Chrome 61 Arrives With JavaScript Modules, WebUSB Support

The latest version of Google Chrome has launched, bringing a host of new developer features like JavaScript modules and WebUSB support. An anonymous Slashdot reader shares a report from VentureBeat: Google has launched Chrome 61 for Windows, Mac, and Linux. Additions in this release include JavaScript modules and WebUSB support, among other developer features. You can update to the latest version now using the browser's built-in silent updater or download it directly from google.com/chrome. Google also released Chrome 61 for Android today. In addition to performance and stability fixes, you can expect two new features: Translate pages with a more compact toolbar and pick images with an improved image picker.

Chrome now supports JavaScript modules natively via the new element, letting developers declare a script's dependencies. Modules are already popular in third-party build tools, which use them to bundle only the required scripts. Native support means the browser can fetch granular dependencies in parallel, taking advantage of caching, avoiding duplications across the page, and ensuring the script executes in the correct order, all without a build step. Google recommends these two blog posts for more information: ECMAScript modules in browsers and ES6 Modules in Depth. Speaking of JavaScript, Chrome 61 also upgrades the browser's V8 JavaScript engine to version 6.1. Developers can expect performance improvements and a binary size reduction. The WebUSB API meanwhile allows web apps to access user-permitted USB devices. This enables all the functionality provided by hardware peripherals such as keyboards, mice, printers, and gamepads, while still preserving the security guarantees of the web.

Re:

[arglebargle_xiv]

It's pretty straightforward, it means that it'll have the same security as the mass of malware, trojans, droppers, bots, and worms that have made the web what it is today.

Re:

[gweihir]

Indeed. But now it can hack your USB devices without hacking your computer or browser first. The sheer stupidity and arrogance expressed in this is staggering.

I wish this was at the beginning of the summary

[epyT-R]

while still preserving the security guarantees of the web.

I would've stopped reading right there.

WHAT THE FUCK?! I DO NOT WANT THIS SHIT!

[Anonymous Coward]

HOLY FUCK! I've read one of the articles, and it mentions some stuff that I find really, really, really fucking creepy.

The Network Information API is now available on desktop as well as Android, enabling sites to access the underlying connection information of a device.

HOLY FUCK! I don't want my browser to be able to give web sites access to that info!

The Device RAM API is now available, exposing the amount of RAM on a user’s device to sites to optimize overall performance of a web application.

HOLY FUCK! I don't want my browser to be able to give web sites access to that info!

Sites can now access an estimate for the disk space used by a given origin and quota in bytes via the Storage API’s new navigator.storage.estimate() function.

HOLY FUCK! I don't want my browser to be able to give web sites access to that info!

Sites can now use the Clear-Site-Data header to delete their own client-side data, such as cookies, service workers, storage, and cache entries.

HOLY FUCK! I don't want my browser to be able to give web sites access to do that!

HOLY FUCK! I don't want this stuff!

Re:

[epyT-R]

Welcome to the future, comrade. It is time to goosestep your thoughts in line with proper Party etiquette.

Re:

[Anonymous Coward]

Let's not overreact.

Allowing sites to clear their own site data is totally fine. It allows them to just do it all at once instead of having to go through and erase everything individually, or more likely, just clear their login cookie. This is a plus.

Estimating the amount of storage used by their stored data is equally good. Especially since there are limits to it. If you don't like stored data at all, so be it, but this makes it better, not worse.

Network information api is probably harmless. Sites already

Re:

[Anonymous Coward]

Estimating the amount of storage used by their stored data is equally good.

No. The amount of space varies by client from 2MB to 10MB, if I recall correctly. Let's say that I want to track you: I have the client allocate a random amount of garbage data within 1MB of that space, and then I never touch that data again but still report back its size on each pageload. That gives me another fingerprint to let me identify you even if you block cookies. You might know to delete your caches and storage from time to time, but you might not.

The network interface api doesn't seem too bad -

Re:

[KingMotley]

Why would you even bother? If you give access to the storage API, just generate a GUID and store that for retrieval on each subsequent hit. It's a much better beacon than what you proposed.

Re:

[Billly Gates]

If the article replaced Chrome with IE I doubt you would be saying this.

Hell everyone here would be freaking out and talking about how their jobs would be on the line with new ransomware or subverting standards in JavaScript.

But it's ok to relax because Google is cool. I saw a similar attitude with Apple here turn of the century. Apple was Soo open to standards and would never be abusive +5 rating etc. We saw what happened.

Just click No

[tepples]

HOLY FUCK! I don't want my browser to be able to give web sites access to that info!

Then click No when the browser asks you if a particular origin should be able to use a particular API. Depending on localization decisions made before launch, the No button may be labeled Deny or Block or Don't Allow.

Use a competitor

[tepples]

you say "disagree" and maps closes.

If Google Maps requires surveillance of users' locations at all times as a condition of use, and you disagree with this surveillance, try this: Close Google Maps, use a competitor [wikipedia.org], recommend a competitor to your friends, and explain on your blog why you use a competitor.

Re:

[Billly Gates]

Yeah it's not an ad can't click allow for you

If an ad can click Allow, it's a serious bug

[tepples]

Permission requests are presented through a UI element presented by the web browser, which floats over the HTML document and (at least in Firefox) partially extends into the location bar. A script in an advertisement being able to activate this is considered a serious security defect in the browser, which browser makers promise to fix as soon as discovered.

Re:

[Billly Gates]

Last I checked javascript can take over the cursor. If the hacker knows where the dialog box is it can insert alt tab and click ok or move the mouse cursor over to allow itself.

Re:

[tepples]

Last I checked javascript can take over the cursor.

I assume you're referring to the pointer lock API [mozilla.org]. Running the linked demo of the pointer lock API [github.io] doesn't engage until the user makes a gesture on the playfield, and then it shows a pop-up notification that a particular origin has control of the mouse pointer. This notification states the domain with control and that the user can press the Esc key to end pointer lock. And when pointer lock ends, the pointer is in the same position it was when pointer lock began.

Re:

[Billly Gates]

Actually Tepples I take back my other post as I just thought of something. Since Chrome allows memory access why can't a hacker just insert the enabled = true directly into the ram to install other software?

Yes it is a secure flaw which IS WHY NO BROWSER SHOULD access javascript sessions in other tabs (hence why I stopped using Firefox as it just this year caught up to 2009) or use memory. Sure you can try to patch a particular flaw but the very feature eliminates the sandbox in lowrights mode in %appdata.

I

Re:

[tepples]

Since Chrome allows memory access

To which API are you referring? Google chrome javascript memory access returned nothing relevant. There is chrome.system.memory [chrome.com], but that's available only in extensions that declare the system.memory permission, not to scripts in an HTML document. Or are you referring to rowhammer?

Re:Just click No

[AmiMoJo]

I just tried the Network Information API sample on Chrome for Android (https://googlechrome.github.io/samples/network-information/).

No permission request, it was enabled by default and there does not seem to be a way to disable it. It knew I was on cellular and that the downlink speed was 3.6Mb/sec (optimistic but basically correct).

As the AC said, HOLY FUCK.

Re:

[Waccoon]

Is this another one of those illusions of control where, "you can always opt-out, unless you can't for some unexplainable (or inconvenient) reason."

Re:

[tepples]

If a site offers a stark white page, visit it's competitor that offers something other than a stark white page, such as a static (HTML+CSS only) document or a native application for Windows or Wine.

Re:WHAT THE FUCK?! I DO NOT WANT THIS SHIT!

[blindseer]

Wait until the next version, added features will allow Chrome to:
- Erase the presets on your car stereo
- Leave the toilet seat up
- Drop cigarette butts on your front stoop
- Spit in your orange juice
- Fart in the elevator
- Put sugar in your gas tank
- Mismatch your socks
- Implement the blink tag

Re:

[cordovaCon83]

Now implementing the blink tag, that's just too far!

Re: WHAT THE FUCK?! I DO NOT WANT THIS SHIT!

[tigersha]

Now if Chrome will leave the toilet seat down my wife will be all for it and then I would have to install it on her machine.

Re:

[Billly Gates]

Now just give it a decent editor and init boot config and you have a full SystemD competitor and OS as well.

security guarantees

[zlives]

you mean a zero day to follow ?!!
you mean unintentional (wink) programming flaws that leak user info?

i guess me and the other 5 people on the planet still worried about security will not be installing it. good luck the world.

Re:

[Anonymous Coward]

Nope. I also don't inspect and sniff every bit of food i put in my mouth for pathogens. Just the food that looks 'off' in some way or another.

This gives Chrome a delightful green hue that smells faintly of almonds and gym socks.

LibreJS

[tepples]

and you are even using the internet how? did you personally audit the code running on your machine line for line.

Some people use a Firefox ESR extension* called LibreJS [gnu.org]. It's similar to NoScript, except it automatically whitelists any script that it can verify as having complete corresponding source code available under a free software license. This preserves the user's ability to audit code that runs in the browser's ESVM [gnu.org].

* I refer to this as a "Firefox ESR extension" because it uses Jetpack, not WebExtensions.

Re:

[Dog-Cow]

All JS which executes in your browser has complete source available. The license doesn't matter in the slightest.

Transpiler result != source code

[tepples]

All JS which executes in your browser has complete source available.

Just because it has the same syntax as source code doesn't mean it's source code. A transpiled or minified ES program is not "the preferred form of the work for making modifications to it." That'd be like saying the assembly language output of a C++ compiler is source code because some people write programs in x86 or x86-64 assembly language.

Most sites do not use the default

[tepples]

by default JavaScript is delivered as source code.

Most major sites do not use this default scenario. Instead they send the program in minified form, which strips out meaningful variable names, meaningful function names, and comments, because the Gzip encoding of a minified script is smaller than the Gzip encoding of its source code.

Re: LibreJS

[tigersha]

WebASM will prett much eliminate that, unless you want to review assembler

It has a deny button

[tepples]

Scouts honour, we won't access your usb webcam - we leave that for the shady ad server companies?

I think the idea is that it follows the same permission pattern as WebRTC:
"shadyadnetwork.com wants to access your webcam" - "Deny"

Re:

[fibonacci8]

Somewhere in an event log "shadyadnetworked wanted access to your 3D printer" - "auto-granted via WebUSB settings"

Re:

[Gr8Apes]

I uninstalled Chrome back around 28. Even then, I only had it installed for support reasons. It's in a VM now, and that's where it will stay. I think your responses say there's more than 5 people in our group.

Re:

[zlives]

no no, its 5, we just like to post as multiple personas to confuse THEM :)

Nope.

[Gravis Zero]

This JavaScript bullshit has gone too far. It's features are already abused too much, this will just make things worse.

Re:

[Anonymous Coward]

This JavaScript bullshit has gone too far. It's features are already abused too much, this will just make things worse.

Maybe you will abuse it, as you're doing it with apostrophes.

Re:

[Eravnrekaree]

A good idea is to simply whitelist what sites you want to allow Javascript to be run in. Also, Javascript being interpreted, there's no excuse for having some sort of feature to put a "speed limit" on javascript and automatically disable javascript that uses too much CPU.

Javascript is critical and desirable in some sites, in particular messaging, office online applications and so on. If the browser didnt have Javascript, you would end up with Flash again, a lot of proprietary plugins, which are much worse,w

ECMAScript is JIT compiled

[tepples]

Javascript being interpreted

Major ECMAScript virtual machines (ESVMs) haven't been primarily interpretive for several years. All have JIT compilers nowadays.

If the browser didnt have Javascript, you would end up with Flash again

That or web applications would have instead been written as native applications that run outside the browser in the first place. This means an application would ship as a Windows installer, a macOS disk image, and if you're lucky a CentOS package and a Debian package. Or they'd be like the NES emulator Mesen: an executable for the CLR that runs on .NET Framework under Windows or o

Re:

[Anonymous Coward]

Also coming web serial port, web Firewire and web smoke signals.

"Sorry, not available for your platform."

[tepples]

Which stupid idiotic moron thought it was a good idea to allow USB access from a web browser ?

Somebody who was interested in a particular native application that interacted with a USB peripheral but felt disappointed after he discovered that it was exclusive to an operating system other than the one that his PC runs.

Re:

[gweihir]

These are people with a "can do" attitude and the skills to back that up. Unfortunately, these are also young and inexperienced people that vastly overestimate their own skills and that think it could never happen to them. To make matters worse, they are living inside the Google filter-bubble.

This is a catastrophe in the making.

Incidentally, read a few "scientific" publications by Google people to find out how utterly clueless they are about reality, all while thinking they are the greatest engineers ans s

Subtle moves towards mobile webapps again

[Anonymous Coward]

This is nothing more than another subtle move to try to push people towards web-apps (like palm-pre, mozilla phone (lol!), and other devices that failed miserably)

Nobody wants webapps. Nobody wants webapps on mobile. Stop trying to give us them because they'll always be shit.

Native apps work, and don't need a google connection.

Re:

[Anonymous Coward]

Native apps work, and don't need a google connection.

Well yeah, that's why Google thinks they're broken.

Google, trying to out-NSA the NSA.

Native apps are also OS-specific.

[tepples]

Native apps work

Only on one operating system. Good luck (legally) running a native app distributed as a .dmg on anything but a Mac.

Re:

[theweatherelectric]

Native apps are also OS-specific. Only on one operating system.

Nope. Windows runs Linux binaries [microsoft.com]. FreeBSD runs Linux binaries [freebsd.org]. Linux, BSD, and macOS run Windows binaries [winehq.org]. Windows 10 on ARM runs x86 Win32 binaries [msdn.com].

And that's not even mentioning of cross platform native applications. I use the same web browser and email client on all three operating systems I regularly use.

How are native applications only on one operating system again?

How practical is "Let 'em drink Wine"?

[tepples]

Native apps work

Only on one operating system. Good luck (legally) running a native app distributed as a .dmg on anything but a Mac.

Nope. Windows runs Linux binaries [microsoft.com]. FreeBSD runs Linux binaries [freebsd.org]. Linux, BSD, and macOS run Windows binaries [winehq.org]. Windows 10 on ARM runs x86 Win32 binaries [msdn.com].

Then what else runs macOS binaries? I thought this was clear from "distributed as a .dmg", as .dmg is the archive format commonly used to distribute macOS applications outside the Mac App Store.

So until a particular developer can scrape together the budget to produce multi-platform releases, is the solution to test in Windows and in Wine on either FreeBSD or GNU/Linux, distribute Windows binaries, and expect users of GNU/Linux, FreeBSD, and macOS to use Wine? If so, this strategy still misses mobile.

And that's not even mentioning of cross platform native applications. I use the same web browser and email client on all three operating systems I regularly use.

That's

Re:

[theweatherelectric]

That's because the Chrome and Firefox web browsers and the Thunderbird mail client have enough of a budget for multi-platform development and testing.

I use the same image editor [gimp.org] on all three platforms. I use the same network analyzer [wireshark.org] on all three platforms. I use the same video tools [ffmpeg.org] on all three platforms. I use the same office suite [libreoffice.org] on all three platforms. I use the same shell, the same command line tools, the same interpreters on all three platforms.

The claim that native applications equal only one operating system is plainly false. It's pointless trying to defend that position.

Projects not quite as popular as GIMP or LO

[tepples]

the Chrome and Firefox web browsers and the Thunderbird mail client have enough of a budget for multi-platform development and testing. A hobbyist or startup may not have enough financial resources to launch simultaneously on all native platforms.

I use the same image editor [gimp.org] on all three platforms. I use the same network analyzer [wireshark.org] on all three platforms. I use the same video tools [ffmpeg.org] on all three platforms. I use the same office suite [libreoffice.org] on all three platforms.

GIMP, WireShark, FFmpeg, and LibreOffice are well-known free software projects with enough of a labor budget for multi-platform development and testing. The 1- or 2-person team behind another native application you come across may not. What should the developer of an application that isn't quite as popular as GIMP, WireShark, FFmpeg, or LibreOffice do to lower the cost of multi-platform building and testing?

Re:

[theweatherelectric]

What should the developer of an application that isn't quite as popular as GIMP, WireShark, FFmpeg, or LibreOffice do to lower the cost of multi-platform building and testing?

Use Pascal [freepascal.org].

Re:

[tepples]

What should the developer of an application that isn't quite as popular as GIMP, WireShark, FFmpeg, or LibreOffice do to lower the cost of multi-platform building and testing?

Use Pascal [freepascal.org].

Testing an application built in Free Pascal on a Mac still requires a Mac. Testing an application built in Free Pascal on Windows still requires a Windows license. Testing an application built in Free Pascal on GNU/Linux still requires either a PC with hardware compatible with GNU/Linux or enough RAM to run a VM, and laptop makers have tended to skimp on both. What's the preferred way for a 1- or 2-person development team to work around this?

Re:

[theweatherelectric]

What's the preferred way for a 1- or 2-person development team to work around this?

Pretty simple. It's a two step plan:

1. Buy a Mac.
2. Run Windows and Linux on it as well

Re:

[tepples]

This raises three questions.

1. First, is a new application generally expected to ship on Windows, GNU/Linux, and macOS simultaneously from day one?
2. Second, if a new application is expected to ship on Windows, GNU/Linux, and macOS simultaneously from day one, what's the preferred way for a 1- or 2-person development team operating as a bootstrapped startup whose staff currently own non-Mac computers to fund the purchase of a Mac before realizing any revenue?
3. Third, why is it desirable for the market that Apple ha

Re:

[theweatherelectric]

This raises three questions.

It doesn't raise any questions. It's a two step plan. Follow it.

Re:

[tepples]

Step 1 of the plan is "Buy a Mac." The second question is "How do I afford a Mac?"

Re:

[theweatherelectric]

The second question is "How do I afford a Mac?"

How do you afford any other computer? Do the same thing.

Re:

[tepples]

Someone who starts to develop software is likely to already own a non-Apple computer for other reasons. Affording what you already own is a no-op. And even if not, a non-Apple computer costs half the price of a Mac.

You'll end up with "GNU/Linux: Download RPM or DEB | Windows: Download MSI | Mac: Back our campaign".

Re:

[theweatherelectric]

You'll end up with "GNU/Linux: Download RPM or DEB | Windows: Download MSI | Mac: Back our campaign".

And yet, strangely, that never seems to happen. The world is full of cross platform software. Your tedious narrative designed to support your weak argument is simply not reflected in the real world. Your imagined costs aren't the barriers you would like them to be.

Re:

[tepples]

And yet, strangely, that never seems to happen.

"Never" is a strong word. I contend that the following is a counterexample: The application FamiTracker [famitracker.com] has no Mac port. It is made for Windows and works correctly in GNU/Linux under Wine.

The world is full of cross platform software.

I imagine that much of multi-platform software exists because the company that made it was large enough to afford the extra expense of a multi-platform release.

Re:

[tepples]

FamiTracker version 0.4.6 from famitracker.com works correctly under Wine. A fork called 0CC-FamiTracker 0.3.14.5 from hertzdevil.com does not, instead working only under Windows.

Re:

[tepples]

So, you are not asking about running the same software on all operating systems, you are asking specifically about running MAC software on all operating systems...

I was using Mac software as a counterexample to the implied claim that all PC operating systems can run software for all other PC operating systems through compatibility layers.

If a hobbyist or startup developer uses one operating system and doesn't yet have the money to acquire lawfully made copies of other operating systems or the hardware to run them or doesn't yet have the time to test thoroughly on other operating systems, what should he do to make his application available to users of other operating

Re:

[tepples]

With Java you don't need extra budget for multi-platform development and testing.

Provided your application doesn't need any native libraries called through JNI. If it does, you need to buy a Mac on which to test integration with the Mac version of each such library.

Re:

[tepples]

At this moment there is no way your web app be able to call native libs in client.

True, but if I tried, I could probably think of a few applications that require some WebWhatever functionality that exists in the HTML living standard but has no counterpart in the Java SE standard library.

Re:

[Fly Swatter]

I think they are just being honest. "We have as much security as the wide open internet." Hopefully systemd has a method for blocking USB device access to a specific application, in this case chrome.

Had to block chrome from using dbus because it kept the computer from sleeping even with a blank page open. Chrome is bad at cleaning up it's dbus power manager locks.

Re:

[gweihir]

You think systemd will save you? If I were religious, my prayers would be with you....

But I need WebBIOS

[Anonymous Coward]

I'm hoping that the next version of Chrome will allow web pages to automatically update my BIOS. It would be really useful for sysadmins and OEMs!

/sarcasm/

A new vector

[fibonacci8]

Counting down to the first malware strain that sends advertisements to a 3D printer via WebUSB without users intervention...

Re:

[mentil]

That's not a 3d printer, that's a teledildonics device!

Re:

[thegarbz]

I hope the first thing it prints is a giant penis.

Re:

[Billly Gates]

A life sized model of goatse man Johnson for the trolls op codes on web forums will be the newest rage

Re:

[gweihir]

Indeed. Also waiting for ransomware on devices like printers: "Pay $100, and you will get your original firmware back". On the plus side, research into setting devices on fire via software has lagged a bit in recent years. I think this will pick up again.

WTF, VentureBeat?

[Anonymous Coward]

issue 1) this was already available as of Chrome 60 (behind a flag)

issue 2) as of Chrome 62 (Canary), the modules were not (as yet) loading in the correct order.
The module loader still gets confused if the nesting is too deep (I have to manually order part of the loading).

issue 3) it's not a "new element". It is new attributes on the same old element.

Seriously, don't go with what VentureBeat says about anything technical. As if they would even have a clue.

Better browser

[sproketboy]

https://brave.com/ [brave.com]

Block autoplay HTML5 video

[Teckla]

Uh, yeah, thanks, Google...

But can you please build into Chrome a feature that allows users to block HTML5 video that autoplays?

Please?