Google today launched Chrome 75 for Windows, Mac, Linux, Android, and iOS. The release includes hint for low latency canvas contexts, files supported in the Web Share API, numeric separators, and more developer features. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.
With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often have to stay on top of everything available — as well as what has been deprecated or removed.
Android and iOS
Chrome 75 for Android is rolling out slowly on Google Play. The changelog is all about passwords:
- Generate strong and unique passwords with Chrome’s built-in password manager.
- Quickly look up your passwords by tapping any password field and using the new keyboard option.
Chrome 75 for iOS is also slowly rolling out on Apple’s App Store. It includes two improvements:
- To protect your privacy, links that are clicked in Incognito mode will no longer open native applications.
- Custom search engine settings now show the search engine’s icon.
Chrome 75 is not a major mobile release.
Chrome 75 implements 42 security fixes. The following were found by external researchers:
- [$5000] High CVE-2019-5828: Use after free in ServiceWorker. Reported by leecraso of Beihang University and Guang Gong of Alpha Team, Qihoo 360 on 2019-04-25
- [$500] High CVE-2019-5829: Use after free in Download Manager. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2019-05-01
- [$TBD] Medium CVE-2019-5830: Incorrectly credentialed requests in CORS. Reported by Andrew Krasichkov, Yandex Security Team on 2016-11-16
- [$TBD] Medium CVE-2019-5831: Incorrect map processing in V8. Reported by yngwei(JiaWei, Yin) of IIE Varas and sakura of Tecent Xuanwu Lab on 2019-04-07
- [$TBD] Medium CVE-2019-5832: Incorrect CORS handling in XHR. Reported by Sergey Shekyan (Shape Security) on 2019-05-03
- [$N/A] Medium CVE-2019-5833: Inconsistent security UI placement. Reported by Khalil Zhani on 2019-03-23
- [$N/A] Medium CVE-2019-5834: URL spoof in Omnibox on iOS. Reported by Khalil Zhani on 2019-05-13
- [$1000] Medium CVE-2019-5835: Out of bounds read in Swiftshader. Reported by Wenxiang Qian of Tencent Blade Team on 2019-03-07
- [$1000] Medium CVE-2019-5836: Heap buffer overflow in Angle. Reported by Omair on 2019-03-29
- [$500] Medium CVE-2019-5837: Cross-origin resources size disclosure in Appcache . Reported by Adam Iwaniuk on 2018-12-30
- [$500] Low CVE-2019-5838: Overly permissive tab access in Extensions. Reported by David Erceg on 2018-10-08
- [$500] Low CVE-2019-5839: Incorrect handling of certain code points in Blink. Reported by Masato Kinugawa on 2019-01-26
- [$N/A] Low CVE-2019-5840: Popup blocker bypass. Reported by Eliya Stein, Jerome Dangu on 2019-04-11
-  Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $9,000 in bug bounties for this release, which is easily the lowest amount in years. As always, the security fixes alone should be enough incentive for you to upgrade.
canvas.getContext() method now supports a desynchronized hint, which provides a low-latency alternative to the now-deprecated NaCl/PPAPI solution. To use the new solution, which requires either 2D or WebGL context types, pass
desynchronized: true in the options parameter of
canvas.getContext() and specify
WebGL2RenderingContext, or a 65
WebGL2ComputeRenderingContext as the context type.
Next, files are now supported by the Web Share API. For years, Google has been working to bring native sharing capabilities to the web. The Web Share API allows web apps to invoke the same share dialog box as a native app. The implementation brings a new method and a new
Numeric literals now allow underscores (
U+005F) as separators to make them more readable. Underscores can only appear between digits, and consecutive underscores are not allowed.
Other developer features in this release include:
- Allow PaymentRequest.show() to take optional detailsPromise: The
detailsPromiseargument is a way to signal that the browser should show a spinner or equivalent and wait on allowing user interaction until an update. Some users may not know the total or the number of line items at the time of attempting to open the payment sheet with
- Animation improvements: The new
Animation()constructor gives developers more control over the created animation by using the exact
KeyframeEffectallow a developer interactive control over the target (the element being animated) and the timing properties (duration, delay, etc.).
- AppCache: Cross-origin resource size padding: For quota accounting purposes, the size of cross-origin
AppCacheresources are now padded. Cross-origin resources are resources whose origin differs from the manifest’s origin. The padding size will be a random number between 0 and about 14MB. Quota accounting purposes include the size reported by the Quota API and quota enforcement. An origin’s storage API calls are blocked when the origin exceeds its quota.
- CSP: `script-src-attr`, `script-src-elem`, `style-src-attr`, `style-src-elem` provide the functionality of the script/style directive but with more granularity, applying to elements or attributes.
- HTMLVideoElement.playsInline: This is a hint a website may provide to a user agent to display a video content within the element’s playback area. MediaStreamTrack.getCapabilities() support for audio device-related constrainable properties.
MediaStreamTrack.getCapabilities()now returns the device-related capabilities of the source associated with a
MediaStreamTrack, specifically sample size, sample rate, latency, and channel count. There is also a variant
InputDeviceInfo.getCapabilities(), available in the results of
MediaDevices.enumerateDevices(). These devices are used as sources for
getCapabilities()in this case returns the same values as
- noreferrer attribute for window.open(): Allows a web page to use
window.open()without leaking referrer information by leaving the referrer header out of page navigations.
- Web RTC improvements: RTCDtlsTransport provides information about active transports. RTCIceTransport provides information about the state of the ICE transports used by
RTCPeerConnectionto send and receive media to another endpoint.
- Service workers now appear in Chrome’s Task Manager.
- The new
stale-while-revalidateresponse directive is used by the
Cache-Controlheader to define an extra window of time during which a user agent can use a stale asset during asynchronous revalidation. The revalidation of such assets bypasses the service worker. This change improves subsequent page load latencies by keeping stale assets out of the critical path.
- FIDO CTAP2 PIN support: This feature extends Chrome’s implementation of the Web Authentication API to support local user authorization of security key operations via a user-defined PIN for keys that implement the FIDO CTAP2 protocol. Web sites using web authentication can request or require such authorization via the API’s user verification mechanisms.
- To conform to the specification,
FetchEvent.respondWith()can now be called during the microtask checkpoint at the end of event dispatch. Previously, this would throw an
For a full rundown of what’s new, check out the Chrome 75 milestone hotlist.
Google releases a new version of its browser every six weeks or so. Chrome 76 will arrive by the end of July.