Chrome 65 arrives with Material Design extensions page and new developer features

Google today launched Chrome 65 for Windows, Mac, Linux, and Android. Additions in this release include Material Design changes and new developer features. You can update to the latest version now using the browser’s built-in silent updater or download it directly from google.com/chrome.

With over 1 billion users, Chrome is both a browser and a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

Chrome 65 comes with a few visual changes. The most obvious is related to Google’s Material Design mantra. The extensions page has been completely reamped to follow it:

Chrome will soon also be getting updated Material design dialogues. You can test out the changes yourself by enabling the flag #secondary-ui-md in chrome://flags, or just wait until it launches in Chrome 66.

Next on the visual changes are favicons that appear next to website addresses in omnibox suggestions. This is supposed to make it easier to identify websites:

I say “supposed to” as I couldn’t get this feature to work. My dropdown menu is still full of search icon and document icons. Your mileage will vary, and this tweak will likely take a while to roll out completely.

Next up, Chrome 65 replaces the Email Page Location link in Chrome for Mac’s File menu with a Share submenu. As you might expect, Mac users can use this submenu to share the URL of a current tab via installed macOS Share Extensions.

Speaking of Macs, Chrome 65 is also the last release for OS X 10.9 users. Chrome 66 will require OS X 10.10 or later.

But one of the biggest improvements to Chrome still hasn’t arrived. Chrome 64 was supposed to stop sites from autoplaying content with sound. The feature was not turned on for that release and still has not been turned on today with Chrome 65’s launch, even though it does work in non-stable versions.

Chrome 64 included an option to completely disable audio for whole sites, which was originally scheduled for Chrome 63. Google appears to be running behind schedule — we’ll let you know when Chrome disables all autoplaying content with sound.

Moving on to developer features, Chrome 65 includes the CSS Paint API, which allows developers to programmatically generate an image, and the
Server Timing API, which allows web servers to provide performance timing information via HTTP headers. At the time of publishing, Google did not share any major changes for end users, but we’ll update you if that changes.

The CSS Paint API, also known as CSS Custom Paint, means developers can now use the new paint() function to reference a paint worklet that will draw the image. Google suggests using the API to make the DOM tree smaller and transferring significantly less data compared to an image.

The Server Timing API gives developers a more complete performance picture that includes the speed of both the client and the server. Until now, developers interested in measuring the performance of their web applications could use the Navigation Timing and Resource Timing APIs to request timing data for the document and its resources, but had no way to query the server for details about its response time to the client.

Developers will also want to know that Chrome 65 includes an update to the V8 JavaScript engine: version 6.5. The release includes an untrusted code mode, support of streaming compilation for WebAssembly code, and speed improvements. Check out the full list of changes for more information.

Other developer features in this release (some are mobile-specific):

• Developers can now use the :any-link pseudo-selector to apply CSS properties to all unvisited or visited hyperlink elements.
• The syntax for specifying HSL/HSLA and RGB/RGBA coordinates for the color property now match the CSS Color 4 spec.
• Developers can use display:contents to generate boxes for an element’s children and pseudo-elements without generating the parent box.
• To complement assignedNodes(), the <slot> element now has an assignedElements() method, which returns only the element nodes assigned to a given slot.
• Chrome now supports the HTMLAnchorElement.relList property to indicate the relationship between the resource represented by the <a> element and the current document. Thanks to Samsung for this contribution!
• Developers can now use the sync-xhr feature policy to selectively enable and disable the use of Synchronous XMLHttpRequest.
• To match compatibility with the TLS spec, Chrome now supports the draft-23 version of the TLS 1.3 protocol.
• Developers can use Request.destination to evaluate which resource their service worker is fetching.
• As WebIDL was deprecated, PerformanceResourceTiming, PerformanceLongTaskTiming, and TaskAttributionTiming now support the toJSON method to convert objects to JSON.
• To protect users against cross-origin information leakage, Chrome will ignore the presence of the download attribute on anchor elements with cross-origin attributes.
• To match compatibility with the HTML spec, document.all is no longer overwritable.
• As previously announced, Chrome 65 will not trust certificates issued from Symantec’s Legacy PKI after December 1st, 2017, and will result in interstitials. This will only affect site operators who explicitly opted-out of the transition from Symantec’s Legacy PKI to DigiCert’s new PKI, and does not apply to the previously disclosed independent sub-CAs from this infrastructure.

For a full rundown of what’s new, check out the Chrome 65 milestone hotlist.

Chrome 65 also implements 45 security fixes. The following ones were found by external researchers:

• [$ 5000][758848] High CVE-2018-6058: Use after free in Flash. Reported by JieZeng of Tencent Zhanlu Lab on 2017-08-25
• [$ 5000][758863] High CVE-2018-6059: Use after free in Flash. Reported by JieZeng of Tencent Zhanlu Lab on 2017-08-25
• [$ 3000][780919] High CVE-2018-6060: Use after free in Blink. Reported by Omair on 2017-11-02
• [$ 3000][794091] High CVE-2018-6061: Race condition in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2017-12-12
• [$ 1000][780104] High CVE-2018-6062: Heap buffer overflow in Skia. Reported by Anonymous on 2017-10-31
• [$ N/A][789959] High CVE-2018-6057: Incorrect permissions on shared memory. Reported by Gal Beniamini of Google Project Zero on 2017-11-30
• [$ N/A][792900] High CVE-2018-6063: Incorrect permissions on shared memory. Reported by Gal Beniamini of Google Project Zero on 2017-12-07
• [$ N/A][798644] High CVE-2018-6064: Type confusion in V8. Reported by lokihardt of Google Project Zero on 2018-01-03
• [$ N/A][808192] High CVE-2018-6065: Integer overflow in V8. Reported by Mark Brand of Google Project Zero on 2018-02-01
• [$ 4000][799477] Medium CVE-2018-6066: Same Origin Bypass via canvas. Reported by Masato Kinugawa on 2018-01-05
• [$ 2000][779428] Medium CVE-2018-6067: Buffer overflow in Skia. Reported by Ned Williamson on 2017-10-30
• [$ 2000][798933] Medium CVE-2018-6068: Object lifecycle issues in Chrome Custom Tab. Reported by Luan Herrera on 2018-01-04
• [$ 1500][799918] Medium CVE-2018-6069: Stack buffer overflow in Skia. Reported by Wanglu & Yangkang(@dnpushme) of Qihoo360 Qex Team on 2018-01-08
• [$ 1000][668645] Medium CVE-2018-6070: CSP bypass through extensions. Reported by Rob Wu on 2016-11-25
• [$ 1000][777318] Medium CVE-2018-6071: Heap bufffer overflow in Skia. Reported by Anonymous on 2017-10-23
• [$ 1000][791048] Medium CVE-2018-6072: Integer overflow in PDFium. Reported by Atte Kettunen of OUSPG on 2017-12-01
• [$ 1000][804118] Medium CVE-2018-6073: Heap bufffer overflow in WebGL. Reported by Omair on 2018-01-20
• [$ 1000][809759] Medium CVE-2018-6074: Mark-of-the-Web bypass. Reported by Abdulrahman Alqabandi (@qab) on 2018-02-06
• [$ 500][608669] Medium CVE-2018-6075: Overly permissive cross origin downloads. Reported by Inti De Ceukelaire (intigriti.com) on 2016-05-03
• [$ 500][758523] Medium CVE-2018-6076: Incorrect handling of URL fragment identifiers in Blink. Reported by Mateusz Krzeszowiec on 2017-08-24
• [$ 500][778506] Medium CVE-2018-6077: Timing attack using SVG filters. Reported by Khalil Zhani on 2017-10-26
• [$ 500][793628] Medium CVE-2018-6078: URL Spoof in OmniBox. Reported by Khalil Zhani on 2017-12-10
• [$ TBD][788448] Medium CVE-2018-6079: Information disclosure via texture data in WebGL. Reported by Ivars Atteka on 2017-11-24
• [$ N/A][792028] Medium CVE-2018-6080: Information disclosure in IPC call. Reported by Gal Beniamini of Google Project Zero on 2017-12-05
• [$ 1000][797525] Low CVE-2018-6081: XSS in interstitials. Reported by Rob Wu on 2017-12-24
• [$ N/A][767354] Low CVE-2018-6082: Circumvention of port blocking. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-09-21
• [$ N/A][771709] Low CVE-2018-6083: Incorrect processing of AppManifests. Reported by Jun Kokatsu (@shhnjk) on 2017-10-04
• [819271] Various fixes from internal audits, fuzzing and other initiatives

Google thus spent at least $ 34,500 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.

Google releases a new version of its browser every six weeks or so. Chrome 66 will arrive by mid-April.

Chrome 65 for Android was also released today with the following changelog:

• Set language preferences for web content in Settings > Languages
• Turn on the prompt for simplified view for all supported articles in Settings > Accessibility settings
• Share and delete downloads more easily on the Downloads page

That update is rolling out gradually over the next few weeks via Google Play.