chromium 52 chrome 各个版本发布功能列表(58-84)

chromium Features 58-84

From https://chromestatus.com/features

chromium58 Features:41

1. 'allow-top-navigation-by-user-activation' <iframe sandbox> keyword

Adds a new keyword named "allow-top-navigation-by-user-activation" for iframe sandbox, which requires a user activation (or gesture) being processed to trigger a top-level navigation. This change would enable more use cases of sandboxing untrusted third-party contents (eg., ads) by allowing top navigation while blocking malicious auto-redirecting, and thus help building a safer internet (eg., a safer ads ecosystem in which all ads could be sandboxed to prevent malicious auto-redirecting).

2. <abbr> and <acronym> have underline by default

<abbr> and <acronym> should have dotted underline by default according to the HTML standard.

3. Allowing autoplay unmuted in WebAPK manifest scope

In WebAPK mode, frames that are within the WebAPK manifest scope will be allowed to autoplay media unmuted.

4. ClipboardEvent Constructor

This entry tracks exposing ClipboardEvent constructor.

5. Create Workers from data: URLs

HTML specifies that data: URLs can be used to create workers with opaque origins. We should support this as a first step towards defining a sandboxing mechanism for Workers (and parity with other browsers).

6. EME: Make navigator.requestMediaKeySystemAccess() spec compliant

Require that one of 'audioCapabilities' and 'videoCapabilities' be specified in the configuration passed to navigator.requestMediaKeySystemAccess(), and require that the contentType strings used as part of the entries to 'audioCapabilities' and 'videoCapabilities' include the desired codec as part of the MIME type. This item covers two bugs though only one is listed under the status section: https://crbug.com/605661, https://crbug.com/616233

7. INPUT element: selectionDirection, selectionStart, and selectionEnd attribute getters should not throw

For input types which don't support text selection API, we have thrown InvalidStateError. The specification was changed so that null is returned in such case.

8. IndexedDB 2.0

IndexedDB 2.0 introduces a few APIs that optimize some database access patterns and improve programming ergonomics. Chrome will support the full standard by shipping the following features:

support for binary keys, object store and index renaming, getKey() on IDBObjectStore, getPrimaryKey() on IDBIndex.

9. Intervention: Offline Previews

When users are on slow connections, Chrome will show an offline copy of a page if there is an offline version of the page available on the user's device. Users will be shown a lite mode UI in the omnibox.

If Chrome determines the network has 2G speeds and there's an offline page stored, Chrome shows the offline page. Chrome's offline pages are based on MHTML snapshots. An intervention report is sent when this optimization occurs.

10. Long Task API

A performance API to enable applications to detect presence of "long tasks" that monopolize the UI thread for extended periods of time and block other critical tasks from being executed - e.g. reacting to user input.

11. Mouse on Android stops firing TouchEvents

A mouse on an Android M (or later) device:

(a) will no longer fire TouchEvents, and

(b) will fire a consistent sequence of MouseEvents with appropriate buttons & other properties.

Before this change, a low-level mouse events in Android reached blink as a touch event, hence fired a touch event then a compat mouse event if the touch event went uncanceled.

12. Native media controls customization

We propose extending the "controls" attribute of the HTMLMediaElement so that the website could enable/disable certain media controls without having to implement all the controls on its own. A "controlsList" property will be added reflecting the current value of "controls" similar to the "class" and "classList" on HTMLElement.

13. Pause autoplaying muted video by attribute when invisible (Android)

As a muted video with autoplay attribute only starts playing when it's becoming visible, it's reasonable to pause them when invisible to reduce power usage.

14. PointerEvent.getCoalescedEvents

An API to return all the coalesced events of the received events in javascript. This API enables apps like drawing app to draw smoother curves using the precise history of points.

15. RTCPeerConnection.getStats

This is a spec-compliant version of RTCPeerConnection.getStats returning a promise resolved with RTCStatsReport, a maplike containing RTCStats dictionaries.

Stats are being implemented according to the spec in a continuous effort for coverage to become good enough that the old getStats method can be deprecated.

The old getStats (taking a callback as argument) is very different from the spec and riddled with goog-prefixed things.

16. RTCPeerConnection.setConfiguration

Implement setConfiguration according to WebRTC 1.0 and JSEP. This API allows an application to change the set of ICE servers, ICE candidate policy, and ICE candidate pool size without creating a new RTCPeerConnection.

17. Selection API: addRange() ignores additional Ranges

In a case where document already has text selection and Selection.addRange() is called, Blink merges the Range and the existing text selection into one if they have overlap, and does nothing otherwise.

We'll change it so that Blink always ignore the Range. It matches to Edge.

18. Selection API: getRangeAt() returns a Range registered by addRange()

Blink had a bug that getRangeAt() always returns a new Range with position normalization. It didn't match to Edge, Firefox, and Selection API specification.

19. Selection API: removeRange() function

Selection interface should support removeRange() function to remove the specified Range.

20. Selection API: setBaseAndExtent() throws IndexSizeError for too large offsets

setBaseAndExtent() silently clamped too large offset values. IndexSizeError should be thrown for such values to match to Firefox, Edge, and the specification.

21. Selection API: setBaseAndExtent(), extend(), and collapse() throw InvalidNodeTypeError for DOCTYPE

These function silently normalized the specified position with DOCTYPE. However, they should throw InvalidNodeTypeError to match to Edge, Firefox, and the specification.

22. Ship PointerEvent.tangentialPressure and PointerEvent.twist

Adding support of tangentialPressure and twist attributes in the pointer events API on Mac. They are supported by some stylus devices and are already used in numerous painting apps.

23. Strict Secure Cookies

This adds restrictions on cookies marked with the 'Secure' attribute. Currently, Secure cookies cannot be accessed by insecure (e.g. HTTP) origins. However, insecure origins can still add Secure cookies, delete them, or indirectly evict them. This feature modifies the cookie jar so that insecure origins cannot in any way touch Secure cookies. This does leave a carve out for cookie eviction, which still may cause the deletion of Secure cookies, but only after all non-Secure cookies are evicted.

24. Trailing comma in JavaScript function parameter lists

A small modification to JavaScript syntax allows trailing comma in formal parameter lists and in argument lists. For example, all the following become valid:

function f(a, b,) { return a + b }

let g = (a, b,) => a + b

f(1, 2,) + g(3, 4,)

This is expected to be available by default in Chrome 58.

25. Unprefix CSS 'line-break' property

The CSS 'line-break' property specifies the strictness of line-breaking rules. The exact definition of the strictness depends on languages.

Our implementation relies on ICU (see doc link) which supports East Asian writing systems and Finnish.

26. WebAudio: Add buffering/latency hint via latencyHint

Currently, WebAudio will use the lowest latency possible for the audio device for the best interactive behavior. However, for some use-cases such as media playback, this causes unnecessary power and/or CPU utilization.

The latencyHint is a hint from the developer that such a latency is not required. The latencyHint is either an AudioContextLatencyCategory value or a double specifying the desired numeric latency. This is a hint to Chrome.

27. WebAudio: AudioBuffer constructor only takes one argument

Currently the AudioBuffer constructor takes two arguments: the context, and the AudioBufferOptions. The context argument is removed so that only AudioBufferOptions is required. In addition the sampleRate member of AudioBufferOptions is now required.

28. XSS Auditor violation report MIME type.

The XSS Auditor's violation reports are now sent with a MIME type of application/xss-auditor-report (as opposed to application/json).

29. color-gamut media query

Expose the approximate range of colors supported by the user agent and the output device in a CSS Media Query.

30. display: flow-root

display: flow-root generates a block container box, and lays out its contents using flow layout. It always establishes a new block formatting context for its contents.

31. CSS class name: Apple-interchange-newline, Apple-converted-space, Apple-paste-as-quotation, Apple-style-span, and Apple-tab-span

These non-standard CSS classes are used to differentiate the span elements added by Blink itself in editing.

32. Remove "reset" and "document" as valid zoom values

There are two special values for the CSS zoom property that are inconsistently documented: "reset" and "document".

They set the element's zoom to 1.0 regardless of parent element zoom status and prevent page zoom from affecting the element's size.

We're removing them.

33. Deprecate and Remove case-insensitive matching for usemap attribute

"Compatibility caseless" had been applied to usemap attribute matching. The specification was updated so that case-sensitive matching is applied. https://github.com/whatwg/html/commit/6acdb2122298d2bb7bb839c0a61b4e1f9b0f9bc9 A deprecation warning is printed to the console starting in Chrome 57.

34. Deprecate and Remove: setting Event.cancelBubble to false

According to https://github.com/whatwg/dom/issues/211, setting cancelBubble to true is considered as an alias to stopPropagation(), and the spec indicates setting cancelBubble to false should do nothing.

35. Legacy caller for HTMLEmbedElement and HTMLObjectElement

That an interface has a legacy caller means that an instance can be called as a function. This used to be the case for HTMLEmbedElement and HTMLObjectElement but is being removed. Calling will instead throw an exception. This was deprecated in Chrome 57.

36. Remove EME from Unsecure Contexts

Per https://w3c.github.io/webappsec-secure-contexts/, we are deprecating and then removing EME from insecure contexts. EME is a powerful feature that exposes DRM implementations that involve access to persistent unique identifiers, are not open source, and/or run unsandboxed or with privileged access. The risks are increased when exposed via insecure HTTP, because they could be attacked by anyone on the channel. This was deprecated in Chrome 44.

37. Remove pre-standard ChaCha20-Poly1305 ciphers

In 2013, Chrome 31 deployed new TLS cipher suites based on Prof. Dan Bernstein's ChaCha20 and Poly1305 algorithms. This was later standardized, with small tweaks, at the IETF as RFC 7539 and RFC 7905. We shipped the standardized variant early in 2016 with Chrome 49. We are now removing the pre-standard variants.

38. Support for commonName matching in Certificates

RFC 2818 describes two methods to match a domain name against a certificate - using the available names within the subjectAlternativeName extension, or, in the absence of a SAN extension, falling back to the commonName.

The fallback to the commonName was deprecated in RFC 2818 (published in 2000), but support still remains in a number of TLS clients, often incorrectly.

39. VTTRegion-related bits of TextTrack

The interface elements regions, addRegion() and removeRegion() have been removed from the WebVTT spec and will be removed from Chrome. The VTTCue.region property was added and the VTTRegion interface was updated to match a late version of the specification.

40. WebAudio: Remove AudioSourceNode interface

Remove the AudioSourceNode interface. This interface is not part of the WebAudio specification, is not constructible, and has no attributes so it basically has no user-accessible functionality.

41. webkitdropzone global attribute

The dropzone global attribute was introduced by the HTML5 drag and drop specification as a declarative method for specifying an HTML element's willingness to be the target of a drag-and-drop operation, the content types that can be dropped onto the element, and the drag-and-drop operation (copy/move/link).

No browser has implemented the unprefixed version. Blink and WebKit implement a prefixed form of the attribute, webkitdropzone. We would like to remove the prefixed attribute.

chromium59 Features:33

1. Animated PNG

Support for animated PNG images

2. CSP hash expressions can match external scripts.

CSP3 allows hash expressions to match external scripts, by relying on SRI as underlying infrastructure. That is, given Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba', <script integrity="sha256-abc123" ...></script> will be allowed.

3. CSP3: The 'worker-src' directive

The 'worker-src' directive restricts the URLs which may be loaded as a Worker, SharedWorker, or ServiceWorker. It falls back to 'child-src' (which, in turn, falls back to 'default-src').

04 .CSP: report-sample property in violation reports

The report-sample property attempts to reach consensus on an opt-in variant Firefox's behavior. In short, we'll collect a 40-character sample for inline script and style violations, and include it in the violation report (and associated SecurityPolicyViolationEvent object) iff a 'report-sample' expression is present in the violated directive.

5. CSS Box Alignment shorthands

Shorthand properties to control the alignment behavior along block and inline axes in a single declaration.

6. DIALOG element has display:block style by default

The default display style of a DIALOG element is changed from inline to block.

7. DeviceOrientationEvent and DeviceMotionEvent constructors

The DeviceOrientationEvent and DeviceMotionEvent constructors are defined by the DeviceOrientation Event Specification but were not were not implemented in Chrome. Firefox has already shipped these constructors as specified.

8. Fetch API: Request#url includes the URL fragment

Request#url now includes the URL fragment, as per the spec. Before Chrome 59, the fragment was stripped out.

This means service workers can see the URL fragment in the 'fetch' event handler.

9. Headless mode

Headless mode allows running Chromium in a headless/server environment. Expected use cases include loading web pages, extracting metadata (e.g., the DOM) and generating bitmaps from page contents -- using all the modern web platform features provided by Chromium and Blink.

To use headless, start Chrome with a command line flag:

$ chrome --headless --remote-debugging-port=9222 https://chromium.org

10. MediaError.message

The MediaError.message DOMString field provides, if available, any additional vendor-specific error message detail to assist web authors debugging media player errors. The format and content of the string is left to vendors, though it's commonly in the form of a vendor-specific error code followed optionally by a ":" and further detail about the error. It is populated at the time of MediaError creation.

11. MediaStream Image Capture

Enable taking pictures from an Image/Video Capture Device.

12. Navigation preload for service workers

An API that enables the browser to send "preload" network requests for navigations before executing the fetch event handler in the service worker that intercepts the target URL. The worker has access to the preload response inside the fetch event handler. Common use cases would be to respond with the preload response directly, or use it to populate the response.

13. Partial RTCRtpReceiver and RTCRtpContributingSource support

The parts of the RTC Media API (https://w3c.github.io/webrtc-pc/#rtp-media-api) that allow keeping track of contributing sources for receiving tracks. RTCPeerConnection extension: getReceivers(). RTCRtpSender support: track, getContributingSources(). RTCRtpContributingSource support: timestamp, source.

Feature for the rest of the API:

https://www.chromestatus.com/feature/5347809238712320

14. Presentation API: Receiver API

This is implementing the receiving side of the API in order to allow a web page to be presented and interact with the presenting web page. This is also called 1-UA mode because that mode would allow the browser to render both presenting and receiving pages locally.

15. RTCConfiguration.iceCandidatePoolSize

Normally, ICE candidates are only gathered after RTCPeerConnection.setLocalDescription is called, because this is the point at which the PeerConnection knows how many ports it needs. The iceCandidatePoolSize member of RTCConfiguration instructs the PeerConnection to gather ICE candidates before this occurs, as a performance optimization. Thus, if setting the local description is delayed (by signaling, for example), interactions with STUN/TURN servers can occur in parallel.

16. RTCPeerConnection.onicegatheringstatechange

This feature adds the icegatheringstatechange event and the onicegatheringstatechange event handler to RTCPeerConnection.

17. Referrer Policy Header for CSS

Add the ability for CSS stylesheets to specify their own referrer policy via the HTTP header.

18. Response.redirected and a new security restriction

• Add .redirected attribute to Response class of Fetch API. Web developers can check it to avoid untrustworthy responses.
• To avoid the risk of open redirectors (https://cwe.mitre.org/data/definitions/601.html) introduce a new security restriction which disallows service workers to respond to requests with a redirect mode different from "follow".

19. Screen.colorDepth and Screen.pixelDepth can return other value than 24

The Screen object is no longer required to return 24 for colorDepth and pixelDepth. It enables websites to have a better idea of the number of bits being used to display a color on the screen.

20. Streams API: Piping

ReadableStream's pipeTo() is the standard way to compose readable and writable streams. It reads data from the ReadableStream and writes it to a WritableStream while respecting backpressure.

pipeThrough() is a simple wrapper around pipeTo() that provides elegant syntax for chaining multiple streams.

21. Streams API: WritableStream

WritableStream is part of the Streams API for creating, composing, and consuming streams of data. It is the writable counterpart to ReadableStream, which is already shipping in Chrome. It provides a standard abstraction for writing streaming data to a sink, with built-in backpressure and queuing. This is expected to be on by default in Chrome 59.

22. WebAudio: decodeAudioData detaches ArrayBuffer

According to the spec, decodeAudioData detaches the given ArrayBuffer before decoding. This means that the ArrayBuffer no longer has any contents and can't be reused or examined.

If it's important to keep the data, user ArrayBuffer.slice(0) to make a copy for decodeAudioData.

23. rAF Aligned Touch Input

Align touchmove events so that they occur close to requestAnimationFrame() as possible.

24. self.origin

self.origin returns the Unicode serialization of the origin of the settings object of the global represented by "self" (a Window or WorkerGlobalScope). This gives scripts a consistent way of getting their origin in both situations. Note that unlike location.origin this represents the actual origin of the global, not the origin of the URL it's loaded from. The difference can be substantial in the case of sandboxing, for example.

25. Deprecate and Disable SDCH

SDCH is a shared dictionary compression mechanism developed by Google but not standardized. It's use in chrome is being discontinued.

Intent to deprecate thread: https://groups.google.com/a/chromium.org/forum/#!searchin/blink-dev/SDCH|sort:relevance/blink-dev/nQl0ORHy7sw/HNpR96sqAgAJ

26. Deprecate SVGTests.requiredFeatures attribute

In SVG2, hasFeature always return true.

So requiredFeatures attribute not doing anything useful.

It has been removed from the spec:

https://github.com/w3c/svgwg/commit/9a30d01f6410dc516c5f874d71e957230a3448cd

This was deprecated in Chrome 54/Opera 41.

27. Deprecate and remove -internal-media-controls-cast-button

-internal-media-controls-cast-button selector exposes Blink internal shadow DOM to the web content. Authors that want to have a custom cast button should use custom controls and implement a cast button with the Remote Playback API.

28. Deprecate and remove -internal-media-controls-text-track-list*

-internal-media-controls-text-track-list* selectors expose Blink internal shadow DOM to the web content. Authors that want to have a custom text track picking interface should use custom controls.

29. Drop support for embedded credentials in subresource requests.

We should block requests for subresources that contain embedded credentials (e.g. "http://ima_user:[email protected]/yay.tiff"). Such resources would be handled as network errors.

30. Drop support for subresources with legacy protocols.

We should block requests from HTTP/HTTPS documents that target "legacy" schemes (e.g. "ftp://my-awesome-ftp-server.com/yay.tiff"). That is, the ftp:// image referenced in https://jsbin.com/petonig/edit?html,output would not load, as the document itself is not served from ftp://.

31. Remove "on-demand" value for hover/any-hover media queries.

Remove the support for "hover: on-demand" and "any-hover: on-demand" media queries. The "on-demand" value used to satisfy for the pointing devices that, for example, "can't normally hover, but will activate hover on a long press".

The "on-demand" value for hover/any-hover media queries has been removed from the spec in early 2016.

32. Remove FileReaderSync from service workers

The Service Worker spec has always had the (non-normative) note that "any type of synchronous requests must not be initiated inside of a service worker", to avoid blocking the service worker (as blocking the service worker would block all network requests from controlled pages). However synchronous APIs such as FileReaderSync were still available in service workers. So we'd like to fix that by removing this API from service workers. This was deprecated in Chrome 57.

33. Temporarily stop permission requests after 3 dismissals

Temporarily stop an origin from requesting a permission following the third dismissal of a permission prompt. The stop will be lifted after some amount of time has passed (initially 1 week), after which the origin may request the permission again. A further dismissal will apply the temporary stop again.

For web developers who are testing features, the block can also be removed by changing the permission's setting in the lock icon's page info dialog, or by clearing your browsing data.

chromium60 Features:43

1. CSS line-height-step property

The CSS line-height-step property provides an ability to round the heights of line boxes to the multiple of the specified length. This property allows authors to control vertical rhythm.

2. createElementNS() : Throw InvalidCharacterError instead of NamespaceError on validating a qualified name

createElementNS() should now throw only InvalidCharacterError, not NamespaceError.

Validating a qualified name should only throw InvalidCharacterError, not NamespaceError,

after:

https://github.com/whatwg/dom/issues/319

https://github.com/w3c/web-platform-tests/issues/5161

https://github.com/whatwg/dom/issues/423

Latest spec:

https://dom.spec.whatwg.org/#validate

3. rAF Aligned Mouse Events

Align continuous mouse events (mousemove, mousewheel) so that they occur close to requestAnimationFrame() as possible.

Historical events can be accessed via getCoalescedEvents (see https://w3c.github.io/pointerevents/extension.html#extensions-to-the-pointerevent-interface)

4. Android Payment Apps

Web payments is a W3C standard API for e-commerce websites to collect payment information from users with user consent. This feature lets users pay using native Android payment apps.

5. CSS font-display

Adds the @font-face descriptor and a corresponding property for controlling how a downloadable font renders before it is fully loaded.

6. CSS font-stretch

Add support the the CSS font-stretch property.

7. CSS4 :focus-within pseudo-class

The :focus-within pseudo-class applies to elements for which the :focus pseudo class applies.

An element also matches :focus-within if one of its descendants in the flat tree (including non-element nodes, such as text nodes) matches the conditions for matching :focus.

8. Client.type

The type read-only property of the Client interface indicates the type of client the service worker is controlling.

9. Constructor for DataTransfer

The new asynchronous clipboard API makes use of DataTransfer objects and has a need to be able to construct new ones. For example (with new clipboard api):

var data = new DataTransfer();

data.items.add("(°o°)/", "text/plain");

navigator.clipboard.write(data).then(function() {

console.log("Copied to clipboard successfully! ᕕ( ᐛ )ᕗ");

}, function() {

console.error("Unable to write to clipboard. (╯ಠ_ಠ)╯︵ ┻━┻");

});

10. Credential Management API - CredentialsContainer.create

This feature introduces the CredentialsContainer.create method to the Credential Management API. This method allows for asynchronous creation of Credential objects.

11. Document constructor

Support new Document() to create a Document instance.

12. Don't load tiny cross-origin plugin content

Remove tiny content exception for "Detect and run important plugin content" setting. This means that cross-origin plugin content that is 5x5 or smaller will not load under the default setting.

13. Drop SiteBoundCredential concept in favor of a CredentialUserData mixin in CM API

This change drops the SiteBoundCredential interface in

favor of a CredentialUserData mixin. This change was introduced in the

Credential Manager API specification with commit

a43865bd8aa9842dbc8d8e688d5668c087677eac

(https://github.com/w3c/webappsec-credential-management/commit/a43865bd8aa9842dbc8d8e688d5668c087677eac).

14. Expose passwords to JavaScript in Credential Management API

This change exposes passwords to JavaScript in the Credential Management API by providing the corresponding attribute on PasswordCredential. Furthermore it deprecates the previously existing PasswordCredential attributes and the custom fetch() credential infrastructure.

15. Feature Policy

Allow site authors to selectively enable and disable use of various browser features and APIs.

16. Fetch API: Request/Response.formData

Allows multipart/form-data and application/x-www-form-urlencoded fetch requests and responses to be consumed and parsed into FormData objects.

17. First Paint Timing API

API to enable developers to measure time for First Paint (FP) & First Contentful Paint (FCP) -- the first key moments in loading that they care about. These moments are added as 'paint' entries in the Performance Timing API.

18. InputEvent

InputEvent allows user input to be managed by script and help interactive with IME.

19. New VP9 codec string and Profile 2 support

VP9 is an open and royalty-free video codec that has been supported in Chromium since 2013. This update adds a new string format for describing the encoding properties, such as the profile, level, etc. Such properties are common in video codecs but are not exposed in the current VP9 string format. In addition, this update includes using the new format to advertise support for VP9 Profile 2. The string format is accepted by media-related APIs

20. Object rest/spread properties

This introduces rest properties for object destructuring assignment and spread properties for object literals.

21. PaymentDetailsInitId

Add a free-form identifier for payment request. This will be set using PaymentDetailsInit and reflected through PaymentRequest and PaymentResponse and to payment apps. If no identifier is specified a unique identifier will be created.

22. PaymentRequest.complete result "unknown"

Replace the PaymentRequest.complete enum value "" with the more descriptive "unknown".

23. Push API: support for ietf-webpush-encryption-08

Chrome currently supports encrypted push message payloads encrypted with the aesgcm content encoding (draft 03). A series of substantial changes were made to the encryption drafts, yielding a new content coding: aes128gcm (draft 08). We'll continue to accept aesgcm for received push messages as well.

24. PushManager.supportedContentEncodings

Static property containing the supported content encodings developers can use for encrypting push messages.

25. PushSubscription.expirationTime

Property indicating the time at which, if any, the subscription won't be valid anymore. The user agent will attempt to fire a pushsubscriptionchange event with a new subscription before this happens.

Chrome will always return NULL, until we support subscription refreshes.

26. Remove navigator.vibrate without user gesture

Calls to navigator.vibrate will immediately return 'false' if user hasn't tapped on the frame or any embedded frame yet. The Vibrate API is being abused by malicious sites. This extends what we do for cross-origin iframes to all frames including top-level page. See https://www.chromestatus.com/features/5682658461876224.

27. Rename requireUserMediation to preventSilentAccess in Credential Management API

This change renames CredentialsContainer.requireUserMediation to CredentialsContainer.preventSilentAccess in the Credential Management API.

28. Replace CredentialRequestOptions.unmediated flag with CredentialRequestOptions.mediation enum in Credential Management API

This feature introduces an CredentialMediationRequirement enum argument to the CredentialRequestOptions of CredentialsContainer.get() that is intended to replace the currently existing boolean flag CredentialRequestOptions.unmediated. The enum will have three states ("silent", "optional", "required") with "silent" and "optional" directly mapping to the existing boolean states, "required" is a novel option.

29. Support VP9 in ISO-BMFF

VP9 is an open and royalty free video coding format.

ISO-BMFF (MP4) is an industry standard container and is broadly accepted and used in the industry.

Chrome already supports the VP9 codec (currently only in WebM container) and the ISO-BMFF container. This enables them to be used together.

30. Support for collecting payer's name for PaymentRequest.

If the requestPayerName flag was set to true in the PaymentOptions passed to the PaymentRequest constructor, then UA should collect and return the payer's name as part of the payment request.

For example, this would be set to true to allow merchant to make a booking in the payer's name.

This option has been behind a flag on mobile since Chrome 55. On desktop, it's shipping in Chrome 60 with the rest of Payment Request API.

31. Web payment manifests

For every payment method, there must be a corresponding JSON manifest file describing how that method participates in the web payments ecosystem.

32. X-Frame-Options: SAMEORIGIN matches all ancestors.

Currently, XFO performs a same origin check only against the top-level frame in a document's ancestor chain. As lcamtuf notes in 1, "Any site that allows a rogue ad to be displayed in an IFRAME; or that frames third-party content for other reasons (e.g., iGoogle, Image Search results, Facebook gadgets), is effectively not protected)." We should check all ancestors instead.

33. getElementsByTagName accepts qualified names

getElementsByTagName() used to accept only local names. The DOM specification was updated to accept qualified names.

34. window.open() throws on an invalid URL parameter

Currently, we only log a message to the console. For consistency with other APIs, the WhatWG spec now requires that window.open throws a DOMException "SyntaxError" instead.

35. Remove Headers.prototype.getAll()

Headers.prototype.getAll() is removed from the Fetch API specification.

36. Remove IndexedDB: webkitGetDatabaseNames

The API asynchronously returns a list of existing database names in an origin, which seemed sensible enough.

The design is flawed, in that the results may be obsolete as soon as they are returned, so it can really only be used for logging, not serious application logic. Not implemented in other browsers. https://github.com/w3c/IndexedDB/issues/31 tracks/links to previous discussion on flaws and possible alternatives.

37. Remove WEBKIT_KEYFRAMES_RULE and WEBKIT_KEYFRAME_RULE

Remove non-standardize APIs from CSS Rule and Developer can use KEYFRAMES_RULE and KEYFRAME_RULE instead

38. Remove document.createEvent('WebKitTransitionEvent')

Remove non-standard 'WebKitTransitionEvent' support of document.createEvent().

39. Remove: Content initiated top frame navigations to data URLs

We intend to block web pages from loading data: URLs in the top frame using <A> tags, window.open, window.location and similar mechanisms.

Pseudo URLs such as data: are generally a source of confusion for users. Because of their unfamiliarity, these schemes are widely being used in spoofing and phishing attacks. Users browsing the web ideally should only ever end up on the two well known schemes (http and https).

Deprecated in M58

Removal in M60

40. Remove: NodeFilter.prototype

Correctly implement window.NodeFilter. It should not have .prototype, and NodeIterator.filter and TreeWalker.filter should not wrap JavaScript objects.

41. Remove: document.createEvent('WebKitAnimationEvent')

Remove non-standard 'WebKitAnimationEvent' support of document.createEvent().

42. Budget API

This specification describes an API that can be used to retrieve the amount of budget an origin has available for resource consuming background operations, as well as the cost associated with doing such an operation.

43. Require user gesture for beforeunload dialogs

The beforeunload dialog will only be shown if the frame attempting to display it has received a user gesture or user interaction (or if any embedded frame has received such a gesture). (There will be no change to the dispatch of the beforeunload event, just a change to whether the dialog is shown.)

chromium61 Features:32

1. Blocking resources whose URLs contain both \n and < characters.

As discussed in https://groups.google.com/a/chromium.org/d/msg/blink-dev/KaA_YNOlTPk/VmmoV88xBgAJ, some forms of dangling markup attacks rely upon injecting an unclosed attribute that sucks up portions of a page, and exfiltrates them to an external endpoint (e.g. <img src='https://evil.com/? eats the page until the next '). This is possible because the URL parser helpfully discards newline characters. It would be lovely if we could make the parser less helpful.

2. CSP: Embedded Enforcement

CSP's Embedded enforcement defines a mechanism by which a web page can embed a nested browsing context if and only if it agrees to enforce a particular set of restrictions upon itself. We should prototype an implementation to see if it's something that solves real problems in a way we can ship.

3. CSP: Hardened nonce content attribute.

We've seen some recent attacks on CSP which rely on the ability to exfiltrate nonce data via various mechanisms that can grab data from content attributes. CSS selectors are the best example.

To mitigate these attacks, we'll hide the attribute from these side-channels, and only expose the value to script.

4. CSSOM View smooth scroll API

Adds an optional argument to existing scroll APIs that specifies whether scrolling should be smooth. Also adds a CSS property for this.

5. Clear-Site-Data header

A 'Clear-Site-Data' HTTP header prompts the user agent to clear browsing data associated with the requesting website. The supported browsing data types are cookies, storage (i.e. "site data"), and cache.

This is a privacy and security enhancing feature. A sensitive website can trigger local data deletion after the user signs out. A website dealing with a persistent XSS attack can use this to 'reset' itself to a clean state.

6. DOMTokenList replace()

Add the replace() function to DOMTokenList interface. We can use it like element.classList.replace('inactive', 'active').

7. Expect-CT header

Expect-CT is an HTTP header that allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that Chrome check that any certificate for that site appears in public CT logs.

8. Geometry interfaces

This specification describes several geometry interfaces for the representation of points, rectangles, quadrilaterals and transformation matrices with the dimension of 3x2 and 4x4.

SVGPoint, SVGRect and SVGMatrix will be aliased to new interfaces. Their old methods will be maintained and some new methods are introduced.

In the near future, CSS transform will be updated so they can work directly with the new objects. This avoid parsing on the js side.

9. HTMLIFrameElement.allowpaymentrequest

Returns a Boolean indicating whether the Payment Request API may be invoked on a cross-origin iframe.

10. HTTP Client Hints: Device-Memory

Client header to expose the device Memory to web applications.

11. Interoperable body/documentElement scroll behavior

Update Blink to match the CSSOM View spec's behavior around element scrolling APIs for documentElement and body, i.e.: scrollTop, scrollLeft, scrollWidth, scrollHeight and Document.scrollingElement

12. Intervention: Passive Event Listener for type == "mousewheel" && target == window && function_name == "ssc_wheel"

The smoothscroll.js code is largely broken and is preventing us from shipping scroll top interop. With the scroll top interop behavior activated sites fail to scroll at all with the wheel event. This library was corrected a few years ago but the web continues to clone the broken version and we have been blocked in shipping this long implemented fix for interop.

Smooth scroll has been enabled in Chrome for a number of releases so using custom smooth scrolling is not necessary anymore.

13. JavaScript modules: <script type=module>

JavaScript modules allow a program to be divided into multiple sequences of statements and declarations. Each module explicitly identifies declarations it uses that need to be provided by other modules and which of its declarations are available for use by other modules.

<script type=module> allows loading of JavaScript modules inside web pages.

14. MediaStream Image Capture - getPhotoSettings() method

This chrome feature tracks adding the method getPhotoSettings() 1 to the currently landed ImageCapture object [2]. It's a trivial follow up to the MediaStream Image Capture API shipped in 59 [3].

1 https://w3c.github.io/mediacapture-image/#dom-imagecapture-getphotosettings

2\] https://cs.chromium.org/chromium/src/third_party/WebKit/Source/modules/imagecapture/ImageCapture.idl?q=imagecapture.idl\&sq=package:chromium\&dr \[3\] https://www.chromestatus.com/features/4843864737185792 15. MediaStreamTrack.getSettings() Returns the current settings of a MediaStreamTrack, including information such as (for video) width, height or framerate. 16. Network Information The Network Information API enables web applications to access the underlying connection information of the device. 17. PaymentRequest An API that allows browsers to act as an intermediary between the three key parties in a financial transaction: the merchant (e.g. an online web store), the buyer (e.g. the user buying from the online web store), and the Payment Method (e.g. credit card). Information necessary to process and confirm a transaction is passed between the Payment Method and the merchant via the browser with the buyer confirming and authorizing as necessary across the flow. 18. RTCCertificate.getFingerprints() RTCCertificate is supposed to have a getFingerprints() method. 19. Referrer policies 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin' The Referrer Policy specification includes three policy values that Chrome doesn't yet implement. * same-origin: Send full referrers same-origin, no referrers cross-origin. * strict-origin: Strip referrers to the origin, but strip them when downgrading from HTTPS to HTTP. * strict-origin-when-cross-origin: Send full referrers same-origin, and the origin when cross-origin, but strip referrers when downgrading from HTTPS to HTTP. 20. Resource Timing \& Navigation Timing: add nextHopProtocol property nextHopProtocol has been in the spec for RT \& NT but was not implemented in chrome yet. It is now landed and will ship in M61 21. Storage quota estimate() API navigator.storage.estimate() - returns a Promise which resolves with {usage, quota} values in bytes. 22. SyncManager interface exposed to all workers Historically the SyncManager interface was only exposed to the window and service workers. This feature exposes the interface to all workers. 23. URLSearchParams: sort() method Sorts all name-value pairs stored in a URLSearchParams. Proposed at https://github.com/whatwg/url/issues/26 to improve cache hit rate easily. 24. URLSearchParams: updated constructor URLSearchParams' constructor has been changed in https://github.com/whatwg/url/pull/175. It is now possible to create a new URLSearchParams by passing it any object (e.g. `new URLSearchParams({'foo': 'bar'})`). 25. Update colSpan max value to 1000 Update colSpan max value from 8190 to 1000 as per spec change. https://html.spec.whatwg.org/#dom-tdth-colspan https://html.spec.whatwg.org/#dom-col-span https://html.spec.whatwg.org/#dom-colgroup-span 26. WebUSB API The web platform API to support programming USB devices. 27. asm.js Validate asm.js code and use type information to optimize the low-level subset of JavaScript. 28. getAttributeNames() of Element interface getAttributeNames() is a function to rerun a list of attribute names of an element. 29. onwheel in GlobalEventHandlers Previously we had onwheel attributes as part of the Element. Now we are moving them to GlobalEventHandlers to make them consistent with the other on'event' attributes. 30. visualViewport API Exposes information about the visual viewport to the page. 31. Deprecate and remove Presentation API on insecure contexts In aligning with Blink's intention to remove powerful features on insecure origins, we plan to deprecate and remove support for the Presentation API on insecure contexts. PresentationRequest and PresentationReceiver where deprecated on insecure origins in Chrome 61. Removal is anticipated in Chrome 72 (February 2019). 32. JavaScript dialogs exit HTML5 fullscreen If a page shows a JavaScript dialog while it is in fullscreen (the HTML5 kind), it is exited from fullscreen. ### [chromium62 Features:28](https://chromestatus.com/features#milestone%3D62) 1. document.rootScroller Allow a non-document (or ``) element to hide URL bar, generate overscroll glow, etc. on scrolling, effects normally reserved for "viewport scrolling" only. 2. `` element `` element 3. `` element `` element 4. API for customizing HTMLMediaElement.seekable for Media Source live streams This API lets MediaSource apps more effectively customize the HTMLMediaElement.seekable range logic by providing (or removing) a single seekable range that is union'ed with the current buffered ranges to result in a single seekable range which fits both, when media duration is infinite. 5. Accept 8 (#RRGGBBAA) and 4 (#RGBA) value hex colors Update the CSS color parser to support 8/4-digit hex color. Legacy HTML attribute color parsing, per the "rules for parsing a legacy colour value" of the HTML micro syntax (http://bit.ly/1WF2Yre), will not be changed (see http://bit.ly/1UEDbiO), nor will the CSS hashless color quirk (https://quirks.spec.whatwg.org/#the-hashless-hex-color-quirk). 6. Accept-Language Headers Fix We want to fix an issue in how Chrome generates the Accept-Language HTTP headers from user language preferences. As websites sometimes only accept languages without region (i.e. "en" vs "en-AU"), a user could receive websites in an unexpected language. We plan to add the base language in the correct position so that users receive webpages in their preferred language. 7. Dispatch mouse transition events after layout Mouse events are not sent when the nodes under the mouse change during layout. This then represents an incorrect state in that the hover state of where the mouse actually doesn't match the current hover state of the document. To fix a variety of issues we will start dispatching mouse transitional events and update the hover state shortly after layout has been executed. This will match Firefox behavior. 8. Feature Policy: Fullscreen Allow developers to selectively enable and disable use of Fullscreen through the Feature-Policy HTTP header or the `