Chrome Dev Summit is back! Visit to secure your spot in workshops, office hours and learning lounges!

Deprecations and removals in Chrome 65

In nearly every version of Chrome, we see a significant number of updates and improvements to the product, its performance, and also capabilities of the Web Platform. This article describes some of the deprecations and removals in Chrome 65, which is in beta as of February 8.

Chrome no longer trusting certain Symantec certificates

As previously announced, Chrome 65 will not trust certificates issued from Symantec’s Legacy PKI after December 1st, 2017, and will result in interstitials. This will only affect site operators who explicitly opted-out of the transition from Symantec’s Legacy PKI to DigiCert’s new PKI.

Block cross-origin <a download>

To avoid what is essentially a user-mediated cross-origin information leakage, Blink will now ignore the presence of the download attribute on anchor elements with cross origin attributes. Note that this applies to as well as to the element itself.

Intent to Remove | Chromestatus Tracker | Chromium Bug

Document.all is no longer replaceable

For a long time now, It's been possible for web developers to overwrite document.all. According to the current standard, this should not be so. Starting in version 65, Chrome complies with the standard.

Chromestatus Tracker | Chromium Bug

Currently, <meta http-equiv="set-cookie" ...> can be used to manipulate existing cookies for a host, or to set new cookies. This allows a non-script content injection to upgrade itself to a session fixation attack, even in the presence of a strong content security policy.

It's better from a security perspective to require either access to HTTP headers (in other words Set-Cookie) or script execution (in other words document.cookie).

Intent to Remove | Chromestatus Tracker | Chromium Bug

Deprecation policy

To keep the platform healthy, we sometimes remove APIs from the Web Platform which have run their course. There can be many reasons why we would remove an API, such as:

  • They are superseded by newer APIs.
  • They are updated to reflect changes to specifications to bring alignment and consistency with other browsers.
  • They are early experiments that never came to fruition in other browsers and thus can increase the burden of support for web developers.

Some of these changes will have an effect on a very small number of sites. To mitigate issues ahead of time, we try to give developers advanced notice so they can make the required changes to keep their sites running.

Chrome currently has a process for deprecations and removals of API's, essentially:

  • Announce on the blink-dev mailing list.
  • Set warnings and give time scales in the Chrome DevTools Console when usage is detected on the page.
  • Wait, monitor, and then remove the feature as usage drops.

You can find a list of all deprecated features on using the deprecated filter and removed features by applying the removed filter. We will also try to summarize some of the changes, reasoning, and migration paths in these posts.

Subscribe to our RSS or Atom feed and get the latest updates in your favorite feed reader!