Security: TLS 1.3 is an overhaul of the TLS protocol with a simpler, less error-prone design that improves both efficiency and security. The new design reduces the number of round trips required to establish a connection and removes legacy insecure options, making it easier to configure a server securely. It additionally encrypts more of the handshake and makes the resumption mode more resilient to key compromise.
The <rp> element defaults to display:none
CSS: The default style of the <rp> element is changed to “display:none” instead of “display:inline”, even when it is not inside a <ruby> element, as defined in the HTML specification. This behavior is implemented in the UA style sheet, so a web author can still override it.
Behavior in other browsers:
– Edge: display:inline (outside <ruby>), display:none (inside <ruby>)
– Firefox: display:none
– Safari: display:inline (outside <ruby>), display:none (inside <ruby>)
The ontouch* APIs default to disabled on desktop
DOM: To avoid confusion in touch feature detection, the ontouch* members on window, document, and element are disabled by default on desktop devices (Mac, Windows, Linux, ChromeOS). Note that this does not disable touch events themselves; usage such as `addEventListener("touchstart", ...)` is not affected.
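The detection pattern this change is aimed at, as an added example that is not part of the release notes: checking for an `ontouchstart` property now reports “no touch” on a desktop Chrome 70 with a touchscreen, while `navigator.maxTouchPoints` still answers correctly and `addEventListener("touchstart", ...)` keeps working. The `win` and `nav` parameters stand in for `window` and `navigator` so the functions can be exercised with constructed objects outside a browser; the sample objects at the bottom are constructed for illustration.

```javascript
// Added example, not from the Chrome release notes. `win` and `nav` are
// stand-ins for window and navigator so the checks run outside a browser.

// Brittle: relies on the ontouch* handler properties, which desktop Chrome 70
// no longer exposes even on touch-capable hardware.
function hasTouchByHandlerProperty(win) {
  return "ontouchstart" in win;
}

// Preferred: ask the platform how many touch points it reports. The handler
// property is consulted only when maxTouchPoints is absent entirely.
function hasTouchByMaxTouchPoints(nav, win) {
  if (typeof nav.maxTouchPoints === "number") return nav.maxTouchPoints > 0;
  if (typeof nav.msMaxTouchPoints === "number") return nav.msMaxTouchPoints > 0;
  return hasTouchByHandlerProperty(win);
}

// Touch listeners are unaffected: registration goes through addEventListener,
// not the ontouch* properties. Returns how many touchstart events fired.
// (Uses the EventTarget/Event globals, available in browsers and Node 15+.)
function countTouchStarts(target) {
  let seen = 0;
  target.addEventListener("touchstart", () => { seen += 1; });
  target.dispatchEvent(new Event("touchstart"));
  target.dispatchEvent(new Event("touchstart"));
  return seen;
}

// Constructed environments (not real browser objects):
// a desktop Chrome 70 on a touchscreen laptop, and a phone.
const desktopTouchLaptop = { win: {}, nav: { maxTouchPoints: 10 } };
const phone = { win: { ontouchstart: null }, nav: { maxTouchPoints: 5 } };

function detectionReport(env) {
  return {
    byHandlerProperty: hasTouchByHandlerProperty(env.win),
    byMaxTouchPoints: hasTouchByMaxTouchPoints(env.nav, env.win),
  };
}
```

In a page, call `hasTouchByMaxTouchPoints(navigator, window)`; the handler-property check is kept only to show what breaks.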
Update behavior of CSS Grid Layout percentage row tracks and gutters
CSS: This updates the behavior of percentage row tracks and gutters in grid containers with indefinite heights. Previously these behaved like percentage heights in regular blocks, but the CSS WG has resolved to make them behave the same way as columns, making the two axes symmetric. Percentages are now ignored when computing the intrinsic height and resolved afterwards against that height, so both the column and row axes resolve percentage tracks and gutters the same way.
WebUSB on Dedicated Workers
Device: WebUSB is enabled inside dedicated worker contexts. This allows developers to perform heavy I/O and processing of data from a USB device on a separate thread, reducing the performance impact on the main thread.
Network / Connectivity: Priority Hints provide developers a way to indicate a resource’s relative importance to the browser, allowing more control over the order in which resources are loaded.
Many factors influence a resource’s priority in browsers, including the type, visibility, and preload status of the resource. Priority Hints introduce a developer-set “importance” attribute that lets developers influence the computed priority of a resource. Supported importance values are auto, low, and high.
Web RTC: This change implements getConfiguration() according to WebRTC 1.0. Specifically, it returns the last configuration applied via setConfiguration(), or, if setConfiguration() hasn’t been called, the configuration the RTCPeerConnection was constructed with.
Remove AppCache from non-secure contexts
Security: AppCache is now removed from insecure contexts. AppCache is a powerful feature that allows offline and persistent access to an origin: on a plain-HTTP origin, a network attacker or any XSS can install a cache manifest that keeps serving attacker-controlled content even after the original injection is gone, turning a one-off injection into a persistent compromise of the origin. Allowing AppCache only over HTTPS removes that attack vector.
This feature was deprecated in Chrome 67.
Remove HTMLFrameSetElement’s anonymous getter.
DOM: Deprecate and remove HTMLFrameSetElement’s anonymous getter, which is non-standard.
Remove OS build number from user-agent string
Network / Connectivity: The OS build number (for example, “NJH47F” or “OPM4.171019.021.D1” on Android) has been removed from the user-agent identification (the User-Agent header and navigator.userAgent) on Android and on iOS. The iOS change follows Safari’s implementation and freezes the build number at “15E148” instead of removing it.
This prevents abuses of that information such as exploit targeting and fingerprinting: the build number identifies the exact OS image a device is running, and therefore which platform bugs it has not yet patched. It also brings Chrome closer in line with RFC 7231 section 5.5.3.
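The information the build token exposed, as an added example that is not part of the release notes. The two user-agent strings are constructed to show the shape of an Android UA before and after this change (the build token OPM4.171019.021.D1 is the one quoted above; the device model and Chrome version numbers are illustrative). `parseAndroidUA` reads out what a fingerprinting or exploit-targeting script could learn from the platform section, and `stripAndroidBuild` applies the same removal server-side, for instance to a UA before it is written to an access log.

```javascript
// Added example, not from the Chrome release notes. Both UA strings are
// constructed for illustration.
const UA_BEFORE = "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM4.171019.021.D1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36";
const UA_AFTER = "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36";

// Extract the Android version, device model and (if still present) the OS
// build token from the platform section of the UA. Returns null for UAs that
// are not Android Chrome-style strings.
function parseAndroidUA(ua) {
  const m = /\(Linux; Android ([^;)]+); ([^)]*?)(?: Build\/([^)]+))?\)/.exec(ua);
  if (!m) return null;
  return { androidVersion: m[1], model: m[2], build: m[3] || null };
}

// Server-side equivalent of the Chrome 70 change: drop the " Build/<id>"
// token so the exact OS image is not retained in logs or analytics.
function stripAndroidBuild(ua) {
  return ua.replace(/ Build\/[^);]+/, "");
}

// Summarise how much a UA narrows down the device: the build token pins the
// exact OS image, which is what exploit targeting and fingerprinting use.
function fingerprintSurface(ua) {
  const parsed = parseAndroidUA(ua);
  if (!parsed) return "not an Android UA";
  return parsed.build
    ? `exact OS image known (${parsed.build})`
    : `only Android ${parsed.androidVersion} on ${parsed.model} known`;
}
```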
Shadow DOM v0
Web Components: Chrome and other browsers have implemented the new version of the API; see https://www.chromestatus.com/features/4667415417847808.
V0 is deprecated in M70 and will be removed in M73, around April 2019.
If you are still using it, consider migrating to the new API or upgrading your Polymer library. Use --disable-blink-features=ShadowDOMV0 to test whether your site works without the Shadow DOM V0 APIs.
For more info: https://groups.google.com/a/chromium.org/d/msg/blink-dev/h-JwMiPUnuU/sl79aLoLBQAJ
Shape Detection API
Multimedia: Photos and images constitute the largest chunk of the Web, and many include recognisable features such as human faces, text, or QR codes. Detecting these features is computationally expensive, but hardware manufacturers, particularly on mobile devices, have long supported hardware-accelerated detection of them. This API exposes those hardware-accelerated detectors where available. This is expected to be in origin trials in Chrome 70.
Support Opus in mp4 (ISO-BMFF) with Media Source Extensions (MSE)
Multimedia: Opus is an audio codec already supported via the src attribute on HTML5 media elements (<audio> and <video>) in the mp4, ogg, and webm containers, and in the webm container with Media Source Extensions. This change adds support for the Opus codec in the mp4 container to MSE.
Support codec and container switching with MSE using SourceBuffer.changeType()
Multimedia: This change adds the SourceBuffer.changeType() method to improve cross-codec or cross-bytestream transitions during playback with Media Source Extensions.
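The checks a player should run before switching a SourceBuffer to a new codec, as an added example that is not part of the release notes; it ties together the two MSE entries above by switching an audio buffer from AAC to Opus in mp4. `changeType()` is feature-detected (older builds require tearing down and recreating the SourceBuffer), the target type is confirmed with `MediaSource.isTypeSupported`, and the call is refused while the buffer is updating, since MSE throws an InvalidStateError in that case. The `MediaSourceCtor` and `sourceBuffer` parameters are injected so the logic can be exercised with the constructed fakes at the bottom outside a browser; in a page, pass `MediaSource` and the real SourceBuffer.

```javascript
// Added example, not from the Chrome release notes. The fakes at the bottom
// are constructed stand-ins for the browser's MediaSource and SourceBuffer.

function switchSourceBufferType(MediaSourceCtor, sourceBuffer, mimeType) {
  if (typeof sourceBuffer.changeType !== "function") {
    return { ok: false, reason: "changeType unsupported; recreate the SourceBuffer instead" };
  }
  if (!MediaSourceCtor.isTypeSupported(mimeType)) {
    return { ok: false, reason: `unsupported type: ${mimeType}` };
  }
  if (sourceBuffer.updating) {
    return { ok: false, reason: "buffer is updating; retry after 'updateend'" };
  }
  sourceBuffer.changeType(mimeType);
  return { ok: true, reason: null };
}

const AAC_IN_MP4 = 'audio/mp4; codecs="mp4a.40.2"';
const OPUS_IN_MP4 = 'audio/mp4; codecs="opus"';

// Constructed fake MediaSource: `supported` lists the types it accepts.
function makeFakeMediaSource(supported) {
  return { isTypeSupported: (type) => supported.includes(type) };
}

// Constructed fake SourceBuffer; changeType can be omitted to model a browser
// without this feature.
function makeFakeSourceBuffer({ withChangeType = true, updating = false } = {}) {
  const sb = { updating, type: AAC_IN_MP4 };
  if (withChangeType) sb.changeType = (type) => { sb.type = type; };
  return sb;
}
```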
‘name’ attribute for dedicated workers