Google today launched Chrome 69 for Windows, Mac, and Linux, Android, and iOS, just a few days after the browser’s 10-year anniversary. The release includes a new design, more powerful omnibox, updated password manager, more accurate autofill, plenty of developer-specific changes, and a slew of security improvements. You can update to the latest version now using Chrome’s built-in updater, download it directly from google.com/chrome, or grab it from Google Play and Apple’s App Store.
With over 1 billion users, Chrome is a browser as well as a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often must make an effort to stay on top of everything available — as well as what has been deprecated or removed.
New look and new features
Chrome’s new look, based on Material 2 principles, includes more rounded shapes, updated icons, and a new color palette. Prompts and menus have been simplified, while tabs are now shaped to make website icons easier to see. The Material 2 design applies to desktop and mobile, and on iOS the revamp includes moving the toolbar to the bottom “so it’s easy to reach.” Google has even dropped the HTTP/HTTPS protocol designator from the address bar, so URLs no longer start with that prefix.
Speaking of Chrome’s address bar, which Google calls the omnibox, it can now show you answers without having to open a new tab (including rich results on public figures or sporting events, instant answers like the local weather via weather.com, or a translation of a foreign word). If you search for a website in your omnibox, Chrome can now tell you if it’s already open and let you jump straight to it by clicking “Switch to tab.”
Chrome 69 can also more accurately fill in your passwords, addresses, and credit card numbers — all this information is saved to your Google account, accessible directly from the Chrome toolbar. Chrome’s password manager has also been improved: When it’s time to create a new password, Chrome for desktop can now generate a unique password, save it, and make that login available on both your laptop and phone.
It’s also now easier to personalize Chrome. You can create and manage shortcuts to your favorite websites directly from the new tab page (just hit “Add shortcut”) and customize the background of a newly opened tab with your favorite image.
Security fixes and improvements
Chrome 69 also continues Google’s war on HTTP sites.
HTTPS is a more secure version of the HTTP protocol used on the internet to connect users to websites. Secure connections are widely considered a necessary measure to decrease the risk of users being vulnerable to content injection (which can result in eavesdropping, man-in-the-middle attacks, and other data modification). Data is kept secure from third parties, and users can be more confident they are communicating with the correct website.
Google has been pushing the web to HTTPS for years, but it accelerated its efforts last year by making changes to Chrome’s user interface. Chrome 56, released in January 2017, started marking HTTP pages that collect passwords or credit cards as “Not secure.” Chrome 62, released in October 2017, started marking HTTP sites with entered data and all HTTP sites viewed in Incognito mode as “Not secure.” Chrome 68, released in July, marks all HTTP sites as “Not secure” right in the address bar.
Google isn’t stopping there. Now, with the release of Chrome 69, HTTPS sites no longer sport the “Secure” wording:
With the release of Chrome 70, HTTP sites will show a red “Not secure” warning when users enter data:
The plan was always to mark all HTTP sites as “Not secure.” Eventually, Google will change the icon beside the “Not secure” label and make the text red to further emphasize you should not trust HTTP sites:
Chrome 69 also implements 40 security fixes. The following ones were found by external researchers:
- [$5000] High CVE-2018-16065: Out of bounds write in V8. Reported by Brendon Tiszka on 2018-07-26
- [$3000] High CVE-2018-16066:Out of bounds read in Blink. Reported by cloudfuzzer on 2018-05-29
- [$500] High CVE-2018-16067: Out of bounds read in WebAudio. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-07-05
- [N/A] High CVE-2018-16068: Out of bounds write in Mojo. Reported by Mark Brand of Google Project Zero on 2018-08-23
- [N/A] High CVE-2018-16069:Out of bounds read in SwiftShader. Reported by Mark Brand of Google Project Zero on 2018-05-31
- [N/A] High CVE-2018-16070: Integer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-06-01
- [N/A] High CVE-2018-16071: Use after free in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-06-21
- [$4000] Medium CVE-2018-16072: Cross origin pixel leak in Chrome’s interaction with Android’s MediaPlayer. Reported by Jun Kokatsu (@shhnjk) on 2018-07-17
- [$3000] Medium CVE-2018-16073: Site Isolation bypass after tab restore. Reported by Jun Kokatsu (@shhnjk) on 2018-07-12
- [$3000] Medium CVE-2018-16074: Site Isolation bypass using Blob URLS. Reported by Jun Kokatsu (@shhnjk) on 2018-07-13
- [$2500] Medium: Out of bounds read in Little-CMS. Reported by Quang Nguyễn (@quangnh89) of Viettel Cyber Security on 2018-07-18
- [$2000] Medium CVE-2018-16075: Local file access in Blink. Reported by Pepe Vila (@cgvwzq) on 2017-11-27
- [$2000] Medium CVE-2018-16076: Out of bounds read in PDFium. Reported by Aleksandar Nikolic of Cisco Talos on 2018-07-25
- [$1000] Medium CVE-2018-16077: Content security policy bypass in Blink. Reported by Manuel Caballero on 2014-05-27
- [$1000] Medium CVE-2018-16078: Credit card information leak in Autofill. Reported by Cailan Sacks on 2018-06-28
- [$500] Medium CVE-2018-16079: URL spoof in permission dialogs. Reported by Markus Vervier and Michele Orrù (antisnatchor) on 2017-05-17
- [$500] Medium CVE-2018-16080: URL spoof in full screen mode. Reported by Khalil Zhani on 2018-06-29
- [N/A] Medium CVE-2018-16081: Local file access in DevTools. Reported by Jann Horn of Google Project Zero on 2016-11-17
- [N/A] Medium CVE-2018-16082: Stack buffer overflow in SwiftShader. Reported by Omair on 2018-06-11
- [N/A] Medium CVE-2018-16083: Out of bounds read in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-06-26
- [$1000] Low CVE-2018-16084: User confirmation bypass in external protocol handling. Reported by Jun Kokatsu (@shhnjk) on 2018-07-18
- [N/A] Low CVE-2018-16085: Use after free in Memory Instrumentation. Reported by Roman Kuksin of Yandex on 2018-06-26
- [$3000] Medium To be allocated: Insufficient policy enforcement in Payments. Reported by Jun Kokatsu (@shhnjk) on 2018-06-18
-  Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $29,000 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
Other developer features in this release include:
- Canvas: OffscreenCanvas is a new interface that allows 2D and WebGL canvas rendering contexts to be used in Workers. This increases parallelism in web applications and improves performance on multi-core systems. Chrome now also supports DedicatedWorker.requestAnimationFrame(), allowing animation-like events to be triggered the same on dedicated workers as they are in Window.
- DOM: A new method named Element.toggleAttribute() allows toggling the existence of an element’s attribute in a way similar to Element.classList.toggle. An optional force parameter forces addition or deletion of the attribute depending on the value of force. This makes managing boolean attributes much simpler as the interface doesn’t use strings as does Element.setAttribute().
- Fetch API: Request.isHistoryNavigation is a boolean property to request objects to indicate whether a particular request is a history navigation. This allows a service worker to know whether a request was due to a back/forward navigation. An example of how this might be used is that a service worker could respond to such a navigation with a cached response.
- Keyboard Map API: Some applications such as games assign specific functions to specific physical keys. When the interface references these keys it needs to show either the character displayed on the key, which varies by locale, or the character assigned to the key by an alternate keyboard layout that may have been installed by the user. This new API provides a way to translate KeyboardEvent.code values representing physical keys into correct strings for display to the user.
- Loader: Support for the “rtt”, “downlink”, and “ect” client hint values and HTTP request headers have been added to Chrome to convey a device’s network connection speed to servers.
- Querying encryption scheme support through EME: Some platforms or key systems only support AES-128 in CTR mode, while others only support CBCS mode. Still others are able to support both. A new method allows web developers to query whether a specific encryption scheme is supported by Encrypted Media Extensions (EME).
- Mid-ligature text selection: Chrome now allows for text to be selected inside ligatures. (A ligature is a combination of two or more letters in a single symbol.) This includes both mouse selection as well as cursor selection in input and textarea elements.
- Performance: To avoid leaking information between frames, performance.memory values are currently heavily quantized, and delayed by 20 minutes. If the renderer process is locked to documents from a single site, Chrome can expose this information with fewer concerns about leaking information between frames, not returning quantized memory consumption information, delayed by 30 seconds. This allows developers to detect performance regressions from user data more easily because the memory measurements will be more accurate and can be taken more frequently.
- Service workers have two improvements: ServiceWorkerRegistration.update() now resolves to the registration object (previously resolved with undefined), and navigator.serviceWorker now returns undefined (previously threw a SecurityError when accessed on an insecure context).
- The Web Locks API allows scripts running in one tab to asynchronously acquire a lock, hold it while work is performed, then release it. While held, no other script executing in the same origin can acquire the same lock. A lock represents some potentially shared resource, identified by a name chosen by the web app.
- Web Authentication adds support for CTAP2 devices, which provide advanced security capabilities such as biometric authentication and resident keys (keys stored on the device).
- WebRTC has two improvements: Chrome now supports the RTCRtpParameters.headerExtensions dictionary entry which is returned by RTCRtpSender.getParameters() while the RTCRtpSender and RTCRtpReceiver interfaces now provide the getCapabilities() method.
For a full rundown of what’s new, check out the Chrome 69 milestone hotlist.
Chrome turned 10 years old this past Saturday (September 2, 2018). To celebrate, the team has updated the browser’s Offline Dino Game that you can play when you don’t have an internet connection (you can also access the game by typing chrome://dino/ into your address bar). The “birthday edition” of Chrome’s Offline Dino Game will be available through the end of the month.
Google releases a new version of its browser every six weeks or so. Chrome 70 will arrive by mid-October.