Chrome 64 has been released today. It took the Chrome team a little longer than a month to release it. We updated it in our browser testign cloud and you can test your webapps in it already.

Chrome 64 Version

Try it yourself right away!

What's new in Chrome 64?

  • Support for ResizeObservers, will notify you when an element’s content rectangle has changed its size.
  • Modules can now access to host specific metadata with import.meta.
  • The pop-up blocker gets stronger.
  • window.alert() no longer changes tab focus.
  • Chrome now supports named captures in regular expressions.
  • The default preload value for
  • You can now use Request.prototype.cache to view the cache mode of a Request and determine whether a request is a reload request.
  • Using the Focus Management API, you can now focus an element without scrolling to it with the preventScroll attribute.
  • A number of fixes and improvements.

For Android:

  • Prevents sites with abusive ad experiences from opening new windows or tabs without your permission.
  • Stability and performance improvements.

iOS version:

  • You can now disable Article Suggestions without also disabling omnibox suggestions by going to Chrome Settings
  • If you previously turned off "Search and Site Suggestions" to disable Article Suggestions and would like to turn back on your Search Suggestions in the omnibox, you can do that from Chrome Settings > Privacy.
  • Support for iPhone X.
  • Now requires iOS 10 or later.

Performance Monitor

This tool will give you a real-time view of both page load and runtime performance. You can use it to monitor CPU usage, JavaScript heap size, total number of DOM nodes and more. So if your customers or users are reporting that your app feels slow, now you can see how and why for yourself easily.

Chrome 64 Perf Monitor

To use the Performance Monitor:

  1. Open the Command menu
  2. Start typing Performance then select Show Performance Monitor.

Console Sidebar

Usually sites make up too large of a traffic for the small sized console and you get spammed with messages that are of no interest to you. The Console Sidebar is useful to reduce the noise so that you are focused on what is important in the particular case.

Chrome 64 Console Sidebar

As you can see in the image above, the Console Sidebar can be used to display errors only. The sidebar is hidden by default, so you got to press Show Console Sidebar - this little icon: Chrome 64 Show Console Sidebar to show it. You can very well use it to display contextually similar error messages putting them in groups.

Developer features and updates in Chrome 64

  • Animation for offset-path CSS property - Authors using CSS Motion Path can now animate the path that an element moves along by animating the offset-path property.
  • CSS transform-box - The transform-box property allows defining which reference box to use when computing transform and transform-origin. It currently only has an effect on SVG elements.
  • CSS4 text-decoration-skip-ink - CSS Text Decoration 4: property controls how overlines and underlines are drawn when they cross over a glyph. With the initial, default value "auto" decoration lines skip over where glyphs are drawn: interrupt the decoration line to let the shape of the text show through where the text decoration would otherwise cross over a glyph. The UA must also skip a small distance to either side of the glyph outline. To disable this behavior, use text-decoration-skip-ink: none.
  • Constructible & Subclassable EventTarget - Make EventTarget constructor callable, allowing them to be constructed on their own or be subclassed.
  • Deprecate and remove chrome.loadTimes - chrome.loadTimes() is a non-standardized API that enables collecting loading related metrics to understand performance in the real world. However the metrics there are now available as standardized APIs, so this API will be deprecated and removed.
  • Fetch API: Request.cache - A property which represents the cache mode of a Request. This feature includes RequestInit.cache which sets the property.
  • Fractional coordinates in PointerEvents of type mouse - Make the coordinates in PointerEvents of pointerType=mouse fractional, in order to include the full precision provided by the underlying platform.
  • Image Decode API: img.decode() - This change allows web developers to request to decode an img element. The call to a new HTML element’s decode() function returns a promise, which, when fulfilled, ensures that the image can be appended to the DOM without causing a decoding delay on the next frame.
  • Intl.NumberFormat.prototype.formatToParts() - Intl.NumberFormat.prototype.formatToParts() is scheduled to be added to the ECMAScript Internationalization API specification (Ecma 402). It adds a method to format a number to a list of tokens and their types (e.g. minusSign, integer, decimal, fraction, currency, percentSign, etc). It is implemented and disabled by default by Firefox. See also, the corresponding DateTimeFormat feature here.
  • Media preload defaults to metadata - Set the default preload value for video and audio elements to “metadata”. Note that the preload attribute's hint is still ignored when a MediaSource is attached to the media element.
  • Multiple Shadow Roots - Enable elements to host more than one Shadow Roots. Dropping this feature from the spec is the resolution at Web Components f2f meeting (link) This was deprecated in Chrome 45. Removal is anticipated in Chrome 64. This was deprecated in Chrome 45.
  • Network Information: saveData - The saveData attribute is a boolean that indicates a client’s explicit opt-in for reduced data usage, due to high transfer costs, slow connection speeds, or other reasons. It's use allows JavaScript to make decisions that result in reduced data use, such as to load smaller images and video resources, or reduce buffering or predictive actions. This is expected to be enabled by default in Chrome 65.
  • Notifications to be displayed in the platform's Notification Center - Most platforms ship with a notification center of their own - on mobile devices this may be more prominent than on desktops, but they do exist. We're in progress of moving notifications shown by Chrome to be included in those centers as well. - Android (shipped in Chrome 42) - Mac OS X (shipped in 59) - Linux (planned to ship in 64) - Windows (being prototyped) Other browsers already use native notification centers where available.
  • Prevent scrolling in HTMLElement.focus() - Adds an optional argument to existing focus APIs that disable the scroll triggered by focus.
  • RTCRtpSender - This feature tracks RTCPeerConnection methods getSenders(), addTrack(), removeTrack() and the essentials of interface RTCRtpSender.
  • RegExp named captures - Named captures for ECMAScript regular expressions allow developers to create and refer to named capture groups.
  • Remove getMatchedCSSRules - getMatchedCSSRules is a webkit-only API to get a list of all the style rules applied to a particular element. It has been deprecated since 2014.
  • Resize Observer - The Resize Observer API can be used to observe changes to size of Element's content rect.
  • Stop showing ads on websites that are not compliant with the Better Ads Standards. - Stop showing ads (including those owned or served by Google) on websites that are not compliant with the Better Ads Standards(link). Introduction to this feature.
  • Stronger popup blocker on sites with abusive experiences - On sites with very abusive experiences, Chrome will start enforcing a more aggressive popup blocker. This will invoke Chrome's popup blocking UI for new windows or tabs regardless of whether there is a user gesture.
  • Throw NotSupportedError when media playbackRate is unsupported - Throw a NotSupportedError DOM exception when a media element’s playbackRate is set to an unsupported value.
  • Unicode property escapes in regular expressions - The Unicode Standard assigns various properties and property values to every symbol. For example, to get the set of symbols that are used exclusively in the Greek script, search the Unicode database for symbols whose Script property is set to Greek. Unicode property escapes are a new type of escape sequence available in regular expressions that have the u flag set. They enable querying the Unicode database for certain properties and values. E.g. /\p{Script=Greek}/u.test('Ï€') === true
  • import.meta - The import.meta meta-property provides a host-defined object which exposes context-specific metadata to a JavaScript module (e.g. the enclosing module's URL or associated <script> element).
  • window.alert() will not activate parent page - If a document in a background tab calls window.alert() then the call to alert() will return immediately; the dialog will be shown to the user when they switch to the tab. A UI indicator will be set so the user is aware of the pending alert dialog. This removes the ability to use window.alert() to bring a tab to the front against the user’s will.

Bug fixes

High-threat bug fixes

  • CVE-2018-6031: Use after free in PDFium. Reported by Anonymous on 2017-11-01
  • CVE-2018-6032: Same origin bypass in Shared Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-20
  • CVE-2018-6033: Race when opening downloaded files. Reported by Juho Nurminen on 2017-12-09

Medium-threat bug fixes

  • CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein ( on 2017-11-12
  • CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
  • CVE-2018-6036: Integer underflow in WebAssembly. Reported by The UK's National Cyber Security Centre (NCSC) on 2017-11-30
  • CVE-2018-6037: Insufficient user gesture requirements in autofill. Reported by Paul Stone of Context Information Security on 2017-08-09
  • CVE-2018-6038: Heap buffer overflow in WebGL. Reported by cloudfuzzer on 2017-10-12
  • CVE-2018-6039: XSS in DevTools. Reported by Juho Nurminen on 2017-10-17
  • CVE-2018-6040: Content security policy bypass. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-26
  • CVE-2018-6041: URL spoof in Navigation. Reported by Luan Herrera on 2017-08-29
  • CVE-2018-6042: URL spoof in OmniBox. Reported by Khalil Zhani on 2017-10-12
  • CVE-2018-6043: Insufficient escaping with external URL handlers. Reported by 0x09AL on 2017-11-16
  • CVE-2018-6045: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
  • CVE-2018-6046: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-31
  • CVE-2018-6047: Cross origin URL leak in WebGL. Reported by Masato Kinugawa on 2018-01-08

Low-threat bug fixes:

  • CVE-2018-6048: Referrer policy bypass in Blink (reported by Jun Kokatsu).
  • CVE-2017-15420: URL spoofing in Omnibox (reported by Drew Springall).
  • CVE-2018-6049: UI spoof in Permissions (reported by WenXu Wu of Tencent's Xuanwu Labs).
  • CVE-2018-6050: URL spoof in OmniBox (reported by Jonathan Kew).
  • CVE-2018-6051: Referrer leak in XSS Auditor (reported by Antonio Sanso).
  • CVE-2018-6052: Incomplete no-referrer policy implementation (reported by Tanner Emek).
  • CVE-2018-6053: Leak of page thumbnails in New Tab Page (reported by Asset Kabdenov).
  • CVE-2018-6054: Use after free in WebUI (reported by Rob Wu).


Have fun cross-browser testing your apps with Chrome 64 and Browserling!