Google has launched Chrome 63 for Windows, Mac, and Linux. Additions in this release include dynamic module imports, async iterators and generators, and the Device Memory API, among other developer features. You can update to the latest version now using the browser’s built-in silent updater or download it directly from google.com/chrome.
Chrome is arguably more than a browser. With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.
Async generator functions can help developers streamline the consumption or implementation of streaming data sources, while async iterators can be used in for loops and also to create custom async iterators through async iterator factories. This should lead to more elegant code — see the async iteration proposal for more information.
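The two patterns described above, as an added example that is not from Google's announcement: an async generator that reassembles newline-delimited records from a chunked stream, and a hand-written async iterator factory. The names `chunkSource`, `lines`, `countdown`, `collect` and the sample chunks are assumptions constructed for illustration.

```javascript
// Constructed sample input: log records split at arbitrary chunk boundaries,
// the way a network or file stream would deliver them.
const SAMPLE_CHUNKS = ['GET /index', '.html 200\nGET /adm', 'in 403\nPOST /login 302'];

// Stand-in for a streaming data source (hypothetical helper).
async function* chunkSource(chunks) {
  for (const chunk of chunks) {
    await new Promise((resolve) => setTimeout(resolve, 0)); // simulate I/O latency
    yield chunk;
  }
}

// Async generator: buffers chunks and yields one complete record per line,
// including records that straddle a chunk boundary.
async function* lines(source) {
  let buffer = '';
  for await (const chunk of source) {
    buffer += chunk;
    let idx;
    while ((idx = buffer.indexOf('\n')) !== -1) {
      yield buffer.slice(0, idx);
      buffer = buffer.slice(idx + 1);
    }
  }
  if (buffer.length > 0) yield buffer; // trailing record without a newline
}

// Async iterator factory: implements the Symbol.asyncIterator protocol by hand.
function countdown(from) {
  return {
    [Symbol.asyncIterator]() {
      let n = from;
      return {
        next() {
          const result = n > 0 ? { value: n--, done: false } : { value: undefined, done: true };
          return Promise.resolve(result);
        },
      };
    },
  };
}

// Drains any async iterable with a for-await loop.
async function collect(iterable) {
  const out = [];
  for await (const item of iterable) out.push(item);
  return out;
}
```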
Chrome 63 was supposed to add a new option to completely disable audio for individual sites. It doesn’t appear to be included for whatever reason, but we’ll update you if that changes.
Other developer features in this release (some are mobile-specific):
- To improve interoperability, a TypeError is now thrown for EventTarget.addEventListener and removeEventListener when the callback passed is not an EventListener, null, or undefined.
- Developers can now make pixel-level adjustments using the new Q length unit, which is especially useful on small viewports.
- Developers can now prevent apps from using Chrome’s pull-to-refresh feature or create custom effects using overscroll-behavior, which allows changing the browser’s behavior once the scroller has reached its full extent.
- font-variant-east-asian is now supported, allowing developers to control the usage of alternate glyphs for East Asian languages like Japanese and Chinese.
- To improve interoperability, Chrome will fire beforeprint and afterprint events as part of the printing standard, allowing developers to annotate the printed copy and edit the annotation after the printing command is done executing.
- Using Promise.prototype.finally, a callback can now be registered to be invoked after a Promise has been fulfilled or rejected.
- The Intl.PluralRules API allows developers to build applications that understand pluralization of a given language by indicating which plural form applies for a given number and language.
- MediaStreamTrack.applyConstraints() is now supported for local video MediaStreamTracks, including tracks obtained from getUserMedia(), capture from media elements or screen capture.
- Version 2 of NT LAN Manager (NTLM) API is now shipped, enabling applications to authenticate remote users and provide session security when requested by the application.
- Thanks to contributions from engineers at Intel, an Origin Trial is now available that exposes the following sensors via the new Generic Sensors API syntax: Accelerometer, LinearAccelerationSensor, Gyroscope, AbsoluteOrientationSensor, and RelativeOrientationSensor.
- The localStorage and sessionStorage APIs now use getItem() rather than an anonymous getter, so attempting to access a key using getItem() will now return null rather than undefined. Thanks to Intel for the contribution!
- To improve developer experience, the methods on sessionStorage and localStorage such as getItem(), removeItem(), and clear() are now enumerable. Thanks to Intel for making this happen!
- display: minimal-ui is now supported by Chrome on Android, enabling developers to display a UI similar to Chrome Custom Tabs for users.
- To improve interoperability, instance properties with a Promise type now return a rejected promise instead of throwing an exception.
- The /deep/ or >>> selector, as well as ::shadow, are now removed from CSS dynamic profile, following their deprecation in Chrome 45.
- To improve interoperability, HTMLAllCollection, HTMLCollection, HTMLFormControlsCollection, and HTMLOptionsCollection are no longer enumerable, so they are now left out of calls to Object.keys() or for-in loops.
For what’s new in the browser’s DevTools, check out the release notes.
Chrome 63 also implements 37 security fixes. The following ones were found by external researchers:
- [$10500] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson on 2017-10-26
- [$6337] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by Ke Liu of Tencent’s Xuanwu LAB on 2017-09-06
- [$5000] High CVE-2017-15409: Out of bounds write in Skia. Reported by Anonymous on 2017-09-11
- [$5000] High CVE-2017-15410: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-16
- [$5000] High CVE-2017-15411: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-29
- [$3500] High CVE-2017-15412: Use after free in libXML. Reported by Nick Wellnhofer on 2017-05-27
- [$500] High CVE-2017-15413: Type confusion in WebAssembly. Reported by Gaurav Dewan (@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-09-19
- [$3337] Medium CVE-2017-15415: Pointer information disclosure in IPC call. Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15
- [$2500] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by Ned Williamson on 2017-10-28
- [$2000] Medium CVE-2017-15417: Cross origin information disclosure in Skia. Reported by Max May on 2017-03-07
- [$1000] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by Kushal Arvind Shah of Fortinet’s FortiGuard Labs on 2017-09-15
- [$1000] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-10-31
- [$500] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-10-23
- [$TBD] Medium CVE-2017-15422: Integer overflow in ICU. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13
- [$500] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. Reported by Greg Hudson on 2017-10-25
- [$N/A] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by Khalil Zhani on 2017-08-16
- [$N/A] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by xisigr of Tencent’s Xuanwu Lab on 2017-08-17
- [$N/A] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-08-18
- Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $46,674 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
Google releases a new version of its browser every six weeks or so. Chrome 64 will arrive by late January.
In related news, Google released Chrome 63 for Android yesterday. In addition to performance and stability fixes, you can enjoy improvements to autocompletion in the address bar and permission requests presented as modal dialogs (which Google claims reduces the overall number of permission prompts by 50 percent).