Google today launched Chrome 64 for Windows, Mac, and Linux. Additions in this release include a stronger pop-up blocker and a slew of developer features. You can update to the latest version now using the browser’s built-in silent updater or download it directly from google.com/chrome.
Chrome is arguably more than a browser. With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.
First up, Chrome 64 has a stronger pop-up blocker that prevents sites with abusive experiences from opening new tabs or windows. These include third-party websites disguised as play buttons, other site controls, or even transparent overlays on websites that capture all clicks. If you’re a site owner, you can use the Abusive Experiences Report in the Google Search Console to see if your site has been found with abusive experiences.
Chrome 64 also brings support for the Resize Observer API, which gives web applications finer control over changes to sizes of elements on a page. Responsive web apps currently use CSS media queries or window.onresize to build responsive components that adapt to different viewport sizes, but these are both global signals and require the overall viewport to change in order for the site to respond accordingly.
Chrome now also supports the import.meta property within JavaScript modules, which exposes the module URL via import.meta.url. This is useful to developers writing JavaScript modules who want access to host-specific metadata about the current module, and to library authors who want to access the URL of the module being bundled into the library.
Developers will also want to know that Chrome 64 includes an update to the V8 JavaScript engine: version 6.4. You can expect the usual speed and memory improvements, plus new ECMAScript language features. Check out the summary of API changes for more information.
Chrome 64 was supposed to stop sites from autoplaying content with sound. We tested this and it appears the feature has not been turned on, even though it does work in non-stable versions.
Chrome 63 was supposed to include an option to completely disable audio for whole sites. It didn’t make it into that version, but it is available in Chrome 64, so it’s possible Google might simply be running behind schedule. Presumably by Chrome 65, if not sooner, Google’s browser will disable all autoplaying content with sound.
Other developer features in this release (some are mobile-specific):
- The offset-path property can be used to animate an element by specifying the geometry of the path that an element moves along.
- Developers can now use the text-decoration-skip-ink CSS property to control how overlines and underlines are drawn when they cross over a glyph.
- Coordinates of PointerEvent with pointerType=mouse are now fractional, resulting in more precise mouse measurements.
- To improve developer experience, Chrome now supports named captures in regular expressions, allowing developers to assign meaningful names to portions of a string that a regular expression matches.
- Chrome now supports the Unicode property escapes \p{…} and \P{…} for regular expressions that have the u flag set, allowing developers to create more powerful Unicode-aware regular expressions.
- To assist with locale-aware formatting of strings produced by internationalization formatters, developers can now use Intl.NumberFormat.prototype.formatToParts() to format a number to a list of tokens and their type. Thanks to Igalia for helping make this happen!
- Matching other browser implementations, Chrome now sets the default preload value for <video> and <audio> elements to metadata in order to reduce bandwidth and resource usage by only loading resource metadata and not the media resource itself.
- Chrome now supports HDR video playback when Windows 10 is in HDR mode, enabling developers to provide users with HDR VP9 Profile 2 10-bit videos.
- To support compatibility with the HTML Spec, Chrome now throws a “NotSupportedError” DOMException when a media element’s playbackRate is set to a value not supported by Chrome, like negative values.
- Chrome now supports the Media Capabilities API in Origin Trials, enabling developers to know whether an audio or video playback will be smooth and power-efficient based on previous performance statistics.
- To match the Media Capture and Streams spec, getUserMedia() returns a rejected Promise with DOMException or OverconstrainedError when there is an error.
- Developers can now use the cache option to specify the cache mode of a Request.
- Developers can now use Request.prototype.cache to view the cache mode of a Request and determine whether a request is a reload request.
- To better align with the Permissions API spec, the Permissions API can now be used to query the status of the camera and microphone permissions.
- In Focus Management APIs, developers can now focus an element without scrolling to it by using the preventScroll attribute.
- To allow developers to transform and change position of transformed SVG elements, Chrome now supports transform-box for SVG elements. Thanks to Opera for making this happen!
- AudioWorklet, an API that exposes low-level audio processing capability to support custom AudioNodes, is now available in origin trials and behind the experimental flag.
- To align with the WebRTC 1.0 spec, RTCPeerConnection now supports addTrack() for single stream use cases, as well as removeTrack(), getSenders(), ontrack, and a minimal version of the RTCRtpSender interface.
- To improve interoperability and end user experience, window.alert() no longer brings a backgrounded tab to the foreground but instead shows the alert when the user switches to the background tab.
- Similar to macOS, Chrome notifications sent through the Notifications API or chrome.notifications on Linux are now shown directly by the Linux native notification system.
- To align with the spec, getMatchedCSSRules has been removed and developers can use the Blink polyfill instead.
- Following the deprecation in Chrome 45, elements can no longer host more than one Shadow Root.
- To encourage adoption of standardized loading metrics API such as Navigation Timing 2, nextHopProtocol, and Paint Timing API, Chrome is deprecating the non-standardized chrome.loadTimes API.
For what’s new in the browser’s DevTools, check out the release notes.
Chrome 64 also implements x security fixes. The following ones were found by external researchers:
- [$ 3000][780450] High CVE-2018-6031: Use after free in PDFium. Reported by Anonymous on 2017-11-01
- [$ 2000][787103] High CVE-2018-6032: Same origin bypass in Shared Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-20
- [$ 1000][793620] High CVE-2018-6033: Race when opening downloaded files. Reported by Juho Nurminen on 2017-12-09
- [$ 4000][784183] Medium CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein (www.trapkit.de) on 2017-11-12
- [$ 2500][797500] Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
- [$ 2000][789952] Medium CVE-2018-6036: Integer underflow in WebAssembly. Reported by The UK’s National Cyber Security Centre (NCSC) on 2017-11-30
- [$ 1000][753645] Medium CVE-2018-6037: Insufficient user gesture requirements in autofill. Reported by Paul Stone of Context Information Security on 2017-08-09
- [$ 1000][774174] Medium CVE-2018-6038: Heap buffer overflow in WebGL. Reported by cloudfuzzer on 2017-10-12
- [$ 1000][775527] Medium CVE-2018-6039: XSS in DevTools. Reported by Juho Nurminen on 2017-10-17
- [$ 1000][778658] Medium CVE-2018-6040: Content security policy bypass. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-10-26
- [$ 500][760342] Medium CVE-2018-6041: URL spoof in Navigation. Reported by Luan Herrera on 2017-08-29
- [$ 500][773930] Medium CVE-2018-6042: URL spoof in OmniBox. Reported by Khalil Zhani on 2017-10-12
- [$ 500][785809] Medium CVE-2018-6043: Insufficient escaping with external URL handlers. Reported by 0x09AL on 2017-11-16
- [$ TBD][797497] Medium CVE-2018-6045: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
- [$ TBD][798163] Medium CVE-2018-6046: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-31
- [$ TBD][799847] Medium CVE-2018-6047: Cross origin URL leak in WebGL. Reported by Masato Kinugawa on 2018-01-08
- [$ 500][763194] Low CVE-2018-6048: Referrer policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-09-08
- [$ 500][771848] Low CVE-2017-15420: URL spoofing in Omnibox. Reported by Drew Springall (@_aaspring_) on 2017-10-05
- [$ 500][774438] Low CVE-2018-6049: UI spoof in Permissions. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-10-13
- [$ 500][774842] Low CVE-2018-6050: URL spoof in OmniBox. Reported by Jonathan Kew on 2017-10-15
- [$ N/A][441275] Low CVE-2018-6051: Referrer leak in XSS Auditor. Reported by Antonio Sanso (@asanso) on 2014-12-11
- [$ N/A][615608] Low CVE-2018-6052: Incomplete no-referrer policy implementation. Reported by Tanner Emek on 2016-05-28
- [$ N/A][758169] Low CVE-2018-6053: Leak of page thumbnails in New Tab Page. Reported by Asset Kabdenov on 2017-08-23
- [$ N/A][797511] Low CVE-2018-6054: Use after free in WebUI. Reported by Rob Wu on 2017-12-24
- [805285] Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $ 22,000 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
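The named capture groups listed among the developer features above are enough to turn the security entries in this list into structured records for patch triage. This is an added example, not part of the original article: the function names are hypothetical and the sample lines are copied from the list above.

```javascript
// Added example, not from the article: parseAdvisoryLine() and summarize()
// are hypothetical names. SAMPLE lines are copied from the list above.
const ENTRY = new RegExp(
  String.raw`^- \[\$ ?(?<bounty>\d[\d,]*|TBD|N/[Aa])\]\[(?<bug>\d+)\] ` +
  String.raw`(?<severity>Critical|High|Medium|Low) (?<cve>CVE-\d{4}-\d{4,}): ` +
  String.raw`(?<summary>.+?)\. Reported by (?<reporter>.+) on ` +
  String.raw`(?<date>\d{4}-\d{2}-\d{2})$`
);

function parseAdvisoryLine(line) {
  const m = ENTRY.exec(line.trim());
  if (!m) return null; // e.g. the internal-audit roll-up line carries no CVE
  const { bounty, bug, severity, cve, summary, reporter, date } = m.groups;
  // "TBD" and "N/A" mean no amount was published: keep that distinct from $0.
  const bountyUsd = /^\d/.test(bounty) ? Number(bounty.replace(/,/g, "")) : null;
  return { bug: Number(bug), severity, cve, summary, reporter, date, bountyUsd };
}

function summarize(lines) {
  const parsed = [];
  const skipped = []; // kept so unparsed lines get a human look, not dropped
  for (const line of lines) {
    const entry = parseAdvisoryLine(line);
    if (entry) parsed.push(entry); else skipped.push(line);
  }
  const bySeverity = {};
  let knownBountyUsd = 0;
  for (const e of parsed) {
    bySeverity[e.severity] = (bySeverity[e.severity] || 0) + 1;
    knownBountyUsd += e.bountyUsd || 0;
  }
  return { parsed, skipped, bySeverity, knownBountyUsd };
}

const SAMPLE = [
  "- [$ 3000][780450] High CVE-2018-6031: Use after free in PDFium. Reported by Anonymous on 2017-11-01",
  "- [$ 4000][784183] Medium CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein (www.trapkit.de) on 2017-11-12",
  "- [$ TBD][797497] Medium CVE-2018-6045: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23",
  "- [$ N/A][615608] Low CVE-2018-6052: Incomplete no-referrer policy implementation. Reported by Tanner Emek on 2016-05-28",
  "- [805285] Various fixes from internal audits, fuzzing and other initiatives",
];

console.log(summarize(SAMPLE));
```

Named groups require a JavaScript engine at least as new as the V8 shipped in Chrome 64; older engines reject the pattern with a SyntaxError.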
Google releases a new version of its browser every six weeks or so. Chrome 64 will arrive by late January.
In related news, Google released Chrome 64 for Android yesterday. In addition to the usual performance and stability improvements, this version has the same stronger ad blocker as the desktop version that prevents sites with abusive ad experiences from opening new windows or tabs.