Chrome 61 was released today and are proud to announce that it is up in our systems, too. It took us just 7 minutes after Google's original announcement to add it to our browser cloud. This is how fast we are.

Google Chrome Version 61

Want to try it?

What's new in Chrome 61?

  • Native support for JavaScript modules.
  • A number of fixes and improvements.

For iOS:

  • Added a new button for scanning QR codes above the virtual keyboard.

For Android:

  • Addition of Web Share API.
  • Bug fixes and performance improvements.
  • Translate pages with a more compact and intuitive toolbar.
  • Pick images to post online with an improved image picker.

Web Share API

Regarding Chrome for Android, the Web Share API available today will allow you to easily integrate native sharing functionality to the user's device. That's right you won't have to include codes from 3rd party sites for this from now on. It is planned that this API will also be able to share to installed web apps. To use it, simply call navigator.share with the details of the page you want to share the system will take care for the rest. The Web Share API is a Promise-based, single method API.

  title: document.title,
  text: 'Hello',
  url: window.location.href
}).then(() => {
  console.log('Successful share');

Chrome 61 Web Share API

JavaScipt Modules

Chrome 61 provides native support for JavaScript modules via the <script type="module"> element. That way Chrome can fetch granular dependencies in parallel, taking advantage of caching, avoiding duplications across the page and ensuring that script executes in the correct order.


Generic hardware peripherals such as printers, keyboards, gamepads and mice are supported by high-level APIs. But specialized USB devices working in the browsers has been a challenge, often requiring specialized drivers respectively. But not anymore, Chrome 62 has been given the WebUSB API, which allows web apps to communicate with USB devices as soon as the user has permitted to. If you are interested to that, take a llok at the WebUSB spec. This is how it looks to select and access Arduino boards through the web:

enter image description here

Developer features and updates in Chrome 61

  • Blocking resources whose URLs contain both \\n and < characters. - As discussed in here, some forms of dangling markup attacks rely upon injecting an unclosed attribute that sucks up portions of a page, and exfiltrates them to an external endpoint (e.g. <img src=' eats the page until the next '). This is possible because the URL parser helpfully discards newline characters. It would be lovely if we could make the parser less helpful.
  • CSP: Embedded Enforcement - CSP's Embedded enforcement defines a mechanism by which a web page can embed a nested browsing context if and only if it agrees to enforce a particular set of restrictions upon itself. We should prototype an implementation to see if it's something that solves real problems in a way we can ship.
  • CSSOM View smooth scroll API - Adds an optional argument to existing scroll APIs that specifies whether scrolling should be smooth. Also adds a CSS property for this.
  • Clear-Site-Data header - A ‘Clear-Site-Data’ HTTP header prompts the user agent to clear browsing data associated with the requesting website. The supported browsing data types are cookies, storage (i.e. “site data”), and cache. This is a privacy and security enhancing feature. A sensitive website can trigger local data deletion after the user signs out. A website dealing with a persistent XSS attack can use this to ‘reset’ itself to a clean state.
  • DOMTokenList replace() - Add the replace() function to DOMTokenList interface. We can use it like element.classList.replace('inactive', 'active').
  • Deprecate and remove Presentation API on insecure contexts - In aligning with Blink’s intention to remove powerful features on insecure origins, we plan to deprecate and remove support for the Presentation API on insecure contexts. The initial milestone (M61) is for deprecation of PresentationRequest and PresentationReceiver. The target milestone for removal is M71 (December 2018).
  • Expect-CT header - Expect-CT is an HTTP header that allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that Chrome check that any certificate for that site appears in public CT logs.
  • Geometry interfaces - This specification describes several geometry interfaces for the representation of points, rectangles, quadrilaterals and transformation matrices with the dimension of 3x2 and 4x4. SVGPoint, SVGRect and SVGMatrix will be aliased to new interfaces. Their old methods will be maintained and some new methods are introduced. In the near future, CSS transform will be updated so they can work directly with the new objects. This avoid parsing on the js side.
  • HTMLIFrameElement.allowpaymentrequest - Returns a Boolean indicating whether the Payment Request API may be invoked on a cross-origin iframe.
  • HTTP Client Hints: Device-Memory - Client header to expose the device Memory to web applications.
  • Interoperable body/documentElement scroll behavior - Update Blink to match the CSSOM View spec’s behavior around element scrolling APIs for documentElement and body, i.e.: scrollTop, scrollLeft, scrollWidth, scrollHeight and Document.scrollingElement
  • Intervention: Passive Event Listener for type == \"mousewheel\" && target == window && function_name == \"ssc_wheel\" - The smoothscroll.js code is largely broken and is preventing us from shipping scroll top interop. With the scroll top interop behavior activated sites fail to scroll at all with the wheel event. This library was corrected a few years ago but the web continues to clone the broken version and we have been blocked in shipping this long implemented fix for interop. Smooth scroll has been enabled in Chrome for a number of releases so using custom smooth scrolling is not necessary anymore.
  • JavaScript dialogs exit HTML5 fullscreen - If a page shows a JavaScript dialog while it is in fullscreen (the HTML5 kind), it is exited from fullscreen.
  • JavaScript modules: <script type=module> - JavaScript modules allow a program to be divided into multiple sequences of statements and declarations. Each module explicitly identifies declarations it uses that need to be provided by other modules and which of its declarations are available for use by other modules. <script type=module> allows loading of JavaScript modules inside web pages.
  • MediaStream Image Capture - getPhotoSettings() method - This chrome feature tracks adding the method getPhotoSettings() [1] to the currently landed ImageCapture object [2]. It's a trivial follow up to the MediaStream Image Capture API shipped in 59 [3].
  • MediaStreamTrack.getSettings() - Returns the current settings of a MediaStreamTrack, including information such as (for video) width, height or framerate.
  • Network Information - The Network Information API enables web applications to access the underlying connection information of the device.
  • PaymentRequest - An API that allows browsers to act as an intermediary between the three key parties in a financial transaction: the merchant (e.g. an online web store), the buyer (e.g. the user buying from the online web store), and the Payment Method (e.g. credit card). Information necessary to process and confirm a transaction is passed between the Payment Method and the merchant via the browser with the buyer confirming and authorizing as necessary across the flow.
  • Referrer policies 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin' - The Referrer Policy specification includes three policy values that Chrome doesn't yet implement. - same-origin: Send full referrers same-origin, no referrers cross-origin. - strict-origin: Strip referrers to the origin, but strip them when downgrading from HTTPS to HTTP. - strict-origin-when-cross-origin: Send full referrers same-origin, and the origin when cross-origin, but strip referrers when downgrading from HTTPS to HTTP.
  • Resource Timing & Navigation Timing: add nextHopProtocol property - nextHopProtocol has been in the spec for RT & NT but was not implemented in chrome yet. It is now landed and will ship in M61
  • Storage quota estimate() API - - returns a Promise which resolves with {usage, quota} values in bytes.
  • SyncManager interface exposed to all workers - Historically the SyncManager interface was only exposed to the window and service workers. This feature exposes the interface to all workers.
  • URLSearchParams: sort() method - Sorts all name-value pairs stored in a URLSearchParams. Proposed at issues26 to improve cache hit rate easily.
  • URLSearchParams: updated constructor - URLSearchParams constructor has been changed in pull175. It is now possible to create a new URLSearchParams by passing it any object (e.g. new URLSearchParams({'foo': 'bar'})).
  • Update colSpan max value to 1000 - Update colSpan max value from 8190 to 1000 as per spec change. [1] [2]
  • Web Share API - Web Share is a proposed API for sharing data (text, URLs, images) from the web to an app of the user's choosing.
  • WebUSB API - The web platform API to support programming USB devices.
  • getAttributeNames() of Element interface - getAttributeNames() is a function to rerun a list of attribute names of an element.
  • onwheel in GlobalEventHandlers - Previously we had onwheel attributes as part of the Element. Now we are moving them to GlobalEventHandlers to make them consistent with the other on'event' attributes.
  • visualViewport API - Exposes information about the visual viewport to the page.

Bug fixes

High-threat bug fixes

  • CVE-2017-5111: Use after free in PDFium. Reported by Luật Nguyá»…n (@l4wio) of KeenLab, Tencent on 2017-06-27
  • CVE-2017-5112: Heap buffer overflow in WebGL. Reported by Tobias Klein ( on 2017-07-10
  • CVE-2017-5113: Heap buffer overflow in Skia. Reported by Anonymous on 2017-07-20
  • CVE-2017-5114: Memory lifecycle issue in PDFium. Reported by Ke Liu of Tencent's Xuanwu LAB on 2017-08-07
  • CVE-2017-5115: Type confusion in V8. Reported by Marco Giovannini on 2017-07-17
  • CVE-2017-5116: Type confusion in V8. Reported Guang Gong of Alpha Team, Qihoo 360 on 2017-08-28

Medium-threat bug fixes

  • CVE-2017-5117: Use of uninitialized value in Skia. Reported by Tobias Klein ( on 2017-07-04
  • CVE-2017-5118: Bypass of Content Security Policy in Blink. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-07-24
  • CVE-2017-5119: Use of uninitialized value in Skia. Reported by Anonymous on 2017-05-22

Low-threat bug fixes:

  • CVE-2017-5120: Potential HTTPS downgrade during redirect navigation. Reported by Xiaoyin Liu (@general_nfs) on 2017-05-05


Have fun cross-browser testing with Chrome 61!