In the last couple of days Chrome 67 was released for Windows, Linux, iOS and for Android. We just enabled auto-update via "Help > About Chrome" on our browser cloud and deployed this new version to all our users.

Chrome 67 Version

Try it yourself here!

What's new in Chrome 67?

The most notable features are as follows:

  • Progressive Web Apps are coming to the desktop.
  • The generic sensor API makes it way easier to get access to device sensors like the accelerometer, gyroscope and more.
  • BigInt's make dealing with big integers way easier.
  • Credential Management API provides a framework for creating, retrieving and storing credentials.
  • The Web Authentication API adds a third credential type, PublicKeyCredential, which allows browsers to authenticate a user with a private/public key pair generated by an authenticator.
  • A number of fixes and improvements.

For iOS:

  • Improved handling of boarding passes, movie tickets, etc. in Wallet.
  • Updated app selection UI when you tap on an email link.
  • Improved support for external keyboards.
  • Improved issue reporting: now you can draw on screenshots you are sending with feedback reports to obscure private data.
  • A fix has been provided for autofill issue.

Desktop PWAs

The so anticipated Progressive Web Apps on the Desktop are becoming reality. In fact they are already available in Chrome OS and soon, they will be available in Windows and Mac as well. The sudden emphasis on desktop application usage may seem weird at first, since mobile application usage grows rapidly, but experts claim that desktop application usage grows too.

Chrome 67 PWA

Generic Sensor API

Thanks to the Generic Sensor API Chrome 67 now supports access to device sensors like accelerometer, gyroscope, orientation sensor, and motion sensor. This extends the opportunity to create more realistic games and experiences like Virtual Reality or Augmented Rality. Intel already has put together several demos and a sample code, and they’ve also updated the Sensors for the Web! post from September with everything you need to know which might turn handy. The API consists of a base Sensor interface with a set of concrete sensor classes built on top. It is very easy to use! Take a look at how tiny is the gyro class:

const sensor = new Gyroscope({frequency: 500});

sensor.onreading = () => {
    console.log("X-axis " + sensor.x);    
    console.log("Y-axis " + sensor.y);    
    console.log("Z-axis " + sensor.z);


BigInts are a new numeric primitive in JavaScript that can represent integers with arbitrary precision. Large integer IDs and high-accuracy timestamps can’t be safely represented as Numbers in JavaScript, which often leads to real-world bugs (because of which we often end up representing such numbers as strings instead). With BigInts, we can safely store and perform integer arithmetic without overflowing.

Developer features and updates in Chrome 67

  • 'formdata' event - The 'formdata' event enables any objects to provide form data. It helps avoid creating representing application state, or making submittable custom elements.
  • -webkit-box-flex-group, -webkit-box-lines, % values of -webkit-line-clamp - -webkit-box-flex-group - This property has virtually zero usage based on the UseCounter on stable. % values of -webkit-line-clamp - There is interest in finding a standards based solution to the number values usecase, but we haven’t seen demand for the %-based values. -webkit-box-lines - This property was never fully implemented. It was originally intended such that a “vertical”/”horizontal” -webkit-box can have multiple rows/columns.
  • <foreignObject> will be a stacking context - SVG2 specifies that <foreignObject> to be a stacking context (*). Previously, Chrome did not follow the SVG2 spec. Making <foreignObject> a stacking context allows developers to place HTML content underneath a <foreignObject> without confusion. For example, it wouldn't make much sense to place content at z-index:1 above the containing SVG. Gecko and Edge already implement this behavior.
  • Accept-CH-Lifetime support for requesting client hints - Client Hints enables user agents to provide device-specific preferences in the HTTP request headers. Accept-CH-Lifetime adds a client hint that allow origins to persist their opt-in policy for a specified period so they can receive client hints on main frame requests. Additionally, on the first page load, this feature provides hints for all subresources of the page. This is expected to be enabled by default in Chrome 67.
  • BigInt: arbitrary-precision integers - JavaScript gets a new numeric primitive that provides support for arbitrary-precision integers. Numbers in JavaScript are represented as double-precision floats, giving them limited precision. BigInts, on the other hand, can safely store and operate on large integers even beyond the safe integer limit for Numbers.
  • Boolean return value of DOMTokenList replace() - The DOM specification was updated so that DOMTokenList replace() returns a boolean value. This is useful for code which takes different paths depending on whether a replacement occurred, avoiding the need for an extra condition using contains().
  • CSS Selectors 4 Pseudo-Class :focus-visible - The :focus-visible pseudo-class makes it easier for developers to create focus styles that appropriately match the user's input modality. It is designed to help prevent a common anti-pattern where developers remove focus outlines for mouse users, and inadvertently make their sites inaccessible to keyboard users.
  • Cross-Origin Read Blocking (CORB) - Cross-Origin Read Blocking (CORB) is an algorithm that can identify and block dubious cross-origin resource loads in web browsers before they reach the web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks like Spectre.
  • Customized built-in elements - Authors can now create custom elements which inherit from the semantics of native, built-in elements. This is helpful when web authors want to add features to their custom elements, but they cannot be implemented in CSS or JavaScript though the features are available in built-in elements.
  • Fixes to modifier flags on AltGraph-shifted keydown/keypress/keyup events under Windows. - In Windows the right-hand Alt key serves as AltGraph (ISO-Level-3-Shift) on some layouts (for example, many European language layouts), to allow generating additional printable characters. Internally the key generates Ctrl+Alt modifiers, so that Chrome reports all of Control, Alt and AltGraph in the flags for these keys. In this change, Chrome distinguishes AltGraph from Ctrl+Alt under Windows for consistency with modifiers on other platforms. See the comments for how this helps developers.
  • Motion sensors APIs based on Generic Sensor API - Motion sensors extends the Generic Sensor API to expose a set of low-level and fusion sensors. This feature includes JS interfaces representing accelerometers, linear acceleration sensors, gyroscopes, absolute orientation sensors and relative orientation sensors.
  • RTCRtpSender/RTCRtpReceiver.getStats and RTCPeerConnection.getStats(MediaStreamTrack?) - New WebRTC implementations provided a filtered view of the statistics returned by getStats() in RTCRtpSender, RTCRtpReceiver, and RTCPeerConnection, returning only stats that are relevant to the sender, receiver, or track. This change adds convenience for developers by requiring less code for filtering. Because this is based on the spec it increases cross-browser compatibility.
  • Send mouse back/forward buttons to javascript - Web pages can now process mouse events (mousedown, auxclick, mouseup) for back and forward buttons on mice with five or more buttons. This allows back and forward mouse buttons to be prevented by applications that wish to override them. For example they may be useful for games.
  • Slots in a flat tree - The <slot> element can now participate in a flat (layout) tree, with UA style: display: contents. Before this change, applying a CSS selector to a <slot> element had no effect. Not only is this fixed, when selectors are applied to a <slot> element, it's children inherit its styles.
  • Streams API: TransformStream - TransformStream is part of the Streams API for creating, composing, and consuming streams of data. It enables transforming data in stream form. It is typically used in a pipe between a ReadableStream and a WritableStream.
  • User Activation v2 - Browsers control access to "abusable" of APIs (e.g. opening popups or vibrating) through user activation (or "user gesture"). However, the web exposed behavior vary widely among major browsers. To unify the web, this feature defines a new user activation model that is simple enough for cross-browser implementation. The main changes introduced by this model are: (a) there is no concept of token passing, and (b) activation visibility changes from stack-scoped to frame-scoped.
  • Web Authentication API for Chrome - The Credential Management API (Chrome 51 and later) defined a framework for retrieving credentials, including semantics for creating, getting, and storing them. It did this through two credential types: PasswordCredential and FederatedCredential. The Web Authentication API adds a third credential type, PublicKeyCredential, which allows web applications to create and use strong, cryptographically attested, and application-scoped credentials to strongly authenticate users.
  • WebXR Device API - Provides access to input and output capabilities commonly associated with Virtual Reality (VR) and Augmented Reality (AR) functionality. This API is intended to completely replace the WebVR API. It has been designed to address the issues found in the prior API based on developer, web platform, hardware manufacturer, and implementer feedback. An origin trial is expected to start in Chrome 67.

Bug fixes in Chrome 67

High-threat bug fixes:

  • CVE-2018-6123: Use after free in Blink. Reported by Looben Yang on 2018-04-22
  • CVE-2018-6124: Type confusion in Blink. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-07
  • CVE-2018-6125: Overly permissive policy in WebUSB. Reported by Yubico, Inc on 2018-03-05
  • CVE-2018-6126: Heap buffer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-05-18
  • CVE-2018-6127: Use after free in indexedDB. Reported by Looben Yang on 2018-05-15
  • CVE-2018-6128: uXSS in Chrome on iOS. Reported by Tomasz Bojarski on 2018-05-09
  • CVE-2018-6129: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-01
  • CVE-2018-6130: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-04-30
  • CVE-2018-6131: Incorrect mutability protection in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-27

Medium-threat bug fixes:

  • CVE-2018-6132: Use of uninitialized memory in WebRTC. Reported by Ronald E. Crane on 2018-05-04
  • CVE-2018-6133: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-28
  • CVE-2018-6134: Referrer Policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-12-23
  • CVE-2018-6135: UI spoofing in Blink. Reported by Jasper Rebane on 2018-03-19
  • CVE-2018-6136: Out of bounds memory access in V8. Reported by Peter Wong on 2018-04-12
  • CVE-2018-6137: Leak of visited status of page in Blink. Reported by Michael Smith ( on 2018-04-21
  • CVE-2018-6138: Overly permissive policy in Extensions. Reported by François Lajeunesse-Robert on 2018-02-08
  • CVE-2018-6139: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-24
  • CVE-2018-6140: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-01
  • CVE-2018-6141: Heap buffer overflow in Skia. Reported by Yangkang(@dnpushme) & Wanglu of Qihoo360 Qex Team on 2017-12-19
  • CVE-2018-6142: Out of bounds memory access in V8. Reported by Choongwoo Han of Naver Corporation on 2018-04-28
  • CVE-2018-6143: Out of bounds memory access in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-15

Low-threat bug fixes:

  • CVE-2018-6144: Out of bounds memory access in PDFium. Reported by pdknsk on 2018-04-02
  • CVE-2018-6145: Incorrect escaping of MathML in Blink. Reported by Masato Kinugawa on 2018-01-25
  • CVE-2018-6147: Password fields not taking advantage of OS protections in Views. Reported by Michail Pishchagin (Yandex) on 2018-03-02


Have fun cross-browser testing with Chrome 67 and Browserling!