Thursday, 8 December, 2016 UTC


Summary

Unless otherwise noted, changes described below apply to the newest Chrome Beta channel release for Android, Chrome OS, Linux, Mac, and Windows.


“Not Secure” warning for HTTP password and credit card pages


To help users browse safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Starting in version 56, Chrome will mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure. The feature will roll out gradually over the next few weeks.

To avoid being labeled insecure, sites should secure their traffic with HTTPS and follow general security guidelines.

Chrome ‘Not Secure’ warning appearing in the URL bar for a site with an HTTP connection  
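A site owner can check their own pages for the condition described above before the warning rolls out. The following is an added example, not Chrome's implementation or code from the original post; the detection rules (`type=password`, or an `autocomplete` token starting with `cc-`), the function names and the sample markup are assumptions.

```javascript
// Added example, not Chrome's implementation: flag HTTP pages whose markup
// contains password or credit-card inputs. Detection rules are assumptions.

// Parse the attribute text of one <input> tag into a lowercase-keyed map.
function parseAttrs(text) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] || m[3] || m[4] || '').trim();
  }
  return attrs;
}

// Return the inputs that look like password or payment-card fields.
// Simple scan: an attribute value containing '>' would end the tag early.
function sensitiveInputs(html) {
  const found = [];
  for (const m of html.matchAll(/<input\b([^>]*)>/gi)) {
    const a = parseAttrs(m[1]);
    const tokens = (a.autocomplete || '').toLowerCase().split(/\s+/);
    if ((a.type || '').toLowerCase() === 'password') {
      found.push({ kind: 'password', name: a.name || '' });
    } else if (tokens.some((t) => t.startsWith('cc-'))) {
      found.push({ kind: 'credit-card', name: a.name || '' });
    }
  }
  return found;
}

// A page is reported when it is served over plain HTTP and has such a field.
function auditPage(pageUrl, html) {
  const fields = sensitiveInputs(html);
  const insecure = new URL(pageUrl).protocol === 'http:';
  return { url: pageUrl, fields, notSecure: insecure && fields.length > 0 };
}

// Constructed sample markup (not taken from any real site).
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type=password name=pw required>
  <input name='card' autocomplete="section-pay cc-number">
</form>`;

for (const url of ['http://shop.example/login', 'https://shop.example/login']) {
  console.log(JSON.stringify(auditPage(url, SAMPLE_HTML)));
}
```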

Web Bluetooth

Sites can now interact with Bluetooth Low Energy (BLE) devices using the Web Bluetooth API on Android, Chrome OS, and Mac. The Web Bluetooth API uses the GATT protocol, which enables web developers to connect to Bluetooth devices such as printers and LED displays with just a few lines of JavaScript. Web Bluetooth can also be combined with Physical Web beacons to discover and control nearby devices. To get started, check out these samples and demos on GitHub.

An Android device connecting to a BLE-enabled heart rate monitor via the web (source)

CSS position: sticky

Chrome now supports CSS position: sticky, a new way to position elements. A position: sticky element is relatively positioned, but becomes position: fixed after the user reaches a certain scroll position.

Previously, building content headers that scrolled normally until sticking to the top of the viewport required listening to scroll events and switching an element’s position from relative to fixed at a specified threshold. This solution was difficult to synchronize, resulting in small visual jumps. Now, users can achieve the desired effect by simply positioning their elements as sticky.


Other features in this release
  • The new Remote Playback API on Android enables sites to initiate and control playback of an HTMLMediaElement on smart TVs and speakers.
  • The WebVR API is available on Android as an origin trial, allowing developers to create virtual reality experiences on the web.
  • The WebGL 2.0 API is enabled by default on desktop platforms, providing OpenGL ES 3.0 level rendering capabilities via the <canvas> element.
  • Support for Adobe Flash will no longer be advertised in navigator.plugins and navigator.mimeTypes if the user has not substantially interacted with a site, though users can re-enable Flash experiences on a per-site basis.
  • Sites can now experiment with taking photos and configuring camera settings like zoom using the Image Capture origin trial.
  • When content changes above the viewport, Chrome now automatically adjusts the scroll position to keep content in the viewport fixed unless the CSS overflow-anchor property is set.
  • The Notifications API now allows sites to include an image in notifications by setting the image property.
  • The PaymentRequest API has a variety of new features including requestPayerName and JSON serialization.
  • Showing and hiding the URL bar on mobile no longer resizes the initial containing block or elements sized with viewport units such as vh.
  • Text input elements such as <input type="text"> now have spell-checking enabled by default on Android devices with at least 512 MB of memory and a system dictionary.
  • The generic font family used to fit content within the UI has been standardized and renamed as system-ui on all platforms.
  • The new Referrer-Policy HTTP header lets sites control how much of the page URL is sent as the referrer when forwarding traffic, so that the user’s session identifier or other private information in the URL is not leaked.
  • KeyboardEvent.isComposing() allows sites to determine if the user is typing based on recent KeyboardEvents, without monitoring keyboard events directly.
  • Chrome for Android now sets the default preload attribute for videos to metadata on cellular connections, showing a preview image and time information to match other mobile browsers.
  • Chrome now supports TLS 1.3 and includes 1-RTT based on draft-18.
  • Sites can use ImageBitmapRenderingContext to reduce memory consumption and compositing overhead by rendering pixel data in the form of an ImageBitmap.
  • Sites can respond to pinch gestures using the pinch-zoom CSS touch-action property.
  • ConstantSourceNode is a new audio source node that produces a constant output mixed with an AudioParam.
  • Two Web Audio ChannelSplitterNode Interface attributes are now read-only: channelCount, which is defined by numberOfOutputs in createChannelSplitter(), and channelCountMode, which is set to explicit.
  • PannerNode.rolloffFactor now clamps to the nominal range of a PannerNode’s distance model to describe the volume reduction rate as the source moves away from the listener.
  • window.prompt() will no longer focus its parent tab if the page is not currently in the foreground, and the dialog will be automatically dismissed.
  • To match behavior on Windows, Chrome Extensions can now override default search, startup, and homepage settings on Mac with the Chrome Settings Overrides API.
  • Support for FLAC is enabled within the FLAC and Ogg containers for the <audio> tag and decodeAudioData().
  • OPUS can now be used with decodeAudioData(), expanding the variety of audio codecs supported by the WebAudio API.

Deprecations and interoperability improvements
  • The WebAudio API no longer includes the deprecated Doppler API, including speedOfSound, dopplerFactor, and setVelocity.
  • To improve standards conformance, RTCPeerConnection now accepts iceTransportPolicy as an RTCConfiguration parameter as well as iceTransports.
  • RTCPeerConnection is now available without a webkit prefix, though webkitRTCPeerConnection still remains.
  • Non-whitespace Unicode control characters will now be rendered according to the specification, rather than being ignored.
  • The reflected-xss directive has been removed from Content Security Policy 2 since it was solely a wrapper for the X-XSS-Protection header and provided no additional functionality.
  • Support for the MediaStreamTrack.getSources() method has been removed in favor of MediaDevices.enumerateDevices().
  • The CSP referrer directive is no longer supported in favor of the new Referrer-Policy header.
  • ShadowDOM’s slotchange events bubble, but are no longer re-fired at a slot's assignedSlot.
  • Legacy CBC-mode ECDSA cipher suites ECDHE_ECDSA_WITH_AES_128_CBC_SHA and ECDHE_ECDSA_WITH_AES_256_CBC_SHA have been removed in favor of modern ciphers such as ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
  • ECDSA with SHA-1 and ECDSA with SHA-512 have both been removed to reduce dependencies on SHA-1 and align with TLS 1.3's new ECDSA handling.
  • Chrome no longer allows opening of pop-ups during inputs which represent a touch scroll, such as touchstart and touchmove.
  • Sites will no longer initiate fetches for scripts with invalid type or language attributes, such as type="python", unless triggered by declarative fetches using link preload.
  • MIDIMessageEvent.receivedTime has been deprecated in favor of Event.timeStamp, since Event.timeStamp now supports high-resolution monotonic time instead of epoch time.

Posted by Vincent Scheib, Web Bluetooth Orthodontist