Deprecations and removals in Chrome 65
In nearly every version of Chrome, we see a significant number of updates and improvements to the product, its performance, and also capabilities of the Web Platform. This article describes some of the deprecations and removals in Chrome 65, which is in beta as of February 8.
Chrome no longer trusting certain Symantec certificates
As previously announced, Chrome 65 will not trust certificates issued from Symantec’s Legacy PKI after December 1st, 2017; their use will result in interstitials. This will only affect site operators who explicitly opted out of the transition from Symantec’s Legacy PKI to DigiCert’s new PKI.
Block cross-origin <a download>
To avoid what is essentially a user-mediated cross-origin information leakage, Blink will now ignore the presence of the download attribute on anchor elements with cross-origin attributes. Note that this applies to HTMLAnchorElement.download as well as to the element itself.
Document.all is no longer replaceable
For a long time now, it's been possible for web developers to overwrite document.all. According to the current standard, this should not be so. Starting in version 65, Chrome complies with the standard.
The set-cookie value no longer supported for <meta> element's http-equiv attribute
<meta http-equiv="set-cookie" ...> can be used to manipulate existing cookies for a host, or to set new cookies. This allows a non-script content injection to upgrade itself to a session fixation attack, even in the presence of a strong content security policy.
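For site operators checking their own pages against this change and the cross-origin <a download> change above, here is an added example (not code from the original article or from Chrome) that scans markup for both patterns. The names parseAttrs and auditChrome65 and the sample page are assumptions made for illustration, and the regex tag scan stands in for a real HTML parser.

```javascript
// Added example: audits markup for the two Chrome 65 changes described above.
// Regex tag scanning is a simplification, not a full HTML parser.
// Function names and the sample markup are constructed for illustration.

// Parse one start tag's attribute text into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = Object.create(null);
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>=`]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    // The first occurrence of a duplicated attribute wins, as in HTML parsing.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return findings for markup that Chrome 65 treats differently.
function auditChrome65(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  const tagRe = /<(a|meta)(?=[\s\/>])([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (tag === 'meta' && (attrs['http-equiv'] || '').trim().toLowerCase() === 'set-cookie') {
      findings.push({ kind: 'meta-set-cookie', detail: attrs.content || '' });
    } else if (tag === 'a' && 'download' in attrs && 'href' in attrs) {
      let target;
      try { target = new URL(attrs.href, pageUrl); } catch { continue; }
      // Only http(s) targets are compared; other schemes are out of scope here.
      if (/^https?:$/.test(target.protocol) && target.origin !== pageOrigin) {
        findings.push({ kind: 'cross-origin-download', detail: target.href });
      }
    }
  }
  return findings;
}

// Constructed sample page, assumed to be served from https://www.example.com/.
const SAMPLE_HTML = `
<meta charset="utf-8">
<meta HTTP-EQUIV="Set-Cookie" content="SID=0123; path=/">
<a href="/reports/q1.pdf" download>same origin</a>
<a download="invoice.pdf" href="https://cdn.example.net/invoice.pdf">other origin</a>
<a href="https://cdn.example.net/page">no download attribute</a>`;

console.log(auditChrome65(SAMPLE_HTML, 'https://www.example.com/index.html'));
```

A meta-set-cookie finding in content you did not author is also worth treating as a sign of markup injection, since the tag needs no script to run.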
It's better from a security perspective to require either access to HTTP headers (in other words Set-Cookie) or script execution (in other words