Chromium Blog
News and developments from the open source browser project
Next steps toward more connection security
Thursday, April 27, 2017
In January, we
began our quest
to improve how Chrome communicates the connection security of HTTP pages. Chrome now marks HTTP pages as “Not secure” if they have password or credit card fields. Beginning in October 2017, Chrome will show the “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in
Incognito mode
.
Treatment of HTTP pages in Chrome 62
Our plan
to label HTTP sites as non-secure is taking place in gradual steps, based on increasingly broad criteria. Since the
change in Chrome 56
, there has been a 23% reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop, and we’re ready to take the next steps.
Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the “Not secure” warning when users type data into HTTP sites.
Treatment of HTTP pages with user-entered data in Chrome 62
When users browse Chrome with Incognito mode, they likely have increased expectations of privacy. However, HTTP browsing is not private to others on the network, so in version 62 Chrome will also warn users when visiting an HTTP page in Incognito mode.
Eventually, we plan to show the “Not secure” warning for
all
HTTP pages, even outside Incognito mode. We will publish updates as we approach future releases, but don’t wait to get started moving to HTTPS! HTTPS is
easier and cheaper than ever before
, and it enables both the best performance the web offers and powerful new features that are too sensitive for HTTP. Check out our
set-up guides
to get started.
Posted by Emily Schechter, Chrome Security Team
Real-world JavaScript performance
Wednesday, April 12, 2017
The V8 JavaScript engine is a cornerstone of fast browsing in Chrome. Over the course of the past year, the V8 team has developed a new method for measuring performance against snapshots of real web pages. Using insights from real-world measurements, the V8 team improved the speed of the average page load in Chrome by 10-20% over the course of the past year.
Historically, JavaScript engines such as V8 used benchmarks like Octane to improve the “peak” performance of JavaScript, or the performance of CPU-intensive script in
hot loops
. At the beginning of last year, the V8 team started to measure performance with higher fidelity by instrumenting snapshots of popular web pages such as Reddit, Twitter, Facebook, and Wikipedia. This analysis revealed that while peak performance benefits certain types of large web applications, browsing typical websites relies more on “startup” performance, or the speed it takes to start running script. Using insights gleaned from this real-world performance data, the V8 team implemented optimizations which improved mean page load between Chrome 49 and Chrome 56 by 10-20%, depending on CPU architecture.
The web page snapshots also enabled analysis of the differences between various benchmarks and real web workloads. Although no benchmark can be a representative proxy for all sites, the
Speedometer benchmark
is an approximation of many sites due to its inclusion of real web frameworks including React, Angular, Ember, and jQuery. This similarity can be seen in the startup optimizations above, which also yielded a 25-35% improvement in Chrome’s Speedometer score. Conversely, comparing page snapshots to Octane revealed that Octane was a poor approximation of most websites. Given the
plateau of Octane scores across web browsers
and the over-optimization of peak performance, we decided to
retire
the benchmark as a general-purpose measure of real-world JavaScript performance.
V8 performance optimizations improved Chrome's Speedometer score by 25-35% over the past year
Going forward, we plan to ship more JavaScript performance improvements for new patterns of script appearing on the web, including modern libraries,
frameworks
, and ES2015+
language features
. By measuring real-world websites rather than traditional benchmarks, we can better optimize JavaScript patterns that matter most to users and developers. Stay tuned for updates about our new engine architecture, designed for real-world performance.
Posted by Seth Thompson, V8 Track Commentator
Scroll anchoring for web developers
Tuesday, April 11, 2017
One of the strengths of the web is progressive loading, which means that there is no install step and users can start consuming content almost immediately while the site keeps loading. But progressive loading can also result in annoyances, such as an unexpected page jump when offscreen content loads and pushes down what’s currently on the screen. This can be even worse on mobile devices, since smaller screens mean more content is offscreen and page jumps are more likely.
Since its early days, Chrome has taken a stand against bad or abusive content. For instance,
Safe Browsing
warns users before they visit malicious websites, and
visual indicators on tabs
allow our users to quickly track down the source of unexpected noise. Similar to other features designed to protect our users from bad experiences, starting in version 56 Chrome prevents these unexpected page jumps with a new feature called scroll anchoring. This feature works by locking the scroll position on an on-screen element to keep our users in the same spot even as offscreen content continues to load.
Side by side comparison
of a web page with scroll anchoring disabled (left) and enabled (right).
Due to the expressiveness of the web, there might be some content for which scroll anchoring is either unwanted or misbehaving. For this reason, this feature ships alongside the
”overflow-anchor” CSS property
to override the functionality. To further minimize potential issues, scroll anchoring is disabled on complex interactive layouts via
suppression triggers
, and on back/forward navigations to allow for scroll restoration.
Today, scroll anchoring is preventing about three page jumps per page-view, but with your help it could be even better. Get involved by participating in the
scroll anchoring Web Platform Incubator Community Group
, submitting feedback via
g.co/reportbadreflow
, and designing your websites or services with a no-reflow mindset.
Posted by Steve Kobes, “The Unbouncer”
Chrome 58 Beta: IndexedDB 2.0, an improvement to iframe navigation, and immersive full screen for PWAs
Tuesday, March 21, 2017
Unless otherwise noted, changes described below apply to the newest Chrome
Beta
channel release for Android, Chrome OS, Linux, Mac, and Windows.
IndexedDB 2.0
The
IndexedDB 2.0
standard is now fully supported in Chrome, making it simpler to work with large data sets in the browser. IDB 2.0 features new schema management, bulk action methods, and more standardized handling of failures.
The structure of a site’s database has large performance impacts and can be difficult to change. To simplify updates,
object stores
and
indexes
can now be renamed in-place after a refactoring. Sites can also use more natural keys without worrying about a performance penalty thanks to
binary keys
, which allow compact representations for custom keys.
Data retrieval is easier with the
getKey()
and
openKeyCursor()
methods, which also provide better performance when only a database key is needed. The new
continuePrimaryKey()
cursor method makes it easier to divide large data access across transactions and page loads without worrying about duplicate primary keys. The
getAll()
and
getAllKeys()
methods allow bulk recovery of entire datasets without the need for a cursor.
An improvement to
iframe
navigation
Third-party content, such as advertising, that automatically redirects the page can annoy users and create security issues. Because of this, developers are able to put third-party content inside sandboxed
iframes
to prevent this behavior. However, in some cases this type of content needs to navigate the top-level page when clicked, like a standard advertisement.
To address this, Chrome 58 now supports the new
iframe
sandbox keyword
allow-top-navigation-by-user-activation
. This keyword gives sandboxed
iframes
the ability to navigate the top-level page when triggered by user interaction, while still blocking auto-redirects.
Immersive full screen for PWAs
When
Progressive Web Apps
(PWAs) are launched from the Android Home screen, they launch in a standalone app-like mode that hides the
omnibox
. This helps create an engaging user experience, and frees up screen space for content. However, for even more immersive experiences like games, video players, or other rich content, other mobile UI elements such as
the system bars
can still be a distraction.
Now PWAs can provide a fully immersive experience by setting
display: fullscreen
in their
web app manifest
, which hides non-app UI when the site is launched from the home screen.
A PWA launched from the home screen (left), launched from the home screen in
standalone
mode (middle), and launched from the home screen in
fullscreen
mode (right).
Other features in this release
Workers
and
SharedWorkers
can now be created using
data:
URLs, making development with Workers more secure by giving them an
opaque origin
.
PointerEvents.getCoalescedEvents()
allows developers to access all input events since the last time a
PointerEvent
was delivered, making it easier for drawing apps to create smoother curves using a precise history of points.
Developers can now
customize
Chrome’s native media controls such as the
download
,
fullscreen
and
remoteplayback
buttons using the new
ControlsList API
.
On Chrome for Android, sites installed using the
improved Add to Homescreen flow
will be allowed to autoplay audio and video served from origins included in the manifest’s scope without restrictions.
On Chrome for Android, videos using the
autoplay
attribute will be paused when offscreen and resumed when back in view to preserve consistency across browsers.
Sites can now
access
the approximate range of colors supported by Chrome and output devices using the
color-gamut
Media Query.
Instead of manually resetting multiple layout properties like
float
and
clear
, sites can now add a
new block-formatting context
using
display: flow-root
.
To improve JavaScript parsing time,
SVGPoint
,
SVGRect
, and
SVGMatrix
have been transferred to
new interfaces
outside of
Geometry
.
Using
removeRange()
, a new
Selection API
function, developers can now programmatically remove a specified text
Range
.
The
PointerEvent.tangentialPressure
and
PointerEvent.twist
attributes are now supported on Chrome for Mac to provide more information to stylus devices and painting apps.
To simplify developer experience, trailing commas are now
allowed
in JavaScript for formal parameter and argument lists.
The WebAudio API’s new
playback
AudioContextLatencyCategory
enables the developer to easily make conscious tradeoffs between latency, power, and CPU efficiency.
Deprecations and interoperability improvements
Apple-interchange-newline
,
Apple-converted-space
,
Apple-paste-as-quotation
,
Apple-style-span
, and
Apple-tab-span
have been deprecated as they are non-standard CSS classes.
usemap
attributes now use case-sensitive matching rather than
compatibility caseless
to better align with spec.
Sites must now use HTTPS when requesting notification permissions or creating non-persistent local notifications with the
Notifications API
, in accordance with Chrome's
policy
around powerful features.
To better align with spec,
cancelBubble
is now considered an alias to
stopPropagation()
when set to true, and does not do anything when set to false.
The
VTTRegion
interface functions,
addRegion()
and
removeRegion()
, have been removed from the
WebVTT
spec and are therefore being removed from Chrome.
Top-level navigations to
data:
URLs have been deprecated to further protect users from spoofing and phishing attempts.
An instance of
HTMLEmbedElement
or
HTMLObjectElement
can no longer be called as a function, since the legacy caller has been removed.
Pre-standard ChaCha20-Poly1305 ciphers have been removed following the standardization of these algorithms at the
IETF
as
RFC 7539
and
RFC 7905
, and the subsequent shipping of the standard versions in Chrome 41.
To improve interoperability,
Selection.addRange()
now ignores an additional range if it overlaps with an existing range, rather than merging the two ranges.
Encrypted Media Extensions transmitted over non-sec
ure origins has been deprecated per Chrome's
policy
around powerful features and in compliance with the spec.
The
AudioBuffer
constructor now accepts the
sampleRate
member of an
AudioBufferOptions
dictionary instead of a
context
argument, simplifying the interface and emphasizing that
AudioBuffers
can be shared between
AudioContexts
.
The synchronous
FileReaderSync API
has been deprecated in service workers, as the service worker spec requires all types of synchronous requests to be initiated outside of a service worker.
The
abbr
and
acronym
elements now have a dotted underline by default to align with the HTML standard.
The motion-path
,
motion-offset
, and
motion-rotation
CSS properties have been removed in favor of the new versions:
offset-path
,
offset-distance
,
offset-rotate
.
When accessing
Selection API
properties like
selectionDirection
,
selectionStart
, and
selectionEnd
, Chrome will now return
null
when it would have thrown an
InvalidStateError
DOMException
.
Rather than silently clamping offset values that were too large, the
Selection API’s
setBaseAndExtent()
now throws an
IndexSizeError
DOMException
to better align with spec.
Rather than silently failing for
DocumentType
node inputs, the
Selection API’s
setBaseAndExtent()
,
extend()
, and
collapse()
now throw
InvalidNodeTypeError
DOMException
to better align with spec.
To better align with spec,
getRangeAt()
now always returns a new
Range
with position normalization.
The
AudioSourceNode
interface has been removed as it was not part of the WebAudio spec.
The
webkitdropzone
attribute has been removed as it was not widely adopted.
Posted by Victor Costan, IndexedDB Interloper
Labels
$200K
1
10th birthday
4
abusive ads
1
abusive notifications
2
accessibility
3
ad blockers
1
ad blocking
2
advanced capabilities
1
android
2
anti abuse
1
anti-deception
1
background periodic sync
1
badging
1
benchmarks
1
beta
83
better ads standards
1
billing
1
birthday
4
blink
2
browser
2
browser interoperability
1
bundles
1
capabilities
6
capable web
1
cds
1
cds18
2
cds2018
1
chrome
35
chrome 81
1
chrome 83
2
chrome 84
2
chrome ads
1
chrome apps
5
Chrome dev
1
chrome dev summit
1
chrome dev summit 2018
1
chrome dev summit 2019
1
chrome developer
1
Chrome Developer Center
1
chrome developer summit
1
chrome devtools
1
Chrome extension
1
chrome extensions
3
Chrome Frame
1
Chrome lite
1
Chrome on Android
2
chrome on ios
1
Chrome on Mac
1
Chrome OS
1
chrome privacy
4
chrome releases
1
chrome security
10
chrome web store
32
chromedevtools
1
chromeframe
3
chromeos
4
chromeos.dev
1
chromium
9
cloud print
1
coalition
1
coalition for better ads
1
contact picker
1
content indexing
1
cookies
1
core web vitals
2
csrf
1
css
1
cumulative layout shift
1
custom tabs
1
dart
8
dashboard
1
Data Saver
3
Data saver desktop extension
1
day 2
1
deceptive installation
1
declarative net request api
1
design
2
developer dashboard
1
Developer Program Policy
2
developer website
1
devtools
13
digital event
1
discoverability
1
DNS-over-HTTPS
4
DoH
4
emoji
1
emscriptem
1
enterprise
1
extensions
27
Fast badging
1
faster web
1
features
1
feedback
2
field data
1
first input delay
1
Follow
1
fonts
1
form controls
1
frameworks
1
fugu
2
fund
1
funding
1
gdd
1
google earth
1
google event
1
google io 2019
1
google web developer
1
googlechrome
12
harmful ads
1
html5
11
HTTP/3
1
HTTPS
4
iframes
1
images
1
incognito
1
insecure forms
1
intent to explain
1
ios
1
ios Chrome
1
issue tracker
3
jank
1
javascript
5
lab data
1
labelling
1
largest contentful paint
1
launch
1
lazy-loading
1
lighthouse
2
linux
2
Lite Mode
2
Lite pages
1
loading interventions
1
loading optimizations
1
lock icon
1
long-tail
1
mac
1
manifest v3
2
metrics
2
microsoft edge
1
mixed forms
1
mobile
2
na
1
native client
8
native file system
1
New Features
5
notifications
1
octane
1
open web
4
origin trials
2
pagespeed insights
1
pagespeedinsights
1
passwords
1
payment handler
1
payment request
1
payments
2
performance
20
performance tools
1
permission UI
1
permissions
1
play store
1
portals
3
prefetching
1
privacy
2
privacy sandbox
4
private prefetch proxy
1
profile guided optimization
1
progressive web apps
2
Project Strobe
1
protection
1
pwa
1
QUIC
1
quieter permissions
1
releases
3
removals
1
rlz
1
root program
1
safe browsing
2
Secure DNS
2
security
36
site isolation
1
slow loading
1
sms receiver
1
spam policy
1
spdy
2
spectre
1
speed
4
ssl
2
store listing
1
strobe
2
subscription pages
1
suspicious site reporter extension
1
TCP
1
the fast and the curious
23
TLS
1
tools
1
tracing
1
transparency
1
trusted web activities
1
twa
2
user agent string
1
user data policy
1
v8
6
video
2
wasm
1
web
1
web apps
1
web assembly
2
web developers
1
web intents
1
web packaging
1
web payments
1
web platform
1
web request api
1
web vitals
1
web.dev
1
web.dev live
1
webapi
1
webassembly
1
webaudio
3
webgl
7
webkit
5
WebM
1
webmaster
1
webp
5
webrtc
6
websockets
5
webtiming
1
writable-files
1
yerba beuna center for the arts
1
Archive
2024
Jun
May
Apr
Mar
Feb
2023
Nov
Oct
Sep
Aug
Jun
May
Apr
Feb
2022
Dec
Sep
Aug
Jun
May
Apr
Mar
Feb
Jan
2021
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2020
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2019
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2018
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2017
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2016
Dec
Nov
Oct
Sep
Aug
Jun
May
Apr
Mar
Feb
Jan
2015
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2014
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2013
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2012
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2011
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2010
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2009
Dec
Nov
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2008
Dec
Nov
Oct
Sep
Feed
Follow @ChromiumDev
Give us feedback in our
Product Forums
.