Today Google launched version 61 of the Chrome browser for Windows, Mac, and Linux. With this release, we have 21 security updates, numerous improvements and bug fixes, and three APIs that allow developers to further enhance their sites and apps.
Of particular note is the addition of Javascript modules, the Payment Request API for Chrome desktop, the Web Share API, and WebUSB. I personally enjoy the Web Share API as it can allow me to utilize Androids native sharing methods from within a site.
While not considered a major addition, a new improvement in this release is that Chrome will now automatically exit full screen if a JavaScript dialog opens. This is a huge help against tech support scam sites that make it difficult for victims to to navigate away from by forcing the browser into full screen mode and then displaying dialog boxes and alerts.
Other features & improvements
The Network Information API is now available on desktop as well as Android, enabling sites to access the underlying connection information of a device.
Developers can now specify scrolling smoothness via a new optional parameter in existing Scroll APIs or with the scroll-behavior CSS property.
The CSSOM View Smooth Scroll API brings native smooth scrolling to the platform through a the scroll-behavior: smooth CSS property or by using the window.scrollTo() DOM scroll method, eliminating the need to implement this behavior with JavaScript
CSS color values can now be 8- and 4-digit hex colors of the format #RRGGBBAA and #RGBA.
Sites can now access the relative positions of the screen content with the Visual Viewport API, exposing complex functionality like pinch-and-zoom in a more direct way.
The Device RAM API is now available, exposing the amount of RAM on a user’s device to sites to optimize overall performance of a web application.
When navigating from an installed web app to a site outside the initial web app’s scope, the new site now automatically loads in a Custom Chrome Tab.
For video using native controls, Chrome will now automatically expand video to fullscreen when a user rotates their device in an orientation that matches a video playing on the screen.
nextHopProtocol is now available in Resource Timing and Navigation Timing, providing access to the network protocol used to fetch a resource.
Sites can now require embedded third-party content to enforce a given Content Security Policy via the new csp attribute on iframe elements.
The DOMTokenList interface now supports replace() to easily change all identical tokens to a new one, such as active to inactive on expiration.
To access a list of attribute names of an element, getAttributeNames() is now supported and gives developers a more direct mechanism than going through the attributes collection.
To increase security, sites will now automatically exit full screen if a JavaScript dialog opens.
Sites can now access an estimate for the disk space used by a given origin and quota in bytes via the Storage API’s new navigator.storage.estimate() function.
To improve the browser’s cache hit rate, URLSearchParams now supports sort() to list all stored name-value pairs.
The URLSearchParams constructor has been updated to accept any object as a parameter instead of only other URLSearchParams instances.
To prevent the use of mis-issued certificates from going unnoticed, sites can use the new Expect-CT HTTP header which will enable automated reporting and/or enforcement of Certificate Transparency requirements.
Chrome will no longer decode frames for videos using Media Source in background tabs.
“Non-Live” camera settings such as photo resolution, red eye reduction, and flash mode can now be retrieved with ImageCapture.getPhotoSettings().
Sites can now use the Clear-Site-Data header to delete their own client-side data, such as cookies, service workers, storage, and cache entries.
Deprecations and interoperability improvements
To increase security, resources with URLs containing both \n and < characters will now be blocked.
To increase security, support for the Presentation API’s start function has been deprecated and removed for insecure contexts.
- To align with the spec and preserve browser consistency, the scrollingElement is now thedocumentElement in standards mode.
To increase consistency across on attributes, onwheel attributes have been moved from Element to Window, Document, HTMLElement, and SVGElement.
To better follow spec and provide more granular control over the flow of referred content, Chrome now supports three new Referrer Policy values, same-origin, strict-origin, and strict-origin-when-cross-origin.
Following the change in spec, the maximum value for colSpan has been decreased from 8190 to 1000.
Security fixes
This release of Chrome 61 also includes 21 security updates. Those fixes that were contributed by external researchers and their bounty are:
| Bounty | Internal Ticket ID | Severity | CVE | Description | Discovered By |
|---|---|---|---|---|---|
| $5,000 | 737023 | High | CVE-2017-5111 | Use after free in PDFium. | Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-06-27 |
| $5,000 | 740603 | High | CVE-2017-5112 | Heap buffer overflow in WebGL. | Tobias Klein (www.trapkit.de) on 2017-07-10 |
| $5,000 | 747043 | High | CVE-2017-5113 | Heap buffer overflow in Skia. | Anonymous on 2017-07-20 |
| $3,500 | 752829 | High | CVE-2017-5114 | Memory lifecycle issue in PDFium. | Ke Liu of Tencent’s Xuanwu LAB on 2017-08-07 |
| $3,000 | 744584 | High | CVE-2017-5115 | Type confusion in V8. | Marco Giovannini on 2017-07-17 |
| TBD | 759624 | High | CVE-2017-5116 | Type confusion in V8. | Anonymous on 2017-08-28 |
| $1,000 | 739190 | Medium | CVE-2017-5117 | Use of uninitialized value in Skia. | Tobias Klein (www.trapkit.de) on 2017-07-04 |
| $1,000 | 747847 | Medium | CVE-2017-5118 | Bypass of Content Security Policy in Blink. | WenXu Wu of Tencent’s Xuanwu Lab on 2017-07-24 |
| N/A | 725127 | Medium | CVE-2017-5119 | Use of uninitialized value in Skia. | Anonymous on 2017-05-22 |
| N/A | 718676 | Low | CVE-2017-5120 | Potential HTTPS downgrade during redirect navigation. | Xiaoyin Liu (@general_nfs) on 2017-05-05 |
Google’s ongoing internal security work was responsible for the following fixes: