Chromium Blog
News and developments from the open source browser project
Enabling new classes of applications with Pointer Lock
Tuesday, September 25, 2012
Moving the web forward includes enabling new classes of applications. Today’s Chrome Stable release advances this effort with the inclusion of the Pointer Lock JavaScript API (often called Mouse Lock). Now, 3D applications such as first-person games can allow users to control their perspective naturally with the mouse, without moving outside the window or bumping into the edge of their screen. Try it out for yourself in this 3D, first-person shooter demo created by our friends at Mozilla.
While games are fun, these capabilities also empower other types of applications such as medical and scientific visualization, training, simulation, modeling, authoring packages, and more. We're excited to see recent web platform technologies such as WebGL, Web Audio, Fullscreen, WebSockets, Gamepad, and Pointer Lock combine to be greater than the sum of their parts. Game developers have an excellent platform on which they can deploy rich games with all the benefits of the instant-on, auto-updating, linkable, shareable, and searchable web.
As always, Chrome will automatically update itself to include these latest enhancements. If you haven’t tried Chrome yet, give it a spin!
Posted by Vincent Scheib, Software Engineer often overheard singing, "And we’re out of Beta. We’re releasing on time."
Announcing Movi.Kanti.Revo, A New Chrome Experiment
Wednesday, September 19, 2012
Earlier this year at Google I/O, we gave developers a sneak peek at Movi.Kanti.Revo, a new sensory Chrome experiment crafted by Cirque du Soleil and developed by Subatomic Systems that brings the magic of Cirque du Soleil to the web through modern web technologies. The full experiment, which allows users to follow a mysterious character through a beautiful world of Cirque du Soleil performances, was launched today at the Big Tent event in New York City.
The experiment was created using just HTML5, and the environment is built entirely with markup and CSS. Like set pieces on stage, divs, images and other elements are positioned in a 3D space using CSS. To create movement, CSS animations and 3D transforms were applied making the elements appear closer and further away. Everything is positioned and scaled individually to create a highly realistic interactive environment. In addition, the experiment uses HTML5 <audio> to play music and sounds.
Movi.Kanti.Revo breaks with the tradition of keyboard or mouse navigation; instead users navigate through an interactive Cirque du Soleil world with their gestures. To accomplish this, the experiment asks users for permission to access their web cam using the new getUserMedia API. With this new API, the experiment renders the camera output to a small <video> element on the page. A facial detection JavaScript library then looks for movement and applies a CSS 3D transform to the elements on the page, making the environment move with the user.
Because this experience was built using just markup, it works in the browser across all devices. The experiment takes advantage of the rich capabilities possible on mobile devices, like the accelerometer to navigate through the world.
To learn more about how this experiment was built, check out the new technical case study or join us for a special Google Developers Live Behind The Divs event on September 20th at 8:30am PDT / 15:30 UTC where we’ll be talking to the engineers behind the project.
Head over to Movi.Kanti.Revo at www.movikantirevo.com to check things out, and be sure to open Chrome’s developer tools to see what’s going on behind the <div>s!
Pete LePage, Developer Advocate
Lossless and Transparency Modes in WebP
Thursday, August 30, 2012
Cross-posted on the Google Developers Blog
At Google, we are constantly looking at ways to make web pages load faster. One way to do this is by making web images smaller. This is especially important for mobile devices where smaller images save both bandwidth and battery life. Earlier this month, we released version 0.2 of the WebP library that adds support for lossless and transparency modes to compress images. This version provides CPU and memory performance comparable to or better than PNG, yet results in 26% smaller files.
WebP’s improved compression comes from advanced techniques such as dedicated entropy codes for different color channels, exploiting 2D locality of backward reference distances and a color cache of recently used colors. This complements basic techniques such as dictionary coding, Huffman coding and color indexing transform. We think that we've only scratched the surface in improving compression. Our newly added support for alpha transparency with lossy images promises additional gains in this space, helping make WebP an efficient replacement for PNG.
The new WebP modes are supported natively in the latest Beta version of Chrome. The bit stream specification for these new WebP modes has been finalized and the container specification has been updated. We thank the community for their valuable feedback and for helping us evolve WebP as a new image compression format for the web. We encourage you to try these new compression methods on your favorite set of images, check out the code, and continue to provide feedback.
Posted by Jyrki Alakuijala - Software Engineer
Octane: the JavaScript benchmark suite for the modern web
Tuesday, August 21, 2012
The web is evolving and so should the JavaScript benchmarks that measure its performance. Today, we are releasing Octane, a JavaScript benchmark suite that aims to measure a browser’s performance when running the complex and demanding web applications that users interact with daily.
Most of the existing JavaScript benchmarks run artificial tests that were created on an ad-hoc basis to stress a specific JavaScript feature. Octane breaks with this tradition and extends the former V8 Benchmark Suite with 5 new benchmarks created from full, unaltered [1], well-known web applications and libraries. A high score in the new benchmarks directly translates to better and smoother performance in similar web applications.
Here is an overview of the new tests:
Box2DWeb runs a JavaScript port of a popular 2D physics engine that is behind many well-known simulations and web games.
Mandreel puts a JavaScript port of the 3D Bullet Engine to the test with a twist: The original C++ source code for the engine is translated to JavaScript by Onan Games’ Mandreel compiler, which is also used in countless web-based games.
Pdf.js is based on Mozilla’s PDF reader and shows how JavaScript applications can replace complex native browser plug-ins. It measures how fast the browser decodes a sample PDF document.
GB Emulator is derived from an open source emulator of a famous game console running a 3D demo.
CodeLoad measures how quickly a JavaScript engine can bootstrap commonly used JavaScript libraries and start executing code in them. The source for this test is derived from open source libraries (Closure, jQuery).
Besides an expanded set of benchmarks, Octane also has an interface that makes it easier to read and that adapts automatically to tablet and mobile screens.
You can try out Octane yourself, browse the source code, or read more about each benchmark at the Octane site. Still have some questions? Have a look at the FAQ page.
[1] Beside glue logic and emulation of canvas / DOM interaction where necessary.
Posted by Stefano Cazzulani, Product Manager
Announcing Pwnium 2
Wednesday, August 15, 2012
The first Pwnium competition held earlier this year exceeded our expectations. We received two submissions of such complexity and quality that both of them won Pwnie Awards at this year’s Black Hat industry event. Most importantly, we were able to make Chromium significantly stronger based on what we learned.
We’re therefore going to host another Pwnium competition, called... Pwnium 2. It will be held on Oct 10th, 2012 at the Hack In The Box 10 year anniversary conference in Kuala Lumpur, Malaysia.
This time, we’ll be sponsoring up to $2 million worth of rewards at the following reward levels:
$60,000: “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
$50,000: “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows kernel bug.
$40,000: “Non-Chrome exploit”: Flash / Windows / other. Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver.
$Panel decision: “Incomplete exploit”: An exploit that is not reliable, or an incomplete exploit chain. For example, code execution inside the sandbox but no sandbox escape; or a working sandbox escape in isolation. For Pwnium 2, we want to reward people who get “part way” as we could definitely learn from this work. Our rewards panel will judge any such works as generously as we can.
Exploits should be demonstrated against the latest stable version of Chrome. Chrome and the underlying operating system and drivers will be fully patched and running on an Acer Aspire V5-571-6869 laptop (which we’ll be giving away to the best entry.) Exploits should be served from a password-authenticated and HTTPS Google property, such as App Engine. The bugs used must be novel i.e. not known to us or fixed on trunk. Please document the exploit.
You may have noticed that we’ve compressed the reward levels closer together for Pwnium 2. This is in response to feedback, and reflects that any local account compromise is very serious. We’re happy to make the web safer by any means -- even rewarding vulnerabilities outside of our immediate control.
Another well-received piece of feedback from the first Pwnium was that more notice would have been nice. Accordingly, we’re giving about two months notice. We hope this gives enough time for the security community to craft more beautiful works, which we’d be more than happy to reward and celebrate.
Posted by Chris Evans, Software Engineer
Chromium Vulnerability Rewards Program: larger rewards!
Tuesday, August 14, 2012
The Chromium Vulnerability Rewards Program was created to help reward the contributions of security researchers who invest their time and effort in helping us make Chromium more secure. We’ve been very pleased with the response: Google’s various vulnerability reward programs have kept our users protected and netted more than $1 million of total rewards for security researchers. Recently, we’ve seen a significant drop-off in externally reported Chromium security issues. This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger.
Therefore, we’re making the following changes to the reward structure:
Adding a bonus of $1,000 or more on top of the base reward for “particularly exploitable” issues. The onus is on the reporter to provide a quick demonstration as part of the repro. For example, for a DOM-based use-after-free, one might use JavaScript to allocate a specific object type in the “freed” slot, resulting in a vtable dereference of 0x41414141.
Adding a bonus of $1,000 or more on top of the base reward for bugs in stable areas of the code base—see below for an example. By “stable”, we mean that the defect rate appears to be low and we think it’s harder to find a security bug in the area.
Adding a bonus of $1,000 or more on top of the base reward for serious bugs which impact a significantly wider range of products than just Chromium. For example, certain open source parsing libraries—see below for an example.
The rewards panel has always reserved the right to reward at our discretion. At times, rewards have reached the $10,000 level for particularly significant contributions. An extraordinary contribution could be a sustained level of bug finding, or even one individual impressive report. Examples of individual items that might impress the panel include:
Nvidia / ATI / Intel GPU driver vulnerabilities. High or critical severity vulnerabilities in the respective Windows drivers, demonstrated and triggered from a web page. Submissions on Chrome OS would also be interesting. Chrome OS typically runs on a device with an Intel GPU.
Local privilege escalation exploits in Chrome OS via the Linux kernel. Chrome OS has a stripped-down kernel, so a working exploit against it would certainly be worth examining. We reserve the right to reward more generously if the exploit works inside our “setuid sandbox” and / or our fast-evolving “seccomp BPF sandbox”.
Serious vulnerabilities in IJG libjpeg. For well over a decade, there hasn’t been a serious vulnerability against IJG libjpeg. Can one be found?
64-bit exploits. Any working code execution exploit on a 64-bit Chrome release. Sandbox escape not required.
Renderer to browser exploit. Any working browser code execution exploit, starting from the assumed precondition of full code execution inside a normal web renderer or PPAPI process.
Aside from the new bonuses, it’s worth recapping some details of the existing reward structure that aren’t as widely known:
Our reward program covers vulnerabilities in Adobe Flash as well as other well-known software such as the Linux kernel, various open-source libraries and daemons, X windows, etc.
Our base reward is $2,000 for well-reported UXSS bugs, covering both the Chromium browser and also Adobe Flash. (With the new reward bonus for exploitability, UXSS rewards will likely become $4,000.)
Our reward program already includes a bonus of $500 to $1,000 when the reporter becomes a more involved Chromium community member and provides a peer-reviewed patch.
We have always considered rewards for regressions affecting our Beta or Dev channel releases. It’s a big success to fix security regressions before they ship to the Stable channel.
To illustrate how the new reward bonuses will work, we’re retroactively applying the bonuses to some older, memorable bugs:
$1,000 to Atte Kettunen of OUSPG for bug 104529 (new total: $2,000). We believe that our PDF component is one of the more secure (C++) implementations of PDF, hence the $1,000 top-up.
$3,000 to Jüri Aedla for bug 107128 (new total: $4,000). There is a $1,000 bonus because this bug affects many projects via core libxml parsing, and we added a $2,000 bonus for exploitability: this is a heap-based buffer overflow involving user-controlled data with a user-controlled length.
We’re more excited than ever to work with the community and reward their efforts.
Posted by Chris Evans, Software Engineer
The evolution of Chrome packaged apps
Thursday, August 9, 2012
Just over a month ago, at Google I/O, we announced significant changes to Chrome’s packaged application platform. These changes are intended to allow apps to break out of the browser, work offline by default, and enable richer, more immersive experiences.
Check out our overview video for a quick intro to the new platform.
With the latest version of Chrome in the developer channel, you can build, load, debug and test your apps without command-line flags, although you may need to enable experimental APIs in some cases. Because we’re still in developer preview mode, the Chrome Web Store doesn’t yet accept uploads of these new packaged apps. We’ll enable web store support later this year, and when we flip that switch, users will be able to discover and download your apps directly from the store.
In order to get started building apps, visit our developer documentation at developer.chrome.com/apps and check out our growing list of sample applications on Github (thanks for the pull requests; keep them coming). If you’d like to reach us while you’re building apps, you can join us on the #chromium-apps Freenode IRC channel, join the chromium-apps group or report an issue.
We’re also starting a regular weekly hangout every Tuesday at 9:30am (Pacific Time). Our first one will take place on Tuesday, August 14th. You can add a reminder to your calendar and then tune in at Google Developers Live. And be sure to add +Google Chrome Developers to your circles to keep up on the latest from the Chrome team.
Posted by Mike Tsao, Evolved Software Engineer