Google today launched Chrome 77 for Windows, Mac, Linux, Android and iOS. This release includes new performance metrics, new features, and Origin Trials. You can now update to the latest version using Chrome's built-in updater, or download it directly from

With more than one billion users, Chrome is both a browser and a major platform that Web developers must take into account. In fact, with the usual additions and changes to Chrome, developers often have to master everything that's available, as well as what's been deprecated or deleted. Chrome 77, for example, removes credit card issuer networks as payment method names (such as "amex", "mastercard", and "visa").

Performance metrics, forms and Origin Trials

Google is obsessed with accelerating the Web and Chrome is its main tool. Chrome 77 introduces two new performance metrics to help developers measure how quickly the main content of a web page loads and is visible to users.

The first addition is Largest Contentful Paint, which attempts to provide more meaningful data by using the largest content element as a proxy for when the main content of the page is likely to be visible to users.

The second is the PerformanceEventTiming interface, which provides timing information on the latency of the first discrete user interaction. Specifically, Chrome measures key down, mouse down, click, or the combination of pointer down and pointer up. It is a subset of the EventTiming API, but can be exposed in advance to help measure and optimize responsiveness.

Chrome 77 also added two new features that support custom form controls. The formdata event, which is fired on the form element, allows sites to use JavaScript instead of hidden elements to add data to a form. The event passed to the handler includes a FormData object containing the submitted data, which can now be modified.

Finally, Chrome 77 also introduces Origin Trials that allow you to try out new features and give feedback on usability, practicality and effectiveness to the web standards community. The first new feature is the Contact Picker API, an on-demand picker that allows users to select entries from their contact list and share limited details of the selected entries with a website.

Business Features

Chrome 77 includes site isolation enhancements to protect cross-site data, such as cookies and HTTP resources, from attacker-controlled websites. Site isolation will now also be enabled on some Android devices for sites where mobile users enter passwords.

IT administrators can now set the URL of an XML file listing URLs that should never trigger a browser switch, using the BrowserSwitcherExternalGreylistUrl policy. There is also a new chrome://browser-switch/internals page to verify that the Legacy Browser Support rules are being applied.

Chrome 77 also offers an updated first-run experience that sets up new users with the most popular Google services (Gmail, YouTube, Google Maps, News, and Google Translate). It also prompts you to set Chrome as the default browser. You can disable it with the PromotionalTabsEnabled policy.

The new version also allows you to start Chrome in guest mode by default using the --guest command-line flag or the new BrowserGuestModeEnforced policy. In guest browsing, browsing activity is not written to disk and does not persist between browser sessions.

Android and iOS

Chrome 77 for Android is slowly rolling out on Google Play, but the full changelog is not yet available.

Chrome 77 for iOS is being deployed on the Apple App Store. It includes four improvements:

  • A new language settings page, giving you greater control over the languages for which Chrome offers translations.
  • You can erase your browsing data from a specific time range, such as the past hour or the past day.
  • Omnibox suggestions are easier to read with thumbnails and added icons.
  • Easily close tabs that maliciously display JavaScript dialogs.

Making sure that only languages you do not understand get translated should be convenient for polyglots. For everyone else, there are more granular controls for clearing browser data.

Security patches

Chrome 77 implements 52 security patches. The following were discovered by external researchers:

  • [$TBD][999311] Critical CVE-2019-5870: Use after free in media. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-08-29
  • [$7500][990570] High CVE-2019-5871: Heap overflow in Skia. Reported by Anonymous on 2019-08-03
  • [$3000][981492] High CVE-2019-5872: Use after free in Mojo. Reported by Zhe Jin Luyao Liu (路遥) from Chengdu Security Response Center at Qihoo 360 on 2019-07-05
  • [$3000][989497] High CVE-2019-5873: Address bar spoofing on iOS. Reported by Khalil Zhani on 2019-07-31
  • [$3000][989797] High CVE-2019-5874: External URIs can trigger other browsers. Reported by James Lee (@Windowsrcer) on 2019-08-01
  • [$2000][979443] High CVE-2019-5875: URL bar spoofing via download redirection. Reported by Khalil Zhani on 2019-06-28
  • [$TBD][997190] High CVE-2019-5876: Use after free in media. Reported by Man Yue Mo of the Semmle Security Research Team on 2019-08-23
  • [$TBD][999310] High CVE-2019-5877: Out-of-bounds access in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-08-29
  • [$TBD][1000217] High CVE-2019-5878: Use after free in V8. Reported by Guang Gong of the Alpha Team, Qihoo 360 on 2019-09-03
  • [$3000][986043] Medium CVE-2019-5879: An extension can bypass the same-origin policy. Reported by Jinseo Kim on 2019-07-20
  • [$2000][831725] Medium CVE-2019-5880: SameSite cookie bypass. Reported by Jun Kokatsu (@shhnjk) on 2018-04-11
  • [$2000][980816] Medium CVE-2019-5881: Arbitrary read in SwiftShader. Reported by Zhe Jin Luyao Liu (路遥) from the Chengdu Security Response Center at Qihoo 360 on 2019-07-03
  • [$1000][868846] Medium CVE-2019-13659: URL spoofing. Reported by Lnyas Zhang on 2018-07-30
  • [$1000][882363] Medium CVE-2019-13660: Overlapping full-screen notifications. Reported by Wenxu Wu (@ma7h1as) from Tencent Security Xuanwu Lab on 2018-09-10
  • [$1000][882812] Medium CVE-2019-13661: Full-screen notification spoofing. Reported by Wenxu Wu (@ma7h1as) from Tencent Security Xuanwu Lab on 2018-09-11
  • [$1000][967780] Medium CVE-2019-13662: CSP bypass. Reported by David Erceg on 2019-05-28
  • [$500][863661] Medium CVE-2019-13663: IDN spoofing. Reported by Lnyas Zhang on 2018-07-14
  • [$500][915538] Medium CVE-2019-13664: CSRF bypass. Reported by thomas "zemnmez" shadwell on 2018-12-16
  • [$500][959640] Medium CVE-2019-13665: Bypass of the multiple file download protection. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-05-05
  • [$500][960305] Medium CVE-2019-13666: Side channel using a storage size estimate. Reported by Tom Van Goethem from imec-DistriNet, KU Leuven on 2019-05-07
  • [$500][973056] Medium CVE-2019-13667: URI bar spoofing when using URIs from external applications. Reported by Khalil Zhani on 2019-06-11
  • [$500][986393] Medium CVE-2019-13668: Global window leak via the console. Reported by David Erceg on 2019-07-22
  • [$N/A][968451] Medium CVE-2019-13669: HTTP authentication spoofing. Reported by Khalil Zhani on 2019-05-30
  • [$N/A][980891] Medium CVE-2019-13670: V8 memory corruption in regex. Reported by Guang Gong of the Alpha Team, Qihoo 360 on 2019-07-03
  • [$TBD][696454] Medium CVE-2019-13671: The dialog box does not indicate the origin. Reported by xisigr from Xuanwu Lab of Tencent on 2017-02-27
  • [$TBD][997925] Medium CVE-2019-13673: Cross-origin information leak using devtools. Reported by David Erceg on 2019-08-26
  • [$500][896533] Low CVE-2019-13674: IDN spoofing. Reported by Khalil Zhani on 2018-10-18
  • [$500][929578] Low CVE-2019-13675: Extensions can be disabled by a trailing slash. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-07
  • [$TBD][875178] Low CVE-2019-13676: Google URI shown for the certificate warning. Reported by Wenxu Wu (@ma7h1as) from Tencent Security Xuanwu Lab on 2018-08-17
  • [$TBD][939108] Low CVE-2019-13677: The Chrome Web Store origin needs to be isolated. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-03-06
  • [$TBD][946633] Low CVE-2019-13678: Dialog box spoofing. Reported by Ronni Skansing on 2019-03-27
  • [$TBD][968914] Low CVE-2019-13679: User gesture required for printing. Reported by Conrad Irwin, superhuman on 2019-05-31
  • [$TBD][969684] Low CVE-2019-13680: IP address spoofing to servers. Reported by Thijs Alkemade from Computest on 2019-06-03
  • [$TBD][970378] Low CVE-2019-13681: Bypass of download restrictions. Reported by David Erceg on 2019-06-04
  • [$TBD][971917] Low CVE-2019-13682: Bypassing the site. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-06-07
  • [$TBD][987502] Low CVE-2019-13683: Exceptions leaked by devtools. Reported by David Erceg on 2019-07-25
  • [1002279] Various fixes resulting from internal audits, fuzzing and other initiatives

Google has spent at least $33,500 in bug bounties for this release. As always, security patches alone should provide sufficient incentive for the upgrade.

Developer features

Other development features in this release include:

  • Enter key hint: The enterkeyhint content attribute is an enumerated attribute for
    elements that specifies the action label (or icon) to present for the Enter key on virtual keyboards. This allows authors to customize the presentation of the Enter key to make it more useful for users. The attribute takes one of enter, done, go, next, previous, search, or send.
  • Feature Policy control over document.domain: The document-domain policy governs access to document.domain. It is enabled by default and, if disabled, attempts to set document.domain will throw an error.
  • Layout instability monitoring: Adds the LayoutShift interface to the Performance API, allowing developers to monitor changes to the on-screen position of a DOM element.
  • Limit the length of the "referer" header to 4 KB: Strips the referer header down to an origin when its size exceeds 4 KB.
  • Limit the registerProtocolHandler() URL argument to http/https: registerProtocolHandler() now only accepts URLs with http or https schemes.
  • New features for Intl.NumberFormat: This change improves Intl.NumberFormat by adding support for units of measure, rules for displaying currencies and signs, as well as scientific and compact notations.
  • Logical longhands for overscroll behavior: Adds CSS flow-relative properties to control overscroll behavior through logical dimensions. Flow-relative properties are those that are interpreted with respect to the content flow. The new properties are overscroll-behavior-inline and overscroll-behavior-block.
  • PerformanceObserverInit buffered flag: Adds a buffered flag to () so that PerformanceObserver can receive entries created before the call is executed.
  • RTCPeerConnection.onicecandidateerror: Adds the icecandidateerror event, providing detailed information about WebRTC ICE candidate collection failures, including those defined by STUN (RFC5389) and TURN (RFC5766).
  • RTCPeerConnection.restartIce(): Adds a method to trigger an ICE restart that allows a WebRTC connection to reconnect. This feature is already available in Chrome by passing the iceRestart argument to createOffer(). restartIce() is a version of this method that works regardless of signaling state.
  • Preserve request priorities through the service worker: Keeps the initial priority of a request when it passes through a service worker. Previously, all requests going through a service worker were given priority "High".
  • Support HTTP Basic authentication for service workers: Displays HTTP authentication dialogs even if the request came from a service worker. This is the native login dialog displayed when an HTTP 401 response is received.
  • Stop action for Media Sessions: Adds stop as a MediaSessionAction for calls to MediaSession.setActionHandler(). An action is an event specifically related to a common multimedia function such as pause or playback. The stop action handler is called when the site should stop playback and clear the state, if any.
  • Web Payments: Throws a TypeError on invalid "basic-card" data. The PaymentRequest constructor now throws a TypeError when invalid supported networks or supported types are specified for basic card payment.
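
The 4 KB limit on the referer header listed above matters to any server that makes a security decision from the Referer path. The following sketch is an added example, not code from Chrome or from the release notes; the function names, the allow-list and the shop.example URLs are hypothetical. It models the rule and compares an origin-only server check with a path-based one:

```javascript
// Added example. All names and sample URLs are constructed for illustration.
const REFERRER_LIMIT_BYTES = 4096; // the 4 KB limit described in the list above

// Model of the client-side rule: a referrer larger than the limit is
// reduced to its origin before it is sent.
function effectiveReferrer(fullReferrer) {
  const size = new TextEncoder().encode(fullReferrer).length;
  if (size <= REFERRER_LIMIT_BYTES) return fullReferrer;
  return new URL(fullReferrer).origin + '/';
}

// Server-side check that looks only at the origin of the Referer header,
// so a full URL and an origin-only value get the same answer.
function refererOriginAllowed(refererHeader, allowedOrigins) {
  if (!refererHeader) return false;
  let origin;
  try {
    origin = new URL(refererHeader).origin;
  } catch (_) {
    return false; // malformed header value
  }
  if (origin === 'null') return false; // opaque origins such as data: URLs
  return allowedOrigins.includes(origin);
}

// Fragile variant for comparison: it depends on the path surviving.
function refererPathCheck(refererHeader, requiredPrefix) {
  return typeof refererHeader === 'string' &&
    refererHeader.startsWith(requiredPrefix);
}

// Constructed sample: a same-site URL whose query string exceeds 4 KB.
const LONG_REFERRER =
  'https://shop.example/checkout?state=' + 'a'.repeat(5000);

function demo() {
  const sent = effectiveReferrer(LONG_REFERRER);
  return {
    sent,
    originCheck: refererOriginAllowed(sent, ['https://shop.example']),
    pathCheck: refererPathCheck(sent, 'https://shop.example/checkout'),
  };
}
```

The path-based check rejects the legitimate request once the header is reduced to its origin, while the origin comparison is unaffected.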

For a complete recap of what's new, check out the Chrome 77 Milestone Hotlist.

Google publishes a new version of its browser every six weeks or so. Chrome 78 will arrive at the end of October.


