Chrome 70 arrives with an option to disable linked sign-ins, PWAs on Windows, and an AV1 decoder




Google today launched Chrome 70 for Windows, Mac, and Linux. This release includes an option to disable linking sign-ins to Google sites with sign-ins to Chrome, Progressive Web Apps on Windows, the ability for users to restrict extensions' access to a custom list of sites, an AV1 decoder, and more. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome.

With over a billion users, Chrome is both a browser and a major platform that Web developers must take into account. In fact, with Chrome's regular additions and changes, developers often have to make an effort to stay on top of everything available, as well as what has been deprecated or removed.

Chrome sign-in fix

The most important change in this version is probably the one where Google backpedals. In Chrome 69, Google tried to "simplify" signing in to Google sites by also signing you in to Chrome with the same account. If you sign out, either of Chrome or of a Google site, you're signed out of both.

This caused a massive uproar among Chrome users, at least in part because of concerns that the change meant that Chrome sync was enabled. Although this is not the case (you must still enable synchronization of data such as browsing history, passwords and bookmarks to make it available on other devices), many still do not like Google automatically signing them in to Chrome just because they signed in to a Google site.

Chrome 70 brings three changes:

  • An option (see above) that allows users to turn off linking web-based sign-in with browser-based sign-in. If you disable this feature, signing in to a Google site will not sign you in to Chrome.
  • An update to the user interface (see below) to better communicate a user's sync state.
  • Instead of keeping Google's authentication cookies so that you stay signed in after clearing cookies, as Chrome 69 does, the browser again deletes all cookies.

Unfortunately, Google still doesn't get it. The three changes are an improvement, but the first does not solve the main problem: automatic sign-in is still enabled by default. Chrome users should not have to opt out of automatic sign-in if they use Google sites; they should opt in if they want the functionality.

PWAs on Windows and AV1 decoder

In addition to trying to repair what it broke, Google has added a host of new features in Chrome 70. The browser now supports Progressive Web Apps (PWAs) on Windows. These applications can be launched from the Start menu and run like any other installed application (without an address bar or tabs). Google killed Chrome apps earlier this year and is now focusing on PWAs.

If you're a developer, you need to check the standard PWA criteria that Chrome verifies. If your PWA meets them, Chrome will fire the beforeinstallprompt event, on which you can call prompt().

AV1 is a royalty-free codec developed by the Alliance for Open Media. AV1 improves compression efficiency by more than 30% over the VP9 codec, which it is meant to succeed.

Chrome 70 adds an AV1 decoder (no encoding feature is included) with MP4 as the supported container (ISO-BMFF). You can try it yourself by going to YouTube's TestTube page, selecting "Prefer AV1 for SD" or "Always Prefer AV1" and watching clips from the AV1 Beta Launch playlist. If you right-click on the video and select "Stats for nerds", you should see the above (note that the codec is av01).

Android and iOS

Chrome 70 for Android is not out yet, but it should arrive soon on Google Play. Chrome 70 for iOS is available on the Apple App Store, but the changelog is not too big:

  • Bug fixes and design polish for the redesign.
  • Updates to how Chrome launches other apps to improve reliability and security.
  • Fixes authentication problems caused by the use of obsolete cookies. Let us know if you are having problems signing in to or out of websites.

Security patches and improvements

As promised, Google is cracking down on extensions. Chrome 70 lets users restrict an extension's host access to a custom list of sites, or configure extensions to require a click before they gain access to the current page.

Host permissions, which allow extensions to automatically read and change data on websites, enable a variety of powerful and creative use cases, but Google says they have also led to a wide range of misuse, both malicious and unintentional. In future versions of Chrome, Google plans to further improve how its browser handles the user experience around host permissions. If your extension requests host permissions, review the transition guide and make the necessary changes in the next two weeks.
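To see which extensions the new host-access controls matter for most, an extension's manifest can be audited for broad host patterns. The following is an added example, not code from Google or from the original article; it assumes a Manifest V2-style manifest.json, and the sample manifest and function names are constructed for illustration.

```javascript
// Added example: flag broad host permissions in an extension manifest.
// Assumes a Manifest V2 layout, where host match patterns sit in
// "permissions", "optional_permissions" and content_scripts[].matches.

// Match pattern grammar: <scheme>://<host>/<path>, or "<all_urls>".
const MATCH_PATTERN = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/;

// Classify one manifest entry by how much of the web it covers.
function classify(entry) {
  if (entry === '<all_urls>') return 'all-sites';
  const m = MATCH_PATTERN.exec(entry);
  if (!m) return 'not-host';                 // API names: "tabs", "storage"
  const host = m[2];
  if (host === '*') return 'all-sites';      // e.g. "*://*/*"
  if (host.startsWith('*.')) return 'wildcard-subdomain';
  return 'single-host';
}

// Collect every host pattern together with where it was declared.
function auditManifest(manifest) {
  const sources = [
    ['permissions', manifest.permissions || []],
    ['optional_permissions', manifest.optional_permissions || []],
    ...(manifest.content_scripts || []).map(
      (cs, i) => [`content_scripts[${i}].matches`, cs.matches || []]),
  ];
  const findings = [];
  for (const [where, entries] of sources) {
    for (const pattern of entries) {
      const scope = classify(pattern);
      if (scope !== 'not-host') findings.push({ where, pattern, scope });
    }
  }
  return findings;
}

// Constructed sample manifest, not taken from a real extension.
const SAMPLE = {
  name: 'Example Helper',
  manifest_version: 2,
  permissions: ['tabs', 'storage', 'https://api.example.com/*', '*://*/*'],
  optional_permissions: ['https://*.example.org/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
};

// Entries that grant access to every site deserve the closest review.
const broad = auditManifest(SAMPLE).filter((f) => f.scope === 'all-sites');
console.log(broad.map((f) => `${f.where}: ${f.pattern}`).join('\n'));
```

Extensions that show up with an `all-sites` scope are the ones for which restricting access to a custom list of sites, or requiring a click, changes the most.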

Chrome 70 also continues Google's war against HTTP sites.

HTTPS is a more secure version of the HTTP protocol used on the Internet to connect users to websites. Secure connections are widely considered a necessary measure to reduce the risk of users being vulnerable to content injection (which can lead to eavesdropping, man-in-the-middle attacks, and other data modification). The data is protected against third parties, and users can be more confident that they are communicating with the right website.

Google has been pushing the Web toward HTTPS for years, but it accelerated its efforts last year by changing the Chrome user interface. Chrome 56, released in January 2017, began marking HTTP pages that collect passwords or credit cards as "Not secure". Chrome 62, released in October 2017, began marking HTTP sites with entered data and all HTTP sites viewed in private browsing mode as "Not secure". Chrome 68, released in July, marks all HTTP sites as "Not secure" directly in the address bar, and Chrome 69, released in September, removed the "Secure" label from HTTPS sites.

Now, with the release of Chrome 70, HTTP sites display a red "Not secure" warning when users enter data:

The plan was always to mark all HTTP sites as "Not secure". In the long run, Google will change the icon next to the "Not secure" label and make the text red to emphasize that you should not trust HTTP sites:

Chrome 70 also implements 23 security patches. The following were found by external researchers:

  • [$N/A][888926] High CVE-2018-17462: Sandbox escape in AppCache. Reported by Ned Williamson and Niklas Baumstark working with Beyond Security's SecuriTeam Secure Disclosure Program on 2018-09-25
  • [$N/A][888923] High CVE-2018-17463: Remote code execution in V8. Reported by Ned Williamson and Niklas Baumstark working with Beyond Security's SecuriTeam Secure Disclosure Program on 2018-09-25
  • [$3500][872189] High CVE to be assigned: Buffer overflow in Little CMS in PDFium. Reported by Quang Nguyễn (@quangnh89) of Viettel Cyber Security on 2018-08-08
  • [$3000][887273] High CVE-2018-17464: URL spoof in Omnibox. Reported by Xisigr from Xuanwu Lab of Tencent on 2018-09-20
  • [$3000][870226] High CVE-2018-17465: Use after free in V8. Reported by Lin Zuojian on 2018-08-02
  • [$1000][880906] High CVE-2018-17466: Memory corruption in Angle. Reported by Omair on 2018-09-05
  • [$3000][844881] Medium CVE-2018-17467: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-05-19
  • [$2000][876822] Medium CVE-2018-17468: Cross-URL disclosure in Blink. Reported by James Lee (@Windowsrcer) of Kryptos Logic on 2018-08-22
  • [$1000][880675] Medium CVE-2018-17469: Buffer overflow in PDFium. Reported by Zhen Zhou of the NSFOCUS Security Team on 2018-09-05
  • [$1000][877874] Medium CVE-2018-17470: Memory corruption in GPU internals. Reported by Zhe Jin Luyao Liu (路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-08-27
  • [$1000][873080] Medium CVE-2018-17471: Security UI occlusion in full screen mode. Reported by Lnyas Zhang on 2018-08-10
  • [$1000][822518] Medium CVE-2018-17472: iframe sandbox escape on iOS. Reported by Jun Kokatsu (@shhnjk) on 2018-03-16
  • [$500][882078] Medium CVE-2018-17473: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-09-08
  • [$500][843151] Medium CVE-2018-17474: Use after free in Blink. Reported by Zhe Jin Luyao Liu (路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. on 2018-05-15
  • [$500][852634] Low CVE-2018-17475: URL spoof in Omnibox. Reported by Vladimir Metnew on 2018-06-14
  • [$500][812769] Low CVE-2018-17476: Security UI occlusion in full screen mode. Reported by Khalil Zhani on 2018-02-15
  • [$500][805496] Low CVE-2018-5179: No limits on update() in ServiceWorker. Reported by Yannic Bonenberger on 2018-01-24
  • [$N/A][863703] Low CVE-2018-17477: UI spoof in Extensions. Reported by Aaron Muir Hamilton on 2018-07-14
  • [895893] Various fixes from internal audits, fuzzing and other initiatives

Google has spent at least $22,000 in bug bounties for this release. As always, the security patches alone should be sufficient incentive to upgrade.

Developer features

Chrome 70 implements the Shape Detection API (available through a Chrome origin trial), which allows developers to identify faces, barcodes, and text contained in images "without using a destructive library". The API is made up of three APIs: a Face Detection API, a Barcode Detection API and a Text Detection API. Given a bitmap or blob, the Face Detection API returns the location of faces and of the eyes, noses and mouths in those faces (you can limit the number of faces returned and prioritize speed over performance). The Barcode Detection API decodes barcodes and QR codes into strings (from simple numbers to multiline text). The Text Detection API reads Latin-1 text (as defined by ISO 8859-1) in images.

The Web Authentication API now enables the Touch ID fingerprint sensor on macOS and the fingerprint sensor on Android by default. These allow developers to access biometric authenticators through the Credential Management API's PublicKeyCredential type.

Chrome 70 updates the V8 JavaScript engine to version 7.0. It includes embedded built-ins on multiple platforms, a preview of WebAssembly threads, and new JavaScript features. See the full list of changes for more information.

Other development features in this release include:

  • Displaying a dialog box causes pages to lose full screen: dialog boxes, especially authentication prompts, payments, and file pickers, require context for users to make decisions. Full screen, by definition, is immersive and removes the context a user needs to make a decision. Chrome now exits full-screen mode whenever a page displays a dialog box.
  • Add referrerpolicy support to