Deprecations and removals in Chrome 65

Joe Medley
Joe Medley

In nearly every version of Chrome, we see a significant number of updates and improvements to the product, its performance, and also capabilities of the Web Platform. This article describes some of the deprecations and removals in Chrome 65, which is in beta as of February 8.

Chrome no longer trusting certain Symantec certificates

As previously announced, Chrome 65 will not trust certificates issued from Symantec’s Legacy PKI after December 1st, 2017, and will result in interstitials. This will only affect site operators who explicitly opted-out of the transition from Symantec’s Legacy PKI to DigiCert’s new PKI.

Block cross-origin <a download>

To avoid what is essentially a user-mediated cross-origin information leakage, Blink will now ignore the presence of the download attribute on anchor elements with cross origin attributes. Note that this applies to HTMLAnchorElement.download as well as to the element itself.

Intent to Remove | Chromestatus Tracker | Chromium Bug

Document.all is no longer replaceable

For a long time now, It's been possible for web developers to overwrite document.all. According to the current standard, this should not be so. Starting in version 65, Chrome complies with the standard.

Chromestatus Tracker | Chromium Bug

Currently, <meta http-equiv="set-cookie" ...> can be used to manipulate existing cookies for a host, or to set new cookies. This allows a non-script content injection to upgrade itself to a session fixation attack, even in the presence of a strong content security policy.

It's better from a security perspective to require either access to HTTP headers (in other words Set-Cookie) or script execution (in other words document.cookie).

Intent to Remove | Chromestatus Tracker | Chromium Bug