crypto.randomUUID()
- Category: Miscellaneous
- Type: New or changed feature
- Status: Enabled by default (Chrome 92)
- Intent stage: Start incubating
Summary
Introduces the method crypto.randomUUID() for generating RFC 4122 version 4 identifiers. The method returns the namespace-specific string representation (for example, "6e4decd0-6066-4a25-98e3-0227317cda52").
Motivation
Generating random UUIDs is a common need for web applications (the uuid module on npm is installed more than 200,000,000 times a month).
Developers who have not been exposed to RFC 4122 might naturally opt to invent their own approaches to UUID generation, potentially using insufficient PRNG implementations.
Standardizing a UUID method, which dictates that a CSPRNG must be used, helps protect developers from security pitfalls.
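As an added illustration of the motivation above (not code from the specification or from Chrome), the following JavaScript prefers crypto.randomUUID() and otherwise builds the version 4 identifier from crypto.getRandomValues() by setting the RFC 4122 version and variant bits. The names randomUUIDv4, uuidV4FromBytes and isUUIDv4 are hypothetical, and the Node.js require() fallback is an assumption for running outside a browser.

```javascript
// Added example: prefer crypto.randomUUID(), fall back to a CSPRNG-backed
// RFC 4122 version 4 construction. There is deliberately no Math.random() path.
// Assumption: browser or Node.js; older Node.js exposes Web Crypto via require().
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Build a version 4 UUID string from 16 random bytes (RFC 4122, section 4.4).
function uuidV4FromBytes(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length !== 16) {
    throw new TypeError('expected a Uint8Array of 16 bytes');
  }
  const b = Uint8Array.from(bytes);      // copy so the caller's buffer is untouched
  b[6] = (b[6] & 0x0f) | 0x40;           // high nibble of byte 6: version 4
  b[8] = (b[8] & 0x3f) | 0x80;           // top two bits of byte 8: variant 10
  const hex = Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
  return [
    hex.slice(0, 8),
    hex.slice(8, 12),
    hex.slice(12, 16),
    hex.slice(16, 20),
    hex.slice(20),
  ].join('-');
}

// Use the standardized method when present, otherwise the CSPRNG fallback.
function randomUUIDv4() {
  if (typeof webCrypto.randomUUID === 'function') {
    return webCrypto.randomUUID();
  }
  return uuidV4FromBytes(webCrypto.getRandomValues(new Uint8Array(16)));
}

// Structural check only: 8-4-4-4-12 lowercase hex, version nibble 4,
// variant nibble 8, 9, a or b. It cannot tell whether the 122 random bits
// came from a CSPRNG, so it does not vouch for an identifier's unpredictability.
const V4_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

function isUUIDv4(s) {
  return typeof s === 'string' && V4_RE.test(s);
}
```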
Standards & signals
- Specification: https://wicg.github.io/uuid/
- Firefox: No signal — Some discussion in thread:
https://github.com/mozilla/standards-positions/issues/511
- Safari: No signal — Discussion thread:
https://lists.webkit.org/pipermail/webkit-dev/2021-April/031783.html
- Web developers: Positive — In a Twitter post (https://twitter.com/tomayac/status/1380445180403318785) from when randomUUID landed behind a flag, the response from the community was positive: “Would be super useful”, “Cool enough, I should start providing keys to react list elements using this uuid”, “We could roll one with crypto.getRandomValues(), but this is easier”.
A Stack Overflow thread with over 4000 upvotes (https://stackoverflow.com/questions/105034/how-to-create-a-guid-uuid) is notable in that several suggested implementations use Math.random(), which is not a CSPRNG, and users were specifically looking for direction on how to create UUIDs safely.
The uuid npm module (https://www.npmjs.com/package/uuid) is downloaded over 50,000,000 times a week, and it is one of the 20 most depended upon modules. It is unknown how much UUID is used server-side vs. on the web; observationally, I noted that the module is used by the web framework Gatsby.
The Node.js crypto.randomUUID implementation is already seeing usage across hundreds of codebases (https://github.com/search?p=2&q=%22crypto.randomUUID%22&type=Code).
- Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1197594
Explainers: https://github.com/WICG/uuid/blob/gh-pages/explainer.md