Google has launched Chrome 63 for Windows, Mac, and Linux. Additions in this release include dynamic module imports, async iterators and generators, and the Device Memory API, among other developer features. You can update to the latest version now using the browser’s built-in silent updater or download it directly from google.com/chrome.
Chrome is arguably more than a browser. With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.
First up, the addition of dynamic module imports means the import(specifier) syntax now allows developers to dynamically load code into modules and scripts at runtime. This can be used for lazy-loading a script only when it’s needed — importing JavaScript modules was completely static until now, meaning developers could not import modules based on runtime conditions.
Async generator functions can help developers streamline the consumption or implementation of streaming data sources, while async iterators can be used in for loops and also to create custom async iterators through async iterator factories. This should lead to more elegant code — see the async iteration proposal for more information.
Chrome 63 also implements the Device Memory API, which helps developers create one user experience that can work across all devices. This new API uses the total RAM on a user’s machine to provide insights into device constraints and tailors content at runtime in accordance with hardware limitations. Developers can use it to serve a “lite” app to users on low-end devices or to add context to metrics, such as the amount of time a task takes to complete in JavaScript.
Developers will also want to know that Chrome 63 includes an update to the V8 JavaScript engine: version 6.3. You can expect speed improvements, slightly lower memory consumption, and new ECMAScript language features. Check out the summary of API changes for more information.
Chrome 63 was supposed to add a new option to completely disable audio for individual sites. It doesn’t appear to be included for whatever reason, but we’ll update you if that changes.
Other developer features in this release (some are mobile-specific):
- To improve interoperability, a TypeError is now thrown for EventTarget.addEventListener and removeEventListener when the callback passed is not an EventListener, null, or undefined.
- Developers can now make pixel-level adjustments using the new Q length unit, which is especially useful on small viewports.
- Developers can now prevent apps from using Chrome’s pull-to-refresh feature or create custom effects using overscroll-behavior, which allows changing the browser’s behavior once the scroller has reached its full extent.
- font-variant-east-asian is now supported, allowing developers to control the usage of alternate glyphs for East Asian languages like Japanese and Chinese.
- To improve interoperability, Chrome will fire beforeprint and afterprint events as part of the printing standard, allowing developers to annotate the printed copy and edit the annotation after the printing command is done executing.
- Using Promise.prototype.finally, a callback can now be registered to be invoked after a Promise has been fulfilled or rejected.
- The Intl.PluralRules API allows developers to build applications that understand pluralization of a given language by indicating which plural form applies for a given number and language.
- MediaStreamTrack.applyConstraints() is now supported for local video MediaStreamTracks, including tracks obtained from getUserMedia(), capture from media elements or screen capture.
- Version 2 of the NT LAN Manager (NTLM) API is now shipped, enabling applications to authenticate remote users and provide session security when requested by the application.
- Thanks to contributions from engineers at Intel, an Origin Trial is now available that exposes the following sensors via the new Generic Sensors API syntax: Accelerometer, LinearAccelerationSensor, Gyroscope, AbsoluteOrientationSensor, and RelativeOrientationSensor.
- The localStorage and sessionStorage APIs now use getItem() rather than an anonymous getter, so attempting to access a key using getItem() will now return null rather than undefined. Thanks to Intel for the contribution!
- To improve developer experience, the methods on sessionStorage and localStorage such as getItem(), removeItem(), and clear() are now enumerable. Thanks to Intel for making this happen!
- display: minimal-ui is now supported by Chrome on Android, enabling developers to display a UI similar to Chrome Custom Tabs for users.
- To improve interoperability, instance properties with a Promise type now return a rejected promise instead of throwing an exception.
- The /deep/ or >>> selector, as well as ::shadow, are now removed from CSS dynamic profile, following their deprecation in Chrome 45.
- To improve interoperability, HTMLAllCollection, HTMLCollection, HTMLFormControlsCollection, and HTMLOptionsCollection are no longer enumerable, so they are now left out of calls to Object.keys() or for-in loops.
For what’s new in the browser’s DevTools, check out the release notes.
Chrome 63 also implements 37 security fixes. The following ones were found by external researchers:
- [$10500][778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson on 2017-10-26
- [$6337][762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by Ke Liu of Tencent’s Xuanwu LAB on 2017-09-06
- [$5000][763972] High CVE-2017-15409: Out of bounds write in Skia. Reported by Anonymous on 2017-09-11
- [$5000][765921] High CVE-2017-15410: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-16
- [$5000][770148] High CVE-2017-15411: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-29
- [$3500][727039] High CVE-2017-15412: Use after free in libXML. Reported by Nick Wellnhofer on 2017-05-27
- [$500][766666] High CVE-2017-15413: Type confusion in WebAssembly. Reported by Gaurav Dewan (@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-09-19
- [$3337][765512] Medium CVE-2017-15415: Pointer information disclosure in IPC call. Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15
- [$2500][779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by Ned Williamson on 2017-10-28
- [$2000][699028] Medium CVE-2017-15417: Cross origin information disclosure in Skia. Reported by Max May on 2017-03-07
- [$1000][765858] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by Kushal Arvind Shah of Fortinet’s FortiGuard Labs on 2017-09-15
- [$1000][780312] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-10-31
- [$500][777419] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-10-23
- [$TBD][774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13
- [$500][778101] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. Reported by Greg Hudson on 2017-10-25
- [$N/A][756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by Khalil Zhani on 2017-08-16
- [$N/A][756456] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by xisigr of Tencent’s Xuanwu Lab on 2017-08-17
- [$N/A][756735] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-08-18
- [$N/A][768910] Low CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox. Reported by Junaid Farhan (fb.me/junaid.farhan.54) on 2017-09-26
- [792099] Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $46,674 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
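For anyone triaging this list by severity or affected component, the entries follow a regular format that is easy to parse. The JavaScript below is an added example, not code from Google or from this article: it parses lines of the form `[$bounty][bug id] Severity CVE: title. Reported by ...`, keeps `$TBD` and `$N/A` as unpriced rather than zero, and skips the internal-fixes line that has no CVE. The function names and the choice of sample lines are assumptions made for the example.

```javascript
// Added example: parse Chrome release-note security entries of the form
//   [$bounty][bug-id] Severity CVE-id: Title. Reported by <who> on <date>
// The \s*\. tolerates a stray space before the period that ends the title.
const ENTRY = /^\[\$([^\]]+)\]\[(\d+)\]\s+(Critical|High|Medium|Low)\s+(CVE-\d{4}-\d+):\s+(.*?)\s*\.\s+Reported by\s+(.*)$/;

// Subset of the entries listed in the article, embedded so the block runs offline.
const SAMPLE = [
  "[$10500][778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson on 2017-10-26",
  "[$3500][727039] High CVE-2017-15412: Use after free in libXML. Reported by Nick Wellnhofer on 2017-05-27",
  "[$2500][779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by Ned Williamson on 2017-10-28",
  "[$TBD][774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13",
  "[$N/A][756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by Khalil Zhani on 2017-08-16",
  "[792099] Various fixes from internal audits, fuzzing and other initiatives",
];

function parseEntry(line) {
  const m = ENTRY.exec(line.trim());
  if (!m) return null; // no bounty/CVE fields, e.g. the internal-audit line
  const [, bounty, bug, severity, cve, title, rest] = m;
  const at = title.lastIndexOf(" in ");
  const date = /\bon (\d{4}-\d{2}-\d{2})$/.exec(rest);
  return {
    bug: Number(bug), severity, cve, title,
    // Titles end in "... in <component>"; null if a title breaks that pattern
    component: at >= 0 ? title.slice(at + 4) : null,
    // "TBD" and "N/A" are not amounts: record null, never 0
    bounty: /^\d+$/.test(bounty) ? Number(bounty) : null,
    reported: date ? date[1] : null,
  };
}

function summarize(lines) {
  const entries = lines.map(parseEntry).filter(Boolean);
  const bySeverity = {};
  let paid = 0, unpriced = 0;
  for (const e of entries) {
    bySeverity[e.severity] = (bySeverity[e.severity] || 0) + 1;
    if (e.bounty === null) unpriced += 1; else paid += e.bounty;
  }
  return { entries, bySeverity, paid, unpriced };
}

console.log(summarize(SAMPLE));
```

Run over all 19 CVE entries in the list, the priced bounties sum to $46,674, the figure quoted above; the single `$TBD` entry is why that figure is a lower bound.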
Google releases a new version of its browser every six weeks or so. Chrome 64 will arrive by late January.
In related news, Google released Chrome 63 for Android yesterday. In addition to performance and stability fixes, you can enjoy improvements to autocompletion in the address bar and permission requests presented as modal dialogs (which Google claims reduces the overall number of permission prompts by 50 percent).