Chrome 62

Google released earlier today version 62 of its Chrome browser that comes with quite a few new features but also fixes for 35 security issues.

The most interesting new features are support for OpenType variable fonts, the full release of the Network Quality Estimator API, the ability to capture and stream DOM elements, and HTTP warnings for the browser's Normal and Incognito mode.

OpenType variable fonts

While for most users this wouldn't seem like a big deal, the most important new feature added in Chrome 62 is support for OpenType variable fonts.

Until now, web developers had to load multiple font families whenever they wanted variations on a font family. For example, if a developer was using the Open Sans font family on a site, if he wanted a font variation such as Regular, Bold, Black, Normal, Condensed, Expanded, Highlight, Slab, Heavy, Dashed, or another, he'd have to load a different font file for each.

OpenType variable fonts allow font makers to merge all these font family variations in one file that developers can use on their site and control via CSS. This results in fewer files loaded on a website, saving bandwidth and improving page load times.

Chrome 62 variable fonts

HTTP warnings for Normal and Incognito mode

Announced earlier in April, starting with Chrome 62, Google will add a "Not secure" marker under certain conditions in Chrome's Normal and Incognito modes. Google's plan includes two major changes.

The first is how Chrome marks HTTP pages in the default browsing mode. Until now, Chrome labeled HTTP pages as "Not secure" when there was a form field present on the page for entering payment card or password information. This change was added in Chrome in January, with the release of version 56.

Starting today, Chrome 62 will mark any HTTP page as "Not secure" if the user is entering data in any kind of field, may it be a search field or a simple numeric input.

The second major change is in Incognito mode. Google says that all HTTP pages will be marked as "Not Secure" starting with Chrome 62. This labeling will happen regardless if there's a form field on the page or not.

Chrome 62 HTTP warnings

Network Quality Estimator & Media Capture from DOM APIs

Two other features that will interest mostly developers are the Network Quality Estimator and the Media Capture from DOM Elements APIs.

As the name hints, the first grants developers access to network speed and performance metrics, information that some websites may use to adapt video streams, audio quality, or deliver low-fi versions of their sites.

Developers can use the second API — the Media Capture from DOM Elements — to record videos of how page sections behave during interaction and stream the content over WebRTC. This latter API could be useful for developers debugging a page, but also support teams that want to see what's happening on the user's side.

Other features

  • The Payment Request API is now available on Chrome for iOS.
  • PaymentRequest now supports different prices and line items per payment method with PaymentDetailsModifier.data.
  • DOM interfaces are now supported for the and HTML elements to give developers a native, machine-readable way to store client-side content.
  • The CSS color parser now supports 8- and 4-digit hex colors of the format #RRGGBBAA and #RGBA.
  • Lookbehind assertions are now available in addition to lookaheads, so developers can use regular expressions to ensure that a pattern is or isn’t preceded by another, e.g. matching a dollar amount without capturing the dollar sign.
  • A new WebVR Origin Trial is now available, enabling developers to experiment with building rich Virtual Reality experiences on the web.
  • Following previous announcements, the “Not secure” warning will now be displayed when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.
  • The `tabindex` attribute now enables the on-screen keyboard on Chrome for Android to more easily navigate between the next and previous fields within a form, thanks to a contribution from Samsung.
  • Developers can now use the s flag to enable dotAll mode in ECMAScript regular expressions, making “.” match any character, including line terminators.
  • Uploading images on Chrome for Android has an improved user experience and multi-select support that triggers on any site that invokes < input type="file" > with an accept attribute specifying that only images are accepted.
  • Apps using the MediaSource API can now more effectively customize their HTMLMediaElement.seekable range logic using the new Media Source Extensions APIs, setLiveSeekableRange and clearLiveSeekableRange.
  • The new visibility:collapse CSS declaration now hides table rows while preserving their contribution to column widths, rather than treating it like visibility:hidden, which merely skips painting the rows.
  • Media Source Extensions (MSE) now support FLAC, a lossless audio coding format, in ISO-BMFF.
  • Protected media can now be played offline through EME on Chrome for Android.
  • Chrome for Android now supports Widevine L1, allowing sites to play encrypted media in a secure way.
  • Loosened restrictions on escape sequences in template literals unlock new use cases for template tags, such as LaTeX processing.
  • In Android O, sites with notification permissions now appear as a Notification Channel in Android Settings under Chrome, affording users a simpler way to manage permissions.

 Deprecations and interoperability improvements

  • Following an update to native button appearance on macOS, the appearance of < input > buttons and the < button > element have been similarly changed, affecting the default values for the background-color,  border,  border-radius, and padding CSS properties.
  • The ability to request permission to show notifications has been removed over HTTP connections and within cross-origin iframes, in line with our policy on restricting powerful features to only HTTPS.
  • To increase accuracy and ensure that users receive content in the language they expect, base language is now added immediately after language+region when generating accept-language headers from language settings.
  • To improve UX and browser consistency, transitional mouse events will now be dispatched, and hover states will now be updated more quickly after the intended layout has been modified.
  • OfflineAudioContext now accepts a dictionary argument, in addition to the existing constructor that takes three separate arguments.
  • In line with other browsers, the getStreamById method on RTCPeerConnection has now been removed.
  • SharedWorker.workerStart has been removed, following its deprecation and removal from other major browsers.
  • To better conform to spec, the default value of < ol >.start has been set to 1.

Security fixes

[$7500+$1337][762930] - High - CVE-2017-5124: UXSS with MHTML. Reported by Anonymous on 2017-09-07
[$5000][749147]- High - CVE-2017-5125: Heap overflow in Skia. Reported by Anonymous on 2017-07-26
[$3000][760455]- High - CVE-2017-5126: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-08-30
[$3000][765384]- High - CVE-2017-5127: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-14
[$3000][765469]- High - CVE-2017-5128: Heap overflow in WebGL. Reported by Omair on 2017-09-14
[$3000][765495]- High - CVE-2017-5129: Use after free in WebAudio. Reported by Omair on 2017-09-15
[$3000][718858]- High - CVE-2017-5132: Incorrect stack manipulation in WebAssembly. Reported by Gaurav Dewan (@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-05-05
[$N/A][722079]- High - CVE-2017-5130: Heap overflow in libxml2. Reported by Pranjal Jumde (@pjumde) on 2017-05-14
[$5000][744109] - Medium - CVE-2017-5131: Out of bounds write in Skia. Reported by Anonymous on 2017-07-16
[$2000][762106]- Medium - CVE-2017-5133: Out of bounds write in Skia. Reported by Aleksandar Nikolic of Cisco Talos on 2017-09-05
[$1000][752003]- Medium - CVE-2017-15386: UI spoofing in Blink. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-08-03
[$1000][756040]- Medium - CVE-2017-15387: Content security bypass. Reported by Jun Kokatsu (@shhnjk) on 2017-08-16
[$1000][756563]- Medium - CVE-2017-15388: Out of bounds read in Skia. Reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-08-17
[$500][739621]- Medium - CVE-2017-15389: URL spoofing in OmniBox. Reported by xisigr of Tencent's Xuanwu Lab on 2017-07-06
[$500][750239]- Medium - CVE-2017-15390: URL spoofing in OmniBox. Reported by Haosheng Wang (@gnehsoah) on 2017-07-28
[$500][598265] - Low - CVE-2017-15391: Extension limitation bypass in Extensions. Reported by João Lucas Melo Brasio (whitehathackers.com.br) on 2016-03-28
[$N/A][714401]- Low - CVE-2017-15392: Incorrect registry key handling in PlatformIntegration. Reported by Xiaoyin Liu (@general_nfs) on 2017-04-22
[$N/A][732751]- Low - CVE-2017-15393: Referrer leak in Devtools. Reported by Svyat Mitin on 2017-06-13
[$N/A][745580]- Low - CVE-2017-15394: URL spoofing in extensions UI. Reported by Sam @sudosammy on 2017-07-18
[$N/A][759457] - Low - CVE-2017-15395: Null pointer dereference in ImageCapture. Reported by johberlvi@ on 2017-08-28
[$N/A][775550] Various fixes from internal audits, fuzzing and other initiatives.