[go: up one dir, main page]

Unless otherwise noted, changes described below apply to the newest Chrome beta channel release for Android, Chrome OS, Linux, macOS, and Windows. Learn more about the features listed here through the provided links or from the list on ChromeStatus.com. Chrome 95 is beta as of September 23, 2021.

Origin Trials

This version of Chrome introduces the origin trials described below. Origin trials allow you to try new features and give feedback on usability, practicality, and effectiveness to the web standards community. To register for any of the origin trials currently supported in Chrome, including the ones described below, visit the Chrome Origin Trials dashboard. To learn more about origin trials in Chrome, visit the Origin Trials Guide for Web Developers. Microsoft Edge runs its own origin trials separate from Chrome. To learn more, see the Microsoft Edge Origin Trials Developer Console.

New Origin Trials

Access Handles for the File System Access API

It's our eventual goal to merge the origin private file system of the File System Access API with the Storage Foundation API to reduce the number of entry points for getting access to file-based storage in the browser. A first step toward this objective is the newly proposed access handle. The new feature differs from existing functionality by offering in-place and exclusive write access to a file's content. This change, along with the ability to consistently read unflushed modifications and the availability of a synchronous variant on dedicated workers, significantly improves performance and unblocks new use cases. To join the origin trial, see its entry on Chrome Origin Trials. For more on access handlers, see the information we've added to The File System Access API: simplifying access to local files.

Reduce User Agent String Information

Chrome is trying to reduce the amount of information the user agent string exposes in HTTP requests as well as in navigator.userAgent, navigator.appVersion, and navigator.platform. The user agent string can be used for passive user fingerprinting. To join the origin trial, see its entry on Chrome Origin Trials.

Completed Origin Trials

The following features, previously in a Chrome origin trial, are now enabled by default.

Secure Payment Confirmation

Secure payment confirmation augments the payment authentication experience on the web with the help of the Web Authentication API. The feature adds a new 'payment' extension to that API, which allows a relying party such as a bank to opt-in to creating a PublicKeyCredential that can be queried by any merchant origin as part of an online checkout via the Payment Request API using the 'secure-payment-confirmation' payment method.

This feature enables a consistent, low friction, strong authentication experience using platform authenticators. Strong authentication with the user's bank is becoming a requirement for online payments in many regions, including the European Union. The proposed feature provides a better user experience and stronger security than existing solutions.

WebAssembly Exception Handling

WebAssembly now provides exception handling support. Exception handling allows code to break control flow when an exception is thrown. The exception can be any that is known by the WebAssembly module, or it may be an unknown exception that was thrown by a called imported function.

Other Features in this Release

Adding droppedEntriesCount to PerformanceObserver Callback

Currently, web developers can call PerformanceObserver.observe() with the buffered option to listen to past and future performance entries about their site. Unfortunately, past entries need to be stored, and there is a buffer size limit. The droppedEntriesCount parameter helps developers know if they may have lost an entry due to storage being full.

The droppedEntriesCount property is one of the options specified as the third parameter of the callback passed in the PerformanceObserver constructor. It provides the number of entries dropped due to the buffer being full.

EyeDropper API

The EyeDropper API provides a browser-supplied eyedropper for the construction of custom color pickers. Creative applications built for the web could benefit from an ability to sample a color from pixels on the screen. Many OS applications, PowerPoint for example, have this ability but are unable to carry it over to their web equivalents.

Even though some browsers have eyedropper capability built into <input type=color> elements, web applications are limited in their ability to integrate this into their custom color pickers since the eyedropper is generally accessible only through the non-customizable popup triggered by the <input> element.

New UA platform Version Source on Windows for User Agent Client Hints

Chrome has updated the value provided by the Sec-CH-UA-Platform-Version on Windows to provide a reasonable level of fidelity to allow sites to identify meaningful Windows platform changes. This enables sites to deliver appropriate binary executables and help content specific to a particular operating system version. The current user agent string and existing Sec-CH-UA-Platform-Version implementation provides the major and minor version Windows components. However, as of Windows 10, Windows generally doesn't increase either of these numbers across significant releases. Notably, Windows 11 does not increase either of these numbers. You can find a table of value mappings to Windows releases in the UA Client Hints' repo issue 220.

self.reportError()

This function, available in windows and workers, allows developers to report errors to the console and any global "error" event handlers in the same way as an uncaught JavaScript exception. It is mainly useful for custom event-dispatching or callback-manipulating libraries.
This allows library developers to report exceptions in the same way the browser does, which is useful when they need custom control over running the callback.

URLPattern

URLPattern is a new web API that provides operating system support for matching URLs given a pattern string. It can be used in JavaScript directly or by passing patterns to other web platform APIs such as, for example, as a service worker scope. Both web platform features and JavaScript applications often need to match against URLs. Examples include, service worker scopes on the web platform and URL routing in JavaScript frameworks. Past web platform features have individually created their own URL matching mechanisms. JavaScript has relied on libraries such as path-to-regexp.

Deprecations, and Removals

This version of Chrome introduces the deprecations and removals listed below. Visit ChromeStatus.com for lists of current deprecations and previous removals.

FTP Support Removed

Chrome is removing support for FTP URLs. Use of FTP in the browser is sufficiently low that it is no longer viable to invest in improving the existing FTP client. In addition, more capable FTP clients are available on all affected platforms.

Google Chrome 72 and later removed support for fetching document subresources over FTP and rendering of top level FTP resources. Currently navigating to FTP URLs results in showing a directory listing or a download depending on the type of resource. A bug in Google Chrome 74 and later resulted in dropping support for accessing FTP URLs over HTTP proxies. Proxy support for FTP was removed entirely in Google Chrome 76. In Chrome 86 FTP support was turned off for pre-release channels (Canary and Beta) and experimentally turned off for one percent of stable users, though it could be reenabled via the command line. In Chrome 87 it was turned off for fifty percent of users but could also be enabled through the command line. Since Chrome 88, it was only available through a deprecation trial and is now disabled.

Support for URLs with non-IPv4 Hostnames Ending in Numbers

Most hostnames that aren't valid IPv4 addresses, but end in numbers are treated as valid, and looked up via DNS (for example, http://foo.127.1/). Per the Public Suffix List spec, the eTLD+1 of the hostname in that URL should be 127.1. If that is ever fed back into a URL, http://127.1/ is mapped to http://127.0.0.1/ by the URL spec, which seems potentially dangerous. 127.0.0.0.1 could also potentially be used to confuse users. URLs with these hostnames are now rejected.

WebAssembly Cross-Origin Module Sharing

Chrome now deprecates sharing WebAssembly modules between cross-origin, but same-site environments to allow agent clusters to be scoped to origins long term.

Deprecate U2F API (Cryptotoken)

Chrome's legacy U2F API for interacting with security keys is deprecated and beginning a deprecation trial in Chrome 95 wherein the API remains enabled by default, but the trial token will disable the key for participating sites. U2F security keys themselves are not deprecated and will continue to work.

Affected sites should migrate to the Web Authentication API. Credentials that were originally registered via the U2F API can be challenged via web authentication. USB security keys that are supported by the U2F API are also supported by the Web Authentication API.

U2F is Chrome's original security key API. It allows sites to register public key credentials on USB security keys and challenge them for building phishing-resistant two-factor authentication systems. U2F never became an open web standard and was subsumed by the Web Authentication API (launched in Chrome 67). Chrome never directly supported the FIDO U2F JavaScript API, but rather shipped a component extension called cryptotoken, which exposes an equivalent chrome.runtime.sendMessage() method. U2F and Cryptotoken are firmly in maintenance mode and have encouraged sites to migrate to the Web Authentication API for the last two years.

The following timeline is currently planned for deprecation and removal:

Chrome 93

Stable as of August 31, 2021. Support added for the googleLegacyAppIdSupport extension.

Chrome 95

Beta as of September 23, 2021. The following changes were implemented:

  • Gated U2F API requests behind a user permission prompt.
  • Logged a deprecation notice in the DevTools console for every request.

Chrome 98

Beta expected in early January 2022, stable in February. The deprecation trial will continue, but its behavior will reverse: the API will be disabled by default, but may be kept alive by trial participants.

Chrome 103

Beta expected in late May 2022, stable in late June. The deprecation trial will end.

Chrome 104

Beta expected in late June 2022, stable in early August. The  U2F API will be fully removed.
Labels:

Back in May, we published an update on our User-Agent string reduction plans with a promise to publish further details on timing. Now that we have an origin trial ready for testing the Reduced User-Agent header (and associated JS interfaces) we have estimated timelines to share. What follows is repeated from the original blog post, but contains estimated Chrome versions where these Phases will begin to help you prepare. 


The Chromium schedule dashboard will be useful for understanding dates associated with each Chrome version and its progression from Canary into Beta and Stable Release.


Note: The usual disclaimers about estimating engineering deadlines apply—unforeseen circumstances may dictate delays. But in the case that we encounter delays, we do not intend to accelerate timelines between Phases.


Proposed Rollout Plan

We plan to roll out these changes slowly and incrementally in 7 Phases—pending origin trial feedback.


Reduction Preparation

Phase 1: Since Chrome 92 (July 20, 2021)

Call to Action (CTA): Audit your site usage to understand where migration may be necessary.


Warn about accessing navigator.userAgent, navigator.appVersion, and navigator.platform in DevTools, beginning in M92.


Phase 2: Chrome 95 to Chrome 100

CTA: Enroll in the origin trial for your site, and provide feedback until Chrome 101 is released.


Launch an origin trial for sites to opt into the final reduced UA string for testing and feedback, for at least 6 months. 


We will evaluate feedback from origin trial partners and the community, and based on this feedback proceed to Phases 3 through 7 of our plan, giving the ecosystem adequate time to adapt in between them. Otherwise, depending on feedback we will reconsider the best course of action.


Reduction Rollout

Phase 3: Chrome 100

CTA: Enroll in the deprecation trial or Enterprise policy for your site, when needed.


Launch deprecation trial and Enterprise policy, for instances where a site may need more time for migration.


Phase 4: Chrome 101

CTA: Ensure your site is compatible with the reduced Chrome version number, and migrate to UA Client Hints if not.


Ship reduced Chrome MINOR.BUILD.PATCH version numbers (“0.0.0”). Once rolled-out, the reduced UA string would apply to all page loads on desktop and mobile operating systems for sites that do not opt into the deprecation trial.


Phase 5: Chrome 107

CTA: Ensure your site is compatible with the reduced Desktop UA string and related JS APIs, and migrate to UA Client Hints if not.


Begin roll-out of reduced Desktop UA string and related JS APIs (navigator.userAgent, navigator.appVersion, navigator.platform). Once rolled-out, the reduced UA string would apply to all page loads on desktop operating systems for sites that do not opt into the deprecation trial.


Phase 6: Chrome 110

CTA: Ensure your site is compatible with the reduced Mobile UA string and related JS APIs, and migrate to UA Client Hints if not.


Begin roll-out of reduced Android Mobile (and Tablet) UA string and related JS APIs. Once rolled-out, the reduced UA string would apply to all page loads on Android that do not opt into the deprecation trial.


Reduction Completion

Phase 7: Chrome 113


Deprecation trial ends and all page loads receive the reduced UA string and related JS APIs.


See the companion Reduced User Agent string updates page for more details and example User Agent strings at each of these phases. We will note any significant delays or changes on this page as well.

Posted by Mike Taylor and Jade Kessler, Chrome Team

Unless otherwise noted, changes described below apply to the newest Chrome beta channel release for Android, Chrome OS, Linux, macOS, and Windows. Learn more about the features listed here through the provided links or from the list on ChromeStatus.com. Chrome 94 is beta as of August 26, 2021.

WebCodecs

Existing media APIs (HTMLMediaElement, Media Source Extensions, WebAudio, MediaRecorder, and WebRTC) are high-level and narrowly-focused. A low-level codec API would better support emerging applications, such as latency-sensitive game streaming, client-side effects or transcoding, and polyfillable media container support, without the increased network and CPU cost of JavaScript or WebAssembly codec implementations.

The WebCodecs API eliminates these deficiencies by giving programmers a way to use media components that are already present in the browser. Specifically:

  • Video and audio decoders
  • Video and audio encoders
  • Raw video frames
  • Image decoders

This feature has also completed its origin trial in Chrome 93 and is now available by default. For more information, see Video processing with WebCodecs.

WebGPU

The WebGPU API is the successor to the WebGL and WebGL2 graphics APIs for the Web. It provides modern features such as "GPU compute" as well as lower overhead access to GPU hardware and better, more predictable performance. This is an improvement over the existing WebGL interfaces, which were designed for drawing images but could only be repurposed for other kinds of computations with great effort.

WebGPU exposes modern computer graphics capabilities, specifically Direct3D 12, Metal, and Vulkan, for performing rendering and computation operations on a graphics processing unit (GPU). Advantages of WebGPU over earlier technologies include:

  • Separating resource management, work preparation, and submission to the GPU.
  • Pipeline states that function similarly to OS APIs.
  • Binding groups that allow graphics drivers to perform needed preparations in advance of rendering.

This feature is starting an origin trial in Chrome 94 with the hope of shipping in Chrome 99. For more information, see Access modern GPU features with WebGPU.

Scheduling APIs: Prioritized scheduler.postTask()

It's difficult to build web apps that are responsive to user interaction and that remain responsive over time. Scripts are one of the primary culprits hurting responsiveness. Consider a "search-as-you-type" feature: an app with this capability needs to keep up with the user's typing at the same time that it is fetching and displaying results. This doesn't take into account anything happening on the page such as animation, which must be rendered smoothly.

The problem is usually tackled by chunking and scheduling main thread work, specifically executing work asynchronously at appropriate times. This approach has its own problems, including the fact that whatever priority the developer sets, it's still competing for time on the main thread, which doesn't recognize the developer's prioritization, and is also responsible for browser tasks such as fetch() operations and garbage collection.

The scheduler.postTask() method fixes these scheduling dilemmas by letting developers schedule tasks (JavaScript callbacks) with an OS browser scheduler at three levels of priority: user-blocking, user-visible, and background. It also exposes a TaskController interface, which can dynamically cancel tasks and change their priority.

This feature completed its origin trial in Chrome 93 and is now available by default in Chrome. For a list of other new and completed origin trials, see the Origin Trials section below.

Origin Trials

In addition to the items above, this version of Chrome introduces the origin trials described below. Origin trials allow you to try new features and give feedback on usability, practicality, and effectiveness to the web standards community. To register for any of the origin trials currently supported in Chrome, including the ones described below, visit the Chrome Origin Trials dashboard. To learn more about origin trials in Chrome, visit the Origin Trials Guide for Web Developers. Microsoft Edge runs its own origin trials separate from Chrome. To learn more, see the Microsoft Edge Origin Trials Developer Console.

New Origin Trials

Early Hints for Navigation

Chrome is testing a new HTTP status code: 103 Early Hints for preloading subresources earlier.
When a 103 response includes <link rel=preload> or other link headers Chromium tries to preload (and/or preconnect, prefetch) specified resources before the final response is received. This gives web developers a way to optimize apps, sites, and pages.

Completed Origin Trials

The following features, previously in a Chrome origin trial, are now enabled by default.

Canvas Color Management

This update formalizes that the default color space for CanvasRenderingContext2D objects and ImageData objects is sRGB. This clarifies that the CanvasRenderingContext2D interface is fully color managed (that all inputs are converted to the canvas color space). These were previously conventions and not clearly specified. This updates makes the following changes:

  • Adds parameters to specify a non-sRGB color space when creating a CanvasRenderingContext2D object or an ImageData object.
  • Adds support for the Display P3 color space for these parameters.

Content displayed by CanvasRenderingContext2D is currently limited to the sRGB color space, which is less than the capabilities of modern displays and cameras. This feature allows creating a CanvasRenderingContext2D object that is in the Display P3 color space. This also clears up several points of ambiguity about the color behavior of CanvasRenderingContext2D.

VirtualKeyboard API

The VirtualKeyboard interface has methods and properties to control when a virtual keyboard is shown or hidden. It also fires events with the size of the virtual keyboard when it occludes content in the page. The virtual keyboard is the on-screen keyboard used for input in scenarios where a hardware keyboard may not be available.

Unlike a hardware keyboard, a virtual keyboard can adapt its shape to optimize for the expected input. Developers have control over the displayed shape of the virtual keyboard through the inputmode attribute, but have limited control over when the virtual keyboard is shown or hidden.

Other features in this release

CSS

Align transform-style: preserve-3d and perspective Property with the Spec

The transform-style: preserve-3d and perspective properties now align with the spec. The preserve-3d property allows child elements to participate in the parent's 3D scene, and the perspective property applies a perspective transform to child elements. Before this change, Chromium applied both of these effects based on the containing block hierarchy rather than the DOM tree, and allowed them to extend through elements without transform-related properties on them.

flex-basis Honors Keywords 'content' and 'min/max/fit-content'

Chrome now supports the keywords content, min-content, max-content, and fit-content as values for the flex-basis property and its flex shorthand. The content keyword makes flex base size use the default sizing rules as if flex-basis and preferred size property (width or height) are both auto, ignoring any specified width or height in the main axis dimension when flex-basis is auto. The other keywords are the same as usual and give more options for specifying the flex base size.

In responsive layouts, when adding or removing display:flex to a container, you previously had to sometimes add/remove values for each individual item. content eliminates the need in some situations.

scrollbar-gutter

The scrollbar-gutter property provides control over the presence of scrollbar gutters (the space reserved to display a scrollbar), allowing developers to prevent layout changes as content expands while avoiding unwanted visuals when scrolling isn't needed.

Note that the presence of the scrollbars themselves is determined by the overflow property. The choice of classical or overlay scrollbars is up to the user agent. This property provides developers with more control over how their layouts interact with the scrollbars provided by the browser.

MediaStreamTrack Insertable Streams (a.k.a. Breakout Box)

This API lets developers manipulate raw media carried by MediaStreamTracks such as the output of cameras, microphones, screen captures or the decoder part of a codec and the input to the decoder part of a codec. It uses WebCodecs interfaces to represent raw media frames and exposes them using streams, similar to the way the WebRTC Insertable Streams exposes encoded data from RTCPeerConnections. Example use cases include funny hats and real-time object identification and annotation.

Return Fixed Lists for navigator.plugins and navigator.mimeTypes

With the removal of Flash, there is no longer a need to return anything for navigator.plugins and navigator.mimeTypes. These APIs were used primarily for:

  • Probing for Flash player support
  • Fingerprinting.

Some sites use these APIs to probe for PDF viewer support. With this change, these arrays will return fixed lists containing a standard list of PDF viewer plugins.

Note that this is not the removal or change of any API, it is merely the return of fixed arrays for these two existing APIs.

JavaScript

This version of Chrome incorporates version 9.4 of the V8 JavaScript engine. It specifically includes the change listed below. You can find a complete list of recent features in the V8 release notes.

Self Profiling API

Chrome now supports a web-exposed sampling profiler for measuring client JavaScript execution time. Gathering JavaScript profiles from real users can help developers debug slow observed performance without invasive manual instrumentation.

Deprecations, and Removals

This version of Chrome introduces the deprecations and removals listed below. Visit ChromeStatus.com for lists of current deprecations and previous removals.

Deprecate and Remove WebSQL in Third-Party Contexts

WebSQL in third-party contexts is now deprecated. Removal is expected in Chrome 97. The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated in in 2019. The W3C encourages Web Storage and Indexed Database for those needing alternatives.

Developers should expect that WebSQL itself will be deprecated and removed when usage is low enough.

Restrict Private Network Requests for Subresources to Secure Contexts

Private network requests for subresources may now only be initiated from a secure context. Private network requests are those initiated from a public network, targeting a private network. Examples include internet to intranet requests and intranet loopbacks.

This is a first step towards fully implementing Private Network Access. Servers running inside local networks, or on a user's device, expose powerful capabilities to the web in ways that can be quite dangerous. Private Network Access proposes a set of changes to limit the impact of requests to these servers by ensuring that the servers are opting-into any communication with external entities.

For this opt-in to have any meaning, the servers need to be able to ensure that the client origin is authenticated. To that end, only secure contexts are empowered to make external requests.

Unless otherwise noted, changes described below apply to the newest Chrome beta channel release for Android, Android WebView, Chrome OS, Linux, macOS, and Windows. Learn more about the features listed here through the provided links or from the list on ChromeStatus.com. Chrome 93 is beta as of July 29, 2021.

Origin Trials

This version of Chrome introduces the origin trials described below. Origin trials allow you to try new features and give feedback on usability, practicality, and effectiveness to the web standards community. To register for any of the origin trials currently supported in Chrome, including the ones described below, visit the Chrome Origin Trials dashboard. To learn more about origin trials in Chrome, visit the Origin Trials Guide for Web Developers. Microsoft Edge runs its own origin trials separate from Chrome. To learn more, see the Microsoft Edge Origin Trials Developer Console.

New Origin Trials

Cross-Origin-Embedder-Policy: credentialless

Cross-origin no-CORS requests can now be made to omit credentials (cookies, client certificates, etc.) using the credentialless keyword. Similarly to COEP: require-corp, it can enable cross-origin isolation.

Sites that wish to continue using SharedArrayBuffer must opt-in to cross-origin isolation. Today, COEP: require-corp exists, and is used to enable cross-origin isolation. It is functional and solid, but turns out to be difficult to deploy at scale, as it requires all subresources to explicitly opt-in. This is fine for some sites, but creates dependency problems for sites that gather content from users (Google Earth, social media generally, forums, etc.).

Multi-Screen Window Placement

The Multi-Screen Window Placement API allows you to place windows on any display connected to your machine, store that placement, and make a window full-screen on any display. With this API, a presentation app can show slides on one screen and speaker notes on another. An art or music creation app can place palettes on a second screen. And a restaurant can show a touchscreen menu on a kiosk and a separate window for employees. Incorporating developer feedback from the first origin trial, the API enters a second origin trial with an improved shape and ergonomics.

Window Controls Overlay for Installed Desktop Web Apps

Window controls overlay extends an app's client area to cover the entire window, including the title bar, and the window control buttons (close, maximize/restore, minimize). The web app developer is responsible for drawing and input-handling for the entire window except for the window controls overlay. Developers can use this feature to make their installed desktop web apps look like O.S. apps. For more information, see Customize the window controls overlay of your PWA's title bar.

PWAs as URL Handlers

PWA as URL Handlers allows apps like music.example.com to register themselves as URL handlers for URLs that match patterns like https://music.example.com, https://*.music.example.com, or https://🎵.example.com, so that links from outside of the PWA, for example, from an instant messenger application or an email client, open in the installed PWA rather than in a browser tab.

Completed Origin Trials

The following features, previously in a Chrome origin trial, are now enabled by default.

Subresource loading with Web Bundles

Web Bundles provides a new approach to load a large number of resources efficiently using a format that allows multiple resources to be bundled. This feature addresses issues with previous approaches to resource bundling.

The output of some JavaScript bundlers does not interact well with the HTTP cache and configuring them can sometimes be difficult. Even with bundled JavaScript, execution needs to wait for all bytes to download. Ideally loading multiple subresources should use streaming and parallelization, which is not possible with one JavaScript file. For JavaScript modules, execution still needs to wait for an entire resource tree to download because of deterministic execution.

WebXR Plane Detection API

WebXR applications can now retrieve data about planes present in a user's environment, which enables augmented reality applications to create more immersive experiences. Without this feature, developers would have to resort to running their own computer vision algorithms on data from getUserMedia() (available on navigator and MediaDevices) in order to detect planes present in the users' environment. Such solutions have thus far been unable to match the quality and accuracy of native augmented reality capabilities or support world scale.

Other features in this release

AbortSignal.abort() Static Method

AbortSignal.abort() is a static method that allows creating a new AbortSignal object that is already aborted. It is similar in spirit to Promise.reject(), and provides improved developer ergonomics.

Web developers have found aborted AbortSignal objects to be useful for a variety of purposes. They signify to JavaScript APIs that no work should be done. Currently, creating an already-aborted AbortSignal object requires multiple lines of code. AbortSignal.abort() requires one:

return AbortSignal.abort();

CSS Flexbox: Support Alignment Keywords start, end, self-start, self-end, left, right

The flexbox and flex items now obey positional alignment keywords. Flexbox previously only obeyed center, flex-start, and flex-end. The additional alignment keywords (start, end, self-start, self-end, left, right) allow authors to more easily align the flex items in the face of varying writing modes and flex flows.

Without these additional keywords, developers need to change the keyword values whenever they change the writing mode, text direction, or flex reversal properties (flex-direction: row-reverse, flex-direction:column-reverse or align-content: wrap-reverse). The keywords implemented here let them set alignment once.

Error.cause Property

The Error() constructor supports a new options property called cause, which will be assigned to the error as a property. This allows errors to be chained without unnecessary and overelaborate formalities on wrapping the errors in conditions.

Honor Media HTML Attribute for meta name=theme-color

The meta element's "media" attribute will be honored for meta[name="theme-color"] so that web developers can adjust the theme color of their site based on a media query (dark and light modes for instance). The first one that matches will be picked.

noplaybackrate in HTMLMediaElement.controlsList

The HTMLMediaElement.controlsList property now supports noplaybackrate, which allows websites to enabled or disable the playback speed control exposed by the browser. With browser vendors adding playback speed control to their media controls, developers should have a way to control the visibility of this new control. Try the new property on the noplaybackrate in HTMLMediaElement.controlsList Sample.

Sec-CH-Prefers-Color-Scheme Client Hint Header

The CSS user preference media feature prefers-color-scheme has a potentially significant impact on the amount of CSS that needs to be delivered by a page and on the experience the user is going to have when the page loads. The new Sec-CH-Prefers-Color-Scheme client hint header allows sites to obtain the user's preference optionally at request time, allowing servers to inline the right CSS and therefore avoid a flash of incorrect color theme.

User-Agent Client Hints API Updates

This version of Chrome adds four new features and changes to the User-Agent client hints API.

  • Sec-CH-UA-Bitness: a request header that gives a server information about the bitness of the architecture of the platform on which a given user agent is executing. Bitness is the number of bits comprising the basic value a particular system can evaluate.
  • Make Sec-CH-UA-Platform a low-entropy hint: Sec-CH-UA-Platform is a request header that gives a server information about the platform on which a given user agent is executing.
  • Adds low-entropy hints to UADataValues.getHighEntropyValues(): If a hint moves from high to low-entropy, this future proofs any code relying on it.
  • Improves NavigatorUAData.toJSON() method: This method now returns useful data.

Low-entropy hints are those that don't give away too much information, or give information that would be too easy to discover in other ways to realistically hide. In the context of client hints, this means that these hints are available in every request, whether or not the origin involved requested it or whether the frame involved is a first or third party context.

WebOTP API: Cross-Device Support

The WebOTP API will now be supported on desktop when both Chrome on Desktop and Android Chrome are logged in using the same Google account. The WebOPT API provides the ability to programmatically read a one-time code from specially-formatted SMS messages addressed to their origin, reducing user friction during sign-on. Previously, this was only available on mobile devices where SMS was supported.

JavaScript

This version of Chrome incorporates version 9.3 of the V8 JavaScript engine. It specifically includes the changes listed below. You can find a complete list of recent features in the V8 release notes.

Object.hasOwn

Object.hasOwn, a new boolean property, provides an easier-to-use, static method version of Object.prototype.hasOwnProperty.

Deprecations, and Removals

This version of Chrome introduces the deprecations and removals listed below. Visit ChromeStatus.com for lists of current deprecations and previous removals.

Block ports 989 and 990

Connections to HTTP, HTTPS or FTP servers on ports 989 and 990 now fail. These ports are used by the FTPS protocol, which has never been implemented in Chrome. However, FTPS servers can be attacked in a cross-protocol attack by malicious web pages using carefully-crafted HTTPS requests. This is a mitigation for the ALPACA attack.

Remove 3DES in TLS

Chrome has now removed support for the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. TLS_RSA_WITH_3DES_EDE_CBC_SHA is a remnant of the SSL 2.0 and SSL 3.0 era. 3DES in transport layer security (TLS) is vulnerable to the Sweet32 attack. Being a CBC cipher suite, it is also vulnerable to the Lucky Thirteen attack. The first replacement AES cipher suites were defined for TLS in RFC3268, published around 19 years ago, and there have been several iterations since.

WebAssembly Cross-Origin Module Sharing

WebAssembly module sharing between cross-origin but same-site environments will be deprecated to allow agent clusters to be scoped to origins long term. This follows a WebAssembly specification change, which has an impact on the platform as well.

Labels:




Keeping Chrome users safe as they browse the web is crucially important to Chrome; in fact, security has always been one of our four core principles. In some cases, security can come at the expense of performance. In our next post in The Fast and the Curious series, we are excited to share how improvements to our phishing detection algorithms keeps users safe online. With these improvements, phishing detection is now 50 times faster and drains less battery.

Phishing detectionEvery time you navigate to a new page, Chrome evaluates a collection of signals about the page to see if it matches those of phishing sites. To do that, we compare the color profile of the visited page - that’s the range and frequency of the colors present on the page - with the color profiles of common pages. For example in the image below, we can see that the colors are mostly orange, followed by green and then a touch of purple.





If the site matches a known phishing site, Chrome warns you to protect your personal information and prevent you from exposing your credentials.



What you will see if a phishing attempt is detected

To preserve your privacy, by default Chrome's Safe Browsing mode never sends any images outside the browser. While this is great for privacy, it means that your machine has to do all the work to analyze the image.

Image processing can often generate heavy workloads because analyzing the image requires an evaluation of each pixel in what is commonly known as a “pixel loop.” Some modern monitors display upwards of 14 million pixels, so even simple operations on each of those pixels can add up to a lot of CPU use! For phishing detection, the operation that takes place on each pixel is the counting of its basic colors.

Here is what this looks like. The counts are stored in an associative data structure called a hashmap. For each pixel, we extract its RGB color values and store the counts in one of 3 different hashmaps -- one for each color.





Making it more efficientAdding one item to a hashmap is fast, but we have to do this for millions of pixels. We try to avoid reducing the number of pixels to avoid compromising the quality of the analysis. However, the computation itself can be improved.

Our improvements to the pipeline look like this:
  • The code now avoids keeping track of RGB channels in three different hashmaps and instead uses only one to index by color. Three times less counting!
  • Consecutive pixels are summed before being counted in the hashmap. For a site with a uniform background color, this can reduce the hashmap overhead to almost nothing.
Here is what the counting of the colors looks like now. Notice how there are significantly fewer operations on the hashmap:





How much faster did this get?Starting with M92, Chrome now executes image-based phishing classification up to 50 times faster at the 50th percentile and 2.5 times faster at the 99th percentile. On average, users will get their phishing classification results after 100 milliseconds, instead of 1.8 seconds.

This benefits you in two ways as you use Chrome. First and foremost, using less CPU time to achieve the same work improves general performance. Less CPU time means less battery drain and less time with spinning fans.

Second, getting the results faster means Chrome can warn you earlier. The optimization brought the percentage of requests that took more than 5 seconds to process from 16.25% to less than 1.6%. This speed improvement makes a real difference in security - especially when it comes to stopping you from entering your password in a malicious site!

Overall, these changes achieve a reduction of almost 1.2% of the total CPU time used by all Chrome renderer processes and utility processes.

At Chrome’s scale, even minor algorithm improvements can result in major energy efficiency gains in aggregate. Here’s to many more centuries of CPU time saved!

Stay tuned for many more performance improvements to come!

Posted by Olivier Li Shing Tat-Dupuis, Chrome Developer

Data source for all statistics: Real-world data anonymously aggregated from Chrome clients.



Labels: , ,


When a browser connects to websites over HTTPS (vs. HTTP), eavesdroppers and attackers on the network can't intercept or alter the data that's shared over that connection (including personal info, or even the page itself). This level of privacy and security is vital for the web ecosystem, so Chrome continues to invest in making HTTPS more widely supported.

Thankfully, HTTPS adoption has come a long way in recent years, and most operating systems now see 90%+ of page loads over HTTPS in Chrome. Still, there's more we can do to help make HTTPS the preferred protocol on the web, and better protect users on the remaining slice of the web that doesn’t yet support HTTPS, so today we're sharing some future work in this area.



Opting in to an HTTPS-First World

Beginning in M94, Chrome will offer HTTPS-First Mode, which will attempt to upgrade all page loads to HTTPS and display a full-page warning before loading sites that don’t support it. Users who enable this mode gain confidence that Chrome is connecting them to sites over HTTPS whenever possible, and that they will see a warning before connecting to sites over HTTP. Based on ecosystem feedback, we’ll explore making HTTPS-First mode the default for all users in the future. Mozilla has also shared their intent to make HTTPS-only mode the future of web browsing in Firefox.



Experimenting with the lock icon
As we approach an HTTPS-first future, we're also re-examining the lock icon that browsers typically show when a site loads over HTTPS. In particular, our research indicates that users often associate this icon with a site being trustworthy, when in fact it's only the connection that's secure. In a recent study, we found that only 11% of participants could correctly identify the meaning of the lock icon. To try and reduce this confusion, Chrome will run an experiment in M93 that replaces the lock in the address bar with a more neutral entry point to Page Info (example below). We hope that this experiment will improve the discoverability of critical privacy and security information and controls provided in Page Info, such as site permissions. Importantly, a "Not Secure" indicator will continue to show on sites without HTTPS support, and the experiment includes an enterprise policy in case organizations want to opt-out. In all cases, we'll provide advance notice if we decide to move ahead with a full launch.





Protecting users on the HTTP web
While we are excited to see users adopt HTTPS-First Mode in future versions of Chrome, HTTP connections will still continue to be supported and Chrome will take additional steps to protect and inform users whenever they are using insecure connections. Continuing from our past efforts to restrict new features to secure origins and deprecate powerful features on insecure origins, we’ll evaluate a broad set of web platform features to determine if they should be limited or restricted on HTTP webpages.

In order to focus on changes that provide the greatest security improvements to our users, we are relying on a set of guiding principles to prioritize our future work in this area:

  • Better inform users when making trust decisions about sites over insecure connections
  • Limit the ability for sites to opt out of security policies over insecure connections
  • Restrict how, and for how long, Chrome stores site content provided over insecure connections
A deeper explanation of how we plan to act on these principles, as well as an updated list of affected features will be maintained on the Chromium wiki and we are excited to announce more details later this year.

Posted by Shweta Panditrao, Devon O'Brien, Emily Stark, Google Chrome team


Labels: ,

We previously announced that Chrome will soon release a new milestone every 4 weeks, starting with Chrome 94 in Q3 of 2021. We’re excited to also share our plans today for adjusting the Chrome OS release schedule.

To deliver new features more rapidly to consumers while also continuing to prioritize the key pillars of Chrome OS – security, stability, speed and simplicity – Chrome OS will move to a 4-week stable channel starting with M96 in Q4. For enterprise and education users, Chrome OS will also introduce a new channel with a 6-month update cadence by M96. More details to be announced soon.

To bridge the gap between M94 when Chrome moves to a four week release and M96, Chrome OS will skip M95 (see the updated Chrome schedule page for milestone-specific details).

As we head into our next decade, these changes enable us to evolve Chrome OS to keep helping people get things done and to provide more helpful and secure experiences.


Marina Kazatcker, Chrome OS Release TPM Lead

Labels: