Google today launched Chrome 70 for Windows, Mac, and Linux. The release includes an option to disable linking Google site and Chrome sign-ins, Progressive Web Apps on Windows, the ability for users to restrict extensions’ access to a custom list of sites, an AV1 decoder, and plenty more. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.

With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often must make an effort to stay on top of everything available — as well as what has been deprecated or removed.

Fixing Chrome sign-in

The biggest change in this release is probably one where Google is backpedaling. In Chrome 69, Google tried to “simplify” how it handles Google site sign-ins by also signing you into Chrome with the same account. If you sign out, whether from Chrome or from any Google site, you’re signed out of both.

This led to a massive outcry from Chrome users, at least in part because there was concern that the change meant Chrome sync was turned on. While that wasn’t the case (you still had to turn on syncing of data like browsing history, passwords, and bookmarks to make it available on other devices), many still didn’t appreciate Google automatically signing them into Chrome just because they were signed into a Google site.

Chrome 70 thus makes three changes:

  • An option (see above) that allows users to turn off linking web-based sign-in with browser-based sign-in. If you disable this feature, signing into a Google site will not sign you into Chrome.
  • An update to the user interface (see below) to better communicate a user’s sync state.
  • Instead of keeping the Google auth cookies to allow you to stay signed in after cookies are cleared, as Chrome 69 does, the browser will once again delete all cookies.

Sadly, Google still doesn’t get it. All three changes are certainly an improvement, but the first doesn’t address the main problem: The automatic sign-in is still on by default. Chrome users should not have to opt out of automatic sign-in if they use Google sites, but instead opt in if they want the functionality.

PWAs on Windows and AV1 decoder

In addition to trying to fix what it broke, Google has added a slew of new features in Chrome 70. The browser now supports Progressive Web Apps (PWAs) on Windows. These apps can launch from the Start menu, and run like all other installed apps (without an address bar or tabs). Google killed off Chrome apps earlier this year and is now focusing on PWAs instead.

If you’re a developer, you should check out the standard PWA criteria that Chrome will check. If your PWA passes, Chrome will fire the beforeinstallprompt event, which you can add to with prompt().

AV1 is a royalty-free codec developed by the Alliance for Open Media. AV1 improves compression efficiency by more than 30 percent over the codec VP9, which it is meant to succeed.

Chrome 70 adds an AV1 decoder (no encoding capabilities are included) with MP4 as the supported container (ISO-BMFF). You can try it out yourself by going to YouTube’s TestTube page, selecting “Prefer AV1 for SD” or “Always Prefer AV1,” and playing clips from the AV1 Beta Launch Playlist. If you right-click the video and select “Stats for nerds,” you should see the above (note the codec is av01).

Android and iOS

Chrome 70 for Android isn’t out quite yet, but it should arrive soon over on Google Play. Chrome 70 for iOS meanwhile is available on Apple’s App Store, but the changelog isn’t anything too extensive:

  • Bug fixes and design polish for the redesign.
  • Updates to how Chrome launches other apps to improve reliability and security.
  • Fixes to authentication issues caused by using out-of-date cookies. Let us know if you encounter any issues with signing in to or out of websites.

Security fixes and improvements

As promised, Google is cracking down on extensions. Chrome 70 lets users restrict extension host access to a custom list of sites or to configure extensions to require a click for access to the current page.

Host permissions, which allow extensions to automatically read and change data on websites, enable various powerful and creative use cases, but Google says they have also led to a broad range of malicious and unintentional misuses. In later Chrome releases, Google plans to further tweak how its browser handles the user experience around host permissions. If your extension requests host permissions, you should check out the transition guide and make any necessary changes over the next two weeks.

Chrome 70 also continues Google’s war on HTTP sites.

HTTPS is a more secure version of the HTTP protocol used on the internet to connect users to websites. Secure connections are widely considered a necessary measure to decrease the risk of users being vulnerable to content injection (which can result in eavesdropping, man-in-the-middle attacks, and other data modification). Data is kept secure from third parties, and users can be more confident they are communicating with the correct website.

Google has been pushing the web to HTTPS for years, but it accelerated those efforts last year by making changes to Chrome’s user interface. Chrome 56, released in January 2017, started marking HTTP pages that collect passwords or credit cards as “Not secure.” Chrome 62, released in October 2017, started marking HTTP sites with entered data and all HTTP sites viewed in Incognito mode as “Not secure.” Chrome 68, released in July, marks all HTTP sites as “Not secure” right in the address bar, and Chrome 69, released in September, removed the “Secure” wording from HTTPS sites.

Now, with the release of Chrome 70, HTTP sites will show a red “Not secure” warning when users enter data:

The plan was always to mark all HTTP sites as “Not secure.” Eventually, Google will change the icon beside the “Not secure” label and make the text red to further emphasize you should not trust HTTP sites:

Chrome 70 also implements 23 security fixes. The following were found by external researchers:

  • [$N/A][888926] High CVE-2018-17462: Sandbox escape in AppCache. Reported by Ned Williamson and Niklas Baumstark working with Beyond Security’s SecuriTeam Secure Disclosure program on 2018-09-25
  • [$N/A][888923] High CVE-2018-17463: Remote code execution in V8. Reported by Ned Williamson and Niklas Baumstark working with Beyond Security’s SecuriTeam Secure Disclosure program on 2018-09-25
  • [$3500][872189] High CVE to be assigned: Heap buffer overflow in Little CMS in PDFium. Reported by Quang Nguyễn (@quangnh89) of Viettel Cyber Security on 2018-08-08
  • [$3000][887273] High CVE-2018-17464: URL spoof in Omnibox. Reported by xisigr of Tencent’s Xuanwu Lab on 2018-09-20
  • [$3000][870226] High CVE-2018-17465: Use after free in V8. Reported by Lin Zuojian on 2018-08-02
  • [$1000][880906] High CVE-2018-17466: Memory corruption in Angle. Reported by Omair on 2018-09-05
  • [$3000][844881] Medium CVE-2018-17467: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-05-19
  • [$2000][876822] Medium CVE-2018-17468: Cross-origin URL disclosure in Blink. Reported by James Lee (@Windowsrcer) of Kryptos Logic on 2018-08-22
  • [$1000][880675] Medium CVE-2018-17469: Heap buffer overflow in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-09-05
  • [$1000][877874] Medium CVE-2018-17470: Memory corruption in GPU Internals. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-08-27
  • [$1000][873080] Medium CVE-2018-17471: Security UI occlusion in full screen mode. Reported by Lnyas Zhang on 2018-08-10
  • [$1000][822518] Medium CVE-2018-17472: iframe sandbox escape on iOS. Reported by Jun Kokatsu (@shhnjk) on 2018-03-16
  • [$500][882078] Medium CVE-2018-17473: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-09-08
  • [$500][843151] Medium CVE-2018-17474: Use after free in Blink. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-05-15
  • [$500][852634] Low CVE-2018-17475: URL spoof in Omnibox. Reported by Vladimir Metnew on 2018-06-14
  • [$500][812769] Low CVE-2018-17476: Security UI occlusion in full screen mode. Reported by Khalil Zhani on 2018-02-15
  • [$500][805496] Low CVE-2018-5179: Lack of limits on update() in ServiceWorker. Reported by Yannic Bonenberger on 2018-01-24
  • [$N/A][863703] Low CVE-2018-17477: UI spoof in Extensions. Reported by Aaron Muir Hamilton <aaron@correspondwith.me> on 2018-07-14
  • [895893] Various fixes from internal audits, fuzzing and other initiatives

Google thus spent at least $22,000 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.

Developer features

Chrome 70 implements the Shape Detection API (available through a Chrome origin trial), which lets developers identify faces, barcodes, and text in images “without the use of a performance-killing library.” The API really consists of three APIs: a Face Detection API, a Barcode Detection API, and a Text Detection API. Given an image bitmap or a blob, the Face Detection API returns the location of faces and the locations of eyes, noses, and mouths within those faces (you can limit the number of returned faces and prioritize speed over performance). The Barcode Detection API decodes barcodes and QR codes into strings (anything from a single set of digits to multi-line text). The Text Detection API reads Latin-1 text (as per iso8859-1) in images.

The Web Authentication API now enables macOS’ TouchID and Android’s fingerprint sensor by default. These allow developers to access biometric authenticators through the Credential Management API‘s PublicKeyCredential type.

Chrome 70 updates the V8 JavaScript engine to version 7.0. It includes embedded builtins on more platforms, a preview of WebAssembly Threads, and new JavaScript language features. Check out the full list of changes for more information.

Other developer features in this release include:

  • Displaying a dialog causes pages to lose fullscreen: Dialog boxes, specifically authentication prompts, payments, and file pickers require context for users to make decisions. Fullscreen, by definition is immersive, and removes the context that a user needs to make a decision. Chrome now exits full screen whenever a page shows a dialog box.
  • Add referrerpolicy support to <script> elements: Many resource-fetching elements have support for the referrerpolicy attribute, which lets developers provide a keyword to influence the value of the Referer HTTP header that accompanies a request. The <link> element already has support for this, so it is technically possible to preload a script with a developer-set referrer policy. Starting in this version of Chrome, the <script> element supports the referrerpolicy as well.
  • Change for the <rp> element: The default style of the <rp> element is changed to display:none instead of display:inline even if it is not inside the <ruby> element as defined in the HTML specification. This behavior is implemented in the user agent stylesheet, but the web author can override it.
  • Intervention Reports: An intervention is when a user agent does not honor an application request for security, performance, or annoyance reasons. With this change, Chrome can be configured to send intervention and deprecation messages to your servers using the Report-To HTTP Response header field and surface them in the ReportingObserver interface. This is the first of several proposed uses for the Report-To header. Follow these links to learn more about the header and the interface.
  • Support codec and container switching with MSE using SourceBuffer.changeType(): This change adds the SourceBuffer.changeType() method to improve cross-codec or cross-bytestream transitions during playback with Media Source Extensions.
  • Support Opus in mp4 with Media Source Extensions: Opus is an audio codec already supported by the HTML5 src attribute on <url> elements. It is now supported by Media Source Extensions.
  • ‘name’ attribute for dedicated workers: Dedicated workers now have a name attribute, which is specified by an optional argument on the worker’s constructor. This lets you distinguish dedicated workers by name when you have multiple workers with the same URL. Developers can print name in the DevTools console which will make it easier to debug workers. When the name parameter is omitted, an empty string is used as the default value. For more information, see the discussion on GitHub.
  • ontouch* APIs default to disabled on desktop: To avoid confusion on touch feature detection, ontouch* members on window, document, and element are disabled by default on desktop (Mac, Windows, Linux, ChromeOS). Note that this is not disabling touches, and usage such as addEventListener("touchstart", ...) is not affected.
  • Options dictionary for postMessage methods: An optional PostMessageOptions object has been added as an argument to postMessage() for 6 of the 7 interfaces where it’s supported, specifically, DedicatedWorkerGlobalScope, MessagePort, ServiceWorker, ServiceWorker.Client, Window, and Worker. This gives the function a similar interface on its definitions and allows it to be extended in the future. Because broadcastChannel.postMessage() doesn’t take additional arguments (such as transfer) it is not being changed.
  • RTCPeerConnection.getConfiguration(): This  getConfiguration() was implemented according to the WebRTC 1.0. Specifically it returns the last configuration applied via setConfiguration(), or if setConfiguration() hasn’t been called, the configuration the RTCPeerConnection was constructed with.
  • Symbol.prototype.description: A description property is being added to Symbol.prototype to provide a more ergonomic way of accessing the description of a Symbol. Previously, the description could only be accessed indirectly through Symbol.protoype.toString().
  • TLS 1.3: TLS 1.3 is an overhaul of the TLS protocol with a simpler, less error-prone design that improves both efficiency and security. The new design reduces the number of round-trips required to establish a connection and removes legacy insecure options, making it easier to securely configure a server. It additionally encrypts more of the handshake and makes the resumption mode more resilient to key compromise.
  • Update behavior of CSS Grid Layout percentage row tracks and gutters: Percentage row tracks and gutters in grid containers now have indefinite heights. Previously, these were behaving similarly to percentage heights in regular blocks, but the CSS Working Group has resolved to make them behave the same as for columns, making them symmetric. Percentages are now ignored when computing intrinsic height and resolved afterwards against that height. That way both column and row axes will have symmetric behavior to resolve percentages tracks and gutters.
  • Web Bluetooth available on Windows 10: Web Bluetooth allows websites to communicate over GATT with nearby user-selected Bluetooth devices in a secure and privacy-preserving way. In Chrome 56, this shipped on Android, ChromeOS, and macOS. In Chrome 70 it is shipping on Windows 10. For earlier versions of Windows and Linux, it is still behind a flag (chrome://flags/#enable-experimental-web-platform-features).
  • WebUSB on Dedicated Workers: WebUSB is enabled inside dedicated workers. This allows developers to perform heavy I/O and processing of data from a USB device on a separate thread to reduce the performance impact on the main thread.

For a full rundown of what’s new, check out the Chrome 70 milestone hotlist.

Google releases a new version of its browser every six weeks or so. Chrome 71 will arrive by early December.