Planet Chromium

October 11, 2019

Google Chrome

Software Engineer, Chrome Accessibility

Google is helping people who are blind browse the web by incorporating machine image descriptions in Chrome.

by Dominic Mazzoni at October 11, 2019 04:00 PM

Google Chrome Releases

Dev Channel Update for Desktop

The Dev Channel has been updated to 79.0.3938.0 for Windows, Mac, and Linux.



A partial list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Lakshmana Pamarthy Google Chrome

by Lakshmana Pamarthy (noreply@blogger.com) at October 11, 2019 01:00 PM

October 10, 2019

Google Chrome Releases

Stable Channel Update for Desktop

The Stable channel has been updated to 77.0.3865.120 for Windows, Mac, and Linux. This will roll out over the coming days/weeks. A list of all changes is available in the log.



Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 8 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$20500][1005753] High CVE-2019-13693: Use-after-free in IndexedDB.
Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-09-19
[$TBD][1005251] High CVE-2019-13694: Use-after-free in WebRTC.
Reported by banananapenguin on 2019-09-18
[$15000][1004730] High CVE-2019-13695: Use-after-free in audio.
Reported by Man Yue Mo of Semmle Security Research Team on 2019-09-17
[$7500][1000635] High CVE-2019-13696: Use-after-free in V8.
Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-09-04

[$2000][990849] High CVE-2019-13697: Cross-origin size leak.
Reported by Luan Herrera @lbherrera_ on 2019-08-05

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the Stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [1011875] Various fixes from internal audits, fuzzing and other initiatives



Interested in switching release channels?  Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Lakshmana Pamarthy
Google Chrome

by Lakshmana Pamarthy (noreply@blogger.com) at October 10, 2019 12:00 PM

Chromium Blog

Chrome 78 Beta: a new Houdini API, native file system access and more

Unless otherwise noted, changes described below apply to the newest Chrome Beta channel release for Android, Chrome OS, Linux, macOS, and Windows. Find more information about the features listed here through the provided links or from the list on ChromeStatus.com. Chrome 78 is beta as of September 19, 2019.

CSS Properties and Values

CSS variables are getting more power with CSS Properties and Values API Level 1. With it, you can register your variables as full custom properties, ensuring they're always a specific type, and letting you set a default value or even animate them.

Take the image below, for example.



What you're seeing is a transition created with a CSS custom property. In addition to being impossible without the new API, this transition is also type safe. For details and access to the code used to generate this image, see Smarter custom properties with Houdini's new API.

Native File System

The new Native File System API, now in an origin trial, enables developers to build powerful web apps that interact with files on the user's local device such as IDEs, photo and video editors, text editors, and more. After a user grants access, this API allows web apps to read or save changes directly to files and folders on the user's device. It does all this by invoking the platform's own open and save dialog boxes. The image below shows a web page invoked using the open dialog box on Mac.



To learn more, including sample code and a text editor demonstration app, see The Native File System API: Simplifying access to local files.

See the Origin Trials section for information on signing up and for a list of other origin trials in this release.

Origin Trials

This version of Chrome introduces the origin trials described below. Origin trials allow you to try new features and give feedback on usability, practicality, and effectiveness to the web standards community. To register for any of the origin trials currently supported in Chrome, including those described here, visit the Origin Trials dashboard. To learn more about origin trials themselves, visit the Origin Trials Guide for Web Developers.

Signed Exchange Subresource Prefetching and Loading by Extending the HTTP Link Header.

Signed Exchanges allow a distributor to provide content signed by a publisher and displayed in such a way that user agents show the publisher's URL, and scripts access the publisher's local storage. The URLs of subresources are fixed in the signed top-level HTML file, which prevents their loads from taking advantage of any signed versions that might be prefetched from the distributor's origin. To allow the subresources to be prefetched from the same distributor as the top-level page, the publisher needs to change the subresource URLs in the HTML to point to each distributor’s URL and needs to sign for each distributor. The intent of this is to allow publishers to create a single signed top-level HTML file that allows its subresources to be prefetched from a variety of distributors.

SMS Receiver API

Websites use SMS messages as a way to verify phone numbers by sending a one-time-password for manual entry into a form (or for copy and paste). Native platforms offer an API that gives programmatic access to such messages that allows users to skip manual interaction with the form.
The SMS Receiver API allows websites to access SMS messages that are delivered to the user's phone specifically addressed to the origin (via a special formatting convention).

Other Features in this Release

Apply Opacity for the Default Style of INPUT/TEXTAREA placeholder

Changes the default style for ::placeholder from #757575 to rgba(0, 0, 0, 0.54).

Extend Byte-for-Byte Update Check to all Service Worker importScripts() Resources

Byte-for-byte checks are now available for service worker scripts imported by importScripts(). Currently, service workers update only when the service worker main script has changed. In addition to not conforming to the latest spec, this forces developers to build workarounds such as adding hashes to the imported scripts' URLs.

Faster Web Sockets

Chrome 78 improves the download speed of ArrayBuffer objects when used with WebSocket objects on desktop. We have seen the following improvements in our own testing. Results depend on network speed and hardware, so your results may vary.
  • Linux: 7.5 times faster
  • Windows: 4.1 times faster
  • Mac: 7.8 times faster

More restrictive hasEnrolledInstrument() for Autofill Instruments

Improves the authorization of transactions by requiring unexpired cards and a billing address. This improves the quality of autofill data and increases the chances that PaymentRequest.hasEnrolledInstrument() returns true. This improves the user experience on transactions that use autofill data.

PaymentResponse.prototype.retry()

In cases where there is something wrong with the payment response's data (for example, the shipping address is a PO box), the retry() method of a PaymentResponse instance now allows you to ask a user to retry a payment.

Percentage Opacity

Adds support for percentage values to the opacity properties, specifically, opacity, stop-opacity, fill-opacity, stroke-opacity, and shape-image-threshold. For example, opacity: 50% is equivalent to opacity: 0.5. This brings consistency and spec compliance. The rgba() function already accepts a percentage alpha value, for example rgba(0, 255, 0, 50%).

Redact Address in PaymentRequest.onshippingaddresschange Event

Removes fine-grained information from the shipping address before exposing it to a merchant website in the ShippingAddressChange event. PaymentRequest.onshippingaddresschange is used to communicate the shipping address a user has selected to the merchant so they can make adjustments to the payment amounts such as shipping cost and tax. At this point, the user has not fully committed to the transaction, so the principle should be to return as little information as possible to the merchant. The redaction removes recipient, organization, addressLine and phoneNumber from the shipping address because these are not typically needed for shipping cost and tax computation.

Seeking

Adds a media session action handler for the seekto action. An action handler is an event tied specifically to a common media function such as pause or play. The seekto action handler is called when the site should move the playback time to a specific time.

User Timing L3

Extends the existing User Timing API to enable two new use cases:
  • Developers can pass custom timestamps to performance.measure() and performance.mark(), so as to conduct measurement across arbitrary timestamps.
  • Developers can report arbitrary metadata with performance.mark() and performance.measure(), which provides rich data to analytics via a standardized API.

Deprecations and Removals

XSS Auditor

XSS Auditor has been removed from Chrome. The XSS Auditor can introduce cross-site information leaks, and mechanisms to bypass the Auditor are widely known.

by Chromium Blog (noreply@blogger.com) at October 10, 2019 09:20 AM

October 09, 2019

Google Chrome Releases

Beta Channel Update for Desktop

The beta channel has been updated to 78.0.3904.50 for Windows, Mac, and Linux.

A full list of changes in this build is available in the log. Interested in switching release channels?  Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Srinivas Sista
Google Chrome

by Srinivas Sista (noreply@blogger.com) at October 09, 2019 05:10 PM

Chrome Beta for Android Update

Hi everyone! We've just released Chrome Beta 78 (78.0.3904.53) for Android: it's now available on Google Play.

You can see a partial list of the changes in the Git log. For details on new features, check out the Chromium blog, and for details on web platform updates, check here.

If you find a new issue, please let us know by filing a bug.

Krishna Govind
Google Chrome

by Krishna Govind (noreply@blogger.com) at October 09, 2019 05:00 PM

Dev Channel Update for Chrome OS

The Dev channel has been updated to 79.0.3931.2 (Platform version: 12576.0.0) for most Chrome OS devices. This build contains a number of bug fixes, security updates and feature enhancements. Changes can be viewed here.

If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser).

Cindy Bayless
Google Chrome OS

by Cindy Bayless (noreply@blogger.com) at October 09, 2019 11:45 AM

October 08, 2019

Google Chrome Releases

Chrome for Android Update

Hi, everyone! We've just released Chrome 77 (77.0.3865.116) for Android: it'll become available on Google Play over the next few weeks.

This release includes stability and performance improvements. You can see a full list of the changes in the Git log. If you find a new issue, please let us know by filing a bug.

Ben Mason
Google Chrome

by Ben Mason (noreply@blogger.com) at October 08, 2019 06:45 PM

October 04, 2019

Google Chrome Releases

Dev Channel Update for Desktop

The Dev Channel has been updated to 79.0.3928.4 for Windows, Mac, and Linux.



A partial list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Lakshmana Pamarthy Google Chrome

by Lakshmana Pamarthy (noreply@blogger.com) at October 04, 2019 01:31 PM

October 03, 2019

Google Chrome Releases

Beta Channel Update for Desktop

The beta channel has been updated to 78.0.3904.44 for Windows, Mac, and Linux.


A full list of changes in this build is available in the log. Interested in switching release channels?  Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Srinivas Sista
Google Chrome

by Srinivas Sista (noreply@blogger.com) at October 03, 2019 01:55 PM

Chromium Blog

No More Mixed Messages About HTTPS

Today we’re announcing that Chrome will gradually start ensuring that https:// pages can only load secure https:// subresources. In a series of steps outlined below, we’ll start blocking mixed content (insecure http:// subresources on https:// pages) by default. This change will improve user privacy and security on the web, and present a clearer browser security UX to users.

In the past several years, the web has made great progress in transitioning to HTTPS: Chrome users now spend over 90% of their browsing time on HTTPS on all major platforms. We’re now turning our attention to making sure that HTTPS configurations across the web are secure and up-to-date.

HTTPS pages commonly suffer from a problem called mixed content, where subresources on the page are loaded insecurely over http://. Browsers block many types of mixed content by default, like scripts and iframes, but images, audio, and video are still allowed to load, which threatens users’ privacy and security. For example, an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between.

In a series of steps starting in Chrome 79, Chrome will gradually move to blocking all mixed content by default. To minimize breakage, we will autoupgrade mixed resources to https://, so sites will continue to work if their subresources are already available over https://. Users will be able to enable a setting to opt out of mixed content blocking on particular websites, and below we’ll describe the resources available to developers to help them find and fix mixed content.

Timeline


Instead of blocking all mixed content all at once, we’ll be rolling out this change in a series of steps.

  • In Chrome 79, releasing to stable channel in December 2019, we’ll introduce a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. Users can toggle this setting by clicking the lock icon on any https:// page and clicking Site Settings. This will replace the shield icon that shows up at the right side of the omnibox for unblocking mixed content in previous versions of desktop Chrome.
  • In Chrome 80, mixed audio and video resources will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 80 will be released to early release channels in January 2020. Users can unblock affected audio and video resources with the setting described above.
  • Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a “Not Secure” chip in the omnibox. We anticipate that this is a clearer security UI for users and that it will motivate websites to migrate their images to HTTPS. Developers can use the upgrade-insecure-requests or block-all-mixed-content Content Security Policy directives to avoid this warning. Here is the planned treatment:
  • In Chrome 81, mixed images will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 81 will be released to early release channels in February 2020.

Resources for developers

Developers should migrate their mixed content to https:// immediately to avoid warnings and breakage. Here are some resources:

  • Use Content Security Policy and Lighthouse’s mixed content audit to discover and fix mixed content on your site.
  • See this guide for general advice on migrating servers to HTTPS.
  • Check with your CDN, web host, or content management system to see if they have special tools for debugging mixed content. For example, Cloudflare offers a tool to rewrite mixed content to https://, and WordPress plugins are available as well.
Posted by Emily Stark and Carlos Joan Rafael Ibarra Lopez, Chrome security team

by Chromium Blog (noreply@blogger.com) at October 03, 2019 10:30 AM
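
The rollout in the post above treats mixed scripts and iframes, audio and video, and images differently. The following is an added example, not code from the Chromium Blog or from Chrome: it lists the http:// subresources of an https:// page with the treatment the timeline gives them, and reports which of the two CSP directives named in the post a header sets. The sample page, header, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Treatment per element type, taken from the rollout timeline in the post.
STAGE = {
    "script": "blocked by default today",
    "iframe": "blocked by default today",
    "audio": "Chrome 80: autoupgraded, blocked if https:// fails",
    "video": "Chrome 80: autoupgraded, blocked if https:// fails",
    "img": "Chrome 80: 'Not Secure' chip; Chrome 81: autoupgraded or blocked",
}
MEDIA = ("audio", "video")


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.media_stack = []  # open <audio>/<video>, so <source> inherits
        self.findings = []     # (tag, absolute URL, treatment)

    def handle_starttag(self, tag, attrs):
        kind = tag
        if tag in MEDIA:
            self.media_stack.append(tag)
        elif tag == "source" and self.media_stack:
            kind = self.media_stack[-1]
        src = dict(attrs).get("src")
        if kind not in STAGE or not src:
            return
        # Relative and protocol-relative URLs inherit https:// from the page.
        url = urljoin(self.page_url, src.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((tag, url, STAGE[kind]))

    def handle_endtag(self, tag):
        if self.media_stack and self.media_stack[-1] == tag:
            self.media_stack.pop()


def find_mixed_content(page_url, html):
    """List http:// subresources of an https:// page with their treatment."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on https:// pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


def csp_mixed_content_directives(header_value):
    """Return which of the two CSP directives named in the post are set."""
    wanted = {"upgrade-insecure-requests", "block-all-mixed-content"}
    names = {d.split()[0].lower() for d in header_value.split(";") if d.strip()}
    return wanted & names


# Constructed sample page and header, not taken from any real site.
SAMPLE_URL = "https://shop.example/cart"
SAMPLE_HTML = """
<script src="http://cdn.example/app.js"></script>
<script src="//cdn.example/ok.js"></script>
<iframe src="https://pay.example/frame"></iframe>
<img src="http://img.example/chart.png">
<img src="/static/logo.png">
<video controls><source src="http://media.example/clip.mp4"></video>
<a href="http://other.example/">a link is not a subresource</a>
"""
SAMPLE_CSP = "default-src 'self'; upgrade-insecure-requests"

if __name__ == "__main__":
    for tag, url, treatment in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"<{tag}> {url}: {treatment}")
    print(sorted(csp_mixed_content_directives(SAMPLE_CSP)))
```

The scan covers only the element types the post names; other subresource types are outside this sketch.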

October 02, 2019

Google Chrome Releases

Chrome Beta for Android Update

Hi everyone! We've just released Chrome Beta 78 (78.0.3904.43) for Android: it's now available on Google Play.

You can see a partial list of the changes in the Git log. For details on new features, check out the Chromium blog, and for details on web platform updates, check here.

If you find a new issue, please let us know by filing a bug.

Krishna Govind
Google Chrome

by Krishna Govind (noreply@blogger.com) at October 02, 2019 05:45 PM

October 01, 2019

Google Chrome Releases

Dev Channel Update for Chrome OS

The Dev channel has been updated to 79.0.3927.0 (Platform version: 12554.0.0) for most Chrome OS devices. This build contains a number of bug fixes, security updates and feature enhancements.

If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser).

Cindy Bayless
Google Chrome

by Cindy Bayless (noreply@blogger.com) at October 01, 2019 04:14 PM

Chromium Blog

Chrome UI for Deprecating Legacy TLS Versions


Last October we announced our plans to remove support for TLS 1.0 and 1.1 in Chrome 81. In this post we’re announcing a pre-removal phase in which we’ll introduce a gentler warning UI, and previewing the UI that we’ll use to block TLS 1.0 and 1.1 in Chrome 81. Site administrators should immediately enable TLS 1.2 or later to avoid these UI treatments.

While legacy TLS usage has decreased, we still see over 0.5% of page loads using these deprecated versions. To ease the transition to the final removal of support and to reduce user surprise when outdated configurations stop working, Chrome will discontinue support in two steps: first, showing new security indicators for sites using these deprecated versions; and second, blocking connections to these sites with a full page warning.


Pre-removal warning

Starting January 13, 2020, for Chrome 79 and higher, we will show a “Not Secure” indicator for sites using TLS 1.0 or 1.1 to alert users to the outdated configuration:


The new security indicator and connection security information that will be shown to users who visit a site using TLS 1.0 or 1.1 starting in January 2020.
When a site uses TLS 1.0 or 1.1, Chrome will downgrade the security indicator and show a more detailed warning message inside Page Info. This change will not block users from visiting or using the page, but will alert them to the downgraded security of the connection.

Note that Chrome already shows warnings in DevTools to alert site owners that they are using a deprecated version of TLS.




Removal UI


In Chrome 81, which will be released to the Stable channel in March 2020, we will begin blocking connections to sites using TLS 1.0 or 1.1, showing a full page interstitial warning:




The full screen interstitial warning that will be shown to users who visit a site using TLS 1.0 or 1.1 starting in Chrome 81. Final warning subject to change.

Site administrators should immediately enable TLS 1.2 or later. Depending on server software (such as Apache or nginx), this may be a configuration change or a software update. Additionally, we encourage all sites to revisit their TLS configuration. In our original announcement, we outlined our current criteria for modern TLS.

Enterprise deployments can preview the final removal of TLS 1.0 and 1.1 by setting the SSLVersionMin policy to “tls1.2”. This will prevent clients from connecting over these protocol versions. For enterprise deployments that need more time, this same policy can be used to re-enable TLS 1.0 or TLS 1.1 and disable the warning UIs until January 2021.

Posted by Chris Thompson, Chrome security team

by Chromium Blog (noreply@blogger.com) at October 01, 2019 10:01 AM
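
The post above asks site administrators to enable TLS 1.2 or later on servers such as Apache or nginx, and describes the SSLVersionMin policy for enterprise deployments. The following is an added example, not code from the Chromium Blog or from Chrome: it flags explicit nginx `ssl_protocols` and Apache `SSLProtocol` directives that still enable TLS 1.0 or 1.1, and checks whether a Chrome policy file re-enables them. The sample configuration and function names are constructed; the policy values "tls1" and "tls1.1" and the contents of Apache's "all" are assumptions not stated on the page.

```python
import json
import re

LEGACY = {"TLSv1", "TLSv1.1"}
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANON = {p.lower(): p for p in KNOWN}
# Assumption: Apache's "all" covers every version the build supports.
APACHE_ALL = set(KNOWN) - {"SSLv2"}

NGINX_RE = re.compile(r"\s*ssl_protocols\s+([^;]+);")
APACHE_RE = re.compile(r"\s*SSLProtocol\s+(.+)", re.IGNORECASE)


def canon(name):
    return CANON.get(name.lower(), name)


def apache_enabled(tokens):
    """Apply SSLProtocol tokens left to right: bare sets, + adds, - removes."""
    enabled = set()
    for tok in tokens:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):]
        group = APACHE_ALL if name.lower() == "all" else {canon(name)}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)
    return enabled


def audit_server_config(text):
    """Return (line, directive, legacy versions) for explicit directives only.

    A missing directive falls back to the server's built-in default, which
    this check does not try to guess.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]
        m = NGINX_RE.match(line)
        if m:
            directive = "ssl_protocols"
            enabled = {canon(t) for t in m.group(1).split()}
        else:
            m = APACHE_RE.match(line)
            if not m:
                continue
            directive = "SSLProtocol"
            enabled = apache_enabled(m.group(1).split())
        legacy = sorted(enabled & LEGACY)
        if legacy:
            findings.append((lineno, directive, legacy))
    return findings


def policy_reenables_legacy_tls(policy_json):
    """True if a Chrome policy file sets SSLVersionMin below "tls1.2"."""
    return json.loads(policy_json).get("SSLVersionMin") in ("tls1", "tls1.1")


# Constructed sample: nginx and Apache snippets concatenated for the demo.
SAMPLE_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
SSLProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol -all +TLSv1.2
"""

if __name__ == "__main__":
    for lineno, directive, legacy in audit_server_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive} enables {', '.join(legacy)}")
```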

September 30, 2019

Google Chrome Releases

Beta Channel Update for Chrome OS

The Beta channel has been updated to 78.3904.35 (Platform version: 12499.14.0) for most Chrome OS devices. This build contains a number of bug fixes, security updates and feature enhancements. Changes can be viewed here.


If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser).

Geo Hsu
Google Chrome OS

by Geo Hsu (noreply@blogger.com) at September 30, 2019 01:13 PM

September 27, 2019

Google Chrome Releases

Stable Channel Update for Chrome OS

The Stable channel is being updated to 77.0.3865.105 (Platform version: 12371.75.0) for most Chrome OS devices. This build contains a number of bug fixes and security updates. Systems will be receiving updates over the next several days.

You can review new features here.

If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using 'Report an issue...' in the Chrome menu (3 vertical dots in the upper right corner of the browser).

Daniel Gagnon
Google Chrome OS

by Daniel Gagnon (noreply@blogger.com) at September 27, 2019 03:57 PM

September 25, 2019

Google Chrome Releases

Chrome Beta for Android Update

Hi everyone! We've just released Chrome Beta 78 (78.0.3904.35) for Android: it's now available on Google Play.

You can see a partial list of the changes in the Git log. For details on new features, check out the Chromium blog, and for details on web platform updates, check here.

If you find a new issue, please let us know by filing a bug.

Krishna Govind
Google Chrome

by Krishna Govind (noreply@blogger.com) at September 25, 2019 06:13 PM

Beta Channel Update for Desktop

The beta channel has been updated to 78.0.3904.34 for Windows, Mac, and Linux.


A full list of changes in this build is available in the log. Interested in switching release channels?  Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Srinivas Sista
Google Chrome

by Srinivas Sista (noreply@blogger.com) at September 25, 2019 12:03 PM

September 24, 2019

Google Chrome Releases

Dev Channel Update for Desktop

The Dev Channel has been updated to 79.0.3921.0 for Windows, Mac, and Linux.



A partial list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Lakshmana Pamarthy Google Chrome

by Lakshmana Pamarthy (noreply@blogger.com) at September 24, 2019 01:48 PM