Google Chrome 72 was released today, and we have already installed it on our cross-browser testing platform. It's available now for your testing needs.
Try it yourself right away!
What's new in Chrome 72?
The most notable features are as follows:
- Creating public class fields in JavaScript is now much cleaner.
- New User Activation API.
- Localizing lists becomes much easier with the Intl.ListFormat API.
- Chrome 72 changes the behavior of Cache.addAll() to better match the spec.
- Requests for favicons are now handled by the service worker, as long as the request URL is on the same origin as the service worker.
- Pages may no longer use window.open() to open a new page during unload.
- Removal of HTTP-Based Public Key Pinning.
- Removal of rendering FTP resources.
- Deprecation of TLS 1.0 and TLS 1.1.
- Deprecation of PaymentAddress.languageCode.
- Now requires Android 4.4 or later.
- Support for more search engines.
- Fixed crashes on some page translations and added translations on previously untranslated websites.
- A Siri Shortcut to start a new search is available.
Visualize performance metrics, highlighting text nodes
DevTools now marks performance metrics like DOMContentLoaded and First Meaningful Paint in the Timings section. When you hover over a text node in the DOM Tree, DevTools also highlights that text node in the viewport.
Picture-in-Picture (PiP) is now enabled by default
Picture-in-Picture is now enabled by default in Chrome for Windows, Mac and Linux. The feature lets you watch videos in a floating window that is always on top of other windows, so you can browse and watch at the same time. The floating window appears when a web page uses the Picture-in-Picture API; for websites that do not support it, an extension can be used.
Deprecate TLS 1.0 and TLS 1.1
TLS (Transport Layer Security) is the protocol that secures HTTPS. Its older versions, TLS 1.0 and 1.1, have a number of known weaknesses, and supporting TLS 1.2 is a prerequisite for avoiding most of them. The IETF TLS working group has deprecated versions 1.0 and 1.1, and Chrome now deprecates them as well; complete removal is scheduled for Chrome 81. If you run a site, check now that your servers negotiate TLS 1.2 (or 1.3) with current clients rather than waiting for the removal to break connections.
Remove rendering FTP resources and HTTP-Based Public Key Pinning
HTTP-Based Public Key Pinning (HPKP) was intended to let websites send an HTTP header that pins one or more of the public keys present in the site's certificate chain. It saw very low adoption, and although it protects against certificate misissuance, it also creates a risk of denial of service (a site that loses access to a pinned key locks out its own returning visitors) and of hostile pinning by an attacker who briefly controls the site. It has therefore been removed; Certificate Transparency remains the browser-side defence against misissuance. Rendering of resources from FTP, a non-securable legacy protocol, is also deprecated.
Developer features and updates in Chrome 72
- Cache API: reject addAll() when requests would overwrite each other - The Cache.addAll() API allows multiple entries to be added to the cache at once. The spec requires that no request/response pair in a single call overwrite another entry added by the same call. Previously Chrome resolved such conflicts by storing the later entry and silently dropping the earlier one; it now rejects the whole call with an InvalidStateError, as the spec requires.
- Crash Reports - Crash reports are a new type of report available via the Reporting API. They indicate that a crash occurred on a page and, where known, the reason (out of memory, for example).
- Don't allow popups during page unload - Pages may no longer use the window.open() API to open a new page during unload.
- ECMAScript module namespace exports - This feature extends the module export syntax with the form export * as foo from "bar", the analogue of the existing import * as foo from "bar".
- Feature Policy control over document.domain - The document-domain policy governs access to document.domain, which a page can set to relax the same-origin policy between subdomains. The policy is enabled by default; if it is disabled, attempting to set document.domain throws an error.
- Feature Policy: Oversized images - Allows developers to selectively enable and disable the use of images that are much larger than their containers, through the Feature-Policy HTTP header or the <iframe> allow attribute.
- Feature Policy: Unoptimized images - Allows developers to selectively enable and disable the use of images with a large byte-per-pixel ratio (that is, poor compression), through the Feature-Policy HTTP header or the <iframe> allow attribute.
- IndexedDB transaction explicit commit API call - An explicit commit() method is added to the IndexedDB transaction API, following the spec change authored by jsbell. This lets web developers explicitly commit open transactions rather than relying on IndexedDB's autocommit behaviour.
- Interoperable File.webkitRelativePath property - File.webkitRelativePath previously returned a value different from other major browsers; it now returns the same value.
- Intl.ListFormat - Formats a list of strings according to the conventions of a locale; given the English list Alice, Bob, Charlie and Delta it returns the string "Alice, Bob, Charlie, and Delta".
- JavaScript Modules: Credentials mode defaults to "same-origin" - The default credentials mode for module script requests changes from "omit" to "same-origin", so credentials are sent with same-origin module script requests and their descendant scripts (static and dynamic imports). The previous behaviour was surprising because it was misaligned with other high-level features such as the Fetch API, and, in the web platform's current architecture, it forced a second server connection, which is undesirable for developers trying to reduce latency.
- navigator.mediaDevices.getDisplayMedia() - Captures a screen or application window to a MediaStream, for recording or sharing over the network.
- MediaStreamTrack resizeMode constraint - This constraint controls how the browser derives the resolution of a MediaStreamTrack. Two values are supported: "none", where the track has the native resolution provided by the camera, its driver or the OS; and "crop-and-scale", where the browser may crop and rescale the camera's output to reach the requested resolution. This is useful for getting more consistent behaviour across browsers, or when an application wants to be sure it only gets native resolutions.
- Navigator.languages and languagechange event on workers - The navigator.languages property exposes the Accept-Language header, and the languagechange event, fired on the Window object, notifies scripts of changes to that value. Together they allow web applications to handle i18n on the client and react to user language changes. This change makes both available to workers: navigator.languages is exposed on workers, and languagechange fires on workers as well as on the main thread.
- Public class fields - This feature introduces public fields to ECMAScript classes.
- RTCPeerConnection.connectionState and RTCPeerConnection.onconnectionstatechange - RTCPeerConnection.connectionState is an aggregate value computed from the states of the peer connection's underlying ICE and DTLS transports. It is intended to give a more complete overview of the connection state than RTCPeerConnection.iceConnectionState, which is based only on the ICE transports.
- Remove HTTP-Based Public Key Pinning - HTTP-Based Public Key Pinning (HPKP) was intended to let websites send an HTTP header pinning one or more of the public keys present in the site's certificate chain. Chrome 72 no longer honours the Public-Key-Pins header.
- Rendering FTP resources - FTP is a non-securable legacy protocol; when even the Linux kernel is migrating off it, it is time to move on. One step toward deprecation and removal is to stop rendering resources from FTP servers and download them instead. Chrome still generates directory listings, but anything that is not a directory listing is downloaded rather than rendered in the browser.
- Sec-Metadata - This introduces a new HTTP request header that sends additional metadata about a request's provenance (whether it is cross-site, whether it was triggered by an <img>, and so on) to the server, so the server can make security decisions that mitigate some attacks based on timing the server's response (cross-site search, among others). This proposal later shipped, renamed, as the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest request headers.
- Service worker: FetchEvent.resultingClientId - FetchEvent.resultingClientId, set on navigation requests and requests for workers, is the ID of the client (a document or a worker) created by the request. This is useful for associating a document's main resource request with its subsequent subresource requests, for logging and metrics.
- Service worker: FetchEvents for requests for same-origin favicons - Previously, technical limitations prevented service workers from receiving FetchEvents for favicon requests. Now service workers receive them as long as the request URL is same-origin with the service worker.
- Support for U2F/CTAP2 FIDO BLE devices via the Web Authentication API - The Web Authentication API (Chrome 65 and later) lets web applications authenticate users with FIDO-defined U2F and CTAP2 devices. The implementation supports certain platform authenticators (such as Touch ID) and external devices communicating over USB. This feature adds support for external devices communicating over BLE, including a UI that guides users through pairing and using their devices for two-factor authentication (on Mac and Chrome OS).
- TLS 1.0 and TLS 1.1 - TLS 1.0 and 1.1 are deprecated, with removal targeted for Chrome 81 (early 2020). During the deprecation period, sites using those protocols show a warning in DevTools. After the deprecation period, in 2020, they will fail to connect unless they have upgraded to TLS 1.2 or later.
- Treat '#' as ending data URI body content - By spec, a '#' character in a data URI is not part of the URI body; it only marks the start of the fragment component. Historically Chrome did not adhere to the spec, treating '#' both as the start of the fragment and as part of the body.
- User Activation Query API - Some APIs cannot be used without a user activation; examples include requestFullscreen(), autoplay and window.open(). This restriction is a powerful tool for preventing annoying behaviour by web pages, but until now there was no way for a page to find out whether a user activation is currently active. The User Activation Query API adds that ability.
- User Activation v2 - User activation is the mechanism that tracks active-user-interaction state in order to limit the use of "abusable" APIs (for example opening popups or vibrating). The web-exposed behaviour varied widely among major browsers. To unify the web, this feature defines a new user activation model simple enough for cross-browser implementation. Its main changes are: (a) there is no concept of token passing, and (b) activation visibility changes from stack-scoped to frame-scoped.
- WebRTC Unified Plan SDP - RTCPeerConnections now generate and parse SDP according to the standardized format. Exchanging SDP is needed to set up calls in WebRTC, and following the standard is important for cross-browser interoperability. Unified Plan also enables the RTCRtpTransceiver APIs. Changing from the old format ("Plan B") to the new one can cause backwards-compatibility issues or break applications.
- Well-formed JSON.stringify - A Stage 3 ECMAScript proposal changes JSON.stringify so that it no longer returns ill-formed Unicode strings: lone surrogates are emitted as escape sequences instead.
- Windows Web Authentication APIs - This feature integrates Chrome on Windows with the Windows WebAuthn platform APIs, which lets it talk to FIDO U2F and CTAP authenticators for two-factor authentication over USB, BLE and NFC via the Web Authentication API. It additionally adds support for the Windows Hello platform authenticator, for both two-factor and user-verifying authentication.
- Worker unhandled exception propagation - For dedicated workers, an unhandled error now propagates to the parent context, where the error reporting process begins again one layer up (for example, in the window's onerror handler). Errors can thus propagate up to the original document, giving developers the freedom to choose when and how to handle worker errors.
Security fixes in Chrome 72
- CVE-2019-5754: Inappropriate implementation in QUIC Networking.
- CVE-2019-5782, CVE-2019-5755: Inappropriate implementation in V8.
- CVE-2019-5756, CVE-2019-5772: Use after free in PDFium.
- CVE-2019-5757: Type Confusion in SVG.
- CVE-2019-5758: Use after free in Blink.
- CVE-2019-5759: Use after free in HTML select elements.
- CVE-2019-5760, CVE-2019-5764: Use after free in WebRTC.
- CVE-2019-5761: Use after free in SwiftShader.
- CVE-2019-5762: Use after free in PDFium.
- CVE-2019-5763: Insufficient validation of untrusted input in V8.
- CVE-2019-5765: Insufficient policy enforcement in the browser.
- CVE-2019-5785: Stack buffer overflow in Skia.
- CVE-2019-5766: Insufficient policy enforcement in Canvas.
- CVE-2019-5767: Incorrect security UI in WebAPKs.
- CVE-2019-5768: Insufficient policy enforcement in DevTools.
- CVE-2019-5769: Insufficient validation of untrusted input in Blink.
- CVE-2019-5770: Heap buffer overflow in WebGL.
- CVE-2019-5771: Heap buffer overflow in SwiftShader.
- CVE-2019-5773: Insufficient data validation in IndexedDB.
- CVE-2019-5774: Insufficient validation of untrusted input in SafeBrowsing.
- CVE-2019-5775, CVE-2019-5776, CVE-2019-5777, CVE-2019-5781: Insufficient policy enforcement in Omnibox.
- CVE-2019-5778: Insufficient policy enforcement in Extensions.
- CVE-2019-5779, CVE-2019-5780: Insufficient policy enforcement in ServiceWorker.
- CVE-2019-5783: Insufficient validation of untrusted input in DevTools.
Have fun cross-browser testing in Chrome 72!