In September 2018, Chrome 69 will begin blocking third-party software from injecting into Chrome processes. If this blocking prevents Chrome from starting, Chrome will restart and allow the injection, but also show a warning that guides the user to remove the software. Finally, in January 2019, Chrome 72 will remove this accommodation and always block code injection.
While most software that injects code into Chrome will be affected by these changes, there are some exceptions. Microsoft-signed code, accessibility software, and IME software will not be affected. As with all Chrome changes, developers are encouraged to use Chrome Beta for early testing.
Fewer crashes means more happy users, and we look forward to continuing to make Chrome better for everyone.
Posted by Chris Hamilton, Chrome Stability Team
Updated 2018-06-21: Third-party software will be blocked from injecting code into Chrome on Windows starting in Chrome 69.
An example of a redirect being blocked on a test site. The iframes embedded in the site are attempting to navigate the page to an unintended destination, but Chrome prevents the redirect and shows an infobar. When the user interacts with content, things can also go wrong. One example that causes user frustration is when clicking a link opens the desired destination in a new tab, while the main window navigates to a different, unwanted page. Starting in Chrome 68 we'll also detect this behavior, trigger an infobar, and prevent the main tab from being redirected. This allows the user to continue directly to their intended destination, while also preserving the context of the page they came from. Finally, there are several other types of abusive experiences that send users to unintended destinations but are hard to automatically detect. These include links to third-party websites disguised as play buttons or other site controls, or transparent overlays on websites that capture all clicks and open new tabs or windows.
Two types of abusive experiences where a deceptive site control appears to do one thing, but has a different behavior when clicked. One looks like a play button on a video but sends the user to an unwanted download when clicked (left), and the other looks like a close button but instead opens unwanted pop-up windows (right). Similar to how Google Safe Browsing protects users from malicious content, starting in early January Chrome's pop-up blocker will prevent sites with these types of abusive experiences from opening new windows or tabs. To help site owners prepare for this change, today we're also launching the Abusive Experiences Report alongside other similar reports in the Google Search Console. Site owners can use the report to see if any of these abusive experiences have been found on their site and improve their user experience. Otherwise, abusive experiences left unaddressed for 30 days will trigger the prevention of new windows and tabs. Together, these protections will dramatically improve users' web browsing experiences while still allowing them access to all that the web has to offer. Posted by Ryan Schoen, Product Manager
Update 2018-06-07: The two protections described above that prevent unwanted redirects and unwanted tabs or windows are now scheduled to be released with Chrome 68. The timeline for expanding Chrome's pop-up blocker remains unchanged, as it already launched in January.
Currently, importing JavaScript modules is completely static, and developers cannot import modules based on runtime conditions, like whether a user is logged in. Starting in this release, the import(specifier)syntax now allows developers to dynamically load code into modules and scripts at runtime. This can be used for lazy loading a script only when it’s needed, which improves performance of the application. button.addEventListener('click', event => { import('./dialogBox.js') .then(dialogBox => { dialogBox.open(); }) .catch(error => { /* Error handling */ }); });
The code example above shows how to use the import(specifier) function to import JavaScript after an event.
Async iterators and generators
Writing code that does any sort of iteration with async functions can be inelegant. The new async generator functions using the async iterationprotocol are now available to help developers streamline the consumption or implementation of streaming data sources. Async iterators can be used in for loops and also to create custom async iterators through async iterator factories.
async function* getChunkSizes(url) { const response = await fetch(url); for await (const chunk of streamAsyncIterator(response.body)) { yield chunk.length; } }
The code example above shows how to use async iterators to writer cleaner code for streaming fetches, using the streamAsyncIterator function.
Device Memory API
It’s challenging for developers to create one user experience that can work across all devices, due to varying device capabilities. The new Device Memory JavaScript API helps developers with this challenge by using the total RAM on a user’s machine to provide insights into device constraints. This insight enables developers to tailor content at runtime in accordance with hardware limitations. For example, developers can serve a “lite” app to users on low-end devices, resulting in better experiences and fewer frustrations. The Device Memory API can also be used to add context to metrics, such as the amount of time a task takes to complete in JavaScript, through the lens of device memory.
Permissions UI changes
When websites need special permissions from a user, they trigger a permission request. Currently these permission requests appear in Chrome for Android as ignorable banners at the bottom of the screen, and developers often show them without considering whether the user has the appropriate context to grant the permission. This results in a distracting user experience, and users ignore or temporarily dismiss these permission prompts more than 90% of the time.
In Chrome 59, we started to address this problem by temporarily blocking a permission if the user dismisses the request three times. As a next step, in this release Chrome for Android now presents permission requests as modal dialogs. This change reduces the overall number of permission prompts by 50%. It also makes users 5 times more likely to accept or deny requests, rather than temporarily dismissing or repeatedly ignoring them. To ensure users understand the permission request, developers should present users with permission requests at an appropriate time, as we’ve found that users were 2.5 times more likely to grant permission to a site that ask for permissions with context.
Developers can now prevent apps from using Chrome’s pull-to-refresh feature or create custom effects using overscroll-behavior, which allows changing the browser’s behavior once the scroller has reached its full extent.
To improve interoperability, Chrome will fire beforeprint and afterprint events as part of the printing standard, allowing developers to to annotate the printed copy and edit the annotation after the printing command is done executing.
The Intl.PluralRules API allows developers to build applications that understand pluralization of a given language by indicating which plural form applies for a given number and language.
Version 2 of NT LAN Manager (NTLM) API is now shipped, enabling applications to authenticate remote users and provide session security when requested by the application.
Blink > Sensor
Thanks to contributors from engineers at Intel, an Origin Trial is now available that exposes the following sensors via the new Generic Sensors API syntax: Accelerometer, LinearAccelerationSensor, Gyroscope, AbsoluteOrientationSensor, and RelativeOrientationSensor.
Blink > Storage
The localStorage and sessionStorage API's now use getItem() rather than an anonymous getter, so attempting to access a key using getItem() will now return null rather than undefined. Thanks to Intel for the contribution!
To improve developer experience, the methods on sessionStorage and localStorage such as getItem(), removeItem(), and clear() are now enumerable. Thanks to Intel for making this happen!
The Network Infomation API has been available in previous versions of Chrome, but has only provided theoretical network speeds given the type of a user's connection. In this release, the API has been expanded to provide developers with network performance metrics as experienced by the client. Using the API, a developer can inspect the current expected round trip time and throughput and be notified of performance changes. To simplify application logic, the API also summarizes measured network performance as the cellular connection type (e.g. 2G) most similar to it, even if the actual connection is WiFi or Ethernet.
Using these network quality signals, developers can tailor content to network constraints. For example, on very slow connections, developers can serve a simplified version of the page to improve page load times. These signals will also soon be available as HTTP request headers and enabled via Client Hints.
OpenType Variable Fonts
OpenType Font Variations bring new typographic capabilities to the web. Previously, one font file contained just a single instance of a font family, including only one weight (Regular, Bold, Black…) or one stretch (Normal, Condensed, Expanded…).
With variable fonts, responsive design on the web now extends to typography. OpenType Variations provide a continuous spectrum of stylistic variations while saving space and bandwidth, since they all load from a single compact font file. Stretch, style, and weight can be adjusted using the respective updated CSS properties which now allow numeric values. Fine tuning of variation axis parameters, such as weight or width, is possible using the font-variation-settings CSS property.
Media Capture from DOM Elements
The W3C Media Capture from DOM Elements API now allows sites to live-capture content in the form of a MediaStream directly from HTMLMediaElements (i.e. <video> and <audio>). By invoking the captureStream() method on HTMLMediaElements, streamed content can be recorded and sent remotely using WebRTC, processed with WebAudio, or manipulated in various other ways.
Figure: A 3D rendering being live-captured and streamed to a peer connection using WebRTC.
DOM interfaces are now supported for the <data> and <time> HTML elements to give developers a native, machine-readable way to store client-side content.
Lookbehind assertions are now available in addition to lookaheads, so developers can use regular expressions to ensure that a pattern is or isn’t preceded by another, e.g. matching a dollar amount without capturing the dollar sign.
A new WebVR Origin Trial is now available, enabling developers to experiment with building rich Virtual Reality experiences on the web.
Following previous announcements, the “Not secure” warning will now be displayed when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.
The `tabindex` attribute now enables the on-screen keyboard on Chrome for Android to more easily navigate between the next and previous fields within a form, thanks to a contribution from Samsung.
Developers can now use the s flag to enable dotAll mode in ECMAScript regular expressions, making “.” match any character, including line terminators.
Uploading images on Chrome for Android has an improved user experience and multi-select support that triggers on any site that invokes <input type="file"> with an accept attribute specifying that only images are accepted.
The new visibility:collapse CSS declaration now hides table rows while preserving their contribution to column widths, rather than treating it like visibility:hidden, which merely skips painting the rows.
Protected media can now be played offline through EME on Chrome for Android.
Chrome for Android now supports Widevine L1, allowing sites to play encrypted media in a secure way.
Loosened restrictions on escape sequences in template literals unlock new use cases for template tags, such as LaTeX processing.
In Android O, sites with notification permissions now appear as a Notification Channel in Android Settings under Chrome, affording users a simpler way to manage permissions.
Deprecations and interoperability improvements
Following an update to native button appearance on macOS, the appearance of <input> buttons and the <button> element have been similarly changed, affecting the default values for the background-color, border, border-radius, and padding CSS properties.
The ability to request permission to show notifications has been removed over HTTP connections and within cross-origin iframes, in line with our policy on restricting powerful features to only HTTPS.
To increase accuracy and ensure that users receive content in the language they expect, base language is now added immediately after language+region when generating accept-language headers from language settings.
To improve UX and browser consistency, transitional mouse events will now be dispatched, and hover states will now be updated more quickly after the intended layout has been modified.
OfflineAudioContext now accepts a dictionary argument, in addition to the existing constructor that takes three separate arguments.
In line with other browsers, the getStreamById method on RTCPeerConnection has now been removed.
SharedWorker.workerStart has been removed, following its deprecation and removal from other major browsers.
To better conform to spec, the default value of <ol>.start has been set to 1.
Posted by Ben Greenstein and Tarun Bansal, The Network’s Watch
