What happens when you launch Google Chrome for the first time?

This post will describe, in great detail, what happens on a granular, network level when Chrome is run for the very first time.

When I launched Google Chrome for the first time (and let it sit for a minute), 32 requests were made, and 7.26 MB of data downloaded.

The first call Chrome makes is to the googleapis domain. It passes my OS type, browser channel (Stable), and version (v76) along. The response is 32KB of flags, features, and more. Not clear what they all do (as many can’t be found in Chromium source) but some are fairly clear.

The next call appears to try and communicate with the Google accounts server (already trying to pair me with a profile?). This call is to https://accounts.google.com, for the /ListAccounts path. The endpoint responds with [“gaia.l.a.r”,[]], meaning no account was found (AFAIK).

Based on the following, I would expect a positive GAIA (Google Accounts and ID Administration) to return with my Google Email address. Since it didn’t, I’m suspect they failed to pair to me anything.

Chrome’s next call is to the http://clients2.google.com endpoint. It passes quite a few extension/app IDs over the wire. Google responds with an XML document pointing towards endpoints in the Web Store that need to be queried. You see those queries later in the session list.

A brief tangent now; Chrome fires a request off to http://gstatic.com for some type of translation model. While the response isn’t easy to parse, it holds numerous language codes (as we’d expect in this instance):

Back to the extension/app IDs we were investigating earlier. Chrome now begins to issue requests for the corresponding CRX files. The first request is for the Google Drive extension. Honestly, this hardly qualifies as an extension IMHO. One line of JavaScript and a manifest file.

There are 9 extensions downloaded during the first-run. They’re mostly very small, and mainly related to Google Drive and Docs. Also an extension for YouTube, GMail, Chrome Cast, and Payments. Most of these can be seen on the /apps page in the browser itself.

The http://redirector.gvt1.com request is for Chrome Cast. It, for some reason, takes a different route than the other extensions. The same for their “craw” bits, which appear to be tied into Web Store Payments, judging by the locale files. I’m curious why these are served uniquely.

I should note, http://redirector.gvt1.com doesn’t actually serve the extension bits. Instead, it does (as it’s name suggests) a redirection. The path to which it directs us is quite odd: /r3 — sn-8xgp1vo-5uae.gvt1.com. This pattern looks familiar for some reason — not sure why.

The last thing we see related to these initial extensions is a verify request for each. IDs are sent over the wire, and googleapis responds with a bit of data to check integrity.

That appears to be all of the extension-related work. Next the browser made a call out to http://docs.google.com. Why? No idea. But it 302s to http://accounts.google.com—to the /ServiceLogin endpoint. A custom header appears to store a client_id, as well as a device_id.

Next up is a request to Google’s /searchdomaincheck endpoint. It simply responds with ‘http://google.com‘. I assume this is asking where search data should go, by default.

We now come to the very last call to http://clients2.google.com. At this point, it is confirming that none of the extensions need to be updated. What I find odd, though, is that the two which installed via redirector.* are recorded as ‘installedby=other’ instead of internal.

This wraps up the first-run experience for Google Chrome.

About the Author

Umair Akbar is a Senior Security Systems Engineer known for his contributions on Zero Trust Architecture. You can find his socials here or his blog where this post originally appeared.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store