Planet Chromium

June 19, 2018

Google Chrome Releases

Dev Channel Update for Desktop

The dev channel has been updated to 69.0.3464.0 for Windows, Linux and 64.0.3464.2 for Mac.


A partial list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Krishna Govind
Google Chrome

by Krishna Govind (noreply@blogger.com) at June 19, 2018 06:02 PM

Dev Channel Update for Chrome OS

The Dev channel has been updated to 69.0.3464.0 (Platform version: 10798.0.0) for most Chrome OS devices. This build contains a number of bug fixes, security updates and feature enhancements.

If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser).


Cindy Bayless
Google Chrome

by Cindy Bayless (noreply@blogger.com) at June 19, 2018 05:25 PM

June 18, 2018

Google Chrome Releases

Beta Channel Update for Chrome OS

The Beta channel has been updated to 68.0.3440.25 (Platform version: 10718.22.0) for most Chrome OS devices. This build contains a number of bug fixes, security updates and feature enhancements. A list of changes can be found here.

If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser).

Bernie Thompson
Google Chrome

by Bernie Thompson (noreply@blogger.com) at June 18, 2018 03:15 PM

Chromium Blog

Chrome 68 Beta: add to home screen, payment handler, page lifecycle

h1, h2, h3, h4 { margin-top: .7em; } Unless otherwise noted, changes described below apply to the newest Chrome Beta channel release for Android, Chrome OS, Linux, macOS, and Windows. View a complete list of the features in Chrome 68 on ChromeStatus.com. Chrome 68 is beta as of June 7, 2018.


New add to home screen behavior for progressive web apps

We've heard from developers that they want more control over how and when the add to home screen prompt appears. Starting in Chrome 68 on Android, the behavior is changing to provide more control over when the prompt appears. Developers can now provide additional context for their add to home screen experience, and improve the click-through rate.
Add to home screen dialog


If a site meets the add to home screen criteria, Chrome will fire a beforeinstallprompt event, and no longer automatically show the add to home screen banner. Instead, when the event has fired, developers can save the event and add a button or other UI element to the app to indicate it can be installed. When the user clicks the install button, developers can call prompt() on the saved beforeinstallprompt event to show the new add to home screen modal dialog. Although the beforeinstallprompt event may be fired without a user gesture, calling prompt() requires one.


let installPromptEvent;

window.addEventListener('beforeinstallprompt', (event) => {
// Prevent Chrome <= 67 from automatically showing the prompt
event.preventDefault();
// Stash the event so it can be triggered later.
installPromptEvent = event;
// Update UI notify the user they can add to home screen
document.querySelector('#install-button').disabled = false;
});


As a temporary measure to provide developers with time to handle the beforeinstallpromptevent and add an install button to their app, Chrome will show a mini-infobar the first time the user visits a site that meets the add to home screen criteria. Once dismissed, the mini-infobar will not be shown again until a sufficient amount of time (currently 3 months) has passed.
Add to home screen mini infobar


See Changes to add home screen behavior for complete details, code samples and screenshots of the new UI elements.

Payment Handler API

The Payment Request API brought the web a simpler, faster way to check out online by combining a seamless native-browser UI with a user's preferred form of payment and shipping addresses.

The just-launched Payment Handler API extends the reach of Payment Request by enabling web-based payment apps to facilitate payments directly within the Payment Request experience.


const request = new PaymentRequest([{
// Your custom payment method identifier comes here
supportedMethods: 'https://bobpay.xyz/pay'
}], {
total: {
label: 'total',
amount: { value: '10', currency: 'USD' }
}
});

Making a payment through the Payment Request API. "Pay with BobPay" is a custom payment method built with the Payment Handler API.

Protecting users from unwanted destinations

In this version of Chrome we are changing a few user interface behaviors to improve users' experience.

Require user gesture for redirects in cross-origin iframes

Unless forbidden by the sandbox attribute, content embedded in an iframe can generally navigate the top-level browsing context to a different website. This functionality is used by many types of websites, including single-sign-on providers and payment processors. Unfortunately, this behavior is also a common abuse vector, redirecting users to unwanted destinations without their knowledge or consent.

Beginning in Chrome 68, content embedded in an iframe will require a user gesture to navigate the top-level browsing context to a different origin. Similar to pop-up blocking, when this protection triggers users will see Chrome UI giving them the option to allow the redirect the continue.

A demonstration illustrates the behavior. The demo behind this link will exhibit the old behavior in Chrome 67 and early. The improved behavior works in Chrome 68.

Block tab-under navigations

A tab-under is when a page both opens a popup to some destination and navigates the opener page to some third-party content. Typically this behavior is used to send the user to a desired destination while also creating another tab with an unwanted destination. Similar to pop-ups, Chrome will prevent these unwanted navigations and instead show native UI to the user so they can choose whether to follow this redirect to the new direction.

The Page Lifecycle API

Application lifecycle is a key way that modern operating systems manage resources. On Android, iOS and recently Windows, apps can be started and stopped at any time by the platform. This allows these platforms to streamline and reallocate resources where they best benefit the user.

On the web, there has historically been no such lifecycle, and apps can be alive indefinitely. With large numbers of web apps (and tabs) running, critical resources such as memory, CPU, battery, and network can be oversubscribed, leading to a bad end-user experience.

In Chrome 68, developers will be able to listen for and respond to system-initiated CPU suspension of backgrounded tabs using the new freeze and resume events. In cases where a frozen page needs to be discarded to conserve memory, the document.wasDiscarded property is now available so developers can restore view state (saved in the freeze event) when the user refocuses the tab and the page is reloaded. Developers wanting to test these events in their own applications can visit chrome://discards to simulate page freezing, resuming, and discarding.

For more information on the Page Lifecycle API, refer to the specification or the explainer on GitHub.

Other features in this release

CSS

Accept two values in the overflow shorthand

The overflow shorthand will accept two values, making it possible to set the horizontal and vertical overflow to different values. If two values are specified, the first is overflow-x and the second is overflow-y. Changing the shorthand allows developers to specify a single statement where previously two were required.

CSS position values with three parts

The object-position and perspective-origin properties will no longer accept three-part values like "top right 20%". This also applies for positions in basic shapes and gradients. Valid position values will now always have 1, 2 or 4 parts. Deprecation of 3-part values occurred in Chrome 66.

Support 'x' as a resolution unit

CSS Values and Units Module Level 4 defines a new resolution unit called "dot per pixel" for support of high-resolution displays. This change adds 'x' as a synonym for the existing abbreviation, 'dppx'.

Unprefix CSS "grab" and "grabbing" values for cursor property

The CSS values "grab" and "grabbing" change the mouse cursor to an open hand or closed hand, commonly used to indicate that something can be grabbed or is currently grabbed. Prefixed versions of these properties have been supported since Chrome 1. With this change Chrome will support the standard, unprefixed versions of these values.

Gamepads

High resolution timestamp for Gamepad

Gamepad.timestamp now uses a DOMHighResTimeStamp, a high resolution monotonic time with microsecond resolution. Timestamps are measured as offsets from the PerformanceTiming.navigationStart property.

Custom elements

New customElements.upgrade()

This function invokes custom element constructors for custom elements whose constructors are not called yet explicitly. If a custom element is created with the innerHTML setter and its parent node is not connected to a document, the custom element constructor is not called until it's connected. This method explicitly allows developers to fully control the timing of custom element constructor calls regardless of connectedness.

Input

Keyboard lock

While in fullscreen, this API allows apps to receive keys that are normally handled by the system or the browser like Cmd-Tab/Alt-Tab, or Esc. Users can escape keyboard lock (and fullscreen) by holding the Esc key for two seconds.

Make PointerEvent.fromElement and PointerEvent.toElement null

To improve consistency with other browsers, PointerEvents for fromElement and toElement fields not follow the Pointer Events Level 2 spec by always reporting null.
In a MouseEvent (from which a PointerEvent inherits these fields), fromElement and toElement are non-standard, and have been inconsistent among major browsers for many years. Moreover, there are standard and consistent alternatives already: target and relatedTarget.

Unified touch adjustment

Touch adjustment changes the TouchEvent and the corresponding PointerEvent target to a best target within the touch area. TouchEvent coordinates will not be changed.

Treat long-press as a user gesture

Long-press is now considered a user gesture because it indicates user interaction with the page. This allows a web app to call restricted APIs like navigator.vibrate() on long-press to match native behavior.

Media

WebAudio: add user selectable automation rate for AudioParams

The AudioParam.automationRate
attribute allows the user to select whether the AudioParam is either "a-rate" or "k-rate". Most but not all AudioParam attributes allow changing the rate, as given in the spec.
For example, BiquadFilterNode with default "a-rate" automation is expensive to compute due to the complex relationship between the parameters and the filter coefficients. If this fast automation is not needed (the most typical case), the parameters can be set to "k-rate".

ServiceWorker

Improve cache management for service worker scripts

The HTTP cache will be ignored when requesting updates to the service worker. Requests for importScripts will still go through the HTTP cache. But this is just the default. A new registration option, ServiceWorkerRegistration.updateViaCache is available that offers control over this behavior.
Previously, HTTP requests that checked for updates to the service worker were fulfilled by the HTTP cache by default. If a Cache-Control header was inadvertently set on a service worker, then service worker updates could be delayed, and if your service worker contained versioning information for your sites other assets, those updates would also be delayed.

WebRTC

RTCRtpSender.getParameters()/setParameters() return and control track encoding

The getParameters() and setParameters() methods return or update the RTCRtpSender object's current parameters for how the RTCRtpSender.track property is encoded and transmitted to a remote RTCRtpReceiver. These methods enable you to change encoding parameters for WebRTC streams such as the maximum transmission bitrate without doing any SDP munging or renegotiation.

Deprecations and interoperability improvements

Chrome sometimes deprecates, removes, or changes features to increase interoperability with other browsers. This version of Chrome includes the following such changes.

Deprecate and remove negative brightness values in filter

For compliance with specification, filter's brightness() function no longer accepts negative values.

Remove document.createTouch

The document.createTouch() method is being removed because the Touch() constructor has been supported since Chrome 48.

Remove Document.selectedStylesheetSet and Document.preferredStylesheetSet

The Document.selectedStylesheetSet and Document.preferredStylesheetSet attributes are removed because they are non-standard and only implemented by Chrome and WebKit. The standard versions of these attributes were removed from the spec in 2016.

WEBGL_compressed_texture_atc

Previously, Chrome provided the AMD_compressed_ATC_texture formats. Hardware support has dwindled to near-zero, so the extension has been rejected by the WebGL Working Group. Support for it has been removed.

by Chrome Blog (noreply@blogger.com) at June 18, 2018 11:53 AM

June 15, 2018

Google Chrome Releases

Dev Channel Update for Chrome OS

The Dev channel has been updated to 68.0.3440.25 (Platform version: 10718.22.0) for most Chrome OS devices. This build contains a number of bug fixes, security updates and feature enhancements. 

If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser). 


Bernie Thompson
Google Chrome

by Bernie Thompson (noreply@blogger.com) at June 15, 2018 11:44 AM

June 13, 2018

Google Chrome Releases

Chrome Beta for Android Update

Ladies and gentlemen, behold!  Chrome Beta 68 (68.0.3440.23) for Android has been released and is available in Google Play.  A partial list of the changes in this build is available in the Git log. Details on new features is available on the Chromium blog, and developers should check out our updates related to the web platform here.

If you find a new issue, please let us know by filing a bug. More information about Chrome for Android is available on the Chrome site.

Estelle Yomba
Google Chrome

by Estelle Yomba (noreply@blogger.com) at June 13, 2018 09:39 PM

Beta Channel Update for Desktop

The beta channel has been updated to 68.0.3440.25 for Windows, Mac, and, Linux.


A full list of changes in this build is available in the log. Interested in switching release channels?  Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Abdul Syed
Google Chrome

by Abdul Syed (noreply@blogger.com) at June 13, 2018 02:27 PM

Igalia Chromium

Jacobo Aragunde: Chromium official/release builds and icecc

You may already be using icecc to compile your Chromium, either by following some instructions like the ones published by my colleague Gyuyoung or using the popular icecc-chromium set of scripts. In those cases, you will probably get in some trouble if you try to generate an official build with that configuration.

First, let me refresh what an “official build” is called in Chromium. You may know that build optimization in Chromium builds depends on two flags:

  • is_debug
    Debug build. Enabling official builds automatically sets is_debug to false.
  • is_official_build
    Set to enable the official build level of optimization. This has nothing
    to do with branding, but enables an additional level of optimization above
    release (!is_debug). This might be better expressed as a tri-state
    (debug, release, official) but for historical reasons there are two
    separate flags.

  • The GN documentation is pretty verbose about this. To sum up, to get full binary optimization you should enable is_official_build which will also disable is_debug in the background. This is what other projects would call a release build.

    Back to the main topic, I was running an official build distributed via icecc and stumbled on some compilation problems:

    clang: error: no such file or directory: /usr/lib/clang/7.0.0/share/cfi_blacklist.txt
    clang: error: no such file or directory: ../../tools/cfi/blacklist.txt
    clang: error: no such file or directory: /path/to/src/chrome/android/profiles/afdo.prof
    

    These didn’t happen when icecc build was disabled, so I was certain to have found some limitations in the distributed compiler. The icecc-chromium set of scripts was already disabling a number of clang cleanup/sanitize tools, so I decided to take the same approach. First, I checked the GN args that could be related to these errors and identified two:

    • is_cfi
      Current value (from the default) = true
      From //build/config/sanitizers/sanitizers.gni:53

    Compile with Control Flow Integrity to protect virtual calls and casts.
    See http://clang.llvm.org/docs/ControlFlowIntegrity.html

    TODO(pcc): Remove this flag if/when CFI is enabled in all official builds.

  • clang_use_default_sample_profile
    Current value (from the default) = true
    From //build/config/compiler/BUILD.gn:117

    Some configurations have default sample profiles. If this is true and
    clang_sample_profile_path is empty, we’ll fall back to the default.

    We currently only have default profiles for Chromium in-tree, so we disable
    this by default for all downstream projects, since these profiles are likely
    nonsensical for said projects.

  • These two args were enabled, I just disabled them and got rid the compilation flags that were causing trouble: -fprofile-sample-use=/path/to/src/chrome/android/profiles/afdo.prof -fsanitize=cfi-vcall -fsanitize-blacklist=../../tools/cfi/blacklist.txt. I’ve learned that support for -fsanitize-blacklist is available in upstream icecc, but most distros don’t package it yet, so it’s safer to disable that.

    To sum up, if you are using icecc and you want to run an official build, you have to add a couple more GN args:

    clang_use_default_sample_profile = false
    is_cfi = false
    

    by Jacobo Aragunde Pérez at June 13, 2018 08:06 AM

    June 12, 2018

    Google Chrome Releases

    Stable Channel Update for Desktop

    The stable channel has been updated to 67.0.3396.87 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.

    Security Fixes and Rewards


    Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.



    This update includes 1 security fix contributed by external researchers. Please see the Chrome Security Page for more information.




    [$TBD][848672] High CVE-2018-6149: Out of bounds write in V8. Reported by Yu Zhou and Jundong Xie of Ant-financial Light-Year Security Lab on 2018-06-01



    We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.



    A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

    Krishna Govind
    Google Chrome

    by Krishna Govind (noreply@blogger.com) at June 12, 2018 09:37 PM

    Stable Channel Update for Chrome OS

    The Stable channel has been updated to 67.0.3396.87 (Platform version: 10575.55.0) for most Chrome OS devices. This build contains a number of bug fixes and security updates. Systems will be receiving updates over the next several days.  A list of changes can be found here.

    If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser).


    Kevin Bleicher
    Google Chrome

    by Kevin Bleicher (noreply@blogger.com) at June 12, 2018 07:09 PM

    Chrome for Android Update

    Good news, everyone!  Chrome 67 (67.0.3396.87) for Android has been released and will be available on Google Play over the course of the next few weeks. This release includes a fix for an Autofill issue.

    A list of the changes in this build is available in the Git log.

    If you find a new issue, please let us know by filing a bug. More information about Chrome for Android is available on the Chrome site.

    Estelle Yomba
    Google Chrome









    by Estelle Yomba (noreply@blogger.com) at June 12, 2018 02:44 PM

    Hangouts Meet Hardware Update

    The stable channel has been updated to Chrome OS 66 for Hangouts Meet hardware and Chrome devices for meetings. Systems will be receiving updates over the next several days.

    In addition to Chrome OS bug fixes and security updates, this update contains:

    • Improved accuracy in Huddly GO camera self-remediation feature

    For more information about this release, along with known issues and bug fixes, check out the Hangouts Meet hardware and Chrome OS release notes.

    Kota Hisamatsu
    Hangouts Meet hardware

    by Kota Hisamatsu (noreply@blogger.com) at June 12, 2018 02:04 PM

    Chromium Blog

    Improving extension transparency for users

    We strive to ensure choice and transparency for all Chrome users as they browse the web. Part of this choice is the ability to use the hundreds of thousands of extensions available in the Chrome Web Store to customize the browsing experience in useful and productivity-boosting ways. However, we continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly — and the majority of these complaints are attributed to confusing or deceptive uses of inline installation on websites. As we’ve attempted to address this problem over the past few years, we’ve learned that the information displayed alongside extensions in the Chrome Web Store plays a critical role in ensuring that users can make informed decisions about whether to install an extension. When installed through the Chrome Web Store, extensions are significantly less likely to be uninstalled or cause user complaints, compared to extensions installed through inline installation.

    Later this summer, inline installation will be retired on all platforms. Going forward, users will only be able to install extensions from within the Chrome Web Store, where they can view all information about an extension’s functionality prior to installing.

    This change will roll out in three phases:

    • Starting today, inline installation will be unavailable to all newly published extensions. Extensions first published on June 12, 2018 or later that attempt to call the chrome.webstore.install() function will automatically redirect the user to the Chrome Web Store in a new tab to complete the installation.
    • Starting September 12, 2018, inline installation will be disabled for existing extensions, and users will be automatically redirected to the Chrome Web Store to complete the installation.
    • In early December 2018, the inline install API method will be removed from Chrome 71.


    If you distribute an extension using inline installation, you will need to update install buttons on your website to link to your extension’s Chrome Web Store page prior to the stable release of Chrome 71. And if you haven’t already, be sure to read up on how to create a high quality store listing, and consider using our install badge on your site.

    We’re proud of the choices the Chrome Web Store provides users in enhancing their browsing experience. At the same time, it’s crucial that users have robust information about extensions prior to installation, so that they fully understand how their browsing experience will be impacted. We’re confident this change will improve transparency for all users about their extension choices in Chrome.

    Posted by James Wagner, Extensions Platform Product Manager

    by Chrome Blog (noreply@blogger.com) at June 12, 2018 11:03 AM

    June 08, 2018

    Chromium Blog

    Chrome 67 Beta: WebXR Origin Trial, and Generic Sensors

    Unless otherwise noted, changes described below apply to the newest Chrome Beta channel release for Android, Chrome OS, Linux, macOS, and Windows. View a complete list of the features in Chrome 67 on ChromeStatus.com.

    Generic Sensors

    Sensor data is used in many native applications to enable experiences like immersive gaming, fitness tracking, and augmented or virtual reality. This data is now available to web applications using the Generic Sensor API. The API consists of a base Sensor interface with a set of concrete sensor classes built on top. Here are links to the sensor specs and examples of how they might be used.

    Accelerometer: Use the motion of the device to move around in a 3D video.

    Gyroscope: Use the orientation of the device to implement a table-top maze.

    Orientation Sensor: This is what's called a fusion sensor meaning it combines readings from two or more sensors, in this case the accelerometer and the gyroscope. Whereas a maze implemented using only the gyroscope might only move the location marker in two dimensions, one implemented with the orientation sensor could require the user to physically turn the device to turn a corner.

    Motion Sensors: This is a fusion sensor that includes a magnetometer as well as the accelerometer and the gyroscope. The most obvious use case for this as a virtual compass.

    Accelerometer sensor measurements provide the movement speed of the device in terms of x, y, and z coordinates.


    Intel has a website devoted to demonstrations of the sensor APIs with sample code available for download. The article published at the start of the origin trial has been updated.

    WebXR Device API Origin Trial

    The WebXR Device API enables the creation of virtual and augmented reality experiences on mobile devices and desktops - unifying experiences across AR enabled mobile devices, mobile-based VR headsets like Google Daydream View and Samsung Gear VR, as well as desktop-hosted headsets like Oculus Rift, HTC Vive, and Windows Mixed Reality Headsets.

    The new API is available as an origin trial (explainer, sign-up form). You can find samples and documentation in the Immersive Web Community Group GitHub repos. There's also a polyfill available that supports browsers with WebVR 1.1 support, browsers without support, and "magic window" on mobile devices.

    Watching a video in virtual reality

    Virtual and augmented reality experiences enabled by this API include games as well as other "long tail" applications, such as:
    • Immersive 360° videos
    • Traditional 2D (or 3D) videos presented in immersive surroundings
    • Data visualization
    • Home shopping
    • Art
    Note: If you are participating in the WebVR origin Trial that has been available in Chrome since version 62, you cannot use your existing token for the WebXR origin Trial. The WebVR origin Trial (the old one) previously set to end on July 24, 2018, has been extended to September.

    Other Features in this Release

    SVG

    SVG2 requires <foreignObject> to be a stacking context. Making <foreignObject> a stacking context allows developers to place HTML content underneath a <foreignObject> without confusion.

    DOM

    The DOM specification was updated so that DOMTokenList.replace() returns a boolean value indicating whether a replacement occurred. This is useful for code that takes different paths depending on whether a replacement occurred, avoiding the need for an extra condition using contains(). Chrome now follows the specification.

    HTML > CustomElements

    Authors can now create custom elements that inherit from the semantics of native, built-in elements. This saves developers from reimplementing built-in functionality such as accessibility, semantics, JavaScript methods/properties.

    Input

    Web pages can now process mouse events (mousedown, auxclick, mouseup) for back and forward buttons on mice with five or more buttons. This allows back and forward mouse buttons to be prevented by applications such as games that wish to override them.

    On Windows the right-hand Alt key serves as AltGraph (ISO-Level-3-Shift) on some layouts, such as many European language layouts, to allow generating additional printable-characters. Internally the key generates Ctrl+Alt modifiers, so that Chrome reports all of Control, Alt and AltGraph in the flags for these keys. In this change, Chrome distinguishes AltGraph from Ctrl+Alt under Windows for consistency with these modifiers on other platforms.

    For developers this removes an edge-case from keyboard event modifier handling. If an app handles keydown/keypress/keyup to implement shortcuts, it will no longer need workarounds to cope with certain (mainly European) keyboard layouts. For example, if an app uses Ctrl+# as a shortcut (as GMail did) then previously the app would need to check for both Ctrl, and for AltGraph, otherwise French users would not be able to use it.
    This change applies to Windows only.

    JavaScript

    JavaScript now has a numeric primitive that provides support for arbitrary precision integers. Previously, numbers in JavaScript were represented as double-precision floats, giving them limited precision. Using the BigInt() function and 'n' suffix on numeric literals you can safely store and operate on large integers even beyond the safe integer limit for numbers.

    Layout

    Formatting contexts will now behave exactly like floats do when they are positioned. In other words, they no longer look at the shape-outside property of the float for positioning and instead are positioned according to their margin box. The new behavior may be seen in this example by changing the height of the flex class. This also affects how new formatting contexts are sized and positioned.

    Loader

    Client Hints enable origins to receive device-specific preferences in the HTTP request headers. Accept-CH-Lifetime adds a client hint that allow origins to persist their opt-in policy for a specified period so they can receive client hints on navigation requests. Additionally, on the first page load, this feature provides hints for all subresources of the page.

    Network > Streams API

    TransformStream is part of the Streams API, which is used for creating, composing, and consuming streams of data. It enables transforming data in stream form. It is typically used in a pipe between a ReadableStream and a WritableStream. The following example uses TransformStream to decode text received in a streaming response body.

    function textDecodeTransform() {
    const decoder = new TextDecoder();
    return new TransformStream({
    transform(chunk, controller) {
    controller.enqueue(decoder.decode(chunk, { stream: true }));
    }
    });
    }

    fetch(url).then(response => {
    // response.body is a stream of Uint8Array chunks.
    // But if we want chunks of text:
    const stream = response.body.pipeThrough(textDecodeTransform());
    // …
    });

    Shadow DOM

    The <slot> element can now participate in a flat layout tree, with UA style display: contents. Before this change, applying a CSS selector to a <slot> element had no effect. Not only is this fixed, but when selectors are applied to a <slot> element, its children inherit its styles.

    Deprecations and Interoperability Improvements

    Chrome sometimes deprecates, removes, or changes features to increase interoperability with other browsers. This version of Chrome includes the following such changes.

    Deprecate HTTP-Based Public Key Pinning

    HTTP-Based Public Key Pinning (HPKP) was intended to allow websites to send an HTTP header that pins one or more of the public keys present in the site's certificate chain. It has very low adoption, and although it provides security against certificate mis-issuance, it also creates risks of denial of service and hostile pinning.

    To defend against certificate misissuance, web developers should use the Expect-CT header, including its reporting function. Expect-CT is safer than HPKP due to the flexibility it gives site operators to recover from configuration errors, and due to the built-in support offered by a number of CAs.

    We expect to remove this in Chrome 69.

    Deprecate AppCache on Non-secure Contexts

    AppCache over HTTP is deprecated. AppCache is a powerful feature that allows offline and persistent access to an origin. Allowing AppCache to be used over non-secure contexts makes it an attack vector for cross-site scripting hacks.
    Removal is expected in Chrome 69.

    Layout

    Several Webkit-prefixed CSS properties will be removed in this release.

    -webkit-box-flex-group: This property has minimal usage based on the UseCounter in stable.

    Percent (%) values for -webkit-line-clamp: There is interest in finding a standards-based solution to the number values use case, but we haven't seen demand for the %-based values.

    -webkit-box-lines: This property was never fully implemented. It was originally intended such that a "vertical"/"horizontal" -webkit-box could have multiple rows/columns.

    by Chrome Blog (noreply@blogger.com) at June 08, 2018 02:36 PM

    Google Chrome Releases

    Dev Channel Update for Desktop

    The dev channel has been updated to 69.0.3452.0 for Windows, Linux and 69.0.3451.0 for Mac.


    A partial list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

    Krishna Govind
    Google Chrome

    by Krishna Govind (noreply@blogger.com) at June 08, 2018 11:17 AM

    June 07, 2018

    Google Chrome Releases

    Stable Channel Update for Chrome OS

    The Stable channel has been updated to 67.0.3396.78 (Platform version: 10575.54.0) for most Chrome OS devices. This build contains a number of bug fixes and security updates. Systems will be receiving updates over the next several days.
    New Features
    • Android Debug Bridge support over USB in developer mode
    • Progressive Web Apps can now be installed as stand-alone apps
    • Extend Chrome page zoom to Google Play Apps
    • Visual update for ext4 filesystem migration
    • Feedback reports on sign-in screen
    • Cleaner improved Bluetooth list
    • Touchable material 2.0 Chrome for tablet devices
    • Select-to-Speak ability to select specific text to be read aloud
    • Inline touchable folders in launcher
    • Split Screen support in Tablet mode
    • Support for zipping files on Drive via the Files app
    • Power menu shortcuts when holding the power button
    • Detachable base swap detection

    Security Fixes
    Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
    • We're continuing to roll out Site Isolation to a larger percentage of the stable population.
    • Spectre variant 2 fixes for ARM devices on 4.4 kernels.

    If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser).

    Kevin Bleicher
    Google Chrome


    by Kevin Bleicher (noreply@blogger.com) at June 07, 2018 06:13 PM

    Chromium Blog

    Expanding user protections on the web

    One of the advantages of the web is that it allows developers to create any type of experience they can imagine, which has led to the rich diversity of content available on the web today. While most content producers are interested in providing excellent experiences for their users, we've found that a small number use the flexibility and power of the web to take advantage of users and redirect them to unintended destinations. 1 out of every 5 feedback reports from Chrome users on desktop mention encountering some type of unwanted content, and we take this feedback seriously when considering how to improve Chrome. Following on from features like Chrome's pop-up blocker and autoplay protections, over the next few releases we'll be rolling out three new protections designed to give users all the web has to offer, but without many of these types of unwanted behaviors.

    One piece of feedback we regularly hear from users is that a page will unexpectedly navigate to a new page, for seemingly no reason. We've found that this redirect often comes from third-party content embedded in the page, and the page author didn't intend the redirect to happen at all. To address this, in Chrome 68 all redirects originating from third-party iframes will show an infobar instead of redirecting, unless the user had been interacting with that frame. This will keep the user on the page they were reading, and prevent those surprising redirects.
    An example of a redirect being blocked on a test site. The iframes embedded in the site are attempting to navigate the page to an unintended destination, but Chrome prevents the redirect and shows an infobar.

    When the user interacts with content, things can also go wrong. One example that causes user frustration is when clicking a link opens the desired destination in a new tab, while the main window navigates to a different, unwanted page. Starting in Chrome 68 we'll also detect this behavior, trigger an infobar, and prevent the main tab from being redirected. This allows the user to continue directly to their intended destination, while also preserving the context of the page they came from.

    Finally, there are several other types of abusive experiences that send users to unintended destinations but are hard to automatically detect. These include links to third-party websites disguised as play buttons or other site controls, or transparent overlays on websites that capture all clicks and open new tabs or windows. 
    Two types of abusive experiences where a deceptive site control appears to do one thing, but has a different behavior when clicked. One looks like a play button on a video but sends the user to an unwanted download when clicked (left), and the other looks like a close button but instead opens unwanted pop-up windows (right).

    Similar to how Google Safe Browsing protects users from malicious content, starting in early January Chrome's pop-up blocker will prevent sites with these types of abusive experiences from opening new windows or tabs. To help site owners prepare for this change, today we're also launching the Abusive Experiences Report alongside other similar reports in the Google Search Console. Site owners can use the report to see if any of these abusive experiences have been found on their site and improve their user experience. Otherwise, abusive experiences left unaddressed for 30 days will trigger the prevention of new windows and tabs.

    Together, these protections will dramatically improve users' web browsing experiences while still allowing them access to all that the web has to offer. 

    Posted by Ryan Schoen, Product Manager

    Update 2018-06-07: The two protections described above that prevent unwanted redirects and unwanted tabs or windows are now scheduled to be released with Chrome 68. The timeline for expanding Chrome's pop-up blocker remains unchanged, as it already launched in January.

    by Chrome Blog (noreply@blogger.com) at June 07, 2018 03:19 PM

    Google Chrome Releases

    Beta Channel Update for Desktop

    The Chrome team is excited to announce the promotion of Chrome 68 to the beta channel for Windows, Mac and Linux. Chrome 68.0.3440.17 contains our usual under-the-hood performance and stability tweaks, but there are also some cool new features to explore - please head to the Chromium blog to learn more!


    A full list of changes in this build is available in the log. Interested in switching release channels?  Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


    Abdul Syed
    Google Chrome

    by Abdul Syed (noreply@blogger.com) at June 07, 2018 12:38 PM

    June 06, 2018

    Google Chrome Releases

    Beta Channel Update for Chrome OS

    The Beta channel has been updated to 67.0.3396.78 (Platform version: 10575.54.0) for most Chrome OS devices. This build contains a number of bug fixes, security updates and feature enhancements. A list of changes can be found here.

    If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser).

    Kevin Bleicher
    Google Chrome

    by Kevin Bleicher (noreply@blogger.com) at June 06, 2018 05:52 PM

    Chrome Beta for Android Update

    Ladies and gentlemen, behold!  Chrome Beta 68 (68.0.3440.14) for Android has been released and is available in Google Play.  A partial list of the changes in this build is available in the Git log. Details on new features is available on the Chromium blog, and developers should check out our updates related to the web platform here.

    If you find a new issue, please let us know by filing a bug. More information about Chrome for Android is available on the Chrome site.

    Estelle Yomba
    Google Chrome

    by Estelle Yomba (noreply@blogger.com) at June 06, 2018 02:07 PM

    Dev Channel Update for Chrome OS

    The Dev channel has been updated to 68.0.3440.15 (Platform version: 10718.13.0) for most Chrome OS devices. This build contains a number of bug fixes, security updates and feature enhancements. 

    If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser). 


    David McMahon
    Google Chrome

    by djmm (noreply@blogger.com) at June 06, 2018 12:26 PM

    Chromium Blog

    Chrome 64 Beta: stronger pop-up blocker, Resize Observer, and import.meta

    Unless otherwise noted, changes described below apply to the newest Chrome Beta channel release for Android,
    Chrome OS, Linux, Mac, and Windows.


    Stronger pop-up blocker
    1 out of every 5 user feedback reports submitted on Chrome for desktop mention some type of
    unwanted content. Examples include links to third-party websites disguised as play buttons or other
    site controls, or transparent overlays on websites that capture all clicks and open new tabs or
    windows. In this release, Chrome's pop-up blocker now prevents sites with these types of abusive
    experiences from opening new tabs or windows. Site owners can use the Abusive Experiences
    Report in Google Search Console to see if any of these abusive experiences have been found on
    their site and improve their user experience.

     
    Two types of abusive experiences where a deceptive site control appears to do one thing, but has a different behavior when clicked. One looks like a play button on a video but sends the user to an unwanted download when clicked (left), and the other looks like a close button but instead opens unwanted pop-up windows (right).

    Resize Observer
    Traditionally, responsive web applications have used CSS media queries or window.onresize to
    build responsive components that adapt content to different viewport sizes. However, both of these
    are global signals and require the overall viewport to change in order for the site to respond
    accordingly. Chrome now supports the Resize Observer API to give web applications finer
    control to observe changes to sizes of elements on a page.

    const ro = new ResizeObserver((entries) => {
     for (const entry of entries) {
       const cr = entry.contentRect;
       console.log('Element:', entry.target);
       console.log(`Element size: ${cr.width}px × ${cr.height}px`);
       console.log(`Element padding: ${cr.top}px / ${cr.left}px`);
     }
    });

    // Observe one or multiple elements
    ro.observe(someElement);
    The code snippet above uses the Resize Observer API to observe changes to an element.

    import.meta
    Developers writing JavaScript modules often want access to host-specific metadata about the
    current module. To make this easier, Chrome now supports the import.meta property within
    modules that exposes the module URL via import.meta.url. Library authors might want to
    access the URL of the module being bundled into the library to more easily resolve resources
    relative to the module file as opposed to the current HTML document. In the future, Chrome plans to
    add more properties to import.meta.

    Other features in this release

    Blink > Animation

    • The offset-path property can be used to animate an element by specifying the geometry of the path that an element moves along.

    Blink>Fonts

    Blink>Input

    Blink>JavaScript

    • To improve developer experience, Chrome now supports named captures in regular expressions, allowing developers to assign meaningful names to portions of a string that a regular expression matches.
    • Chrome now supports the Unicode property escapes \p{…} and \P{…} for regular expressions that have the u flag set, allowing developers to create more powerful Unicode-aware regular expressions.
    • To assist with local-aware formatting of strings produced by internationalization formatters, developers can now use Intl.NumberFormat.prototype.formatToParts() to format a number to a list of tokens and their type. Thanks to Igalia for helping make this happen!

    Blink>Media

    Blink>Network

    • Developers can now use the cache option to specify the cache mode of a Request.
    • Developers can now use Request.prototype.cache to view the cache mode of a Request and determine whether a request is a reload request.  

    Blink>Permissions API

    • To better align with the Permissions API spec, the Permissions API can now be used to query the status of the camera and microphone permissions.

    Blink>Scroll

    • In Focus Management APIs, developers can now focus an element without scrolling to it by using the preventScroll attribute.

    Blink>SVG

    Blink>WebAudio

    • AudioWorklet, an API that exposes low-level audio processing capability to support custom AudioNodes, is now available in origin trials and the experimental flag.

    Blink>WebRTC

    • To align with the WebRTC 1.0 spec, RTCPeerConnection now supports addTrack() for single stream use cases, as well as removeTrack(), getSenders(), ontrack, and a minimal version of the RTCRtpSender interface.

    Blink>WindowDialog

    • To improve interoperability and end user experience, window.alert() no longer brings a backgrounded tab to the foreground but instead shows the alert when the user switches to the background tab.

    UI>Notifications

    Deprecations and interoperability improvements

    Blink> CSS

    Blink> DOM

    Blink> Performance APIs


    For a complete list of all features (including experimental features) in this release, see the
    Chrome 64 milestone hotlist.  
    Posted by Charles Harrison, Pop-Up Popping Engineer

    by Chrome Blog (noreply@blogger.com) at June 06, 2018 12:18 PM

    Google Chrome Releases

    Stable Channel Update for Desktop

    The stable channel has been updated to 67.0.3396.79 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.

    Security Fixes and Rewards


    Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


    This update includes 1 security fix contributed by external researchers. Please see the Chrome Security Page for more information.


    [$TBD][845961] High CVE-2018-6148: Incorrect handling of CSP header. Reported by Michał Bentkowski on 2018-05-23

    We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

    A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

    Krishna Govind
    Google Chrome

    by Krishna Govind (noreply@blogger.com) at June 06, 2018 12:05 PM

    June 05, 2018

    Google Chrome Releases

    Dev Channel Update for Desktop

    The dev channel has been updated to 68.0.3440.15 for Windows, Mac and Linux.


    A partial list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

    Abdul Syed
    Google Chrome

    by Abdul Syed (noreply@blogger.com) at June 05, 2018 12:33 PM

    June 04, 2018

    Google Chrome Releases

    Stable Channel Update for Desktop

    The Chrome team is delighted to announce the promotion of Chrome 67 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

    Chrome 67.0.3396.62 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 67.


    Site Isolation Trial

    We're continuing to roll out Site Isolation to a larger percentage of the stable population in Chrome 67. Site Isolation improves Chrome's security and helps mitigate the risks posed by Spectre.

    To diagnose whether an issue is caused by Site Isolation, use chrome://flags#site-isolation-trial-opt-out as described here. Please report any trial-specific issues to help us fix them before Site Isolation is launched more broadly.


    Security Fixes and Rewards

    Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

    This update includes 34 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.


    [$3000][835639] High CVE-2018-6123: Use after free in Blink. Reported by Looben Yang on 2018-04-22
    [$5000][840320] High CVE-2018-6124: Type confusion in Blink. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-07
    [$5000][818592] High CVE-2018-6125: Overly permissive policy in WebUSB. Reported by Yubico, Inc on 2018-03-05
    [$N/A][844457] High CVE-2018-6126: Heap buffer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-05-18
    [$10,000][842990] High CVE-2018-6127: Use after free in indexedDB. Reported by Looben Yang on 2018-05-15
    [$7,500][841105] High CVE-2018-6128: uXSS in Chrome on iOS. Reported by Tomasz Bojarski on 2018-05-09
    [$N/A][838672] High CVE-2018-6129: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-01
    [$N/A][838402] High CVE-2018-6130: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-04-30
    [$N/A][826434] High CVE-2018-6131: Incorrect mutability protection in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-27
    [$500][839960] Medium CVE-2018-6132: Use of uninitialized memory in WebRTC. Reported by Ronald E. Crane on 2018-05-04
    [$500][817247] Medium CVE-2018-6133: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-28
    [$500][797465] Medium CVE-2018-6134: Referrer Policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-12-23
    [$1000][823353] Medium CVE-2018-6135: UI spoofing in Blink. Reported by Jasper Rebane on 2018-03-19
    [$1500][831943] Medium CVE-2018-6136: Out of bounds memory access in V8. Reported by Peter Wong on 2018-04-12
    [$2000][835589] Medium CVE-2018-6137: Leak of visited status of page in Blink. Reported by Michael Smith (spinda.net) on 2018-04-21
    [$2000][810220] Medium CVE-2018-6138: Overly permissive policy in Extensions. Reported by François Lajeunesse-Robert on 2018-02-08
    [$2000][805224] Medium CVE-2018-6139: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-24
    [$2000][798222] Medium CVE-2018-6140: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-01
    [$2000][796107] Medium CVE-2018-6141: Heap buffer overflow in Skia. Reported by Yangkang(@dnpushme) & Wanglu of Qihoo360 Qex Team on 2017-12-19
    [$4500][837939] Medium CVE-2018-6142: Out of bounds memory access in V8. Reported by Choongwoo Han of Naver Corporation on 2018-04-28
    [$2,000][843022] Medium CVE-2018-6143: Out of bounds memory access in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-15
    [$500][828049] Low CVE-2018-6144: Out of bounds memory access in PDFium. Reported by pdknsk on 2018-04-02
    [$500][805924] Low CVE-2018-6145: Incorrect escaping of MathML in Blink. Reported by Masato Kinugawa on 2018-01-25
    [$N/A][818133] Low CVE-2018-6147: Password fields not taking advantage of OS protections in Views. Reported by Michail Pishchagin (Yandex) on 2018-03-02


    We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

    As usual, our ongoing internal security work was responsible for a wide range of fixes:

    • [847542] Various fixes from internal audits, fuzzing and other initiatives


    If you're interested in Enterprise relevant information please look through the Enterprise Release Notes for Chrome 67.

    Interested in switching release channels?  Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

    Thank you,
    Krishna Govind


    by Krishna Govind (noreply@blogger.com) at June 04, 2018 04:07 PM

    June 01, 2018

    Google Chrome Releases

    Beta Channel Update for Chrome OS

    The Beta channel has been updated to 67.0.3396.69 (Platform version: 10575.52.0) for most Chrome OS devices. This build contains a number of bug fixes, security updates and feature enhancements. A list of changes can be found here.

    If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser).

    Kevin Bleicher
    Google Chrome

    by Kevin Bleicher (noreply@blogger.com) at June 01, 2018 09:55 AM

    May 31, 2018

    Google Chrome Releases

    Stable Channel Update for Chrome OS

    The Stable channel has been updated to 66.0.3359.203 (Platform version: 10452.99.0) for most Chrome OS devices. This build contains a number of bug fixes and security updates. Systems will be receiving updates over the next several days.

    If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser).

    Josafat Garcia
    Google Chrome

    by Josafat (noreply@blogger.com) at May 31, 2018 06:44 PM

    Chrome for Android Update

    Good news, everyone!  Chrome 67 (67.0.3396.68) for Android has been released and will be available on Google Play over the course of the next few weeks. Thanks for choosing Chrome! This release includes stability and performance improvements.

    A list of the changes in this build is available in the Git log.

    If you find a new issue, please let us know by filing a bug. More information about Chrome for Android is available on the Chrome site.

    Estelle Yomba
    Google Chrome

    by Estelle Yomba (noreply@blogger.com) at May 31, 2018 01:06 PM

    Dev Channel Update for Chrome OS

    The Dev channel has been updated to 68.0.3440.4 (Platform version: 10718.4.0) for most Chrome OS devices. This build contains a number of bug fixes, security updates and feature enhancements. 

    If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser). 


    Bernie Thompson
    Google Chrome

    by Bernie Thompson (noreply@blogger.com) at May 31, 2018 11:44 AM

    May 30, 2018

    Google Chrome Releases

    Dev Channel Update for Desktop

    The dev channel has been updated to 68.0.3440.7 for Windows, Mac and Linux.


    A partial list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

    Abdul Syed
    Google Chrome

    by Abdul Syed (noreply@blogger.com) at May 30, 2018 03:56 PM