chromium Features 58-84
From https://chromestatus.com/features
chromium58 Features:41
- 'allow-top-navigation-by-user-activation' <iframe sandbox> keyword
Adds a new keyword named "allow-top-navigation-by-user-activation" for iframe sandbox, which requires a user activation (or gesture) being processed to trigger a top-level navigation. This change would enable more use cases of sandboxing untrusted third-party content (e.g., ads) by allowing top navigation while blocking malicious auto-redirecting, and thus help build a safer internet (e.g., a safer ads ecosystem in which all ads could be sandboxed to prevent malicious auto-redirecting).
- <abbr> and <acronym> have underline by default
<abbr> and <acronym> should have dotted underline by default according to the HTML standard.
- Allowing autoplay unmuted in WebAPK manifest scope
In WebAPK mode, frames that are within the WebAPK manifest scope will be allowed to autoplay media unmuted.
- ClipboardEvent Constructor
This entry tracks exposing ClipboardEvent constructor.
- Create Workers from data: URLs
HTML specifies that data: URLs can be used to create workers with opaque origins. We should support this as a first step towards defining a sandboxing mechanism for Workers (and parity with other browsers).
- EME: Make navigator.requestMediaKeySystemAccess() spec compliant
Require that one of 'audioCapabilities' and 'videoCapabilities' be specified in the configuration passed to navigator.requestMediaKeySystemAccess(), and require that the contentType strings used as part of the entries to 'audioCapabilities' and 'videoCapabilities' include the desired codec as part of the MIME type. This item covers two bugs though only one is listed under the status section: https://crbug.com/605661, https://crbug.com/616233
- INPUT element: selectionDirection, selectionStart, and selectionEnd attribute getters should not throw
For input types which don't support the text selection API, we used to throw InvalidStateError. The specification was changed so that null is returned in such cases.
- IndexedDB 2.0
IndexedDB 2.0 introduces a few APIs that optimize some database access patterns and improve programming ergonomics. Chrome will support the full standard by shipping the following features:
support for binary keys, object store and index renaming, getKey() on IDBObjectStore, getPrimaryKey() on IDBIndex.
- Intervention: Offline Previews
When users are on slow connections, Chrome will show an offline copy of a page if there is an offline version of the page available on the user's device. Users will be shown a lite mode UI in the omnibox.
If Chrome determines the network has 2G speeds and there's an offline page stored, Chrome shows the offline page. Chrome's offline pages are based on MHTML snapshots. An intervention report is sent when this optimization occurs.
- Long Task API
A performance API to enable applications to detect presence of "long tasks" that monopolize the UI thread for extended periods of time and block other critical tasks from being executed - e.g. reacting to user input.
- Mouse on Android stops firing TouchEvents
A mouse on an Android M (or later) device:
(a) will no longer fire TouchEvents, and
(b) will fire a consistent sequence of MouseEvents with appropriate buttons & other properties.
Before this change, low-level mouse events in Android reached Blink as touch events, and hence fired a touch event and then a compat mouse event if the touch event went uncanceled.
- Native media controls customization
We propose extending the "controls" attribute of the HTMLMediaElement so that the website could enable/disable certain media controls without having to implement all the controls on its own. A "controlsList" property will be added reflecting the current value of "controls" similar to the "class" and "classList" on HTMLElement.
- Pause autoplaying muted video by attribute when invisible (Android)
As a muted video with the autoplay attribute only starts playing when it becomes visible, it's reasonable to pause it when invisible to reduce power usage.
- PointerEvent.getCoalescedEvents
An API to return all the coalesced events of the received events in JavaScript. This API enables apps such as drawing apps to draw smoother curves using the precise history of points.
- RTCPeerConnection.getStats
This is a spec-compliant version of RTCPeerConnection.getStats returning a promise resolved with RTCStatsReport, a maplike containing RTCStats dictionaries.
Stats are being implemented according to the spec in a continuous effort for coverage to become good enough that the old getStats method can be deprecated.
The old getStats (taking a callback as argument) is very different from the spec and riddled with goog-prefixed things.
- RTCPeerConnection.setConfiguration
Implement setConfiguration according to WebRTC 1.0 and JSEP. This API allows an application to change the set of ICE servers, ICE candidate policy, and ICE candidate pool size without creating a new RTCPeerConnection.
- Selection API: addRange() ignores additional Ranges
In a case where document already has text selection and Selection.addRange() is called, Blink merges the Range and the existing text selection into one if they have overlap, and does nothing otherwise.
We'll change it so that Blink always ignores the Range. This matches Edge.
- Selection API: getRangeAt() returns a Range registered by addRange()
Blink had a bug where getRangeAt() always returned a new Range with position normalization. This didn't match Edge, Firefox, or the Selection API specification.
- Selection API: removeRange() function
Selection interface should support removeRange() function to remove the specified Range.
- Selection API: setBaseAndExtent() throws IndexSizeError for too large offsets
setBaseAndExtent() silently clamped offset values that were too large. IndexSizeError should be thrown for such values to match Firefox, Edge, and the specification.
- Selection API: setBaseAndExtent(), extend(), and collapse() throw InvalidNodeTypeError for DOCTYPE
These functions silently normalized the specified position with DOCTYPE. However, they should throw InvalidNodeTypeError to match Edge, Firefox, and the specification.
- Ship PointerEvent.tangentialPressure and PointerEvent.twist
Adding support of tangentialPressure and twist attributes in the pointer events API on Mac. They are supported by some stylus devices and are already used in numerous painting apps.
- Strict Secure Cookies
This adds restrictions on cookies marked with the 'Secure' attribute. Currently, Secure cookies cannot be accessed by insecure (e.g. HTTP) origins. However, insecure origins can still add Secure cookies, delete them, or indirectly evict them. This feature modifies the cookie jar so that insecure origins cannot in any way touch Secure cookies. This does leave a carve out for cookie eviction, which still may cause the deletion of Secure cookies, but only after all non-Secure cookies are evicted.
- Trailing comma in JavaScript function parameter lists
A small modification to JavaScript syntax allows trailing comma in formal parameter lists and in argument lists. For example, all the following become valid:
function f(a, b,) { return a + b }
let g = (a, b,) => a + b
f(1, 2,) + g(3, 4,)
This is expected to be available by default in Chrome 58.
- Unprefix CSS 'line-break' property
The CSS 'line-break' property specifies the strictness of line-breaking rules. The exact definition of the strictness depends on languages.
Our implementation relies on ICU (see doc link) which supports East Asian writing systems and Finnish.
- WebAudio: Add buffering/latency hint via latencyHint
Currently, WebAudio will use the lowest latency possible for the audio device for the best interactive behavior. However, for some use-cases such as media playback, this causes unnecessary power and/or CPU utilization.
The latencyHint is a hint from the developer that such a latency is not required. The latencyHint is either an AudioContextLatencyCategory value or a double specifying the desired numeric latency. This is a hint to Chrome.
- WebAudio: AudioBuffer constructor only takes one argument
Currently the AudioBuffer constructor takes two arguments: the context, and the AudioBufferOptions. The context argument is removed so that only AudioBufferOptions is required. In addition the sampleRate member of AudioBufferOptions is now required.
- XSS Auditor violation report MIME type.
The XSS Auditor's violation reports are now sent with a MIME type of application/xss-auditor-report (as opposed to application/json).
- color-gamut media query
Expose the approximate range of colors supported by the user agent and the output device in a CSS Media Query.
- display: flow-root
display: flow-root generates a block container box, and lays out its contents using flow layout. It always establishes a new block formatting context for its contents.
- CSS class name: Apple-interchange-newline, Apple-converted-space, Apple-paste-as-quotation, Apple-style-span, and Apple-tab-span
These non-standard CSS classes are used to differentiate the span elements added by Blink itself in editing.
- Remove "reset" and "document" as valid zoom values
There are two special values for the CSS zoom property that are inconsistently documented: "reset" and "document".
They set the element's zoom to 1.0 regardless of parent element zoom status and prevent page zoom from affecting the element's size.
We're removing them.
- Deprecate and Remove case-insensitive matching for usemap attribute
"Compatibility caseless" had been applied to usemap attribute matching. The specification was updated so that case-sensitive matching is applied. https://github.com/whatwg/html/commit/6acdb2122298d2bb7bb839c0a61b4e1f9b0f9bc9 A deprecation warning is printed to the console starting in Chrome 57.
- Deprecate and Remove: setting Event.cancelBubble to false
According to https://github.com/whatwg/dom/issues/211, setting cancelBubble to true is considered as an alias to stopPropagation(), and the spec indicates setting cancelBubble to false should do nothing.
- Legacy caller for HTMLEmbedElement and HTMLObjectElement
That an interface has a legacy caller means that an instance can be called as a function. This used to be the case for HTMLEmbedElement and HTMLObjectElement but is being removed. Calling will instead throw an exception. This was deprecated in Chrome 57.
- Remove EME from Unsecure Contexts
Per https://w3c.github.io/webappsec-secure-contexts/, we are deprecating and then removing EME from insecure contexts. EME is a powerful feature that exposes DRM implementations that involve access to persistent unique identifiers, are not open source, and/or run unsandboxed or with privileged access. The risks are increased when exposed via insecure HTTP, because they could be attacked by anyone on the channel. This was deprecated in Chrome 44.
- Remove pre-standard ChaCha20-Poly1305 ciphers
In 2013, Chrome 31 deployed new TLS cipher suites based on Prof. Dan Bernstein's ChaCha20 and Poly1305 algorithms. This was later standardized, with small tweaks, at the IETF as RFC 7539 and RFC 7905. We shipped the standardized variant early in 2016 with Chrome 49. We are now removing the pre-standard variants.
- Support for commonName matching in Certificates
RFC 2818 describes two methods to match a domain name against a certificate - using the available names within the subjectAlternativeName extension, or, in the absence of a SAN extension, falling back to the commonName.
The fallback to the commonName was deprecated in RFC 2818 (published in 2000), but support still remains in a number of TLS clients, often incorrectly.
- VTTRegion-related bits of TextTrack
The interface elements regions, addRegion() and removeRegion() have been removed from the WebVTT spec and will be removed from Chrome. The VTTCue.region property was added and the VTTRegion interface was updated to match a late version of the specification.
- WebAudio: Remove AudioSourceNode interface
Remove the AudioSourceNode interface. This interface is not part of the WebAudio specification, is not constructible, and has no attributes so it basically has no user-accessible functionality.
- webkitdropzone global attribute
The dropzone global attribute was introduced by the HTML5 drag and drop specification as a declarative method for specifying an HTML element's willingness to be the target of a drag-and-drop operation, the content types that can be dropped onto the element, and the drag-and-drop operation (copy/move/link).
No browser has implemented the unprefixed version. Blink and WebKit implement a prefixed form of the attribute, webkitdropzone. We would like to remove the prefixed attribute.
chromium59 Features:33
- Animated PNG
Support for animated PNG images
- CSP hash expressions can match external scripts.
CSP3 allows hash expressions to match external scripts, by relying on SRI as underlying infrastructure. That is, given Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba', <script integrity="sha256-abc123" ...></script> will be allowed.
- CSP3: The 'worker-src' directive
The 'worker-src' directive restricts the URLs which may be loaded as a Worker, SharedWorker, or ServiceWorker. It falls back to 'child-src' (which, in turn, falls back to 'default-src').
- CSP: report-sample property in violation reports
The report-sample property attempts to reach consensus on an opt-in variant of Firefox's behavior. In short, we'll collect a 40-character sample for inline script and style violations, and include it in the violation report (and associated SecurityPolicyViolationEvent object) iff a 'report-sample' expression is present in the violated directive.
- CSS Box Alignment shorthands
Shorthand properties to control the alignment behavior along block and inline axes in a single declaration.
- DIALOG element has display:block style by default
The default display style of a DIALOG element is changed from inline to block.
- DeviceOrientationEvent and DeviceMotionEvent constructors
The DeviceOrientationEvent and DeviceMotionEvent constructors are defined by the DeviceOrientation Event Specification but were not implemented in Chrome. Firefox has already shipped these constructors as specified.
- Fetch API: Request#url includes the URL fragment
Request#url now includes the URL fragment, as per the spec. Before Chrome 59, the fragment was stripped out.
This means service workers can see the URL fragment in the 'fetch' event handler.
- Headless mode
Headless mode allows running Chromium in a headless/server environment. Expected use cases include loading web pages, extracting metadata (e.g., the DOM) and generating bitmaps from page contents -- using all the modern web platform features provided by Chromium and Blink.
To use headless, start Chrome with a command line flag:
$ chrome --headless --remote-debugging-port=9222 https://chromium.org
- MediaError.message
The MediaError.message DOMString field provides, if available, any additional vendor-specific error message detail to assist web authors debugging media player errors. The format and content of the string is left to vendors, though it's commonly in the form of a vendor-specific error code followed optionally by a ":" and further detail about the error. It is populated at the time of MediaError creation.
- MediaStream Image Capture
Enable taking pictures from an Image/Video Capture Device.
- Navigation preload for service workers
An API that enables the browser to send "preload" network requests for navigations before executing the fetch event handler in the service worker that intercepts the target URL. The worker has access to the preload response inside the fetch event handler. Common use cases would be to respond with the preload response directly, or use it to populate the response.
- Partial RTCRtpReceiver and RTCRtpContributingSource support
The parts of the RTC Media API (https://w3c.github.io/webrtc-pc/#rtp-media-api) that allow keeping track of contributing sources for receiving tracks. RTCPeerConnection extension: getReceivers(). RTCRtpSender support: track, getContributingSources(). RTCRtpContributingSource support: timestamp, source.
Feature for the rest of the API:
https://www.chromestatus.com/feature/5347809238712320
- Presentation API: Receiver API
This is implementing the receiving side of the API in order to allow a web page to be presented and interact with the presenting web page. This is also called 1-UA mode because that mode would allow the browser to render both presenting and receiving pages locally.
- RTCConfiguration.iceCandidatePoolSize
Normally, ICE candidates are only gathered after RTCPeerConnection.setLocalDescription is called, because this is the point at which the PeerConnection knows how many ports it needs. The iceCandidatePoolSize member of RTCConfiguration instructs the PeerConnection to gather ICE candidates before this occurs, as a performance optimization. Thus, if setting the local description is delayed (by signaling, for example), interactions with STUN/TURN servers can occur in parallel.
- RTCPeerConnection.onicegatheringstatechange
This feature adds the icegatheringstatechange event and the onicegatheringstatechange event handler to RTCPeerConnection.
- Referrer Policy Header for CSS
Add the ability for CSS stylesheets to specify their own referrer policy via the HTTP header.
- Response.redirected and a new security restriction
- Add .redirected attribute to Response class of Fetch API. Web developers can check it to avoid untrustworthy responses.
- To avoid the risk of open redirectors (https://cwe.mitre.org/data/definitions/601.html), introduce a new security restriction which disallows service workers from responding to requests with a redirect mode different from "follow".
- Screen.colorDepth and Screen.pixelDepth can return other value than 24
The Screen object is no longer required to return 24 for colorDepth and pixelDepth. It enables websites to have a better idea of the number of bits being used to display a color on the screen.
- Streams API: Piping
ReadableStream's pipeTo() is the standard way to compose readable and writable streams. It reads data from the ReadableStream and writes it to a WritableStream while respecting backpressure.
pipeThrough() is a simple wrapper around pipeTo() that provides elegant syntax for chaining multiple streams.
- Streams API: WritableStream
WritableStream is part of the Streams API for creating, composing, and consuming streams of data. It is the writable counterpart to ReadableStream, which is already shipping in Chrome. It provides a standard abstraction for writing streaming data to a sink, with built-in backpressure and queuing. This is expected to be on by default in Chrome 59.
- WebAudio: decodeAudioData detaches ArrayBuffer
According to the spec, decodeAudioData detaches the given ArrayBuffer before decoding. This means that the ArrayBuffer no longer has any contents and can't be reused or examined.
If it's important to keep the data, use ArrayBuffer.slice(0) to make a copy for decodeAudioData.
- rAF Aligned Touch Input
Align touchmove events so that they occur as close to requestAnimationFrame() as possible.
- self.origin
self.origin returns the Unicode serialization of the origin of the settings object of the global represented by "self" (a Window or WorkerGlobalScope). This gives scripts a consistent way of getting their origin in both situations. Note that unlike location.origin this represents the actual origin of the global, not the origin of the URL it's loaded from. The difference can be substantial in the case of sandboxing, for example.
- Deprecate and Disable SDCH
SDCH is a shared dictionary compression mechanism developed by Google but not standardized. Its use in Chrome is being discontinued.
Intent to deprecate thread: https://groups.google.com/a/chromium.org/forum/#!searchin/blink-dev/SDCH|sort:relevance/blink-dev/nQl0ORHy7sw/HNpR96sqAgAJ
- Deprecate SVGTests.requiredFeatures attribute
In SVG2, hasFeature always returns true, so the requiredFeatures attribute does not do anything useful.
It has been removed from the spec:
https://github.com/w3c/svgwg/commit/9a30d01f6410dc516c5f874d71e957230a3448cd
This was deprecated in Chrome 54/Opera 41.
- Deprecate and remove -internal-media-controls-cast-button
-internal-media-controls-cast-button selector exposes Blink internal shadow DOM to the web content. Authors that want to have a custom cast button should use custom controls and implement a cast button with the Remote Playback API.
- Deprecate and remove -internal-media-controls-text-track-list*
-internal-media-controls-text-track-list* selectors expose Blink internal shadow DOM to the web content. Authors that want to have a custom text track picking interface should use custom controls.
- Drop support for embedded credentials in subresource requests.
We should block requests for subresources that contain embedded credentials (e.g. "http://ima_user:hunter2@example.com/yay.tiff"). Such resources would be handled as network errors.
- Drop support for subresources with legacy protocols.
We should block requests from HTTP/HTTPS documents that target "legacy" schemes (e.g. "ftp://my-awesome-ftp-server.com/yay.tiff"). That is, the ftp:// image referenced in https://jsbin.com/petonig/edit?html,output would not load, as the document itself is not served from ftp://.
- Remove "on-demand" value for hover/any-hover media queries.
Remove support for the "hover: on-demand" and "any-hover: on-demand" media queries. The "on-demand" value used to match pointing devices that, for example, "can't normally hover, but will activate hover on a long press".
The "on-demand" value for hover/any-hover media queries has been removed from the spec in early 2016.
- Remove FileReaderSync from service workers
The Service Worker spec has always had the (non-normative) note that "any type of synchronous requests must not be initiated inside of a service worker", to avoid blocking the service worker (as blocking the service worker would block all network requests from controlled pages). However synchronous APIs such as FileReaderSync were still available in service workers. So we'd like to fix that by removing this API from service workers. This was deprecated in Chrome 57.
- Temporarily stop permission requests after 3 dismissals
Temporarily stop an origin from requesting a permission following the third dismissal of a permission prompt. The stop will be lifted after some amount of time has passed (initially 1 week), after which the origin may request the permission again. A further dismissal will apply the temporary stop again.
For web developers who are testing features, the block can also be removed by changing the permission's setting in the lock icon's page info dialog, or by clearing your browsing data.
chromium60 Features:43
- CSS line-height-step property
The CSS line-height-step property provides an ability to round the heights of line boxes to the multiple of the specified length. This property allows authors to control vertical rhythm.
- createElementNS(): Throw InvalidCharacterError instead of NamespaceError on validating a qualified name
createElementNS() should now throw only InvalidCharacterError, not NamespaceError.
Validating a qualified name should only throw InvalidCharacterError, not NamespaceError,
after:
https://github.com/whatwg/dom/issues/319
https://github.com/w3c/web-platform-tests/issues/5161
https://github.com/whatwg/dom/issues/423
Latest spec:
https://dom.spec.whatwg.org/#validate
- rAF Aligned Mouse Events
Align continuous mouse events (mousemove, mousewheel) so that they occur as close to requestAnimationFrame() as possible.
Historical events can be accessed via getCoalescedEvents (see https://w3c.github.io/pointerevents/extension.html#extensions-to-the-pointerevent-interface)
- Android Payment Apps
Web payments is a W3C standard API for e-commerce websites to collect payment information from users with user consent. This feature lets users pay using native Android payment apps.
- CSS font-display
Adds the @font-face descriptor and a corresponding property for controlling how a downloadable font renders before it is fully loaded.
- CSS font-stretch
Add support for the CSS font-stretch property.
- CSS4 :focus-within pseudo-class
The :focus-within pseudo-class applies to elements for which the :focus pseudo class applies.
An element also matches :focus-within if one of its descendants in the flat tree (including non-element nodes, such as text nodes) matches the conditions for matching :focus.
- Client.type
The type read-only property of the Client interface indicates the type of client the service worker is controlling.
- Constructor for DataTransfer
The new asynchronous clipboard API makes use of DataTransfer objects and has a need to be able to construct new ones. For example (with new clipboard api):
var data = new DataTransfer();
data.items.add("(°o°)/", "text/plain");
navigator.clipboard.write(data).then(function() {
console.log("Copied to clipboard successfully! ᕕ( ᐛ )ᕗ");
}, function() {
console.error("Unable to write to clipboard. (╯ಠ_ಠ)╯︵ ┻━┻");
});
- Credential Management API - CredentialsContainer.create
This feature introduces the CredentialsContainer.create method to the Credential Management API. This method allows for asynchronous creation of Credential objects.
- Document constructor
Support new Document() to create a Document instance.
- Don't load tiny cross-origin plugin content
Remove tiny content exception for "Detect and run important plugin content" setting. This means that cross-origin plugin content that is 5x5 or smaller will not load under the default setting.
- Drop SiteBoundCredential concept in favor of a CredentialUserData mixin in CM API
This change drops the SiteBoundCredential interface in favor of a CredentialUserData mixin. This change was introduced in the Credential Manager API specification with commit a43865bd8aa9842dbc8d8e688d5668c087677eac.
- Expose passwords to JavaScript in Credential Management API
This change exposes passwords to JavaScript in the Credential Management API by providing the corresponding attribute on PasswordCredential. Furthermore it deprecates the previously existing PasswordCredential attributes and the custom fetch() credential infrastructure.
- Feature Policy
Allow site authors to selectively enable and disable use of various browser features and APIs.
- Fetch API: Request/Response.formData
Allows multipart/form-data and application/x-www-form-urlencoded fetch requests and responses to be consumed and parsed into FormData objects.
- First Paint Timing API
API to enable developers to measure time for First Paint (FP) & First Contentful Paint (FCP) -- the first key moments in loading that they care about. These moments are added as 'paint' entries in the Performance Timing API.
- InputEvent
InputEvent allows user input to be managed by script and helps interaction with IMEs.
- New VP9 codec string and Profile 2 support
VP9 is an open and royalty-free video codec that has been supported in Chromium since 2013. This update adds a new string format for describing the encoding properties, such as the profile, level, etc. Such properties are common in video codecs but are not exposed in the current VP9 string format. In addition, this update includes using the new format to advertise support for VP9 Profile 2. The string format is accepted by media-related APIs
- Object rest/spread properties
This introduces rest properties for object destructuring assignment and spread properties for object literals.
- PaymentDetailsInitId
Add a free-form identifier for payment request. This will be set using PaymentDetailsInit and reflected through PaymentRequest and PaymentResponse and to payment apps. If no identifier is specified a unique identifier will be created.
- PaymentRequest.complete result "unknown"
Replace the PaymentRequest.complete enum value "" with the more descriptive "unknown".
- Push API: support for ietf-webpush-encryption-08
Chrome currently supports encrypted push message payloads encrypted with the aesgcm content encoding (draft 03). A series of substantial changes were made to the encryption drafts, yielding a new content coding: aes128gcm (draft 08). We'll continue to accept aesgcm for received push messages as well.
- PushManager.supportedContentEncodings
Static property containing the supported content encodings developers can use for encrypting push messages.
- PushSubscription.expirationTime
Property indicating the time at which, if any, the subscription won't be valid anymore. The user agent will attempt to fire a pushsubscriptionchange event with a new subscription before this happens.
Chrome will always return NULL, until we support subscription refreshes.
- Remove navigator.vibrate without user gesture
Calls to navigator.vibrate will immediately return 'false' if the user hasn't tapped on the frame or any embedded frame yet. The Vibrate API is being abused by malicious sites. This extends what we do for cross-origin iframes to all frames, including the top-level page. See https://www.chromestatus.com/features/5682658461876224.
- Rename requireUserMediation to preventSilentAccess in Credential Management API
This change renames CredentialsContainer.requireUserMediation to CredentialsContainer.preventSilentAccess in the Credential Management API.
- Replace CredentialRequestOptions.unmediated flag with CredentialRequestOptions.mediation enum in Credential Management API
This feature introduces a CredentialMediationRequirement enum argument to the CredentialRequestOptions of CredentialsContainer.get() that is intended to replace the currently existing boolean flag CredentialRequestOptions.unmediated. The enum will have three states ("silent", "optional", "required"), with "silent" and "optional" directly mapping to the existing boolean states; "required" is a novel option.
- Support VP9 in ISO-BMFF
VP9 is an open and royalty free video coding format.
ISO-BMFF (MP4) is an industry standard container and is broadly accepted and used in the industry.
Chrome already supports the VP9 codec (currently only in WebM container) and the ISO-BMFF container. This enables them to be used together.
- Support for collecting payer's name for PaymentRequest.
If the requestPayerName flag was set to true in the PaymentOptions passed to the PaymentRequest constructor, then UA should collect and return the payer's name as part of the payment request.
For example, this would be set to true to allow a merchant to make a booking in the payer's name.
This option has been behind a flag on mobile since Chrome 55. On desktop, it's shipping in Chrome 60 with the rest of Payment Request API.
- Web payment manifests
For every payment method, there must be a corresponding JSON manifest file describing how that method participates in the web payments ecosystem.
- X-Frame-Options: SAMEORIGIN matches all ancestors.
Currently, XFO performs a same origin check only against the top-level frame in a document's ancestor chain. As lcamtuf notes in 1, "Any site that allows a rogue ad to be displayed in an IFRAME; or that frames third-party content for other reasons (e.g., iGoogle, Image Search results, Facebook gadgets), is effectively not protected." We should check all ancestors instead.
- getElementsByTagName accepts qualified names
getElementsByTagName() used to accept only local names. The DOM specification was updated to accept qualified names.
- window.open() throws on an invalid URL parameter
Currently, we only log a message to the console. For consistency with other APIs, the WhatWG spec now requires that window.open throws a DOMException "SyntaxError" instead.
- Remove Headers.prototype.getAll()
Headers.prototype.getAll() is removed from the Fetch API specification.
- Remove IndexedDB: webkitGetDatabaseNames
The API asynchronously returns a list of existing database names in an origin, which seemed sensible enough.
The design is flawed, in that the results may be obsolete as soon as they are returned, so it can really only be used for logging, not serious application logic. Not implemented in other browsers. https://github.com/w3c/IndexedDB/issues/31 tracks/links to previous discussion on flaws and possible alternatives.
- Remove WEBKIT_KEYFRAMES_RULE and WEBKIT_KEYFRAME_RULE
Remove the non-standard APIs from CSS Rule; developers can use KEYFRAMES_RULE and KEYFRAME_RULE instead.
- Remove document.createEvent('WebKitTransitionEvent')
Remove non-standard 'WebKitTransitionEvent' support of document.createEvent().
- Remove: Content initiated top frame navigations to data URLs
We intend to block web pages from loading data: URLs in the top frame using <A> tags, window.open, window.location and similar mechanisms.
Pseudo URLs such as data: are generally a source of confusion for users. Because of their unfamiliarity, these schemes are widely being used in spoofing and phishing attacks. Users browsing the web ideally should only ever end up on the two well known schemes (http and https).
Deprecated in M58
Removal in M60
- Remove: NodeFilter.prototype
Correctly implement window.NodeFilter. It should not have .prototype, and NodeIterator.filter and TreeWalker.filter should not wrap JavaScript objects.
- Remove: document.createEvent('WebKitAnimationEvent')
Remove non-standard 'WebKitAnimationEvent' support of document.createEvent().
- Budget API
This specification describes an API that can be used to retrieve the amount of budget an origin has available for resource consuming background operations, as well as the cost associated with doing such an operation.
- Require user gesture for beforeunload dialogs
The beforeunload dialog will only be shown if the frame attempting to display it has received a user gesture or user interaction (or if any embedded frame has received such a gesture). (There will be no change to the dispatch of the beforeunload event, just a change to whether the dialog is shown.)
chromium61 Features:32
- Blocking resources whose URLs contain both \n and < characters.
As discussed in https://groups.google.com/a/chromium.org/d/msg/blink-dev/KaA_YNOlTPk/VmmoV88xBgAJ, some forms of dangling markup attacks rely upon injecting an unclosed attribute that sucks up portions of a page, and exfiltrates them to an external endpoint (e.g. <img src='https://evil.com/? eats the page until the next '). This is possible because the URL parser helpfully discards newline characters. It would be lovely if we could make the parser less helpful.
- CSP: Embedded Enforcement
CSP's Embedded enforcement defines a mechanism by which a web page can embed a nested browsing context if and only if it agrees to enforce a particular set of restrictions upon itself. We should prototype an implementation to see if it's something that solves real problems in a way we can ship.
- CSP: Hardened nonce content attribute.
We've seen some recent attacks on CSP which rely on the ability to exfiltrate nonce data via various mechanisms that can grab data from content attributes. CSS selectors are the best example.
To mitigate these attacks, we'll hide the attribute from these side-channels, and only expose the value to script.
- CSSOM View smooth scroll API
Adds an optional argument to existing scroll APIs that specifies whether scrolling should be smooth. Also adds a CSS property for this.
- Clear-Site-Data header
A 'Clear-Site-Data' HTTP header prompts the user agent to clear browsing data associated with the requesting website. The supported browsing data types are cookies, storage (i.e. "site data"), and cache.
This is a privacy and security enhancing feature. A sensitive website can trigger local data deletion after the user signs out. A website dealing with a persistent XSS attack can use this to 'reset' itself to a clean state.
- DOMTokenList replace()
Add the replace() function to DOMTokenList interface. We can use it like element.classList.replace('inactive', 'active').
- Expect-CT header
Expect-CT is an HTTP header that allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that Chrome check that any certificate for that site appears in public CT logs.
- Geometry interfaces
This specification describes several geometry interfaces for the representation of points, rectangles, quadrilaterals and transformation matrices with the dimension of 3x2 and 4x4.
SVGPoint, SVGRect and SVGMatrix will be aliased to new interfaces. Their old methods will be maintained and some new methods are introduced.
In the near future, CSS transform will be updated so that it can work directly with the new objects. This avoids parsing on the JS side.
- HTMLIFrameElement.allowpaymentrequest
Returns a Boolean indicating whether the Payment Request API may be invoked on a cross-origin iframe.
- HTTP Client Hints: Device-Memory
Client header to expose the device Memory to web applications.
- Interoperable body/documentElement scroll behavior
Update Blink to match the CSSOM View spec's behavior around element scrolling APIs for documentElement and body, i.e.: scrollTop, scrollLeft, scrollWidth, scrollHeight and Document.scrollingElement
- Intervention: Passive Event Listener for type == "mousewheel" && target == window && function_name == "ssc_wheel"
The smoothscroll.js code is largely broken and is preventing us from shipping scroll top interop. With the scroll top interop behavior activated sites fail to scroll at all with the wheel event. This library was corrected a few years ago but the web continues to clone the broken version and we have been blocked in shipping this long implemented fix for interop.
Smooth scroll has been enabled in Chrome for a number of releases so using custom smooth scrolling is not necessary anymore.
- JavaScript modules: <script type=module>
JavaScript modules allow a program to be divided into multiple sequences of statements and declarations. Each module explicitly identifies declarations it uses that need to be provided by other modules and which of its declarations are available for use by other modules.
<script type=module> allows loading of JavaScript modules inside web pages.
- MediaStream Image Capture - getPhotoSettings() method
This chrome feature tracks adding the method getPhotoSettings() [1] to the currently landed ImageCapture object [2]. It's a trivial follow up to the MediaStream Image Capture API shipped in 59 [3].
[1] https://w3c.github.io/mediacapture-image/#dom-imagecapture-getphotosettings
[3] https://www.chromestatus.com/features/4843864737185792
- MediaStreamTrack.getSettings()
Returns the current settings of a MediaStreamTrack, including information such as (for video) width, height or framerate.
- Network Information
The Network Information API enables web applications to access the underlying connection information of the device.
- PaymentRequest
An API that allows browsers to act as an intermediary between the three key parties in a financial transaction: the merchant (e.g. an online web store), the buyer (e.g. the user buying from the online web store), and the Payment Method (e.g. credit card). Information necessary to process and confirm a transaction is passed between the Payment Method and the merchant via the browser with the buyer confirming and authorizing as necessary across the flow.
- RTCCertificate.getFingerprints()
RTCCertificate is supposed to have a getFingerprints() method.
- Referrer policies 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'
The Referrer Policy specification includes three policy values that Chrome doesn't yet implement.
  - same-origin: Send full referrers same-origin, no referrers cross-origin.
  - strict-origin: Strip referrers to the origin, but strip them when downgrading from HTTPS to HTTP.
  - strict-origin-when-cross-origin: Send full referrers same-origin, and the origin when cross-origin, but strip referrers when downgrading from HTTPS to HTTP.
- Resource Timing & Navigation Timing: add nextHopProtocol property
nextHopProtocol has been in the spec for RT & NT but was not yet implemented in Chrome.
It has now landed and will ship in M61.
- Storage quota estimate() API
navigator.storage.estimate() - returns a Promise which resolves with {usage, quota} values in bytes.
- SyncManager interface exposed to all workers
Historically the SyncManager interface was only exposed to the window and service workers. This feature exposes the interface to all workers.
- URLSearchParams: sort() method
Sorts all name-value pairs stored in a URLSearchParams. Proposed at https://github.com/whatwg/url/issues/26 to improve cache hit rate easily.
- URLSearchParams: updated constructor
URLSearchParams' constructor has been changed in https://github.com/whatwg/url/pull/175. It is now possible to create a new URLSearchParams by passing it any object (e.g. new URLSearchParams({'foo': 'bar'})).
- Update colSpan max value to 1000
Update colSpan max value from 8190 to 1000 as per spec change.
https://html.spec.whatwg.org/#dom-tdth-colspan
https://html.spec.whatwg.org/#dom-col-span
https://html.spec.whatwg.org/#dom-colgroup-span
- WebUSB API
The web platform API to support programming USB devices.
- asm.js
Validate asm.js code and use type information to optimize the low-level subset of JavaScript.
- getAttributeNames() of Element interface
getAttributeNames() is a function to return a list of attribute names of an element.
- onwheel in GlobalEventHandlers
Previously we had onwheel attributes as part of the Element. Now we are moving them to GlobalEventHandlers to make them consistent with the other on'event' attributes.
- visualViewport API
Exposes information about the visual viewport to the page.
- Deprecate and remove Presentation API on insecure contexts
In aligning with Blink's intention to remove powerful features on insecure origins, we plan to deprecate and remove support for the Presentation API on insecure contexts. PresentationRequest and PresentationReceiver were deprecated on insecure origins in Chrome 61. Removal is anticipated in Chrome 72 (February 2019).
- JavaScript dialogs exit HTML5 fullscreen
If a page shows a JavaScript dialog while it is in fullscreen (the HTML5 kind), it is exited from fullscreen.
chromium62 Features:28
- document.rootScroller
Allow a non-document (or <body>) element to hide URL bar, generate overscroll glow, etc. on scrolling, effects normally reserved for "viewport scrolling" only.
- <data> element
<data> element
- <time> element
<time> element
- API for customizing HTMLMediaElement.seekable for Media Source live streams
This API lets MediaSource apps more effectively customize the HTMLMediaElement.seekable range logic by providing (or removing) a single seekable range that is union'ed with the current buffered ranges to result in a single seekable range which fits both, when media duration is infinite.
- Accept 8 (#RRGGBBAA) and 4 (#RGBA) value hex colors
Update the CSS color parser to support 8/4-digit hex color. Legacy HTML attribute color parsing, per the "rules for parsing a legacy colour value" of the HTML micro syntax (http://bit.ly/1WF2Yre), will not be changed (see http://bit.ly/1UEDbiO), nor will the CSS hashless color quirk (https://quirks.spec.whatwg.org/#the-hashless-hex-color-quirk).
- Accept-Language Headers Fix
We want to fix an issue in how Chrome generates the Accept-Language HTTP headers from user language preferences. As websites sometimes only accept languages without region (i.e. "en" vs "en-AU"), a user could receive websites in an unexpected language. We plan to add the base language in the correct position so that users receive webpages in their preferred language.
- Dispatch mouse transition events after layout
Mouse events are not sent when the nodes under the mouse change during layout.
This then represents an incorrect state, in that the hover state of where the mouse actually is doesn't match the current hover state of the document.
To fix a variety of issues we will start dispatching mouse transitional events and update the hover state shortly after layout has been executed.
This will match Firefox behavior.
- Feature Policy: Fullscreen
Allow developers to selectively enable and disable use of Fullscreen through the Feature-Policy HTTP header or the <iframe> "allow" attribute. The identifier for the feature in policies is "fullscreen". By default, fullscreen is allowed in all top-level documents, and in same-origin frames. This is similar to the existing <iframe> "allowfullscreen" attribute, but allows control over which origins will be allowed to use the feature when hosted inside of the frame.
- Implement visibility:collapse for table rows and row-groups
visibility:collapse is supposed to hide table rows while preserving their contribution to column widths. Right now blink treats visibility:collapse as visibility:hidden, which merely skips painting the rows, leaving blank space in their place instead of allowing their space to be used for other content.
- Intervention: Image replacement for Data Saver users on slow connections
If a Data Saver user is on a 2G-speed or slower network according to the NetInfo API, Chrome replaces images with placeholders and sends an intervention header on every resource request. Placeholders are the same dimensions as the original image to maintain site layout. Users are shown a Lite Mode UI in the omnibox. Users can load the image by long-pressing on the placeholder, or load all images by tapping "Show original" in the UI. An intervention report is sent when this optimization occurs.
- Loosen up escape sequence restrictions in template literals
The restriction on escape sequences in template literals has been loosened. This enables new use cases for template tags, such as writing a LaTeX processor.
- Media Capture from HTML Media Element (<video>/<audio>)
The "Media Capture from DOM Elements" document by W3C defines a captureStream() method that allows the capture of a <video>/<audio> element in the form of a MediaStream. We want to implement the necessary Blink and Chromium sections that would create this stream by accessing the <video>/<audio> output according to the given playback constraints.
- Network Information: Network Quality signals
This API provides network performance information to developers, as perceived by the UA, in a format that's easy to consume and act upon: UA monitors latency and throughput of recent requests and provides estimates for effective RTT, throughput, and connection type that developers should optimize for - e.g. if the recently observed latency and/or throughput is low, the effective connection type will be mapped to a "low" value like 2G or 3G, regardless of the underlying network technology.
- OpenType variable font support
OpenType variable fonts integration in the layout engine affects at least the following aspects:
  - Axis value assignments from font-variation-settings
  - Integration of variable fonts axis parameters into layout operations
  - Font matching for:
    - Matching based on canonical scalable axes such as width or weight or optical sizing.
    - Matching named instances
  - Feature resolution of CSS props, feature-settings and variation settings
- PaymentDetailsModifier.data
Need to support modifiers with the same identifier but different data. One use case for this is to support card payments with different modifiers for credit vs. debit cards. This change adds the PaymentDetailsModifier.data field to supply the different data.
- Performance.timeOrigin
Performance.timeOrigin was defined in High Resolution Time 3. The attribute is useful for developers to be able to compare timings of objects (like windows or workers) with different time origins.
- RegExp dotAll mode / s flag
The new s flag for ECMAScript regular expressions makes . match any character, including line terminators.
- RegExp lookbehind assertions
Lookarounds are zero-width assertions that match a string without consuming anything. ECMAScript has lookahead assertions that do this in the forward direction, but the language is missing a way to do this backward, which the lookbehind assertions provide. With lookbehind assertions, one can make sure that a pattern is or isn't preceded by another, e.g. matching a dollar amount without capturing the dollar sign.
- Support FLAC in ISO-BMFF with MSE
FLAC is a lossless audio coding format, already supported in regular Chrome HTML5 playback. This feature adds support for FLAC in ISO-BMFF to Chrome HTML5 Media Source Extensions (MSE).
- Update ol.start default value as 1
As per the spec,
"The start IDL attribute must reflect the content attribute of the same name, with a default value of 1.
This means that the start IDL attribute does not necessarily match the list's starting value, in cases where the start content attribute is omitted and the reversed content attribute is specified."
- WebAudio: OfflineAudioContext constructor with dictionary
The constructor for an OfflineAudioContext now accepts a dictionary argument to specify the options needed to construct the context. This is an addition to the existing constructor that takes three arguments.
- visualViewport attribute event handlers
Adding attribute event handlers to visualViewport.
i.e. visualViewport.onresize and visualViewport.onscroll
(This is a minor fix to the shipped implementation)
- PaymentMethodData.supportedMethods should not be a sequence
PaymentMethodData is used in the PaymentRequest constructor, the PaymentRequestEvent, and the CanMakePaymentEvent. Its supportedMethods property holds an identifier indicating the payment methods a merchant accepts. Currently, this property takes either a string or array. After this change, it will only take a string.
- Deprecate SVGPathElement.getPathSegAtLength
This interface is removed from the spec.
https://svgwg.org/svg2-draft/paths.html#InterfaceSVGPathElement.
- RTCPeerConnection.getStreamById
The getStreamById method on RTCPeerConnection is being removed. See https://crbug.com/698163#c10 for a replacement if you depend on this.
- Remove Insecure usage of Notifications
Remove access to the Notifications API on insecure origins. This will prevent sites from requesting notification permission or creating non-persistent local notifications over HTTP.
Sites using the Notification API for web push must already be on secure origins due to the requirement for a service worker. Removal is anticipated in Chrome 62.
- Remove Usage of Notifications from iFrames
Remove the ability to call Notification.requestPermission() from non-main frames.
This change will align the requirements for notification permission with that of push notifications, easing friction for developers. It allows us to unify notification and push permissions.
- SharedWorker: Remove workerStart
SharedWorker.workerStart has been deprecated for a while in the spec, and is not supported by other major browsers.
chromium63 Features:21
- Async Iteration / Async Generators
Async Generator functions and a new iteration protocol (used by for-await-of loops and yield* expressions), to streamline consumption or implementation of streaming data sources.
- CSS 'q' length unit
Support the 'q' absolute length unit.
1q is equivalent to 1/40th of 1cm.
- CSS font-variant-east-asian
Add support for font-variant-east-asian and respective mapping for the font: shorthand and the font-variant: shorthand.
- CSS overscroll-behavior
CSS overscroll-behavior allows developers to decide the browser's behavior once a scroller has reached its full extent. The unused delta can be propagated to the parent causing scroll chaining, create a glow/bounce effect without chaining, or just get consumed silently. This would be a standardization of "-ms-scroll-chaining" with some modification.
- Device Memory JS API
JS API to expose the device Memory to web applications.
- EventTarget.addEventListener/removeEventListener throws a TypeError
EventTarget.addEventListener/removeEventListener throws a TypeError when the second argument |callback| is not an EventListener, null, or undefined.
Historically Blink had not been reporting a TypeError for the second argument of EventTarget.{add,remove}EventListener, but reports a TypeError since M63.
- HTMLAllCollection and HTMLCollection's named properties are no longer enumerable
Blink now follows the DOM and HTML specs and declares HTMLAllCollection, HTMLCollection, HTMLFormControlsCollection and HTMLOptionsCollection with the LegacyUnenumerableNamedProperties extended attribute. Its named properties are no longer marked as enumerable, being left out of calls to e.g. Object.keys() and for-in loops.
- Interface properties with a Promise type no longer throw exceptions
Interface properties that return a Promise now reject (meaning they'll invoke a catch block) instead of throwing an exception. This has already been done for functions.
- Intl.PluralRules
Intl.PluralRules is a new API which exposes language-dependent data on pluralization forms of numbers. Given a locale and a number, Intl.PluralRules outputs a category, which can then be used for selection of the pluralization form of surrounding text.
- JavaScript module import()
This JavaScript feature adds a "function-like" import() module loading syntactic form to JavaScript.
The existing syntactic forms for importing modules are static declarations. However, it's also desirable to be able to dynamically load parts of a JavaScript application at runtime.
- Make /deep/ behave like the descendant combinator " " in CSS live profile (in css file or inside of <style>)
Make /deep/ behave like the descendant combinator " " in CSS live profile; effectively no-op.
See "Intent to Remove" thread for more details: https://groups.google.com/a/chromium.org/d/topic/blink-dev/HX5Y8Ykr5Ns/discussion
https://www.w3.org/TR/selectors-4/#profiles
CSS live profile = CSS selector used in CSS file or inside of <style>.
CSS snapshot profile = CSS selector used in JS, such as querySelector(...)
- MediaStreamTrack.applyConstraints
applyConstraints() allows changing the constraints associated with a MediaStreamTrack.
This is useful to change settings such as video resolution or frame rate.
applyConstraints() was previously released with support for ImageCapture (https://w3c.github.io/mediacapture-image/).
This feature includes adding support for the main spec (https://w3c.github.io/mediacapture-main/).
- No State Prefetch
A mechanism for speculative prefetching of webpages and their subresources that are on a critical path of page loading without executing any JavaScript or creating a complex state of the web platform. This system is not purely "no state" because the HTTP cache allows creating cookies and other state related to validating cache entries.
It is important to note that the "NoState Prefetch" is not an API.
Server side detection: https://bugs.chromium.org/p/chromium/issues/detail?id=796855
- Promise.prototype.finally
This finally method is used for registering a callback to be invoked when a promise is settled (either fulfilled, or rejected).
- Web Storage: Anonymous getter may return null
Blink used to add an anonymous named property getter to the Storage interface (used by sessionStorage and localStorage) that behaved slightly differently from the getItem() method. The anonymous getter has been removed, and getItem() is now used behind the scenes instead. One visible consequence is that attempting to access a key that does not exist via the getter will return null instead of undefined.
- Web Storage: Methods are now enumerable
The methods belonging to the Storage IDL interface (available via sessionStorage and localStorage), such as getItem(), clear() and removeItem() are now enumerable as mandated by the HTML spec.
They are not returned by Object.keys(), but do appear in e.g. for-in loops.
- beforeprint and afterprint events
'beforeprint' event is dispatched before starting printing, and 'afterprint' event is dispatched after finishing printing. They are useful to build printing-only content, and clean it up.
- display:minimal-ui
Support the minimal-ui display mode as defined in the Web App Manifest.
This property will result in Chrome displaying a "Chrome Custom Tab"-like UI.
- navigator.webdriver
The Webdriver specification defines a navigator.webdriver property to indicate if UA is controlled by automation. This property is defined and returns true when running Chrome with the --headless flag.
- Shadow-Piercing descendant combinator, '/deep/'
The /deep/ combinator was a part of Shadow DOM v0, which has been deprecated and removed. Starting in M63, the /deep/ combinator was treated as a no-op, equivalent to a space " " combinator. As the code for all of Shadow DOM v0 was removed completely in M89, /deep/ will now throw exceptions in some JS operations, such as querySelectorAll. Simply replace it with " " to get pre-M89 behavior back.
- macOS: rounded borders for buttons in User-Agent stylesheet
Only for macOS.
The default stylesheet for <button>, <input type=button>, <input type=reset>, <input type=submit>, a button in <input type=file> was changed in order to match OS-native buttons.
Background-color, border, border-radius, and padding were changed.
chromium64 Features:32
- Media Capabilities: encoding
This is an API for querying the user agent about a device's encoding capabilities for the purpose of recording or transmitting.
- Network Information: saveData
The saveData attribute is a boolean that indicates a client's explicit opt-in for reduced data usage, due to high transfer costs, slow connection speeds, or other reasons. Its use allows JavaScript to make decisions that result in reduced data use, such as to load smaller images and video resources, or reduce buffering or predictive actions.
This is expected to be enabled by default in Chrome 65.
- Animation for offset-path CSS property
Authors using CSS Motion Path can now animate the path that an element moves along by animating the offset-path property.
- CSS transform-box
The transform-box property allows defining which reference box to use when computing 'transform' and 'transform-origin'. It currently only has an effect on SVG elements.
- CSS4 text-decoration-skip-ink
CSS Text Decoration 4: property controls how overlines and underlines are drawn when they cross over a glyph.
With the initial, default value "auto" decoration lines skip over where glyphs are drawn: interrupt the decoration line to let the shape of the text show through where the text decoration would otherwise cross over a glyph. The UA must also skip a small distance to either side of the glyph outline.
To disable this behavior, use text-decoration-skip-ink: none
- Constructible & Subclassable EventTarget
Make the EventTarget constructor callable, allowing EventTargets to be constructed on their own or be subclassed.
- Deprecate and remove chrome.loadTimes
chrome.loadTimes() is a non-standardized API that enables collecting loading related metrics to understand performance in the real world. However the metrics there are now available as standardized APIs, so this API will be deprecated and removed.
- Deprecate on-by-default Permissions in Cross-origin Iframes
It's proposed that by default the following permissions cannot be requested or granted to content contained in cross-origin iframes:
Geolocation
Midi
Encrypted media extensions
Microphone and Camera
In order for a cross-origin frame to get access to these permissions, the embedding page must specify a Feature Policy which enables the feature for the frame. For example, to enable geolocation in an iframe, the embedder could specify the iframe tag as:
<iframe src="..." allow="geolocation">
- Feature Policy: Autoplay
Allows developers to selectively enable and disable use of autoplay through the feature policy HTTP header or the <iframe> "allow" attribute.
By default we will allow autoplay on same origin iframes. If developers have cross origin iframes they will be able to enable autoplay on those frames by enabling the "autoplay" feature.
- Fetch API: Request.cache
A property which represents the cache mode of a Request. This feature includes RequestInit.cache which sets the property.
- Fractional coordinates in PointerEvents of type mouse
Make the coordinates in PointerEvents of pointerType=mouse fractional, in order to include the full precision provided by the underlying platform.
- Image Decode API: img.decode()
This change allows web developers to request to decode an img element. The call to a new HTML <img> element's decode() function returns a promise, which, when fulfilled, ensures that the image can be appended to the DOM without causing a decoding delay on the next frame.
- Image decoding attribute
This feature allows developers to specify decoding attribute on HTMLImageElement and SVGImageElement which would have one of two states:
"async": This indicates that the developer prefers responsiveness and performance over atomic presentation of image and non-image content.
"sync": This indicates that the developer prefers atomic presentation of content over responsiveness.
"auto": This indicates a default state where the user-agent can select the behavior.
- Intl.NumberFormat.prototype.formatToParts()
Intl.NumberFormat.prototype.formatToParts() is scheduled to be added to the ECMAScript Internationalization API specification (Ecma 402). It adds a method to format a number to a list of tokens and their types (e.g. minusSign, integer, decimal, fraction, currency, percentSign, etc).
See also the corresponding DateTimeFormat feature here: https://www.chromestatus.com/feature/6319456309477376
- Media preload defaults to metadata
Set the default preload value for video and audio elements to "metadata".
Note that the preload attribute's hint is still ignored when a MediaSource is attached to the media element.
- Notifications to be displayed in the platform's Notification Center
Most platforms ship with a notification center of their own - on mobile devices this may be more prominent than on desktops, but they do exist. We're in the process of moving notifications shown by Chrome to be included in those centers as well.
  - Android (shipped in Chrome 42)
  - Mac OS X (shipped in 59)
  - Linux (planned to ship in 64)
  - Windows (being prototyped)
Other browsers already use native notification centers where available.
- Numeric character reference fallback for file upload characters not representable in form-charset
Change <input type="file"> filename encoding in multipart/form-data uploads in forms with non-Unicode accept-charset to use HTML numeric character references rather than '?' when a filename the user selects contains characters not representable in the target character encoding.
This change would align our behavior with the existing behavior of Firefox and Edge. It is hoped that this behavior can eventually achieve cross-browser consensus and standardization.
- Prevent scrolling in HTMLElement.focus()
Adds an optional argument to existing focus APIs that disables the scroll triggered by focus.
- RTCRtpSender
This feature tracks RTCPeerConnection methods getSenders(), addTrack(), removeTrack() and the essentials of interface RTCRtpSender.
- RegExp named captures
Named captures for ECMAScript regular expressions allow developers to create and refer to named capture groups.
- Remove window.event for Shadow DOM
The context is: https://github.com/whatwg/dom/issues/334
We are trying to standardize certain Microsoft event extensions. One of them is window.event. Blink supports window.event.
In the discussion, we agreed that window.event should be undefined if an Event's target is in a shadow tree.
That is effectively equivalent to removing window.event for Shadow DOM.
- Resize Observer
The Resize Observer API can be used to observe changes to size of Element's content rect.
- Stronger popup blocker on sites with abusive experiences
On sites with very abusive experiences (see documentation link below), Chrome will start enforcing a more aggressive popup blocker. This will invoke Chrome's popup blocking UI for new windows or tabs regardless of whether there is a user gesture.
- Throw NotSupportedError when media playbackRate is unsupported
Throw a NotSupportedError DOM exception when a media element's playbackRate is set to an unsupported value.
- Unicode property escapes in regular expressions
The Unicode Standard assigns various properties and property values to every symbol. For example, to get the set of symbols that are used exclusively in the Greek script, search the Unicode database for symbols whose Script property is set to Greek.
Unicode property escapes are a new type of escape sequence available in regular expressions that have the u flag set. They enable querying the Unicode database for certain properties and values.
E.g. /\p{Script=Greek}/u.test('π') === true
- X-Content-Type-Options: nosniff
The X-Content-Type-Options: nosniff header allows a server to assert that its resources may only be executed as script or applied as style if they're delivered with appropriate Content-Type headers.
- import.meta
The import.meta meta-property provides a host-defined object which exposes context-specific metadata to a JavaScript module (e.g. the enclosing module's URL or associated <script> element).
- install event for Web App Manifest
An event handler to tell a site that it has been installed or added to home screen.
- Multiple Shadow Roots
Enable elements to host more than one shadow root.
Dropping this feature from the spec is the resolution of the Web Components f2f meeting (https://www.w3.org/wiki/Webapps/WebComponentsApril2015Meeting). This was deprecated in Chrome 45. Removal is anticipated in Chrome 64.
- Remove getMatchedCSSRules
getMatchedCSSRules is a webkit-only API to get a list of all the style rules applied to a particular element.
It has been deprecated since 2014.
- window.alert() will not activate parent page
If a document in a background tab calls window.alert() then the call to alert() will return immediately; the dialog will be shown to the user when they switch to the tab. A UI indicator will be set so the user is aware of the pending alert dialog. This removes the ability to use window.alert() to bring a tab to the front against the user's will.
- Stop showing ads on websites that are not compliant with the Better Ads Standards.
Stop showing ads (including ads owned or served by Google) on sites that do not comply with the Better Ads Standards (betterads.org/standards).
Feature Intro:
https://blog.chromium.org/2017/06/improving-advertising-on-web.html
How Chrome's ad filter works
https://blog.chromium.org/2018/02/how-chromes-ad-filtering-works.html
Filtering began on sites globally in July 2019.
https://blog.chromium.org/2019/01/building-better-world-wide-web.html
Ad Experience Report Info
https://support.google.com/webtools/answer/7159932
chromium65 Features:25
- CSP's prefetch-src directive
CSP allows developers to control the set of resources which can be preloaded by specifying a prefetch-src directive. The directive has the same format as other fetch directives; developers write an allowlist which defines the set of hosts from which resources can be preloaded. If prefetch-src is not specified, default-src will apply.
- Block cross-origin <a download>
To avoid what is essentially user-mediated cross-origin information leakage, Blink will start to ignore the presence of the download attribute on anchor elements with cross origin attributes.
- CSS Color 4 HSL/HSLA syntax
Update parsing of HSL() and HSLA() to the syntax described in CSS Color 4. The functions were synonymized, along with allowing whitespace to separate the parameters instead of commas, introducing a backslash as a new way to separate the alpha parameter, allowing angles to be specified as the hue, and allowing percent values for the alpha parameter.
- CSS Color 4 RGB/RGBA syntax
Update parsing of RGB() and RGBA() to the syntax described in CSS Color 4. The functions were synonymized, along with allowing whitespace to separate the channels instead of commas, introducing a backslash as a new way to separate the alpha parameter, and allowing percent values for the alpha parameter.
- CSS Paint API (Houdini)
CSS Paint API defines a new callback which is designed to allow developers to write code which produces a CSS <image> during the paint phase of the rendering engine.
- CSS Selectors 4 Pseudo-Class :any-link
The :any-link pseudo-class represents an element that acts as the source anchor of a hyperlink.
- Do not create layout objects for elements inside display:none iframes.
The original HTML/CSS specifications were unclear about the intended behavior for elements inside display:none iframes. Do they get CSS boxes? Are they rendered? This has led to a divergence in behavior between UAs. The specs are in the process of being clarified, and the new spec matches the behavior of Edge and Gecko which do not perform box construction or layout. Note that Chrome's current behavior has negative performance implications.
https://github.com/whatwg/html/issues/1813
- Feature Policy: control Synchronous XMLHttpRequest
Allows developers to selectively enable and disable use of Synchronous XMLHttpRequest requests through the feature policy HTTP header or the <iframe> "allow" attribute. The identifier for the feature in policies is "sync-xhr". By default, synchronous XHR is allowed in all frames. If developers wish to disable this on any page, they can include a header like:
Feature-Policy: sync-xhr 'none'
Or embed content in an iframe with sync XHR disabled like:
<iframe src="..." allow="sync-xhr 'none'">
- KeyboardEventInit keyCode, charCode support
Add support for initializing keyCode, charCode via KeyboardEventInit.
- NTLMv2
Support NTLMv2 authentication. Currently on non-Windows platforms only NTLMv1 is used.
- PerformanceObserver takeRecords()
The takeRecords method returns a copy of the performance entries in the PerformanceObserver's buffer, and also clears this buffer. This aligns PerformanceObserver with other *Observer implementations, like MutationObserver and IntersectionObservers, which have similar methods.
- RTCRtpSender and RTCRtpReceiver extensions to RTCPeerConnection
This feature encapsulates the addition of the following methods to RTCPeerConnection:
getSenders(),
getReceivers(),
addTrack(MediaStreamTrack track, MediaStream... streams),
and removeTrack(RTCRtpSender sender).
The RTCRtpSender and RTCRtpReceiver objects will initially be limited to supporting the "track" attribute, with RTCRtpSender also supporting "replaceTrack(MediaStreamTrack withTrack)".
- RTCRtpSender.replaceTrack
This allows you to seamlessly change which track is being sent without having to renegotiate at the expense of another offer/answer cycle.
For example, you might want to switch which video to send or to temporarily not send video, without any disruption in audio or at the cost of an RTT delay. It can also be used to control whether or not to send with replaceTrack(null).
- Request.destination
The Request.destination getter lets Service Worker code know which type of resource it is fetching.
- ServerTiming API
Add the PerformanceServerTiming Interface which makes Server-Timing header timing values available to JavaScript running in the browser.
- Support HTMLAnchorElement.relList property
The HTMLAnchorElement.relList read-only property reflects the rel attribute. It is a live DOMTokenList containing the set of link types indicating the relationship between the resource represented by the <a> element and the current document.
- Support HTMLAreaElement.relList property
The HTMLAreaElement.relList read-only property reflects the rel attribute. It is a live DOMTokenList containing the set of link types indicating the relationship between the resource represented by the <area> element and the current document.
- TLS 1.3 (draft versions)
The latest version of the Transport Layer Security (TLS) protocol. For M65, draft-23 of the protocol will be rolled out to Chrome users via a field trial.
- Wheel scroll latching and async wheel events
Latch to a single element for the duration of a wheel scroll. Only the first wheel event in a scrolling sequence is cancelable.
- Worklets
Worklets define a new JavaScript execution context that lets developers write code intended to run synchronously within the rendering engine, yet independently of the main user JavaScript.
This feature was released in two stages. Worklets for paint were released in Chrome 65/Opera 52. Worklets for audio were released for Chrome 66/Opera 53.
- assignedElements on <slot>
Add assignedElements on <slot>, similar to assignedNodes(), but returning Element nodes only. The method returns elements that are assigned to a given slot.
- display: contents
"display: contents" allows you to control the box generation of an element.
The element with "display: contents" won't generate any box, but its children and pseudo-elements will still do it as normal.
It's like the element has been replaced by its children and pseudo-elements.
- document.all is no longer Replaceable.
It has been possible for web developers to overwrite document.all for a long time, but according to the web standard, document.all will no longer be overwritable, i.e. it will be read-only.
before the change
document.all = 42;
console.log(document.all);
// prints 42
after the change
document.all = 42;
console.log(document.all);
// prints a HTMLAllCollection
- toJSON for Performance and PerformanceEntry
Ever since serializer was deprecated in favor of toJSON [1], the Performance and PerformanceEntry specs added a mandatory toJSON method. This method should just call the default toJSON operation [2].
[1] https://github.com/w3c/resource-timing/issues/112
[2] https://heycam.github.io/webidl/#default-tojson-operation
The following interfaces will have toJSON added:
PerformanceResourceTiming
PerformanceLongTaskTiming
TaskAttributionTiming
- <meta http-equiv="set-cookie" ...>
<meta http-equiv="set-cookie" ...> provides a mechanism for manipulating a host's cookies via markup. Ideally, we would require access to a host's HTTP headers, or script-execution capabilities to modify this data.
chromium66 Features:35
- Add and update MHTML headers to support sharing of MHTML pages
To support sharing of MHTML pages, a new header Snapshot-Content-Location will be added. The existing Subject header will be updated to support encoding of non-printable ASCII characters.
- Add autocomplete attribute to <textarea> and <select>
Add autocomplete attribute to <textarea> and <select> as per spec.
https://html.spec.whatwg.org/multipage/form-elements.html#the-select-element, https://html.spec.whatwg.org/multipage/form-elements.html#the-textarea-element
- Aligning U2F attestation with webauthn
Chrome has never supported the FIDO U2F API directly [1]. However, it does ship with an internal extension and it's possible to implement the U2F API by using postMessage to send messages to this extension.
(Description continued in comments.)
[1] https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html
- Array.prototype.values
The values() method returns a new Array Iterator object that contains the values for each index in the array.
- Asynchronous Clipboard API
A modern, asynchronous Clipboard API based on Promises.
Text-only APIs (clipboard.readText and clipboard.writeText):
- Behind a flag in M62
- Enabled by default in M66
Support for images and other data types is still under development.
- Autocapitalize support on all editable elements and on <form> elements
Improve compatibility with Safari's implementation of autocapitalize by:
- Supporting the autocapitalize attribute on any contenteditable element
- Allowing the autocapitalize attribute to be specified on a <form> element so that it applies to all child form fields
- CSS Typed OM (Houdini)
The new CSSOM provides typed style access for developers. This will generally improve performance primarily by removing the need to do lots of string parsing. In addition to this, it will enable performant development of various new Houdini specifications (including custom properties, layout and paint).
Only a subset of CSS properties are supported for now:
- CSS calc() in media queries
According to the CSS Values 4 spec, math functions such as calc() should be allowed wherever individual CSS values such as numbers are allowed. However, calc() expressions are not currently parsed in media queries. This change would introduce support for parsing calc() expressions inside of media queries.
- Do not throw on unimplemented but valid keyframe-specific composite values.
By spec, the following should not throw even if additive/accumulative animations are not yet supported by the browser:
// Currently throws on Chrome - should not!
element.animate([
  { color: 'red', composite: 'accumulate' },
  { color: 'blue', composite: 'add' }
], 2000);
Firefox does not throw in this case.
- ECMAScript ⊃ JSON
A Stage 3 proposal makes ECMAScript a syntactic superset of JSON by allowing line separator (U+2028) and paragraph separator (U+2029) in string literals.
- Feature Policy: control over Device Orientation API
The sensor policy-controlled features are used to control access to a device's sensors requested through an event specified in the DeviceOrientation Event Specification. By default, the deviceorientation, deviceorientationabsolute and devicemotion events will be restricted to the top-level document and same-origin subframes (this follows from the features' default allow list 'self'). The default behavior can be modified by explicitly enabling or disabling the dedicated sensor policy-controlled features.
- Fetch API: AbortSignal and AbortController
A fetch() can be made cancellable by passing an AbortSignal "signal" in the fetch options. Calling abort() on the associated AbortController will then cancel the fetch.
- Fetch API: keepalive
This option instructs fetch() to perform resource fetching with the keepalive flag set for non-blocking event reporting, analytics, etc. as well as the Beacon API (SendBeacon).
- Function.prototype.toString revision
The "implementation-dependent String" returned from Function.prototype.toString() is now a fully-specified String, which is a substring of the source code that defines the function. For example, this preserves whitespace and comments between the "function" keyword and the function name identifier. For functions created with CreateDynamicFunction (such as through `new Function()`), the String is fully-specified and includes the parameters passed to CreateDynamicFunction.
- Link rel=modulepreload
The new "modulepreload" rel value in the <link> element and Link: header provides a way to initiate early (and high-priority) loading of module scripts.
- Make `