Chrome is arguably more than a browser. With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.
The WebUSB API meanwhile allows web apps to access user-permitted USB devices. This enables all the functionality provided by hardware peripherals such as keyboards, mice, printers, and gamepads, while still preserving the security guarantees of the web.
Other developer features in this release include:
- The Network Information API is now available on desktop as well as Android, enabling sites to access the underlying connection information of a device.
- Developers can now specify scrolling smoothness via a new optional parameter in existing Scroll APIs or with the scroll-behavior CSS property.
- CSS color values can now be 8- and 4-digit hex colors of the format #RRGGBBAA and #RGBA.
- Sites can now access the relative positions of the screen content with the Visual Viewport API, exposing complex functionality like pinch-and-zoom in a more direct way.
- The Device RAM API is now available, exposing the amount of RAM on a user’s device to sites to optimize overall performance of a web application.
- When navigating from an installed web app to a site outside the initial web app’s scope, the new site now automatically loads in a Custom Chrome Tab.
- For video using native controls, Chrome will now automatically expand video to fullscreen when a user rotates their device in an orientation that matches a video playing on the screen.
- nextHopProtocol is now available in Resource Timing and Navigation Timing, providing access to the network protocol used to fetch a resource.
- Sites can now require embedded third-party content to enforce a given Content Security Policy via the new csp attribute on <iframe> elements.
- The DOMTokenList interface now supports replace() to easily change all identical tokens to a new one, such as active to inactive on expiration.
- To access a list of attribute names of an element, getAttributeNames() is now supported and gives developers a more direct mechanism than going through the attributes collection.
- Sites can now access an estimate for the disk space used by a given origin and quota in bytes via the Storage API’s new navigator.storage.estimate() function.
- To improve the browser’s cache hit rate, URLSearchParams now supports sort() to list all stored name-value pairs.
- The URLSearchParams constructor has been updated to accept any object as a parameter instead of only other URLSearchParams instances.
- To prevent the use of mis-issued certificates from going unnoticed, sites can use the new Expect-CT HTTP header which will enable automated reporting and/or enforcement of Certificate Transparency requirements.
- Chrome will no longer decode frames for videos using Media Source in background tabs.
- “Non-Live” camera settings such as photo resolution, red eye reduction, and flash mode can now be retrieved with ImageCapture.getPhotoSettings().
- Sites can now use the Clear-Site-Data header to delete their own client-side data, such as cookies, service workers, storage, and cache entries.
For what’s new in the browser’s DevTools, check out the release notes.
Chrome 61 also implements 22 security fixes. The following ones were found by external researchers:
- [$5000]High CVE-2017-5111: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-06-27
- [$5000]High CVE-2017-5112: Heap buffer overflow in WebGL. Reported by Tobias Klein (www.trapkit.de) on 2017-07-10
- [$5000]High CVE-2017-5113: Heap buffer overflow in Skia. Reported by Anonymous on 2017-07-20
- [$3500]High CVE-2017-5114: Memory lifecycle issue in PDFium. Reported by Ke Liu of Tencent’s Xuanwu LAB on 2017-08-07
- [$3000]High CVE-2017-5115: Type confusion in V8. Reported by Marco Giovannini on 2017-07-17
- [$TBD]High CVE-2017-5116: Type confusion in V8. Reported by Anonymous on 2017-08-28
- [$1000]Medium CVE-2017-5117: Use of uninitialized value in Skia. Reported by Tobias Klein (www.trapkit.de) on 2017-07-04
- [$1000]Medium CVE-2017-5118: Bypass of Content Security Policy in Blink. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-07-24
- [$N/A]Medium CVE-2017-5119: Use of uninitialized value in Skia. Reported by Anonymous on 2017-05-22
- [$N/A]Low CVE-2017-5120: Potential HTTPS downgrade during redirect navigation. Reported by Xiaoyin Liu (@general_nfs) on 2017-05-05
-  Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $23,500 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
Speaking of security, this release also removes trust in WoSign and StartCom certificates. Back in Octobeer 2016, Google unveiled its plan for the process, starting with only trusting certificates issued prior to October 21 2016 in Chrome 56, restricting trust to a set of whitelisted hostnames based on the Alexa Top 1 milion, and then reducing the size of the whitelist over the course of several Chrome releases. In Chrome 61, the whitelist has been removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued.
Google releases a new version of its browser every six weeks or so. Chrome 62 will arrive by mid October.