
Google launched today version 60 of the Chrome browser. This version brings mostly developer and API-related changes, with no changes to visible UI functions. In addition, the Chrome team also fixed 40 security issues.

The biggest of the Chrome 60 changes is the addition of the Paint Timing API, a new tool for website developers that allows them to measure the time Chrome takes to "paint" their web page.

Second is the CSS font-display property, which lets developers tell Chrome to display default OS fonts while the browser downloads custom fonts in the background. This prevents pages from loading without showing their text until the custom font has been downloaded to the user's PC.

Apart from these two, the other changes are generally low-level modifications of little interest to the casual user.

Other features & improvements

  • In response to developer feedback and to make the Credential Management API easier to use for all sites, the need for a custom fetch() to access the stored password is now deprecated. Starting in Chrome 60, the user’s password will now be returned directly as part of the PasswordCredential.
  • The Payment Request API is now supported on desktop versions of Chrome.
  • Sites can now collect payments through native Android payment apps using the Payment Request API.
  • Object rest & spread properties are now supported, making it simpler to merge and shallow-clone objects and implement various immutable object patterns.
  • The new Web Budget API enables sites with the Push Notification permission to send a limited number of push messages that trigger background work such as syncing data or dismissing notifications the user has handled on another device, without the need to show a user-visible notification.
  • The new Web Push Encryption format is now supported and PushManager.supportedContentEncodings can be used to detect where it can be used.
  • PushSubscription.expirationTime is now available, notifying sites when and if a subscription will expire.
  • To improve performance and predictability, pointermove and mousemove events are now delivered once per AnimationFrame, matching the current functionality of scroll and TouchEvents.
  • The :focus-within CSS pseudo-class is now available, affecting any element the :focus pseudo-class affects, as well as any element with a descendant affected by :focus.
  • The CSS frames timing function is now available, making it useful for animation loops where the animation should display all frames for exactly the same length, including its first and last frames.
  • To provide an enriched way to capture editing actions, InputEvent now allows user input to be managed by script, enhancing the details provided to editable elements.
  • To increase security, a BeforeUnload dialog triggered when the user leaves a site will now only be shown if the frame attempting to display it has ever received a user gesture or user interaction, though the BeforeUnloadEvent will still be dispatched regardless.
  • VP9, an open and royalty-free video coding format, can now be used with the MP4 (ISO BMFF) container and requires the new VP9 string format mentioned below.
  • A new VP9 string format is now available and accepted by various media-related APIs, enabling developers to describe the encoding properties that are common in video codecs, but are not yet exposed.
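
The object rest & spread item above is the one most likely to show up in security-sensitive code, so here is an added example (not from the Chrome release notes or the original article) of the merge, shallow-clone and immutable-update patterns it mentions. All function names and sample data are constructed for illustration.

```javascript
// Added example, not Chrome or page code; names and data are constructed.

// Merge: later spreads win, so enforced settings go last.
function buildConfig(userSupplied) {
  const enforced = { secureCookies: true, sameSite: 'strict' };
  return { timeoutMs: 30000, ...userSupplied, ...enforced };
}

// Rest: strip secret fields before an object is logged.
function redactForLog(account) {
  const { password, sessionToken, ...safe } = account;
  return safe;
}

// Spread clones one level only; nested objects stay shared.
function shallowClone(obj) {
  return { ...obj };
}

// Immutable update: copy every level that changes.
function withRole(account, role) {
  return { ...account, profile: { ...account.profile, role } };
}

// Spread defines own properties, Object.assign assigns (setters run).
// A parsed JSON key named "__proto__" therefore replaces the prototype
// of the Object.assign target, but stays plain data under spread.
function mergeParsed(json) {
  const parsed = JSON.parse(json);
  return { viaSpread: { ...parsed }, viaAssign: Object.assign({}, parsed) };
}

// Constructed sample input.
const account = {
  user: 'alice',
  password: 'constructed-secret',
  sessionToken: 'constructed-token',
  profile: { role: 'viewer' },
};

console.log(buildConfig({ timeoutMs: 5000, secureCookies: false }));
console.log(redactForLog(account));
console.log(shallowClone(account).profile === account.profile);
console.log(withRole(account, 'admin').profile.role, account.profile.role);
const merged = mergeParsed('{"__proto__": {"admin": true}}');
console.log(merged.viaSpread.admin, merged.viaAssign.admin);
```

Because the clone is shallow, code that hands a spread copy to untrusted callers still shares every nested object with them; copy each nested level that must stay private.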

Deprecations and interoperability improvements

  • getElementsByTagName() now accepts qualified names in response to an update to the DOM specification.
  • /deep/ now behaves like the descendant combinator, which is effectively a no-op.
  • To improve user experience, calls to Navigator.vibrate() now immediately return false if the user hasn't explicitly tapped on the frame or any embedded frame, matching existing behavior for cross-origin iframes.
  • WEBKIT_KEYFRAME_RULE and WEBKIT_KEYFRAMES_RULE have been removed in favor of the unprefixed standardized APIs, KEYFRAME_RULE and KEYFRAMES_RULE.
  • Support for non-standard WebKitAnimationEvent and WebKitTransitionEvent has been removed from document.createEvent().
  • To better align with spec, NodeIterator.filter and TreeWalker.filter no longer wrap JavaScript objects, and .prototype has been removed from window.NodeFilter.
  • RTCPeerConnection.getStreamById() is being removed, and a polyfill is recommended as a replacement.
  • SVGPathElement.getPathSegAtLength() has been deprecated as it has been removed from the SVGPathElement spec.
  • Headers.prototype.getAll() has been removed from the Fetch API in line with its removal from the spec.

Security fixes

[$10000][728887] High CVE-2017-5091: Use after free in IndexedDB. Reported by Ned Williamson on 2017-06-02
[$5000][733549] High CVE-2017-5092: Use after free in PPAPI. Reported by Yu Zhou, Yuan Deng of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室) on 2017-06-15
[$3000][550017] High CVE-2017-5093: UI spoofing in Blink. Reported by Luan Herrera on 2015-10-31
[$1000][702946] High CVE-2017-5094: Type confusion in extensions. Reported by Anonymous on 2017-03-19
[$1000][732661] High CVE-2017-5095: Out-of-bounds write in PDFium. Reported by Anonymous on 2017-06-13
[$TBD][714442] High CVE-2017-5096: User information leak via Android intents. Reported by Takeshi Terada on 2017-04-23
[$TBD][740789] High CVE-2017-5097: Out-of-bounds read in Skia. Reported by Anonymous on 2017-07-11
[$TBD][740803] High CVE-2017-5098: Use after free in V8. Reported by Jihoon Kim on 2017-07-11
[$N/A][733548] High CVE-2017-5099: Out-of-bounds write in PPAPI. Reported by Yuan Deng, Yu Zhou of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室) on 2017-06-15
[$2000][718292] Medium CVE-2017-5100: Use after free in Chrome Apps. Reported by Anonymous on 2017-05-04
[$1000][681740] Medium CVE-2017-5101: URL spoofing in OmniBox. Reported by Luan Herrera on 2017-01-17
[$1000][727678] Medium CVE-2017-5102: Uninitialized use in Skia. Reported by Anonymous on 2017-05-30
[$500][726199] Medium CVE-2017-5103: Uninitialized use in Skia. Reported by Anonymous on 2017-05-25
[$500][729105] Medium CVE-2017-5104: UI spoofing in browser. Reported by Khalil Zhani on 2017-06-02
[$N/A][742407] Medium CVE-2017-7000: Pointer disclosure in SQLite. Reported by Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative
[$1000][729979] Low CVE-2017-5105: URL spoofing in OmniBox. Reported by Rayyan Bijoora on 2017-06-06
[$TBD][714628] Medium CVE-2017-5106: URL spoofing in OmniBox. Reported by Jack Zac on 2017-04-24
[$N/A][686253] Low CVE-2017-5107: User information leak via SVG. Reported by David Kohlbrenner of UC San Diego on 2017-01-27
[$N/A][695830] Low CVE-2017-5108: Type confusion in PDFium. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2017-02-24
[$N/A][710400] Low CVE-2017-5109: UI spoofing in browser. Reported by José María Acuña Morgado on 2017-04-11
[$N/A][717476] Low CVE-2017-5110: UI spoofing in payments dialog. Reported by xisigr of Tencent's Xuanwu Lab on 2017-05-02

Google's ongoing internal security work was responsible for the following fix:

[748565] Various fixes from internal audits, fuzzing and other initiatives
