Security Changes in Chrome 59: worker-src support, rate limits on permission requests and headless chrome…
It’s time to talk security changes in Chrome 59. In this release, Google went pretty light on changes directly related to SSL/TLS, so we have included other changes that developers who work with SSL and HTTPS may be interested in.
The biggest on-going event in the industry is Symantec’s mis-issuance troubles. Google, Mozilla, and other root programs are still deciding how to handle these issues. The proposals put forth by Google and Mozilla would require Symantec to partner with a third-party CA to handle certificate issuance while it improves its own operations and gets new roots trusted.
Because Google is still working on finalizing its plans, there are no changes related to the trust of Symantec certificates in this release.
In addition to the changes listed below, three URL spoofing bugs were also fixed (one with “high” severity). Chrome’s policy is to withhold the details of those bugs for 14 weeks so that the majority of users can safely update their browsers.
Here are some of the biggest security changes in Chrome 59:
Venafi’s Gen2 log is now trusted by Chrome. It accepts certificates from all roots trusted by Chrome. Earlier this year, Venafi had a log removed from Chrome after suffering stability problems.
worker-src is a new directive in Content Security Policy (CSP) Level 3. It lets websites restrict the URLs/origins from which Worker, SharedWorker, and ServiceWorker scripts may be loaded.
Worker-src is defined here in the CSP Level 3 spec.
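To make the fallback behaviour concrete, here is an added example (not code from the original post or from Chrome) that resolves which directive governs a worker script under CSP Level 3 (worker-src, then child-src, then script-src, then default-src) and checks a worker URL against it. The policy strings, hostnames, and the simplified source-expression matcher are constructed for illustration; a real user agent implements the full matching algorithm.

```javascript
// Which CSP directive governs a Worker/SharedWorker/ServiceWorker script,
// following the CSP Level 3 fallback chain:
// worker-src -> child-src -> script-src -> default-src.
// Source matching is a simplified subset: 'none', 'self', '*', scheme-source
// ("blob:"), and host-source with optional scheme, "*." prefix and port.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per spec, only the first occurrence of a directive name counts.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function effectiveWorkerDirective(policy) {
  return WORKER_FALLBACK.find((d) => d in policy) || null;
}

function sourceMatches(expr, url, pageOrigin) {
  const e = expr.replace(/^'(.*)'$/, '$1').toLowerCase(); // strip keyword quotes
  if (e === 'none') return false;
  if (e === '*') return true;
  if (e === 'self') return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false; // nonces, hashes and malformed tokens never match a URL
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  const h = url.hostname;
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  return !port || port === '*' || port === urlPort;
}

// Returns the governing directive (null if none, i.e. unrestricted) and verdict.
function workerAllowed(header, workerUrl, pageOrigin) {
  const policy = parseCsp(header);
  const directive = effectiveWorkerDirective(policy);
  if (!directive) return { directive: null, allowed: true };
  const url = new URL(workerUrl);
  // An empty source list behaves like 'none': nothing matches.
  const allowed = policy[directive].some((s) => sourceMatches(s, url, pageOrigin));
  return { directive, allowed };
}
```

Note that a policy with only default-src 'self' already constrains workers through the fallback chain; adding worker-src 'none' tightens that further without touching scripts or frames.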
Pages loading over HTTP/HTTPS will no longer be allowed to load resources from the ftp:// protocol. An example of this would be the page “http://example.com/index.html” attempting to load “ftp://example.com/image.jpeg”.
Chrome 59 blocks this behavior entirely, and Google ultimately wants to remove native FTP support altogether.
To stop websites from spamming permission requests, Chrome will now temporarily stop all requests after the third dismissal of a prompt. After the 3rd dismissal, future requests will be stopped for a week. Each further dismissal will re-activate the 1-week “cooldown”.
A new feature in Chrome’s Developer Tools allows you to block resources based on their request URL or file type. This is helpful for testing how a site performs when a specific resource is blocked, and it can be used to simulate certain origins being offline. You can use wildcards to block entire file types, such as “*.css”.
Google’s regular What’s New in DevTools update has more on this feature.
A “headless environment” is an interface that lacks a GUI and is instead console-based. A headless browser has all the components of a browser except the GUI. It is designed for development, automated testing, and other automated tasks that don’t require user interaction via a GUI.
For example, you could use a headless browser to automatically connect to a URL at set intervals and take screenshots of the page for archiving or monitoring.
Headless Chrome is available for Linux and Mac in Chrome 59. Windows compatibility will be coming later.
To learn more about headless Chrome, check out this article from Google.