Chromium Blog
News and developments from the open source browser project
Show off Your Security Skills: Pwn2Own and Pwnium 3
Monday, January 28, 2013
Security is one of the core tenets of Chrome, but no software is perfect, and security bugs slip through even the best development and review processes. That’s why we’ve continued to engage with the security research community to help us find and fix vulnerabilities. Recently, HP’s
Zero Day Initiative
(ZDI) announced details for the annual
Pwn2Own competition
, to be held at the
CanSecWest
security conference taking place March 6-8 in Vancouver, BC. This year we’ve teamed up with ZDI by working together on the Pwn2Own rules and by underwriting a portion of the winnings for all targets. The new rules are designed to enable a contest that significantly improves Internet security for everyone. At the same time, the best researchers in the industry get to showcase their skills and take home some generous rewards.
Today we’re announcing our third Pwnium competition—Pwnium 3. Google Chrome is already featured in the Pwn2Own competition this year, so Pwnium 3 will have a new focus: Chrome OS.
We’ll issue Pwnium 3 rewards for Chrome OS at the following levels, up to a total of $3.14159 million USD:
$110,000: browser or system level compromise in guest mode or as a logged-in user, delivered via a web page.
$150,000: compromise with device persistence -- guest to guest with interim reboot, delivered via a web page.
We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems.
The attack must be demonstrated against a base (WiFi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS. Any installed software (including the kernel and drivers, etc.) may be used to attempt the attack. For those without access to a physical device, note that the
Chromium OS developer’s guide
offers assistance on getting up and running inside a virtual machine.
Standard Pwnium rules apply: the deliverable is the full exploit plus accompanying explanation and breakdown of individual bugs used. Exploits should be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine. The bugs used must not be known to us or fixed on trunk. We reserve the right to issue partial rewards for partial, incomplete or unreliable exploits.
Pwnium 3 will take place on-site at the CanSecWest conference on March 7.
Posted by Chris Evans, Google Chrome Security Team
Native Client support on ARM
Tuesday, January 22, 2013
Native Client
(NaCl) enables Chrome to run high-performance apps compiled from your C and C++ code. One of the main
goals
of Native Client is to be architecture-independent, so that all machines can run NaCl content. Today we’re taking another step toward that goal: our
Native Client SDK
now supports ARM devices, from
version 25
and onwards.
If your app uses Native Client and newlib, you’ll now be able to reach users on ARM devices by simply adding an ARM
.nexe
to your app and making a small adjustment to the Native Client
manifest
. Just get the newest SDK, and you’ll have all the tools you need.
While this will help provide more apps to users with ARM devices, we’re far from done. In 2013 the next generation of Native Client, called
Portable Native Client
, will introduce true architecture-independence by using
LLVM
bitcode as the wire format. With Portable Native Client, we’ll be able to support not just today’s architectures, but also those of tomorrow – and developers won’t have to recompile their app.
We look forward to your technical questions on
Stack Overflow
as well as comments in the discussion
forum
.
Posted by David Sehr, Software Engineer
Google Search in Chrome gets more secure
Friday, January 18, 2013
Today, when users are signed in to Google, Chrome sends their searches from the Chrome address bar (“
omnibox
”) over
Secure Sockets Layer
(SSL). Starting with Chrome 25 (currently in the Dev and Beta channels), we’re doing the same thing for Chrome omnibox searches performed by users who aren’t signed in to Google.
Serving content over SSL provides users with a more secure and private search experience. It helps ensure that malicious actors who might intercept people’s internet traffic can’t see their queries. Many major sites have begun serving content over SSL by default, such as Gmail in early 2010, Twitter in February 2012, and Facebook in November 2012. Search has also been moving toward encryption. Google introduced Encrypted Search in May 2010 and made encryption the default for signed-in users starting in October 2011. Firefox announced a switch to SSL for all Google searches in July 2012, and Safari did the same thing in September 2012. Chrome is continuing this trend.
Users shouldn’t notice any changes. If anything, their searches will be slightly faster due to Chrome’s implementation of the
SPDY protocol
, but there should be no other user-visible effect.
Posted by Adam Langley, Software Engineer
Chrome 25 Beta: Content Security Policy and Shadow DOM
Monday, January 14, 2013
Earlier today
we released Chrome 25 on the
Beta channel
, and last week we introduced
the Beta channel for Chrome for Android
. To kick off the new year, we’ve packed these releases full of developer features. You’ll find all the updates described here in both the desktop and Android releases unless otherwise noted.
Unprefixed support for Content Security Policy
Content Security Policy
(CSP) helps you reduce the risk of cross-site scripting and other content injection attacks. Starting in today’s Beta release, you can use the
unprefixed
Content-Security-Policy
HTTP header to define a whitelist of trusted content sources. The browser will only execute or render resources from those sources. For example:
Prefixed support for Shadow DOM
Web Components
is a set of cutting edge standards that will make it possible to build reusable widgets for the web. Shadow DOM is a key part of Web Components that enables DOM tree encapsulation. Without it, widgets may inadvertently break pages by using conflicting CSS selectors, class or id names, or JavaScript variables.
To get started, try the prefixed
webkitCreateShadowRoot
API available in today’s Beta release. Here’s an example from the
HTML5 Rocks Shadow DOM Tutorial
:
We think Shadow DOM is an important step forward for the web, so we've submitted a comprehensive
test suite
to the W3C to help ensure compatibility between implementations.
Other platform features
In addition to the highlights above, today’s Beta release introduces various other web platform features:
The
JavaScript Web Speech API
enables speech-to-text on the desktop web. Check out this cool
tutorial and demo
to learn how to add speech to your webpages.
For speed junkies, the
Resource Timing API
exposes detailed timing information to JavaScript about subresources loaded by the page, and the
User Timing API
provides access to high-precision timestamps to help measure web app performance.
Chromium's IndexedDB implementation now supports
concurrent transactions
. Some web apps may
inadvertently rely on sequential transactions
, so be sure to test yours in today’s Beta.
Various IndexedDB features have been updated to match the spec:
setVersion
has been
replaced
with the new
upgradeneeded
API, and a few
old constants
have been removed.
The
Web Audio API
now exposes an
OfflineAudioContext
constructor, and a few
AudioContext method names
have been updated to match the latest spec. Note that Chrome for Android doesn’t support the Web Audio API yet.
The
::cue
pseudo-element
lets you
style WebVTT cues
such as HTML5 video subtitles.
Last week’s Beta
release
of Chrome for Android also brought many features already available on other Chrome versions to Android as well. These features are described in detail in the
announcement
on the Chromium blog.
DevTools
Chrome
Developer Tools
help you debug the web. We’re rolling out several updates to desktop DevTools in today’s Beta release:
console.clear()
helps keep your console clean.
The top toolbar is icon-free, though icons can be re-enabled in settings.
A timeline setting was added: “Show CPU activity on the ruler.” console.log formatting accepts multiple styles. For example:
console.log("%cblue! %cgreen!", "color: blue;", "color: green;")
.
The docking toggle switches between most recent modes; “Dock to Right” is now the default alternative.
Emulate the media type to view print stylesheets and @media blocks.
The CodeMirror editor, replacing the default DevTools editor in Sources Panel, was updated to v3.
Stay in the loop
Visit
chromestatus.com
for a complete overview of Chrome’s developer features, and circle
+Google Chrome Developers
for more frequent updates.
We’ll update this post if things change, but at this point all these features are expected to land in the next
Stable release
. We’ve got a lot more in store for you this year, so get coding!
Posted by Eric Bidelman, Chrome Developer Advocate and Web Platform Enthusiast
Beta Channel Arrives for Android Phones and Tablets
Thursday, January 10, 2013
Starting today, you can install Chrome Beta channel for phones and tablets on Android 4.0+ from
Google Play
. This release includes some of the biggest developer updates to Chrome for Android since
its launch last year
, bringing many features available on other Chrome versions to Android as well:
With prefixed support for
CSS Filters
you can apply visual effects like grayscale, blur, and contrast adjustment to the mobile web. Try
this demo
on Chrome for Android to see filters in action.
The new
Flexible Box Layout Module
simplifies the styling of complex layouts.
The dynamic
viewport units
vw, vh, and vmin can now be used for responsive design.
The
<track> element for video
provides a simple, standardized way to add subtitles, captions, screen reader descriptions, and chapters. Note that it doesn’t work for fullscreen video on Chrome for Android yet.
The
CSS calc()
function can be used anywhere a length is required by a CSS properties. It allows mathematical expressions with addition (‘+’), subtraction (‘-’), multiplication (‘*’), and division (‘/’) to be used as component values.
The
@sandbox
and
@srcdoc
attributes of the <iframe> element give you more control over inline frames.
Unprefixed
IndexedDB
gives you access to fast, structured client-side storage.
Our technique to make desktop web pages more readable on mobile screens (now called
Text Autosizing
) has been improved and is more consistent with other browsers.
V8 has been updated to 3.15 bringing a big speed boost; performance on the
Octane
benchmark improved on average by 25-30%.
Lastly, the new beta comes with an updated stack of Developer Tools. Expect big improvements in measuring your mobile performance with the Timeline's frames mode and easily navigate and edit your active scripts in the revised Sources panel.
You can report any issues you find within the app or at
mcrbug.com/new
. We’ll be pushing periodic updates so you can test out our latest work as soon as it’s ready. Even better, you can
install the Beta
alongside your current version of Chrome for Android
Posted by Peter Beverloo, Software Engineer and Mobile Web Maestro
Labels
$200K
1
10th birthday
4
abusive ads
1
abusive notifications
2
accessibility
3
ad blockers
1
ad blocking
2
advanced capabilities
1
android
2
anti abuse
1
anti-deception
1
background periodic sync
1
badging
1
benchmarks
1
beta
83
better ads standards
1
billing
1
birthday
4
blink
2
browser
2
browser interoperability
1
bundles
1
capabilities
6
capable web
1
cds
1
cds18
2
cds2018
1
chrome
35
chrome 81
1
chrome 83
2
chrome 84
2
chrome ads
1
chrome apps
5
Chrome dev
1
chrome dev summit
1
chrome dev summit 2018
1
chrome dev summit 2019
1
chrome developer
1
Chrome Developer Center
1
chrome developer summit
1
chrome devtools
1
Chrome extension
1
chrome extensions
3
Chrome Frame
1
Chrome lite
1
Chrome on Android
2
chrome on ios
1
Chrome on Mac
1
Chrome OS
1
chrome privacy
4
chrome releases
1
chrome security
10
chrome web store
32
chromedevtools
1
chromeframe
3
chromeos
4
chromeos.dev
1
chromium
9
cloud print
1
coalition
1
coalition for better ads
1
contact picker
1
content indexing
1
cookies
1
core web vitals
2
csrf
1
css
1
cumulative layout shift
1
custom tabs
1
dart
8
dashboard
1
Data Saver
3
Data saver desktop extension
1
day 2
1
deceptive installation
1
declarative net request api
1
design
2
developer dashboard
1
Developer Program Policy
2
developer website
1
devtools
13
digital event
1
discoverability
1
DNS-over-HTTPS
4
DoH
4
emoji
1
emscriptem
1
enterprise
1
extensions
27
Fast badging
1
faster web
1
features
1
feedback
2
field data
1
first input delay
1
Follow
1
fonts
1
form controls
1
frameworks
1
fugu
2
fund
1
funding
1
gdd
1
google earth
1
google event
1
google io 2019
1
google web developer
1
googlechrome
12
harmful ads
1
html5
11
HTTP/3
1
HTTPS
4
iframes
1
images
1
incognito
1
insecure forms
1
intent to explain
1
ios
1
ios Chrome
1
issue tracker
3
jank
1
javascript
5
lab data
1
labelling
1
largest contentful paint
1
launch
1
lazy-loading
1
lighthouse
2
linux
2
Lite Mode
2
Lite pages
1
loading interventions
1
loading optimizations
1
lock icon
1
long-tail
1
mac
1
manifest v3
2
metrics
2
microsoft edge
1
mixed forms
1
mobile
2
na
1
native client
8
native file system
1
New Features
5
notifications
1
octane
1
open web
4
origin trials
2
pagespeed insights
1
pagespeedinsights
1
passwords
1
payment handler
1
payment request
1
payments
2
performance
20
performance tools
1
permission UI
1
permissions
1
play store
1
portals
3
prefetching
1
privacy
2
privacy sandbox
4
private prefetch proxy
1
profile guided optimization
1
progressive web apps
2
Project Strobe
1
protection
1
pwa
1
QUIC
1
quieter permissions
1
releases
3
removals
1
rlz
1
root program
1
safe browsing
2
Secure DNS
2
security
36
site isolation
1
slow loading
1
sms receiver
1
spam policy
1
spdy
2
spectre
1
speed
4
ssl
2
store listing
1
strobe
2
subscription pages
1
suspicious site reporter extension
1
TCP
1
the fast and the curious
23
TLS
1
tools
1
tracing
1
transparency
1
trusted web activities
1
twa
2
user agent string
1
user data policy
1
v8
6
video
2
wasm
1
web
1
web apps
1
web assembly
2
web developers
1
web intents
1
web packaging
1
web payments
1
web platform
1
web request api
1
web vitals
1
web.dev
1
web.dev live
1
webapi
1
webassembly
1
webaudio
3
webgl
7
webkit
5
WebM
1
webmaster
1
webp
5
webrtc
6
websockets
5
webtiming
1
writable-files
1
yerba beuna center for the arts
1
Archive
2024
Dec
Aug
Jun
May
Apr
Mar
Feb
2023
Nov
Oct
Sep
Aug
Jun
May
Apr
Feb
2022
Dec
Sep
Aug
Jun
May
Apr
Mar
Feb
Jan
2021
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2020
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2019
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2018
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2017
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2016
Dec
Nov
Oct
Sep
Aug
Jun
May
Apr
Mar
Feb
Jan
2015
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2014
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2013
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2012
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2011
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2010
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2009
Dec
Nov
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2008
Dec
Nov
Oct
Sep
Feed
Follow @ChromiumDev
Give us feedback in our
Product Forums
.