Google has launched Chrome 62 for Windows, Mac, and Linux. Additions in this release include improvements to the Network Quality Estimator API, OpenType variable fonts, media capture from DOM elements, and more warnings related to HTTP, among other developer features. You can update to the latest version now using the browser’s built-in silent updater or download it directly from google.com/chrome.
Chrome is arguably more than a browser. With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.
While the Network Infomation API has been available in previous versions of Chrome, it only provided theoretical network speeds based on the type of connection a user has. In Chrome 62, the API now provides developers with network performance metrics as experienced by the client. Developers can thus inspect the current expected round trip time and throughput, be notified of performance changes, and tailor content to network constraints. To simplify application logic, the API even summarizes measured network performance as the cellular connection type most similar to it, regardless of whether the actual connection is another technology entirely (such as Wi-Fi or ethernet).
Chrome 62 also gains support for OpenType font variations. Until now, one font file contained just a single instance of a font family, including only one weight (Regular, Bold, Black, and so on) or one stretch (Normal, Condensed, Expanded, and so on). OpenType variations provide a continuous spectrum of stylistic variations while saving space and bandwidth, since they all load from a single compact font file. Stretch, style, and weight can be adjusted using the respective updated CSS properties (which now allow numeric values) and fine-tuning of variation axis parameters, such as weight or width, is possible using the font-variation-settings CSS property.
The W3C Media Capture from DOM Elements API now allows sites to live-capture content in the form of a MediaStream directly from HTMLMediaElements. Streamed content can be recorded with the captureStream() method, sent remotely using WebRTC, and processed with WebAudio.
Arguably the biggest change in this release, however, is one Google announced back in April. As part of the company’s plan to mark all HTTP sites as non-secure in Chrome, version 62 now marks HTTP sites with entered data and HTTP sites in Incognito mode as non-secure.
HTTPS is a more secure version of the HTTP protocol used on the internet to connect users to websites. Secure connections are widely considered a necessary measure to decrease the risk of users being vulnerable to content injection (which can result in eavesdropping, man-in-the-middle attacks, and other data modification). Data is kept secure from third parties, and users can be more confident they are communicating with the correct website.
With the release of Chrome 56 in January 2017, Google’s browser started marking HTTP pages that collect passwords or credit cards as “Not Secure” in the address bar. Chrome 62 takes this to the next level:
Passwords and credit cards are naturally the most important data to keep private, but ideally no data that users type into websites should be accessible to others on the network. Chrome 62 thus shows the “Not secure” warning when users type data into HTTP sites.
As for browsing in Incognito mode, Google believes users have “increased expectations of privacy.” In this mode, HTTP browsing is potentially visible to others on the network, just like in normal mode. Chrome 62 thus warns users when visiting an HTTP page in Incognito mode.
Eventually, Chrome will always mark HTTP sites as “Not secure.”
Other developer features in this release (some are mobile-specific):
- The Payment Request API is now available on Chrome for iOS.
- PaymentRequest now supports different prices and line items per payment method with new”; PaymentDetailsModifier.data.
- DOM interfaces are now supported for the new”; <data> and new”; <time> HTML elements to give developers a native, machine-readable way to store client-side content.
- The CSS color parser now supports 8- and 4-digit hex colors of the format new”; #RRGGBBAA and new”; #RGBA.
- Lookbehind assertions are now available in addition to lookaheads, so developers can use regular expressions to ensure that a pattern is or isn’t preceded by another, e.g. matching a dollar amount without capturing the dollar sign.
- A new WebVR Origin Trial is now available, enabling developers to experiment with building rich Virtual Reality experiences on the web.
- Following previous announcements, the “Not secure” warning will now be displayed when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.
- The `tabindex` attribute now enables the on-screen keyboard on Chrome for Android to more easily navigate between the next and previous fields within a form, thanks to a contribution from Samsung.
- Developers can now use the new”; s flag to enable new”; dotAll mode in ECMAScript regular expressions, making “new”; .” match any character, including line terminators.
- Uploading images on Chrome for Android has an improved user experience and multi-select support that triggers on any site that invokes new”; <input type=”file”> with an new”; accept attribute specifying that only images are accepted.
- Apps using the MediaSource API can now more effectively customize their new”; HTMLMediaElement.seekable range logic using the new Media Source Extensions APIs, new”; setLiveSeekableRange and new”; clearLiveSeekableRange.
- The new new”; visibility:collapse CSS declaration now hides table rows while preserving their contribution to column widths, rather than treating it like new”; visibility:hidden, which merely skips painting the rows.
- Media Source Extensions (MSE) now support FLAC, a lossless audio coding format, in ISO-BMFF.
- Protected media can now be played offline through EME on Chrome for Android.
- Chrome for Android now supports Widevine L1, allowing sites to play encrypted media in a secure way.
- Loosened restrictions on escape sequences in template literals unlock new use cases for template tags, such as LaTeX processing.
- In Android O, sites with notification permissions now appear as a Notification Channel in Android Settings under Chrome, affording users a simpler way to manage permissions.
For what’s new in the browser’s DevTools, check out the release notes.
Chrome 62 also implements 35 security fixes. The following ones were found by external researchers:
- [$7500+$1337] High CVE-2017-5124: UXSS with MHTML. Reported by Anonymous on 2017-09-07
- [$5000] High CVE-2017-5125: Heap overflow in Skia. Reported by Anonymous on 2017-07-26
- [$3000] High CVE-2017-5126: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-08-30
- [$3000] High CVE-2017-5127: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-14
- [$3000] High CVE-2017-5128: Heap overflow in WebGL. Reported by Omair on 2017-09-14
- [$3000] High CVE-2017-5129: Use after free in WebAudio. Reported by Omair on 2017-09-15
- [$3000] High CVE-2017-5132: Incorrect stack manipulation in WebAssembly. Reported by Gaurav Dewan (@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-05-05
- [$N/A] High CVE-2017-5130: Heap overflow in libxml2. Reported by Pranjal Jumde (@pjumde) on 2017-05-14
- [$5000] Medium CVE-2017-5131: Out of bounds write in Skia. Reported by Anonymous on 2017-07-16
- [$2000] Medium CVE-2017-5133: Out of bounds write in Skia. Reported by Aleksandar Nikolic of Cisco Talos on 2017-09-05
- [$1000] Medium CVE-2017-15386: UI spoofing in Blink. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-08-03
- [$1000] Medium CVE-2017-15387: Content security bypass. Reported by Jun Kokatsu (@shhnjk) on 2017-08-16
- [$1000] Medium CVE-2017-15388: Out of bounds read in Skia. Reported by Kushal Arvind Shah of Fortinet’s FortiGuard Labs on 2017-08-17
- [$500] Medium CVE-2017-15389: URL spoofing in OmniBox. Reported by xisigr of Tencent’s Xuanwu Lab on 2017-07-06
- [$500] Medium CVE-2017-15390: URL spoofing in OmniBox. Reported by Haosheng Wang (@gnehsoah) on 2017-07-28
- [$500] Low CVE-2017-15391: Extension limitation bypass in Extensions. Reported by João Lucas Melo Brasio (whitehathackers.com.br) on 2016-03-28
- [$N/A] Low CVE-2017-15392: Incorrect registry key handling in PlatformIntegration. Reported by Xiaoyin Liu (@general_nfs) on 2017-04-22
- [$N/A] Low CVE-2017-15393: Referrer leak in Devtools. Reported by Svyat Mitin on 2017-06-13
- [$N/A] Low CVE-2017-15394: URL spoofing in extensions UI. Reported by Sam @sudosammy on 2017-07-18
- [$N/A] Low CVE-2017-15395: Null pointer dereference in ImageCapture. Reported by johberlvi@ on 2017-08-28
Google thus spent at least $40,337 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
Google releases a new version of its browser every six weeks or so. Chrome 63 will arrive by early December.
Update on October 24: Google today released Chrome 62 for Android. In addition to performance and stability fixes, you can expect three new features: Download files faster with accelerated downloads, view and copy passwords saved with Chrome if device lock is enabled, and quickly see your data savings in the Chrome menu when Data Saver is on.