Meanwhile, Chrome 70 Beta rolls out dev and security goodies
Google Chrome 70 arrived as a beta release on Thursday, bringing with it a handful of meaningful improvements and some more esoteric features of interest to developers.
Available on the Chrome Beta channel for Android, Chrome OS, Linux, macOS, and Windows – the iOS beta requires participation in Apple’s TestFlight program – Chrome 70 implements a Shape Detection API that allows web apps to do things like detect faces in images, read barcodes and parse text in images.
The API is particularly promising for mobile web apps, which can now return the location of facial features within an image, turn barcodes and QR codes into strings and read Latin alphabet text found in pictures.
The Chrome team has also updated the browser’s Web Authentication API with a third type of credential, PublicKeyCredential, to complement the two other types it already supports, PasswordCredential and FederatedCredential.
The PublicKeyCredential type allows individuals to log in using mechanisms that support an asymmetric key pair, which is potentially more secure than a password. Two devices that do so are the Android fingerprint reader and the macOS TouchID sensor, which means websites implementing the Web Authentication API will be able to read the PublicKeyCredential passed from either of these biometric sensors to log the user in.
There’s a privacy enhancement as well. Chrome 70 beta for Android will follow Chrome 69 for iOS in removing the OS build number from the user-agent string that the browser passes to visited websites.
This bit of data can be used – along with other technical metrics – to create what’s known as a browser fingerprint by which users can be tracked through their specific device configuration and capabilities. Its absence (in iOS, to match Safari’s parallel effort, it’s frozen as « 15E148 » rather than removed) should make browser fingerprinting less accurate and make it more difficult to serve exploits to specific operating system versions.
Along similar lines, Chrome will now exit full screen mode when a webpage shows a dialog box. This is to help provide the necessary context for users to make decisions when web apps ask for data or permission.
Chrome 70 beta implements TLS 1.3, an improved version of the web security protocol that became an official standard in August. TLS 1.3 manages to be both more efficient than preceding iterations, requiring fewer roundtrips between client and server, and more secure, through the encryption of more of the handshake negotiation.
The browser update also adds support for the Opus codec in the mp4 container via the Media Source Extensions API, so Opus-encoded audio can be streamed. And it brings Web Bluetooth support to Chrome for Windows 10. Google’s blog post on the subject goes into more detail about developer-oriented additions like intervention reports.
Earlier this week, Google Chrome security product manager Emily Schechter said that Google, in response to community feedback, has decided to roll back Chrome 69’s habit of hiding the subdomains « www » and « m » in URLs displayed in the browser’s omnibox, via an update to Chrome 69 for Desktop and Android.
In Chrome 70 – stable release planned for mid-October – the browser will elide « www » but not « m. » In a Chromium bug report thread, Schechter explained, « We are not going to elide ‘m’ in M70 (milestone 70) because we found large sites that have a user-controlled ‘m’ subdomain. There is more community consensus that sites should not allow the ‘www’ subdomain to be user controlled. »
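The concern behind that decision can be checked by a site operator with a short audit. The following is an added example, not Chromium's code or anything from the original article: it uses a simplified model that hides one leading label when at least two labels remain, and the function names and hostnames are hypothetical, constructed sample data.

```javascript
// Added example: simplified model of omnibox subdomain elision.
// Assumption: one leading label is hidden if it is on the elided list and
// at least two labels remain. This is not Chromium's actual logic.
function displayHost(host, elided) {
  const labels = host.toLowerCase().split('.');
  if (labels.length > 2 && elided.includes(labels[0])) {
    return labels.slice(1).join('.');
  }
  return host.toLowerCase();
}

// Group distinct hosts that would be displayed as the same string.
function findCollisions(hosts, elided) {
  const byDisplay = new Map();
  for (const h of new Set(hosts.map((x) => x.toLowerCase()))) {
    const shown = displayHost(h, elided);
    if (!byDisplay.has(shown)) byDisplay.set(shown, []);
    byDisplay.get(shown).push(h);
  }
  const out = {};
  for (const [shown, group] of byDisplay) {
    if (group.length > 1) out[shown] = group.sort();
  }
  return out;
}

// Labels a platform lets users claim that the elision policy would hide.
// These are the ones an operator should reserve.
function riskyTenantLabels(tenantLabels, elided) {
  return tenantLabels.map((l) => l.toLowerCase()).filter((l) => elided.includes(l));
}

const CHROME_69 = ['www', 'm']; // labels hidden by Chrome 69, per the article
const CHROME_70 = ['www'];      // Chrome 70 hides only "www"

// Constructed sample: a platform where users pick <label>.blogs.example
const hosts = ['blogs.example', 'm.blogs.example', 'www.blogs.example', 'alice.blogs.example'];
const tenantLabels = ['alice', 'm', 'shop'];

console.log('Chrome 69 collisions:', findCollisions(hosts, CHROME_69));
console.log('Chrome 70 collisions:', findCollisions(hosts, CHROME_70));
console.log('Labels to reserve (69):', riskyTenantLabels(tenantLabels, CHROME_69));
console.log('Labels to reserve (70):', riskyTenantLabels(tenantLabels, CHROME_70));
```

Under the Chrome 69 list, the user-claimable `m.blogs.example` is displayed identically to the platform's own `blogs.example`; under the Chrome 70 list only the `www` host collapses.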
Among those skeptical of Google’s URL handling change, it’s been suggested that the Chocolate Factory’s motivation is to conceal when it serves Accelerated Mobile Page (AMP) versions of websites, a technology that some argue empowers Google and disempowers publishers.
Google intends to take up the handling of these subdomains with web standards bodies as special cases. « We do not plan to standardize how browsers should treat these special cases in their UI, » said Schechter. « We plan to revisit the ‘m’ subdomain at a later date, after having an opportunity to discuss further with the community. »
To judge by the comments appended to Schechter’s bug report post, the community would prefer URLs to remain unaltered. ®