We are more than happy to announce that Chrome 70 was released today. This very new Chrome version was imediatelly installed on our cross-browser testing platform and you can start testing your webapps in it already!

Chrome 70 About Dialog

Try it right now in our browser cloud:

What's new in Chrome 70?

  • Desktop Progressive Web Apps on Windows.
  • The credential management API adds support for Public Key Credentials.
  • Named workers.
  • Web Bluetooth is now available in Windows 10.
  • Chrome can send intervention and deprecation messages to your servers using the Report-To HTTP Response header field or surface them in the ReportingObserver interface.
  • Support for AV1 video decoder.
  • A bunch of tiny speed and ui/ux improvements.
  • A number of important deprecations.

For Android:

  • "Stability and performance improvements."
  • Cleaner, more modern design.

For iOS:

  • Bug fixes and design polish for the redesign.
  • Updates to how Chrome launches other apps to improve reliability and security.
  • Fixes to authentication issues caused by using out-of-date cookies.

Progressive Web Apps on Windows and Linux

Do you know what the term "browserification" would mean? We think it would mean this. You can now install "progressive web apps" on the desktop and run them just like you run all other installed apps. They page will appear without address bar or tabs. The service workers are there for you to ensure that those apps are fast. They will very much resemble desktop apps.

chrome-70-spotify-on-windows

Public Key Credentials

The Credential Management API simplifies user sign in more than ever. This API allows your sites to interact directly with the browser's credential manager or federated account services like Google and Facebook to sign. Chrome now supports third type of credential "called Public Key Credential", which is there to allow web applications to utilize strong cryptographically attested, and application-scoped credentials to strongly authenticate users, including fingerprint identification.

Named workers

Workers are an easy way to move JavaScript from the main thread to the background to maintain responsiveness, keeping your site interactive as the main thread won't freeze when some heavy computations are running in it. In this release, workers now can have a name. With the name attribute which is specified by an optional argument on the constructor.

const url = '/scripts/my-worker.js';

const wNYC = new Worker(url, {name: 'NewYork'});

const oSF = {name: 'SanFrancisco'};
const wSF = new Worker(url, oSF);

This lets you distinguish dedicated workers by name when you have multiple workers with the same URL. You can also print the name in the DevTools console, making it much easier to know which worker you’re debugging!

New Developer Features in Chrome 70

  • 'name' attribute for dedicated workers - This feature allows specifying the worker’s name in an optional constructor argument. This lets you distinguish dedicated workers by name when you have multiple workers with the same URL. Developers can print ‘name’ in the DevTools console which will make it easier to debug workers. When the ‘name’ param is omitted, an empty string is used as the default value.
  • AV1 Decoder - AV1 is a next generation codec developed by the Alliance for Open Media. AV1 improves compression efficiency by 30% over the current state-of-the-art video codec, VP9. The AV1 decoder will be added to Chrome Desktop x86 devices (Windows, macOS, Linux, Chrome OS) based on the official bitstream specification. At this time, support is limited to “Main” profile 0 and does not include encoding capabilities. The supported container is ISO-BMFF (MP4).
  • CSS logical flow relative values and box model properties - Complete support for the following sections of CSS Logical Properties and Values spec: 2. Flow-Relative Values: block-start, block-end, inline-start, inline-end, 4. Flow-Relative Box Model Properties (except 4.6 Four-Directional Shorthand Properties: the margin, padding, border-width, border-style, and border-color shorthands).
  • Custom Elements V0 - Method for registering (creating) custom elements in script. V0 is deprecated at M70, and will be removed in M73, around, April 2019. The spec is superceded by Custom Elements V1 and Blink is the only engine that implements V0 APIs.
  • Deprecate and remove navigator.getGamepads().item(index) - This change deprecates and removes the legacy item() accessor method for the array of Gamepads returned by navigator.getGamepads(). This change improves compatibility with Firefox which is so far the only browser to implement GamepadList.
  • Displaying a dialog will cause pages to lose fullscreen - Dialogs (e.g. authentication prompts, payments, filepickers) require proper context for users to make decisions. Fullscreen, by definition is immersive, and removes the context that a user needs to make a decision. Therefore, whenever a page causes a dialog to be shown, that page will lose any HTML5 fullscreen that it has entered.
  • HTML Imports - Import HTML documents into other HTML documents. HTML Imports are deprecated at M70, and will be removed in M73, around, April 2019.
  • Intervention Reports - An intervention is when a user agent does not honor an application request for security, performance, or annoyance reasons. With this change, Chrome will both send the report to your servers using the Report-To HTTP Response header field and surface the report in the ReportingObserver interface.
  • Options dictionary for postMessage methods - An optional PostMessageOptions object is being added to the postMessage() function for 6 of the 7 interfaces where it’s supported, specifically, DedicatedWorkerGlobalScope, Worker, ServiceWorker, ServiceWorker, and Window. This gives the function a similar interface on its definitions and allows it to be extended in the future. Since broadcastChannel.postMessage() doesn't take additional arguments (such as transfer) it is not being changed.
  • Picture-in-Picture (PiP) - The Picture-in-Picture API allows websites to create a floating video window that is always on top of other windows so that users may continue consuming media while they interact with other sites or applications on their device. This change only applies to <video> elements.
  • Priority Hints - Priority Hints provide developers a way to indicate a resource's relative importance to the browser, allowing more control over the order resources are loaded. Many factors influence a resource's priority in browsers. These include type, visibility, and preload status of a resource. Priority Hints introduces a developer-set "importance" attribute allowing developers to influence the computed priority of a resource. Supported importance values are auto, low, and high.
  • RTCPeerConnection.getConfiguration() - This change implements getConfiguration() according to the WebRTC 1.0. Specifically it returns the last configuration applied via setConfiguration(), or if setConfiguration() hasn't been called, the configuration the RTCPeerConnection was constructed with.
  • Remove AppCache from non-secure contexts - AppCache is now removed from insecure contexts. AppCache is a powerful feature that allows offline and persistent access to an origin, which is a powerful privilege escalation for an XSS. This will remove that attack vector by only allowing it over HTTPS. This feature was deprecated in Chrome 67.
  • Remove HTMLFrameSetElement's anonymous getter. - Deprecate and remove HTMLFrameSetElement's anonymous getter which is non-standard.
  • Remove OS build number from user-agent string - The OS build number (for example, “NJH47F” or “OPM4.171019.021.D1” on Android) has been removed from the user-agent identification (User-Agent header and navigator.userAgent) on Android and on iOS. The iOS change follows Safari's implementation and freezes the build number as "15E148" instead of removing it. This will prevent abuses of that information such as exploit targeting and fingerprinting. It'll also bring Chrome closer in line with RFC 7231 section 5.5.3.
  • Shadow DOM v0 - Chrome and other browsers implemented the new version. V0 is deprecated at M70, and will be removed in M73, around, April 2019. If you are still using this consider migrating to the new API or upgrading your Polymer library. Use --disable-blink-features=ShadowDOMV0 for testing if your site works without Shadow DOM V0 APIs.
  • Shape Detection API - Photos and images constitute the largest chunk of the Web, and many include recognisable features, such as human faces, text, or QR codes. Detecting these features is computationally expensive, but, particularly on mobile devices, hardware manufacturers have long been supporting these features. This API allows accessing hardware-accelerated detectors where available. This is expected to be in origin trials in Chrome 70.
  • Support Opus in mp4 (ISO-BMFF) with Media Source Extensions (MSE) - Opus is an audio codec already supported by the HTML5 src attribute on elements. This applies to mp4, ogg, and webm containers as well as in webm containers using Media Source Extensions. This change adds support for the Opus codec in the mp4 container to MSE.
  • Support codec and container switching with MSE using SourceBuffer.changeType() - This change adds the SourceBuffer.changeType() method to improve cross-codec or cross-bytestream transitions during playback with Media Source Extensions.
  • Support for Touch ID as a platform authenticator via the Web Authentication API - This feature is a built-in Web Authentication/CTAP platform authenticator for Chrome on macOS based on the Touch ID fingerprint sensor and secure element in Macbook Pros with Touch bars. It allows users to use Touch ID for 2-factor authentication on sites that implement this via the Web Authentication API.
  • Symbol.prototype.description - A description property is being added to Symbol.prototype. This provides a more ergonomic way of accessing the description of a Symbol. Previously, the description could be only be accessed indirectly through the Symbol.protoype.toString().
  • TLS 1.3 - TLS 1.3 is an overhaul of the TLS protocol with a simpler, less error-prone design that improves both efficiency and security. The new design reduces the number of round-trips required to establish a connection and removes legacy insecure options, making it easier to securely configure a server. It additionally encrypts more of the handshake and makes the resumption mode more resilient to key compromise.
  • The <rp> element defaults to display:none - The default style of the element is changed to "display:none" instead of "display:inline" even if it is not inside the element as defined in HTML specification. This behavior is implemented in the UA style sheet, but the web author can override it. Behavior in other browsers: Edge: display:inline (outside ), display:none (inside <ruby>), Firefox: display:none, Safari: display:inline, display:none (inside <ruby>)
  • *The ontouch APIs default to disabled on desktop* - To avoid confusion on touch feature detection, ontouch members on window, document, and element are disabled by default on desktop devices (Mac, Windows, Linux, ChromeOS). Note that this is not disabling touches, and usage such as addEventListener("touchstart", ...) is not being affected.
  • Update behavior of CSS Grid Layout percentage row tracks and gutters - This updates the behavior of percentage row tracks and gutters in grid containers with indefinite heights. Previously, these were behaving similarly to percentage heights in regular blocks, but the CSS WG has resolved to make them behave the same as for columns, making them symmetric. Percentages are now ignored when computing intrinsic height and resolved afterwards against that height. That way both column and row axes will have symmetric behavior to resolve percentages tracks and gutters.
  • WebAssembly Worker Based Threads - The WebAssembly Threads feature allows multiple WebAssembly instances in separate Web Workers to share a single WebAssembly.Memory object. As with SharedArrayBuffers in JavaScript, this allows very fast communication between the Workers. This can be used to offload computation to another thread to keep the main thread and its UI responsive.
  • WebUSB on Dedicated Workers - WebUSB is enabled inside dedicated worker contexts. This allows developers to perform heavy I/O and processing of data from a USB device on a separate thread to reduce the performance impact on the main thread.

Bug fixes in Chrome 70

  • High CVE-2018-17463: Remote code execution in V8. Reported by Samuel Gross working with Beyond Security's SecuriTeam Secure Disclosure program.
  • High CVE-2018-17464: URL spoof in Omnibox. Reported by xisigr of Tencent's Xuanwu Lab.
  • High CVE-2018-17465: Use after free in V8. Reported by Lin Zuojian.
  • High CVE-2018-17466: Memory corruption in Angle. Reported by Omair.
  • Medium CVE-2018-17467: URL spoof in Omnibox. Reported by Khalil Zhani.
  • Medium CVE-2018-17468: Cross-origin URL disclosure in Blink. Reported by James Lee of Kryptos Logic.
  • Medium CVE-2018-17469: Heap buffer overflow in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team.
  • Medium CVE-2018-17470: Memory corruption in GPU Internals. Reported by Zhe Jin?Luyao Liu from Chengdu Security Response Center.
  • Medium CVE-2018-17471: Security UI occlusion in full screen mode. Reported by Lnyas Zhang.
  • Medium CVE-2018-17472: iframe sandbox escape on iOS. Reported by Jun Kokatsu.
  • Medium CVE-2018-17473: URL spoof in Omnibox. Reported by Khalil Zhani.
  • Medium CVE-2018-17474: Use after free in Blink. Reported by Zhe Jin, Luyao Liu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.
  • Low CVE-2018-17475: URL spoof in Omnibox. Reported by Vladimir Metnew.
  • Low CVE-2018-17476: Security UI occlusion in full screen mode. Reported by Khalil Zhani.
  • Low CVE-2018-5179: Lack of limits on update() in ServiceWorker. Reported by Yannic Bonenberger.
  • Low CVE-2018-17477: UI spoof in Extensions. Reported by Aaron Muir Hamilton.
  • Heap buffer overflow in Little CMS in PDFium. Reported by Quang Nguyen.

Happy cross-browser testing in Chrome 70!