solid thread

Why the hell do Steam need connection too Google Accounts? Its a massive security concern.

Thank you for this thread, lightwo!
Hopefully Valve will notice that we're not OK with these Chromium updates at the cost of our privacy!

Also, I would love an actual explanation from Valve why they decided to even introduce the browser rebuild in the first place? Which actual issues were solved by this?

We,, one solid reason to rebase chromium in the steam client is for security patches, often fairly seriously CVE tier stuff. But it sounds like valve is now doing less customisation on chromium than they used to. Seems like there could be a path to slimming down the steam client and making it more performant here.
Reminder that the entire steam UI is now actually a webpage running in a borderless chromium window, so optimisations here would help everywhere that steam runs. Including things like the battery life of the steam deck and presumably the upcoming steam frame, which runs steamOS too.

Originally posted by Broseph Joseph:

We,, one solid reason to rebase chromium in the steam client is for security patches, often fairly seriously CVE tier stuff. But it sounds like valve is now doing less customisation on chromium than they used to. Seems like there could be a path to slimming down the steam client and making it more performant here.
Reminder that the entire steam UI is now actually a webpage running in a borderless chromium window, so optimisations here would help everywhere that steam runs. Including things like the battery life of the steam deck and presumably the upcoming steam frame, which runs steamOS too.

I'm pretty sure the Chromium version number was the exact same before and after that change (Back in October I compared the stable version with the beta version).

Originally posted by Broseph Joseph:

Seems like there could be a path to slimming down the steam client and making it more performant here.

But that's the exact opposite of what is happening. There is now a lot more stuff running in the background that doesn't need to be.

Originally posted by nian:

Originally posted by Broseph Joseph:

We,, one solid reason to rebase chromium in the steam client is for security patches, often fairly seriously CVE tier stuff. But it sounds like valve is now doing less customisation on chromium than they used to. Seems like there could be a path to slimming down the steam client and making it more performant here.
Reminder that the entire steam UI is now actually a webpage running in a borderless chromium window, so optimisations here would help everywhere that steam runs. Including things like the battery life of the steam deck and presumably the upcoming steam frame, which runs steamOS too.

I'm pretty sure the Chromium version number was the exact same before and after that change (Back in October I compared the stable version with the beta version).

Ok well it seems inexplicable then.

Originally posted by lightwo:

Originally posted by Broseph Joseph:

Seems like there could be a path to slimming down the steam client and making it more performant here.

But that's the exact opposite of what is happening. There is now a lot more stuff running in the background that doesn't need to be.

I know.

Hate Google, get their crap as far away from me as possible, disappointing but shouldn't be very surprising sadly.

Recurring background connections to several Google services that are not technically necessary, which transfer extensive metadata and cannot be viewed or controlled by the user.

Thereby Valve is violating the principles of data minimization, purpose limitation, transparency, legal basis for processing and third-country transfers (important for Europeans in relation to the GDPR).

You can find the metadata examples in the announcement that lightwo has linked.

When Steam is running normally in the background without the user doing anything, e.g., with the library open, repeated callbacks occur at intervals of approximately 1-3 minutes, each with a full set of between 4 and 16 IP addresses.

The more products or other pages are opened by users, the more callbacks applies.

Number of IPv4 callbacks counted (may vary) during various tests

14 Google Autofill
1 Google Account
35 Google Optimization
20 Google main domain
2 Google Safebrowsing

Regulary active (e.g. during startup) and product dependent. These mechanics were introduced towards the end of 2021/beginning of 2022 and later.

9 Discovery callbacks (regular)
21 IPv6 Checks (regular and product dependent))
2 Captive Portal Checks (regular and product dependent))

Note:
Valve used Google GStatic for their captive portal checks for a short time, but replaced it with its own service. The system spammed over 15k queries when it was blocked in a short time.

Steam never should have integrated chromium in the first place, it should have chosen firefox or just built its own in built browser.

Even in the prior Vgui version of steam, they used a customized version of CEF to render web content like the Store and Community only, now the whole UI is CEF based ... but CEF has been there from the early days of Steam, probably data mining away like everything else does these days. I'd much prefer actual privacy protection, but there's no corporate profit in actually providing that.

Originally posted by Xenophobe:

Even in the prior Vgui version of steam, they used a customized version of CEF to render web content like the Store and Community only, now the whole UI is CEF based ... but CEF has been there from the early days of Steam, probably data mining away like everything else does these days. I'd much prefer actual privacy protection, but there's no corporate profit in actually providing that.

Not exactly considering Steam is way older than the Chromium engine itself, I think it used to hook into IE in the early years before switching to CEF once that became available.

Now its so bloated I accidentally managed to open up a full actual Chromium windows from inside Steam, so safe to assume now of all of it is there, the slight advantage this brings that I was able to install old Ublock Origin Manifest V2(non Lite) so no more ads in Steam Overlay which is really nice, I didn't try it before but the stripped back version of Chromium they used to use removed many features before including extension support.

Originally posted by tyl0413:

Originally posted by Xenophobe:

Even in the prior Vgui version of steam, they used a customized version of CEF to render web content like the Store and Community only, now the whole UI is CEF based ... but CEF has been there from the early days of Steam, probably data mining away like everything else does these days. I'd much prefer actual privacy protection, but there's no corporate profit in actually providing that.

Not exactly considering Steam is way older than the Chromium engine itself, I think it used to hook into IE in the early years before switching to CEF once that became available.

Now its so bloated I accidentally managed to open up a full actual Chromium windows from inside Steam, so safe to assume now of all of it is there, the slight advantage this brings that I was able to install old Ublock Origin Manifest V2(non Lite) so no more ads in Steam Overlay which is really nice, I didn't try it before but the stripped back version of Chromium they used to use removed many features before including extension support.

It's been a while per: https://developer.valvesoftware.com/wiki/Chromium_Embedded_Framework ... their modified version of CEF source code .zip file is dated April 24, 2012 ... early days was admittedly rather vague of me ...

Originally posted by tyl0413:

Now its so bloated I accidentally managed to open up a full actual Chromium windows from inside Steam, so safe to assume now of all of it is there, the slight advantage this brings that I was able to install old Ublock Origin Manifest V2(non Lite) so no more ads in Steam Overlay which is really nice, I didn't try it before but the stripped back version of Chromium they used to use removed many features before including extension support.

Wow, it actually works.
Definitely better than nothing.

The Chromium-style window always opens after the extension has been installed.
Make sure to set your extension preferences inside that window, because there is no easy way to get it back once it's closed.
Also, you can't access the extension settings inside the Steam-style browser windows.

Interestingly, the Chromium-style window doesn't crash Steam when opening new tabs from certain links (Yes, that's another bug in the Steam-style browser).

Chromium, which like some have mentioned is a core part of the Steam client and allows us to build rich web based UI has to be updated frequently to stay ahead of known public security vulnerabilities.

We use CEF to embed Chromium, and part of what the CEF team has been doing is changing some core pieces of the Chromium runtime, moving from the older Alloy runtime which was more stripped down to the Chrome runtime. In order to keep updating our CEF and Chromium builds we have no choice but to switch runtimes at this point.

However, some of these new Google services being called was not intended by us and was a surprise side effect to us. We appreciate your reports and we are investigating what can be done to disable many of these. We definitely share your concerns on not reporting data to Google when there is no clear need. We will not be able to move to the old runtime as the next versions of CEF and Chromium will have deleted it, and Chromium itself is ubiquitous in modern applications and required for us to continue building rich UI in Steam. However, we will definitely do what we can to minimize the Google API integration for things that are unnecessary for Steam's Chromium usage.