens.

chrsig
1 replies
1h8m

Is there more of an explanation? I see a baseless claim without any specificity.

I'm not saying it's right/wrong, just that no evidence was presented.

develatio
0 replies
46m

There is a link pointing out the exact place in Chrome's code.

blackeyeblitzar
1 replies
1h18m

So this is a lot like Microsoft using specialized formats or APIs in Windows that competitors cannot access, which was a problem throughout the 90s. The problem never went away - it has just changed appearance.

Brian_K_White
0 replies
1h6m

This is a little different than Office being able to use some useful OS integration feature that LibreOffice can't use.

This is allowing Google to do something TO you that no one else can do to you, and that you assumed no one could do to you.

Palmik
1 replies
28m

People arguing that this is "just extension" are ignoring the fact that extensions have special priviledges compared to websites, and you would not want all websites to have the full power of arbitrary extension.

If it's "just extension", make it available to all domains.

Kuraj
0 replies
1m

It's still an extension made by Google, in a Google browser providing special privilegs to Google websites. This code could just as well live in the browser itself. You have already placed implicit trust in Google by using the browser in the first place. I don't see how this makes it any worse

toenail
0 replies
55m

Hm, I guess it's good I have a firewall?

simonw
0 replies
51m

If you want to see what this does, navigate to https://www.google.com/ in Chrome and paste this into your DevTools console:

    chrome.runtime.sendMessage(
        'nkeimhogjdpnpccoofpliimaahmaaome', {
            method: 'cpu.getInfo'
        }, response => {
            console.log('CPU Info:\n', JSON.stringify(response, null, 2));
        }
    );
I got this:

    {
      "value": {
        "archName": "arm64",
        "features": [],
        "modelName": "Apple M2 Max",
        "numOfProcessors": 12,
        "processors": [
          {
            "usage": {
              "idle": 26879793,
              "kernel": 5270058,
              "total": 42511068,
              "user": 10361217
            }
          },
          {
            "usage": {
              "idle": 27925505,
              "kernel": 5045974,
              "total": 42900999,
              "user": 9929520
            }
          },
          {
            "usage": {
              "idle": 29153545,
              "kernel": 4688719,
              "total": 43152989,
              "user": 9310725
            }
          },
          {
            "usage": {
              "idle": 30140852,
              "kernel": 4360719,
              "total": 43319960,
              "user": 8818389
            }
          },
          {
            "usage": {
              "idle": 34426211,
              "kernel": 2169516,
              "total": 43433582,
              "user": 6837855
            }
          },
          {
            "usage": {
              "idle": 38586206,
              "kernel": 1338183,
              "total": 43658789,
              "user": 3734400
            }
          },
          {
            "usage": {
              "idle": 41067872,
              "kernel": 598226,
              "total": 43874597,
              "user": 2208499
            }
          },
          {
            "usage": {
              "idle": 41795321,
              "kernel": 412479,
              "total": 43965499,
              "user": 1757699
            }
          },
          {
            "usage": {
              "idle": 34484688,
              "kernel": 2180147,
              "total": 43500079,
              "user": 6835244
            }
          },
          {
            "usage": {
              "idle": 38604714,
              "kernel": 1340358,
              "total": 43680869,
              "user": 3735797
            }
          },
          {
            "usage": {
              "idle": 41086212,
              "kernel": 599273,
              "total": 43883401,
              "user": 2197916
            }
          },
          {
            "usage": {
              "idle": 41802500,
              "kernel": 411499,
              "total": 43970596,
              "user": 1756597
            }
          }
        ],
        "temperatures": []
      }
    }
This won't work on non-Google URLs.

ranger_danger
0 replies
1h11m

login-walled

pcwalton
0 replies
1h32m

Google has done this sort of thing before. My memory is fuzzy as to the details, but I think it was Native Client being allowlisted at the domain level to only work on Hangouts, or something like that.

mcpar-land
0 replies
1h14m

Google spent billions muscling their way into their majority market share of web browsers, now they're going to keep on cashing out with unfair practices like these.

leros
0 replies
43m

I briefly worked on Internet Explorer in ages past. They would develop APIs with the Windows team for use in IE to give IE special features that other browsers couldn't implement.

kderbyma
0 replies
6m

That was one reason I don't use Chrome. They clearly do special stuff on their sites. And spyware is guaranteed with chrome

jgalt212
0 replies
1h11m

It's like Google relishes in giving the FTC all the help it could ever want.

hpen
0 replies
59m

I guess all those Apple hating PWA lovers aren't gonna be happy about this.

bastien2
0 replies
1h18m

This just in: Google Spyware has features accessible only to Google.

baggy_trough
0 replies
1h15m

Wonder if Edge renames this to *.microsoft.com or bing.com.

CMYKninja
0 replies
1h3m

I can hear the regulators in Strasbourg typing up complaints and fines now.