Posted by January 1, 2021
on Chrome 88 is here! It was just pushed to Google's browser update servers and we downloaded and installed it on our servers. You can start testing your websites in this new version. Here's what's new in Chrome 88.
What's New in Chrome 88
- Users can now upload extensions using manifest v3 to the Chrome Web Store.
- CSS aspect-ratio property.
- Heavy throttling of chained JavaScript timers.
- Play billing in Trusted Web Activity.
- To conform to a change in the HTML standard, anchor tags with
target="_blank"
will now implyrel="no-opener"
by default. - Pointer Lock API allows users to disable mouse acceleration.
- Function
addEventListener()
now takes an Abort Signal as an option. - No popups during page unload.
- Web Components v0 are removed.
- Dropped support for OS X Yosemite.
- FTP support is now disabled.
Detailed Changes in Chrome 88
- AbortSignal in addEventListener - This feature adds a new AbortSignal option, named "signal", to the options parameter of addEventListener(). The "signal" option must first be created by an AbortController by accessing the "signal" property on an AbortController instance. Once the signal is passed in to addEventListener, calling "abort()" on the AbortController will remove the event listener added with addEventListener.
- Anchor target=_blank implies rel=noopener by default - To mitigate "tab-napping" attacks, in which a new tab/window opened by a victim context may navigate that opener context, the HTML standard changed to specify that anchors that target _blank should behave as if
rel="noopener"
is set. A page wishing to opt out of this behavior may setrel="opener"
. - CSS automatic hyphenation for Windows/Linux/ChromeOS - Blink supports
manual
andnone
values of the CSShyphens
property since M55, butauto
, which enables the automatic hyphenation, is supported only on Android and Mac. - CSS selectors: pseudo-classes :is() and :where() - The matches-any pseudo-class,
:is()
, is a functional pseudo-class taking a selector list as its argument. It represents an element that is represented by its argument. - CSS selectors: complex :not() - Allows complex selectors inside the
:not()
pseudo class, such as:not(.a + .b .c)
. - CSS aspect-ratio property - Normally, only certain replaced elements have an aspect ratio, particularly images. For them, if only one of width and height is specified, the other can be computed from it using the intrinsic aspect ratio.
- Deprecate FTP support - Deprecate and remove support for FTP URLs. The current FTP implementation in Google Chrome has no support for encrypted connections (FTPS), nor proxies. Usage of FTP in the browser is sufficiently low that it is no longer viable to invest in improving the existing FTP client.
- Don't clear adoptedStyleSheets on adoption to/from <template> - When adopting a shadow root into a <template> document from a document that the <template> is in (or vice versa), we will no longer clear its adoptedStyleSheets.
- ElementInternals.shadowRoot attribute - A new attribute on ElementInternals, 'shadowRoot', allows custom elements to access their own ShadowRoot, regardless of open/closed status. Additionally, further restrictions are added to the attachInternals() API to ensure that custom elements get the first chance to attach the ElementInternals interface. With this change, the attachInternals() function will throw an exception if called prior to the custom element constructor being run.
- Flash player support - Remove support for Flash Player from Chromium in alignment with Adobe's planned end of life on January 12th, 2021.
- Limit characters allowed in extensions in File System Access API file pickers - To improve security, the File System Access API's showOpenFilePicker() and showSaveFilePicker() methods will limit what characters are allowed in extensions for accepted file types. Specifically only A-Z, a-z, 0-9, + and . will be allowed, extensions can't end in .local or .lnk, and can't be more than 16 characters long.
- Make "type" optional in WakeLock.request() - Make the "type" parameter in WakeLock.request() optional and defaulting to "screen", which is the only allowed value at the moment. In other words, the following two code snippets would do the exact same thing:
navigator.wakeLock.request()
andnavigator.wakeLock.request("screen")
. - Origin-keyed agent clusters - Origin-keyed agent clusters allows developers to opt in to giving up certain cross-origin same-site access capabilities - namely synchronous scripting via document.domain, and postMessage()ing WebAssembly.Module instances. This gives the browser more flexibility in implementation technologies. In particular, in Chrome, we will use this as a hint to put the origin in its own process, subject to resource or platform limitations.
- Permissions-Policy header - The Permissions-Policy HTTP header replaces the existing Feature-Policy header for controlling delegation of permissions and powerful features. The header uses a structured syntax, and allows sites to more tightly restrict which origins can be granted access to features.
- Add RTCRtpTransceiver.stop() - Transceivers allow the sending and/or receiving of media in WebRTC. Stopping a transceiver makes it permanently inactive.
- Shared Array Buffers (SABs) on Android - Adds the JavaScript type SharedArrayBuffer to Android gated behind COOP/COEP. The concept of a SharedArrayBuffer is that a message to a worker, is posted but instead of copying the content of the array just a reference to it is shared, so that all have the same view on the shared chunk of data in the memory.
- WebAuthn: Large blob storage extension (largeBlob) - Adds support for the WebAuthn largeBlob client authenticator extension. This extension allows relying parties to store opaque data associated to a credential.
- WebXR dynamic viewport scaling - Applications can optionally render to a subset of the WebXR viewport, using a scale factor that can be changed every animation frame. This is intended to be more efficient than resizing the full framebuffer which requires reallocation, and the UA can supply a recommended scale factor based on internal heuristics.
- path() support in clip-path CSS property - So far clip-path only supported other basic shapes (circle, ellipse, polygon, url). This adds support for path() as a value.
Security Fixes in Chrome 88 Release
- Critical CVE-2021-21117: Insufficient policy enforcement in Cryptohome (reported by Rory McNamara).
- High CVE-2021-21118: Insufficient data validation in V8 (reported by Tyler Nighswander).
- High CVE-2021-21119: Use after free in Media (reported by Anonymous).
- High CVE-2021-21120: Use after free in WebSQL (reported by Nan Wang and Guang Gong).
- High CVE-2021-21121: Use after free in Omnibox (reported by Leecraso and Guang Gong).
- High CVE-2021-21122: Use after free in Blink (reported by Renata Hodovan).
- High CVE-2021-21123: Insufficient data validation in File System API (reported by Maciej Pulikowski).
- High CVE-2021-21124: Potential user after free in Speech Recognizer (reported by Chaoyang Ding).
- High CVE-2021-21125: Insufficient policy enforcement in File System API (reported by Ron Masas).
- High CVE-2020-16044: Use after free in WebRTC (reported by Ned Williamson).
- Medium CVE-2021-21126, 21127: Insufficient policy enforcement in extensions (reported by David Erceg and Jasminder Pal Singh).
- Medium CVE-2021-21128: Heap buffer overflow in Blink (reported by Liang Dong).
- Medium CVE-2021-21129, 21130, 21131: Insufficient policy enforcement in File System API (reported by Maciej Pulikowski)
- Medium CVE-2021-21132: Inappropriate implementation in DevTools (reported by David Erceg).
- Medium CVE-2021-21133: Insufficient policy enforcement in Downloads (reported by Wester0x01).
- Medium CVE-2021-21134: Incorrect security UI in Page Info (reported by Wester0x01).
- Medium CVE-2021-21135: Inappropriate implementation in Performance API (reported by ndevtk).
- Low CVE-2021-21136: Insufficient policy enforcement in WebView (reported by Shiv Sahni, Movnavinothan V, and Imdad Mohammed).
- Low CVE-2021-21137: Inappropriate implementation in DevTools (reported by bobblybear).
- Low CVE-2021-21138: Use after free in DevTools (reported by Weipeng Jiang).
- Low CVE-2021-21139: Inappropriate implementation in iframe sandbox (reported by Jun Kokatsu).
- Low CVE-2021-21140: Uninitialized Use in USB (reported by David Manouchehri).
- Low CVE-2021-21141: Insufficient policy enforcement in File System API (reported by Maciej Pulikowski).
Have fun cross-browser testing in Chrome 88!
Email this blog post to your friends or yourself!
Try Browserling!
Enter a URL to test, choose platform, browser and version, and you'll get a live interactive browser in 5 seconds!