In nearly every version of Chrome, we see a significant number of updates and improvements to the product, its performance, and also capabilities of the Web Platform. This article describes some of the deprecations and removals in Chrome 65, which is in beta as of February 8.
Chrome no longer trusting certain Symantec certificates
As previously announced, Chrome 65 will not trust certificates issued from Symantec’s Legacy PKI after December 1st, 2017; sites serving such certificates will trigger interstitials. This only affects site operators who explicitly opted out of the transition from Symantec’s Legacy PKI to DigiCert’s new PKI.
Block cross-origin <a download>
To avoid what is essentially a user-mediated cross-origin information leakage, Blink will now ignore the presence of the download attribute on anchor elements with cross-origin attributes. Note that this applies to HTMLAnchorElement.download as well as to the element itself.
Document.all is no longer replaceable
For a long time now, it's been possible for web developers to overwrite document.all. According to the current standard, this should not be so. Starting in version 65, Chrome complies with the standard.
The set-cookie value no longer supported for <meta> element's http-equiv attribute
Currently, <meta http-equiv="set-cookie" ...> can be used to manipulate existing cookies for a host, or to set new cookies. This allows a non-script content injection to upgrade itself to a session fixation attack, even in the presence of a strong content security policy.
It's better from a security perspective to require either access to HTTP headers (in other words Set-Cookie) or script execution (in other words document.cookie).
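Pages that still rely on this tag stop setting the cookie once the value is unsupported, and stored markup containing it remains a risk in browsers that still honor it. The following is an added example, not code from the original article: it uses Python's standard html.parser to locate such tags in stored or templated HTML. The sample document and the names MetaSetCookieFinder and find_meta_set_cookie are constructed for illustration.

```python
from html.parser import HTMLParser


class MetaSetCookieFinder(HTMLParser):
    """Collects every <meta http-equiv="set-cookie"> tag in a document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, and it never
        # reports markup that sits inside comments or <script> bodies.
        if tag != "meta":
            return
        a = {name: (value or "") for name, value in attrs}
        # The http-equiv keyword is compared case-insensitively.
        if a.get("http-equiv", "").strip().lower() != "set-cookie":
            return
        content = a.get("content", "")
        # The first "name=value" pair of the cookie string names the cookie.
        cookie_name = content.split(";", 1)[0].split("=", 1)[0].strip()
        line, _col = self.getpos()  # position where the tag starts
        self.findings.append(
            {"line": line, "cookie": cookie_name, "content": content}
        )


def find_meta_set_cookie(html_text):
    """Return one finding per <meta http-equiv="set-cookie"> tag."""
    finder = MetaSetCookieFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample: two live tags (lines 4 and 8) and one inside a comment.
SAMPLE = """<!doctype html>
<html><head>
<meta charset="utf-8">
<META HTTP-EQUIV="Set-Cookie" CONTENT="sessionid=constructed-value; path=/">
<meta http-equiv="refresh" content="30">
</head><body>
<!-- <meta http-equiv="set-cookie" content="ignored=1"> -->
<p>user comment</p><meta http-equiv=set-cookie content='theme=dark' />
</body></html>
"""

if __name__ == "__main__":
    for finding in find_meta_set_cookie(SAMPLE):
        print(finding)
```

Any cookie reported here should be moved to a Set-Cookie response header, and a finding in user-supplied content indicates markup the sanitizer should have stripped.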