Google today launched Chrome 78 for Windows, Mac, Linux, Android, and iOS. The release includes the CSS Properties and Values API, Native File System API, new Origin Trials, and dark mode improvements on Android and iOS. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.
With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often have to stay on top of everything available — as well as what has been deprecated or removed. Chrome 78, for example, removes the XSS Auditor due to privacy concerns.
Windows, Mac, and Linux
Chrome 78 implements the CSS Properties and Values API to let developers register variables as full custom properties. That way, you can ensure they’re always a specific type, set a default value, or even animate them. The image below is a transition created with a CSS custom property. This transition is impossible to achieve without the new API, and it’s type safe.
The new Native File System API lets developers build web apps that interact with files on the user’s local device. That means IDEs, photo and video editors, text editors, and so on. After a user grants access, the API allows web apps to read or save changes directly to files and folders by invoking the platform’s own open and save dialog boxes.
Chrome 77, released in September, introduced Origin Trials that let you to try new features and provide feedback on usability, practicality, and effectiveness to the web standards community. Chrome 78 adds a few more, including Signed Exchanges and SMS Receiver API. The former allow a distributor to provide content signed by a publisher. The latter allows websites to access SMS messages that are delivered to the user’s phone.
Chrome 78 also includes a few features that are rolling out gradually. For example, Chrome users will soon be able to highlight and right-click a phone number link in Chrome and forward the call to their Android device. Some users might also see an option to share their clipboard content between their computers and Android devices. Clipboard sharing requires Chrome signed in on both devices with the same account, and Chrome Sync enabled. Google says the text is end-to-end encrypted, and that the company can’t see the contents.
Chrome is also getting Google Drive integration. From Chrome’s address bar, you will be able to search for Google Drive files that you have access to. Again, if you don’t see any of this in Chrome 78, don’t fret. They are rolling out gradually.
Android and iOS
Chrome 78 for Android is rolling out slowly on Google Play. The changelog is just one bullet point: “Dark theme for Chrome menus, settings, and surfaces. Find it in Settings > Themes.”
Chrome 78 for iOS is rolling out on Apple’s App Store. It includes three improvements:
- The ability to switch Chrome to dark mode if your device has been upgraded to iOS 13.
- Bookmarks, History, Recent Tabs and Reading List are now presented as cards on iOS 13.
- The ability to add a new credit card directly in Chrome from the settings page.
Clearly Google focused on dark mode for this mobile release.
Chrome 78 implements 37 security fixes. The following were found by external researchers:
- [$20000] High CVE-2019-13699: Use-after-free in media. Reported by Man Yue Mo of Semmle Security Research Team on 2019-09-06
- [$15000] High CVE-2019-13700: Buffer overrun in Blink. Reported by Man Yue Mo of Semmle Security Research Team on 2019-08-28
- [$1000] High CVE-2019-13701: URL spoof in navigation. Reported by David Erceg on 2019-08-27
- [$5000] Medium CVE-2019-13702: Privilege elevation in Installer. Reported by Phillip Langlois ([email protected]) and Edward Torkington ([email protected]), NCC Group on 2019-08-06
- [$3000] Medium CVE-2019-13703: URL bar spoofing. Reported by Khalil Zhani on 2019-08-12
- [$3000] Medium CVE-2019-13704: CSP bypass. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-09-05
- [$2000] Medium CVE-2019-13705: Extension permission bypass. Reported by Luan Herrera (@lbherrera_) on 2019-07-30
- [$2000] Medium CVE-2019-13706: Out-of-bounds read in PDFium. Reported by pdknsk on 2019-09-05
- [$1000] Medium CVE-2019-13707: File storage disclosure. Reported by Andrea Palazzo on 2018-07-01
- [$1000] Medium CVE-2019-13708: HTTP authentication spoof. Reported by Khalil Zhani on 2019-02-13
- [$1000] Medium CVE-2019-13709: File download protection bypass. Reported by Zhong Zhaochen of andsecurity.cn on 2019-09-18
- [$500] Medium CVE-2019-13710: File download protection bypass. Reported by bernardo.mrod on 2017-08-18
- [$500] Medium CVE-2019-13711: Cross-context information leak. Reported by David Erceg on 2019-07-20
- [$500] Medium CVE-2019-15903: Buffer overflow in expat. Reported by Sebastian Pipping on 2019-09-16
- [$N/A] Medium CVE-2019-13713: Cross-origin data leak. Reported by David Erceg on 2019-08-13
- [$2000] Low CVE-2019-13714: CSS injection. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-07-10
- [$500] Low CVE-2019-13715: Address bar spoofing. Reported by xisigr of Tencent’s Xuanwu Lab on 2017-08-31
- [$500] Low CVE-2019-13716: Service worker state error. Reported by Barron Hagerman on 2019-09-19
- [$N/A] Low CVE-2019-13717: Notification obscured. Reported by xisigr of Tencent’s Xuanwu Lab on 2018-05-03
- [$N/A] Low CVE-2019-13718: IDN spoof. Reported by Khalil Zhani on 2018-07-20
- [$N/A] Low CVE-2019-13719: Notification obscured. Reported by Khalil Zhani on 2019-01-31
-  Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $58,500 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
Other developer features in this release include:
- Apply Opacity for the Default Style of INPUT/TEXTAREA placeholder: Changes the default style for ::placeholder from
rgba(0, 0, 0, 0.54).
- Extend Byte-for-Byte Update Check to all Service Worker importScripts() Resources: Byte-for-byte checks are now available for service worker scripts imported by
importScripts(). Currently, service workers update only when the service worker main script has changed. In addition to not conforming to the latest spec, this forces developers to build workarounds such as adding hashes to the imported script’s urls.
- Faster Web Sockets:
Chrome 78 improves the download speed of
ArrayBufferobjects when used with
WebSocketobjects on desktop. Results depend on network speed and hardware so your results may be vary. Google has seen download speeds that are 4.1 times faster on Windows, 7.8 times faster on macOS, and 7.5 times faster on Linux.
- More restrictive hasEnrolledInstrument() for Autofill Instruments: Improves the authorization of transactions by requiring unexpired cards and a billing address. This improves the quality of autofill data and increases the chances that
PaymentRequest.hasEnrolledInstrument()returns true. This improves the user experience on transactions that use autofill data.
- PaymentResponse.prototype.retry(): In cases where there is something wrong with the payment response’s data (for example, the shipping address is a PO box), the
retry()method of a
PaymentResponseinstance now allows you to ask a user to retry a payment.
- Percentage Opacity: Adds support for percentage values to the opacity properties, specifically,
shape-image-threshold. For example,
opacity: 50%is equivalent to
opacity: 0.5. This brings consistency and spec compliance. The
rgba()function already accepts percentage alpha value, for example
rgba(0, 255, 0, 50%).
- Redact Address in PaymentRequest.onshippingaddresschange Event: Removes fine-grained information from the shipping address before exposing it to a merchant website in the
PaymentRequest.onshippingaddresschangeis used to communicate the shipping address a user has selected to the merchant so they can make adjustments to the payment amounts such as shipping cost and tax. At this point, the user has not fully committed to the transaction, so the principle should be to return as little information as possible to the merchant. The redaction removes
phoneNumberfrom the shipping address because these are not typically needed for shipping cost and tax computation.
- Seeking: Adds a media session action handler for the
seektoaction. An action handler is an event tied specifically to a common media function such as pause or play. The
seektoaction handler is called when the site should move the playback time to a specific time.
- User Timing L3: Extends the existing User Timing API to enable two new use cases. Developers can pass custom timestamps to
performance.mark(), so as to conduct measurement across arbitrary timestamps. Developers can report arbitrary metadata with
performance.measure(), which provides rich data to analytics via a standardized API.
For a full rundown of what’s new, check out the Chrome 78 milestone hotlist.
Google releases a new version of its browser every six weeks or so. Chrome 79 will arrive in early December.