Today Chrome version 68 was released and we rushed to install this fresh new version on our cloud servers. We at Browserling think that time is of the essence and we always make sure that new versions are installed as soon as they become public.

Chrome 68 Version

Try it yourself right away!


What's new in Chrome 68?

The most notable features are as follows:

  • HTTP sites marked as "not secure".
  • The Page Lifecycle API tells you when your tab has been suspended or restored.
  • The Payment Handler API makes it possible for web-based payment apps to support the Payment Request experience.
  • Content embedded in an iframe requires a user gesture to navigate the top-level browsing context to a different origin.
  • Since Chrome 1, the CSS cursor values for grab and grabbing have been prefixed; the standard, un-prefixed values are now supported.
  • A number of other fixes and improvements.

For Android:

  • Fix for an Autofill issue.
  • The Add to Home Screen behavior on Android is changing to give you more control.

For iOS:

  • Improved downloading from websites. Downloading now works while the app is in the background. You can also continue browsing in the same tab while your file downloads.
  • Improvements to Forms Autofill.
  • Improved handling of links to the App Store.

Changes to the "Add to Home Screen"

If your site meets the "add to home screen criteria", Chrome will no longer show the add to home screen banner. Instead, you’re in control over when and how to prompt the user.

Page Lifecycle API

Running a large number of tabs usually leaves critical resources (such as memory, CPU, battery and network) oversubscribed, which in turn leads to a bad user experience. If your site is running in the background, the system may suspend it to conserve these resources, and with the new Page Lifecycle API you can now listen for and respond to those events.
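As an added example (not code from the Chrome release notes), the sketch below listens for the `freeze` and `resume` events and for `visibilitychange`, saving state before the tab is suspended. The `watchLifecycle` helper and its `save`/`reconnect` hooks are hypothetical names; `doc` is assumed to be `document` or any object with the same `addEventListener`, `visibilityState` and `wasDiscarded` members.

```javascript
// Added example: track Page Lifecycle transitions and flush state before a freeze.
// `save` and `reconnect` are caller-supplied hooks (hypothetical names).
function watchLifecycle(doc, { save, reconnect }) {
  const transitions = [];
  const visibility = () => (doc.visibilityState === 'hidden' ? 'hidden' : 'visible');
  let state = visibility();

  const move = (next) => {
    if (next !== state) {
      transitions.push(`${state}->${next}`);
      state = next;
    }
  };

  doc.addEventListener('visibilitychange', () => {
    move(visibility());
    // A hidden tab is a candidate for freezing, so persist early.
    if (state === 'hidden') save('hidden');
  });

  doc.addEventListener('freeze', () => {
    // Last chance to run code: timers and callbacks stop until 'resume'.
    save('freeze');
    move('frozen');
  });

  doc.addEventListener('resume', () => {
    move(visibility());
    reconnect(); // reopen connections that were dropped while frozen
  });

  return {
    transitions,
    current: () => state,
    // True when this load replaces a tab that the browser discarded.
    restoredAfterDiscard: doc.wasDiscarded === true,
  };
}
```

In a page this would be called once at startup as `watchLifecycle(document, { save, reconnect })`.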

Payment Handler API

The Payment Request API is an open, standards-based way to accept payments. It can collect payment credentials as well as shipping and contact information from the payer through a quick and easy user interface.

HTTP sites marked as "not secure"

Google Chrome further tightens security by encouraging sites to adopt HTTPS encryption. Starting with Chrome 68, sites that are still served solely over HTTP are marked as "Not secure".

Chrome 68 not secure and secure


Developer features and updates in Chrome 68

  • Accept two values in the overflow shorthand - The overflow shorthand will accept two values making it possible to set overflow-x and overflow-y to different values. If two values are specified, the first is overflow-x and the second is overflow-y. This property previously only accepted one value, meaning that a developer who wanted to set them to different values was forced to write longhand statements for both. Changing the shorthand reduces complexity by allowing developers to specify both in a single statement.
  • Block tab-under navigations - A tab-under is when a page both opens a popup to some destination (usually where the user wants to go) AND navigates the opener page to some third party content (usually an advertisement). Chrome will block these navigations and show native UI to the user so they can still follow the redirect if they want to.
  • CSS position values with 3 parts - The object-position and perspective-origin properties should not accept 3 part values like "top right 20%". This also applies for positions in basic shapes and gradients. Valid position values always have 1, 2 or 4 parts. Deprecation of 3-part values occurred in Chrome 66, and removal occurred in Chrome 68.
  • Deprecate and Remove: negative brightness values in filter - For compliance with specification, filter's brightness() function no longer accepts negative values.
  • Feature Policy: Image Compression - Allows developers to selectively enable and disable the use of images with large byte-per-pixel ratio (compression ratio) through the Feature-Policy HTTP header or the <iframe> 'allow' attribute. This provides more control over minimizing image file size, on a per-origin basis. Use this policy to optimize image loading experience. The identifier for the feature in policies is 'image-compression'. By default, 'image-compression' is allowed in all frames.
  • Feature Policy: Legacy Image Format - Allows developers to selectively enable and disable the use of images with legacy image formats through the Feature-Policy HTTP header or the <iframe> 'allow' attribute. This provides more control over images using legacy formats, on a per-origin basis. Use this policy to improve image loading performance. The identifier for the feature in policies is 'legacy-image-formats'. By default, 'legacy-image-formats' is allowed in all frames.
  • Feature Policy: Maximum Image Downscaling - Allows developers to selectively enable and disable the use of images whose sizes are much bigger than their containers' through the Feature-Policy HTTP header or the <iframe> 'allow' attribute. This provides more control over images with unnecessarily large intrinsic size, on a per-origin basis. Use this policy to improve image loading performance. The identifier for the feature in policies is 'maximum-downscaling-image'. By default, 'maximum-downscaling-image' is allowed in all frames.
  • Feature Policy: animations - Allows developers to selectively disable the use of certain CSS animations through the Feature-Policy HTTP header or the <iframe> "allow" attribute. Slow and inefficient CSS animations add delays to paint/draw intervals. With the use of this policy-controlled feature, a developer may restrict the use of certain animations on their own web page or certain third party origins in embedded contents.
  • Fetch API: Credentials mode default to "same-origin" - A Request object’s credentials mode defaults to “omit” in Chrome right now. A spec change recently changed the default to “same-origin”, thus providing credentials to same-origin requests instead of omitting them.
  • GamePad API vibration extension - Update the Standard Gamepad spec to include a rumble-style haptic feedback device and extend the Gamepad API to support vibration effects.
  • Gamepad polling at 250Hz - Chrome's gamepad polling behavior adds approximately 8 ms of avoidable latency due to the lack of synchronization between the internal polling loop and requestAnimationFrame, where gamepad state is typically used. Increasing the internal polling rate to 250 Hz reduces the added latency to approximately 2 ms when the application also increases its polling rate.
  • High Resolution Time Stamp for Gamepad - Change Gamepad.timestamp to use a DOMHighResTimeStamp, a high resolution monotonic time with microsecond resolution. Timestamps are measured as offsets from the navigationStart attribute of the PerformanceTiming interface.
  • Improve Cache Management for Service Worker Scripts - The HTTP cache will be ignored when requesting updates to the service worker. Requests for importScripts will still go through the HTTP cache. But this is just the default. A new registration option, ServiceWorkerRegistration.updateViaCache is available that offers control over this behavior.
  • Keyboard Lock - While in fullscreen, this API allows apps to receive keys that are normally handled by the system or the browser like Cmd/Alt-Tab, or Esc. Users can escape keyboard lock (and fullscreen) by holding the Esc key for two seconds.
  • Make PointerEvent.fromElement and PointerEvent.toElement null - PointerEvents won't report non-standard and inconsistent values for fromElement and toElement fields. Instead, they will always report null (like Edge and Firefox). In MouseEvents (from which PointerEvents inherit these fields), .fromElement and .toElement are non-standard, and have been inconsistent among major browsers for many years. Moreover, we have standard and consistent alternatives already: .target and .relatedTarget. Recently the PointerEvents spec has been updated accordingly.
  • Page Lifecycle API - With large numbers of web apps (and tabs) running, critical resources such as memory, CPU, battery, network etc easily get oversubscribed, leading to a bad end user experience. Web lifecycle is a proposal to enable system initiated Tab Discarding and CPU Stopping -- to effectively manage resources for optimal user experience. See explainer.
  • Payment Handler API - The API helps to develop new payment apps in web standard ways (e.g. service worker). If using them, payment app providers can provide simplified payment methods and user experiences.
  • RTCRtpSender: get/setParameters() - The get/setParameters() methods return or update the RTCRtpSender object's current parameters for how the RTCRtpSender.track property is encoded and transmitted to a remote RTCRtpReceiver. These methods enable you to change encoding parameters for WebRTC streams such as the maximum transmission bitrate without doing any SDP munging or renegotiation.
  • Remove Document#selectedStylesheetSet/preferredStylesheetSet - The Document.selectedStylesheetSet/preferredStylesheetSet attributes will be removed because they are non-standard and only implemented by Chrome and WebKit. The standard versions of these attributes were removed from the spec in 2016.
  • Remove document.createTouch - document.createTouch is removed. Using new Touch({...}) has been supported in Chrome since M48.
  • Require user gesture for framebusting in cross-origin iframes - Content in an <iframe> can generally navigate the top-level browsing context unless explicitly forbidden by the sandbox attribute (sometimes called 'framebusting'). Chrome restricts this ability to content that is processing a user gesture, unless it is same-origin to the parent. Framebusting was originally used by content that wanted to prevent being placed in an <iframe>, but it's being abused. There are other, more specific tools to accomplish the original use case.
  • Support 'x' as a resolution unit - CSS Values and Units Module Level 4 defines a new resolution unit called 'dot per pixel' for support of high-resolution displays. This change adds 'x' as a synonym for the existing abbreviation, 'dppx'.
  • Unified touch adjustment - Touch adjustment will adjust the TouchEvent and the corresponding PointerEvent target to a best target within the touch area. TouchEvent coordinates will not be changed.
  • Unprefix CSS "grab" and "grabbing" Values for Cursor Property - These values change the mouse cursor to an open hand or closed hand to indicate that something can be grabbed or is currently grabbed. Prefixed versions of these properties have been supported since Chrome 1, with Windows support added in Chrome 22. With this change Chrome will support the standard, unprefixed versions of these values.
  • User activation through long-press gesture - The long-press gesture should be considered a user activation because it indicates the user's interaction with the page. This would allow a web app to call restricted APIs like navigator.vibrate() on long-press to match native behavior.
  • WEBGL_compressed_texture_atc - This extension provided the AMD_compressed_ATC_texture formats to the web. Hardware support has dwindled to near-zero, so the extension has been deprecated/rejected by the WebGL Working Group. Support for this extension has always been small (as it is hardware-dependent), so no existing applications should be relying on its presence.
  • WebAudio: Add User Selectable Automation Rate for AudioParams - Gives each AudioParam a new attribute, automationRate that allows the user to select whether the AudioParam is either "a-rate" or "k-rate". Most but not all AudioParams allow changing the rate (as given in the spec). For example, BiquadFilterNode with default "a-rate" automation is very expensive to compute due to the complex relationship between the parameters and the filter coefficients. If this fast automation is not needed (the most typical case), the parameters can be set to "k-rate".
  • customElements.upgrade() - This function upgrades undefined custom elements explicitly. If a custom element is created with the innerHTML setter and its parent node is not connected to a document, the custom element is not upgraded until it's connected. Upgrading such elements explicitly allows developers to handle them in a single way regardless of connectedness.
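The framebusting item above mentions "more specific tools" for pages that do not want to be framed without naming them. The added example below (not from the Chrome release notes) assumes those tools are the `X-Frame-Options` response header and the CSP `frame-ancestors` directive, and checks whether a set of response headers would let a given origin frame the page. The function names and the lower-cased `headers` object are assumptions of the example.

```javascript
// Added example: would these response headers let `embedderUrl` frame the page?
// Simplifications: one embedding origin (real frame-ancestors checks every
// ancestor), and only 'none', 'self' and full-origin sources are evaluated.
function originOf(value) {
  try { return new URL(value).origin; } catch (e) { return null; }
}

function frameAncestors(csp) {
  // Return the directive's source list, or null when the directive is absent.
  for (const directive of String(csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function canBeFramedBy(headers, pageUrl, embedderUrl) {
  const page = originOf(pageUrl);
  const embedder = originOf(embedderUrl);
  if (!page || !embedder) throw new TypeError('pageUrl and embedderUrl must be absolute URLs');

  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // frame-ancestors, when present, is enforced instead of X-Frame-Options.
    return sources.some((src) => {
      if (src.includes('*')) return true;              // wildcard: assume a match
      if (src.toLowerCase() === "'self'") return embedder === page;
      return originOf(src) === embedder;               // 'none' never matches
    });
  }

  const xfo = String(headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === page;
  return true; // no recognised anti-framing header: any origin may frame it
}
```

A page that still relies only on a framebusting script returns `true` for every embedder here, which is the case to look for when auditing.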

Bug fixes

High-threat bug fixes:

  • CVE-2018-6153: Stack buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-06-07
  • CVE-2018-6154: Heap buffer overflow in WebGL. Reported by Omair on 2018-06-01
  • CVE-2018-6155: Use after free in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-11
  • CVE-2018-6156: Heap buffer overflow in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-10
  • CVE-2018-6157: Type confusion in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-07

Medium-threat bug fixes:

  • CVE-2018-6158: Use after free in Blink. Reported by Zhe Jin (金哲), Luyao Liu (刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-05-09
  • CVE-2018-6159: Same origin policy bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-04-26
  • CVE-2018-6160: URL spoof in Chrome on iOS. Reported by evi1m0 of Bilibili Security Team on 2018-05-04
  • CVE-2018-6161: Same origin policy bypass in WebAudio. Reported by Jun Kokatsu (@shhnjk) on 2018-03-27
  • CVE-2018-6162: Heap buffer overflow in WebGL. Reported by Omair on 2018-01-21
  • CVE-2018-6163: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-06-04
  • CVE-2018-6164: Same origin policy bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-06-01
  • CVE-2018-6165: URL spoof in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-05-30
  • CVE-2018-6166: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-04-21
  • CVE-2018-6167: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-04-15
  • CVE-2018-6168: CORS bypass in Blink. Reported by Gunes Acar and Danny Y. Huang of Princeton University, Frank Li of UC Berkeley on 2018-04-03
  • CVE-2018-6169: Permissions bypass in extension installation. Reported by Sam P on 2014-07-16
  • CVE-2018-6170: Type confusion in PDFium. Reported by Anonymous on 2018-07-10
  • CVE-2018-6171: Use after free in WebBluetooth. Reported by amazon@mimetics.ca on 2018-06-12
  • CVE-2018-6172: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-05-28
  • CVE-2018-6173: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-04-25
  • CVE-2018-6174: Integer overflow in SwiftShader. Reported by Mark Brand of Google Project Zero on 2018-04-20
  • CVE-2018-6175: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-03-26
  • CVE-2018-6176: Local user privilege escalation in Extensions. Reported by Jann Horn of Google Project Zero on 2016-11-18

Low-threat bug fixes:

  • CVE-2018-6177: Cross origin information leak in Blink. Reported by Ron Masas (Imperva) on 2018-03-27
  • CVE-2018-6178: UI spoof in Extensions. Reported by Khalil Zhani on 2018-03-19
  • CVE-2018-6179: Local file information leak in Extensions. Reported by Anonymous on 2018-02-26
  • CVE-2018-6044: Request privilege escalation in Extensions. Reported by Rob Wu on 2017-12-23
  • CVE-2018-4117: Cross origin information leak in Blink. Reported by AhsanEjaz - @AhsanEjazA on 2017-12-03

[source]


Have fun cross-browser testing in Chrome 68 and Browserling!