Exciting news! Chrome 73 just came out today. We rushed to install it on our cross-browser testing platform as we wanted you to be able to try it as soon as it became public.
Try it yourself right away!
What's new in Chrome 73?
The most notable features are as follows:
- Creating portable content is easier with signed HTTP exchanges.
- Dynamically changing styles becomes way easier with constructable style sheets.
- Support for Progressive Web Apps arrives on macOS, bringing support for PWAs to all desktop and mobile platforms.
- matchAll() is a new regular expression matching method on the string prototype, and returns an array containing the complete matches.
- The <link> element now supports imagesrcset and imagesizes properties to correspond to srcset and sizes attributes of HTMLImageElement.
- Blink's shadow blur radius implementation now matches Firefox and Safari.
- Dark mode is now supported on Mac, and Windows support is on the way.
- Removal of EXPLAIN and REINDEX support in WebSQL.
- Removal of isomorphic decoding of URL fragment identifier.
- Deprecation of 'drive-by downloads' in sandboxed iframes.
- Stoppage of support for external web extensions in CRX2 format, making CRX3 format required.
Chrome 73 Changes for Android:
- Offline Content on the Dino Page: easily browse suggested articles while offline.
- Lite pages: get optimized pages that save data and load faster.
Chrome 73 Changes for iOS:
- Tap on the icons above the keyboard and easily access your saved passwords, addresses and credit card information.
- Updated default search engines list.
- View JavaScript console messages.
Multi-platform support for PWAs
Chrome 73 comes with added support for progressive web apps on all desktop platforms - Mac, Chrome OS, Windows, Linux and even mobile, simplifying web app development. Users can take advantage of this feature from Chrome's context menu, or directly promote the installation experience using the beforeinstallprompt event. Once installed, a progressive web app integrates with the OS to behave like a native application.
Signed HTTP Exchanges
Signed HTTP Exchanges, part of an emerging technology called "Web Packages", are available in Chrome 73. They allow creating "portable" content that can be delivered by other parties while, and this is the key aspect, retaining the integrity and attribution of the original site.
Constructable Stylesheets
When using Shadow DOM, it is important to create and distribute reusable styles, which is why Chrome 73 introduces "Constructable style sheets". It's always been possible to create stylesheets using JavaScript: create a <style> element using document.createElement('style'), then access its sheet property to obtain a reference to the underlying CSSStyleSheet instance, and set the style. However, this method tends to cause style sheet bloat and even causes a flash of unstyled content. Constructable Stylesheets make it possible to define and prepare shared CSS styles, and then apply those styles to multiple Shadow Roots or the Document easily and without duplication. Getting started is simple: create a new instance of CSSStyleSheet, then use either replace or replaceSync to update the stylesheet rules.
Developer features and updates in Chrome 73
Chrome 73 comes with 37 registered developer features and updates:
- ::part pseudo element on shadow hosts - This specification defines the ::part() pseudo-element on shadow hosts, allowing shadow hosts to selectively expose chosen elements from their shadow tree to the outside page for styling purposes.
- Auto Picture-in-Picture - Video in installed Progressive Web Apps (PWAs) will enter and exit picture-in-picture automatically when a document's visibility changes. Web apps for video meetings will benefit by allowing picture-in-picture when users switch back and forth between web apps and other applications or tabs. This is currently not possible because a user gesture is required to enter picture-in-picture.
- Badging API - Allows web apps (as defined by the Web App Manifest standard) to set an app-wide badge in operating-system-specific places such as the shelf or home screen. Additionally, it gives the app a small, visible place to notify the user of new activity that might require attention, without showing a full notification. It can show additional information, such as an unread count or event type. It allows the app to convey this information when its windows are closed.
- CSS: Use the response URL as the base URL - The base URL of stylesheets is now the response URL of the stylesheet rather than the request URL. These are only different if a service worker provided the response. If the service worker does respondWith(fetch(url)), the base URL becomes url. Also, to align with the specification, stylesheets that (a) failed to load due to network error, or (b) loaded via a redirect from cross-origin back to same-origin are considered cross-origin.
- CanvasRenderingContext2D.getContextAttributes() - This method allows web developers to read back the ContextAttributes consumed by the platform and compare them to what was requested. Shipping this method will allow lining up with WebGL's homonymous method.
- Constructible Stylesheets - The API provides a way to create CSSStyleSheet objects from script without needing <style> or <link> elements. Script can optionally modify the stylesheet by adding, removing, or replacing rules in it. Each stylesheet object can then be adopted/used in multiple tree scopes (document/shadow roots). Not only does this reduce memory duplication, it also allows an element's styles to be modified in a single location.
- Cross-Origin Resource Policy - The Cross-Origin-Resource-Policy response header allows HTTP servers to ask the browser to prevent cross-origin or cross-site embedding of the returned resource. It is complementary to the Cross-Origin Read Blocking feature and is especially valuable for resources not covered by CORB (which only protects HTML, XML and JSON). Cross-Origin-Resource-Policy is currently the only way to protect images against Spectre attacks or against compromised renderers.
- DOMMatrixReadOnly.scaleNonUniform() - This function post-multiplies a non-uniform scale transformation on the current matrix and returns the resulting matrix. It is being re-added to support legacy compatibility with SVGMatrix. Non-uniform scaling is a transformation in which at least one of the scaling factors is different from the others. For example, non-uniform scaling might turn a rectangle into a square or a parallelogram.
- EME Extension: HDCP Policy Check - This feature provides applications the ability to query whether a certain HDCP policy can be enforced so that playback can be started at the optimum resolution for the best user experience.
- EXPLAIN and REINDEX support in WebSQL - EXPLAIN's output is not guaranteed to be stable over SQLite versions, so developers cannot rely on it. REINDEX is only useful when collation sequence definitions change, and Chrome only uses the built-in collation sequences.
- Feature Policy violation reporting - Enable reporting of feature policy violations through the Reporting API.
- Flexbox: min-height: auto applies to nested flex boxes - We changed our rendering to match the flexbox specification and other browsers. In previous versions, Chrome did not implement the automatic minimum size for the specific case of a column flexbox containing a flex item that is itself a flexbox. We have now changed this so that such flex items do get the right minimum size. This can cause flex items to not shrink anymore when they used to; to avoid that, set min-height: auto on the flex item.
- GamePad API: GamepadButton touched attribute - Provides the touched state of a gamepad button, which indicates whether a finger is on a button independent of whether it's being pressed.
- Implicit Root Scroller - Allows viewport-filling scrollers (iframes, divs) to perform document-level scrolling actions. I.e. show/hide URL bar, overscroll glow, rotation anchoring, etc.
- Media Session - Enable websites to customize media metadata so they can control the notification and lock screen UI. Also allows control of media from outside a page, as well as using platform UIs and managing media keys.
- Object.fromEntries() - Object.fromEntries() turns a list of key-value pairs into an object.
- Origin-Signed HTTP Exchanges - Allows sites to send HTTP request/response pairs (exchanges) that are authoritative for an origin, even when the server itself is not authoritative for that origin. This is part of Web Packaging, which will allow people to share web applications peer-to-peer, while offline, with proof that an app comes from its original author. This also shares some infrastructure with signature-based SRI.
- Per-media DSCP through RtpSender::SetParameters - Add a networkPriority field to the RtcRtpSender Parameters property to allow different senders' media to use different DSCP markings. This allows the client to accept configuration from administrators to work better in constrained network environments, or with wifi WMM prioritization.
- PerformanceObserver supportedEntryTypes - PerformanceObserver.supportedEntryTypes provides a way to feature-detect the PerformanceEntry types that are implemented in a web browser. The types are sorted alphabetically. For example, a developer running this in Chrome could get something like this in the console: PerformanceObserver.supportedEntryTypes, the output is: ["longtask", "mark", "measure", "navigation", "paint", "resource"].
- RTCConfiguration.offerExtmapAllowMixed - Adds a boolean property to RTCConfiguration.offerExtmapAllowMixed() to enable the extmap-allow-mixed attribute in a session description protocol (SDP) offer. The SDP attribute extmap-allow-mixed, as defined in RFC8285, will be included in the SDP offer if this property is set to true. The SDP attribute extmap-allow-mixed is supported from Chrome 71, but due to backwards compatibility problems it was not included in the SDP offer by default.
- RTCQuicTransport & RTCQuicStream - A standalone API using the QUIC transport protocol to exchange arbitrary data with remote peers. This provides a generic multiple-way transport that doesn't use the full PeerConnection stack designed for media purposes. The base API is shared with WebTransport. The difference is the RTCQuicTransport is P2P and uses ICE.
- RTCRtpReceiver.getParameters() - The getParameters() method returns the RTCRtpReceiver object's track decoding parameters, which includes the codec and RTP header lists negotiated for the call, the RTCP information, and the layer count. This API is analogous to RTCRtpSender.getParameters() and presents similar information for a call, but on the receiver side. It does not allow modification of the call's parameters.
- RTCRtpReceiver.getSynchronizationSources() - The getSynchronizationSources() method returns the latest playout timestamps of RTP packets for audio and video receivers. This is useful for determining in real time which streams are active, such as for the use case of audio meters or prioritizing displaying active participant streams in the UI.
- RegExp String.prototype.matchAll() - String.prototype.matchAll() behaves similarly to String.prototype.match(), but returns a full regexp result object for each match in a global or sticky regexp. This offers a simple way to iterate over matches when access to, for example, capture groups is needed.
- Remove isomorphic decoding of URL fragment identifier - When Chrome opens a URL with a fragment id, it decodes %xx and applies isomorphic-decode to it, then tries to find an element with the decoding result as an ID in some cases. No other browsers do this, and it's not defined by the standard.
- Sending custom per-request user-agent to HTTP proxies in CONNECT requests - When establishing an HTTPS connection over an HTTP/HTTPS/H2/QUIC proxy, we send a CONNECT request with its own set of headers. Currently, if the original HTTPS request had a custom user-agent string, we would send that with the CONNECT request, rather than the default user-agent header. We plan to remove this behavior, and just use the configured global user-agent header.
- Skip Ad in Picture-in-Picture window - Show a Skip Ad button in Picture-in-Picture window that notifies websites when user interacts with it.
- Spec-compliant shadow blur-radius - Historically, Blink's blur-radius interpretation has been at odds with both the CSS and Canvas2D specs: Blink shadows cover about half the expected area (see linked bug). With this change Gaussian blur sigma is now computed as 1/2 blur-radius, as mandated by spec. Blink's shadow implementation now matches Firefox and Safari.
- Transform list interpolation - Chrome will improve how CSS transforms are handled to reduce cases where a matrix interpolation fallback is used. An interpolation is an intermediate transformation. Sometimes interpretation of the CSS rule requires falling back to a matrix to accomplish the interpolation, and this can produce visual results other than what the web developer intends. To mitigate this, the spec was changed to reduce the number of situations when this can occur.
- Treat Document Level Wheel/Mousewheel Event Listeners as Passive - The wheel/mousewheel event listeners that are registered on document level targets (window.document, window.document.body, or window) will be treated as passive if not specified as otherwise and calling preventDefault() inside such listeners will be ignored. This is the wheel version of the scrolling intervention which is shipped in Chrome 56.
- Turn RTCRtpContributingSource from an interface into a dictionary - The specification requires RTCRtpContributingSource to be a dictionary, but it was previously shipped as an interface. With this change RTCRtpContributingSource will no longer have a prototype and getContributingSources() will create a new set of objects with each call.
- WebRTC audio jitter buffer RTX handling - Enables functionality in the audio jitter buffer in WebRTC to adapt the delay to retransmitted packets.
- Windows Web Authentication APIs - This feature integrates Chrome on Windows with the Windows WebAuthn platform APIs. This enables talking to FIDO U2F and CTAP authenticators for 2-factor authentication over USB, BLE, NFC via the Web Authentication API. This additionally adds support for the Windows Hello platform authenticator for 2-factor and user-verifying authentication.
- XHR: Use the response URL for responseURL and documents - XHR now uses the response URL rather than the request URL for responseURL and responseXML. These are only different if a service worker provided the response. If the service worker does respondWith(fetch(url)), then responseURL is url and responseXML.URL is url.
- XSLT: Use the response URL as the base URL - The base URL of XSLT stylesheets is now the response URL of the stylesheet rather than the request URL. These are only different if a service worker provided the response. If the service worker does respondWith(fetch(url)), the base URL becomes url.
- document.visibilityState set to hidden when WebContents is occluded - Thanks to the WebContents Occlusion feature in Chromium, the Page Visibility Web API will now reflect accurately the visibility state of web pages, especially when they are occluded. In other words, the document.visibilityState value will be hidden when browser tab/window is covered by one or multiple window(s).
- imagesrcset and imagesizes attributes on link rel=preload - Add imagesrcset and imagesizes attributes to <link rel=preload as=image>, that correspond to the srcset and sizes attributes of HTMLImageElement. We are using imagesizes here instead of sizes because it already has a different meaning for HTMLLinkElement in the rel=icon case.
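The Cross-Origin Resource Policy entry in the list above says the header lets a server ask the browser to block cross-origin or cross-site embedding of a resource. As an added example (not from the original post and not Chrome's code), this JavaScript models that check as the Fetch specification describes it and lists which constructed sample responses a page on an unrelated site could still embed; the hosts, the responses array and the two-label site() shortcut are assumptions.

```javascript
// Added example: simplified model of the browser's CORP check (Fetch spec).
// Assumption: a "site" is the last two host labels; browsers really use the
// Public Suffix List, which matters for hosts such as example.co.uk.
function site(host) {
  return host.split('.').slice(-2).join('.');
}

// Returns 'allowed' or 'blocked' for a resource requested by initiatorOrigin.
// CORP only applies to no-cors requests (e.g. <img> without crossorigin).
function corpCheck(initiatorOrigin, resourceUrl, corpHeader, mode = 'no-cors') {
  if (mode !== 'no-cors') return 'allowed'; // CORS decides for cors requests
  const from = new URL(initiatorOrigin);
  const to = new URL(resourceUrl);
  const sameOrigin = from.origin === to.origin;
  if (sameOrigin) return 'allowed';
  const policy = (corpHeader || '').trim();
  if (policy === 'same-origin') return 'blocked';
  if (policy === 'same-site') {
    const sameSite = site(from.hostname) === site(to.hostname);
    // An http: page does not count as same-site with an https: resource.
    const schemeOk = from.protocol === 'https:' || to.protocol !== 'https:';
    return sameSite && schemeOk ? 'allowed' : 'blocked';
  }
  return 'allowed'; // header missing, or a value that matches nothing
}

// Constructed sample responses for a hypothetical app.example deployment.
const responses = [
  { url: 'https://app.example/avatar/42.png', corp: 'same-origin' },
  { url: 'https://static.app.example/preview.png', corp: 'same-site' },
  { url: 'https://app.example/invoice-thumb.png', corp: undefined },
  { url: 'https://app.example/chart.png', corp: 'same-site, same-origin' },
];

// URLs that a page on an unrelated site could still pull in with <img>.
function embeddableCrossSite(list, otherOrigin = 'https://other.example') {
  return list
    .filter((r) => corpCheck(otherOrigin, r.url, r.corp) === 'allowed')
    .map((r) => r.url);
}

console.log(embeddableCrossSite(responses));
```

The last two sample entries stay embeddable: a missing header and a combined value both leave the image without protection.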
Bug fixes in Chrome 73
- CVE-2019-5787: Use after free in Canvas.
- CVE-2019-5788: Use after free in FileAPI.
- CVE-2019-5789: Use after free in WebMIDI.
- CVE-2019-5790: Heap buffer overflow in V8.
- CVE-2019-5791: Type confusion in V8.
- CVE-2019-5792: Integer overflow in PDFium.
- CVE-2019-5793: Excessive permissions for private API in Extensions.
- CVE-2019-5794: Security UI spoofing.
- CVE-2019-5795: Integer overflow in PDFium.
- CVE-2019-5796: Race condition in Extensions.
- CVE-2019-5797: Race condition in DOMStorage.
- CVE-2019-5798: Out of bounds read in Skia.
- CVE-2019-5799: CSP bypass with blob URL.
- CVE-2019-5800: CSP bypass with blob URL.
- CVE-2019-5801: Incorrect Omnibox display on iOS.
- CVE-2019-5802: Security UI spoofing.
- CVE-2019-5803: CSP bypass with Javascript URLs.
- CVE-2019-5804: Command line command injection on Windows.
Have fun cross-browser testing in Chrome 73!