In nearly every version of Chrome, we see a significant number of updates and improvements to the product, its performance, and also capabilities of the Web Platform. This article describes the deprecations and removals in Chrome 56, which is in beta as of December 8. This list is subject to change at any time.
Remove support for SHA-1 certificates
The SHA-1 cryptographic hash algorithm first showed signs of weakness over eleven years ago and recent research points to the imminent possibility of attacks that could directly impact the integrity of the web public key infrastructure (PKI).
To protect users from such attacks, Chrome no longer supports SHA-1 certificates starting in Chrome 56, whose stable release is in January 2017. Visiting a site using such a certificate results in an interstitial warning. We provide more details on the Chrome Security Blog.
Intent to Remove | Chromestatus Tracker | Chromium Bug
Remove CBC-mode ECDSA ciphers in TLS
TLS's CBC-mode construction is flawed, making it fragile and very difficult to implement securely. Although CBC-mode ciphers are still widely used with RSA, they are virtually nonexistent with ECDSA. Other browsers still support these ciphers, we believe the risk is low. Additionally, ECDSA in TLS is used by few organizations and usually with a more complex setup (some older clients only support RSA), so we expect ECDSA sites to be better maintained and more responsive in case of problems.
TLS 1.2 added new ciphers based on AEADs which avoids these problems, specifically AES_128_GCM, AES_256_GCM, or CHACHA20_POLY1305. Although we are only requiring this for ECDSA-based sites at this time, it is recommended for all administrators. AEAD-based ciphers not only improve security but also performance. AES-GCM has hardware support on recent CPUs and ChaCha20-Poly1305 admits fast software implementations. Meanwhile, CBC ciphers require slow complex mitigations and PRNG access on each outgoing record. AEAD-based ciphers are also a prerequisite for HTTP/2 and False Start optimizations.
Intent to Remove | Chromestatus Tracker | Chromium Bug
Remove user gestures from touch scroll
We've seen multiple examples of poorly written or
malicious ads that trigger navigation for touch scrolls either on touchstart
or all touchend events. If a 'wheel' event can't open a pop-up, then touch
scrolling shouldn't either. This may break some scenarios, for example, media
not playing on touch, or pop-ups not opening on touch. Safari already silently
fails to open pop-ups in all of these scenarios.
Intent to Remove | Chromestatus Tracker | Chromium Bug
Disallow all fetches for scripts with invalid type/language attributes
Currently, Chrome's preload scanner fetches items in <scripts> elements
regardless of the value of the type or language attribute, though the script
will not be executed when parsed. By deprecating the fetch, the preload scanner
and the parser will have the same semantics, and we will not be initiating
fetches for scripts we will not use. This is intended to save data for users who
navigate to sites with a lot of custom script tags that are post-processed (like
type="text/template", for example).
The use case of using invalid scripts to ping servers is adequately covered by the sendBeacon API.
This change aligns Chrome with Safari, though Firefox still requests scripts regardless of type or language.
Intent to Remove | Chromestatus Tracker | Chromium Bug
Remove MediaStreamTrack.getSources()
This method is no longer part of the spec and is not supported by any other
major browser. It has been replaced by
MediaDevices.enumerateDevices(),
which Blink has supported without flags since version 47 and which is also
supported by other browsers. An example of this is shown below. This
hypothetical getCameras() function first uses feature detection to find and
use enumerateDevices(). If the feature detection fails, it looks for
getSources() in MediaStreamTrack. Finally, if there is no API support of any
kind return the empty cameras array.
function getCameras(camerasCallback) {
var cameras = [];
if('enumerateDevices' in navigator.mediaDevices) {
navigator.mediaDevices.enumerateDevices()
.then(function(sources) {
return sources.filter(function(source) {
return source.kind == 'videoinput'
});
})
.then(function(sources) {
sources.forEach(function(source) {
if(source.label.indexOf('facing back') >= 0) {
// move front facing to the front.
cameras.unshift(source);
}
else {
cameras.push(source);
}
});
camerasCallback(cameras);
});
}
else if('getSources' in MediaStreamTrack) {
MediaStreamTrack.getSources(function(sources) {
for(var i = 0; i < sources.length; i++) {
var source = sources[i];
if(source.kind === 'video') {
if(source.facing === 'environment') {
// cameras facing the environment are pushed to the front of the page
cameras.unshift(source);
}
else {
cameras.push(source);
}
}
}
camerasCallback(cameras);
});
}
else {
// We can't pick the correct camera because the API doesn't support it.
camerasCallback(cameras);
}
};
Intent to Remove | Chromestatus Tracker | Chromium Bug
Remove reflected-xss CSP directive
Early drafts of the Content Security Policy Level 2
spec contained a reflected-xss directive which offered nothing more than the
X-XSS-Protection header other than a different syntax. This directive was
removed from the spec in 2015, but not before it was implemented in Chrome.
Support for this directive is now being removed.
Intent to Remove | Chromestatus Tracker | Chromium Bug
Replace CSP 'referrer' directive
The CSP referrer directive allowed site owners to set a referrer policy from
an HTTP header. Not only does this feature have
very low usage,
it has also no longer part of any W3C spec.
Sites that still need this functionality should use <meta name="referrer"> or
the new Referrer-Policy header.
Intent to Remove | Chromestatus Tracker | Chromium Bug
Remove PaymentAddress.careOf field
The PaymentAddress interface has a careOf field which is non-standard (no
well-known address standards support it). The careOf field is also
unnecessary, the recipient and organization fields sufficiently support all
necessary use cases. Adding careOf poses significant issues in terms of
interoperability with existing postal address schemas and APIs. For a fuller
discussion, read the
spec removal proposal
on GitHub.
Intent to Remove | Chromium Bug
Remove SVGViewElement.viewTarget
The SVGViewElement.viewTarget attribute is not part of the SVG2.0
specification and it's usage is small or nonexistent. This attribute was
deprecated in Chrome 54 and has now been removed.