Good news! Chrome 65 was released today. We have also installed it on our machines, so it is ready to be used as a testing environment for your web apps. Its features are mostly oriented towards web developers. You will be happy to know that Chrome 65 features a lot of visual functionality (see details below). Here is a screenshot of the exact Chrome 65 version running in Browserling:

Chrome 65 Version

Try it yourself on-spot!

What's new in Chrome 65?

  • New extension UI.
  • The CSS Paint API allows you to programmatically generate an image.
  • The Server Timing API allows web servers to provide performance timing information via HTTP headers.
  • The new CSS display: contents property can make boxes disappear.
  • Fixed a bug that affected some timestamps.
  • The syntax for specifying HSL and HSLA, and RGB and RGBA coordinates for the color property now match the CSS Color 4 spec.
  • There's a new feature policy that allows you to control synchronous XHRs through an HTTP header or the iframe allow attribute.
  • Last version available for OS X 10.9.
  • A number of fixes and improvements.

For Android:

  • Set language preferences for web content in Settings > Languages.
  • Turn on the prompt for simplified view for all supported articles in Settings > Accessibility settings.
  • Share and delete downloads more easily on the Downloads page.
  • Disable screen capture in incognito mode.

For iOS:

  • Fixed a bug that affected some streaming audio players.
  • Stability and performance improvements.


CSS Paint API

With the CSS Paint API you can programmatically generate images for use in CSS properties like background-image and border-image. In a way, it is very similar to a canvas element: you use the new paint function to draw an image instead of referencing one.

  .myElem { background-image: paint(checkerboard); }

Server Timing API

With the new Server Timing API the server can pass timing information to the browser, which gives you a better picture of your performance. Before this you have probably used the navigation and resource timing APIs. Now the Server Timing API provides an easy way for the server to report its own performance timing. You can track as many metrics as you want (database read times, start-up time, or whatever is important to you) by adding a Server-Timing header to your response: 'Server-Timing': 'su=42;"Start-up",db-read=142;"Database Read"'. The metrics are shown in DevTools, but you can also pull them out of the response header and save them with your other performance analytics.

Chrome 65 Server Timing API
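
To pull the metrics out of the response header as described above, the header value has to be split into entries without breaking quoted descriptions. The parser below is an added example, not code from Chrome or from the original post; the function names are hypothetical. It goes beyond the syntax shown on this page and also accepts the `name;dur=…;desc="…"` form used by the current Server-Timing specification.

```javascript
// Added example. Split on a separator, but never inside a double-quoted string,
// so a description such as "Read, then decode" stays in one piece.
function splitOutsideQuotes(text, separator) {
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (ch === '\\' && inQuotes && i + 1 < text.length) {
      current += ch + text[++i]; // keep an escaped character with its backslash
    } else if (ch === separator && !inQuotes) {
      parts.push(current.trim());
      current = '';
    } else {
      if (ch === '"') inQuotes = !inQuotes;
      current += ch;
    }
  }
  parts.push(current.trim());
  return parts.filter((part) => part !== '');
}

// Strip surrounding quotes and resolve backslash escapes.
function unquote(s) {
  const quoted = s.length >= 2 && s.startsWith('"') && s.endsWith('"');
  return quoted ? s.slice(1, -1).replace(/\\(.)/g, '$1') : s;
}

// Header values are untrusted input: anything that is not a finite number becomes null.
const toDuration = (s) => (s.trim() !== '' && Number.isFinite(Number(s)) ? Number(s) : null);

function parseServerTiming(headerValue) {
  return splitOutsideQuotes(headerValue, ',').map((entry) => {
    const [first = '', ...params] = splitOutsideQuotes(entry, ';');
    const eq = first.indexOf('=');
    const metric = { name: first, duration: null, description: null };
    if (eq !== -1) { // syntax shown on this page: name=value;"description"
      metric.name = first.slice(0, eq);
      metric.duration = toDuration(first.slice(eq + 1));
    }
    for (const param of params) {
      const kv = /^(dur|desc)\s*=\s*(.*)$/i.exec(param);
      if (kv && kv[1].toLowerCase() === 'dur') metric.duration = toDuration(unquote(kv[2]));
      else if (kv) metric.description = unquote(kv[2]); // desc="..."
      else if (param.startsWith('"')) metric.description = unquote(param);
    }
    return metric;
  });
}
```

Descriptions come back as plain strings from a response header, so escape them before rendering them in a dashboard.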

display: contents

This is a new CSS property that, once added to a container element, makes its children take its place in the DOM, while the container itself essentially disappears. Some people call this a "CSS trick".

display: contents causes an element's children to appear as if they
were direct children of the element's parent, ignoring the element
itself. This can be useful when a wrapper element should be ignored
when using CSS grid or similar layout techniques.

Source: caniuse display: contents

Developer features and updates in Chrome 65

Bug fixes

High-threat bug fixes

  • CVE-2017-11215: Use after free in Flash. Reported by JieZeng of Tencent Zhanlu Lab on 2017-08-25
  • CVE-2017-11225: Use after free in Flash. Reported by JieZeng of Tencent Zhanlu Lab on 2017-08-25
  • CVE-2018-6060: Use after free in Blink. Reported by Omair on 2017-11-02
  • CVE-2018-6061: Race condition in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2017-12-12
  • CVE-2018-6062: Heap buffer overflow in Skia. Reported by Anonymous on 2017-10-31
  • CVE-2018-6057: Incorrect permissions on shared memory. Reported by Gal Beniamini of Google Project Zero on 2017-11-30
  • CVE-2018-6063: Incorrect permissions on shared memory. Reported by Gal Beniamini of Google Project Zero on 2017-12-07
  • CVE-2018-6064: Type confusion in V8. Reported by lokihardt of Google Project Zero on 2018-01-03
  • CVE-2018-6065: Integer overflow in V8. Reported by Mark Brand of Google Project Zero on 2018-02-01

Medium-threat bug fixes

  • CVE-2018-6066: Same Origin Bypass via canvas. Reported by Masato Kinugawa on 2018-01-05
  • CVE-2018-6067: Buffer overflow in Skia. Reported by Ned Williamson on 2017-10-30
  • CVE-2018-6068: Object lifecycle issues in Chrome Custom Tab. Reported by Luan Herrera on 2018-01-04
  • CVE-2018-6069: Stack buffer overflow in Skia. Reported by Wanglu & Yangkang(@dnpushme) of Qihoo360 Qex Team on 2018-01-08
  • CVE-2018-6070: CSP bypass through extensions. Reported by Rob Wu on 2016-11-25
  • CVE-2018-6071: Heap buffer overflow in Skia. Reported by Anonymous on 2017-10-23
  • CVE-2018-6072: Integer overflow in PDFium. Reported by Atte Kettunen of OUSPG on 2017-12-01
  • CVE-2018-6073: Heap buffer overflow in WebGL. Reported by Omair on 2018-01-20
  • CVE-2018-6074: Mark-of-the-Web bypass. Reported by Abdulrahman Alqabandi (@qab) on 2018-02-06
  • CVE-2018-6075: Overly permissive cross origin downloads. Reported by Inti De Ceukelaire on 2016-05-03
  • CVE-2018-6076: Incorrect handling of URL fragment identifiers in Blink. Reported by Mateusz Krzeszowiec on 2017-08-24
  • CVE-2018-6077: Timing attack using SVG filters. Reported by Khalil Zhani on 2017-10-26
  • CVE-2018-6078: URL Spoof in OmniBox. Reported by Khalil Zhani on 2017-12-10
  • CVE-2018-6079: Information disclosure via texture data in WebGL. Reported by Ivars Atteka on 2017-11-24
  • CVE-2018-6080: Information disclosure in IPC call. Reported by Gal Beniamini of Google Project Zero on 2017-12-05

Low-threat bug fixes

  • CVE-2018-6081: XSS in interstitials. Reported by Rob Wu on 2017-12-24
  • CVE-2018-6082: Circumvention of port blocking. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-09-21
  • CVE-2018-6083: Incorrect processing of AppManifests. Reported by Jun Kokatsu (@shhnjk) on 2017-10-04


Have fun cross-browser testing your code in Chrome 65 and see you next time!