Chromium Blog
News and developments from the open source browser project
Protecting Windows users from malicious extensions
Thursday, November 7, 2013
Extensions are a great way to enhance the browsing experience, whether users want to quickly post to social networks or to stay up to date with their favorite sports teams. Many services bundle useful companion extensions, which causes Chrome to ask whether you want to install them (or not). However, bad actors have abused this mechanism, bypassing the prompt to silently install malicious extensions that override browser settings and alter the user experience in undesired ways, such as replacing the New Tab Page without approval. In fact, this is a leading cause of complaints from our Windows users.
Since these malicious extensions are not hosted on the Chrome Web Store, it’s difficult to limit the damage they can cause to our users. As part of our continuing security efforts, we’re announcing a stronger measure to protect Windows users: starting in January on the Windows stable and beta channels, we’ll require all extensions to be hosted in the Chrome Web Store. We’ll continue to support local extension installs during development as well as installs via Enterprise policy, and Chrome Apps will also continue to be supported normally.
If your extensions are currently hosted outside the Chrome Web Store you should migrate them as soon as possible. There will be no impact to your users, who will still be able to use your extension as if nothing changed. You could keep the extensions hidden from the Web Store listings if you like. And if you have a dedicated installation flow from your own website, you can make use of the existing inline installs feature.
Protecting our users is a key priority, and we believe this change will help those whose browser has been compromised by unwanted extensions. If you have questions, please get in touch with us on the Chromium extensions group.
Erik Kay, Engineering Director
Announcing Octane 2.0
Wednesday, November 6, 2013
We created the Octane Benchmark Suite to measure how JavaScript engines perform on tasks that matter to users as well as motivate our own performance work on the V8 JavaScript engine. Today we’re releasing version 2.0 of the suite including a new focus on reducing latency, new benchmarks that target use cases like asm.js and updates to existing benchmarks.
Traditional benchmarks simply measure how quickly JavaScript can be executed. Octane 2.0 additionally measures latency, which is another important aspect of performance that is concerned with the smoothness of execution. In modern JavaScript engines like V8, latency comes from two main sources: compiling JavaScript to machine instructions so it can run faster, and garbage collecting memory that is no longer used. These tasks are computationally intensive and if they run for too long can be visible to users as small hiccups and freezes of JavaScript programs. We've added a modified version of our Mandreel and Splay benchmarks to measure how well JavaScript engines can minimize these pauses.
We’ve also added two new performance tests that target important use cases. One new test is based on the TypeScript compiler from Microsoft, a heavy and complex JavaScript application. Its execution stresses raw execution speed, code parsing and the memory subsystem. We've also included the zlib benchmark, an asm.js test from the Mozilla Emscripten suite. Both new benchmarks help measure an engine’s ability to deal with heavy and complex workloads, which are increasingly common in today's web applications.
Finally, we fixed three existing benchmarks to help ensure that they measure what they were intended to:
Regexp: verify that regexp calculations give the correct results.
GameBoy Emulator: code that was supposed to run in strict mode now actually runs in strict mode.
CodeLoad: make sure the code loaded is different on every iteration.
Octane 2.0 represents one more step in our continuing quest to deliver the best possible performance for users. You can run Octane 2.0 in your browser or read the documentation for an in-depth look at the new benchmarks.
Posted by Hannes Payer, Software Engineer and Latency Buster
Introducing Chromium-powered Android WebView
Friday, November 1, 2013
The Android 4.4, KitKat release contains a new WebView implementation built on Chromium open source technology.
The Chromium WebView is a complete overhaul of the Android WebView API. It means that the same rendering engine and software stack that powers Chrome is available for use by app developers targeting Android 4.4 KitKat, helping power games, social networks, news and blog readers, in-app ads, and of course complete web browsers. With it comes support for the latest HTML5 and CSS features and a dramatic upgrade of V8 for top-end JavaScript performance.
Chromium WebView is present on all devices running Android 4.4 and applications using WebView will transition to it automatically, no user intervention required. We’ve aimed to make the transition simple for developers too, while also paving the way to increased open web standards convergence. Most applications will continue to function unaltered, and we've prepared an Android 4.4 WebView migration guide to walk developers through the important changes.
With DevTools remote debugging support for WebView, developing and analyzing web content inside native Android applications is as easy as debugging a web page on desktop Chrome, offering a productivity boost to developers.
Best of all, it’s entirely open source, and is available in the Android 4.4 KitKat AOSP release built on a snapshot of the latest stable Chromium source tree. We're looking forward to working with the broader Chromium community to continue improving WebView. Watch dev.chromium.org/developers and the chromium-dev mailing list for future updates on getting involved in the Chromium WebView development. In the meantime, you can check out the Chromium WebView FAQ.
Happy developing from all of the Chromium WebView team!
Posted by Jonathan Dixon and Ben Murdoch, Ambassadors of Chocolate Treats
Connecting Chrome apps and extensions with native applications
Tuesday, October 15, 2013
We recently announced the deprecation of NPAPI plug-in support in Chrome. One of the main use cases for NPAPI plugins in Chrome apps and extensions was to connect with native applications installed on the same computer. For example, a native password management application that a user has already installed on the system may want to connect with a Chrome extension to synchronize passwords. To support such use cases without the need for NPAPI, we’ve recently added the Native Messaging API.
To use this API, native applications must register a native messaging host that Chrome apps and extensions can connect to. This is done by installing a special manifest file that defines a name and path to the native messaging host binary, as well as a set of app and extension IDs that can connect to it. Once a native messaging host manifest is installed, Chrome apps and extensions can connect to it using a simple API:
    var port = chrome.extension.connectNative("org.chromium.native_messaging_example");
The parameter passed to chrome.extension.connectNative() is the name used to identify the native messaging host. When a native messaging port is created, Chrome starts the host in a separate process and communicates with it over the standard input and output streams. The app or extension can send and receive messages from the native application using this simple API:
    // Register handler for incoming messages.
    port.onMessage.addListener(function(msg) {
      // msg is a parsed JSON object, so serialize it for logging.
      console.log("Received " + JSON.stringify(msg));
    });
    // Send a message.
    port.postMessage({text: "Hello!"});
It's also possible to send one-off messages without creating a port:
    chrome.extension.sendNativeMessage(
        "org.chromium.native_messaging_example",
        {messageField: "field value"},
        function(response) {
          // response is a parsed JSON object, so serialize it for logging.
          console.log("Received response " + JSON.stringify(response));
        });
For details on how to create and register a native messaging host please refer to the API documentation and check out our sample application, which also includes a simple native messaging host.
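What the host side of that standard input/output channel has to do, as an added example (not code from this post or from the Chromium sample application): Chrome frames each message as a 32-bit length in native byte order followed by UTF-8 JSON, and a host should bound the declared length before buffering the body. The names MAX_MESSAGE_BYTES, encodeMessage, FrameDecoder and runHost, the 64 KiB limit, and the use of Node.js for the host are assumptions of this example.

```javascript
// Added example: host-side framing for the native messaging stdio channel.
// Wire format: 4-byte length (native byte order), then that many bytes of UTF-8 JSON.

// Limit chosen for this example (assumption); use the smallest your protocol needs.
const MAX_MESSAGE_BYTES = 64 * 1024;

// Detect native byte order without importing anything.
const LITTLE_ENDIAN = new Uint8Array(new Uint32Array([1]).buffer)[0] === 1;

// Serialize one message for writing to stdout (host -> Chrome).
function encodeMessage(obj) {
  const body = new TextEncoder().encode(JSON.stringify(obj));
  if (body.length > MAX_MESSAGE_BYTES) throw new RangeError("message too large");
  const frame = new Uint8Array(4 + body.length);
  new DataView(frame.buffer).setUint32(0, body.length, LITTLE_ENDIAN);
  frame.set(body, 4);
  return frame;
}

// Incremental decoder for bytes read from stdin (Chrome -> host).
class FrameDecoder {
  constructor(maxBytes = MAX_MESSAGE_BYTES) {
    this.maxBytes = maxBytes;
    this.pending = new Uint8Array(0);
  }

  // Append a chunk and return every complete message it finishes.
  push(chunk) {
    const joined = new Uint8Array(this.pending.length + chunk.length);
    joined.set(this.pending, 0);
    joined.set(chunk, this.pending.length);
    this.pending = joined;

    const messages = [];
    while (this.pending.length >= 4) {
      const view = new DataView(this.pending.buffer, 0, this.pending.length);
      const length = view.getUint32(0, LITTLE_ENDIAN);
      // Reject an oversized declared length before waiting for its body.
      if (length > this.maxBytes) {
        throw new RangeError("declared length " + length + " exceeds limit");
      }
      if (this.pending.length < 4 + length) break; // body not complete yet
      const body = this.pending.subarray(4, 4 + length);
      // fatal: true rejects invalid UTF-8 instead of substituting U+FFFD.
      const text = new TextDecoder("utf-8", { fatal: true }).decode(body);
      messages.push(JSON.parse(text)); // throws SyntaxError on malformed JSON
      this.pending = this.pending.slice(4 + length);
    }
    return messages;
  }
}

// Wire the decoder to stdin/stdout when run as a host under Node.js (assumption).
// handle(msg) is the host's own request handler and returns the reply object.
function runHost(handle) {
  const decoder = new FrameDecoder();
  process.stdin.on("data", (chunk) => {
    try {
      for (const msg of decoder.push(chunk)) {
        process.stdout.write(encodeMessage(handle(msg)));
      }
    } catch (err) {
      process.exit(1); // the stream cannot be resynchronized after a bad frame
    }
  });
}
```

A host that uses this must keep stdout reserved for framed replies; diagnostic output belongs on stderr, since any stray byte on stdout is parsed as part of a frame.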
The Native Messaging API is available on Windows, OS X and Linux starting from Chrome 29. To learn about other NPAPI alternatives, check out the NPAPI deprecation Chromium wiki page.
Posted by Sergey Ulanov, Software Engineer and Message Dispatcher
Chrome 31 Beta: Android Application Shortcuts, requestAutocomplete(), and PNaCl
Thursday, October 3, 2013
The developer updates in today’s Chrome Beta enable a seamless Android web app experience, smoother web payment flows, and portable native code in desktop Chrome. Unless otherwise noted, changes apply to desktop versions of Chrome and Chrome for Android.
Application shortcuts in Chrome for Android
Application shortcuts allow users to add website shortcuts to their Android home screen. Sites launched in this way will open in a normal Chrome for Android window, unless they include the mobile-web-app-capable meta tag. Those sites will instead open in a special fullscreen Chrome for Android window that doesn't display tabs, buttons, menus, or the Omnibox. Try adding a shortcut to weight.aerotwist.com to see this in action.
UPDATE, November 13th: Application shortcuts will now be launching in Chrome 32, not 31.
Payment requestAutocomplete() on Chrome for Android, Windows, Chrome OS
requestAutocomplete() makes it easier for users to fill out online forms by offering web developers programmatic access to the browser’s autocomplete information (with the user’s explicit permission).
For this first release, we’ve made it work for web payments. On sites with requestAutocomplete(), users will be able to either use their existing payment data stored with the browser or enter new details through a browser-provided interface. As a developer, you can continue processing payments with your existing payment processor.
This feature will be rolling out to Beta users in Android, Windows, and Chrome OS in the coming days. A Mac version will be included in a future release.
PNaCl on desktop versions of Chrome
Over the last few years, web applications have benefited tremendously from more powerful processors and faster browsers. For developers looking to improve performance even further, Portable Native Client (PNaCl) now offers the ability to execute native code in the browser. Developers can compile C/C++ code, even complex existing code bases, into a single executable that runs across all desktop versions of Chrome and Chrome OS, no user installation required. PNaCl combines the portability of the web with the performance of native code. For more information, check out gonacl.com.
New Chrome Apps APIs
With URL handlers for apps, Chrome App developers can now specify URLs to be handled by a Chrome App. For example, a document link on a website could open a document editor Chrome App. This gives users more seamless entry points into their favorite Chrome Apps.
Directory access for Apps allows Chrome Apps to access and write to user-approved folders. This feature can be used to share files between a Chrome App and a native app. For example, a Chrome App code editor could modify files managed by a native Git client. Check out the demo to see it in action.
Other new features in this release
SCTP for WebRTC Data Channel allows P2P data transfers between browsers to be either best effort, reliable, or semi reliable, opening up use cases such as gaming.
Alpha channel support for WebM video enables transparency masking (a.k.a. green screen effects) in WebM videos.
Speech recognition with the JavaScript Web Speech API is now supported on Chrome for Android.
window.devicePixelRatio now takes full-page zoom (but not pinch zoom) into account.
Support for { alpha: false } in getContext('2d') lets you create an opaque canvas. This is similar to existing WebGL functionality and can improve the rendering performance of your app.
The Media Source API has been unprefixed and is now supported on Chrome for Android. It allows JavaScript to generate media streams for playback, addressing use cases like adaptive streaming and time shifting live streams.
2D canvas now supports the "ellipse" method.
Support for several Mutation Events has been removed. Consider using MutationObserver instead.
Visit chromestatus.com for a complete overview of Chrome’s developer features, and circle +Google Chrome Developers for more frequent updates. We hope you enjoy this Beta release as much as we’ve enjoyed working on it!
Posted by Dan Alcantara, Software Engineer and Screen Real Estate Agent
Saying Goodbye to Our Old Friend NPAPI
Monday, September 23, 2013
The Netscape Plug-in API (NPAPI) ushered in an early era of web innovation by offering the first standard mechanism to extend the browser. In fact, many modern web platform features—including video and audio support—first saw mainstream deployment through NPAPI-based plug-ins.
But the web has evolved. Today’s browsers are speedier, safer, and more capable than their ancestors. Meanwhile, NPAPI’s 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity. Because of this, Chrome will be phasing out NPAPI support over the coming year.
We feel the web is ready for this transition. NPAPI isn’t supported on mobile devices, and Mozilla plans to make all plug-ins except the current version of Flash click-to-play by default. Based on anonymous Chrome usage data, we estimate that only six NPAPI plug-ins were used by more than 5% of users in the last month. Still, we appreciate that it will take time to transition away from NPAPI, so we will be rolling out this change in stages.
Starting in January 2014, Chrome will block webpage-instantiated NPAPI plug-ins by default on the Stable channel. To avoid disruption to users, we will temporarily whitelist the most popular NPAPI plug-ins that are not already blocked for security reasons. These are:
Silverlight (launched by 15% of Chrome users last month)
Unity (9.1%)
Google Earth (9.1%)
Java (8.9%) *
Google Talk (8.7%)
Facebook Video (6.0%)
* Already blocked by default for security reasons.
In the short term, end users and enterprise administrators will be able to whitelist specific plug-ins. Eventually, however, NPAPI support will be completely removed from Chrome. We expect this to happen before the end of 2014, but the exact timing will depend on usage and user feedback. Note that the built-in Flash plug-in and PDF viewer will be unaffected because they don’t use NPAPI.
The Chrome Web Store will also be phasing out NPAPI support. Starting today, no new Apps or Extensions containing NPAPI-based plug-ins will be allowed in the Web Store. Developers will be able to update their existing NPAPI-based Apps and Extensions until May 2014, when updates will be blocked. Also in May, listings for NPAPI-based Apps and Extensions will be removed from the Web Store home page, search results, and category pages. In September 2014, all existing NPAPI-based Apps and Extensions will be unpublished. Existing installations will continue to work until Chrome fully removes support for NPAPI.
There are several alternatives to NPAPI. In cases where standard web technologies are not yet sufficient, developers and administrators can use NaCl, Apps, Native Messaging API, and Legacy Browser Support to transition from NPAPI. Moving forward, our goal is to evolve the standards-based web platform to cover the use cases once served by NPAPI.
UPDATES
November 2013: For more details about NPAPI deprecation, see the NPAPI Deprecation Developer Guide.
April 2014: NPAPI support was removed from Chrome for Linux in release 35.
April 2014: Developers will be able to update Apps and Extensions that use NPAPI until their listings are unpublished in September. This deviation from the original schedule is to allow for security updates.
July 2014: Chrome 37 has switched to a harder-to-bypass blocking UI for NPAPI.
Justin Schuh, Security Engineer and Plug-in Retirement Planner
Chrome App Launcher Developer Preview for Mac OS X
Thursday, September 5, 2013
Chrome Apps now bring the best of productivity, games and more to your desktop. The Chrome App Launcher is available for Windows and Chrome OS, and today we're unveiling the launcher for Mac OS X on the Chrome Developer Channel.
The launcher provides an easy way to find and launch your Chrome Apps, while at the same time integrating closely with the operating system so that your Chrome Apps behave and feel just like regular native ones. For example, on Macs you can find your Chrome Apps in the launcher, Applications folder, in the Dock and when you do a Spotlight search—just like any other Mac app that you already use.
To get the launcher, just install a Chrome App from the Chrome Web Store, such as this text editor or note-taking app. The first time you install an app, the launcher will show up as an icon in the Dock. Chrome Packaged Apps for the Mac are available in the dev channel of Chrome and will be launched to stable channel soon.
In the meantime, you can build your own packaged app, upload it to the Chrome Web Store and give all of your users access to it via a direct link. Have questions about this or any other Chrome Apps features? We always welcome your feedback on Stack Overflow, our G+ Developers page, or our developer forum.
Posted by Joe Marini, Chrome Developer Advocate and Apps Aficionado