Posted on March 3, 2021
Excellent news - Chrome 89 was released today by Google. Once we read the news, we rushed to install it to our virtual browser platform. You can start testing your applications in the new version starting now.
What's New in Chrome 89
- WebHID, WebNFC, and Web Serial are now available.
- Closed a loophole a few developers used to skirt the PWA installability checks.
- The arrival of Web Share and Web Share Target.
- Chrome now allows top level await within JavaScript modules.
- Updated icon shown in the omnibox for installable PWAs.
- Allowed users to sign up for the Digital Goods API origin trial if they have used a Trusted Web Activity to make their PWA available in the Play Store for Chrome OS.
- Removal of legacy prefixed events (webkitprerenderstart, webkitprerenderstop, webkitprerenderload, and webkitprerenderdomcontentloaded) dispatched on <link rel=prerender>.
- Stopped cloning sessionStorage for windows opened with noopener.
- Dropped support for older x86 processors that don't support SSE3.
Detailed Changes in Chrome 89
- SameParty cookie attribute - Allows sites to indicate which cookies are allowed to be set or sent in contexts where all ancestor frames belong to the same First-Party Set.
- CSS keywords 'disclosure-open' and 'disclosure-closed' - CSS property 'list-style-type' supports two new keywords 'disclosure-open' and 'disclosure-closed'. In an element with display:list-item, the disclosure-open keyword shows a symbol indicating a widget like <details> is opened. The disclosure-closed keyword shows a symbol indicating a widget like <details> is closed.
- Use 'display: list-item' for <summary> by default - The default value of CSS display property for <summary> is changed to list-item from block.
- Encode CBR audio files with MediaRecorder - Adds support for hard constant bitrate (CBR) mode of the Opus encoder when CBR mode is used for MediaRecorder. Without this change it is impossible to encode compressed constant bitrate audio files with the MediaRecorder.
- Always fallback to network in AppCache controlled pages - All AppCache manifests are treated as if they contain "*" in their network section. This effectively means that we will always fallback to the network if a resource is not otherwise specified in the AppCache manifest.
- CSS ::target-text pseudo-element - Added a highlight pseudo-element to allow authors to style scroll-to-text fragments different from the default UA highlighting.
- CSS flow-relative corner rounding properties - Added support for the flow-relative corner-rounding properties following CSS logical properties and values spec. The following logical properties are now included: border-start-start-radius, border-start-end-radius, border-end-start-radius, and border-end-end-radius.
- Cross-origin opener policy reporting API - Adds a reporting API to help developers deploy cross-origin opener policy.
- Element Reflection - This feature allows for ARIA relationship attributes to be reflected in IDL as element references rather than DOMStrings.
- Expose ReadableStreamDefaultController interface - The Streams APIs provide ubiquitous, interoperable primitives for creating, composing, and consuming streams of data. Chrome now exposes the ReadableStreamDefaultController interface on the global object, as with the other ReadableStream-related classes. This will align Blink with the current version of the Streams API Standard and consensus among the developer community.
- Federated Learning of Cohorts - The FLoC API would enable ad-targeting based on the user's general browsing interest, without the websites knowing their exact browsing history. In today's web, people's interests are typically inferred based on observing what sites or pages they visit, which relies on tracking techniques like third-party cookies. User privacy could be better protected if this can be accomplished without needing to collect a particular individual's exact browsing history.
- First-party sets - Introduces a mechanism by which a set of registrable domains (a "First-Party Set") can declare themselves to be the same "party" or entity, such as web properties owned by the same company, or domains with different ccTLDs used by the same website. A First-Party Set applies to all HTTPS origins with a registrable domain that is the owner or a member element of the set. This proposal is for a simplified initial prototype.
- Forced colors mode - Adds the 'forced-colors' media feature, which is used to detect if the user agent has enabled a forced colors mode where it enforces a user-chosen limited color palette on the page. Adds the 'forced-color-adjust' property, which allows authors to opt particular elements out of forced colors mode, restoring full control over the colors to CSS.
- Import maps - Import maps allows control over what URLs get fetched by JavaScript import statements and import() expressions.
- Network State Partitioning - Partition network state by the network partition key (which consists of top frame site and possibly frame site), to protect against cross-site tracking through the use of side channels. "Network State" here includes connections (H1, H2, H3, websocket), the DNS cache, ALPN/H2 support data, TLS/H3 resumption information, Reporting/NEL configuration and uploads, and Expect-CT information.
- Remove prefixed events for <link rel=prerender> - Remove legacy prefixed events (webkitprerenderstart, webkitprerenderstop, webkitprerenderload, and webkitprerenderdomcontentloaded) dispatched on <link rel=prerender>.
- Schemeful same-site - Modifies the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. For example, http://site.example and https://site.example will now be considered cross-site to each other.
- Sec-CH-UA Client Hints - The set of Sec-CH-UA-* client hints aims to deprecate and replace the User-Agent header in order to reduce the passive fingerprinting surface we expose via HTTP requests.
- Stop cloning sessionStorage for windows opened with noopener - When a window is opened with noopener, Chrome should not clone the sessionStorage of its opener; it should instead start from an empty sessionStorage namespace.
- Streams API: Byte Streams - The streams APIs provide ubiquitous, interoperable primitives for creating, composing, and consuming streams of data. For streams representing bytes, an extended version of the readable stream is provided to handle bytes efficiently, in particular by minimizing copies.
- Support for full 'filter' property syntax on SVG elements - Allows the full syntax of the 'filter' property to be used on SVG elements which previously only supported single url(...) references. This allows filter functions such as blur(...), sepia(...), and grayscale(...) to apply to SVG elements as well as non-SVG elements. It makes the platform support for 'filter' more uniform and allows for easier application of some "canned" effects.
- Top-level await - Allow the await keyword at the top-level within JavaScript modules.
- Web NFC - Web NFC aims to provide sites the ability to read and write to NFC tags when they are brought in close proximity to the user's device (usually 5-10 cm, 2-4 inches). The current scope is limited to NDEF, a lightweight binary message format. Low-level I/O operations (e.g. ISO-DEP, NFC-A/B, NFC-F) and Host-based Card Emulation (HCE) are not supported within the current scope.
- Web Serial API - The Serial API provides an interface for connecting to serial devices, either through a serial port on the user's system or removable USB and Bluetooth devices that emulate a serial port. This API has been requested by the hardware developer community, especially developers building educational tools, as a companion to the WebUSB API because operating systems require applications to communicate with USB-based serial ports using their higher-level serial API rather than the low-level USB API.
- Web Share API - Web Share is an API for sharing data (text, URLs, images) from the web to an app of the user's choosing.
- Web Share API Level 2 - Web Share API Level 2 allows sharing of files from the web to an app of the user's choosing. The API enables web developers to build share buttons that display the same system share dialog boxes used by native applications. Level 1 enabled system share dialogs; however only text and urls could previously be shared.
- Web Share Target - Web Share Target allows websites to receive shared data (text, URLs, images) and register to be choosable by the user as targets from sharing contexts, including (but not limited to) Web Share.
- Web Share Target Level 2 - Installed web applications can now receive file shares, e.g. images. Using the manifest, the web application can declare which MIME types and/or file extensions it accepts.
- WebAuthentication API: ResidentKeyRequirement and credProps extension - Adds support for the AuthenticatorSelectionCriteria.residentKey property to specify during Web Authentication API (WebAuthn) credential registration whether a client-side discoverable credential should be created. Also adds support for the WebAuthn "credProps" extension, which indicates to the Relying Party whether a created credential is client-side discoverable.
- WebHID (Human Interface Device) - Enables web applications to interact with human interface devices (HIDs) other than the standard supported devices (mice, keyboards, touchscreens, and gamepads). However, there are many other HID devices that are currently inaccessible to the web. This API allows web applications to request access to these devices, send and receive HID reports, and retrieve information about the report descriptor.
- Value navigator.webdriver is false when automation is not enabled. - Prior to this change, Chromium only exposed navigator.webdriver when the browser was being automated. However, other browsers expose it unconditionally per the spec, with the value false in case the browser is not being automated.
- New web manifest field 'display_override' - Adds a new advanced field to the web manifest, "display_override", where a developer with special requirements can specify an explicit display fallback chain they would like applied.
- Add performance.measureUserAgentSpecificMemory() - The feature adds a performance.measureUserAgentSpecificMemory() function that estimates the memory usage of the web page. The website needs to be cross-origin isolated to use the API.
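To see what the Schemeful same-site item in the list above means for SameSite cookies, here is an added example (not Chrome's code and not part of the original post) that compares the old and new same-site rule for three constructed requests. It assumes the registrable domain is the last two host labels, which only holds for single-label suffixes such as .example; the request objects and function names are made up for illustration.

```javascript
// Added example, not Chrome's implementation.
// Assumption: registrable domain = last two host labels. Real code must use
// the Public Suffix List.
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

function registrableDomain(hostname) {
  return hostname.toLowerCase().replace(/\.$/, '').split('.').slice(-2).join('.');
}

// "Site" of a URL: registrable domain alone (old rule), or scheme plus
// registrable domain (schemeful rule).
function siteOf(urlString, schemeful) {
  const url = new URL(urlString);
  const domain = registrableDomain(url.hostname);
  return schemeful ? `${url.protocol}//${domain}` : domain;
}

function isSameSite(a, b, schemeful) {
  return siteOf(a, schemeful) === siteOf(b, schemeful);
}

// Would a cookie with this SameSite value accompany the request?
// Only Strict and Lax are modelled here.
function cookieSent(sameSite, req, schemeful) {
  if (sameSite !== 'Strict' && sameSite !== 'Lax') {
    throw new Error(`unsupported SameSite value: ${sameSite}`);
  }
  if (isSameSite(req.initiator, req.target, schemeful)) return true;
  // Cross-site: Lax cookies go only with top-level navigations using a safe method.
  return sameSite === 'Lax' && req.topLevelNavigation && SAFE_METHODS.includes(req.method);
}

// Constructed sample requests.
const REQUESTS = {
  linkClick: { initiator: 'http://site.example/', target: 'https://site.example/account',
               method: 'GET', topLevelNavigation: true },
  formPost: { initiator: 'http://site.example/form', target: 'https://site.example/submit',
              method: 'POST', topLevelNavigation: true },
  subresource: { initiator: 'https://site.example/', target: 'https://cdn.site.example/logo.png',
                 method: 'GET', topLevelNavigation: false },
};

// Cookie decision under the old rule (before) and the schemeful rule (after).
function compare(sameSite, name) {
  const req = REQUESTS[name];
  return { before: cookieSent(sameSite, req, false), after: cookieSent(sameSite, req, true) };
}

for (const name of Object.keys(REQUESTS)) {
  console.log(name, 'Strict', compare('Strict', name), 'Lax', compare('Lax', name));
}
```

The rows that differ between before and after are the ones to retest on sites that still serve some pages over http.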
Security Fixes in Chrome 89 Release
- High CVE-2021-21159: Heap buffer overflow in TabStrip (reported by Khalil Zhani).
- High CVE-2021-21160: Heap buffer overflow in WebAudio (reported by Marcin 'Icewall' Noga).
- High CVE-2021-21161: Heap buffer overflow in TabStrip (reported by Khalil Zhani).
- High CVE-2021-21162: Use after free in WebRTC (reported by Anonymous).
- High CVE-2021-21163: Insufficient data validation in Reader Mode (reported by Alison Huffman).
- High CVE-2021-21164: Insufficient data validation in Chrome for iOS (reported by Muneaki Nishimura).
- High CVE-2021-21165, 21166: Object lifecycle issue in audio (reported by Alison Huffman).
- Medium CVE-2021-21167: Use after free in bookmarks (reported by Leecraso and Guang Gong).
- Medium CVE-2021-21168: Insufficient policy enforcement in appcache (reported by Luan Herrera).
- Medium CVE-2021-21169: Out of bounds memory access in V8 (reported by Bohan Liu and Moon Liang).
- Medium CVE-2021-21170: Incorrect security UI in Loader (reported by David Erceg).
- Medium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation (reported by Irvan Kurniawan).
- Medium CVE-2021-21172: Insufficient policy enforcement in File System API (reported by Maciej Pulikowski).
- Medium CVE-2021-21173: Side-channel information leakage in Network Internals (reported by Tom Van Goethem).
- Medium CVE-2021-21174: Inappropriate implementation in Referrer (reported by Ashish Gautam Kamble).
- Medium CVE-2021-21175: Inappropriate implementation in Site isolation (reported by Jun Kokatsu).
- Medium CVE-2021-21176: Inappropriate implementation in full screen mode (reported by Luan Herrera).
- Medium CVE-2021-21177: Insufficient policy enforcement in Autofill (reported by Abdulrahman Alqabandi).
- Medium CVE-2021-21178: Inappropriate implementation in Compositing (reported by Japong).
- Medium CVE-2021-21179: Use after free in Network Internals (reported by Anonymous).
- Medium CVE-2021-21180: Use after free in tab search (reported by Abdulrahman Alqabandi).
- Medium CVE-2020-27844: Heap buffer overflow in OpenJPEG (reported by Sean Campbell).
- Medium CVE-2021-21181: Side-channel information leakage in autofill (reported by Xu Lin, Panagiotis Ilia, and Jason Polakis).
- Low CVE-2021-21182: Insufficient policy enforcement in navigations (reported by Luan Herrera).
- Low CVE-2021-21183, 21184: Inappropriate implementation in performance APIs (reported by Takashi Yoneuchi and James Hartig).
- Low CVE-2021-21185: Insufficient policy enforcement in extensions (reported by David Erceg).
- Low CVE-2021-21186: Insufficient policy enforcement in QR scanning (reported by Dhirajkumarnifty).
- Low CVE-2021-21187: Insufficient data validation in URL formatting (reported by Kirtikumar Anandrao Ramchandani).
- Low CVE-2021-21188: Use after free in Blink (reported by Woojin Oh).
- Low CVE-2021-21189: Insufficient policy enforcement in payments (reported by Khalil Zhani).
- Low CVE-2021-21190: Uninitialized Use in PDFium (reported by Zhou Aiting).
Have fun cross-browser testing in Chrome 89!