Google released earlier today version 62 of its Chrome browser that comes with quite a few new features but also fixes for 35 security issues.

The most interesting new features are support for OpenType variable fonts, the full release of the Network Quality Estimator API, the ability to capture and stream DOM elements, and HTTP warnings for the browser's Normal and Incognito mode.

OpenType variable fonts

While for most users this wouldn't seem like a big deal, the most important new feature added in Chrome 62 is support for OpenType variable fonts.

Until now, web developers had to load multiple font families whenever they wanted variations on a font family. For example, a developer using the Open Sans font family on a site who wanted a font variation such as Regular, Bold, Black, Normal, Condensed, Expanded, Highlight, Slab, Heavy, Dashed, or another had to load a different font file for each.

OpenType variable fonts allow font makers to merge all these font family variations in one file that developers can use on their site and control via CSS. This results in fewer files loaded on a website, saving bandwidth and improving page load times.

HTTP warnings for Normal and Incognito mode

Announced earlier in April, starting with Chrome 62, Google will add a "Not secure" marker under certain conditions in Chrome's Normal and Incognito modes. Google's plan includes two major changes.

The first is how Chrome marks HTTP pages in the default browsing mode. Until now, Chrome labeled HTTP pages as "Not secure" when there was a form field present on the page for entering payment card or password information. This change was added in Chrome in January, with the release of version 56.

Starting today, Chrome 62 will mark any HTTP page as "Not secure" if the user is entering data in any kind of field, be it a search field or a simple numeric input.

The second major change is in Incognito mode. Google says that all HTTP pages will be marked as "Not secure" starting with Chrome 62. This labeling will happen regardless of whether there's a form field on the page.
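The labeling rules above, modeled as an added example (not Chrome's code and not part of the original article) that a site owner could run over a page inventory to see which pages will carry the marker. The regex-based field detection, the function names and the `shop.example` pages are assumptions constructed for illustration.

```javascript
// Added example: models the labeling rules in this article; not Chrome's own code.
// Field detection is a simplified regex heuristic (assumption) for a first-pass audit.
const INPUT_TAG = /<input\b[^>]*>/gi;
const NON_ENTRY = /\btype\s*=\s*["']?(hidden|submit|button|reset|image|checkbox|radio|file)\b/i;
const SENSITIVE = /\b(type\s*=\s*["']?password|autocomplete\s*=\s*["']?cc-)/i;

function scanFields(html) {
  const entry = (html.match(INPUT_TAG) || []).filter((tag) => !NON_ENTRY.test(tag));
  return {
    anyEntryField: entry.length > 0 || /<textarea\b/i.test(html),
    sensitiveField: entry.some((tag) => SENSITIVE.test(tag)),
  };
}

// When does "Not secure" appear? "always", "on-input" (once the user types), or "never".
function notSecureTrigger(url, html, { chromeVersion, incognito = false }) {
  if (new URL(url).protocol !== "http:") return "never"; // the rules cover HTTP pages only
  const { anyEntryField, sensitiveField } = scanFields(html);
  if (chromeVersion >= 62 && incognito) return "always";       // every HTTP page in Incognito
  if (chromeVersion >= 56 && sensitiveField) return "always";  // password or card field present
  if (chromeVersion >= 62 && anyEntryField) return "on-input"; // any field, once data is entered
  return "never";
}

// Constructed sample inventory (hypothetical site).
const PAGES = [
  { url: "http://shop.example/login", html: '<form><input type="password" name="pw"></form>' },
  { url: "http://shop.example/search", html: '<form><input type="search" name="q"></form>' },
  { url: "http://shop.example/about", html: "<p>About us</p><input type=hidden name=t>" },
  { url: "https://shop.example/pay", html: '<input autocomplete="cc-number">' },
];

function audit(pages, opts) {
  return pages.map((p) => ({ url: p.url, trigger: notSecureTrigger(p.url, p.html, opts) }));
}

for (const [label, opts] of [
  ["Chrome 61", { chromeVersion: 61 }],
  ["Chrome 62", { chromeVersion: 62 }],
  ["Chrome 62 Incognito", { chromeVersion: 62, incognito: true }],
]) {
  console.log(label, audit(PAGES, opts).map((r) => `${r.url} => ${r.trigger}`));
}
```

Pages that report "on-input" or "always" are the ones to move to HTTPS first.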

Network Quality Estimator & Media Capture from DOM APIs

Two other features that will interest mostly developers are the Network Quality Estimator and the Media Capture from DOM Elements APIs.

As the name hints, the first grants developers access to network speed and performance metrics, information that some websites may use to adapt video streams, audio quality, or deliver low-fi versions of their sites.

Developers can use the second API — the Media Capture from DOM Elements — to record videos of how page sections behave during interaction and stream the content over WebRTC. This latter API could be useful for developers debugging a page, but also for support teams that want to see what's happening on the user's side.

Other features

Deprecations and interoperability improvements

Following an update to native button appearance on macOS, the appearance of <input> buttons and the <button> element have been similarly changed, affecting the default values for the background-color, border, border-radius, and padding CSS properties.

The ability to request permission to show notifications has been removed over HTTP connections and within cross-origin iframes, in line with our policy on restricting powerful features to only HTTPS.

To increase accuracy and ensure that users receive content in the language they expect, base language is now added immediately after language+region when generating accept-language headers from language settings.

To improve UX and browser consistency, transitional mouse events will now be dispatched, and hover states will now be updated more quickly after the intended layout has been modified.

OfflineAudioContext now accepts a dictionary argument, in addition to the existing constructor that takes three separate arguments.

In line with other browsers, the getStreamById method on RTCPeerConnection has now been removed.

SharedWorker.workerStart has been removed, following its deprecation and removal from other major browsers.

To better conform to spec, the default value of <ol>.start has been set to 1.

Security fixes

- High - CVE-2017-5124: UXSS with MHTML. Reported by Anonymous on 2017-09-07 [$7500+$1337][762930]

- High - CVE-2017-5125: Heap overflow in Skia. Reported by Anonymous on 2017-07-26 [$5000][749147]

- High - CVE-2017-5126: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-08-30 [$3000][760455]

- High - CVE-2017-5127: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-14 [$3000][765384]

- High - CVE-2017-5128: Heap overflow in WebGL. Reported by Omair on 2017-09-14 [$3000][765469]

- High - CVE-2017-5129: Use after free in WebAudio. Reported by Omair on 2017-09-15 [$3000][765495]

- High - CVE-2017-5132: Incorrect stack manipulation in WebAssembly. Reported by Gaurav Dewan (@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-05-05 [$3000][718858]

- High - CVE-2017-5130: Heap overflow in libxml2. Reported by Pranjal Jumde (@pjumde) on 2017-05-14 [$N/A][722079]

- Medium - CVE-2017-5131: Out of bounds write in Skia. Reported by Anonymous on 2017-07-16 [$5000][744109]

- Medium - CVE-2017-5133: Out of bounds write in Skia. Reported by Aleksandar Nikolic of Cisco Talos on 2017-09-05 [$2000][762106]

- Medium - CVE-2017-15386: UI spoofing in Blink. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-08-03 [$1000][752003]

- Medium - CVE-2017-15387: Content security bypass. Reported by Jun Kokatsu (@shhnjk) on 2017-08-16 [$1000][756040]

- Medium - CVE-2017-15388: Out of bounds read in Skia. Reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-08-17 [$1000][756563]

- Medium - CVE-2017-15389: URL spoofing in OmniBox. Reported by xisigr of Tencent's Xuanwu Lab on 2017-07-06 [$500][739621]

- Medium - CVE-2017-15390: URL spoofing in OmniBox. Reported by Haosheng Wang (@gnehsoah) on 2017-07-28 [$500][750239]

- Low - CVE-2017-15391: Extension limitation bypass in Extensions. Reported by João Lucas Melo Brasio (whitehathackers.com.br) on 2016-03-28 [$500][598265]

- Low - CVE-2017-15392: Incorrect registry key handling in PlatformIntegration. Reported by Xiaoyin Liu (@general_nfs) on 2017-04-22 [$N/A][714401]

- Low - CVE-2017-15393: Referrer leak in Devtools. Reported by Svyat Mitin on 2017-06-13 [$N/A][732751]

- Low - CVE-2017-15394: URL spoofing in extensions UI. Reported by Sam @sudosammy on 2017-07-18 [$N/A][745580]

- Low - CVE-2017-15395: Null pointer dereference in ImageCapture. Reported by johberlvi@ on 2017-08-28 [$N/A][759457]