Skip to main content

Chrome 61 arrives with JavaScript modules and WebUSB support

Image Credit: Google

Google has launched Chrome 61 for Windows, Mac, and Linux. Additions in this release include JavaScript modules and WebUSB support, among other developer features. You can update to the latest version now using the browser’s built-in silent updater or download it directly from google.com/chrome.

Chrome is arguably more than a browser. With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

Chrome now supports JavaScript modules natively via the new <script type=module> element, letting developers declare a script’s dependencies. Modules are already popular in third-party build tools, which use them to bundle only the required scripts. Native support means the browser can fetch granular dependencies in parallel, taking advantage of caching, avoiding duplications across the page, and ensuring the script executes in the correct order, all without a build step. Google recommends these two blog posts for more information: ECMAScript modules in browsers and ES6 Modules in Depth.

Speaking of JavaScript, Chrome 61 also upgrades the browser’s V8 JavaScript engine to version 6.1. Developers can expect performance improvements and a binary size reduction.

VB Event

The AI Impact Tour – Atlanta

Continuing our tour, we’re headed to Atlanta for the AI Impact Tour stop on April 10th. This exclusive, invite-only event, in partnership with Microsoft, will feature discussions on how generative AI is transforming the security workforce. Space is limited, so request an invite today.
Request an invite

The WebUSB API meanwhile allows web apps to access user-permitted USB devices. This enables all the functionality provided by hardware peripherals such as keyboards, mice, printers, and gamepads, while still preserving the security guarantees of the web (translation: this new API will be exploited one day).

Other developer features in this release include:

  • The Network Information API is now available on desktop as well as Android, enabling sites to access the underlying connection information of a device.
  • Developers can now specify scrolling smoothness via a new optional parameter in existing Scroll APIs or with the scroll-behavior CSS property.
  • The CSSOM View Smooth Scroll API brings native smooth scrolling to the platform through the scroll-behavior: smooth CSS property or by using the window.scrollTo() DOM scroll method, eliminating the need to implement this behavior with JavaScript.
  • CSS color values can now be 8- and 4-digit hex colors of the format #RRGGBBAA and #RGBA.
  • Sites can now access the relative positions of the screen content with the Visual Viewport API, exposing complex functionality like pinch-and-zoom in a more direct way.
  • The Device RAM API is now available, exposing the amount of RAM on a user’s device to sites to optimize overall performance of a web application.
  • When navigating from an installed web app to a site outside the initial web app’s scope, the new site now automatically loads in a Custom Chrome Tab.
  • For video using native controls, Chrome will now automatically expand video to fullscreen when a user rotates their device in an orientation that matches a video playing on the screen.
  • nextHopProtocol is now available in Resource Timing and Navigation Timing, providing access to the network protocol used to fetch a resource.
  • Sites can now require embedded third-party content to enforce a given Content Security Policy via the new csp attribute on <iframe> elements.
  • The DOMTokenList interface now supports replace() to easily change all identical tokens to a new one, such as active to inactive on expiration.
  • To access a list of attribute names of an element, getAttributeNames() is now supported and gives developers a more direct mechanism than going through the attributes collection.
  • To increase security, sites will now automatically exit full screen if a JavaScript dialog opens.
  • Sites can now access an estimate for the disk space used by a given origin and quota in bytes via the Storage API’s new navigator.storage.estimate() function.
  • To improve the browser’s cache hit rate, URLSearchParams now supports sort() to list all stored name-value pairs.
  • The URLSearchParams constructor has been updated to accept any object as a parameter instead of only other URLSearchParams instances.
  • To prevent the use of mis-issued certificates going unnoticed, sites can use the new Expect-CT HTTP header, which will enable automated reporting and/or enforcement of Certificate Transparency requirements.
  • Chrome will no longer decode frames for videos using Media Source in background tabs.
  • “Non-Live” camera settings, such as photo resolution, red eye reduction, and flash mode can now be retrieved with ImageCapture.getPhotoSettings().
  • Sites can now use the Clear-Site-Data header to delete their own client-side data, such as cookies, service workers, storage, and cache entries.

For what’s new in the browser’s DevTools, check out the release notes.

Chrome 61 also implements 22 security fixes. The following ones were found by external researchers:

  • [$5000][737023]High CVE-2017-5111: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-06-27
  • [$5000][740603]High CVE-2017-5112: Heap buffer overflow in WebGL. Reported by Tobias Klein (www.trapkit.de) on 2017-07-10
  • [$5000][747043]High CVE-2017-5113: Heap buffer overflow in Skia. Reported by Anonymous on 2017-07-20
  • [$3500][752829]High CVE-2017-5114: Memory lifecycle issue in PDFium. Reported by Ke Liu of Tencent’s Xuanwu LAB on 2017-08-07
  • [$3000][744584]High CVE-2017-5115: Type confusion in V8. Reported by Marco Giovannini on 2017-07-17
  • [$TBD][759624]High CVE-2017-5116: Type confusion in V8. Reported by Anonymous on 2017-08-28
  • [$1000][739190]Medium CVE-2017-5117: Use of uninitialized value in Skia. Reported by Tobias Klein (www.trapkit.de) on 2017-07-04
  • [$1000][747847]Medium CVE-2017-5118: Bypass of Content Security Policy in Blink. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-07-24
  • [$N/A][725127]Medium CVE-2017-5119: Use of uninitialized value in Skia. Reported by Anonymous on 2017-05-22
  • [$N/A][718676]Low CVE-2017-5120: Potential HTTPS downgrade during redirect navigation. Reported by Xiaoyin Liu (@general_nfs) on 2017-05-05
  • [762099] Various fixes from internal audits, fuzzing and other initiatives

Google thus spent at least $23,500 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.

Speaking of security, this release also removes trust in WoSign and StartCom certificates. Back in October 2016, Google unveiled its plan for the process, starting with only trusting certificates issued prior to October 21 2016 in Chrome 56, restricting trust to a set of whitelisted hostnames based on the Alexa Top 1 million, and then reducing the size of the whitelist over the course of several Chrome releases. In Chrome 61, the whitelist has been removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued.

Google releases a new version of its browser every six weeks or so. Chrome 62 will arrive by mid-October.

Update at 7:30 p.m. Pacific: Google also released Chrome 61 for Android today. In addition to performance and stability fixes, you can expect two new features: Translate pages with a more compact toolbar and pick images with an improved image picker.

VB Daily - get the latest in your inbox

Thanks for subscribing. Check out more VB newsletters here.

An error occured.