Chrome 71 arrives with an expanded ad blocker
Google today launched Chrome 71 for Windows, Mac, and Linux. The release includes an expanded ad blocker, warnings for unclear mobile billing services, support for relative times, and plenty more developer-specific features. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.
With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often must make an effort to stay on top of everything available, as well as what has been deprecated or removed. Most notably, Chrome 71 removes the inline install API for extensions.
Expanded ad blocker
With Chrome 71, Google is cracking down on “abusive experiences” — buttons designed to intentionally mislead and trick users into taking action on the web — by having the browser’s ad blocker cut off revenue for sites that create these abusive experiences.
Google last year joined the Coalition for Better Ads, a group that offers specific standards for how the industry should improve ads for consumers. In February, Chrome started blocking ads (including those owned or served by Google) on websites that display non-compliant ads, as defined by the coalition. When a Chrome user navigates to a page, the browser’s ad filter checks if that page belongs to a site that fails the Better Ads Standards. If so, network requests on the page are checked against a list of known ad-related URL patterns and any matches are blocked, preventing ads from displaying on the page.
Now Google is using the same strategy for abusive experiences. These ads trick users into clicking on them by pretending to be system warnings or by containing “close” buttons that do not actually close the ad. In some cases, they can even steal personal information.
Google didn’t say how many sites this crackdown will affect — the company only said it sees a “small number of sites with persistent abusive experiences.”
If you’re a site owner or administrator, use Google Search Console’s Abusive Experiences Report to check if your site contains abusive experiences that need to be corrected or removed. If any are found, you will have 30 days to fix them before Chrome starts blocking ads on your site.
Android and iOS
Chrome 71 for Android isn’t out quite yet, but it should arrive soon over on Google Play. Chrome 71 for iOS meanwhile is available on Apple’s App Store with the following changelog:
- You can now long-press on an image and save to clipboard and paste in other apps.
- Fixes … authentication issues caused by using out-of-date cookies. Let us know if you encounter any issues with signing in to or out of websites.
- Autofill now works better on sites with iframes (embedded pages).
The first one, the only feature addition, probably should have been added ages ago. The other two are just fixes and improvements.
Security fixes and improvements
As promised, Google’s browser on mobile and desktop, as well as in Android WebView, now displays a warning if it detects a webpage with unclear mobile billing services. If there is insufficient mobile subscription information available to the user, Chrome will let you know.
Chrome 71 also implements 43 security fixes. The following were found by external researchers:
- [$N/A][905940] High CVE-2018-17480: Out of bounds write in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 via Tianfu Cup on 2018-11-16
- [$6000][901654] High CVE-2018-17481: Use after frees in PDFium. Reported by Anonymous on 2018-11-04
- [$5000][895362] High CVE-2018-18335: Heap buffer overflow in Skia. Reported by Anonymous on 2018-10-15
- [$5000][898531] High CVE-2018-18336: Use after free in PDFium. Reported by Huyna at Viettel Cyber Security on 2018-10-24
- [$3000][886753] High CVE-2018-18337: Use after free in Blink. Reported by cloudfuzzer on 2018-09-19
- [$3000][890576] High CVE-2018-18338: Heap buffer overflow in Canvas. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-09-29
- [$3000][891187] High CVE-2018-18339: Use after free in WebAudio. Reported by cloudfuzzer on 2018-10-02
- [$3000][896736] High CVE-2018-18340: Use after free in MediaRecorder. Reported by Anonymous on 2018-10-18
- [$3000][901030] High CVE-2018-18341: Heap buffer overflow in Blink. Reported by cloudfuzzer on 2018-11-01
- [$3000][906313] High CVE-2018-18342: Out of bounds write in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-11-17
- [$1000][882423] High CVE-2018-18343: Use after free in Skia. Reported by Tran Tien Hung (@hungtt28) of Viettel Cyber Security on 2018-09-10
- [$TBD][866426] High CVE-2018-18344: Inappropriate implementation in Extensions. Reported by Jann Horn of Google Project Zero on 2018-07-23
- [$TBD][900910] High To be allocated: Multiple issues in SQLite via WebSQL. Reported by Wenxiang Qian of Tencent Blade Team on 2018-11-01
- [$8000][886976] Medium CVE-2018-18345: Inappropriate implementation in Site Isolation. Reported by Masato Kinugawa and Jun Kokatsu (@shhnjk) on 2018-09-19
- [$2000][606104] Medium CVE-2018-18346: Incorrect security UI in Blink. Reported by Luan Herrera (@lbherrera_) on 2016-04-23
- [$2000][850824] Medium CVE-2018-18347: Inappropriate implementation in Navigation. Reported by Luan Herrera (@lbherrera_) on 2018-06-08
- [$2000][881659] Medium CVE-2018-18348: Inappropriate implementation in Omnibox. Reported by Ahmed Elsobky (@0xsobky) on 2018-09-07
- [$2000][894399] Medium CVE-2018-18349: Insufficient policy enforcement in Blink. Reported by David Erceg on 2018-10-11
- [$1000][799747] Medium CVE-2018-18350: Insufficient policy enforcement in Blink. Reported by Jun Kokatsu (@shhnjk) on 2018-01-06
- [$1000][833847] Medium CVE-2018-18351: Insufficient policy enforcement in Navigation. Reported by Jun Kokatsu (@shhnjk) on 2018-04-17
- [$1000][849942] Medium CVE-2018-18352: Inappropriate implementation in Media. Reported by Jun Kokatsu (@shhnjk) on 2018-06-06
- [$1000][884179] Medium CVE-2018-18353: Inappropriate implementation in Network Authentication. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-09-14
- [$1000][889459] Medium CVE-2018-18354: Insufficient data validation in Shell Integration. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-09-26
- [$500][896717] Medium CVE-2018-18355: Insufficient policy enforcement in URL Formatter. Reported by evi1m0 of Bilibili Security Team on 2018-10-18
- [$TBD][883666] Medium CVE-2018-18356: Use after free in Skia. Reported by Tran Tien Hung (@hungtt28) of Viettel Cyber Security on 2018-09-13
- [$TBD][895207] Medium CVE-2018-18357: Insufficient policy enforcement in URL Formatter. Reported by evi1m0 of Bilibili Security Team on 2018-10-15
- [$TBD][899126] Medium CVE-2018-18358: Insufficient policy enforcement in Proxy. Reported by Jann Horn of Google Project Zero on 2018-10-26
- [$TBD][907714] Medium CVE-2018-18359: Out of bounds read in V8. Reported by cyrilliu of Tencent Zhanlu Lab on 2018-11-22
- [$500][851821] Low To be allocated: Inappropriate implementation in PDFium. Reported by Salem Faisal Elmrayed on 2018-06-12
- [$500][856135] Low To be allocated: Use after free in Extensions. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-06-25
- [$500][879965] Low To be allocated: Inappropriate implementation in Navigation. Reported by Luan Herrera (@lbherrera_) on 2018-09-03
- [$500][882270] Low To be allocated: Inappropriate implementation in Navigation. Reported by Jesper van den Ende on 2018-09-09
- [$500][890558] Low To be allocated: Insufficient policy enforcement in Navigation. Reported by Ryan Pickren (ryanpickren.com) on 2018-09-29
- [$TBD][895885] Low To be allocated: Insufficient policy enforcement in URL Formatter. Reported by evi1m0 of Bilibili Security Team on 2018-10-16
- [911706] Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $59,000 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
Developer features
Chrome 71 introduces Intl.RelativeTimeFormat(), which brings phrases such as “yesterday” or “in three months” to the JavaScript engine. Such phrases are not part of built-in date and time APIs because that would require downloading lists of customary words or phrases for each supported language, increasing a library’s bundle size and download time. The Intl.RelativeTimeFormat API can also retrieve information for multiple languages, dealing with parts of a date or time individually (in other words, formatToParts()).
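A short sketch of the API described above, added here as an illustration and not taken from the original article. The helper names (pickUnit, relativeTime, relativeTimeParts) and the 30-day month approximation are assumptions of this example.

```javascript
// Unit sizes in milliseconds, largest first. Month and year lengths are
// approximations chosen for this example.
const UNITS = [
  ['year', 365 * 24 * 3600 * 1000],
  ['month', 30 * 24 * 3600 * 1000],
  ['day', 24 * 3600 * 1000],
  ['hour', 3600 * 1000],
  ['minute', 60 * 1000],
  ['second', 1000],
];

// Pick the largest unit that fits the difference between two timestamps.
function pickUnit(targetMs, nowMs) {
  const delta = targetMs - nowMs;
  for (const [unit, ms] of UNITS) {
    if (Math.abs(delta) >= ms || unit === 'second') {
      return [Math.trunc(delta / ms), unit];
    }
  }
}

// numeric: 'auto' lets the formatter use words such as "yesterday"
// instead of "1 day ago" where the locale has them.
function relativeTime(targetMs, nowMs, locale = 'en') {
  const rtf = new Intl.RelativeTimeFormat(locale, { numeric: 'auto' });
  const [value, unit] = pickUnit(targetMs, nowMs);
  return rtf.format(value, unit);
}

// formatToParts() returns the same phrase split into typed pieces, so the
// number can be styled or handled separately from the literal text.
function relativeTimeParts(targetMs, nowMs, locale = 'en') {
  const rtf = new Intl.RelativeTimeFormat(locale, { numeric: 'auto' });
  const [value, unit] = pickUnit(targetMs, nowMs);
  return rtf.formatToParts(value, unit);
}
```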
Chrome 71 updates the V8 JavaScript engine to version 7.1. It includes memory improvements, performance tweaks, structured cloning of Wasm modules, and new JavaScript language features. Check out the full changelog for more information.
Other developer features in this release include:
- Add FullscreenOptions: The Element.requestFullscreen() method can now be customized on Android using an optional options parameter. Its navigationUI parameter allows you to choose between making the navigation bar visible versus a completely immersive mode where no user agent controls are shown until a gesture is performed. Possible values are "auto", "show", and "hide". This value expresses an application preference, with "auto" meaning no preference. The UI may overrule this value in any case.
- Add ‘persistent-storage’ property to the Permission API: The "persistent-storage" property is a new permission for the Permission API. The permission state can already be queried with navigator.storage.persisted(); with this change, navigator.permissions.query({name:"persistent-storage"}) can be used as well.
- Async touchpad pinch zoom events: Async touchpad pinch zoom events are for improving the page pinch zoom performance. Currently, the touchpad pinch zoom exposes a control wheel event that allows JS to cancel it. With this change, if the user doesn’t make a pinch action on the touchpad, effectively canceling the control wheel event, then following control wheel events are not cancelable. But JavaScript does not know which ctrl wheel is the first one in the sequence, so if you want to cancel pinch zoom, you need to cancel all of them.
- COLR/CPAL font support: Chrome now supports COLR/CPAL fonts which are a type of OpenType color font composed of layers of vector outline glyphs and color palette information into the final colored glyph. With this change, Chrome supports three color font formats cross-platform, the other two being CBDT/CBLC and SBIX. Because they are vector based, COLR/CPAL fonts provide for faster downloads and require less storage. An example of a COLR/CPAL font is the Twemoji color font.
- CSS gradient color stop double-position syntax: Support is added for the stop position syntax from the CSS Image Values and Replaced Content Module Level 4 spec. Currently, repeating colors require explicit positions.
- Implement ‘left’ and ‘right’ values for ‘text-underline-position’: Currently, in vertical flow for Chinese and Japanese, which side the underline appears on is not the same across browsers. To fix this, Chrome is adding support for 'left' and 'right' values of the 'text-underline-position' property. This property is part of the CSS3 Text Decoration spec which adds properties that implement new text decoration styling features such as lines, color, and style, including 'text-underline-position'.
- JavaScript Modules: Credentials mode defaults to “same-origin”: The default credentials mode for module script requests is changing from "omit" to "same-origin", providing credentials to same-origin module script requests and their descendant scripts (static and dynamic imports). The current behavior can be surprising in that it’s misaligned with other high-level features like the Fetch API, and in the web platform’s current architecture, causes a second server connection. This is undesirable for developers looking to reduce latency.
- TextEncoderStream and TextDecoderStream APIs: Text encoding and decoding supports streams to enable you to easily convert streams of binary data to text and vice-versa. An example of its usefulness is with readable streams. With a non-stream Response object, response.body.text() returns text. There is no equivalent for the ReadableStream returned by Response.Body, which can only return bytes. With the new API a streaming response body may be converted to text as so: Response.Body.pipeThrough(new TextDecoderStream()).
- Unprefixed Fullscreen API: The Fullscreen API has features for entering, and exiting fullscreen mode as well as event handlers for monitoring such changes. A prefixed version of the API has been supported since Chrome 15. This update adds an unprefixed version of the API.
- MediaElement and MediaStream nodes defined only for AudioContext: Chrome now only allows creation of MediaElementAudioSourceNode, MediaStreamAudioSourceNode, and MediaStreamAudioDestinationNode elements using an AudioContext. Previously these could be created using an OfflineAudioContext, but that does not comply with the spec. The behavior with an OfflineAudioContext is not well-defined and contrary to the real-time nature of the nodes themselves.
- Call capture event listeners in capturing phase at shadow hosts: To be interoperable with other browsers, Chrome now calls capture event listeners in the capturing phase at shadow hosts. Previously this was done in the bubbling phase on Chrome. A complete discussion may be read on the WHATWG repo on GitHub.
- Improve :host, :host-context, and ::slotted specificity: Chrome now calculates the specificity for the :host() and :host-context() pseudo classes as well as for the arguments for ::slotted(). This brings it into compliance with the Shadow DOM v1 spec. Shipping this will ensure interoperability between browsers since other browsers have or are about to ship this in their stable releases.
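To illustrate the TextDecoderStream item in the list above, the following added example (not from the original article) shows why a streaming decoder matters when a multi-byte character is split across chunks. It uses a constructed ReadableStream of sample bytes in place of a network response body; the function names and the sample data are assumptions of this example.

```javascript
// Constructed sample input: "price: €5" encoded as UTF-8 and split so the
// chunk boundary falls inside the three-byte euro sign (E2 82 AC).
const CHUNKS = [
  new Uint8Array([0x70, 0x72, 0x69, 0x63, 0x65, 0x3a, 0x20, 0xe2, 0x82]),
  new Uint8Array([0xac, 0x35]),
];

// Naive approach: decode each chunk on its own. The split character cannot
// be reassembled, so the decoder substitutes U+FFFD replacement characters.
function decodeChunksNaively(chunks) {
  return chunks.map((chunk) => new TextDecoder().decode(chunk)).join('');
}

// Streaming approach: TextDecoderStream holds back an incomplete byte
// sequence until the rest of it arrives in a later chunk.
async function decodeChunksStreamed(chunks) {
  const bytes = new ReadableStream({
    start(controller) {
      for (const chunk of chunks) controller.enqueue(chunk);
      controller.close();
    },
  });
  const reader = bytes.pipeThrough(new TextDecoderStream()).getReader();
  let text = '';
  for (;;) {
    const { done, value } = await reader.read();
    if (done) return text;
    text += value;
  }
}
```

Code that inspects or filters text from a streamed body should decode it this way, since per-chunk decoding silently corrupts characters at chunk boundaries.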
Source: VentureBeat