Google today launched Chrome 77 for Windows, Mac, Linux, Android, and iOS. The release includes new performance metrics, form capabilities, and Origin Trials. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.
With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often have to stay on top of everything available — as well as what has been deprecated or removed. Chrome 77, for example, removes credit card issuer networks as payment method names (like “amex,” “mastercard,” and “visa”).
Performance metrics, forms, and Origin Trials
Google is obsessed with speeding up the web, and Chrome is its main tool for doing so. Chrome 77 introduces two new performance metrics to help developers measure how quickly the main content of a web page loads and is made visible to users.
The first addition is Largest Contentful Paint, which attempts to provide more meaningful data by using the largest content element as a proxy for when the main content of the page is likely visible to users.
The second is the PerformanceEventTiming interface, which provides timing information about the latency of the first discrete user interaction. Specifically, Chrome measures for a key down, mouse down, click, or the combination of pointer down and pointer up. This is a subset of the EventTiming API but can be exposed in advance to help measure and optimize responsiveness.
Chrome 77 has also added two new features that support custom form controls. The
FormData object containing the data being submitted, which can now be modified.
Lastly, Chrome 77 also introduces Origin Trials that let you to try new features and provide feedback on usability, practicality, and effectiveness to the web standards community. The first new feature is the Contact Picker API, an on-demand picker that lets users select entries from their contact list and share limited details of the selected entries with a website.
Chrome 77 includes site isolation improvements to protect cross-site data, such as cookies and HTTP resources, in attacker-controlled websites. Site isolation will also now be enabled on some Android devices for sites where mobile users enter passwords.
IT admins can now define the URL of an XML file that will never trigger a browser switch using the BrowserSwitcherExternalGreylistUrl policy. There’s also a new chrome://browser-switch/internals page for verifying that Legacy Browser Support rules are being followed.
Chrome 77 also has an updated first-run experience to set up new users with popular Google services (Gmail, YouTube, Google Maps, Google News, and Google Translate). It also prompts you to set Chrome as the default browser. You can disable the new flow with the PromotionalTabsEnabled policy.
The new version also lets you launch guest browsing by default using the
--guest command line flag or the new BrowserGuestModeEnforced policy. With guest browsing, browsing activity is not written to the disk and does not persist between browser sessions.
Android and iOS
Chrome 77 for Android is rolling out slowly on Google Play, but the full changelog isn’t up yet.
Chrome 77 for iOS is rolling out on Apple’s App Store. It includes four improvements:
- A new language settings page, giving you more control over which languages Chrome offers translations for.
- You can clear your browsing data from a specific range of time, like the past hour or past day.
- Omnibox suggestions are easier to read with added thumbnails and icons.
Ensuring only languages you don’t understand are translated should be handy for polyglots. For everyone else, there’s more granular controls for clearing browser data.
Chrome 77 implements 52 security fixes. The following were found by external researchers:
- [$TBD] Critical CVE-2019-5870: Use-after-free in media. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-08-29
- [$7500] High CVE-2019-5871: Heap overflow in Skia. Reported by Anonymous on 2019-08-03
- [$3000] High CVE-2019-5872: Use-after-free in Mojo. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 on 2019-07-05
- [$3000] High CVE-2019-5873: URL bar spoofing on iOS. Reported by Khalil Zhani on 2019-07-31
- [$3000] High CVE-2019-5874: External URIs may trigger other browsers. Reported by James Lee (@Windowsrcer) on 2019-08-01
- [$2000] High CVE-2019-5875: URL bar spoof via download redirect. Reported by Khalil Zhani on 2019-06-28
- [$TBD] High CVE-2019-5876: Use-after-free in media. Reported by Man Yue Mo of Semmle Security Research Team on 2019-08-23
- [$TBD] High CVE-2019-5877: Out-of-bounds access in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-08-29
- [$TBD] High CVE-2019-5878: Use-after-free in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-09-03
- [$3000] Medium CVE-2019-5879: Extension can bypass same origin policy. Reported by Jinseo Kim on 2019-07-20
- [$2000] Medium CVE-2019-5880: SameSite cookie bypass. Reported by Jun Kokatsu (@shhnjk) on 2018-04-11
- [$2000] Medium CVE-2019-5881: Arbitrary read in SwiftShader. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 on 2019-07-03
- [$1000] Medium CVE-2019-13659: URL spoof. Reported by Lnyas Zhang on 2018-07-30
- [$1000] Medium CVE-2019-13660: Full screen notification overlap. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-09-10
- [$1000] Medium CVE-2019-13661: Full screen notification spoof. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-09-11
- [$1000] Medium CVE-2019-13662: CSP bypass. Reported by David Erceg on 2019-05-28
- [$500] Medium CVE-2019-13663: IDN spoof. Reported by Lnyas Zhang on 2018-07-14
- [$500] Medium CVE-2019-13664: CSRF bypass. Reported by thomas “zemnmez” shadwell on 2018-12-16
- [$500] Medium CVE-2019-13665: Multiple file download protection bypass. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-05-05
- [$500] Medium CVE-2019-13666: Side channel using storage size estimate. Reported by Tom Van Goethem from imec-DistriNet, KU Leuven on 2019-05-07
- [$500] Medium CVE-2019-13667: URI bar spoof when using external app URIs. Reported by Khalil Zhani on 2019-06-11
- [$500] Medium CVE-2019-13668: Global window leak via console. Reported by David Erceg on 2019-07-22
- [$N/A] Medium CVE-2019-13669: HTTP authentication spoof. Reported by Khalil Zhani on 2019-05-30
- [$N/A] Medium CVE-2019-13670: V8 memory corruption in regex. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-07-03
- [$TBD] Medium CVE-2019-13671: Dialog box fails to show origin. Reported by xisigr of Tencent’s Xuanwu Lab on 2017-02-27
- [$TBD] Medium CVE-2019-13673: Cross-origin information leak using devtools. Reported by David Erceg on 2019-08-26
- [$500] Low CVE-2019-13674: IDN spoofing. Reported by Khalil Zhani on 2018-10-18
- [$500] Low CVE-2019-13675: Extensions can be disabled by trailing slash. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-07
- [$TBD] Low CVE-2019-13676: Google URI shown for certificate warning. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-08-17
- [$TBD] Low CVE-2019-13677: Chrome web store origin needs to be isolated. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-03-06
- [$TBD] Low CVE-2019-13678: Download dialog spoofing. Reported by Ronni Skansing on 2019-03-27
- [$TBD] Low CVE-2019-13679: User gesture needed for printing. Reported by Conrad Irwin, Superhuman on 2019-05-31
- [$TBD] Low CVE-2019-13680: IP address spoofing to servers. Reported by Thijs Alkemade from Computest on 2019-06-03
- [$TBD] Low CVE-2019-13681: Bypass on download restrictions. Reported by David Erceg on 2019-06-04
- [$TBD] Low CVE-2019-13682: Site isolation bypass. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-06-07
- [$TBD] Low CVE-2019-13683: Exceptions leaked by devtools. Reported by David Erceg on 2019-07-25
-  Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $33,500 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
Other developer features in this release include:
- Enter Key Hint: The
enterkeyhintcontent attribute is an enumerated attribute for
<form>elements that specifies what action label (or icon) to present as the enter key on virtual keyboards. This allows authors to customize the presentation of the enter key to make it more helpful for users. The attribute takes one of
- Feature Policy Control over Document.domain: The document-domain policy governs access to document.domain. It is enabled by default, and, if disabled, attempting to set
document.domainwill throw an error.
- Layout Instability Monitoring: Adds the
LayoutShiftinterface to the Performance API, allowing developers to monitor changes to a DOM element’s on-screen position.
- Limit the “referer” Header’s Length to 4kB: Strips the
refererheader down to an origin when it’s size exceeds 4kB.
- Limit registerProtocolHandler() url Argument to http/https: The
registerProtocolHandler()now only accepts URLs with http or https schemas.
- New Features for Intl.NumberFormat: This change improves
Intl.NumberFormatby adding support for measurement units, currency and sign display policies, and scientific and compact notation.
- Overscroll Behavior Logical Longhands: Adds CSS
flow-relativeproperties for controlling overscroll behavior through logical dimensions.
flow-relativeproperties are those that are interpreted relative to the flow of content. The new properties are
- PerformanceObserverInit Buffered Flag: Adds a
PerformanceObservercan receive entries created before the call is executed.
- RTCPeerConnection.onicecandidateerror adds the
incecandidateerrorevent which provides detailed information about WebRTC ICE candidate gathering failures, including the ones defined by STUN (RFC5389) and TURN (RFC5766).
- RTCPeerConnection.restartIce() adds a method for triggering an ICE restart which causes a WebRTC connection to try to reconnect. This feature is already available in Chrome by passing the
restartIce()is a version of this method that works regardless of
- Preserve Request Priorities through Service Worker: Preserves a request’s original priority when it passes through a service worker. Previously, all requests going through a service worker would get “High” priority.
- Service Workers Support Basic HTTP Authentication: Displays HTTP authentication dialog boxes even if the request was from a service worker. This shows the native login dialog shown when an HTTP 401 response is received.
- Stop Action for Media Sessions: Adds
MediaSessionActionfor calls to
MediaSession.setActionHandler(). An action is an event tied specifically to a common media function such as pause or play. The
stopaction handler is called when the site should stop the playback and clear the state if appropriate.
- Web Payments: Throw a TypeError on Invalid “basic-card” Data. The
PaymentRequestconstructor now throws a
supportedTypesare specified for basic card payment.
For a full rundown of what’s new, check out the Chrome 77 milestone hotlist.
Google releases a new version of its browser every six weeks or so. Chrome 78 will arrive by the end of October.