Today, Google released the 90th version of its Chrome browser. We just installed it on our browser cloud and you can already start testing in it. In this post, we'll summarize the latest features in this new browser version.

Chrome 90 Version

What's New in Chrome 90

  • A new value for the CSS overflow property.
  • The Feature Policy API has been renamed to Permissions Policy.
  • A new way to implement and use Shadow DOM directly in HTML.
  • Chrome's address bar now uses https:// by default.
  • AV1 encoder that is specifically optimized for video conferencing with WebRTC integration.
  • Removal of Content Security Policy directive plugin-types.
  • Removal of WebRTC RTP data channels.
  • Return of empty for navigator.plugins and navigator.mimeTypes.
  • And as always, a number of tiny fixes and improvements.

Detailed Changes in Chrome 90

  • AV1 Encoder - This feature ships an AV1 encoder in Chrome desktop, specifically optimized for video conferencing with WebRTC integration. AV1 encode is requested by a number of RTC applications, including Duo, Meet, and Webex. The primary benefits of AV1 are better compression, better quality on low bandwidth connections, efficient screen sharing compared to VP9 and other codecs.
  • AbstractRange superclass - The bits shared between StaticRange and Range objects are put on a shared superclass named AbstractRange.
  • Add support for CSS properties "overflow: clip" and "overflow-clip-margin" - Adds two CSS features. The 'clip' value results in a box's content being clipped to the box's overflow clip edge. In addition, no scrolling interface is provided, and the content can not be scrolled by the user or programmatically. The overflow-clip-margin property enables specifying how far outside the bounds an element is allowed to paint before being clipped.
  • Block HTTP port 554 - Connections to HTTP, HTTPS or FTP servers on port 554 will fail. This is a mitigation for the NAT Slipstream 2.0 attack. It helps developers by keeping the web platform safe for users.
  • CSS aspect-ratio interpolation - The aspect-ratio property allows automatically computing the other dimension if only one of width and height is specified on any element. This property was originally launched as non-interpolable (meaning that it would snap to the target value) when animated.
  • Clipboard: read-only files support - This proposes to expose read-only files on the clipboard to renderers using a similar approach to drag-and drop. Renderers will have access to read file paths from the clipboard, but not write paths to the clipboard. For file paths on the clipboard, renderers will have read-only access.
  • Custom state pseudo class - The feature lets custom elements expose their states via the :state() CSS pseudo class.
  • Declarative Shadow DOM - A declarative API to allow the creation of #shadowroot's using only HTML and no Javascript.
  • Protect application/x-protobuffer via Cross-Origin-Read-Blocking - Protect application/x-protobuffer from speculative execution attacks by adding it to the list of never sniffed MIME types used by Cross-Origin-Read-Blocking. The application/x-protobuf is already protected as a never sniffed mime type and it's another commonly used MIME type that is defined as an "ALT_CONTENT_TYPE" by the protobuf library.
  • Read Chrome device attributes - Device Attributes Web API is a subset of Device Web API, that provides to web applications the capability to query device information (device ID, serial number, location, etc).
  • Remove Content Security Policy directive 'plugin-types' - The directive 'plugin-types' allows developer to restrict which types of plugin can be loaded via <embed> or <object> html elements. The main point was to allow developer to block Flash in their pages. But Flash support has been discontinued, so there is not much point in this anymore.
  • Remove WebRTC RTP data channels - Removes support for the non-standard RTP data channels in WebRTC. Users should use the standard SCTP-based data channels instead.
  • Remove clamping of setTimeout(fn, 0) - Calls to setTimeout(fn, 0) were previously clamped to a 1 ms timeout, instead of resulting in a callback as soon as possible.
  • Seeking past the end of a file in the File System Access API - Rather than rejecting when trying to write past the end of a file, require extending a file with some number of 0x00 (NUL) bytes instead. This enables creating sparse files and greatly simplifies saving content to a file when the data to be written is received out of order.
  • StaticRange constructor - Currently, Range is the only constructible range type available to web authors. However, Range objects are "live" and maintaining them can be expensive. For every tree change, all affected Range objects need to be updated. StaticRange objects are not live and represent a lightweight range type that is not subject to the same maintenance cost as Range. By making StaticRange constructible, we will allow web authors to use them for ranges that do not need to be updated on every DOM tree change.
  • Support specifying width/height on <source< elements for <picture< - This feature allows specifying a width and height on <source> elements that are used in <picture>, which allows the image to compute an aspect ratio from these attributes.
  • New restrictions for file URLs - Aligns behavior with the standard in edge cases when changing the URL protocol to or from "file". Previously, attempting to change the protocol of a URL with credentials or a port to "file" would lead to an invalid URL. Similarly, attempting to change a URL with no host from "file" to "http" would lead to an invalid URL. Now the invalid change will be ignored for consistency with other browsers. This affects the "protocol" attribute on the URL API, location, and <a> and <area> elements.
  • Use focus-visible in the default UA style sheet - Change the Chromium default UA style sheet to use :focus-visible instead of :focus pseudo-class to paint the focus indicator (outline). This will avoid that elements show a focus indicator (because they're focused and match :focus) while they don't match :focus-visible.
  • WebAssembly Exception Handling - This feature is adding exception support to WebAssembly. Exception handling allows code to break control flow when an exception is thrown. The exception can be any exception known by the WebAssembly module, or it may be an unknown exception that was thrown by a called imported function.
  • OscillatorOptions.periodicWave in WebAudio is not nullable - It is no longer possible to set the periodicWave member of OscillatorOptions to null. The WebAudio spec doesn't allow this, so we're aligning Chrome with the spec and also Firefox, which has implemented this correctly for 4 years.
  • WebXR AR Lighting Estimation - Allows sites to query for estimates of the environmental lighting conditions within WebXr sessions. This exposes both spherical harmonics representing the ambient lighting, as well as a cubemap texture representing "reflections". Adding Lighting Estimation can help to make your models feel more natural and like they "fit" better with the user's environment. This can make them feel more "real" or "natural".
  • WebXR Depth API - The Depth API is an extension to WebXR Device API that allows applications access to depth buffer information that conveys information about the user's environment, with primary focus on Augmented Reality scenarios. By leveraging the depth API, web applications could offer more immersive AR experiences to their users.

Security Fixes in Chrome 90 Release

  • High CVE-2021-21201: Use after free in permissions (reported by Gengming Liu and Jianyu Chen).
  • High CVE-2021-21202: Use after free in extensions (reported by David Erceg).
  • High CVE-2021-21203, 21204: Use after free in Blink (reported by Asnine, Chelse Tsai-Simek, Jeanette Ulloa, and Emily Voigtlander).
  • High CVE-2021-21205: Insufficient policy enforcement in navigation (reported by Alison Huffman).
  • High CVE-2021-21221: Insufficient validation of untrusted input in Mojo (reported by Guang Gong of Alpha Lab).
  • Medium CVE-2021-21207: Use after free in IndexedDB (reported by Koocola and Nan Wang).
  • Medium CVE-2021-21208: Insufficient data validation in QR scanner (reported by Ahmed Elsobky).
  • Medium CVE-2021-21209: Inappropriate implementation in storage (reported by Tom Van Goethem).
  • Medium CVE-2021-21210: Inappropriate implementation in Network (reported by Bananabr).
  • Medium CVE-2021-21211: Inappropriate implementation in Navigation (reported by Akash Labade).
  • Medium CVE-2021-21212: Incorrect security UI in Network Config UI (reported by Hugo Hue and Sze Yiu Chau).
  • Medium CVE-2021-21213: Use after free in WebMIDI (reported by Raven).
  • Medium CVE-2021-21214: Use after free in Network API (reported by Anonymous).
  • Medium CVE-2021-21215, 21216: Inappropriate implementation in Autofill (reported by Abdulrahman Alqabandi).
  • Low CVE-2021-21217, 21218, 21219: Uninitialized Use in PDFium (reported by Zhou Aiting).

Have fun cross-browser testing in Chrome 90!