Google today launched Chrome 70 for Windows, Mac, and Linux. The release includes an option to disable linking Google site and Chrome sign-ins, Progressive Web Apps on Windows, the ability for users to restrict extensions’ access to a custom list of sites, an AV1 decoder, and plenty more. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.

With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often must make an effort to stay on top of everything available — as well as what has been deprecated or removed.

Fixing Chrome sign-in

The biggest change in this release is probably one where Google is backpedaling. In Chrome 69, Google tried to “simplify” how it handles Google site sign-ins by also signing you into Chrome with the same account. If you sign out, whether from Chrome or from any Google site, you’re signed out of both.

This led to a massive outcry from Chrome users, at least in part because there was concern that the change meant Chrome sync was turned on. While that wasn’t the case (you still had to turn on syncing of data like browsing history, passwords, and bookmarks to make it available on other devices), many still didn’t appreciate Google automatically signing them into Chrome just because they were signed into a Google site.

Chrome 70 thus makes three changes:

An option that allows users to turn off linking web-based sign-in with browser-based sign-in. If you disable this feature, signing into a Google site will not sign you into Chrome.

An update to the user interface to better communicate a user’s sync state.

Instead of keeping the Google auth cookies to allow you to stay signed in after cookies are cleared, as Chrome 69 does, the browser will once again delete all cookies.

Sadly, Google still doesn’t get it. All three changes are certainly an improvement, but the first doesn’t address the main problem: The automatic sign-in is still on by default. Chrome users should not have to opt out of automatic sign-in if they use Google sites, but instead opt in if they want the functionality.

PWAs on Windows and AV1 decoder

In addition to trying to fix what it broke, Google has added a slew of new features in Chrome 70. The browser now supports Progressive Web Apps (PWAs) on Windows. These apps can launch from the Start menu, and run like all other installed apps (without an address bar or tabs). Google killed off Chrome apps earlier this year and is now focusing on PWAs instead.

If you’re a developer, you should check out the standard PWA criteria that Chrome will check. If your PWA passes, Chrome will fire the beforeinstallprompt event; you can save that event and later call prompt() on it to show the install prompt.

AV1 is a royalty-free codec developed by the Alliance for Open Media. AV1 improves compression efficiency by more than 30 percent over the codec VP9, which it is meant to succeed.

Chrome 70 adds an AV1 decoder (no encoding capabilities are included) with MP4 as the supported container (ISO-BMFF). You can try it out yourself by going to YouTube’s TestTube page, selecting “Prefer AV1 for SD” or “Always Prefer AV1,” and playing clips from the AV1 Beta Launch Playlist. If you right-click the video and select “Stats for nerds,” you should see that the codec is av01.

Android and iOS

Chrome 70 for Android isn’t out quite yet, but it should arrive soon over on Google Play. Chrome 70 for iOS meanwhile is available on Apple’s App Store, but the changelog isn’t anything too extensive:

Bug fixes and design polish for the redesign.

Updates to how Chrome launches other apps to improve reliability and security.

Fixes to authentication issues caused by using out-of-date cookies. Let us know if you encounter any issues with signing in to or out of websites.

Security fixes and improvements

As promised, Google is cracking down on extensions. Chrome 70 lets users restrict extension host access to a custom list of sites or to configure extensions to require a click for access to the current page.

Host permissions, which allow extensions to automatically read and change data on websites, enable various powerful and creative use cases, but Google says they have also led to a broad range of malicious and unintentional misuses. In later Chrome releases, Google plans to further tweak how its browser handles the user experience around host permissions. If your extension requests host permissions, you should check out the transition guide and make any necessary changes over the next two weeks.
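
One way an extension can stop assuming blanket host access and instead check for, then request, a single origin at the moment it is needed. This is an added example, not code from Google or the transition guide; the function names are hypothetical, and it assumes a Manifest V2 extension with the origin declared under optional_permissions and that permissions.contains() reflects the access the user has currently granted.

```javascript
// Added example, not code from Chrome or the article. Assumes a Manifest V2
// extension that lists the origins under "optional_permissions"; `chromeApi`
// is the extension's global `chrome`, passed in so a fake can stand in for it.

// Reduce a page URL to the narrowest origin match pattern worth asking for.
function originPattern(pageUrl) {
  const u = new URL(pageUrl);
  // Only web origins are handled here; every other scheme is refused.
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return `${u.protocol}//${u.hostname}/*`;
}

// Resolves to true only if the extension currently holds access to pageUrl.
function hasHostAccess(chromeApi, pageUrl) {
  const pattern = originPattern(pageUrl);
  if (!pattern) return Promise.resolve(false);
  return new Promise((resolve) =>
    chromeApi.permissions.contains({ origins: [pattern] }, resolve));
}

// Call from a click handler: permissions.request() requires a user gesture.
async function ensureHostAccess(chromeApi, pageUrl) {
  const pattern = originPattern(pageUrl);
  if (!pattern) return "unsupported-scheme";
  if (await hasHostAccess(chromeApi, pageUrl)) return "already-granted";
  const granted = await new Promise((resolve) =>
    chromeApi.permissions.request({ origins: [pattern] }, resolve));
  // On "denied", fall back to reduced functionality rather than re-prompting.
  return granted ? "granted" : "denied";
}
```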

Chrome 70 also continues Google’s war on HTTP sites.

HTTPS is a more secure version of the HTTP protocol used on the internet to connect users to websites. Secure connections are widely considered a necessary measure to decrease the risk of users being vulnerable to content injection (which can result in eavesdropping, man-in-the-middle attacks, and other data modification). Data is kept secure from third parties, and users can be more confident they are communicating with the correct website.

Google has been pushing the web to HTTPS for years, but it accelerated those efforts last year by making changes to Chrome’s user interface. Chrome 56, released in January 2017, started marking HTTP pages that collect passwords or credit cards as “Not secure.” Chrome 62, released in October 2017, started marking HTTP sites with entered data and all HTTP sites viewed in Incognito mode as “Not secure.” Chrome 68, released in July, marks all HTTP sites as “Not secure” right in the address bar, and Chrome 69, released in September, removed the “Secure” wording from HTTPS sites.

Now, with the release of Chrome 70, HTTP sites will show a red “Not secure” warning when users enter data.

The plan was always to mark all HTTP sites as “Not secure.” Eventually, Google will change the icon beside the “Not secure” label and make the text red to further emphasize you should not trust HTTP sites.

Chrome 70 also implements 23 security fixes. The following were found by external researchers:

[$N/A][888926] High CVE-2018-17462: Sandbox escape in AppCache. Reported by Ned Williamson and Niklas Baumstark working with Beyond Security’s SecuriTeam Secure Disclosure program on 2018-09-25

[$N/A][888923] High CVE-2018-17463: Remote code execution in V8. Reported by Ned Williamson and Niklas Baumstark working with Beyond Security’s SecuriTeam Secure Disclosure program on 2018-09-25

[$3500][872189] High CVE to be assigned: Heap buffer overflow in Little CMS in PDFium. Reported by Quang Nguyễn (@quangnh89) of Viettel Cyber Security on 2018-08-08

[$3000][887273] High CVE-2018-17464: URL spoof in Omnibox. Reported by xisigr of Tencent’s Xuanwu Lab on 2018-09-20

[$3000][870226] High CVE-2018-17465: Use after free in V8. Reported by Lin Zuojian on 2018-08-02

[$1000][880906] High CVE-2018-17466: Memory corruption in Angle. Reported by Omair on 2018-09-05

[$3000][844881] Medium CVE-2018-17467: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-05-19

[$2000][876822] Medium CVE-2018-17468: Cross-origin URL disclosure in Blink. Reported by James Lee (@Windowsrcer) of Kryptos Logic on 2018-08-22

[$1000][880675] Medium CVE-2018-17469: Heap buffer overflow in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-09-05

[$1000][877874] Medium CVE-2018-17470: Memory corruption in GPU Internals. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-08-27

[$1000][873080] Medium CVE-2018-17471: Security UI occlusion in full screen mode. Reported by Lnyas Zhang on 2018-08-10

[$1000][822518] Medium CVE-2018-17472: iframe sandbox escape on iOS. Reported by Jun Kokatsu (@shhnjk) on 2018-03-16

[$500][882078] Medium CVE-2018-17473: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-09-08

[$500][843151] Medium CVE-2018-17474: Use after free in Blink. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-05-15

[$500][852634] Low CVE-2018-17475: URL spoof in Omnibox. Reported by Vladimir Metnew on 2018-06-14

[$500][812769] Low CVE-2018-17476: Security UI occlusion in full screen mode. Reported by Khalil Zhani on 2018-02-15

[$500][805496] Low CVE-2018-5179: Lack of limits on update() in ServiceWorker. Reported by Yannic Bonenberger on 2018-01-24

[$N/A][863703] Low CVE-2018-17477: UI spoof in Extensions. Reported by Aaron Muir Hamilton <aaron@correspondwith.me> on 2018-07-14

[895893] Various fixes from internal audits, fuzzing and other initiatives

Google thus spent at least $22,000 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.

Developer features

Chrome 70 implements the Shape Detection API (available through a Chrome origin trial), which lets developers identify faces, barcodes, and text in images “without the use of a performance-killing library.” The API really consists of three APIs: a Face Detection API, a Barcode Detection API, and a Text Detection API. Given an image bitmap or a blob, the Face Detection API returns the location of faces and the locations of eyes, noses, and mouths within those faces (you can limit the number of returned faces and prioritize speed over performance). The Barcode Detection API decodes barcodes and QR codes into strings (anything from a single set of digits to multi-line text). The Text Detection API reads Latin-1 text (as per iso8859-1) in images.

The Web Authentication API now enables macOS’ TouchID and Android’s fingerprint sensor by default. These allow developers to access biometric authenticators through the Credential Management API’s PublicKeyCredential type.
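
A registration call that asks specifically for the built-in biometric authenticator described above, added here as an example and not taken from Chrome or the original article. The function names, relying-party values and the fixed timeout are assumptions, and the challenge is expected to be generated by your server.

```javascript
// Added example, not code from Chrome or the article. Relying-party and user
// fields are assumptions supplied by the caller; the challenge must be fresh
// random bytes issued by the server for this one registration.
function buildPlatformRegistrationOptions({ rpId, rpName, userId, userName, challenge }) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new TypeError("challenge must be at least 16 random bytes from the server");
  }
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // -7 is ES256 in COSE
      authenticatorSelection: {
        authenticatorAttachment: "platform", // built-in sensor, not a roaming key
        userVerification: "required",        // insist on the biometric or PIN check
      },
      attestation: "none",
      timeout: 60000,
    },
  };
}

// `env` defaults to the page's globals; a fake can be passed in for testing.
async function registerWithPlatformAuthenticator(params, env = globalThis) {
  const PKC = env.PublicKeyCredential;
  const creds = env.navigator && env.navigator.credentials;
  if (!PKC || !creds) return { ok: false, reason: "webauthn-unsupported" };
  // Feature-detect the sensor first so the UI can offer a password fallback.
  if (!(await PKC.isUserVerifyingPlatformAuthenticatorAvailable())) {
    return { ok: false, reason: "no-platform-authenticator" };
  }
  const credential = await creds.create(buildPlatformRegistrationOptions(params));
  // The server must verify the challenge and origin in credential.response.
  return { ok: true, credential };
}
```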

Chrome 70 updates the V8 JavaScript engine to version 7.0. It includes embedded builtins on more platforms, a preview of WebAssembly Threads, and new JavaScript language features. Check out the full list of changes for more information.

Other developer features in this release include:

For a full rundown of what’s new, check out the Chrome 70 milestone hotlist.

Google releases a new version of its browser every six weeks or so. Chrome 71 will arrive by early December.