Google today launched Chrome 74 for Windows, Mac, Linux, Android, and iOS. The release includes support for a reduced motion media query, private class fields, feature policy improvements, and more developer features. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.
With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often must stay on top of everything available, as well as what has been deprecated or removed. Most notably, Chrome 74 removes popups during page unload.
Before we jump into the new features, a quick word on dark mode. Chrome 73 introduced dark mode for Mac users, and Chrome 74 was supposed to do the same for Windows users. For whatever reason, the functionality isn’t in Chrome 74, even though the support page is live.
Reducing motion sickness
Motion sickness in the browser is a real thing. Android provides an accessibility option to reduce motion whenever possible: the “remove animations” setting. Chrome is now taking that a step further so websites can limit motion sickness when viewing parallax scrolling, zooming, and other motion effects.
Chrome 74 introduces prefers-reduced-motion (part of Media Queries Level 5), which allows websites to honor an operating system setting that limits motion effects. This might not seem like a big deal today, but it could be very useful if websites start abusing motion effects.
Android and iOS
Chrome 74 for Android is rolling out slowly on Google Play. It includes stability and performance improvements, and renames Data Saver as Lite Mode. In related news, Google also killed off the Data Saver extension.
Chrome 74 for iOS is also rolling out slowly on Apple’s App Store.
Chrome 74 also implements 39 security fixes. The following were found by external researchers:
- [$3000] High CVE-2019-5805: Use after free in PDFium. Reported by Anonymous on 2018-12-10
- [$3000] High CVE-2019-5806: Integer overflow in Angle. Reported by Wen Xu of SSLab, Georgia Tech on 2019-03-18
- [$3000] High CVE-2019-5807: Memory corruption in V8. Reported by TimGMichaud of Leviathan Security Group on 2019-03-26
- [$3000] High CVE-2019-5808: Use after free in Blink. Reported by cloudfuzzer on 2019-03-28
- [$N/A] High CVE-2019-5809: Use after free in Blink. Reported by Mark Brand of Google Project Zero on 2019-03-12
- [$2000+$1,337] Medium CVE-2019-5810: User information disclosure in Autofill. Reported by Mark Amery on 2018-12-20
- [$2000] Medium CVE-2019-5811: CORS bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-10-04
- [$2000] Medium CVE-2019-5812: URL spoof in Omnibox on iOS. Reported by Khalil Zhani on 2019-01-26
- [$2000] Medium CVE-2019-5813: Out of bounds read in V8. Reported by Aleksandar Nikolic of Cisco Talos on 2019-03-15
- [$1000] Medium CVE-2019-5814: CORS bypass in Blink. Reported by @AaylaSecura1138 on 2019-02-08
- [$1000] Medium CVE-2019-5815: Heap buffer overflow in Blink. Reported by Nicolas Grégoire, Agarri on 2019-02-11
- [$1000] Medium CVE-2019-5816: Exploit persistence extension on Android. Reported by Yongke Wang of Tencent’s Xuanwu Lab (xlab.tencent.com) on 2019-03-10
- [$1000] Medium CVE-2019-5817: Heap buffer overflow in Angle on Windows. Reported by Wen Xu of SSLab, Georgia Tech on 2019-03-19
- [$500] Medium CVE-2019-5818: Uninitialized value in media reader. Reported by Adrian Tolbaru on 2019-02-08
- [$N/A] Medium CVE-2019-5819: Incorrect escaping in developer tools. Reported by Svyat Mitin on 2019-01-06
- [$N/A] Medium CVE-2019-5820: Integer overflow in PDFium. Reported by pdknsk on 2019-01-07
- [$N/A] Medium CVE-2019-5821: Integer overflow in PDFium. Reported by pdknsk on 2019-01-07
- [$500] Low CVE-2019-5822: CORS bypass in download manager. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-01-29
- [$500] Low CVE-2019-5823: Forced navigation from service worker. Reported by David Erceg on 2019-02-08
- Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $26,837 in bug bounties for this release, or double last month’s spending. As always, the security fixes alone should be enough incentive for you to upgrade.
Chrome 72 introduced ECMAScript’s public class fields, which simplify class syntax by avoiding the need for constructor functions just to define instance properties. Chrome 74 lets you mark a field as private (just prepend the field with a #) and no consumer of the class can ever access its value. As with public class fields, your properties do not need to be in a constructor. Unlike public fields, private fields are not accessible outside of the class body.
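The following added example (not from the original article) keeps a secret in a private field and checks what outside code can observe of it. The class name `SessionToken`, the helper names, and the sample value are constructed for illustration.

```javascript
// Added example: a token holder whose secret lives in a private field.
class SessionToken {
  #secret;            // private: readable only by code inside this class body
  #uses = 0;          // private field with an initializer, no constructor needed
  label = "session";  // public class field (available since Chrome 72)

  constructor(secret) {
    this.#secret = secret;
  }

  matches(candidate) {
    this.#uses += 1;
    return candidate === this.#secret;
  }

  get uses() { return this.#uses; }
}

// Collects the ways ordinary outside code can enumerate or serialize state.
function visibleSurface(obj) {
  return {
    keys: Object.keys(obj),
    ownNames: Object.getOwnPropertyNames(obj),
    symbols: Object.getOwnPropertySymbols(obj).length,
    json: JSON.stringify(obj),
    bracket: obj["#secret"], // a string key "#secret" is unrelated to the field
  };
}

// Referencing #secret outside the class body is rejected at parse time, so the
// offending source is compiled lazily to keep this file itself parseable.
function outsideAccessError() {
  try {
    new Function("o", "return o.#secret;");
    return null;
  } catch (e) {
    return e.name;
  }
}

const demoToken = new SessionToken("constructed-sample-value");
console.log(visibleSurface(demoToken), outsideAccessError());
```

Private fields do not show up in property enumeration or `JSON.stringify()` output, so an instance that is logged or serialized does not carry the value along.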
frame.featurePolicy, via three functions:
- allowedFeatures() returns a list of features allowed by the current domain.
- allowsFeature() returns a boolean indicating whether a specific feature is allowed by either the current domain or by the specified domain.
- getAllowlistForFeature() returns a list of domains used on the current page that allow a specified feature.
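As an added example (not from the original article), the three functions listed above can drive a small audit that reports which sensitive features a page or its embedded origins are allowed to use. The function names, the feature list, the `*.example` origins, and the `samplePolicy` stand-in that lets the code run outside a browser are all constructed for illustration.

```javascript
// Features most pages do not need; any that are allowed deserve a review.
const SENSITIVE = ["camera", "microphone", "geolocation", "payment"];

// policy: an object exposing allowedFeatures(), allowsFeature() and
// getAllowlistForFeature(), such as document.featurePolicy in Chrome 74.
// embeddedOrigins: origins of third-party frames the page is known to embed.
function auditFeaturePolicy(policy, embeddedOrigins, sensitive = SENSITIVE) {
  const allowedHere = new Set(policy.allowedFeatures());
  const findings = [];
  for (const feature of sensitive) {
    const allowlist = policy.getAllowlistForFeature(feature);
    const exposedTo = embeddedOrigins.filter((o) => policy.allowsFeature(feature, o));
    if (!allowedHere.has(feature) && exposedTo.length === 0) continue;
    findings.push({
      feature,
      allowedHere: allowedHere.has(feature),
      wildcard: allowlist.includes("*"), // "*" means every origin is allowed
      exposedTo,
    });
  }
  return findings;
}

// Constructed stand-in for a browser policy object, built from a table of
// feature -> allowlist, so the audit can be exercised offline.
function samplePolicy(selfOrigin, table) {
  const list = (f) => table[f] || [];
  const allows = (f, origin = selfOrigin) =>
    list(f).includes("*") || list(f).includes(origin);
  return {
    allowedFeatures: () => Object.keys(table).filter((f) => allows(f)),
    allowsFeature: allows,
    getAllowlistForFeature: list,
  };
}

// In a browser console: auditFeaturePolicy(document.featurePolicy, [...origins])
const demoFindings = auditFeaturePolicy(
  samplePolicy("https://app.example", { camera: ["https://app.example"], geolocation: ["*"] }),
  ["https://ads.example"]
);
console.log(demoFindings);
```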
Other developer features in this release include:
- sampleRate option for the AudioContext constructor: Sets the “sampleRate” to a particular value for an AudioContext that will be created. This allows developers to set an arbitrary sample rate for audio processing in Web Audio API that is separate from the hardware rate. Use this to reduce complexity (by using a lower sample rate) or make the sample rate consistent across all devices by using a fixed rate and letting WebAudio resample appropriately for the hardware rate.
- Intl.Locale: Chrome now supports the Intl.Locale class, which allows parsing and manipulating the language, region, and script of a locale; reading or writing the Unicode extension tags in a locale; storing user locale preferences for this API in a serializable, standard format (rather than using a combination of language and the options object).
- Signed exchange reporting for distributors: Signed Exchange Reporting for distributors extends Network Error Logging to enable the distributors of signed exchanges to investigate signed exchange loading errors such as certificate verification errors.
- TextEncoder encodeInto() method: Chrome now supports TextEncoder.prototype.encodeInto(), which allows an encoded string to be written directly “into” a supplied pre-allocated buffer, offering a performant alternative to using encode() to produce a buffer, and copying its contents into an existing buffer.
- Service worker: client.postMessage() is buffered until the document is ready. To prevent messages from being delivered before the destination is ready, client.postMessage() does not dispatch the message until one of the following has occurred on the destination:
DOMContentLoaded event is fired,
onmessage is set, or
- CSS transition events: The CSS Transitions specification requires that transition events are sent when a transition is enqueued, starts, ends, or is canceled as transitioncancel respectively. These events mirror the CSS animation events which allow developers to observe CSS animations. Chrome now follows the specification.
RTCIceCandidateInit now comply with the specification. The RTCIceCandidate interface describes an ICE candidate in WebRTC. It is available in Chrome, but it is not spec compliant as it is missing some fields. There are also some deviations from the specification in terms of nullable and read-only attributes and errors thrown by the constructor.
- XHR falls back to UTF-8 when invalid encoding is specified: When an invalid encoding is specified for an XMLHttpRequest (via overrideMimeType() or the response’s MIME type), UTF-8 is used in conformance with the specification. Previously Latin-1 was used.
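For the TextEncoder encodeInto() item in the list above, this added example (not from the original article) packs strings into a fixed-size buffer and uses the returned `read` and `written` counts to detect truncation. The helper names `writeField` and `packRecord` and the sample strings are constructed for illustration.

```javascript
const encoder = new TextEncoder();

// Writes as much of `text` as fits into `target` starting at `offset`.
// encodeInto() reports `read` (UTF-16 code units consumed) and `written`
// (bytes stored); it never stores part of a multi-byte character.
function writeField(target, offset, text) {
  const { read, written } = encoder.encodeInto(text, target.subarray(offset));
  return {
    next: offset + written,
    written,
    truncated: read < text.length,
    unread: text.slice(read), // the part that did not fit
  };
}

// Packs fields back to back into one pre-allocated record and stops at the
// first field that does not fit completely, so the caller can reject the
// record rather than ship silently shortened data.
function packRecord(fields, size) {
  const record = new Uint8Array(size);
  let offset = 0;
  for (const [i, text] of fields.entries()) {
    const r = writeField(record, offset, text);
    offset = r.next;
    if (r.truncated) {
      return { record, used: offset, complete: false, failedAt: i, unread: r.unread };
    }
  }
  return { record, used: offset, complete: true, failedAt: -1, unread: "" };
}

// Constructed sample input: the second field overflows a 6-byte record.
console.log(packRecord(["ab", "日本"], 6));
```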
For a full rundown of what’s new, check out the Chrome 74 milestone hotlist.
Google releases a new version of its browser every six weeks or so. Chrome 75 will arrive by early June.