Planet Chromium

• Fixes to login problems that users may have encountered on machines that were shipped with versions R11 and earlier.
• Updated Pepper flash version.

Known issues:

• 25557 & 25559 - Hangouts will not display video of yourself or participants on Chromebooks. Audio does work, and other Hangout participants will be able to see you if video is enabled. This problem does not affect GTalk Video.
• 25509 - Occasionally when switching tabs, the screen will not redraw the content to the new tab. Workaround: Closing all tabs or restarting the machine resolves the issue.

Vsevolod Vlasov has been a major contributor to the recent improvements to the Web Inspector. Please join me in congratulating Vsevolod on his new role as a WebKit reviewer!

The Beta channel has been updated to 17.0.963.43 (Platform versions: 1412.142) for Chromebooks (Samsung Series 5 , and Cr-48).

Highlights:

• This update fixes a number of stability and UI issues.
• Introduces new Verizon activation and top-up portal featuring many user-requested improvements:
• Enables recurring billing as the default for pre-paid monthly plans
• Greatly simplifies the Verizon activation and top-up process
• Allows purchase of additional data prior to current bundle expiration
• Eliminates credit card requirement for free 100MB plan

If you find new issues, please let us know by visiting our help site or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue’ under the wrench menu.

Update:  The transition to Verizon's new portal is being rolled out gradually over the next week.

Orit Mazor
Google Chrome

In the two years since we announced SPDY, we’ve been working with the web community on evolving the spec and getting SPDY deployed on the Web.

Chrome, Android Honeycomb devices, and Google's servers have been speaking SPDY for some time, bringing important benefits to users. For example, thanks to SPDY, a significant percentage of Chrome users saw a decrease in search latency when we launched SSL-search. Given that Google search results are some of the most highly optimized pages on the internet, this was a surprising and welcome result.

We’ve also seen widespread community uptake and participation. Recently, Firefox has added SPDY support, which means that soon half of the browsers in use will support SPDY. On the server front, nginx has announced plans to implement SPDY, and we're actively working on a full featured mod-spdy for Apache. In addition, Strangeloop, Amazon, and Cotendo have all announced that they’ve been using SPDY.

Given SPDY's rapid adoption rate, we’re working hard on acceptance tests to help validate new implementations. Our best practices document can also help website operators make their sites as speedy as possible.

With the help of Mozilla and other contributors, we’re pushing hard to finalize and implement SPDY draft-3 in early 2012, as standardization discussions for SPDY will start at the next meeting of the IETF.

We look forward to working even closer with the community to improve SPDY and make the Web faster!

To learn more about SPDY, see the link to a Tech Talk here, with slides here.

Posted by Roberto Peon and Will Chan, Software Engineers

The Beta channel has been updated to 17.0.963.44 for all platforms other than Chrome OS.  This update fixes a number of stability and UI issues.  Full details about what changes are in this build are available in the SVN revision log.  Interested in switching release channels?  Find out how.  If you find a new issue, please let us know by filing a bug.

Jason Kersey
Google Chrome

One of my favorite features of Chrome got a boost earlier today, as we announced support for an experimental new “autocomplete type” attribute for form fields. The new attribute will allow web developers to unambiguously label text and select fields with common data types such as ‘full-name’ or ‘street-address’ and guarantee that their site’s forms work correctly with Chrome Autofill and other form-filling providers.

We’ve been working on this design in collaboration with several other autofill vendors. Like any early stage proposal we expect this will change and evolve as the web standards community provides feedback, but we believe this will serve as a good starting point for the discussion on how to best support autofillable forms in the HTML5 spec. For now, this new attribute is implemented in Chrome as x-autocompletetype to indicate that this is still experimental and not yet a standard, similar to the webkitspeech attribute we released last summer.

For more information, you can read the full text of the proposed specification, ask questions on the Webmaster help forum, or you can share your feedback in the standardization discussion!


Posted by Ilya Sherman, Software Engineer

Cross-posted from the Google Enterprise Blog.

Editor's note: We’re posting this electronic communication from sunny Orlando, where we’re chatting with schools at the annual FETC ed-tech conference. We wanted to share highlights from our keynote this morning, which featured a panel moderated by Tom Vander Ark, author of Getting Smart: How Digital Learning is Changing the World. You can watch a replay of the keynote on YouTube in a few hours. If you’re in town, come visit us at our booth #1101 - we’d love to say hi!

When we first conceived of Chromebooks, we were focused on providing a device that brought you to the web in the fastest, simplest and securest way possible. What we didn't realize at the time was that this device would be so welcome and popular in classrooms! Many schools are eager to improve access to the web and technology for students and are planning to provide each student with their own device – a concept known as "1-to-1" computing. We've heard from our customers that they choose Chromebooks for 1-to-1 because the simplicity of the web takes away the hassle for teachers, students and administrators.

During our keynote at FETC this morning, we had the opportunity to share some exciting news: hundreds of schools in 41 states across the U.S. are using one or more classroom sets of Chromebooks today. As a highlight, three new school districts in Iowa, Illinois and South Carolina are going 1-to-1 – that is, one Chromebook each for nearly 27,000 students.

• Council Bluffs Community School District in Iowa is planning a Chromebook 1:1 Initiative for all 2,800 students in their two high schools and will use an additional 1500 Chomebooks in their two middle schools


• Leyden Community High School District in Illinois will roll out devices to 3,500 students in their two high schools


• Richland School District Two in South Carolina is going 1-to-1 with a total of 19,000 students

It's great to see this positive momentum for Chromebooks in classrooms. It's similar to where we were about five years ago when Google Apps was just getting off the ground. At that time, educational institutions were the most interested and it was inspiring to hear the different ways schools and districts had begun using Gmail, Calendar and Docs. At FETC we’ve been similarly excited to see how teachers have formed communities around professional development for Chromebooks, districts all across the US are piloting Chromebooks in their classrooms, and more and more reach out to us to learn about Chromebooks for Education every day. We believe Chromebooks and the web have the ability to facilitate learning in a powerful way, and we’re committed to helping schools recognize their goals to go 1-to-1.

But enough words from us. We’d like to close with thoughts from representatives of each of these school districts.

“From my perspective, Chromebooks couldn’t get any simpler; setting up this many laptops would have typically taken our team at least 3 months. And from the instructional side, we are teaching content not technology, and Chromebooks simply support teachers in what they do best while giving students the resources they need to be productive citizens. As just one example the quality of work that students turn in has improved literally overnight - from incomplete sentences to full paragraphs, in some cases - because they are much more engaged and participating readily in class.”

David Fringer, executive director, information systems at Council Bluffs Community school district, Iowa

“When we started on our digital evolution path we were looking for just the right tool - one that is invisible and gets out of the way to allow students and teachers to focus on instruction. With Chromebooks our students are publishing, producing and sharing with each other, and best of all, we don’t have to assign students a particular device number. Any student can use any device because all their work is saved online - for that matter they could access their work from home while logged in from the Chrome browser.”

Bryan Weinert, director of technology at Leyden school district, Illinois


Student at East Leyden high school selects a Chromebook from the charging cart. With Chromebooks, students can work on any device in any class period and access their work from anywhere - including from the Chrome browser installed on a home computer.

“Chromebooks make our 1-to-1 computing dream a reality. Teachers don't need to add ‘help desk’ to their job description, and they save valuable class time knowing they can instruct students to close the Chromebooks to stay on task and they won't have to wait when it’s time to open them again. Furthermore, we’ve seen that any behavior issues become an absolute non-issue because the technology is so compelling.”

Tom Cranmer, executive director of information technology, Richland School District Two, South Carolina


Fifth grade student teaches a younger student how to use a Chromebook in the Chrome Buddy project in Tim Swick's classroom at Pontiac Elementary School in Richland School District Two.

Learn more about Chromebooks for Education on our website, and join us for the Chromebook Classroom webinar series, Wednesdays at 9AM PT/12PM ET.

Posted by Rajen Sheth, Group Product Manager for Chromebooks

The Dev channel has been updated to 16.0.912.77 (Platform versions: 1193.194.0) for Chromebooks (Acer AC700, Samsung Series 5, and Cr-48).

This build contains a number of performance, stability and security improvements. Additional fixes include:

• 24748 - Device not scanning for networks
• 23518 - No UI notification given on connection timeout

Full details about what changes have been made in this release are available in the SVN revisions log. Interested in switching to another channel?  Find out how.  If you find a new issue, please let us know by filing a bug.

Anthony Laforge
Google Chrome

Last week brought 563 new commits in WebKit’s repository and 709 new commits to Chromium’s, totalling up to 1,272 changes. Highlights include a content shell for Chromium and work on emulating screen sizes.

Chromium’s content shell for Linux-based systems was announced on the chromium-dev mailing list on Friday, sharing the news that it’s now usable for day-to-day WebKit development. It uses Chromium’s content module but leaves out other parts of the browser, so it’ll be significantly faster to compile and run.

For free-flow HTML editing in the Resources Panel of Web Inspector, revisions will now be tracked. Unsafe cross-origin requests will now show a stack trace in the console, making them easier to track down and content in iframes won’t appear to be in the same document anymore when using the DOM Viewer. Finally, a screen-size emulation back-end has been implemented, which will eventually allow you to emulate mobile device screens!

The -webkit-cross-fade will now report the intrinsic size of the background, fixing rendering when the background-size property is being used. Baseline grid alignment has been implemented, as have the text-overflow property for input fields and parsing for the custom() function of CSS Shaders. Painting background colors for regions has been re-enabled, and regions will now be exposed to the DOM.

WebKit’s Device Orientation implementation has been updated with the absolute property, which indicates whether the angles in the event are absolute. The abort() method for Application Cache has been added, as has a constructor for MediaStream accepting a collection of MediaStreamTracks. A window’s innerWidth and innerHeight properties won’t be affected by page scales anymore and drop and dragend events will now be issued for contentEditable elements.

Finally, the first significant patch in exposing the Shadow DOM to JavaScript has landed in WebKit! Minor as it is right now, it’ll pave the path to implementing the rest of the specification.

Other changes which occurred last week:

• Hardware accelerated brightness and contrast filters have been implemented for Safari.
• IndexedDB has also been made supplemental and moved out of DOMWindow.cpp.
• Values of the Access-Control-Request-Headers header will now be send in lowercase.
• Another 0.8 MB of memory will be saved when viewing some random version of the HTML Specification.
• A special honorable mention for this immediately obvious commit message.
• Software-based 3D rendering can be disabled through about:flags now.
• Documentation of several Web Inspector-related Extension APIs is no longer experimental either.
• The experimental Settings Extension API now understands the unlimitedStorage permission as well.
• The headers and body of HTTP requests will now be merged if the total length is <1400 characters.
• The Network Action Predictor (chrome://network-action-predictor) now features probability filtering.

Finally, be sure to take a look at HTML5 Please, a new website sharing recommendations about which features of the Web Platform can be used today!

The Dev channel has been updated to 18.0.1010.2 (Platform versions: 1590.2.0) for Chromebooks (Acer AC700, Samsung Series 5, and Cr-48).


This build contains a number of performance, stability and security improvements. Additional changes:

• Improvement to wifi stability.
• Improved system hardening [Yama support, etc]

Known issues:

• 25144 - External storage devices fail to automount. Workaround: Login using Guest mode and automount of the device will work.
• Machines shipped with R11 and earlier versions may encounter problems with users being able to login to the machine. This may also occur after the user changes their password. Workaround: You may recover either from erasing the stateful partition or performing a machine recovery. Instructions can be found here.

The Beta channel has been updated to 17.0.963.38 for all platforms other than Chrome OS.  This update fixes a number of stability and UI issues.  Full details about what changes are in this build are available in the SVN revision log.  Interested in switching release channels?  Find out how.  If you find a new issue, please let us know by filing a bug.

Jason Kersey
Google Chrome

Since we open sourced WebRTC this past summer, we’ve been working hard with browser vendors to integrate WebRTC technology in their products. Today, we reached an important milestone: WebRTC is now integrated in the Chrome browser available on the dev channel.

Building industry-leading voice and video capabilities into the browser makes it easier for web developers to incorporate real time communications in their apps. Instead of relying on custom, OS specific, proprietary plug-ins, they can now easily build and maintain their apps using a few simple JavaScript APIs and have the browser do the heavy lifting.

Even though WebRTC is still evolving, we are receiving feedback from the standards process in W3C and IETF and there are already plenty of apps in development. For example, companies like Polycom, Vonage, Vehix.com, Firespotter, Siemens, Nimbuzz and PCCW are currently actively developing browser based solutions using WebRTC.If you are interested to learn more on how you can use WebRTC in your app, review our documentation, join our developer discussion group and go to the WebRTC blog for more details. We are looking forward to seeing what you come up with!


Posted by Niklas Enbom, Software Engineer

Exactly 1,500 changes landed last week, 890 for Chromium and 610 for WebKit, bringing changes such as some usability updates in the CSS Profiler and new font-related CSS properties.

The experimental Sidebar Extension API has been removed from Chromium. The Downloads Extension API gained an getFileIcon method and now also works for POST-download requests, and Panels may now be resized and spawned without drawing attention using the chrome.windows API. chrome.experimental.dns made its entry.

Early steps in supporting IndexedDB in Web Inspector have been made and a “source” column has been added to the CSS Profiler, directly pointing out the offending CSS rule.
As part of an ongoing effort in WebKit, several failing tests on the IE Testcenter have been fixed. Among these are executing prepared scripts even when they’ve been removed from the DOM and sandboxed i-frames will now block the autofocus attribute if the sandbox flags request it.

WebKit now also supports getting the computed style for border-radius properties. Four compliance improvements have been made to JavaScriptCore, namely that defineOwnProperty is now available for arrays, changes around the length property for arrays, defineProperty and handling of colons in timezones. Finally, the navigator.startActivity method for Web Intents has been implemented, albeit behind a compile-time guard.

Following a specification change, the flex-align CSS property has been renamed to flex-item-align and a new version of flex-align has been implemented, and the implementation has been taught about handling absolutely positioned elements within flexboxes. Color matrix-based filters will now be done by Skia for Chromium, and the serpia tone filter has been aligned color-wise for Mac OS X. Text decorations won’t propagate to all descendants anymore and several more element types can now render outlines.

Two new CSS properties were implemented. The font-kerning property from the CSS Fonts specification will allow you to define kerning behavior, and the initial implementation of the font-variant-ligatures property will allow you to explicitly enable or disable OpenType’s common ligatures feature on a font.

Other changes which occurred last week:

• A basic content-shell has been added for Linux, part of the Content API refactoring.
• Another eight patches have been landed by Mike Lawther containing lots of new CSS3 calc() tests.
• Preparations are being made in the WebGL implementation to allow sharing resources.
• Calculating collapsed borders will now be done less often, resulting in a performance improvement.
• Injecting a stylesheet with only scoped selectors will now only invalidate the sub-tree.
• A JavaScript error-event will be emitted when a full-screen request has been rejected.
• Speech input will now be send to the right element, even if the focus has changed.
• Radio-button group selection will now only apply to the actual document they’re in.
• The WebIDL [Supplemental] IDL has been used to begin modularizing WebSQL.

Some interesting things currently going on include a Baidu contribution and basic grid alignment from the CSS Line Grid specification.

(See the original post for background.)

Everyone seems to have settled on 1/n-1 record splitting as a workaround for the BEAST attack in TLS 1.0 and SSLv3. Briefly: 1/n-1 record splitting breaks CBC encrypted records in two: the first with only a single byte of application data and the second with the rest. This effectively randomises the IV and stops the attack.

The workaround which OpenSSL tried many years ago, and which hit significant issues, was 0/n record splitting. It's the same thing, but with the first record being empty. The problem with it was that many stacks processed the empty record and returned a 0-byte read, which higher levels took to mean EOF.

1/n-1 record splitting doesn't hit that problem, but it turns out that there's a fair amount of code out there that assumes that the entire HTTP request comes in a single read. The single byte record breaks that.

We first implemented 1/n-1 record splitting in Chrome 15 but backed off after only a couple of days because logging into several large sites broke. But that did motivate the sites to fix things so that we could switch it on in Chrome 16 and it stuck that time.

Opera also implemented it around this time, but I think Chrome took the brunt of the bug reports and it's time consuming dealing with them. Myself and a colleague have been emailing and phoning a lot of sites and vendors while dealing with upset users and site admins. Chrome certainly paid a price for moving before Firefox and IE but then we're nice like that.

Thankfully, this week, Microsoft released a security update which implements 1/n-1 record splitting in SChannel and switches it on in IE. (Although it defaults to off for other users of SChannel, unlike NSS.) Now the sites which broke with Chrome 16 are also broken in a patched IE and that takes some pressure off us. In a few weeks, Firefox 10 should be released and then we'll be about as good as we're going to get.

After taking the brunt with Chrome 16, there is one case that I'm not going to fight: Plesk can't handle POST payloads that don't come in a single read. Chrome (currently) sends POSTs as two writes: one for the HTTP headers and a second for the POST body. That means that each write is split into two records and Plesk breaks because of the second split. IE and Firefox send the headers and body in a single write, so there's only a single split in the HTTP headers, which Plesk handles.

Chrome will start merging small POST bodies into the headers with Chrome 17 (hopefully) and this will fix Plesk. Also, merging as Firefox and IE do saves an extra packet so it's worthwhile on its own. Once again, anything that's mostly true soon becomes an unwritten rule on the Internet.

It's worth contrasting the BEAST response to the renegotiation attack. The BEAST workaround caused a number of problems, but it worked fine for the vast majority of sites. The renegotiation fix requires that very nearly every HTTPS site on the Internet be updated and then that browsers refuse to talk to unpatched servers.

I'd bet that we'll not manage to get enough patched servers for any browser to require it this side of 2020. Unpatched servers can still disable renegotiation to protect themselves, but it's still not hard to find major sites that allow insecure renegotiation (www.chase.com was literally the second site that I tried).

“Off the record” is, unfortunately, an overloaded term. To many it's feature in gTalk and AOL IM which indicates that the conversation isn't logged. However, to crypto folks it's a protocol for secure chat.

(In fact, resoloving the ambiguity is on the EFF's wish list.)

Pidgin has been my chat client of choice for some time because it's pretty fully featured and supports OTR via a plugin. However, I just don't trust it from a security point of view. The latest incident was only a couple of weeks ago: CVE-2011-3919.

So, I implemented otr in Go, as well as an XMPP library and client. It's an absolutely minimal client (except for OTR support) and implements only what I absolutely need in a client.

But it does mean that the whole stack, including the TLS library, is implemented in a memory safe language. (On the other hand, pretty much everything in that stack, from the modexp function to the terminal handling code was written by me and has never really been audited. I'm a decent programmer but I'm sure there are some howlers of security issues in there somewhere.)

When we first set out to design Chrome, we knew we had a unique opportunity to improve the security of the web. In addition to speed and simplicity, we’ve been adamant that security be a central tenet of everything we build. Chrome and the web have since come a long way, and we’ve been challenged to protect a complex and rapidly changing browser against the many threats that emerge on the web.

After spending tens-of-thousands of hours working on ways to make users safer on the web, we thought it might be worth sharing the Chrome security principles that guide the work that we do.

There are lots of technical details, but the fundamentals have always been simple. Security should compliment your browsing experience, not detract from it, and your browser should be secure by default -- no configuration required. No defense is ever perfect, so we rely on multiple layers of protection to help guard against single points of weakness. We support and fund the security research community in their work to identify weaknesses, and when vulnerabilities are found, we pride ourselves on patching them faster than any other browser.

These principles have served us well in protecting users while keeping Chrome super fast and easy to use. If you develop software, we hope you find them helpful in securing your own product, and if you’re a Chrome user, that they give some insight into the many ways we work to help you surf with confidence.

Posted by Justin Schuh and Travis McCoy, Chrome Security Team

The Beta channel has been updated to 17.0.963.33 for all platforms other than Chrome OS.  This update fixes a number of stability and UI issues.  Full details about what changes are in this build are available in the SVN revision log.  Interested in switching release channels?  Find out how.  If you find a new issue, please let us know by filing a bug.

Jason Kersey
Google Chrome

The new year’s first week ended calmly, bringing in 547 commits to WebKit and 650 to Chromium. Highlights include support for temporal dimensions for media files, alignment of Safari’s JavaScript engine with ES5 and lots of performance improvements.

Engadget, among other sites, has become significantly faster in WebKit, now using 10% less CPU over the entire page load due to analyzing inline stylesheet scopes. A CSS Selector using multiple indirect adjacency combinators won’t be able to be superlinear anymore, inserting nodes into the DOM has been sped up and several other tweaks were implemented.

Sanitization of non-parsable strings in date and time input boxes is now possible in WebKit, emptying the value if an invalid value has occurred. The </script>-close tag will now be properly highlighted in View Source, and horizontal paddings and borders will be used instead of vertical ones for a CSS table’s fixed width.

Safari’s JavaScript engine aligned its behavior closer to the ECMAScript specification. The JSON object is now configurable, the parseInt method won’t parse octal numbers anymore, ThrowTypeError is now a singleton and date parsing has been made more liberal. Alexis Menard implemented getComputedStyle output for the outline, border, list-style, border-image and background properties. Finally, the Web Audio API is now able to integrate with audio and video elements throught the MediaElementAudioSourceNode object!

Eric Carlson implemented the temporal dimension portion of the Media Fragments URI specification. This allows you to append a formatted hash-string to any media file’s URL selecting which portion of the file should be played. For example, this plays the fourth until the twelfth second: video.webm#t=4,12.

Other changes which occurred last week:

• Initial sets of layout tests for the CSS3 calc() function are being committed, pending the feature itself.
• Web Inspector now also allows you to modify HTML content through the Resources Panel.
• The WebKit build-bot console page now displays builders based on their port.
• The BlackBerry WebKit Port has enabled the download attribute.

And that’ll be all for now! Lets get back on the Monday-track for updates starting next week!