Plus some interesting new side-channel attack possibilities for crims to play with
With Silicon Valley under lockdown, Chrome 82 has been abandoned by Google, but the Chocolate Factory boffins haven’t been slacking and on Thursday released the beta build of Chrome 83 ahead of schedule.
On March 18, Google paused the development of Chrome, Chromium, and Chrome OS releases due to the labor challenges posed by COVID-19 public health actions. Eight days later, production resumed under a modified schedule that saw the cancellation of Chrome 82.
Planned technical changes in that release were moved to Chrome 83, which is set to debut in mid-May – three weeks earlier than initially planned. The beta version of Chrome 83 has some definite pluses, including a safer way to access abusable browser profiling capabilities and various useful features like the ability to detect barcodes in web apps.
But Chrome 83 also adds support for two new HTTP headers – Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy. These provide a way to use browser profiling features that raise the risk of side-channel attacks, like Spectre, by limiting the loading of cross-origin (cross-domain) resources and windows.
When a server sends these headers to a browser, web pages can safely use memory measurement features like Performance.measureMemory() that would otherwise enable side-channel memory probing.
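A check for the headers described above, as an added example that is not from the article or from Google: it takes one response's headers and reports whether they would put the page in the cross-origin isolated state. The header names and accepted values follow the HTML specification rather than the article, and the function and sample names are hypothetical.

```javascript
// Added example. Accepted values are taken from the HTML specification's
// cross-origin isolation rules, not from the article.
const REQUIRED = {
  "cross-origin-opener-policy": ["same-origin"],
  // "credentialless" entered the specification after Chrome 83.
  "cross-origin-embedder-policy": ["require-corp", "credentialless"],
};

// Header names are case-insensitive, so lower-case them. Keep only the
// policy token and drop parameters such as `; report-to="endpoint"`.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).split(";")[0].trim();
  }
  return out;
}

// Returns { isolated, problems } for one response's headers.
function checkIsolationHeaders(headers) {
  const h = normalize(headers);
  const problems = [];
  for (const [name, accepted] of Object.entries(REQUIRED)) {
    if (!(name in h)) {
      // A report-only header collects violation reports but enforces nothing.
      const note = (name + "-report-only") in h
        ? " (only the report-only variant is set, which does not enforce)"
        : "";
      problems.push(`${name} missing${note}`);
    } else if (!accepted.includes(h[name])) {
      problems.push(`${name}: "${h[name]}" does not isolate; use ${accepted[0]}`);
    }
  }
  return { isolated: problems.length === 0, problems };
}

// Constructed sample responses (not captured traffic).
const samples = {
  isolated: { "Cross-Origin-Opener-Policy": "same-origin",
              "Cross-Origin-Embedder-Policy": 'require-corp; report-to="coep"' },
  popups: { "cross-origin-opener-policy": "same-origin-allow-popups",
            "cross-origin-embedder-policy": "require-corp" },
  reportOnly: { "Cross-Origin-Opener-Policy": "same-origin",
                "Cross-Origin-Embedder-Policy-Report-Only": "require-corp" },
};

for (const [label, hdrs] of Object.entries(samples)) {
  const r = checkIsolationHeaders(hdrs);
  console.log(label, r.isolated ? "isolated" : r.problems.join("; "));
}
```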
The update also adds support for Trusted Types, a technology that provides a defense against DOM-based cross-site scripting (DOM XSS), a common web security vulnerability.
The browser update also has better looking, more accessible form controls – the buttons, boxes, and other widgets on web pages for entering information. There’s another accessibility improvement too – support for new Accessible Rich Internet Applications (ARIA) markup to make comments, suggestions and annotations in online documents like Google Docs available to screen readers.
Developers looking to create web apps that implement barcode detection should appreciate the inclusion of the Barcode Detection API, a subset of the Shape Detection API, which can be used to identify and decode barcodes within an image. This obviates the need for a third-party library but does come with a condition: It’s only available on devices with Google Play Services installed.
Those looking to create an <input> element with a time datatype that starts before midnight and ends after it will be glad to hear that Chrome 83 has added support for reversed ranges. This capability, which has been part of the HTML spec for a while but not implemented in Chrome, allows the value for the “min” attribute to be greater numerically (though earlier in time) than the value of the “max” attribute.
Many other possibly helpful capabilities and origin trials – features available for testing and feedback – are described in Google’s Chrome 83 beta blog post. ®