ungoogled-chromium
Chromium without Google tracking — privacy-focused, drop-in replacement
ungoogled-chromium is a privacy-focused build of Google Chromium that eliminates every dependency on Google web services without altering the core browsing experience. It removes all background requests to Google infrastructure, strips pre-built proprietary binaries from the source tree, and introduces configurable transparency features — delivering a browser that behaves like Chromium but operates entirely under the user’s control.
The project achieves this through a layered approach: source patches disable specific Google-dependent features (Safe Browsing, Cloud Messaging, GAIA authentication, domain reliability reporting), while a domain substitution pass replaces hardcoded Google URLs with a non-existent fake TLD (qjz9zk) at compile time. A runtime blocking layer then intercepts any requests to those substituted domains, creating a two-stage defense that catches even undiscovered tracking vectors added in future Chromium releases.
ungoogled-chromium ships as a build toolchain rather than a standalone binary — it provides the patches, configuration files, and Python utilities needed to produce a de-Googled Chromium build. Platform-specific repositories extend this base with distribution-appropriate build scripts, and the result is available through major package managers including Homebrew, AUR, Flatpak, NixOS, and Debian OBS.
Patch contributions are organized into two tiers: core patches that remove Google service dependencies (required across all platforms) and extra patches that enhance transparency and control (optional, may not persist across Chromium updates). This separation allows platform maintainers to maintain stable builds while the project tracks Chromium upstream releases closely.
What You Get
- Google Web Service Removal - Patches disable Safe Browsing, Google Host Detector, Google Cloud Messaging, GAIA authentication, domain reliability reporting, and URL tracking across more than 28 core patches.
- Compile-Time Domain Substitution - Replaces hardcoded Google domains in source code with the non-existent qjz9zk TLD before building, so even newly introduced tracking endpoints are neutralized without additional patches.
- Runtime Request Blocking - Intercepts any network requests targeting qjz9zk domains or the trk: URL scheme at runtime, providing a second line of defense against tracking that survives compile-time substitution.
- Binary Pruning - Strips all pre-built proprietary binaries from the Chromium source tree before compilation, replacing them with system-provided or user-supplied alternatives to ensure full source transparency.
- Extended chrome://flags and Command-Line Switches - Adds numerous configurable flags for disabling automatic URL formatting, forcing pop-ups into tabs, controlling Omnibox behavior, and toggling translation features.
- No Search Omnibox Provider - Introduces a ‘No Search’ search engine option that completely suppresses search suggestions and query submissions from the address bar.
- Privacy-Hardened Default Settings - Ships with third-party cookies blocked, background app continuation disabled, password saving disabled, search suggestions off, and WebRTC IP handling set to disable non-proxied UDP by default.
- AI Feature Disabling - Includes a dedicated patch (disable-ai.patch) to disable Chromium’s built-in AI features, reflecting ongoing vigilance against new Google service integrations.
- Zone Identifier Removal (Windows) - Prevents Windows from attaching Zone Identifier metadata to downloaded files, reducing tracking via file system attributes.
- Reproducible Platform-Extensible Build System - Provides a clean base toolchain that platform-specific repositories extend, enabling consistent de-Googling across Linux distributions, macOS, Windows, FreeBSD, and OpenBSD.
Common Use Cases
- Privacy-conscious developers - Run ungoogled-chromium as a daily driver for web development and testing, maintaining full Chromium DevTools compatibility while ensuring no browsing activity is reported to Google.
- Journalists and security researchers - Browse sensitive sources and conduct research without Google Safe Browsing reporting visited URLs or telemetry leaking behavioral data to Google’s infrastructure.
- System administrators in regulated environments - Deploy ungoogled-chromium on corporate or government workstations where data sovereignty requirements prohibit connections to Google web services, using AUR, Flatpak, or OBS packages for managed deployment.
- NixOS and Guix users - Install ungoogled-chromium as the primary browser in declarative, reproducible system configurations where third-party service dependencies must be auditable.
- Users building custom Chromium variants - Integrate ungoogled-chromium’s patch set and domain substitution toolchain into existing Chromium build pipelines to layer additional privacy modifications on top of the de-Googled base.
Under The Hood
Architecture ungoogled-chromium implements a build-time transformation pipeline organized around declarative configuration files that drive a sequence of source-level processors. The architecture separates concerns cleanly across four stages: download orchestration (downloads.ini), binary pruning (pruning.list), domain substitution (domain_regex.list and domain_substitution.list), and patch application (patches/series). Each stage is stateless relative to the others and communicates entirely through the filesystem, making the pipeline auditable, restartable, and reproducible without any runtime state management. Patches are organized into two explicit tiers — core patches that remove mandatory Google service dependencies and extra patches that add optional transparency features — allowing platform repositories to extend the base without forking the essential de-Googling logic. This build-time-only architecture means there are no runtime components, no daemon processes, and no network agents; the entire modification surface is inspectable source code applied before compilation.
Tech Stack The toolchain is implemented in Python 3 using the standard library exclusively — pathlib for filesystem operations, argparse for CLI interfaces, subprocess for invoking system tools, re for domain substitution regex processing, and tarfile for archive handling. Patches are in GNU Quilt unified diff format applied via the system patch binary. GN (Google’s meta-build system) handles the Chromium build layer, configured through flags.gn. CI runs on Cirrus CI. Testing uses pytest with coverage reporting. Development tooling includes pylint for linting and yapf for formatting, with helper scripts in devutils/. A shell.nix file supports reproducible development environments via Nix. The intentional absence of third-party Python dependencies reflects the project’s philosophy: every dependency is a potential trust boundary.
Code Quality The codebase is modular and consistently organized, with _common.py providing shared utilities and each processor (domain_substitution.py, prune_binaries.py, patches.py, downloads.py) implemented as an independent, CLI-invocable module. Tests exist in both utils/tests/ and devutils/tests/ using pytest, covering domain substitution timestamp handling, patch file validation, and config file integrity checks. However coverage is limited to the toolchain utilities rather than end-to-end integration scenarios, and no type annotations are present in any module. Error handling relies on standard Python exceptions without structured recovery. The devutils/validate_config.py script provides comprehensive defensive validation of patch series, GN flags, and download manifests. Pylint and yapf scripts exist but are not enforced as CI gates. Overall the code is readable and purposeful, with the narrow scope keeping complexity manageable despite limited formal quality tooling.
What Makes It Unique The domain substitution approach is architecturally distinctive: rather than patching individual known tracking calls, ungoogled-chromium replaces all Google domain references at compile time with a fake non-resolvable TLD, then adds a runtime blocker for that TLD. This means any new Google service integrated into Chromium upstream — even one not yet identified as a tracking vector — will automatically fail to connect when it inherits a substituted domain. This defense-in-depth design sets ungoogled-chromium apart from other privacy forks that maintain lists of specific endpoints to block. The disable-ai.patch and ongoing patch additions demonstrate the project’s commitment to tracking Chromium’s evolving feature surface. Combined with the two-tier patch organization and platform-extensible architecture, ungoogled-chromium represents a principled, systematic approach to browser de-Googlification rather than a one-time modification.
Self-Hosting
ungoogled-chromium is licensed under the BSD 3-Clause license, the same permissive license used by the Chromium project itself. This license allows unrestricted use, modification, and distribution in both commercial and non-commercial contexts, with no copyleft requirements. Organizations can deploy ungoogled-chromium on any number of machines, integrate its patch toolchain into proprietary build pipelines, and redistribute modified builds without obligation to release source changes — the only requirements are attribution and retention of the license notice.
Running ungoogled-chromium in practice means taking on the full operational responsibility of building and distributing a browser. The core repository provides the patch toolchain, not a ready-to-run binary — production deployments depend on platform-specific repositories or community package managers (AUR, Flathub, Nix, OBS, Homebrew) that maintain distribution-specific build scripts. Organizations requiring specific Chromium versions or security patch timelines must monitor both Chromium upstream and ungoogled-chromium releases, as the project typically follows Chromium’s release cadence closely but without formal SLA commitments. Security patches require waiting for the de-Googling patches to be updated against each new Chromium version, which can introduce a short lag relative to official Chromium security releases.
There is no managed cloud offering, enterprise support tier, or commercial hosting option for ungoogled-chromium — it is a pure open-source project maintained by volunteers. Organizations that need guaranteed patch timelines, centralized policy management, vulnerability disclosure programs, or formal support contracts must establish these themselves or evaluate commercially supported Chromium-based browsers (such as those offered by enterprise browser vendors). For organizations with data sovereignty requirements that prohibit Google service dependencies, ungoogled-chromium is one of the few technically auditable options, but the operational tradeoff is accepting full responsibility for build infrastructure, update cadence, and security monitoring.
Related Apps
Ladybird
Browser
A truly independent web browser built from scratch — no Chromium, no WebKit, no Gecko.
Ladybird
BSD 2Zen Browser
Browser
A Firefox-based browser that puts focus, privacy, and workflow front-and-centre without sacrificing compatibility
Zen Browser
MPL 2.0Helium
Browser
Privacy-first Chromium browser with unbiased ad-blocking and no bloat