Google has launched Chrome 60 for Windows, Mac, and Linux. Among the additions is Touch Bar support, the Paint Timing API, CSS font-display, and improvements to the Credential Management API. You can update to the latest version now using the browser’s built-in silent updater or download it directly from google.com/chrome.
Chrome is arguably more than a browser. With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.
First up, on macOS users can now customize the layout of Chrome's Touch Bar controls. Open the View menu and choose Customize Touch Bar. You can add and remove buttons, put brightness and volume controls alongside Chrome-specific shortcuts, and even disable typing suggestions.
Chrome now supports the new Paint Timing API, which exposes metrics that capture First Paint and First Contentful Paint and gives developers better insight into their site’s loading performance. No generalized metric perfectly captures when a page is loaded in all cases, but First Paint and First Contentful Paint are “invaluable numbers to measure critical user moments during loading,” according to Google.
Next up, Chrome now supports the font-display descriptor in CSS @font-face rules, allowing developers to specify how and when Chrome displays text while the web font it uses is still downloading. Until now, Chrome delayed rendering text until the specified font had been downloaded, which can take a long time on a poor connection and keeps content from appearing.
Lastly, the Credential Management API has been updated: the custom fetch() that was previously needed to send the stored password to the server has been deprecated. The user's password is now returned directly as part of the PasswordCredential object, so the site reads it and posts it to its login endpoint itself.
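The flow that change implies, as an added example (not code from the article or from Chrome): a page asks the credential store for a stored password, reads it off the PasswordCredential as Chrome 60 allows, and posts it in a form body. Since the password is now readable by any script on the page, including an injected one, the example guards the one place it leaves the page by refusing any login URL that is not the site's own HTTPS origin. The credential store and fetch function are passed in as parameters so the logic runs under Node.js; in a real page they are navigator.credentials and fetch, and the assumed LOGIN_ORIGIN constant stands in for location.origin.

```javascript
// Added example, not from the article: Chrome 60-style login with a stored
// PasswordCredential. Before Chrome 60 the password was opaque to script and had
// to be sent with fetch(url, { method: 'POST', credentials: cred }); Chrome 60
// deprecates that and exposes cred.password so the site posts it itself.

const LOGIN_ORIGIN = 'https://example.test'; // assumed; use location.origin in a page

// Chrome 60 hands the password to script, so an XSS bug on the page can read it
// too. Only ever send it to our own origin, and only over HTTPS.
function assertSafeLoginUrl(loginUrl) {
  const url = new URL(loginUrl, LOGIN_ORIGIN);
  if (url.protocol !== 'https:' || url.origin !== LOGIN_ORIGIN) {
    throw new Error(`refusing to send the stored password to ${url.href}`);
  }
  return url.href;
}

// Build the POST that replaces the old custom fetch() with credentials: cred.
// Accepts anything shaped like a PasswordCredential ({ type, id, password }).
function buildLoginRequest(cred, loginUrl = '/login') {
  if (!cred || cred.type !== 'password') {
    throw new Error('expected a PasswordCredential');
  }
  const body = new URLSearchParams({ username: cred.id, password: cred.password });
  return {
    url: assertSafeLoginUrl(loginUrl),
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Full flow: ask the store for a password credential, post it, report the result.
// credentialStore is navigator.credentials and fetchImpl is fetch in a browser.
async function loginWithStoredCredential(credentialStore, fetchImpl, loginUrl = '/login') {
  const cred = await credentialStore.get({ password: true });
  if (!cred) return { status: 'no-credential' }; // user cancelled, or nothing stored
  const { url, init } = buildLoginRequest(cred, loginUrl);
  const res = await fetchImpl(url, init);
  return { status: res.ok ? 'logged-in' : 'rejected', httpStatus: res.status, user: cred.id };
}
```

Sites that relied on the old behaviour, where the browser filled the password into the request and script never saw it, lose that isolation with this change; the origin check above is the minimum compensating control, and the login script should be kept small and free of third-party code.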
Other developer features in this release include:
- The Payment Request API is now supported on desktop versions of Chrome.
- Sites can now collect payments through native Android payment apps using the Payment Request API.
- Object rest & spread properties are now supported, making it simpler to merge and shallow-clone objects and implement various immutable object patterns.
- The new Web Budget API enables sites with the Push Notification permission to send a limited number of push messages that trigger background work, such as syncing data or dismissing notifications the user has handled on another device, without the need to show a user-visible notification.
- The new Web Push Encryption format is now supported, and PushManager.supportedContentEncodings can be used to detect where it can be used.
- PushSubscription.expirationTime is now available, notifying sites when and if a subscription will expire.
- To improve performance and predictability, pointermove and mousemove events are now delivered once per AnimationFrame, matching the current functionality of scroll and TouchEvents.
- The :focus-within CSS pseudo-class is now available, affecting any element the :focus pseudo-class affects, as well as any element with a descendant affected by :focus.
- The CSS frames() timing function is now available; it is useful for animation loops where every frame should be displayed for exactly the same length of time, including the first and last frames.
- To provide an enriched way to capture editing actions, InputEvent now allows user input to be managed by script, enhancing the details provided to editable elements.
- To increase security, a BeforeUnload dialog triggered when the user leaves a site will now only be shown if the frame attempting to display it has ever received a user gesture or user interaction, though the BeforeUnloadEvent will still be dispatched, regardless.
- VP9, an open and royalty-free video coding format, can now be used with the MP4 (ISO BMFF) container and requires the new VP9 string format mentioned below.
- A new VP9 string format is now available and accepted by various media-related APIs, enabling developers to describe the encoding properties that are common in video codecs but are not yet exposed.
For what’s new in the browser’s DevTools, check out the release notes.
Chrome 60 also implements 40 security fixes. The following ones were found by external researchers:
- [$10000] High CVE-2017-5091: Use after free in IndexedDB. Reported by Ned Williamson on 2017-06-02
- [$5000] High CVE-2017-5092: Use after free in PPAPI. Reported by Yu Zhou, Yuan Deng of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室) on 2017-06-15
- [$3000] High CVE-2017-5093: UI spoofing in Blink. Reported by Luan Herrera on 2015-10-31
- [$1000] High CVE-2017-5094: Type confusion in extensions. Anonymous on 2017-03-19
- [$1000] High CVE-2017-5095: Out-of-bounds write in PDFium. Anonymous on 2017-06-13
- [$TBD] High CVE-2017-5096: User information leak via Android intents. Takeshi Terada on 2017-04-23
- [$TBD] High CVE-2017-5097: Out-of-bounds read in Skia. Anonymous on 2017-07-11
- [$TBD] High CVE-2017-5098: Use after free in V8. Jihoon Kim on 2017-07-11
- [$N/A] High CVE-2017-5099: Out-of-bounds write in PPAPI. Yuan Deng, Yu Zhou of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室) on 2017-06-15
- [$2000] Medium CVE-2017-5100: Use after free in Chrome Apps. Anonymous on 2017-05-04
- [$1000] Medium CVE-2017-5101: URL spoofing in OmniBox. Luan Herrera on 2017-01-17
- [$1000] Medium CVE-2017-5102: Uninitialized use in Skia. Anonymous on 2017-05-30
- [$500] Medium CVE-2017-5103: Uninitialized use in Skia. Anonymous on 2017-05-25
- [$500] Medium CVE-2017-5104: UI spoofing in browser. Khalil Zhani on 2017-06-02
- [$N/A] Medium CVE-2017-7000: Pointer disclosure in SQLite. Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro’s Zero Day Initiative
- [$1000] Low CVE-2017-5105: URL spoofing in OmniBox. Rayyan Bijoora on 2017-06-06
- [$TBD] Medium CVE-2017-5106: URL spoofing in OmniBox. Jack Zac on 2017-04-24
- [$N/A] Low CVE-2017-5107: User information leak via SVG. David Kohlbrenner of UC San Diego on 2017-01-27
- [$N/A] Low CVE-2017-5108: Type confusion in PDFium. Guang Gong of Alpha Team, Qihoo 360 on 2017-02-24
- [$N/A] Low CVE-2017-5109: UI spoofing in browser. José María Acuña Morgado on 2017-04-11
- [$N/A] Low CVE-2017-5110: UI spoofing in payments dialog. xisigr of Tencent’s Xuanwu Lab on 2017-05-02
- Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $26,000 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
Google releases a new version of its browser every six weeks or so. Chrome 61 will arrive by early September.