Chromium Blog
News and developments from the open source browser project
Getting your app discovered in the Chrome Web Store with new promotional assets.
Thursday, August 25, 2011
Yesterday we made a small change in Chrome Web Store’s app upload flow: when you upload new apps and extensions to the
Chrome Web Store
, or edit one of your existing items, you'll be prompted to provide us with new promotional image assets. We are asking you for these assets so that we can highlight your apps and extensions in a brand new store layout that our team is working on.
What's new:
(Required) You’ll need to provide us with a large rectangular image to identify your app, in addition to assets you already provide - your app icon and at least one screenshot.
(Optional) You can provide us with an even larger rectangular image format as well.
What's different
The screenshot dimensions have grown larger with a wider aspect ratio.
The (optional) marquee image dimensions have also grown larger.
What's the same
The specification and dimensions for the icon file
To make things easier, we only require screenshots in the new dimensions going forward -- we'll automatically scale them as needed to make them visible in the current store layout. You can read the details about the new requirements on our
image guidelines page
. If you have any questions on these changes, feel free to reach us at our
discussion group
.
Posted by Shannon Guymon, Product Manager
Register now for New Game, the conference for HTML5 game developers
Thursday, August 25, 2011
Cross posted at the
Google Code blog
This post almost wasn’t written.
I’ve been a bit too busy playing and testing new browser-based games such as
Monster Dash
,
Angry Birds
, and the newly released
SONAR
. Bigger and better games are coming to the browser rapidly (and just wait until
Native Client with 3D lands in Chrome
), and it’s hard to keep up with the technology and scene. So what better way to bring everyone together to share stories and keep up to date than to hold a conference dedicated to HTML5 game development?
New Game
, the first North American conference for HTML5 game developers, is now open for
registration
. You are invited to join hundreds of HTML5 game developers for two days of technical sessions and case studies from developers and publishers who brought their games to the open web platform. The event will take place November 1-2, 2011 at the beautiful Yerba Buena Center for the Arts in San Francisco, CA.
This year, New Game looks at what is possible in the browser
today
. Sessions will focus on the technologies that have elevated the browser-based gaming experience, such as WebGL, Canvas, and JavaScript performance techniques. In addition, the conference will feature sessions exploring and analyzing lessons-learned from recent HTML5 game launches.
New Game is honored to have Rich Hilleman, EA’s Chief Creative Officer, keynote the event. The
schedule
also includes sessions from Mozilla, Spil, Opera, Google, Bocoup, GameSalad, Moblyng, and others. After the first day, we’ll network with our colleagues and share high scores at the New Game party, open to all registered attendees.
For more information on New Game, including session and speaker details, please visit
www.newgameconf.com
and follow
@newgameconf
for the latest news. Google, the premier sponsor, and conference director
Bocoup
invite you to take advantage of
early bird registration pricing
, available for a limited time.
The future of gaming is in your browser, so I’ll see you at New Game! Now if you’ll excuse me, it’s time to get back to my
SONAR
tab.
Posted by Seth Ladd, Developer Advocate
Native Client Brings Sandboxed Native Code to Chrome Web Store Apps
Thursday, August 18, 2011
Wouldn’t it be great if you could create web apps using your existing C and C++ code?
Native Client
lets you do just that, and it is now enabled for Chrome Web Store apps in Google Chrome’s
beta channel
.
Native Client apps live on the web platform, so you don’t need to create separate versions of your app for each operating system. Rather than relying on OS-specific APIs, Native Client apps use Pepper, a set of interfaces that provide C and C++ bindings to the capabilities of HTML5. This means that once you’ve ported your code to Native Client, it will work across different operating systems, and you only need to maintain one code base.
Today Native Client supports the Pepper APIs for 2D graphics, stereo audio, URL fetching, sandboxed local file access (
File API
), and asynchronous message passing to and from JavaScript. In future releases we will be adding support for hardware accelerated 3D graphics (OpenGL ES 2.0), fullscreen mode, networking (
WebSockets
and peer-to-peer connections), and much more. As new capabilities are added to HTML5 and Pepper, they will become available to Native Client.
This functionality does not come at the expense of security. To ensure that Native Client is as safe as JavaScript, Native Client code is isolated from the operating system by two nested security sandboxes: the
Native Client sandbox
and the
Chrome sandbox
. And unlike NPAPI plugins or ActiveX controls, Native Client apps do not have access to the underlying OS APIs.
We encourage you to start developing apps with Native Client. You can download the SDK and find tutorials, examples, API documentation, and our
FAQ
on the
Native Client site
. Once version 14 of Chrome hits stable channel, you’ll be able to upload your Native Client apps to the Chrome Web Store, where you can reach Chrome’s 160 million users.
The next milestone for Native Client is architecture independence:
Portable Native Client
(PNaCl) will achieve this by using
LLVM
bitcode as the basis for the distribution format for Native Client content, translating it to the actual target instruction set before running. Until then the Chrome Web Store will be the only distribution channel for Native Client apps. This will help us ensure that all Native Client apps are updated to PNaCl when it’s ready – and in the meantime avoid the spread of instruction set architecture dependent apps on the web. We’ll be providing updates on the progress of PNaCl on this blog.
Posted by Christian Stefansen, Product Manager
Connecting Web Apps with Web Intents
Thursday, August 4, 2011
In today’s browser ecosystem, web apps are completely disconnected or require the use of complicated APIs in order to make use of a third-party service, e.g., posting a comment to Twitter from your custom publishing domain. What if we could give sites the ability to leverage these services without any knowledge of the chosen service, except that it provides some set of predefined functionality?
Android OS addresses this problem with Intents, a facility for late run-time binding between components in the same or different applications. In the Intents system, the client application requests a generic action, e.g. share, and specifies the data to pass to the selected service application. The user is given a list of applications which have registered that they can handle the requested intent. The user-selected application is created in a new context and passed the data sent from the client, the format of which is predefined for each specific intent type.
We are hard at work designing an analogous system for the web: Web Intents. This web platform API will provide the same benefits of Android Intents, but better suited for web applications. When designing the system, we have first and foremost been interested in creating a simple, easy-to-use API. With Web Intents, you will be able to connect your web app to a service with as little as two lines of code! Chrome will perform the heavy lifting for you. As with Android, Web Intents documents an initial set of intent actions (edit, view, share, etc.) that likely cover the majority of use cases on the web today; however, as the web grows and sites provide more functionality, new intent actions will be added by services that document these intents, some more popular than others. To foster development and use of intents, we plan to create a site to browse existing intents and add new intents.
Consider an online photo storage site run by a cash-strapped startup: the developers don’t have the resources to add image editing abilities to their app, but they feel the site won’t be a hit without it. The Web Intent system will make it easy for them to offer this with little effort.
var intent = new Intent(Intent.EDIT, ‘image/png’, getImageDataURI());
window.navigator.startActivity(intent, loadEditedImage);
// This callback will be called when the service replies with the edited
// image data.
function loadEditedImage(data) {
var image = document.getElementById(‘image’);
setImageData(image, data);
}
When the user visits her favorite memegen service, the site will request registration to handle the EDIT intent for files of type ‘image/*’ using the following declaration:
<intent
action=”http://webintents.org/edit”
type=”image/*”
/>
When the user initiates the EDIT action, this service is presented to the user, along with other registered image editors. Once the user selects Meme Generator, the referenced site is opened in a new context and is able to load the image data from the intent payload:
var intent = window.intent;
memeImg.src = intent.data;
memegenForm.onsubmit = function() {
// Transform the image - meme it.
addMemeTaglines(memeImg, memeTopText, memeBottomText);
// Send the generated meme back to the client.
intent.postResult(getImageData(memeImg));
};
Once
postResult()
is called, the Meme Generator context is closed and the output data is sent back to the client via the callback passed to
startActivity()
.
Mozilla is also actively
exploring
this problem space. In fact we’re working closely with Mozilla engineers to unify our two proposals into one simple, useful API. Visit the
examples
page to try out the feature in any current browser. To explore using the API in your site, check out out the
JavaScript shim
, which provides an implementation of the API for browsers that have not implemented this feature. We are rapidly prototyping this feature, so check back soon for an announcement when Web Intents is available behind a flag in Chrome.
Posted by James Hawkins, Software Engineer
New WebSocket Protocol: Secure and Extensible
Monday, August 1, 2011
The WebSocket protocol specification is now largely stable, having solved previous
security concerns
. As such, we’ve updated Chromium to support the latest version (
draft-ietf-hybi-thewebsocketprotocol-10
) on the dev channel (14.0.835.2). Given that the specification is now in “last-call” and and no further breaking changes are expected, it should now be safe to use WebSockets for production application development.
Please note that the new protocol is incompatible with one which Chromium previously supported (
draft-ietf-hybi-thewebsocketprotocol-00
), so existing WebSocket-based services may break. Please upgrade your servers to ones which support HyBi 10. Existing JavaScript code still works once the protocol version used by the browser and server match.
The new protocol introduces some exciting new features like binary message support and compression support, but these are not quite ready yet in Chrome and will come shortly - hang tight!
See the specs and discussion at W3C and WHATWG (
spec
,
whatwg list
) and IETF (
spec
,
HyBi list
) for more detail about the new protocol.
We’re more than happy to hear your feedback, and encourage you to file any bugs you find on our
issue tracker
.
Posted by Takeshi Yoshino, Software Engineer
Chrome Web Store: Now with more international support and with In-App Payments
Monday, August 1, 2011
Since Google I/O, we’ve been working hard to make the Chrome Web Store available to
more users around the world
as well as to provide
additional monetization opportunities
for developers. Today, we're happy to share progress in both of these areas.
We
recently launched
the much awaited
In App Payments API
in the US. This API provides a simple and effective way to monetize your apps in the Chrome Web Store, allowing you to complete transactions with buyers from 140 countries. Integration is simple - all you need is to do is to insert a few lines of code. An even more exciting feature of the API is the 5% flat transaction fee pricing. To learn more about In-App Payments, check out our
docs
and a
sample app complete with source code
or watch
our short video
. We look forward to expanding this service to additional developer locations as quickly as possible.
With our in-store payments, developers in Australia, Austria, Belgium, Canada, Denmark, Finland, France, Germany, Hong Kong, Italy, Japan, Netherlands, New Zealand, Norway, Portugal, Singapore, Spain, Sweden, Switzerland, United Kingdom can now complete merchant account sign up and start adding their paid apps to the Chrome Web Store. Paid apps will be published to international users later this year. In the meantime, you can
localize your app listing
to make it accessible to more people and be eligible for promotion in local store fronts.
We’ve also added the ability to target or exclude specific markets. In this launch, Chrome Web Store developers can publish their apps to the following regions: Argentina, Australia, Austria (new), Belgium (new), Brazil, Canada, Czech Republic (new), Denmark (new), Finland (new), France, Germany, Hong Kong (new), India, Indonesia (new), Israel (new), Italy, Japan, Mexico, Netherlands, New Zealand (new), Norway (new), Philippines (new), Poland, Portugal, Russia (new), Singapore (new), Spain, Sweden (new), Switzerland (new), United Kingdom and United States. Our users will only see apps that were published for their market. We also added support for our various featured lists to be targeted by market, allowing users to see the best apps for their market.
If you have additional questions, please join our
developer discussion group
.
Posted by Elvin Lee, Software Engineer
Writing Extensions More Securely
Friday, July 22, 2011
Extensions are powerful pieces of software in modern browsers, and as such, you should help ensure that your extensions are not susceptible to security exploits. If an attacker manages to exploit a vulnerability in an extension, it’s serious business because they may gain access to the same privileges that the extension has.
The Chrome extensions system has a number of
built-in protections
to make it more difficult to introduce exploitable code, but certain coding patterns can still open up the risk of exploits like a cross-site scripting (XSS) attack. Many of these mistakes are common to web programming in general, so it wouldn’t be a bad idea to check out one of the
many
good
articles
on the net about XSS bugs. Here are some of our recommendations for writing healthier extensions.
Minimize your permissions
The most important thing to consider is whether you’re declaring the minimal set of permissions that you need to function. That way, if you do have a security bug in your code, the amount of permissions you’re exposing to the attacker is minimal as well. Avoid requesting
(*/*) permissions for hosts if you only need to access a couple, and don’t copy and paste your manifest from example code blindly. Review your manifest to make sure you’re only declaring what you need. This applies to permissions like tabs, history, cookies, etc. in addition to host permissions. For example, if all you’re using is
chrome.tabs.create
, you don’t actually need the tabs permission.
Use content_security_policy in your manifest
Starting in Chrome 14, we will begin supporting
Content Security Policy
in extensions via the
content_security_policy
manifest field. This allows you to control where scripts can be executed, and it can be used to help reduce your exposure to cross-site scripting vulnerabilities. For example, to specify that your extension loads resources only from its own package, use the following policy:
"content_security_policy": "default-src 'self'"
If you need to include scripts from specific hosts, you can add those hosts to this property.
Don’t use <script src> with an HTTP URL
When you include javascript into your pages using an HTTP URL, you’re opening your extension up to man-in-the-middle (MITM) attacks. When you do so in a content script, you have a similar effect on the pages you’re injected into. An attacker on the same network as one of your users could replace the contents of the script with content that they control. If that happens, they could do anything that your page can do.
If you need to fetch a remote script, always use HTTPS from a trusted source.
Don’t use eval()
The eval() function is very powerful and you should refrain from using it unless absolutely necessary. Where did the code come from that you passed into eval()? If it came from an HTTP URL, you’re vulnerable to the same issue as the previously mentioned <script> tag. If any of the content that you passed into eval() is based on content from a random web page the user visits, you’re vulnerable to escaping bugs. For example, let’s say that you have some code that looks like this:
function displayAddress(address) { // address was detected and grabbed from the current page
eval("alert('" + address + "')");
}
If it turned out that you had a bug in your parsing code, the address might wind up looking something like this:
'); dosomethingevil();
There’s almost always a better alternative to using eval(). For example, you can use JSON.parse if you want to parse JSON (with the added benefit that it runs faster). It’s worth the extra effort to use alternatives like this.
Don’t use innerHTML or document.write()
It’s really tempting to use innerHTML because it’s much simpler to generate markup dynamically than to create DOM nodes one at a time. However, this again sets you up for bugs in escaping your content. For example:
function displayAddress(address) { // address was detected and grabbed from the current page
myDiv.innerHTML = "<b>" + address + "</b>");
}
This would allow an attacker to make an address like the following and once again run some script in your page:
<script>dosomethingevil();</script>
Instead of innerHTML, you can manually create DOM nodes and use innerText to insert dynamic content.
Beware external content
In general, if you’re generating dynamic content based on data from outside of your extension (such as something you fetched from the network, something you parsed from a page, or a message you received from another extension, etc.), you should be extremely careful about how you use it. If you use this data to generate content within your extension, you might be opening your users up to increased risk.
You can also read a
few more
examples of the issues discussed here in our extension docs. We hope these recommendations help you create better and safer extensions for everyone.
Posted by Erik Kay, Software Engineer
Labels
$200K
1
10th birthday
4
abusive ads
1
abusive notifications
2
accessibility
3
ad blockers
1
ad blocking
2
advanced capabilities
1
android
2
anti abuse
1
anti-deception
1
background periodic sync
1
badging
1
benchmarks
1
beta
83
better ads standards
1
billing
1
birthday
4
blink
2
browser
2
browser interoperability
1
bundles
1
capabilities
6
capable web
1
cds
1
cds18
2
cds2018
1
chrome
35
chrome 81
1
chrome 83
2
chrome 84
2
chrome ads
1
chrome apps
5
Chrome dev
1
chrome dev summit
1
chrome dev summit 2018
1
chrome dev summit 2019
1
chrome developer
1
Chrome Developer Center
1
chrome developer summit
1
chrome devtools
1
Chrome extension
1
chrome extensions
3
Chrome Frame
1
Chrome lite
1
Chrome on Android
2
chrome on ios
1
Chrome on Mac
1
Chrome OS
1
chrome privacy
4
chrome releases
1
chrome security
10
chrome web store
32
chromedevtools
1
chromeframe
3
chromeos
4
chromeos.dev
1
chromium
9
cloud print
1
coalition
1
coalition for better ads
1
contact picker
1
content indexing
1
cookies
1
core web vitals
2
csrf
1
css
1
cumulative layout shift
1
custom tabs
1
dart
8
dashboard
1
Data Saver
3
Data saver desktop extension
1
day 2
1
deceptive installation
1
declarative net request api
1
design
2
developer dashboard
1
Developer Program Policy
2
developer website
1
devtools
13
digital event
1
discoverability
1
DNS-over-HTTPS
4
DoH
4
emoji
1
emscriptem
1
enterprise
1
extensions
27
Fast badging
1
faster web
1
features
1
feedback
2
field data
1
first input delay
1
Follow
1
fonts
1
form controls
1
frameworks
1
fugu
2
fund
1
funding
1
gdd
1
google earth
1
google event
1
google io 2019
1
google web developer
1
googlechrome
12
harmful ads
1
html5
11
HTTP/3
1
HTTPS
4
iframes
1
images
1
incognito
1
insecure forms
1
intent to explain
1
ios
1
ios Chrome
1
issue tracker
3
jank
1
javascript
5
lab data
1
labelling
1
largest contentful paint
1
launch
1
lazy-loading
1
lighthouse
2
linux
2
Lite Mode
2
Lite pages
1
loading interventions
1
loading optimizations
1
lock icon
1
long-tail
1
mac
1
manifest v3
2
metrics
2
microsoft edge
1
mixed forms
1
mobile
2
na
1
native client
8
native file system
1
New Features
5
notifications
1
octane
1
open web
4
origin trials
2
pagespeed insights
1
pagespeedinsights
1
passwords
1
payment handler
1
payment request
1
payments
2
performance
20
performance tools
1
permission UI
1
permissions
1
play store
1
portals
3
prefetching
1
privacy
2
privacy sandbox
4
private prefetch proxy
1
profile guided optimization
1
progressive web apps
2
Project Strobe
1
protection
1
pwa
1
QUIC
1
quieter permissions
1
releases
3
removals
1
rlz
1
root program
1
safe browsing
2
Secure DNS
2
security
36
site isolation
1
slow loading
1
sms receiver
1
spam policy
1
spdy
2
spectre
1
speed
4
ssl
2
store listing
1
strobe
2
subscription pages
1
suspicious site reporter extension
1
TCP
1
the fast and the curious
23
TLS
1
tools
1
tracing
1
transparency
1
trusted web activities
1
twa
2
user agent string
1
user data policy
1
v8
6
video
2
wasm
1
web
1
web apps
1
web assembly
2
web developers
1
web intents
1
web packaging
1
web payments
1
web platform
1
web request api
1
web vitals
1
web.dev
1
web.dev live
1
webapi
1
webassembly
1
webaudio
3
webgl
7
webkit
5
WebM
1
webmaster
1
webp
5
webrtc
6
websockets
5
webtiming
1
writable-files
1
yerba beuna center for the arts
1
Archive
2025
Oct
Jul
Jun
May
Jan
2024
Dec
Aug
Jun
May
Apr
Mar
Feb
2023
Nov
Oct
Sep
Aug
Jun
May
Apr
Feb
2022
Dec
Sep
Aug
Jun
May
Apr
Mar
Feb
Jan
2021
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2020
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2019
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2018
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2017
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2016
Dec
Nov
Oct
Sep
Aug
Jun
May
Apr
Mar
Feb
Jan
2015
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2014
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2013
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2012
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2011
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2010
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2009
Dec
Nov
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2008
Dec
Nov
Oct
Sep
Feed
Follow @ChromiumDev
Give us feedback in our
Product Forums
.
