It’s important for users to know what extensions they have enabled since extensions can sometimes influence Chrome’s functionality and performance. Many users have installed extensions from the Chrome Web Store, but some users have extensions that were silently installed without their knowledge.

Read More

It’s important for users to know what extensions they have enabled since extensions can sometimes influence Chrome’s functionality and performance. Many users have installed extensions from the Chrome Web Store, but some users have extensions that were silently installed without their knowledge.

Until now, it has been possible to silently install extensions into Chrome on Windows using the Windows registry mechanism for extension deployment. This feature was originally intended to allow users to opt-in to adding a useful extension to Chrome as a part of the installation of another application. Unfortunately, this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgment from users.

Two new features in Chrome 25 will help users run only the extensions they want to use:

Extensions installed by third party programs using external extension deployment options will be disabled by default. When a third party program installs an extension, the Chrome menu will be badged, and users can click through the Chrome menu to see a dialog containing an option to enable the extension or to remove it from their computer.

In addition, all extensions previously installed using external deployment options will be automatically disabled. Chrome will show a one-time prompt to allow the re-enabling of any of the extensions.

Windows application developers should ask users to install Chrome extensions from within Chrome. A great way to allow users to install a Chrome extension related to your Windows application is to link users to your website and use inline installation.

If you have questions, please get in touch with us on the Chromium extensions group.

Posted by Peter Ludwig, Product Manager

Built on Web Components, and inspired by Model Driven Views, Dart's Web UI library is now ready for testing. This early release of Web UI supports dynamic templates, live one-way and two-way data binding, and custom DOM elements. Web UI also includes a compiler that makes these features available to all modern browsers today.

Read More

Built on Web Components, and inspired by Model Driven Views, Dart's Web UI library is now ready for testing. This early release of Web UI supports dynamic templates, live one-way and two-way data binding, and custom DOM elements. Web UI also includes a compiler that makes these features available to all modern browsers today.

Web UI helps you build declarative apps that have cleaner semantics and structure. You can build and use custom elements like <x-survey> that encapsulate their style, behavior, and structure to hide implementation details like deeply nested HTML tags. Just like HTML tags, these new tags (aka custom elements) can be nested, extended, and shared with other developers.

Web UI also automatically keeps the HTML page and data models in sync with one-way and two-way data binding. Simply declare, in the DOM itself, the bindings between Dart objects and page elements and let Web UI take care of the details.

Here is a small snippet from a simple TODO app that shows some of these features, including:

(1) linking to a custom element
(2) declarative event handling
(3) templates and iteration
(4) data binding with a custom element

To see Dart Web UI in action, we've ported the ubiquitous TodoMVC sample app:

Getting started and installing Web UI is easy with pub, the Dart package manager. Simply add the web_ui package to your list of dependencies and run pub install. Once installed, you can even configure Dart Editor to watch for changes and automatically recompile your Web UI apps for quick and easy edit and reload development cycles.

To learn more about Dart's Web UI package, you can read the docs and browse the summary of features. There's more work to do, and we look forward to your comments on our mailing list.

Posted by Siggi Cherem, Software Engineer

Since we launched Chrome, the team has continued to work on ways to make it fast and simple for people to use. To that end, we’re going to begin testing variations ...Read More

Since we launched Chrome, the team has continued to work on ways to make it fast and simple for people to use. To that end, we’re going to begin testing variations of Chrome’s New Tab page (NTP) in which a user’s default search provider will be able to add a search box or otherwise customize the NTP. While you can search straight from the omnibox in Chrome, we’ve found that many people still navigate to their search engine's home page to initiate a search instead. The goal is to save people time by helping them search and navigate the web faster.

We’ll also allow search engines to display the user’s search terms right in the omnibox, which avoids the need for a second search box on the results page. This new capability, along with other ways to improve search suggestions, are exposed in a new Embedded Search API, an extension of the existing SearchBox API. Search engines can implement any part of the specification if they’d like their users to experience a customized variation of the NTP experience.

Starting today, a small set of users on Dev channel on Windows and Chrome OS, who have Google selected as their search provider, will begin seeing variations of the new experience. Mac will be coming soon. We look forward to your feedback and bug reports, which you can file against the InstantExtended feature on crbug.com.

Posted by David Holloway, Software Engineer

Many popular applications today help users consume, share, manage, and edit media content, as evidenced by the rise of web apps like Google Play Music and YouTube. For Chrome packaged app developers ...Read More

Many popular applications today help users consume, share, manage, and edit media content, as evidenced by the rise of web apps like Google Play Music and YouTube. For Chrome packaged app developers, the new Media Galleries API introduces a simple way for apps to access media stored on a user’s device (with the user’s permission, of course).

To use the API, you first have to determine what kind of permission your app needs to access user’s media:

• read-only: allows media content to be read, but not modified 
• read-write: allows media content to be read and modified 
• add-files: allows media to be added to the galleries but prevents modifying existing media files. 

Currently, only read-only access is supported. Support for read-write and add-files will be introduced in a future release.

To retrieve media content, use getMediaFilesystems(). If this is the first time your app is accessing the user’s media libraries, the system will prompt the user to grant access:



You can also make your app explicitly ask the user to designate specific galleries. This is useful if, for example, your app is only interested in pictures. Once access is granted, your app can then retrieve a list of LocalFileSystem structures. At that point, you can use the W3C FileSystem API to access the media gallery content.



NOTE: The file system APIs will only return files that the Chrome platform natively supports, and only the asynchronous version of the FileSystem API is currently supported.

We’re eager to see what great applications you will build with the Media Galleries API and the Chrome Packaged Apps platform. To get started, clone our samples repository and look at the Media Galleries sample application. Have questions or comments? Subscribe to chromium-apps and follow us on our Google+ page!

Posted by Joe Marini, Developer Advocate

Sandboxing is a layer of security that Chrome places between attackers and their computer, aiming to isolate an attacker who has successfully exploited a vulnerability. When contained in a sandbox jail, an attacker will typically look for porous or fragile bits in the walls to throw rocks at. That is, he’ll try to gain additional privileges by taking advantage of other vulnerabilities. Our job is to make the virtual walls of the sandbox as strong and impenetrable as possible.Read More

Sandboxing is a layer of security that Chrome places between attackers and their computer, aiming to isolate an attacker who has successfully exploited a vulnerability. When contained in a sandbox jail, an attacker will typically look for porous or fragile bits in the walls to throw rocks at. That is, he’ll try to gain additional privileges by taking advantage of other vulnerabilities. Our job is to make the virtual walls of the sandbox as strong and impenetrable as possible.

One juicy target for attackers is the operating system’s kernel: a large and complex code base. The latest stable version of Chrome introduces a new layer of sandboxing of Chrome renderers for the 64-bit versions of Chrome OS and Linux, based on a new kernel feature called seccomp-bpf. With seccomp-bpf we’ll install a small filter in the kernel that will quickly reject many of the rocks thrown by an attacker. A simple example: if we know that Chrome renderers don’t need a system call such as vmsplice, or a facility such as “inotify”, we can just deny them completely. We use a broker process model to keep the list of allowed system calls small.

Installing this filter in the kernel improves the security of our users. But it is just the beginning: using this new facility, we’ll continue to make the sandbox safer.

This new sandbox layer is automatically baked into the latest version of Chrome OS. On Linux, you can check by going to chrome://sandbox and look for “Seccomp-BPF sandbox Yes”. If this is not available, ask your Linux distribution to include and enable seccomp-bpf in its kernel, as Ubuntu has done since version 12.04.


As always, you can report bugs and issues here, by clicking on “New issue”.

Posted by Julien Tinnes, Software Engineer

Whether your web app involves scrolling down a long list of news headlines or a game with flying birds and crumbling structures, you want your web app to look as smooth as native apps. It used to be tricky to chase down the cause of animation jitter and lag in user actions with ...Read More

Whether your web app involves scrolling down a long list of news headlines or a game with flying birds and crumbling structures, you want your web app to look as smooth as native apps. It used to be tricky to chase down the cause of animation jitter and lag in user actions with Chrome Developer Tools. This is why we’ve added the Frame Mode to our Timeline panel to help you pinpoint offending long frames and understand what’s causing them to run slowly.

So, what’s a frame? A frame includes all the tasks that the browser needs to perform in order to update the screen upon a user action or a tick of the animation timer. A complex, but not uncommon, sequence might be:

1. run JavaScript animations and other event handlers 
2. update CSS animations 
3. recalculate styles and lay out the elements in the DOM 
4. re-paint the updated layers of the page 
5. compose them and present to the user 

Delivering a butter-smooth animation means completing all of the above in less than 16.6ms (common 60Hz refresh rate). If you are not done by then, you’ll miss the frame and the animation will appear janky.

To see how using Timeline can help you, run your favorite browser-based game, then open Developer Tools and record the Timeline while the game is running some animation. The Timeline Frame mode will now show you colored bars, each representing a frame. The colors correspond to different types of timeline events:

• network activity and HTML parsing (blue) 
• running JavaScript (yellow) 
• performing style recalculation and layout (violet) 
• painting and compositing (green) 

You can zoom in by selecting several frames or by clicking on a particular frame of interest. Looking at a specific frame in detailed view will show you the frame duration, and you can find more detailed statistics by hovering on it.



Even if your web app doesn’t have animation in it, the notion of a frame is still useful because the browser performs a repeated sequence of actions while processing input events such as keypress, mouse actions, scrolling etc. Leaving enough time to process such events inside a frame makes your app more responsive and interactive, resulting in a better overall experience for users.

In large web applications with huge DOM trees, layout typically takes time and resources. Doing it in a loop makes things much worse. So we’ve added a warning mark on layouts that were forced, by requesting positional properties (e.g. offsetWidth and offsetHeight) of DOM elements from JavaScript. If you hover over the layout event, you can see two stacks -- one that invalidated the DOM and another that caused layout synchronously. You can also see the area that had to be re-laid highlighted on the screen.



Finally, don’t forget that the best practice for dealing with animations is to use the requestAnimationFrame API, which guarantees that Chromium will call back your animation code in sync with the display refresh.

You can learn more about optimizing rendering performance of a page in Tom Wiltzius’ article on html5rocks.com. Follow Google Chrome Developers on Google+ or @ChromiumDev on Twitter for more news on Chrome Developer Tools.

Posted by Andrey Kosyakov, Software Engineer

Even though Chrome extensions and legacy packaged apps are similar at a technical level, users have very different expectations for how extensions and apps should look and behave. Users expect extensions to interact with the whole browser, whereas they expect apps to act solely in their containing tab or window.Read More

Even though Chrome extensions and legacy packaged apps are similar at a technical level, users have very different expectations for how extensions and apps should look and behave. Users expect extensions to interact with the whole browser, whereas they expect apps to act solely in their containing tab or window.

Until now, all Chrome legacy packaged apps could request the same permissions and use the same APIs as extensions to interact with Chrome. In order to make the capabilities of legacy packaged apps more closely align with user expectations, we’ve decided to limit the extensions permissions that legacy packaged apps can request.

Beginning this week, you won’t be able to publish legacy packaged apps in the Chrome Web Store that request any of the following permissions:
(a) any host permissions, including "< all urls >" 
(b) the top-level "content_scripts" key 
(c) the "debugger", "devtools", "pageCapture", "plugin", "proxy", "tabs'", "history", "webNavigation" permissions 
(d) the top-level "npapi" key 

Existing legacy packaged apps in the Chrome Web Store will not be affected, and those existing apps can continue to be updated without being subject to these new restrictions. 

If you have questions, please get in touch with us on the Chromium extensions or Chromium apps groups.

Posted by Peter Ludwig, Product Manager

Earlier today we launched JAM with Chrome. JAM with Chrome is an interactive web application that enables friends in different locations to play music together in the Chrome browser on their computers.Read More

Earlier today we launched JAM with Chrome. JAM with Chrome is an interactive web application that enables friends in different locations to play music together in the Chrome browser on their computers.



JAM with Chrome was built with the latest browser technologies:

• Web Audio for high fidelity playback without resorting to lots of pre-recorded audio samples. 
• WebSockets is used to deliver immediate real-time playback across all the members of the band ensuring they stay in sync and playing from the same tab sheet. 
• Finally, CSS3, SVG and Canvas provide rich visuals and an immersive experience.

To learn more about how we built this experience, check out “How we made the Audio rock”. This is the first of three HTML5 Rocks articles that describes how the team used Web Audio to deliver an absorbing auditory experience. Stay tuned for more developer stories by following +Google Chrome Developers.

Enjoy playing music with friends at www.jamwithchrome.com and be sure to open Chrome’s developer tools to see what’s going on backstage!

Posted by Paul Kinlan, Developer Advocate

Today’s Chrome Beta channel release includes a slew of awesome new developer features.Read More

Today’s Chrome Beta channel release includes a slew of awesome new developer features.

Datalist support in date and time

datalist allows you to specify a list of suggested dates and times for input elements. Of course, users still have the freedom to enter arbitrary dates and times. One use case is helping users choose when their food should be ready for pickup:









MathML

Now you can write mathematical content in MathML and expect it to be consistently beautiful across the web. Special kudos to WebKit volunteer Dave Barton for implementing this on his own accord.




Other new features in this release

• CSS custom filters have landed behind a flag. They enable sweet cinematic effects like page flipping with just CSS and HTML. You can turn them on with chrome://flags. 
• Chromium now parses the autocomplete attribute according to spec. Use it to specify which type of saved user data the browser should use to prefill input elements. Examples are name and street-address. 
• A few brand new features landed with a prefix: -webkit-hyphens gives you more control over hyphenation at line breaks, and -webkit-clip-path enables you to clip DOM content to an SVG shape. 

Un-prefixed APIs 

APIs un-prefixed in today’s Beta release include:

• IndexedDB, a client-side storage API offering fast access to large amounts of structured data 
• Intl, which adds support for JavaScript internationalization of date format, number format, collation and non-standard segmentation, and more time zones 
• postMessage, a feature enabling cross-origin communication (including support for fast transferable objects) 
• requestAnimationFrame for silky smooth JavaScript animations 
• performance.now() for reliable, high-resolution timing 

Today’s Beta release supports these APIs in both their prefixed and un-prefixed forms. If you’re currently using the prefixed versions, you should switch to the un-prefixed versions after today’s Beta release reaches the Stable channel. At that point the prefixed versions will be deprecated, and future releases may not support them.

Experiments removed in this release 

As the web platform evolves, support for some experiments has been removed. The Blob constructor should now be used instead of the WebKitBlobBuilder API, and the Blob.webkitSlice() method is deprecated in favor of Blob.slice(). We also gathered a lot of valuable data and feedback from our experimental support for Web Intents and decided to disable the feature in today's Beta release.

Stay in the loop 

Visit chromestatus.com for a complete overview of Chrome’s developer features, and circle +Google Chrome Developers for more frequent updates.

We hope you enjoy this Beta release as much as we’ve enjoyed working on it!

Posted by Peter Beverloo, Software Engineer and Web Platform Enthusiast

Chrome packaged apps aim to deliver an app experience with the appearance and capabilities of native apps, but built using the growing capabilities of HTML5. These apps can access APIs for better filesystem handling, direct access to hardware devices, raw network communication and ...Read More

Chrome packaged apps aim to deliver an app experience with the appearance and capabilities of native apps, but built using the growing capabilities of HTML5. These apps can access APIs for better filesystem handling, direct access to hardware devices, raw network communication and many others. One of the new APIs that just landed in an experimental state is TCP Listen, which allows an app to accept incoming TCP connections.

Since the developer preview launch earlier this year, Chrome packaged apps have been able to connect to remote servers using TCP or UDP, and bind to a UDP port. For example, this Media Center application searches for and connects to media servers in the local network. Now, through the new TCP Listen API, a Chrome packaged app can also act as a TCP server itself and accept incoming connections on specified ports.

You can use this API, for example, to create a HTTP server on a development environment application, to automate a browser window for page load testing (see image below) or even to augment the Media Center application with a DLNA®/UPnP media server and show your PicasaWeb pictures on your DLNA® enabled television.



To get started, clone this GitHub repository and look at the webserver and the TCP server samples. You may also want to watch the Chrome Apps Office Hours where we specifically talk about the TCP Listen API.

We are curious to see what clever ideas you will come up with. Have questions or comments? Subscribe to chromium-apps and let us know!

Posted by Renato Mangini, Developer Advocate

Chrome Web Store developers can create and distribute apps and extensions that use NPAPI plug-ins. However, platforms such as ChromeOS and Windows 8 don’t support NPAPI. Today, we’re making the installation of apps and extensions that use NPAPI smarter, to help users avoid installing items that they can’t use on their particular platform.Read More

Chrome Web Store developers can create and distribute apps and extensions that use NPAPI plug-ins. However, platforms such as ChromeOS and Windows 8 don’t support NPAPI. Today, we’re making the installation of apps and extensions that use NPAPI smarter, to help users avoid installing items that they can’t use on their particular platform.

If a user visits the Chrome Web Store on a platform that doesn’t support NPAPI, the store will filter out all items that use it from the home page and the various category pages. These apps and extensions will still show up in search results, and can be visited from direct URL links, but the Details dialog for each item will display a message that the app or the extension in question cannot be installed and the Install button will be disabled.

If you are a developer whose apps or extensions use NPAPI but can still work without it, we’ve provided a way for you to prevent your items from being filtered out. In your manifest.json file under the requirements section, specify the “npapi” flag like this:

"requirements": {
   "plugins": {
       "npapi": false
    }
 }

This will allow your apps and extensions to continue to be available to users on platforms that don’t support NPAPI. If your plug-in doesn’t have any explicit dependencies on the underlying OS, then you should really consider porting it to Native Client, which provides improved portability and security and runs just great on Windows 8 and ChromeOS.

Have any questions or comments about NPAPI? You can reach us on our developer forum for all of your store-related questions.

Posted by Joe Marini, Developer Advocate

The Chrome Developer Tools team recently launched new features and made several UI changes to improve your development and debugging workflow.Read More

The Chrome Developer Tools team recently launched new features and made several UI changes to improve your development and debugging workflow.

Develop for mobile 

Since we launched Chrome for Android, you’ve been able to use Chrome Developer Tools to debug and profile mobile web pages and web apps.

Today, we take this feature one step further by introducing device emulation support in Chrome Developer Tools. Device emulation includes, among other things, native User Agent and dimension overriding. This allows developers to debug mobile browsers on different devices and operating systems via the Settings Menu. So, now, you can emulate the exact device metrics of devices like the Galaxy Nexus and the iPhone to test your media query-driven design.

Chrome Developer Tools also supports single touch event emulation to make it easier to debug mobile applications on the desktop.

Profile rendering performance 

The Timeline’s Frame Mode feature now allows you to profile Chrome’s rendering performance, remove the jank and deliver the silky smooth performance users expect from your apps. To learn more about this topic, check out the recent "Jank Busters" video from Google I/O.



Preview your log items

The console now prints a user-friendly snapshot of the object properties taken at log time, whereas by expanding the object manually, you can still see its live content. This is especially useful when logging an object in a loop and observing its mutation. With this change, we resolved a longstanding bug many of you prioritized on crbug.com.



Play with experimental features

You can now try new experimental features in Chrome Developer Tools by visiting chrome:flags and enabling them there. Once you do that, a new tab called “Experiments” will be visible in the settings menu, allowing you to enable and use any of the following experiments:

• Snippets (essentially multi-line console on steroids) 
• Source mapping support for SASS 
• Native memory profiling 
• Geolocation / orientation override 
• FileSystem inspection 
• Canvas inspection 
• CPU activity in Timeline 
• CSS Regions support 

Some of these experimental features are almost ready while others have just landed and need some more refining. In either case, we’d love your feedback before we bake these fully in Chrome Developer Tools. You can also read our recently updated contribution guide if you’re interested in helping us make the tools better.

To get more information on all of Chrome Developer Tools features, check out our “Chrome Developer Tools Evolution” talk at the I/O 2012. You can also follow Google Chrome Developers on Google+ or @ChromiumDev on Twitter for more news on changes landing in Chrome Developer Tools.

Posted by Stefano Cazzulani, Product Manager

To publish an app in the Chrome Web Store, developers need to prove they own the domain that hosts their application. Until recently, the only way to do this was through ...Read More

To publish an app in the Chrome Web Store, developers need to prove they own the domain that hosts their application. Until recently, the only way to do this was through Google’s Webmaster Tools. Today, we are simplifying the process further by allowing you use Google's site verification service to prove your association with a verified site.

Suppose you want to publish an app on the Chrome Web Store and have it associated with your company’s existing site, but you don’t have the ability to use any of the current verification methods e.g. you’re not allowed to upload a verification file to the root directory. The site verification service option in the edit page for each item listed in your Chrome Web Store developer dashboard allows you to request association of your app with your organization’s site:



When you choose an existing site from the drop-down menu or click “Add a new site”, the current registered owner for the site will receive a notification of your request to be associated. The owner can see who is making the request, and then approve or deny the request appropriately. That’s all there is to it! (Note: if this checkbox isn’t available, it may be because there’s no current owner of the site or you already have an outstanding association request).

We hope that this new feature will further streamline the process for publishing new apps on the Chrome Web Store, and allows you to focus more on developing your app and less on process. Have any questions or comments about using Google’s site verification service? You can reach us on our developer forum for store-related questions or head on over to the Webmaster Help forum.

Posted by Joe Marini, Developer Advocate

Native Client (NaCl) enables you to write high-performance apps that run your C and C++ code in the browser. With the new Native Client add-in for Microsoft Visual Studio and the new Native Client debugger it just got a lot easier.Read More

Native Client (NaCl) enables you to write high-performance apps that run your C and C++ code in the browser. With the new Native Client add-in for Microsoft Visual Studio and the new Native Client debugger it just got a lot easier.

The Visual Studio add-in makes it easy to set up, build, run, and debug your app as a Pepper plug-in and as a Native Client module. If you are porting an existing application to Native Client, building as a Pepper plug-in is a convenient intermediate stage for development enabling you to gradually rewrite the app to use the Pepper APIs (video).



The Native Client debugger, affectionately called nacl-gdb, works on Windows, Mac, and Linux and is now available in the SDK. So whatever your development platform, you can now spend more time coding features and less time chasing bugs with printf.

Following the Native Client philosophy of being OS-independent and open source, nacl-gdb is based on... well... gdb! For those of you who are not excited by a text interface, the Visual Studio add-in makes interacting with the debugger easier. If you use a different development environment that can interact with gdb, you can point it to nacl-gdb and use the same commands plus some additional NaCl-specific commands.



Whether you’re an existing Native Client developer or thinking about using Native Client for your next project, now is a great time to grab the SDK, write an amazing app, and quickly squash any bugs you find. We look forward to questions on Stack Overflow and ideas and comments in the discussion forum.

Posted by Christian Stefansen, Product Manager

A year ago we released a technology preview of Dart, a project that includes a modern language, libraries and tools for building complex web applications. Today, after plowing through thousands of bug reports and feature requests from the web community, a new, more stable and comprehensive version of Dart is now available and ready to use.Read More

A year ago we released a technology preview of Dart, a project that includes a modern language, libraries and tools for building complex web applications. Today, after plowing through thousands of bug reports and feature requests from the web community, a new, more stable and comprehensive version of Dart is now available and ready to use.

With this version of the Dart SDK, we’ve made several improvements and added many features:

• A faster Dart Virtual Machine that on some Octane tests outperforms even V8. 
• A new Dart to JavaScript translator that generates fast and compact output.
• An HTML library that works transparently on modern browsers.
• A library to interoperate with JavaScript code.
• An easy to use editor.
• Pub, a new package manager
• Dartium, a Chromium build with native Dart support.
• A server-side I/O library.
• A language specification describing the Dart semantics, including new features.

Over the following months, we will continue to work hard to evolve the SDK, improve Dart’s robustness and performance, and fine-tune the language while maintaining backwards compatibility.

You can download the Dart Editor from dartlang.org. It comes with a copy of the open-source SDK and Dartium. Thanks again for all your feedback - keep it coming.

Posted by Lars Bak, Software Engineer

If you are as obsessed with the speed of your web pages as we are, then you may have heard of mod_pagespeed, an Apache module that automatically optimizes your web pages for performance. Since ...Read More

If you are as obsessed with the speed of your web pages as we are, then you may have heard of mod_pagespeed, an Apache module that automatically optimizes your web pages for performance. Since we introduced mod_pagespeed in 2010, we’ve been focused on improving its functionality, to help developers increase the performance of their web pages. Today, after 18 releases, mod_pagespeed is now officially out of beta.



More than 120,000 sites are already using mod_pagespeed to take advantage of the latest performance optimization techniques. To learn more about mod_pagespeed and how to incorporate it in your site, watch our recent Google Developers Live session or visit the mod_pagespeed developer documentation site.

Posted by Ilya Grigorik, Developer Advocate

As part of our ongoing effort to reward exceptional vulnerability research in the security community, we hosted the Pwnium 2 competition at Hack in the Box 2012 in Kuala Lumpur yesterday.Read More

As part of our ongoing effort to reward exceptional vulnerability research in the security community, we hosted the Pwnium 2 competition at Hack in the Box 2012 in Kuala Lumpur yesterday.

We’re happy to confirm that we received a valid exploit from returning pwner, Pinkie Pie. This pwn relies on a WebKit Scalable Vector Graphics (SVG) compromise to exploit the renderer process and a second bug in the IPC layer to escape the Chrome sandbox. Since this exploit depends entirely on bugs within Chrome to achieve code execution, it qualifies for our highest award level as a “full Chrome exploit,” a $60,000 prize and free Chromebook.

One of Chrome’s most effective security defenses is our fast response time and ability to update users with critical patches, quickly. These bugs were no exception. We started analyzing the exploit as soon as it was submitted, and in fewer than 10 hours after Pwnium 2 concluded we were updating users with a freshly patched version of Chrome.

We’d like to thank Pinkie Pie for his hard work in assembling another great Pwnium submission. We’ll post an in-depth look at the bugs used and subsequent mitigations once other platforms have been patched.

Posted by Chris Evans, Software Engineer

Security is one of Chrome’s core principles, and we work closely with the security community to continually make the web safer for users. In that spirit, we're hosting Pwnium 2 ...Read More

Security is one of Chrome’s core principles, and we work closely with the security community to continually make the web safer for users. In that spirit, we're hosting Pwnium 2 at Hack in the Box 2012 in Kuala Lumpur this week.

Participants will be able to demonstrate their pwns against Chrome at 9 a.m. Wednesday local time (1 a.m. GMT for folks keeping track). We’ll be actively analyzing any submissions we receive, and will announce successful exploits and prizes during our talk at 5 p.m, Thursday (9 a.m. GMT) on the evolution of Chrome’s vulnerability rewards program.

Stay tuned!

Posted by Chris Evans, Software Engineer

 


Posted by Peter Lubbers, Program Manager Read More

Calling designers, web developers, and the creatively curious! Next week marks the launch of Google Developers Live Presents, a new series of exclusive programming from GDL.  Presents kicks off this month with Design Ignites the Web, a family of episodes that takes you on a journey from back-end to front-end, showing you how to create compelling projects in the browser. The series will feature exclusive interviews with the developers behind select Chrome Experiments, Chrome WebLab, Movi.Kanti.Revo, and DevArt.

So, what’s coming up?  

Make Web Magic: The Minds Behind the Most Popular Chrome Experiments | Tuesday, October 9 - Part 1, 1:00 PM PDT | 20:00 UTC [Event page] | Part II, 2:00 PM PDT | 21:00 UTC [Event page] | Part III, 3:00 PM PDT | 22:00 UTC [Event page] Using the latest open web technologies, the developers creating some of the most inspired Chrome Experiments showcase their latest web experiments and discuss how they are making the web faster, more fun, and open in this 3-episode hangout. Host: Paul Irish, Developer Advocate, Chrome Guests: Hakim: Google+, Website | Michael Deal: Google+, Website | Mark Danks: Google+, Website  

All the Web’s a Stage: Building a 3D Space in the Browser | Thursday, October 11 - 10:30 AM PDT | 17:30 UTC  [Event page] Meet the designers and creative team behind a new sensory Chrome experiment, Movi.Kanti.Revo, in a live, design-focused Q&A. Learn how Cirque du Soleil and Subatomic Systems worked to translate the wonder of Cirque into an environment built entirely with markup and CSS. Host: Pete LePage, Developer Advocate Guests: Gillian Ferrabee, Creative Director, Images & Special Projects, Cirque du Soleil | Nicole McDonald, Director/Creative Director, Subatomic Systems  

Van Gogh Meets Alan Turing: The Browser Becomes a Canvas with DevArt | Friday, October 19 - 10:00 AM PDT | 17:00 UTC  [Event page] How can art and daily life be joined together? Host Ido Green chats with creators Uri Shaked and Tom Teman about tackling this question with their “Music Room” – a case study in the power of Android – and with Emmanuel Witzthum on his project “Dissolving Realities,” which aims to connect the virtual environment of the Internet using Google Street View. Host: Ido Green, Developer Advocate Guests: Uri Shaked, Tom Teman, and Emmanuel Witzthum

Push the Limits: Building Extraordinary Experiences with Chrome | Week of October 29  [Event page] The experiments in Chrome Web Lab are pushing the limits of what developers can build in a browser. Explore the design and technical mastery that went into making extraordinary experiences, directly from the experiments’ home, the London Science Museum. Hosts: Pete LePage, Developer Advocate | Paul Kinlan, Developer Advocate Guests: Tellart & B-Reel representatives for Universal Orchestra, Sketchbot, Teleporter, LabTag, DataTracer  

If you can’t make the live show, you’ll still be able to see recordings of these and past sessions on our YouTube channel.  For more information on our monthly schedule, add +Google Developers to your circles and follow @googledevs on Twitter.

Posted by Peter Lubbers, Program Manager

Cross-posted on the Google Developers Blog

When you want to build something for the web, it's surprisingly difficult to find out how you can implement your vision across all browsers and operating systems. You often need to search across various websites and blogs to learn how certain technologies can be used. It's kind of like a scavenger hunt, except it's not any fun.Read More

Cross-posted on the Google Developers Blog

When you want to build something for the web, it's surprisingly difficult to find out how you can implement your vision across all browsers and operating systems. You often need to search across various websites and blogs to learn how certain technologies can be used. It's kind of like a scavenger hunt, except it's not any fun.

This scavenger hunt is soon coming to an end. Google along with the W3C and several leading internet and technology companies just announced the alpha release of Web Platform Docs. Web Platform Docs is a community-driven site that aims to become the comprehensive and authoritative source for web developer documentation.



The founding members of Web Platforms Docs have all already provided a lot of content for the site to help get this effort off to a strong start. However, collectively, we’ve barely scratched the surface. We decided that it would be better to open up Web Platform Docs to the community as early as possible, so that everyone--including you--can help expand and refine the documentation, and ultimately define the direction of the site.

If you have more questions about Web Platform Docs, you can find us on Twitter.

Posted by Alex Komoroske, Product Manager

In recent years, video has taken a central role on the web. Developers are using the latest web technologies to make it easier for users to access, watch, and create video content. Today’s ...Read More

In recent years, video has taken a central role on the web. Developers are using the latest web technologies to make it easier for users to access, watch, and create video content. Today’s Chrome Beta update includes more tools for developers to take video engagement to the next level.

Chrome now includes the PeerConnection API, which allows developers to create web apps with real-time audio and video calling without the need for a plug-in. Together, PeerConnection and the getUserMedia API represent the next steps in WebRTC, a new standard which aims to allow high quality video, audio, and data communications on the web. Check out this funky video chat demo to see how the PeerConnection API can be combined with other web technologies to create fun new video chat experiences. To start the video chat demo, send the url to a friend.

Today’s Chrome Beta update also includes track support for HTML5 video. Track support provides an easy, standard way to add subtitles, captions, descriptions, chapters, and metadata to videos. It can be used to make videos accessible, split videos into sections, and create new unique video experiences. Track provides developers with a unified, programmatic mechanism for doing all these things in the HTML DOM and Javascript. In the following demo, track is used to enhance a video of a bike ride with metadata including a Google Map showing the biker’s route and Google Street View from the biker’s location.

Last but not least, we’ve added the MediaSource API. It provides a video playback solution that adapts video quality based on changing computer and network conditions to prevent excessive buffering and startup delays for videos -- in other words, your video will play silky smooth for users with no annoying stutters. Watch how smooth this demo video plays despite fluctuations in your network speed.

To get your hands on all this tasty video goodness, download Chrome Beta.

Posted by Justin Uberti, Software Engineer and Trained Video Professional

Moving the web forward includes enabling new classes of applications. Today’s Chrome Stable release advances this effort with the inclusion of the Pointer Lock JavaScript API (often called Mouse Lock). Now, 3D applications such as first-person games can allow users to control their perspective naturally with the mouse, without moving outside the window or bumping into the edge of their screen. Try it out for yourself in this 3D ...Read More

Moving the web forward includes enabling new classes of applications. Today’s Chrome Stable release advances this effort with the inclusion of the Pointer Lock JavaScript API (often called Mouse Lock). Now, 3D applications such as first-person games can allow users to control their perspective naturally with the mouse, without moving outside the window or bumping into the edge of their screen. Try it out for yourself in this 3D, first-person shooter demo created by our friends at Mozilla.

While games are fun, these capabilities also empower other types of applications such as medical and scientific visualization, training, simulation, modeling, authoring packages, and more. We're excited to see recent web platform technologies such as WebGL, Web Audio, Fullscreen, WebSockets, Gamepad, and Pointer Lock combine to be greater than the sum of their parts. Game developers have an excellent platform on which they can deploy rich games with all the benefits of the instant-on, auto-updating, linkable, shareable, and searchable web.

As always, Chrome will automatically update itself to include these latest enhancements. If you haven’t tried Chrome yet, give it a spin!

Posted by Vincent Scheib, Software Engineer often overheard singing, "And we’re out of Beta. We’re releasing on time."

Earlier this year at Google I/O, we gave developers a sneak peek at Movi.Kanti.Revo, a new sensory Chrome experiment crafted by Cirque du Soleil and developed by Subatomic Systems that brings the magic of Cirque du Soleil to the web through modern web technologies. The full experiment, which allows users to follow a mysterious character through a beautiful world of Cirque du Soleil performances, was launched today at the ...Read More

Earlier this year at Google I/O, we gave developers a sneak peek at Movi.Kanti.Revo, a new sensory Chrome experiment crafted by Cirque du Soleil and developed by Subatomic Systems that brings the magic of Cirque du Soleil to the web through modern web technologies. The full experiment, which allows users to follow a mysterious character through a beautiful world of Cirque du Soleil performances, was launched today at the Big Tent event in New York City.



The experiment was created using just HTML5, and the environment is built entirely with markup and CSS. Like set pieces on stage, divs, images and other elements are positioned in a 3D space using CSS. To create movement, CSS animations and 3D transforms were applied making the elements appear closer and further away. Everything is positioned and scaled individually to create a highly realistic interactive environment. In addition, the experiment uses HTML5 <audio> to play music and sounds.

Movi.Kanti.Revo breaks with the tradition of keyboard or mouse navigation; instead users navigate through an interactive Cirque du Soleil world with their gestures. To accomplish this, the experiment asks users for permission to access their web cam using the new getUserMedia API. With this new API, the experiment renders the camera output to a small <video> element on the page. A facial detection JavaScript library then looks for movement and applies a CSS 3D transform to the elements on the page, making environment move with the user.

Because this experience was built using just markup, it works in the browser across all devices. The experiment takes advantage of the rich capabilities possible on mobile devices, like the accelerometer to navigate through the world.

To learn more about how this experiment was built, check out the new technical case study or join us for a special Google Developers Live Behind The Divs event on September 20th at 8:30am PDT /15:30 UTC where we’ll be talking to the engineers behind the project.

Head over to Movi.Kanti.Revo at www.movikantirevo.com to check things out, and be sure to open Chrome’s developer tools to see what’s going on behind the <div>s!

Pete LePage, Developer Advocate

Cross-posted on the Google Developers Blog

At Google, we are constantly looking at ways to make web pages load faster. One way to do this is by making web images smaller. This is especially important for mobile devices where smaller images save both bandwidth and battery life. Earlier this month, we released ...Read More

Cross-posted on the Google Developers Blog

At Google, we are constantly looking at ways to make web pages load faster. One way to do this is by making web images smaller. This is especially important for mobile devices where smaller images save both bandwidth and battery life. Earlier this month, we released version 0.2 of the WebP library that adds support for lossless and transparency modes to compress images. This version provides CPU and memory performance comparable to or better than PNG, yet results in 26% smaller files.

WebP’s improved compression comes from advanced techniques such as dedicated entropy codes for different color channels, exploiting 2D locality of backward reference distances and a color cache of recently used colors. This complements basic techniques such as dictionary coding, Huffman coding and color indexing transform. We think that we've only scratched the surface in improving compression. Our newly added support for alpha transparency with lossy images promises additional gains in this space, helping make WebP an efficient replacement for PNG.

The new WebP modes are supported natively in the latest Beta version of Chrome. The bit stream specification for these new WebP modes has been finalized and the container specification has been updated. We thank the community for their valuable feedback and for helping us evolve WebP as a new image compression format for the web. We encourage you to try these new compression methods on your favorite set of images, check out the code, and continue to provide feedback.

Posted by Jyrki Alakuijala - Software Engineer

The web is evolving and so should the JavaScript benchmarks that measure its performance. Today, we are releasing Octane, a JavaScript benchmark suite that aims to measure a browser’s performance when running the complex and demanding web applications that users interact with daily.Read More

The web is evolving and so should the JavaScript benchmarks that measure its performance. Today, we are releasing Octane, a JavaScript benchmark suite that aims to measure a browser’s performance when running the complex and demanding web applications that users interact with daily.

Most of the existing JavaScript benchmarks run artificial tests that were created on an ad-hoc basis to stress a specific JavaScript feature. Octane breaks with this tradition and extends the former V8 Benchmark Suite with 5 new benchmarks created from full, unaltered [1], well-known web applications and libraries. A high score in the new benchmarks directly translates to better and smoother performance in similar web applications.

Here is an overview of the new tests:

• Box2DWeb runs a JavaScript port of a popular 2D physics engine that is behind many well-known simulations and web games. 
• Mandreel puts a JavaScript port of the 3D Bullet Engine to the test with a twist: The original C++ source code for the engine is translated to JavaScript by Onan Games’ Mandreel compiler, which is also used in countless web-based games. 
• Pdf.js is based on Mozilla’s PDF reader and shows how Javascript applications can replace complex native browser plug-ins. It measures how fast the browser decodes a sample PDF document. 
• GB Emulator is derived from an open source emulator of a famous game console running a 3D demo. 
• CodeLoad measures how quickly a JavaScript engine can bootstrap commonly used JavaScript libraries and start executing code in them. The source for this test is derived from open source libraries (Closure, jQuery). 

Besides an expanded set of benchmarks, Octane also has an interface that makes it easier to read and that adapts automatically to tablet and mobile screens.



You can try out Octane yourself, browse the source code, or read more about each benchmark at the Octane site. Still have some questions? Have a look at the FAQ page.

[1] Beside glue logic and emulation of canvas / DOM interaction where necessary. 

Posted by Stefano Cazzulani, Product Manager