Unless otherwise noted, changes described below apply to the newest Chrome Beta channel release for Android, Chrome OS, Linux, Mac, and Windows.









“Not Secure” warning for HTTP password and credit card pages









To help users browse safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Starting in version 56, Chrome will mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure. The feature will roll out gradually over the next few weeks.





To avoid being labeled insecure, sites should secure their traffic with HTTPS and follow general security guidelines .





Chrome ‘Not Secure’ warning appearing in the URL bar for a site with an HTTP connection





Web Bluetooth









An Android device connecting to a BLE-enabled heart rate monitor via the web ( source )





CSS position: sticky





Chrome now supports CSS position: sticky , a new way to position elements. A position: sticky element is relatively-positioned, but becomes position: fixed after the user reaches a certain scroll position.





Previously, building content headers that scrolled normally until sticking to the top of the viewport required listening to scroll events and switching an element’s position from relative to fixed at a specified threshold. This solution was difficult to synchronize, resulting in small visual jumps. Now, users can achieve the desired effect by simply positioning their elements as sticky .









Other features in this release

Showing and hiding the URL bar on mobile no longer resizes the initial containing block or elements sized with viewport units such as vh .

Text input elements such as <input type="text"> now have spell-checking enabled by default on Android devices with at least 512 MB of memory and a system dictionary.

The generic font family used to fit content within the UI has been standardized and renamed as system-ui on all platforms.

The new Referrer-Policy HTTP header allows sites to forward site traffic by URL without leaking the user’s session identifier or other private information.

KeyboardEvent.isComposing() allows sites to determine if the user is typing based on recent KeyboardEvents , without monitoring keyboard events directly.

Chrome for Android now sets the default preload attribute for videos to metadata on cellular connections, showing a preview image and time information to match other mobile browsers.

Chrome now supports TLS 1.3 and includes 1-RTT based on draft-18 .

Sites can use ImageBitmapRenderingContext to reduce memory consumption and compositing overhead by rendering pixel data in the form of an ImageBitmap .

Sites can respond to pinch gestures using the pinch-zoom CSS touch-action property.

ConstantSourceNode is a new audio source node that produces a constant output mixed with an AudioParam .

Two Web Audio ChannelSplitterNode Interface attributes are now read-only: channelCount , which is defined by numberOfOutputs in createChannelSplitter() , and channelCountMode , which is set to explicit.

PannerNode.rolloffFactor now clamps to the nominal range of a PannerNode’s distance model to describe the volume reduction rate as the source moves away from the listener.

window.prompt() will no longer focus its parent tab if the page is not currently in the foreground, and the dialog will be automatically dismissed.

To match behavior on Windows, Chrome Extensions can now override default search, startup, and homepage settings on Mac with the Chrome Settings Overrides API .

Support for FLAC is enabled within the FLAC and Ogg containers for the <audio> tag and decodeAudioData() .

OPUS can now be used with decodeAudioData() , expanding the variety of audio codecs supported by the WebAudio API .





Deprecations and interoperability improvements

The WebAudio API no longer includes the deprecated Doppler API, including speedOfSound , dopplerFactor , and setVelocity .

To improve standards conformance, RTCPeerConnection now accepts iceTransportPolicy as an RTCConfiguration parameter as well as iceTransports .

RTCPeerConnection is now available without a webkit prefix, though webkitRTCPeerConnection still remains.

Non-whitespace unicode control characters will now be rendered according to the specification , rather than being ignored.

The reflected-xss directive has been removed from Content Security Policy 2 since it was solely a wrapper for the X-XSS-Protection header and provided no additional functionality.

Support for the MediaStreamTrack.getSources() method has been removed in favor of MediaDevices.enumerateDevices() .

The CSP referrer directive is no longer supported in favor of the new Referrer-Policy header.

ShadowDOM’s slotchange events bubble, but no longer re-fires, at a slot 's assignedSlot .

Legacy CBC-mode ECDSA cipher suites ECDHE_ECDSA_WITH_AES_128_CBC_SHA and ECDHE_ECDSA_WITH_AES_256_CBC_SHA have been removed in favor of modern ciphers such as ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 .

ECDSA with both SHA-1 and SHA-512 have been removed to reduce dependencies on SHA-1 and align with TLS 1.3's new ECDSA handling.

Chrome no longer allows opening of pop-ups during inputs which represent a touch scroll, such as touchstart and touchmove .

Sites will no longer initiate fetches for scripts with invalid type or language attributes, such as type="python" , unless triggered by declarative fetches using link preload .

MIDIMessageEvent.receivedTime has been deprecated in favor of Event.timeStamp , since Event.timeStamp now supports high-resolution monotonic time instead of epoch time.



