Chromium Blog
News and developments from the open source browser project
Chrome 56 Beta: “Not Secure” warning, Web Bluetooth, and CSS position: sticky
Thursday, December 8, 2016
Unless otherwise noted, changes described below apply to the newest Chrome Beta channel release for Android, Chrome OS, Linux, Mac, and Windows.
“Not Secure” warning for HTTP password and credit card pages
To help users browse safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Starting in version 56, Chrome will mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure. The feature will roll out gradually over the next few weeks.
To avoid being labeled insecure, sites should secure their traffic with HTTPS and follow general security guidelines.
Chrome ‘Not Secure’ warning appearing in the URL bar for a site with an HTTP connection
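A site owner can pre-screen pages for this condition before the rollout reaches users. The following is an added example, not code from Chrome or the Chromium project: it flags pages served over HTTP that contain a password input or a credit card input. The host shop.example, the sample markup and the card-field heuristic (autocomplete "cc-" tokens or a card-like name/id) are assumptions made for illustration; Chrome's own field detection is not reproduced.

```javascript
// Added example, not Chrome's implementation: approximates which pages
// Chrome 56 labels "Not Secure" (HTTP + password or credit card input).
// Assumption: card fields are recognised by autocomplete="cc-*" tokens or
// by a card-like name/id; Chrome's own field detection is not reproduced.
const CARD_NAME = /(card|cc)[-_]?(num|number|no)|cvv|cvc/;

// Parse one <input ...> tag into a map of lower-cased attributes.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of tag.matchAll(re)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).toLowerCase();
  }
  return attrs;
}

// Return the kinds of sensitive inputs found in an HTML string.
function sensitiveInputs(html) {
  const kinds = new Set();
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const tokens = (a.autocomplete || '').split(/\s+/);
    if (a.type === 'password') kinds.add('password');
    if (tokens.some((t) => t.startsWith('cc-')) ||
        CARD_NAME.test(a.name || '') || CARD_NAME.test(a.id || '')) {
      kinds.add('credit-card');
    }
  }
  return [...kinds].sort();
}

// A page is flagged only when it is served over plain HTTP and collects
// a password or card number; HTTPS pages and other HTTP pages pass.
function auditPage(url, html) {
  const inputs = sensitiveInputs(html);
  const isHttp = new URL(url).protocol === 'http:';
  return { url, inputs, notSecure: isHttp && inputs.length > 0 };
}

// Constructed sample pages (hypothetical host shop.example).
const SAMPLE_PAGES = [
  ['http://shop.example/login', '<input name="user"><input type="password" name="pw">'],
  ['http://shop.example/pay', "<input autocomplete='cc-number' name=card>"],
  ['https://shop.example/login', '<input type=password>'],
  ['http://shop.example/search', '<input type="text" name="q">'],
];
const report = () => SAMPLE_PAGES.map(([u, h]) => auditPage(u, h));
console.log(report().filter((r) => r.notSecure).map((r) => r.url));
```

Only the HTTP login and payment pages are reported; the HTTP search page is not, which matches the scope of the warning in this release.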
Web Bluetooth
Sites can now interact with Bluetooth Low Energy (BLE) devices using the Web Bluetooth API on Android, Chrome OS, and Mac.
The Web Bluetooth API uses the GATT protocol, which enables web developers to connect to Bluetooth devices such as printers and LED displays with just a few lines of JavaScript. Web Bluetooth can also be combined with Physical Web beacons to discover and control nearby devices. To get started, check out these samples and demos on GitHub.
An Android device connecting to a BLE-enabled heart rate monitor via the web (source)
CSS position: sticky
Chrome now supports CSS position: sticky, a new way to position elements. A position: sticky element is relatively-positioned, but becomes position: fixed after the user reaches a certain scroll position.
Previously, building content headers that scrolled normally until sticking to the top of the viewport required listening to scroll events and switching an element’s position from relative to fixed at a specified threshold. This solution was difficult to synchronize, resulting in small visual jumps. Now, users can achieve the desired effect by simply positioning their elements as sticky.
Other features in this release
The new Remote Playback API on Android enables sites to initiate and control playback of an HTMLMediaElement on smart TVs and speakers.
The WebVR API is available on Android as an origin trial, allowing developers to create virtual reality experiences on the web.
The WebGL 2.0 API is enabled by default on desktop platforms, providing OpenGL ES 3.0 level rendering capabilities via the <canvas> element.
Support for Adobe Flash will no longer be advertised in navigator.plugins and navigator.mimetypes if the user has not substantially interacted with a site, though users can re-enable Flash experiences on a per-site basis.
Sites can now experiment with taking photos and configuring camera settings like zoom using the Image Capture origin trial.
When content changes above the viewport, Chrome now automatically adjusts the scroll position to keep content in the viewport fixed unless the CSS overflow-anchor property is set.
The Notifications API now allows sites to include an image in notifications by setting the image property.
The PaymentRequest API has a variety of new features including requestPayerName and JSON serialization.
Showing and hiding the URL bar on mobile no longer resizes the initial containing block or elements sized with viewport units such as vh.
Text input elements such as <input type="text"> now have spell-checking enabled by default on Android devices with at least 512 MB of memory and a system dictionary.
The generic font family used to fit content within the UI has been standardized and renamed as system-ui on all platforms.
The new Referrer-Policy HTTP header allows sites to forward site traffic by URL without leaking the user’s session identifier or other private information.
KeyboardEvent.isComposing() allows sites to determine if the user is typing based on recent KeyboardEvents, without monitoring keyboard events directly.
Chrome for Android now sets the default preload attribute for videos to metadata on cellular connections, showing a preview image and time information to match other mobile browsers.
Chrome now supports TLS 1.3 and includes 1-RTT based on draft-18.
Sites can use ImageBitmapRenderingContext to reduce memory consumption and compositing overhead by rendering pixel data in the form of an ImageBitmap.
Sites can respond to pinch gestures using the pinch-zoom CSS touch-action property.
ConstantSourceNode is a new audio source node that produces a constant output mixed with an AudioParam.
Two Web Audio ChannelSplitterNode interface attributes are now read-only: channelCount, which is defined by numberOfOutputs in createChannelSplitter(), and channelCountMode, which is set to explicit.
PannerNode.rolloffFactor now clamps to the nominal range of a PannerNode’s distance model to describe the volume reduction rate as the source moves away from the listener.
window.prompt() will no longer focus its parent tab if the page is not currently in the foreground, and the dialog will be automatically dismissed.
To match behavior on Windows, Chrome Extensions can now override default search, startup, and homepage settings on Mac with the Chrome Settings Overrides API.
Support for FLAC is enabled within the FLAC and Ogg containers for the <audio> tag and decodeAudioData().
OPUS can now be used with decodeAudioData(), expanding the variety of audio codecs supported by the WebAudio API.
Deprecations and interoperability improvements
The WebAudio API no longer includes the deprecated Doppler API, including speedOfSound, dopplerFactor, and setVelocity.
To improve standards conformance, RTCPeerConnection now accepts iceTransportPolicy as an RTCConfiguration parameter as well as iceTransports.
RTCPeerConnection is now available without a webkit prefix, though webkitRTCPeerConnection still remains.
Non-whitespace Unicode control characters will now be rendered according to the specification, rather than being ignored.
The reflected-xss directive has been removed from Content Security Policy 2 since it was solely a wrapper for the X-XSS-Protection header and provided no additional functionality.
Support for the MediaStreamTrack.getSources() method has been removed in favor of MediaDevices.enumerateDevices().
The CSP referrer directive is no longer supported in favor of the new Referrer-Policy header.
ShadowDOM’s slotchange events bubble, but are no longer re-fired at a slot's assignedSlot.
Legacy CBC-mode ECDSA cipher suites ECDHE_ECDSA_WITH_AES_128_CBC_SHA and ECDHE_ECDSA_WITH_AES_256_CBC_SHA have been removed in favor of modern ciphers such as ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
ECDSA with both SHA-1 and SHA-512 have been removed to reduce dependencies on SHA-1 and align with TLS 1.3's new ECDSA handling.
Chrome no longer allows opening of pop-ups during inputs which represent a touch scroll, such as touchstart and touchmove.
Sites will no longer initiate fetches for scripts with invalid type or language attributes, such as type="python", unless triggered by declarative fetches using link preload.
MIDIMessageEvent.receivedTime has been deprecated in favor of Event.timeStamp, since Event.timeStamp now supports high-resolution monotonic time instead of epoch time.
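The removal of the CSP referrer and reflected-xss directives means a site that still relies on them silently loses the behaviour unless it also sends a Referrer-Policy header. The following is an added example, not code from Chrome or the Chromium project: it audits a set of response headers for the two removed directives and reports the Referrer-Policy value that would apply. The sample header values and the function names are assumptions made for illustration.

```javascript
// Added example, not Chrome or project code: audits response headers for
// the two CSP directives this release stops supporting.
const REMOVED_CSP_DIRECTIVES = ['referrer', 'reflected-xss'];
// Policy tokens from the Referrer Policy specification (assumption: the
// page does not list them, and a given Chrome version may not support all).
const REFERRER_POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin', 'unsafe-url',
]);

// Split a CSP value into directive name -> arguments (first occurrence wins).
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...args] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, args);
  }
  return directives;
}

// Referrer-Policy may carry a comma-separated fallback list; unknown
// tokens are skipped and the last recognised token applies.
function effectiveReferrerPolicy(value) {
  let policy = null;
  for (const token of (value || '').split(',')) {
    const t = token.trim().toLowerCase();
    if (REFERRER_POLICIES.has(t)) policy = t;
  }
  return policy;
}

function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const csp = parseCsp(h['content-security-policy'] || '');
  const referrerPolicy = effectiveReferrerPolicy(h['referrer-policy']);
  const findings = REMOVED_CSP_DIRECTIVES.filter((d) => csp.has(d))
    .map((d) => `CSP directive "${d}" is no longer supported`);
  if (csp.has('referrer') && referrerPolicy === null) {
    findings.push('no valid Referrer-Policy header replaces CSP "referrer"');
  }
  return { referrerPolicy, findings };
}

// Constructed sample responses: before and after migration.
const LEGACY = { 'Content-Security-Policy': "default-src 'self'; referrer origin; reflected-xss block" };
const MIGRATED = { 'Content-Security-Policy': "default-src 'self'",
  'Referrer-Policy': 'no-referrer, strict-origin-when-cross-origin' };
console.log(auditHeaders(LEGACY), auditHeaders(MIGRATED));
```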
Posted by Vincent Scheib, Web Bluetooth Orthodontist