Google released earlier today version 62 of its Chrome browser that comes with quite a few new features but also fixes for 35 security issues.
The most interesting new features are support for OpenType variable fonts, the full release of the Network Quality Estimator API, the ability to capture and stream DOM elements, and HTTP warnings for the browser's Normal and Incognito mode.
OpenType variable fonts
While for most users this wouldn't seem like a big deal, the most important new feature added in Chrome 62 is support for OpenType variable fonts.
Until now, web developers had to load multiple font families whenever they wanted variations on a font family. For example, if a developer was using the Open Sans font family on a site, if he wanted a font variation such as Regular, Bold, Black, Normal, Condensed, Expanded, Highlight, Slab, Heavy, Dashed, or another, he'd have to load a different font file for each.
OpenType variable fonts allow font makers to merge all these font family variations in one file that developers can use on their site and control via CSS. This results in fewer files loaded on a website, saving bandwidth and improving page load times.
HTTP warnings for Normal and Incognito mode
Announced earlier in April, starting with Chrome 62, Google will add a "Not secure" marker under certain conditions in Chrome's Normal and Incognito modes. Google's plan includes two major changes.
The first is how Chrome marks HTTP pages in the default browsing mode. Until now, Chrome labeled HTTP pages as "Not secure" when there was a form field present on the page for entering payment card or password information. This change was added in Chrome in January, with the release of version 56.
Starting today, Chrome 62 will mark any HTTP page as "Not secure" if the user is entering data in any kind of field, may it be a search field or a simple numeric input.
The second major change is in Incognito mode. Google says that all HTTP pages will be marked as "Not Secure" starting with Chrome 62. This labeling will happen regardless if there's a form field on the page or not.
Network Quality Estimator & Media Capture from DOM APIs
Two other features that will interest mostly developers are the Network Quality Estimator and the Media Capture from DOM Elements APIs.
As the name hints, the first grants developers access to network speed and performance metrics, information that some websites may use to adapt video streams, audio quality, or deliver low-fi versions of their sites.
Developers can use the second API — the Media Capture from DOM Elements — to record videos of how page sections behave during interaction and stream the content over WebRTC. This latter API could be useful for developers debugging a page, but also support teams that want to see what's happening on the user's side.
DOM interfaces are now supported for the and HTML elements to give developers a native, machine-readable way to store client-side content.
Lookbehind assertions are now available in addition to lookaheads, so developers can use regular expressions to ensure that a pattern is or isn’t preceded by another, e.g. matching a dollar amount without capturing the dollar sign.
A new WebVR Origin Trial is now available, enabling developers to experiment with building rich Virtual Reality experiences on the web.
- Following previous announcements, the “Not secure” warning will now be displayed when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.
- The `tabindex` attribute now enables the on-screen keyboard on Chrome for Android to more easily navigate between the next and previous fields within a form, thanks to a contribution from Samsung.
Developers can now use the s flag to enable dotAll mode in ECMAScript regular expressions, making “.” match any character, including line terminators.
Uploading images on Chrome for Android has an improved user experience and multi-select support that triggers on any site that invokes < input type="file" > with an accept attribute specifying that only images are accepted.
The new visibility:collapse CSS declaration now hides table rows while preserving their contribution to column widths, rather than treating it like visibility:hidden, which merely skips painting the rows.
Protected media can now be played offline through EME on Chrome for Android.
Chrome for Android now supports Widevine L1, allowing sites to play encrypted media in a secure way.
Loosened restrictions on escape sequences in template literals unlock new use cases for template tags, such as LaTeX processing.
- In Android O, sites with notification permissions now appear as a Notification Channel in Android Settings under Chrome, affording users a simpler way to manage permissions.
Deprecations and interoperability improvements
[$7500+$1337] - High - CVE-2017-5124: UXSS with MHTML. Reported by Anonymous on 2017-09-07
[$5000]- High - CVE-2017-5125: Heap overflow in Skia. Reported by Anonymous on 2017-07-26
[$3000]- High - CVE-2017-5126: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-08-30
[$3000]- High - CVE-2017-5127: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-14
[$3000]- High - CVE-2017-5128: Heap overflow in WebGL. Reported by Omair on 2017-09-14
[$3000]- High - CVE-2017-5129: Use after free in WebAudio. Reported by Omair on 2017-09-15
[$3000]- High - CVE-2017-5132: Incorrect stack manipulation in WebAssembly. Reported by Gaurav Dewan (@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-05-05
[$N/A]- High - CVE-2017-5130: Heap overflow in libxml2. Reported by Pranjal Jumde (@pjumde) on 2017-05-14
[$5000] - Medium - CVE-2017-5131: Out of bounds write in Skia. Reported by Anonymous on 2017-07-16
[$2000]- Medium - CVE-2017-5133: Out of bounds write in Skia. Reported by Aleksandar Nikolic of Cisco Talos on 2017-09-05
[$1000]- Medium - CVE-2017-15386: UI spoofing in Blink. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-08-03
[$1000]- Medium - CVE-2017-15387: Content security bypass. Reported by Jun Kokatsu (@shhnjk) on 2017-08-16
[$1000]- Medium - CVE-2017-15388: Out of bounds read in Skia. Reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-08-17
[$500]- Medium - CVE-2017-15389: URL spoofing in OmniBox. Reported by xisigr of Tencent's Xuanwu Lab on 2017-07-06
[$500]- Medium - CVE-2017-15390: URL spoofing in OmniBox. Reported by Haosheng Wang (@gnehsoah) on 2017-07-28
[$500] - Low - CVE-2017-15391: Extension limitation bypass in Extensions. Reported by João Lucas Melo Brasio (whitehathackers.com.br) on 2016-03-28
[$N/A]- Low - CVE-2017-15392: Incorrect registry key handling in PlatformIntegration. Reported by Xiaoyin Liu (@general_nfs) on 2017-04-22
[$N/A]- Low - CVE-2017-15393: Referrer leak in Devtools. Reported by Svyat Mitin on 2017-06-13
[$N/A]- Low - CVE-2017-15394: URL spoofing in extensions UI. Reported by Sam @sudosammy on 2017-07-18
[$N/A] - Low - CVE-2017-15395: Null pointer dereference in ImageCapture. Reported by johberlvi@ on 2017-08-28
[$N/A] Various fixes from internal audits, fuzzing and other initiatives.