Google today launched Chrome 67 for Windows, Mac, and Linux. The desktop release includes new APIs and BigInt support, plus the usual security improvements and new developer features. You can update to the latest version now using the browser’s built-in updater or download it directly from google.com/chrome.
With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often make a point to ensure they are aware of everything available — as well as what has been deprecated or removed.
The biggest addition in this release is the Generic Sensor API. Sensor data used in many native applications and games is now available to web apps via an API, which consists of a base Sensor interface with a set of concrete sensor classes built on top.
Google offers the following sensor specs and examples of how they might be used:
- Accelerometer: Use the motion of the device to move around in a 3D video. Accelerometer sensor measurements provide the movement speed of the device in terms of x, y, and z coordinates (as shown above).
- Gyroscope: Use the orientation of the device to implement a table-top maze.
- Orientation Sensor: This is what’s called a fusion sensor meaning it combines readings from two or more sensors, in this case the accelerometer and the gyroscope. Whereas a maze implemented using only the gyroscope might only move the location marker in two dimensions, one implemented with the orientation sensor could require the user to physically turn the device to turn a corner.
- Motion Sensors: This is a fusion sensor that includes a magnetometer as well as the accelerometer and the gyroscope. The most obvious use case for this [is] a virtual compass.
Speaking of new APIs, Chrome 67 also includes the WebXR Device API, which enables the creation of augmented reality and virtual reality experiences on mobile devices and desktops. The new API is, however, available as an origin trial (sign-up form). More information is available in the Immersive Web Community Group.
This is a big move. The idea is to unify the experiences across AR-enabled mobile devices, mobile-based VR headsets like Google Daydream View and Samsung Gear VR, and desktop-hosted headsets like Oculus Rift, HTC Vive, and Windows Mixed Reality Headsets. Google hopes this API will be used to develop AR and VR games, but also immersive 360-degree videos, traditional 2D (or 3D) videos presented in immersive surroundings, data visualization, home shopping, and even art.
Other developer features in this release (some are mobile-specific) include:
- SVG: SVG2 requires
<foreignObject>to be a stacking context. Making
<foreignObject>a stacking context allows developers to place HTML content underneath a
- DOM: The DOM specification was updated so that
DOMTokenList.replace()returns a boolean value indicating whether a replacement occurred. This is useful for code that takes different paths depending on whether a replacement occurred, avoiding the need for an extra condition using
contains(). Chrome now follows the specification.
- Input: Webpages can now process mouse events (
mouseup) for back and forward buttons on mice with five or more buttons. This allows back and forward mouse buttons to be prevented by applications such as games that wish to override them. On Windows, the right-hand Alt key serves as AltGraph (ISO-Level-3-Shift) on some layouts, such as many European language layouts, to allow generating additional printable characters. Internally the key generates Ctrl+Alt modifiers, so that Chrome reports all of Control, Alt, and AltGraph in the flags for these keys.
BigInt()function and ‘
n‘ suffix on numeric literals, you can safely store and operate on large integers even beyond the safe integer limit for numbers.
- Layout: Formatting contexts will now behave exactly like floats do when they are positioned. In other words, they no longer look at the
shape-outsideproperty of the float for positioning and instead are positioned according to their margin box. The new behavior may be seen in this example by changing the height of the
flexclass. This also affects how new formatting contexts are sized and positioned.
- Loader: Client Hints enable origins to receive device-specific preferences in the HTTP request headers.
Accept-CH-Lifetimeadds a client hint that allow origins to persist their opt-in policy for a specified period so they can receive client hints on navigation requests. Additionally, on the first page load, this feature provides hints for all subresources of the page.
- Streams API:
TransformStreamis part of the Streams API, which is used for creating, composing, and consuming streams of data. It enables transforming data in stream form. It is typically used in a pipe between a
WritableStream. The following example uses TransformStream to decode text received in a streaming response body.
- Shadow DOM: The
<slot>element can now participate in a flat layout tree, with UA style
display: contents. Before this change, applying a CSS selector to a
<slot>element had no effect. Not only is this fixed, but when selectors are applied to a
<slot>element, its children inherit its styles.
- Deprecate HTTP-Based Public Key Pinning: HTTP-Based Public Key Pinning (HPKP) was intended to allow websites to send an HTTP header that pins one or more of the public keys present in the site’s certificate chain. It has very low adoption, and although it provides security against certificate mis-issuance, it also creates risks of denial of service and hostile pinning. To defend against certificate misissuance, web developers should use the
Expect-CTheader, including its reporting function.
Expect-CTis safer than HPKP due to the flexibility it gives site operators to recover from configuration errors, and due to the built-in support offered by a number of CAs.
- Deprecate AppCache on Non-secure Contexts: AppCache over HTTP is deprecated. AppCache is a powerful feature that allows offline and persistent access to an origin. Allowing AppCache to be used over non-secure contexts makes it an attack vector for cross-site scripting hacks.
- Layout: -webkit-box-flex-group, percent values for -webkit-line-clamp, and -webkit-box-lines have been removed
For a full rundown of what’s new, check out the Chrome 67 milestone hotlist.
Chrome 67 also implements 34 security fixes. The following ones were found by external researchers:
- [$3000] High CVE-2018-6123: Use after free in Blink. Reported by Looben Yang on 2018-04-22
- [$5000] High CVE-2018-6124: Type confusion in Blink. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-07
- [$5000] High CVE-2018-6125: Overly permissive policy in WebUSB. Reported by Yubico, Inc on 2018-03-05
- [$N/A] High CVE-2018-6126: Heap buffer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-05-18
- [$TBD] High CVE-2018-6127: Use after free in indexedDB. Reported by Looben Yang on 2018-05-15
- [$TBD] High CVE-2018-6128: uXSS in Chrome on iOS. Reported by Tomasz Bojarski on 2018-05-09
- [$N/A] High CVE-2018-6129: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-01
- [$N/A] High CVE-2018-6130: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-04-30
- [$N/A] High CVE-2018-6131: Incorrect mutability protection in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-27
- [$500] Medium CVE-2018-6132: Use of uninitialized memory in WebRTC. Reported by Ronald E. Crane on 2018-05-04
- [$500] Medium CVE-2018-6133: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-28
- [$500] Medium CVE-2018-6134: Referrer Policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-12-23
- [$1000] Medium CVE-2018-6135: UI spoofing in Blink. Reported by Jasper Rebane on 2018-03-19
- [$1500] Medium CVE-2018-6136: Out of bounds memory access in V8. Reported by Peter Wong on 2018-04-12
- [$2000] Medium CVE-2018-6137: Leak of visited status of page in Blink. Reported by Michael Smith (spinda.net) on 2018-04-21
- [$2000] Medium CVE-2018-6138: Overly permissive policy in Extensions. Reported by François Lajeunesse-Robert on 2018-02-08
- [$2000] Medium CVE-2018-6139: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-24
- [$2000] Medium CVE-2018-6140: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-01
- [$2000] Medium CVE-2018-6141: Heap buffer overflow in Skia. Reported by Yangkang(@dnpushme) & Wanglu of Qihoo360 Qex Team on 2017-12-19
- [$4500] Medium CVE-2018-6142: Out of bounds memory access in V8. Reported by Choongwoo Han of Naver Corporation on 2018-04-28
- [$TBD] Medium CVE-2018-6143: Out of bounds memory access in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-15
- [$500] Low CVE-2018-6144: Out of bounds memory access in PDFium. Reported by pdknsk on 2018-04-02
- [$500] Low CVE-2018-6145: Incorrect escaping of MathML in Blink. Reported by Masato Kinugawa on 2018-01-25
- [$TBD] Low CVE-2018-6147: Password fields not taking advantage of OS protections in Views. Reported by Michail Pishchagin (Yandex) on 2018-03-02
-  Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $32,500 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
Speaking of security, Chrome implements the Web Authentication API, catching up to Firefox 60, the first browser to support the new security standard. The API lets users log into their online accounts using a single device, like a YubiKey, eliminating the need for passwords.
Chrome 66 included a small percentage trial of Site Isolation, which improves the browser’s security and helps mitigate the risks posed by Spectre. Chrome 67 expands this trial “to a larger percentage” of the stable channel’s population.
Google releases a new version of its browser every six weeks or so. Chrome 68 will arrive by mid-July.
Update on March 31: Google today released Chrome 67 for Android as well, but there are no major changes of note.