Posted on April 4, 2017
Google just released the Chrome 58 browser for Windows, Linux and Mac OSX, and we just deployed it to our cross-browser testing cloud. You can start testing your websites in this new browser version already.
Try Chrome 58 in Browserling now!
Key changes in Chrome 58
- IndexedDB 2.0.
- Workers and SharedWorkers in data-URLs.
- Useful actions like "Find in page" available in apps that open web pages using Chrome. (Android)
- More frequently updated article suggestions on the New Tab page. (Android)
- Use recently visited search engines as your default search engine. (Android)
- See Physical Web suggestions, based on your surroundings, in the address bar. (Android)
- Stability improvements, bug fixes and performance improvements. (Android and iOS)
Developer features and updates in Chrome 58
- Security: allow-top-navigation-by-user-activation <iframe sandbox> keyword - Adds a new keyword named "allow-top-navigation-by-user-activation" for iframe sandbox, which requires a user activation (or gesture) to be in progress before a top-level navigation can be triggered. This change enables more use cases for sandboxing untrusted third-party content (e.g., ads) by allowing top navigation while blocking malicious auto-redirects, and thus helps build a safer internet (e.g., a safer ads ecosystem in which all ads could be sandboxed to prevent unexpected malicious behaviors like.
- DOM: <abbr> and <acronym> have underline by default - A dotted underline has been added by default according to the HTML standard.
- Multimedia: Allowing autoplay unmuted in WebAPK manifest scope - In WebAPK mode, frames that are within the WebAPK manifest scope will be allowed to autoplay media unmuted.
- CSS: Deprecate classes - CSS class names Apple-interchange-newline, Apple-converted-space, Apple-paste-as-quotation, Apple-style-span, and Apple-tab-span are now deprecated, as these non-standard CSS classes are used to differentiate the span elements added by Blink itself in editing.
- User input: ClipboardEvent Constructor - ClipboardEvent constructor is now exposed.
- Misc: Create Workers from data: URLs - HTML specifies that data: URLs can be used to create workers with opaque origins. We should support this as a first step towards defining a sandboxing mechanism for Workers (and parity with other browsers).
- Deprecate and Remove case-insensitive matching for usemap attribute - "Compatibility caseless" had been applied to usemap attribute matching. The specification was updated so that case-sensitive matching is applied. A deprecation warning is printed to the console starting in Chrome 57.
- DOM: Deprecate and Remove: setting Event.cancelBubble to false - Setting cancelBubble to true is considered as an alias to stopPropagation(), and the spec indicates setting cancelBubble to false should do nothing.
- DOM: Geometry interfaces added - Several geometry interfaces for the representation of points, rectangles, quadrilaterals and transformation matrices with the dimension of 3x2 and 4x4. SVGPoint, SVGRect and SVGMatrix will be aliased to new interfaces. Their old methods will be maintained and some new methods are introduced. In the near future, CSS transform will be updated so they can work directly with the new objects. This avoids parsing on the JS side.
- DOM: input element: selectionDirection, selectionStart, and selectionEnd attribute getters should not throw - For input types which don't support the text selection API, we have thrown InvalidStateError. The specification was changed so that null is returned in such cases.
- Offline/Storage: IndexedDB 2 added - IndexedDB 2.0 introduces a few APIs that optimize some database access patterns and improve programming ergonomics. Chrome will support the full standard by shipping the following features: support for binary keys, object store and index renaming, getKey() on IDBObjectStore, getPrimaryKey() on IDBIndex.
- Offline/Storage: IndexedDB: deprecate webkitGetDatabaseNames - The API asynchronously returns a list of existing database names in an origin, which seemed sensible enough. The design is flawed, in that the results may be obsolete as soon as they are returned, so it can really only be used for logging, not serious application logic. Not implemented in other browsers.
- DOM: Legacy caller for HTMLEmbedElement and HTMLObjectElement removed - An interface having a legacy caller means that an instance can be called as a function. This used to be the case for HTMLEmbedElement and HTMLObjectElement but is being removed. Calling will instead throw an exception. This was deprecated in Chrome 57.
- JavaScript: Long Task API - A performance API to enable applications to detect presence of "long tasks" that monopolize the UI thread for extended periods of time and block other critical tasks from being executed - e.g. reacting to user input.
- User input: Mouse on Android stops firing TouchEvents - A mouse on an Android M (or later) device: (a) will no longer fire TouchEvents, and (b) will fire a consistent sequence of MouseEvents with appropriate buttons & other properties. Before this change, low-level mouse events in Android reached Blink as touch events, and so fired a touch event followed by a compat mouse event if the touch event went uncanceled.
- Multimedia: Native media controls customization - We propose extending the "controls" attribute of the HTMLMediaElement so that the website could enable/disable certain media controls without having to implement all the controls on its own. A "controlsList" property will be added reflecting the current value of "controls" similar to the "class" and "classList" on HTMLElement.
- Network/Connectivity: Offline Previews - When users are on slow connections, Chrome will show an offline copy of a page if there is an offline version of the page available on the user's device. Users will see a message at the bottom of their screens that allows them to load the original page. If Chrome determines the network has 2G speeds and there's an offline page stored, Chrome shows the offline page. Chrome's offline pages are based on MHTML snapshots.
- Multimedia: Pause autoplaying muted video by attribute when invisible on Android - As a muted video with the autoplay attribute only starts playing when it becomes visible, it's reasonable to pause it when invisible to reduce power usage.
- User input: PointerEvent.getCoalescedEvents - An API to return all the coalesced events of the received events in JavaScript. This API enables apps such as drawing apps to draw smoother curves using the precise history of points.
- Security: Remove EME from Unsecure Contexts - Chrome team is deprecating and then removing EME from insecure contexts. EME is a powerful feature that exposes DRM implementations that involve access to persistent unique identifiers, are not open source, and/or run unsandboxed or with privileged access. The risks are increased when exposed via insecure HTTP, because they could be attacked by anyone on the channel. This was deprecated in Chrome 44.
- Security: Deprecate Insecure usage of Notifications - Remove access to the Notifications API on insecure origins. This will prevent sites from requesting notification permission or creating non-persistent local notifications over HTTP. Sites using the Notification API for web push must already be on secure origins due to the requirement for a service worker. Removal is anticipated in Chrome 61.
- Security: Remove pre-standard ChaCha20-Poly1305 ciphers - In 2013, Chrome 31 deployed new TLS cipher suites based on Prof. Dan Bernstein's ChaCha20 and Poly1305 algorithms. This was later standardized, with small tweaks, at the IETF as RFC 7539 and RFC 7905. We shipped the standardized variant early in 2016 with Chrome 49. We are now removing the pre-standard variants.
- Security: Deprecate content initiated top frame navigations to data URLs - Chrome team intends to block web pages from loading data: URLs in the top frame using <A> tags, window.open, window.location and similar mechanisms. Pseudo URLs such as data: are generally a source of confusion for users. Because of their unfamiliarity, these schemes are widely being used in spoofing and phishing attacks. Users browsing the web ideally should only ever end up on the two well known schemes (http and https). Deprecated in M58; removal in M60.
- DOM: Selection API: addRange() ignores additional ranges - In a case where the document already has a text selection and Selection.addRange() is called, Blink merges the Range and the existing text selection into one if they overlap, and does nothing otherwise. We'll change it so that Blink always ignores the Range. This matches Edge.
- DOM: Selection API: getRangeAt() returns a Range registered by addRange() - Blink had a bug where getRangeAt() always returned a new Range with position normalization. It didn't match Edge, Firefox, or the Selection API specification.
- DOM: Selection API: removeRange() function - Selection interface should support removeRange() function to remove the specified Range.
- DOM: Selection API: setBaseAndExtent() throws IndexSizeError for too large offsets - setBaseAndExtent() silently clamped too large offset values. IndexSizeError should be thrown for such values to match Firefox, Edge, and the specification.
- DOM: Selection API: setBaseAndExtent(), extend(), and collapse() throw InvalidNodeTypeError for DOCTYPE - These functions silently normalized the specified position with DOCTYPE. However, they should throw InvalidNodeTypeError to match Edge, Firefox, and the specification.
- DOM: Ship PointerEvent.tangentialPressure and PointerEvent.twist - Adding support of tangentialPressure and twist attributes in the pointer events API on Mac. They are supported by some stylus devices and are already used in numerous painting apps.
- Network/Connectivity: Streams API: WritableStream - WritableStream is part of the Streams API for creating, composing, and consuming streams of data. It is the writable counterpart to ReadableStream, which is already shipping in Chrome. It provides a standard abstraction for writing streaming data to a sink, with built-in backpressure and queuing. This is expected to be on by default in Chrome 59.
- Security: Strict Secure Cookies - This adds restrictions on cookies marked with the 'Secure' attribute. Currently, Secure cookies cannot be accessed by insecure (e.g. HTTP) origins. However, insecure origins can still add Secure cookies, delete them, or indirectly evict them. This feature modifies the cookie jar so that insecure origins cannot in any way touch Secure cookies. This does leave a carve out for cookie eviction, which still may cause the deletion of Secure cookies, but only after all non-Secure cookies are evicted.
- Network/Connectivity: Remove support for commonName matching in Certificates - RFC 2818 describes two methods to match a domain name against a certificate - using the available names within the subjectAlternativeName extension, or, in the absence of a SAN extension, falling back to the commonName. The fallback to the commonName was deprecated in RFC 2818 (published in 2000), but support still remains in a number of TLS clients, often incorrectly.
- JavaScript: Trailing comma in JavaScript function parameter lists - A small modification to JavaScript syntax allows a trailing comma in formal parameter lists and in argument lists. For example, all the following become valid:
    function f(a, b,) { return a + b }
    let g = (a, b,) => a + b
    f(1, 2,) + g(3, 4,)
  This is expected to be available by default in Chrome 58.
- Multimedia: Remove VTTRegion-related bits of TextTrack - The interface elements regions, addRegion() and removeRegion() have been removed from the WebVTT spec and will be removed from Chrome. The VTTCue.region property was added and the VTTRegion interface was updated to match a late version of the specification.
- Multimedia: WebAudio: Add buffering/latency hint via playbackCategory - Currently, WebAudio will use the lowest latency possible for the audio device for the best interactive behavior. However, for some use-cases such as media playback, this causes unnecessary power and/or CPU utilization. The playbackCategory is a hint from the developer that such a latency is not required, allowing the developer to give a hint on the desired latency. Chrome will make the actual selection based on the category.
- Multimedia: WebAudio: AudioBuffer constructor only takes one argument - Currently the AudioBuffer constructor takes two arguments: the context, and the AudioBufferOptions. The context argument is removed so that only AudioBufferOptions is required. In addition the sampleRate member of AudioBufferOptions is now required.
- Multimedia: WebAudio: Remove AudioSourceNode interface - Remove the AudioSourceNode interface. This interface is not part of the WebAudio specification, is not constructible, and has no attributes so it basically has no user-accessible functionality.
- Security: XSS Auditor violation report MIME type - The XSS Auditor's violation reports are now sent with a MIME type of application/xss-auditor-report (as opposed to application/json).
- CSS: color-gamut media query - Expose the approximate range of colors supported by the user agent and the output device in a CSS Media Query.
- CSS: display: flow-root - display: flow-root generates a block container box, and lays out its contents using flow layout. It always establishes a new block formatting context for its contents.
- DOM: Remove webkitdropzone global attribute - The dropzone global attribute was introduced by the HTML5 drag and drop specification as a declarative method for specifying an HTML element's willingness to be the target of a drag-and-drop operation, the content types that can be dropped onto the element, and the drag-and-drop operation (copy/move/link). No browser has implemented the unprefixed version. Blink and WebKit implement a prefixed form of the attribute, webkitdropzone. We would like to remove the prefixed attribute.
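The commonName removal described in the list above, as an added example (not Chrome's code): a simplified model of RFC 2818 name matching that flags which hosts in an inventory validate only through the commonName fallback. The certificate objects, host names and function names are constructed for illustration, and only dNSName entries are modelled.

```javascript
// Added example: RFC 2818-style name matching with and without the
// commonName fallback. Certificates are plain objects (constructed sample
// data, dNSName entries only), not parsed X.509.

// Compare one certificate name against the requested host. A "*" is honoured
// only as the whole leftmost label and covers exactly one label.
function matchesName(pattern, host) {
  const p = pattern.toLowerCase().split(".");
  const h = host.toLowerCase().split(".");
  if (p.length !== h.length) return false;
  return p.every((label, i) => (i === 0 && label === "*") || label === h[i]);
}

// allowCnFallback=true is the legacy behaviour: commonName is consulted only
// when the certificate has no subjectAlternativeName entries at all.
function verifyHost(cert, host, allowCnFallback) {
  const sans = cert.sanDns || [];
  if (sans.length > 0) return sans.some((name) => matchesName(name, host));
  if (!allowCnFallback || !cert.commonName) return false;
  return matchesName(cert.commonName, host);
}

// Hosts whose certificate validates only through the commonName fallback,
// i.e. the ones that need reissuing with a SAN.
function needsSan(inventory) {
  return inventory
    .filter(({ cert, host }) =>
      verifyHost(cert, host, true) && !verifyHost(cert, host, false))
    .map(({ host }) => host);
}

const inventory = [ // constructed sample data
  { host: "intranet.example.test", cert: { commonName: "intranet.example.test", sanDns: [] } },
  { host: "www.example.test", cert: { commonName: "example.test", sanDns: ["example.test", "www.example.test"] } },
  { host: "api.example.test", cert: { commonName: "ignored", sanDns: ["*.example.test"] } },
  { host: "old.example.test", cert: { commonName: "old.example.test", sanDns: ["new.example.test"] } },
];

console.log(needsSan(inventory)); // [ 'intranet.example.test' ]
```

The last inventory entry fails under both policies: once a SAN is present the commonName is never consulted, so a matching commonName does not rescue a mismatched SAN.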
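The Strict Secure Cookies rules from the list above, as an added example (a toy model, not Chrome's cookie jar): the same sequence of writes from an HTTP origin is replayed against the old and the strict policy. The jar layout, the LIMIT cap and all names are assumptions made for the demo; domain, path and expiry handling are left out.

```javascript
// Added example: toy cookie jar for one host (Map: name -> {value, secure}).
// LIMIT is an assumed per-host cap chosen for the demo, not Chrome's value.
const LIMIT = 3;

// Evict one cookie. Map keys iterate oldest-first. Under the strict policy
// non-Secure cookies go first; a Secure one goes only when no others remain.
function evictOne(jar, strict) {
  const names = [...jar.keys()];
  const victim = strict
    ? (names.find((n) => !jar.get(n).secure) ?? names[0])
    : names[0];
  jar.delete(victim);
}

// op: { name, value, secure, remove }; scheme: "http" or "https".
// Returns true when the write was accepted.
function applySetCookie(jar, scheme, op, strict) {
  const insecure = scheme !== "https";
  const existing = jar.get(op.name);
  if (strict && insecure && (op.secure || (existing && existing.secure))) {
    return false; // insecure origin may not add, overwrite or delete Secure cookies
  }
  jar.delete(op.name); // drop any old entry so re-insertion resets its age
  if (op.remove) return true;
  jar.set(op.name, { value: op.value, secure: Boolean(op.secure) });
  while (jar.size > LIMIT) evictOne(jar, strict);
  return true;
}

// Replay the three cases the text lists: overwrite, delete, indirect eviction.
function simulate(strict) {
  const jar = new Map();
  const https = (op) => applySetCookie(jar, "https", op, strict);
  const http = (op) => applySetCookie(jar, "http", op, strict);
  https({ name: "session", value: "legit", secure: true });
  const overwritten = http({ name: "session", value: "planted", secure: true });
  const deleted = http({ name: "session", remove: true });
  https({ name: "session", value: "legit", secure: true }); // site sets it again
  for (let i = 0; i < LIMIT; i++) http({ name: "junk" + i, value: "x" });
  return { overwritten, deleted, sessionSurvivesFlood: jar.has("session") };
}

console.log("old policy:   ", simulate(false));
console.log("strict policy:", simulate(true));
```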
Security fixes in Chrome 58
Chrome 58 includes 29 security fixes. The following fixes were disclosed by the Chromium team:
- CVE-2017-5057: Type confusion in PDFium. Credit to Guang Gong of Alpha Team.
- CVE-2017-5058: Heap use after free in Print Preview. Credit to Khalil Zhani.
- CVE-2017-5060: URL spoofing in Omnibox. Credit to Xudong Zheng.
- CVE-2017-5065: Incorrect UI in Blink. Credit to Khalil Zhani.
- CVE-2017-5062: Use after free in Chrome Apps. Credit to anonymous.
- CVE-2017-5069: Cross-origin bypass in Blink. Credit to Michael Reizelman.
- CVE-2017-5066: Incorrect signature handling in Networking. Credit to Prof. Zhenhua Duan, Prof. Cong Tian, and Chu Chen.
- CVE-2017-5064: Use after free in Blink. Credit to Wadih Matar.
- CVE-2017-5063: Heap overflow in Skia. Credit to Sweetchip.
- CVE-2017-5059: Type confusion in Blink. Credit to SkyLined.
- CVE-2017-5061: URL spoofing in Omnibox. Credit to Haosheng Wang.
- CVE-2017-5067: URL spoofing in Omnibox. Credit to Khalil Zhani.
Happy cross-browser testing in Chrome 58!