Chrome 87 brings tab throttling, Occlusion Tracking on Windows, back/forward cache on Android

Google today launched Chrome 87 for Windows, Mac, Linux, Android, and iOS. “This month’s update represents the largest gain in Chrome performance in years,” the company declared. Chrome 87 brings tab throttling, Occlusion Tracking on Windows, back/forward cache on Android, Chrome Actions, and a slew of developer features. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.

With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers have to stay on top of everything available — as well as what has been deprecated or removed. Chrome 87, for example, deprecates support for FTP URLs for 50% of users, ramping up to 100% by Chrome 88.

Tab throttling, Occlusion Tracking, and back/forward cache

Chrome 87 actively manages your computer’s resources with tab throttling, occlusion tracking, and back/forward caching. All in all, the tabs you care about should be faster, but you’ll still be able to keep hundreds of tabs open so you can pick up where you left off.

Google found that JavaScript Timers represent more than 40% of the work in background tabs. Chrome now prevents background tabs from waking up your CPU too often and rendering tabs that you can’t see. Specifically, the browser throttles JavaScript timer wake-ups in background tabs to once per minute. This reduces CPU usage by up to 5x and extends battery life up to 1.25 hours, according to the team’s internal testing. Background features like playing music and getting notifications are unaffected.

Occlusion Tracking, which was previously added to Chrome OS and Mac, is now available on Windows. The feature allows Chrome to know which windows and tabs are visible to you and optimize resources for the tabs you are using, not the ones you’ve minimized. Chrome as a result is up to 25% faster to start up and 7% faster to load pages, all while using less memory.

Finally, back/forward cache is a browser optimization which enables instant back and forward navigations. On Chrome for Android, the cache will make 20% of back/forward navigations instant, though Google plans to increase this to 50% “through further improvements and developer outreach in the near future.”

Chrome Actions

Chrome 87 expands what you can do in the address bar with Chrome Actions. Think of the feature as a way to get something done faster with your keyboard.

When you type “edit passwords” or “delete history,” for example, you can now take action directly from Chrome’s address bar. The first set of Chrome Actions focus on privacy and security, but Google presumably plans to add more in the future.

Android and iOS

Chrome 87 for Android is rolling out slowly on Google Play. The changelog isn’t available yet — it merely states that “This release includes stability and performance improvements.” The aforementioned back/forward cache is likely the main feature in this release.

Chrome 87 for iOS hadn’t hit Apple’s App Store as of publication time, but it should soon.

Security fixes

Chrome 87 implements 33 security fixes. The following were found by external researchers:

• [$TBD][1136078] High CVE-2020-16018: Use after free in payments. Reported by Man Yue Mo of GitHub Security Lab on 2020-10-07
• [$TBD][1139408] High CVE-2020-16019: Inappropriate implementation in filesystem. Reported by Rory McNamara on 2020-10-16
• [$TBD][1139411] High CVE-2020-16020: Inappropriate implementation in cryptohome. Reported by Rory McNamara on 2020-10-16
• [$TBD][1139414] High CVE-2020-16021: Race in ImageBurner. Reported by Rory McNamara on 2020-10-16
• [$TBD][1145680] High CVE-2020-16022: Insufficient policy enforcement in networking. Reported by @SamyKamkar on 2020-11-04
• [$TBD][1146673] High CVE-2020-16015: Insufficient data validation in WASM. Reported by Rong Jian and Leecraso of 360 Alpha Lab on 2020-11-07
• [$TBD][1146675] High CVE-2020-16014: Use after free in PPAPI. Reported by Rong Jian and Leecraso of 360 Alpha Lab on 2020-11-07
• [$TBD][1146761] High CVE-2020-16023: Use after free in WebCodecs. Reported by Brendon Tiszka and David Manouchehri supporting the @eff on 2020-11-07
• [$NA][1147430] High CVE-2020-16024: Heap buffer overflow in UI. Reported by Sergei Glazunov of Google Project Zero on 2020-11-10
• [$NA][1147431] High CVE-2020-16025: Heap buffer overflow in clipboard. Reported by Sergei Glazunov of Google Project Zero on 2020-11-10
• [$7500][1139153] Medium CVE-2020-16026: Use after free in WebRTC. Reported by Jong-Gwon Kim (kkwon) on 2020-10-16
• [$5000][1116444] Medium CVE-2020-16027: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-08-14
• [$5000][1138446] Medium CVE-2020-16028: Heap buffer overflow in WebRTC. Reported by asnine on 2020-10-14
• [$3000][1134338] Medium CVE-2020-16029: Inappropriate implementation in PDFium. Reported by Anonymous on 2020-10-01
• [$3000][1141350] Medium CVE-2020-16030: Insufficient data validation in Blink. Reported by Michał Bentkowski of Securitum on 2020-10-22
• [$1000][945997] Medium CVE-2019-8075: Insufficient data validation in Flash. Reported by Nethanel Gelernter, Cyberpion (https://www.cyberpion.com) on 2019-03-26
• [$500][1133183] Medium CVE-2020-16031: Incorrect security UI in tab preview. Reported by wester0x01(https://twitter.com/wester0x01) on 2020-09-29
• [$500][1136714] Medium CVE-2020-16032: Incorrect security UI in sharing. Reported by wester0x01(https://twitter.com/wester0x01) on 2020-10-09
• [$500][1143057] Medium CVE-2020-16033: Incorrect security UI in WebUSB. Reported by Khalil Zhani on 2020-10-28
• [$TBD][1137362] Medium CVE-2020-16034: Inappropriate implementation in WebRTC. Reported by vvmute (Benjamin Petermaier) on 2020-10-12
• [$TBD][1139409] Medium CVE-2020-16035: Insufficient data validation in cros-disks. Reported by Rory McNamara on 2020-10-16
• [$5000][1088224] Low CVE-2020-16012: Side-channel information leakage in graphics. Reported by Aleksejs Popovs on 2020-05-30
• [$500][830808] Low CVE-2020-16036: Inappropriate implementation in cookies. Reported by Jun Kokatsu (@shhnjk) on 2018-04-09
• [1149434] Various fixes from internal audits, fuzzing, and other initiatives

Google thus spent at least $31,500‬ in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.

Developer features

Chrome 87 adds a WebAuthn tab in DevTools (More options => More tools => WebAuthn). As a result, it is now possible to test web authentication without specific devices. To learn how to use it, see the section in What’s New in DevTools (Chrome 87).

Camera pan, tilt, and zoom capabilities are now accessible to websites in Chrome 87. Developers can access them using media track constraints in MediaDevices.getUserMedia() and MediaStreamTrack.applyConstraints().

Chrome 87 also implements granular flow-relative features of the CSS Logical Properties and Values spec. What was once written with multiple CSS rules can now be written as one: logical layout enhancements with flow-relative shorthands.

Chrome offers Origin Trials, which let you try new features and provide feedback to the web standards community. Chrome 87 doesn’t have any new Origin Trials. Instead, one Origin Trial has been completed and is now enabled by default: The Cookie Store API exposes HTTP cookies to service workers and offers an asynchronous alternative to document.cookie.

As always, Chrome 87 includes the latest V8 JavaScript engine. V8 version 8.7 brings unsafe fast JavaScript calls and Atomics.waitAsync. Check out the full changelog for more information.

Other developer features in this release include:

• cross-origin isolation: Chrome will now use origin instead of site as agent cluster key for cross-origin isolated agent clusters. Mutation of document.domain is no longer supported for cross-origin isolated agent clusters. This change also introduces window.crossOriginIsolated, a boolean that indicates whether APIs that require cross-origin isolation are allowed to use it. Supporting APIs include SharedArrayBuffer (required for WebAssembly Threads), performance.measureMemory(), and JS Self-Profiling API.
• iframe attribute for limiting same-origin iframe document access: Adds the disallowdocumentaccess property to disallow cross-document scripting between iframes from the same origin in the same parent document. This also puts same-origin iframes in separate event loops.
• isInputPending(): Chrome has added a method called isInputPending(), accessible from navigator.scheduling, which can be called from long-running operations. You can find an example of the method’s use in the draft spec.
• Range Request Headers in Service Workers: Historically, range requests and services workers did not work well together, forcing developers to build work-arounds. Starting in Chrome 87, passing range requests through to the network from inside a service worker will “just work.”
• Streams API: transferable streams: Transferable streams now allows ReadableStream, WritableStream, and TransformStream objects to be passed as arguments to postMessage(). The streams APIs provide ubiquitous, interoperable primitives for creating, composing, and consuming streams of data. A natural thing to do with a stream is to pass it to a web worker. This provides a fluent primitive for offloading work to another thread. Offloading work onto a worker is important for a smooth user experience, but the ergonomics can be awkward. Transferable streams solve this problem for streams. Once the stream itself has been transferred, the data is transparently cloned in the background.
• Transition related event handlers: The ontransitionrun, ontransitionstart, and ontransitioncancel event handler attributes allow developers to add event listeners for 'transitionrun', 'transitionstart', and 'transitioncancel' events on elements, Document objects, and Window objects.
• WakeLockSentinel.released Attribute: The WakeLockSentinel object has a new property called released that indicates whether a sentinel has already been released. It defaults to false and changes to true when a release event is dispatched. The new attribute helps web developers know when locks are released so that they do not need to keep track of them manually.
• @font-face descriptors to override font metrics: New @font-face descriptors have been added to ascent-override, descent-override, and line-gap-override to override metrics of the font. This Improves interoperably across browsers and operating systems, so that the same font always looks the same on the same site, regardless of OS or browser. Additionally, it aligns metrics between two web fonts present simultaneously, but for different glyphs. Finally, it overrides font metrics for a fallback font to emulate a web font, to minimize cumulative layout shift.
• Text Decoration and Underline Properties: Chrome now supports several new text decoration and underline properties. These properties solve use cases where underlines are too close to the text baseline and ink-skipping triggers too early in a text run. These use cases solve problems caused by the launch of the text-decoration-skip-ink property. The new properties are text-decoration-thickness, text-underline-offset and a from-font keyword for text-underline-position.
• The quotes Property Supports the ‘auto’ Value: CSS2 allowed browsers to define the default value for the quotes property, which Chrome formerly followed. Chrome 87 now follows CSS Generated Content Module Level 3 in which the 'auto' keyword is the default value. That spec requires that a typographically appropriate value be used for quotes based on the content language of the element and/or its parent.

For a full rundown of what’s new, check out the Chrome 87 milestone hotlist.

Google releases a new version of its browser every six weeks or so. Chrome 88 will arrive in mid-January.