Release: Google Chrome 56

Google Chrome Browser Logo: Blue gradient circle with a thick white outline and a larger circle behind it with red, yellow, and green trisection coloring from top to bottom left.

Google has released version 56 of its web browser, based on the open-source Chromium web browser. There were 51 security-related bug fixes and one security researcher nabbed over thirty-thousand dollars ($30,000) for reporting some particularly nasty cross-site scripting (XSS) issues in Blink, Chrome’s rendering engine.

Here are the other new and fixed features:

For Users

  • WebGL 2.0 Support
  • HTML5 by Default
    • For all users the browser will now attempt to load HTML5 content over Flash and will only fall back to Flash when it is absolutely necessary
    • Around October of this year Flash will require the user to explicitly approve its use
  • Built-in FLAC (Free Lossless Audio Codec) codec/support
  • The URL input bar now shows “Not Secure” next to the information icon for sites that are not encrypted and request usernames and passwords
  • Improved Bluetooth support via Bluetooth Low-Energy (BLE) and the Web Bluetooth API
  • Page reloading up to 28% faster

For Developers

  • Added “system-ui” font-family value that uses the operating system’s (OS’s) default font
  • Network
    • Support added for Referrer-Policy (CSP referrer) header
    • reflected-xss header deprecated
  • CSS
    • background-image-repeat: space value support added
      • Fills background with repeated tiles but not so much that it goes outside the container and will “space out” the tiles equally
    • position: sticky value support added
      • Works as “relative” until it reaches a maximum value, then works as “fixed”
    • offset-rotate motion path property now supported
    • Scroll anchoring support added, new overflow-anchor property with possible values of auto or none (to disable)
      • Locks the browser to a specific element so that content reflows do not force the browser away from the anchor element as images & other content load
    • touch-action: pinch-zoom property support added
  • SVG
    • SVGElement.currentView, SVGElement.useCurrentView, and SVGViewSpec interface deprecated
  • JavaScript
    • Chrome will no longer fetch the src (source) property of <script> tags with non-script MIME types (suggests using the link preload element instead)
    • Removed deprecated MediaStreamTrack.getSources()
    • Shadow DOM: Will now dispatch synthetic events when target and relatedTarget event property values are identical/same
    • Showing/hiding the URL bar will no longer affect the page size or elements with vh units
      • overlay with “extra at the top” rather than pushing content around
    • KeyboardEvent.isComposing read-only value which returns true after compositionstart event has fired but before compositionend has
    • MediaStream Image Capture now allows for taking images/video from attached camera/imaging devices
    • Fixed attached mouse on Android devices incorrectly firing TouchEvent instead of MouseEvent
    • Large images now allowed to be sent as notification content via Notification API
    • OPUS audio codec support
    • PaymentRequest.canMakePayment() returns true or false if a payment can be accepted via Payment Request API
    • Remote Playback API support added
      • Android only, desktop support will be added in a later version – desktops currently report no available playback devices even when there is at least one available
      • Can control external devices’ (like Smart TVs, Chromecasts, Rokus, etc.) media playback
    • Shadow DOM: slotchange events are no longer re-fired at slot’s assignedSlot (corrects odd behavior and complies with specification change)
    • Streams API: WritableStream is now supported
    • Added ImageBitmapRenderingContext
      • Provides low-level context for rendering an image on Canvas
    • Document-level TouchEvents are now passive by default
    • Web Bluetooth API supported
    • WebGL 2 supported
    • WebAudio API
      • Added ConstantSourceNode
      • ChannelSplitterNode channelCount and channelCountMode are constant
      • PannerNode.rolloffFactor clamps to nominal range
      • Removed deprecated Doppler API
  • Security
    • Added early support for TLS 1.3
    • Removed various ECDSA TLS ciphers
    • SHA-1 certificates are no longer trusted
    • Touch scroll events no longer allow popups to be opened
    • window.prompt() no longer brings background/inactive tabs to the foreground/active state
      • Background tabs will just not display a prompt
  • DOM
    • Rare case-insensitive matches for <input> group name are no longer done
    • Non-white-space Unicode control characters are now rendered in compliance with the specification
    • Delay running rendering pipeline (including requestAnimationFrame requests) inside iframes until all stylesheets have loaded
    • Allow any element below the body to be defined as the root scroller (which allows hiding URL bar, generate overscroll glow, etc.) via document.rootScroller

http://www.omgubuntu.co.uk/2017/01/google-chrome-56-flac-webgl-supprot

Chrome now reloads pages 28% faster

https://www.chromestatus.com/features#milestone%3D56

Chrome Changes: Encryption Notification

Google Chrome version 56 (based on the open-source Chromium web browser) is scheduled to be released at the end of the month. One of the major user-level changes is how sites without encryption will appear. Until now there has just been a lowercase letter “i” with a circle around it — this was typically an indicator to get more information about the site. In the upcoming version this symbol will be accompanied by a “not secure” message to indicate that the site is not secure:

The difference between Chrome 53 and Chrome 56 when a non-encrypted site is visited: The circled lowercase "i" will be accompanied by "Not secure"

 

Google has also indicated that future versions of Chrome will continue to make sites that are not encrypted appear with a more prominent warning symbol:

In future versions of Chrome the "Not secure" indicator will be red, have a triangle exclamation mark warning icon, and be much bolder.
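For site owners who want to find the pages that will pick up the new label, here is an added example (not code from Chrome or from the original post) that approximates the condition described above: the page is served without encryption and contains a password field. The function names and sample pages are constructed for illustration, and the tag scan is a simple heuristic rather than a full HTML parser.

```javascript
// Added example: approximates the Chrome 56 "Not secure" condition described
// above (unencrypted page + password field). This is not Chrome's own logic.

// Collect the attributes of every <input> start tag in an HTML string.
// Heuristic: assumes attribute values do not contain a literal ">".
function inputTags(html) {
  const tags = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([^\s"'=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      // Value may be double-quoted, single-quoted, unquoted, or absent.
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    tags.push(attrs);
  }
  return tags;
}

// Report whether a page would be labelled: not HTTPS and asks for a password.
function auditPage(pageUrl, html) {
  const url = new URL(pageUrl);
  const passwordFields = inputTags(html)
    .filter((t) => (t.type || "").trim().toLowerCase() === "password")
    .map((t) => t.name || t.id || "(unnamed)");
  const encrypted = url.protocol === "https:";
  return {
    url: url.href,
    encrypted,
    passwordFields,
    notSecureLabel: !encrypted && passwordFields.length > 0,
  };
}

// Constructed sample pages (hypothetical hosts and markup).
const SAMPLE_PAGES = [
  { url: "http://intranet.example/login",
    html: `<form><input name="user"><input type="PASSWORD" name="pw"></form>` },
  { url: "https://shop.example/login",
    html: `<input type='password' id='pass'/>` },
  { url: "http://blog.example/",
    html: `<input type=search name=q>` },
];

for (const p of SAMPLE_PAGES) {
  const r = auditPage(p.url, p.html);
  console.log(r.url, r.notSecureLabel ? "-> Not secure label" : "-> no label",
              r.passwordFields);
}
```

Moving a flagged login page to HTTPS, rather than removing the field, is what clears the label.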

 

Imminent: Non-HTTPS Sites Labeled “Not Secure” by Chrome

Google warned about this back in September of 2016.

Google Chrome 55 Released

Google has released version 55 of the Chrome web browser (based on the open-source Chromium browser) a few days early (it was supposed to be released on the 6th). Over $70,000 was paid out to security experts, developers, and white-hat hackers for finding over 25 different security-related issues with the browser.

Noteworthy features:

async & await functions

ES2016’s async and await function flags will be fully supported and allow making function calls that do not delay the main browser thread (asynchronous). Note that because IE does not support this (though it can be mimicked using a setTimeout polyfill; Edge has this feature behind an experimental flag) it will be a while before it can be used cleanly. Babel (the ES6->ES5 JavaScript transpiler Node.js module) transpiles these for browsers that do not support them using the setTimeout polyfill.

Pointer Events

Pointer Events API will be fully supported and allow capturing mouse and touch move, over, and leave/out events combined into a single event.

Persistent Storage

Persistent Storage will be supported. Note that pretty much all browsers support localStorage, but it is simply up to the browser when to remove the data. For instance, when hard drive space runs out, storage data gets wiped automatically to free up space. Persistent Storage provides a mechanism that allows the developer to request their data be kept unless clearing out all non-persistent data still does not free up enough storage space. It identifies whether or not their request was accepted or the browser is simply only accepting non-persistent storage.

Chrome 55 is expected to use significantly less memory. Chrome was the first browser to support per-tab processes – but has always been at the cost of using a fair bit more memory than other browsers. Now they have a goal to, eventually, reduce the memory usage enough that Chrome can be used easily on a computer with just 1GB of memory. Version 55 is the first step toward that goal as it both uses a fair bit less memory and has a rewritten garbage collector.

Chrome Security Update: 45.0.2454.101

Google has released a security update for its Chrome web browser. The new version, 45.0.2454.101, includes fixes for a reported cross-origin bypass that affects both the document object model (DOM) parser as well as the V8 JavaScript/ECMAScript engine.

It is recommended that you update your browser to this version to prevent possible exploits. You can do so by clicking the main menu icon (three dashes in the top right) and going to Help / About Google Chrome or by downloading from:

http://www.google.com/chrome/

Google’s Cell Service Play

Google likes to jump into a number of businesses that involve technology. They are heavily involved in robotics and are developing a self-driving car, conduct a number of research projects, jumped into the cloud computing ring, more recently became an ISP (Internet Service Provider) by rolling out fiber-optic internet to a number of cities across the United States, and develop the Android OS (operating system) that runs roughly half of the world’s cell phones. Now they are looking to take over your cell phone service as well. Google just announced Project Fi, their new mobile phone service.

Google Project fi logo - a green and blue lower-case "f" and yellow "i". The dot above the "i" is white and overlaps the cross of the "f".
Google’s Project fi Logo

The new service — currently only open to a few who request an invite — offers mobile phone service for $20 per month with data starting at $30 per month for 3 GB (gigabytes) — total of $50 per month. That is a little underwhelming given that other wireless carriers offer similarly-priced plans. It is not until you add in the discounts and features that it becomes mildly intriguing. First of all they refund you for the data you did not use. So you get refunded for the amount of data you don’t use under $3. So if you only use 1 GB in a month they will refund you $20 (data is charged at $10 per GB). There are no contracts.

One of the major drawbacks of this service is the phone selection. There is none. Currently you can only use the Motorola-produced Google Nexus 6. Sorry, no Apple iPhones here.

Where this show gets somewhat more interesting is how the service works: It uses 2 networks. Google partnered with Sprint and T-Mobile — both providers use similar technology in their networks — and the phone can simply hop onto the network that has the strongest signal. This probably increases the signal strength mildly since Sprint and T-Mobile are the smaller networks operating in the U.S. The other way to make calls is over a Wi-Fi network (including the many open networks available at restaurants, coffee shops, airports, and other offices and retail stores nationwide). However, even that is not new: T-Mobile already offers a service that allows for calls over a Wi-Fi connection.

On the plus side, if you travel a lot it could be a sigh of relief. Some other mobile service providers make you jump through hoops, pay a little to a lot more for service and/or data, or simply don’t offer service in other countries. This new plan from Google works in more than 120 countries (since Sprint and T-Mobile use the same wireless technology the majority of service providers outside the U.S. use, it is more compatible) though data speed is limited since only 3G connections will work. They also do not charge any more for data when traveling. It’s still the same $10 per GB. International calling rates of $0.20 per minute apply. No extra charges for texting internationally.

It’s a modest start — it’s not likely to cause a mass-exodus from other cell service providers — but it will be interesting to see how their service evolves.

YouTube Has Gone Native!

Today the Google-owned YouTube video-on-demand (VOD) and live streaming service that brought you kittens in teacups has switched to using the HTML5 native video tag by default. What does this mean? Up till now the majority of videos on YouTube have required the Adobe-produced Shockwave Flash plugin to play videos. However, over the years browser standards have evolved and now support playing video directly through the browser. Playing video through the browser without using a plugin is generally faster to load and faster to play. They have also introduced a few new standards to the mix to allow for encryption, protection, and streaming of content directly in the browser.

HTML5 logo consisting of the word "HTML" at the top in bold black lettering. Below the title is a large orange "bent shield" design with a large white "5" in the center.
The logo/badge developed by the World Wide Web Consortium (W3C) for HTML5.

Speed

Google bought On2 Technologies, the company that produced the VP9 video codec (and likely using Google’s WebM wrapper), back in 2009. Since then they have open-sourced it and have been pushing all browser developers to support it. VP9 is able to get similar visual quality to the popular H.264 codec while reducing file size moderately. The codec is also able to be loaded very quickly, especially within the browser. YouTube claims a 15-80% decrease in start-up time over using Flash and H.264 (note that the vast majority of the load time would be starting up the Flash plugin). YouTube also claims it will enable them to start delivering 4K video at 60FPS.

Encryption & Content Protection

YouTube is also using Encrypted Media Extensions and Common Encryption standards to deliver content securely and behind a pay-wall where necessary. Unlike alternatives such as Flash and Silverlight, these content protection standards are completely separate from the content, which means you don’t need costly proprietary software to rewrite all or part of the content to create and store it. It is also not limited to one or two pieces of content protection software. Anyone can develop their own protection schemes using the standards and offer them for free or sell them on the open market. It will be interesting to see what happens as this becomes the de facto standard over time.

Real-Time Broadcasting?

Within the same announcement, YouTube engineers also hint at the possibility of using the WebRTC (Web Real-Time Communication) standard built into most modern browsers as part of a live video streaming stack (should OBS and XSplit be worried?). WebRTC is already being used in part by Google Hangouts and it is already known that YouTube has wanted to expand its live streaming video offerings. Could this be a foreshadowing? Very likely. We will have to wait and find out.

Native Adaptive Bitrate

Most video streaming is done using a couple of proprietary technologies and one standard. Software like Adobe’s Streaming Media Server delivers content using Real Time Messaging Protocol (RTMP) and Real Time Streaming Protocol (RTSP), which have become outdated and unsupported. They also cause problems with corporate firewalls that block unknown protocols for security reasons. Microsoft’s Smooth Streaming is a more recent entry but is meant specifically for their proprietary Internet Information Server (IIS) and for their Silverlight browser plugin. Adoption by anyone except large media conglomerates looking to protect their content while making it near-impossible to view on any other devices (and thereby pissing off their customers) has been lackluster at best. The HLS standard created by Adobe is the most popular and easiest to implement solution so far. It provides a specific layout for playlist files and how videos should be broken into pieces that can be downloaded more quickly and allows proper management software to determine the best bitrate to use depending on the user’s bandwidth limits.

In comes Media Source Extensions. This new standard is meant to allow the script embedded in all browsers – JavaScript – to create its own media streams without having to rely on any specific media type or how it is acquired from a server. It also allows the browser to manage much of the back-haul and caching without requiring a large, slow script to be produced by engineers and revered by everyone.

Obviously these new standards are fresh off the press, having just been released this month, so they will undergo a number of months of commenting, scrutiny, and alterations before they are finalized.

Lastly, YouTube is changing over their embed codes. Gone are the old <object> tags that dominated the landscape. They are now replaced with shiny new iframe embeds. The “page-within-a-page” design of iframes allows them to load the technology that is needed for each user – be it HTML5 or Adobe’s Flash plugin.