Chromium Blog
News and developments from the open source browser project
Freezing Chrome for Ice Cream Sandwich
Tuesday, March 3, 2015
Posted by Aurimas Lutikas, Software Engineer
It seems like yesterday that Chrome was first introduced on mobile devices to users running Android 4.0 Ice Cream Sandwich (ICS). Since then, twenty-four new Chrome releases and three new Android versions (Jellybean, Kitkat and Lollipop) have shipped. We’ve worked hard to make sure each version was faster, simpler and more secure than the last.
In the last year, we’ve seen the number of Chrome users running ICS drop by thirty percent. Developing new features on older phones has become increasingly challenging, and supporting ICS takes time away from building new experiences on the devices owned by the vast majority of our users. So, with Chrome’s 42nd release, we’ll stop updating Chrome on ICS devices. After Chrome 42, users on ICS devices can continue to use Chrome but won’t get further updates.
We’re excited to sharpen our focus on moving the web forward. If you’re interested in learning more about this change, please see the FAQ's.
Pwnium V: the never-ending* Pwnium
Tuesday, February 24, 2015
[Cross-posted on the Google Online Security Blog]
Posted by Tim Willis, Hacker Philanthropist, Chrome Security Team
Around this time each year we announce the rules, details and maximum cash amounts we’re putting up for our Pwnium competition. For the last few years we put a huge pile of cash on the table (last year it was e million) and gave researchers one day during CanSecWest to present their exploits. We’ve received some great entries over the years, but it’s time for something bigger.
Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at a security conference to a year round, worldwide opportunity for security researchers.
For those who are interested in what this means for the Pwnium rewards pool, we crunched the numbers and the results are in: it now goes all the way up to $∞ million*.
We’re making this change for a few reasons:
Removing barriers to entry: At Pwnium competitions, a security researcher would need to have a bug chain in March, pre-register, have a physical presence at the competition location and hopefully get a good timeslot. Under the new scheme, security researchers can submit their bugs year-round through the Chrome Vulnerability Reward Program (VRP) whenever they find them.
Removing the incentive for bug hoarding: If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.
Our researchers want this: On top of all of these reasons, we asked our handful of participants if they wanted an option to report all year. They did, so we’re delivering.
Logistically, we’ll be adding Pwnium-style bug chains on Chrome OS to the Chrome VRP. This will increase our top reward to $50,000, which will be on offer all year-round. Check out our FAQ for more information.
Happy hunting!
* Our lawyercats wouldn’t let me say “never-ending” or “infinity million” without adding that “this is an experimental and discretionary rewards program and Google may cancel or modify the program at any time.” Check out the reward eligibility requirements on the Chrome VRP page.
Beta Channel for the Android WebView
Friday, February 13, 2015
[Cross-posted on the Android Blog]
Many Android apps use a WebView for displaying HTML content. In Android 5.0 Lollipop, Google has the ability to update WebView independently of the Android platform. Beginning today, developers can use a new beta channel to test the latest version of WebView and provide feedback. WebView updates bring numerous bug fixes, new web platform APIs and updates from Chromium. If you’re making use of the WebView in your app, becoming a beta channel tester will give you an early start with new APIs as well as the chance to test your app before the WebView rolls out to your users. The first version offered in the beta channel will be based on Chrome 40 and you can find a full list of changes on the chromium blog entry. To become a beta tester, join the community which will enable you to sign up for the Beta program; you’ll then be able to install the beta version of the WebView via the Play Store. If you find any bugs, please file them on the Chromium issue tracker.
Posted by Richard Coles - Software Engineer, Google London
Hello HTTP/2, Goodbye SPDY
Monday, February 9, 2015
HTTP is the fundamental networking protocol that powers the web. The majority of sites use version 1.1 of HTTP, which was defined in 1999 with RFC2616. A lot has changed on the web since then, and a new version of the protocol named HTTP/2 is well on the road to standardization. We plan to gradually roll out support for HTTP/2 in Chrome 40 in the upcoming weeks.
HTTP/2’s primary changes from HTTP/1.1 focus on improved performance. Some key features such as multiplexing, header compression, prioritization and protocol negotiation evolved from work done in an earlier open, but non-standard protocol named SPDY. Chrome has supported SPDY since Chrome 6, but since most of the benefits are present in HTTP/2, it’s time to say goodbye. We plan to remove support for SPDY in early 2016, and to also remove support for the TLS extension named NPN in favor of ALPN in Chrome at the same time. Server developers are strongly encouraged to move to HTTP/2 and ALPN.
We’re happy to have contributed to the open standards process that led to HTTP/2, and hope to see wide adoption given the broad industry engagement on standardization and implementation. We also look forward to further advancements in fundamental Internet protocols that lead to a faster and more secure Internet for everyone.
Update: Beginning May 15, Chrome will no longer support SPDY.
Update: To better align with Chrome's release cycle, SPDY and NPN support will be removed with the release of Chrome 51.
Posted by Chris Bentzel, Multiplexing Manager and Bence Béky, HTTP/2 Enabler
Chrome 41 Beta: New ES6 Features and Improved DevTools for Service Workers and Web Animations
Thursday, January 22, 2015
Today’s Chrome Beta channel release includes new Javascript ES6 features and improved workflows for debugging Service Workers and Web Animations. Unless otherwise noted, changes described below apply to Chrome for Android, Windows, Mac, Linux, and Chrome OS.
ES6 Template Literals
There are many pitfalls of working with strings on the modern web. The Javascript we know today lacks basic string formatting features, doesn’t support multi-line strings, and makes it difficult to protect users from XSS attacks when inserting user-generated content into pages.
Template Literals, introduced in this release, aims to solve these problems. Its basic form adds string formatting into Javascript by providing syntactic sugar for concatenating strings, variables, and the results of functions. Specifically, expressions can be embedded directly into strings when using the backtick operator (`).
var name = "John";
var message = `Hello, ${name}!`; // Expected result: "Hello, John!"
Any code contained within the braces and preceded by the dollar sign will automatically be evaluated and inserted into place.
var message = `1 + 1 = ${1 + 1}!`; // Expected result: "1 + 1 = 2!"
Besides accepting multi-line strings, Template Literals also introduces the concept of tagged templates which are useful for escaping HTML to prevent XSS attacks and when internationalizing a site.
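A tagged template of the kind described above, as an added example that is not code from the original post: the hypothetical `html` tag escapes every interpolated value, while the static markup written by the developer passes through unchanged. The names `html`, `escapeHtml` and `SafeHtml` and the sample inputs are assumptions made for illustration.

```javascript
// Added example: a tagged template that HTML-escapes every interpolated value.
// `html`, `escapeHtml` and `SafeHtml` are hypothetical names, not a browser API.

const ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Single-pass replacement, so already-produced entities are never re-scanned.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPES[ch]);
}

// Marks a string as markup produced by html``, so nesting does not double-escape.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tag function: `strings` are the literal parts, `values` the ${...} results.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    // Arrays (e.g. from .map) are flattened; each item is handled on its own.
    const items = Array.isArray(value) ? value : [value];
    for (const item of items) {
      out += item instanceof SafeHtml ? item.markup : escapeHtml(item);
    }
    out += strings[i + 1];
  });
  return new SafeHtml(out);
}

// Constructed sample input: user-generated content that carries markup.
const userName = '<img src=x onerror=alert(1)>';
const comments = ['nice "post"', '<b>bold?</b>'];

// Untagged template literal: the value is inserted verbatim.
const unsafe = `<p title="${userName}">Hello, ${userName}!</p>`;

// Tagged template: the same value is escaped before insertion.
const safe = html`<p title="${userName}">Hello, ${userName}!</p>`;

// Nested templates compose: inner results are SafeHtml and are not re-escaped.
const list = html`<ul>${comments.map((c) => html`<li>${c}</li>`)}</ul>`;

console.log(unsafe);
console.log(String(safe));
console.log(String(list));
```

Entity escaping like this is sufficient only where the value lands in HTML text or inside a quoted attribute; values placed in script blocks, URLs or unquoted attributes need context-specific handling.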
New features in Chrome Developer Tools
Chrome 36 added Web Animations, unifying several of the animation APIs on the web. This release makes visual debugging easier by allowing developers to slow down playback of their animations on the fly within DevTools.
In Chrome 40 we shipped Service Workers, enabling developers to make their sites load faster and work offline by intercepting network requests to deliver programmatic or cached responses. Until now, developers had to inspect their Service Worker’s cache manually by printing out its contents to the console, making debugging slow. Today’s Beta includes a new section in DevTools for viewing Service Worker caches which can be found by inspecting a Service Worker on chrome://serviceworker-internals.
Other updates in this release
ES6 Lexical Declarations cause variables declared with the 'let' keyword to be scoped to their containing block instead of being hoisted to the top of their containing function, giving developers more control over Javascript's tricky scoping rules.
The new CSS value image-rendering: pixelated allows scaled images to appear to be composed of very large pixels, trading smooth results for faster image scaling.
CSS Media Queries now support any-pointer and any-hover, which function similarly to pointer and hover but can be triggered by any input device, not only the primary one.
The Web Audio API now allows developers to temporarily suspend an AudioContext when it’s not in use, improving power consumption.
StereoPannerNode is also now supported, enabling left-right panning of an incoming audio stream while maintaining equal power.
HTTPS sites that have certificate chains using SHA-1 that are valid past January 1st, 2017 will be treated as “affirmatively insecure” in Chrome UI from this release onwards as part of our plan to gradually sunset SHA-1.
Update February 13th: The new CSS values mix-blend-mode and isolation provide control over how an HTML or SVG element blends with the content behind it.
As always, visit chromestatus.com/features for a complete overview of Chrome’s developer features, and circle +Google Chrome Developers for more frequent updates.
`Posted by ${"Erik Arvidsson"}, Software Engineer`
Chrome 40 Beta: Powerful Offline and Lightspeed Loading with Service Workers
Thursday, December 4, 2014
The newest Chrome Beta channel release includes several new developer features to help you make richer, more compelling web content and apps, especially for mobile devices. Unless otherwise noted, changes described below apply to Chrome for Android, Windows, Mac, Linux, and Chrome OS.
Service Workers
This release adds service workers, a powerful new API that allows developers to make sites work offline by intercepting network requests to deliver programmatic or cached responses. Besides enabling a rich offline experience, developers can also use the API to achieve dramatic performance improvements by caching UI and other common resources between page loads.
A before and after comparison of a repeat visitor loading a site that uses Service Workers.
Unlike other web technologies, the lifetime of a service worker is independent of the page that installed it. This lays the foundation for a new class of web applications with rich background capabilities. For example, future APIs like Push and Background Sync could do their work even after the page is closed, provided the user has given permission.
This release includes two new APIs for use only within service workers. The Fetch API allows service workers to make network requests—including cross-origin—and return the responses to pages they control. The Cache API can save fetched responses and then return them directly the next time the same resource is requested, bypassing the latency-prone network and the eviction-prone HTTP cache.
These APIs are still under active development and we are committed to keeping our implementation in sync with the specifications as they evolve. This release supports a subset of the Cache API, but developers can use a polyfill for full compatibility. If you’re interested in more in-depth information, check out HTML5 Rocks or our collection of useful service worker “recipes.”
Other updates in this release
This release brings support for the new directives introduced in Content Security Policy (CSP) Level 2.
The new reportValidity method causes Chrome to draw the user’s attention to form fields with validation errors, saving developers from needing to implement this feature manually in JavaScript.
Chrome now supports the minlength attribute, a validation feature that allows developers to declare a lower bound on the number of characters a user can input.
Thanks to a collaboration with Intel's Open Source Technology Center, Chrome on Mac now uses HarfBuzz for text shaping which improves performance and rendering of non-Latin text, brings new optimizations, and unifies the font system across all platforms.
Developers can use the theme-color meta tag to customize their toolbar color in the app switcher on Android Lollipop.
As always, visit chromestatus.com/features for a complete overview of Chrome’s developer features, and circle +Google Chrome Developers for more frequent updates.
Posted by Dominic Cooney and Joshua Bell, Software Engineers at your service
The Final Countdown for NPAPI
Monday, November 24, 2014
Last September we announced our plan to remove NPAPI support from Chrome, a change that will improve Chrome’s security, speed, and stability as well as reduce complexity in the code base. Since our last update, NPAPI usage has continued its decline. Given this usage data, we will continue with our deprecation plan.
Monthly Plug-in Launch Percentage

Plug-in         Sept 13    May 14    Oct 14
Silverlight     15%        13.3%     11%
Google Talk     8.7%       8.7%      7%
Java            8.9%       7.2%      3.7%
Facebook        6%         4.2%      3.0%
Unity           9.1%       3.1%      1.9%
Google Earth    9.1%       0.1%      0.1%
Currently Chrome supports NPAPI plugins, but they are blocked by default unless the user chooses to allow them for specific sites (via the page action UI). A small number of the most popular plugins are whitelisted and allowed by default. In January 2015 we will remove the whitelist, meaning all plugins will be blocked by default.
In April 2015 NPAPI support will be disabled by default in Chrome and we will unpublish extensions requiring NPAPI plugins from the Chrome Web Store. Although plugin vendors are working hard to move to alternate technologies, a small number of users still rely on plugins that haven’t completed the transition yet. We will provide an override for advanced users (via chrome://flags/#enable-npapi) and enterprises (via Enterprise Policy) to temporarily re-enable NPAPI while they wait for mission-critical plugins to make the transition.
In September 2015 we will remove the override and NPAPI support will be permanently removed from Chrome. Installed extensions that require NPAPI plugins will no longer be able to load those plugins.
For more details on the timeline, including guidance for NPAPI plugin developers, see the NPAPI deprecation guide. With each step in this transition, we get closer to a safer, more mobile-friendly web.
Posted by Justin Schuh, Software Engineer and Plug-in Retirement Planner