Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Chrome Communications Desktops (Apple) Java Network Operating Systems Software The Internet Windows Linux Technology

Chrome 61 Arrives With JavaScript Modules, WebUSB Support (venturebeat.com) 115

The latest version of Google Chrome has launched, bringing a host of new developer features like JavaScript modules and WebUSB support. An anonymous Slashdot reader shares a report from VentureBeat: Google has launched Chrome 61 for Windows, Mac, and Linux. Additions in this release include JavaScript modules and WebUSB support, among other developer features. You can update to the latest version now using the browser's built-in silent updater or download it directly from google.com/chrome. Google also released Chrome 61 for Android today. In addition to performance and stability fixes, you can expect two new features: Translate pages with a more compact toolbar and pick images with an improved image picker.

Chrome now supports JavaScript modules natively via the new element, letting developers declare a script's dependencies. Modules are already popular in third-party build tools, which use them to bundle only the required scripts. Native support means the browser can fetch granular dependencies in parallel, taking advantage of caching, avoiding duplications across the page, and ensuring the script executes in the correct order, all without a build step. Google recommends these two blog posts for more information: ECMAScript modules in browsers and ES6 Modules in Depth. Speaking of JavaScript, Chrome 61 also upgrades the browser's V8 JavaScript engine to version 6.1. Developers can expect performance improvements and a binary size reduction. The WebUSB API meanwhile allows web apps to access user-permitted USB devices. This enables all the functionality provided by hardware peripherals such as keyboards, mice, printers, and gamepads, while still preserving the security guarantees of the web.

This discussion has been archived. No new comments can be posted.

Chrome 61 Arrives With JavaScript Modules, WebUSB Support

Comments Filter:
  • by epyT-R ( 613989 ) on Wednesday September 06, 2017 @05:07PM (#55150247)

    while still preserving the security guarantees of the web.

    I would've stopped reading right there.

    • by Anonymous Coward on Wednesday September 06, 2017 @05:30PM (#55150357)

      HOLY FUCK! I've read one of the articles, and it mentions some stuff that I find really, really, really fucking creepy.

      The Network Information API is now available on desktop as well as Android, enabling sites to access the underlying connection information of a device.

      HOLY FUCK! I don't want my browser to be able to give web sites access to that info!

      The Device RAM API is now available, exposing the amount of RAM on a user’s device to sites to optimize overall performance of a web application.

      HOLY FUCK! I don't want my browser to be able to give web sites access to that info!

      Sites can now access an estimate for the disk space used by a given origin and quota in bytes via the Storage API’s new navigator.storage.estimate() function.

      HOLY FUCK! I don't want my browser to be able to give web sites access to that info!

      Sites can now use the Clear-Site-Data header to delete their own client-side data, such as cookies, service workers, storage, and cache entries.

      HOLY FUCK! I don't want my browser to be able to give web sites access to do that!

      HOLY FUCK! I don't want this stuff!

      • by epyT-R ( 613989 )

        Welcome to the future, comrade. It is time to goosestep your thoughts in line with proper Party etiquette.

      • by Anonymous Coward

        Let's not overreact.

        Allowing sites to clear their own site data is totally fine. It allows them to just do it all at once instead of having to go through and erase everything individually, or more likely, just clear their login cookie. This is a plus.

        Estimating the amount of storage used by their stored data is equally good. Especially since there are limits to it. If you don't like stored data at all, so be it, but this makes it better, not worse.

        Network information api is probably harmless. Sites already

        • by Anonymous Coward

          Estimating the amount of storage used by their stored data is equally good.

          No. The amount of space varies by client from 2MB to 10MB, if I recall correctly. Let's say that I want to track you: I have the client allocate a random amount of garbage data within 1MB of that space, and then I never touch that data again but still report back its size on each pageload. That gives me another fingerprint to let me identify you even if you block cookies. You might know to delete your caches and storage from time to time, but you might not.

          The network interface api doesn't seem too bad -

          • Why would you even bother? If you give access to the storage API, just generate a GUID and store that for retrieval on each subsequent hit. It's a much better beacon than what you proposed.

        • If the article replaced Chrome with IE I doubt you would be saying this.

          Hell everyone here would be freaking out and talking about how their jobs would be on the line with new ransomware or subverting standards in JavaScript.

          But it's ok to relax because Google is cool. I saw a similar attitude with Apple here turn of the century. Apple was Soo open to standards and would never be abusive +5 rating etc. We saw what happened.

      • Just click No (Score:5, Informative)

        by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Wednesday September 06, 2017 @07:04PM (#55150749) Homepage Journal

        HOLY FUCK! I don't want my browser to be able to give web sites access to that info!

        Then click No when the browser asks you if a particular origin should be able to use a particular API. Depending on localization decisions made before launch, the No button may be labeled Deny or Block or Don't Allow.

        • Yeah it's not an ad can't click allow for you

          • Permission requests are presented through a UI element presented by the web browser, which floats over the HTML document and (at least in Firefox) partially extends into the location bar. A script in an advertisement being able to activate this is considered a serious security defect in the browser, which browser makers promise to fix as soon as discovered.

            • Last I checked javascript can take over the cursor. If the hacker knows where the dialog box is it can insert alt tab and click ok or move the mouse cursor over to allow itself.

              • by tepples ( 727027 )

                Last I checked javascript can take over the cursor.

                I assume you're referring to the pointer lock API [mozilla.org]. Running the linked demo of the pointer lock API [github.io] doesn't engage until the user makes a gesture on the playfield, and then it shows a pop-up notification that a particular origin has control of the mouse pointer. This notification states the domain with control and that the user can press the Esc key to end pointer lock. And when pointer lock ends, the pointer is in the same position it was when pointer lock began.

            • Actually Tepples I take back my other post as I just thought of something. Since Chrome allows memory access why can't a hacker just insert the enabled = true directly into the ram to install other software?

              Yes it is a secure flaw which IS WHY NO BROWSER SHOULD access javascript sessions in other tabs (hence why I stopped using Firefox as it just this year caught up to 2009) or use memory. Sure you can try to patch a particular flaw but the very feature eliminates the sandbox in lowrights mode in %appdata.

              I

              • by tepples ( 727027 )

                Since Chrome allows memory access

                To which API are you referring? Google chrome javascript memory access returned nothing relevant. There is chrome.system.memory [chrome.com], but that's available only in extensions that declare the system.memory permission, not to scripts in an HTML document. Or are you referring to rowhammer?

        • Re:Just click No (Score:5, Informative)

          by AmiMoJo ( 196126 ) on Thursday September 07, 2017 @05:38AM (#55152335) Homepage Journal

          I just tried the Network Information API sample on Chrome for Android (https://googlechrome.github.io/samples/network-information/).

          No permission request, it was enabled by default and there does not seem to be a way to disable it. It knew I was on cellular and that the downlink speed was 3.6Mb/sec (optimistic but basically correct).

          As the AC said, HOLY FUCK.

        • Is this another one of those illusions of control where, "you can always opt-out, unless you can't for some unexplainable (or inconvenient) reason."
      • Wait until the next version, added features will allow Chrome to:
        - Erase the presets on your car stereo
        - Leave the toilet seat up
        - Drop cigarette butts on your front stoop
        - Spit in your orange juice
        - Fart in the elevator
        - Put sugar in your gas tank
        - Mismatch your socks
        - Implement the blink tag

      • Now just give it a decent editor and init boot config and you have a full SystemD competitor and OS as well.

  • by zlives ( 2009072 ) on Wednesday September 06, 2017 @05:12PM (#55150273)

    you mean a zero day to follow ?!!
    you mean unintentional (wink) programming flaws that leak user info?

    i guess me and the other 5 people on the planet still worried about security will not be installing it. good luck the world.

    • by Gr8Apes ( 679165 )
      I uninstalled Chrome back around 28. Even then, I only had it installed for support reasons. It's in a VM now, and that's where it will stay. I think your responses say there's more than 5 people in our group.
  • Nope. (Score:5, Insightful)

    by Gravis Zero ( 934156 ) on Wednesday September 06, 2017 @05:16PM (#55150285)

    This JavaScript bullshit has gone too far. It's features are already abused too much, this will just make things worse.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      This JavaScript bullshit has gone too far. It's features are already abused too much, this will just make things worse.

      Maybe you will abuse it, as you're doing it with apostrophes.

    • A good idea is to simply whitelist what sites you want to allow Javascript to be run in. Also, Javascript being interpreted, there's no excuse for having some sort of feature to put a "speed limit" on javascript and automatically disable javascript that uses too much CPU.

      Javascript is critical and desirable in some sites, in particular messaging, office online applications and so on. If the browser didnt have Javascript, you would end up with Flash again, a lot of proprietary plugins, which are much worse,w

      • Javascript being interpreted

        Major ECMAScript virtual machines (ESVMs) haven't been primarily interpretive for several years. All have JIT compilers nowadays.

        If the browser didnt have Javascript, you would end up with Flash again

        That or web applications would have instead been written as native applications that run outside the browser in the first place. This means an application would ship as a Windows installer, a macOS disk image, and if you're lucky a CentOS package and a Debian package. Or they'd be like the NES emulator Mesen: an executable for the CLR that runs on .NET Framework under Windows or o

  • by Anonymous Coward

    This is nothing more than another subtle move to try to push people towards web-apps (like palm-pre, mozilla phone (lol!), and other devices that failed miserably)

    Nobody wants webapps. Nobody wants webapps on mobile. Stop trying to give us them because they'll always be shit.

    Native apps work, and don't need a google connection.

    • by Anonymous Coward

      Native apps work, and don't need a google connection.

      Well yeah, that's why Google thinks they're broken.

      Google, trying to out-NSA the NSA.

    • Native apps work

      Only on one operating system. Good luck (legally) running a native app distributed as a .dmg on anything but a Mac.

      • Native apps are also OS-specific. Only on one operating system.

        Nope. Windows runs Linux binaries [microsoft.com]. FreeBSD runs Linux binaries [freebsd.org]. Linux, BSD, and macOS run Windows binaries [winehq.org]. Windows 10 on ARM runs x86 Win32 binaries [msdn.com].

        And that's not even mentioning of cross platform native applications. I use the same web browser and email client on all three operating systems I regularly use.

        How are native applications only on one operating system again?

        • Native apps work

          Only on one operating system. Good luck (legally) running a native app distributed as a .dmg on anything but a Mac.

          Nope. Windows runs Linux binaries [microsoft.com]. FreeBSD runs Linux binaries [freebsd.org]. Linux, BSD, and macOS run Windows binaries [winehq.org]. Windows 10 on ARM runs x86 Win32 binaries [msdn.com].

          Then what else runs macOS binaries? I thought this was clear from "distributed as a .dmg", as .dmg is the archive format commonly used to distribute macOS applications outside the Mac App Store.

          So until a particular developer can scrape together the budget to produce multi-platform releases, is the solution to test in Windows and in Wine on either FreeBSD or GNU/Linux, distribute Windows binaries, and expect users of GNU/Linux, FreeBSD, and macOS to use Wine? If so, this strategy still misses mobile.

          And that's not even mentioning of cross platform native applications. I use the same web browser and email client on all three operating systems I regularly use.

          That's

          • That's because the Chrome and Firefox web browsers and the Thunderbird mail client have enough of a budget for multi-platform development and testing.

            I use the same image editor [gimp.org] on all three platforms. I use the same network analyzer [wireshark.org] on all three platforms. I use the same video tools [ffmpeg.org] on all three platforms. I use the same office suite [libreoffice.org] on all three platforms. I use the same shell, the same command line tools, the same interpreters on all three platforms.

            The claim that native applications equal only one operating system is plainly false. It's pointless trying to defend that position.

            • the Chrome and Firefox web browsers and the Thunderbird mail client have enough of a budget for multi-platform development and testing. A hobbyist or startup may not have enough financial resources to launch simultaneously on all native platforms.

              I use the same image editor [gimp.org] on all three platforms. I use the same network analyzer [wireshark.org] on all three platforms. I use the same video tools [ffmpeg.org] on all three platforms. I use the same office suite [libreoffice.org] on all three platforms.

              GIMP, WireShark, FFmpeg, and LibreOffice are well-known free software projects with enough of a labor budget for multi-platform development and testing. The 1- or 2-person team behind another native application you come across may not. What should the developer of an application that isn't quite as popular as GIMP, WireShark, FFmpeg, or LibreOffice do to lower the cost of multi-platform building and testing?

              • What should the developer of an application that isn't quite as popular as GIMP, WireShark, FFmpeg, or LibreOffice do to lower the cost of multi-platform building and testing?

                Use Pascal [freepascal.org].

                • by tepples ( 727027 )

                  What should the developer of an application that isn't quite as popular as GIMP, WireShark, FFmpeg, or LibreOffice do to lower the cost of multi-platform building and testing?

                  Use Pascal [freepascal.org].

                  Testing an application built in Free Pascal on a Mac still requires a Mac. Testing an application built in Free Pascal on Windows still requires a Windows license. Testing an application built in Free Pascal on GNU/Linux still requires either a PC with hardware compatible with GNU/Linux or enough RAM to run a VM, and laptop makers have tended to skimp on both. What's the preferred way for a 1- or 2-person development team to work around this?

                  • What's the preferred way for a 1- or 2-person development team to work around this?

                    Pretty simple. It's a two step plan:

                    1. Buy a Mac.
                    2. Run Windows and Linux on it as well

                    • by tepples ( 727027 )

                      This raises three questions.

                      1. First, is a new application generally expected to ship on Windows, GNU/Linux, and macOS simultaneously from day one?
                      2. Second, if a new application is expected to ship on Windows, GNU/Linux, and macOS simultaneously from day one, what's the preferred way for a 1- or 2-person development team operating as a bootstrapped startup whose staff currently own non-Mac computers to fund the purchase of a Mac before realizing any revenue?
                      3. Third, why is it desirable for the market that Apple ha
                    • This raises three questions.

                      It doesn't raise any questions. It's a two step plan. Follow it.

                    • by tepples ( 727027 )

                      Step 1 of the plan is "Buy a Mac." The second question is "How do I afford a Mac?"

                    • The second question is "How do I afford a Mac?"

                      How do you afford any other computer? Do the same thing.

                    • by tepples ( 727027 )

                      Someone who starts to develop software is likely to already own a non-Apple computer for other reasons. Affording what you already own is a no-op. And even if not, a non-Apple computer costs half the price of a Mac.

                      You'll end up with "GNU/Linux: Download RPM or DEB | Windows: Download MSI | Mac: Back our campaign".

                    • You'll end up with "GNU/Linux: Download RPM or DEB | Windows: Download MSI | Mac: Back our campaign".

                      And yet, strangely, that never seems to happen. The world is full of cross platform software. Your tedious narrative designed to support your weak argument is simply not reflected in the real world. Your imagined costs aren't the barriers you would like them to be.

                    • by tepples ( 727027 )

                      And yet, strangely, that never seems to happen.

                      "Never" is a strong word. I contend that the following is a counterexample: The application FamiTracker [famitracker.com] has no Mac port. It is made for Windows and works correctly in GNU/Linux under Wine.

                      The world is full of cross platform software.

                      I imagine that much of multi-platform software exists because the company that made it was large enough to afford the extra expense of a multi-platform release.

                    • by tepples ( 727027 )

                      FamiTracker version 0.4.6 from famitracker.com works correctly under Wine. A fork called 0CC-FamiTracker 0.3.14.5 from hertzdevil.com does not, instead working only under Windows.

  • by Anonymous Coward on Wednesday September 06, 2017 @05:58PM (#55150491)

    I'm hoping that the next version of Chrome will allow web pages to automatically update my BIOS. It would be really useful for sysadmins and OEMs!

    /sarcasm/

  • by fibonacci8 ( 260615 ) on Wednesday September 06, 2017 @07:20PM (#55150829)
    Counting down to the first malware strain that sends advertisements to a 3D printer via WebUSB without users intervention...
    • by mentil ( 1748130 )

      That's not a 3d printer, that's a teledildonics device!

    • I hope the first thing it prints is a giant penis.

    • by gweihir ( 88907 )

      Indeed. Also waiting for ransomware on devices like printers: "Pay $100, and you will get your original firmware back". On the plus side, research into setting devices on fire via software has lagged a bit in recent years. I think this will pick up again.

  • WTF, VentureBeat? (Score:3, Informative)

    by Anonymous Coward on Wednesday September 06, 2017 @08:05PM (#55151033)

    issue 1) this was already available as of Chrome 60 (behind a flag)

    issue 2) as of Chrome 62 (Canary), the modules were not (as yet) loading in the correct order.
    The module loader still gets confused if the nesting is too deep (I have to manually order part of the loading).

    issue 3) it's not a "new element". It is new attributes on the same old element.

    Seriously, don't go with what VentureBeat says about anything technical. As if they would even have a clue.

  • Uh, yeah, thanks, Google...

    But can you please build into Chrome a feature that allows users to block HTML5 video that autoplays?

    Please?

If all else fails, lower your standards.

Working...