Wednesday 20 July 2016

Chrome 52 Released

Dear ALL,
Google released today Chrome 52.0.2743.82, promoting the 52.x branch to the Stable Channel, making it Chrome's official version.

This new release is a little bit light on visible UI features but brings a lot for developers that like to tinker on websites and are, generally, more interested in what's under the browser's hood.

Back in early June, Google engineers had drawn out a plan of what features users should expect in Chrome 52.

New CSS contain property
The team didn't stray much from their plan, and now Chrome features support for CSS containment, via the CSS contain property, which prevents child elements from displaying outside the boundaries of their parent element.

A good reason for developers to implement CSS containment on their websites is to speed up page load times. Google engineers have played around and detailed the advantages of using the contain property in a blog post in June.

CSS contain support is only available in Chrome 52 and Opera 40 (alpha stage). Firefox devs have shown public interest in integrating the property into their browser, but no code to support it has landed in the browser so far.

Simpler and more efficient process for gathering performance metrics
The second big feature Google engineers added is the PerformanceObserver API, a feature that allows Web developers to fine-tune the performance metrics gathering process.

Until now, developers that wanted to collect performance metrics had to rely on Chrome's DevTools, which is not a tool specifically designed for such a process.

With the integration of this new API, developers can specify which performance metrics they want Chrome to collect, and avoid situations in which the browser gathers information that is never used and wastes memory. Google devs explained how this feature works this past June.

VAPID Support and the Streams API
Chrome 52 also supports the VAPID specification (Voluntary Application Server Identification for Web Push).

VAPID allows a site that uses push notifications to authenticate much easier with Web Push services that interact with your desktops or mobile devices.

Additionally, the Streams API, also introduced with Chrome 52, allows the browser to start rendering page content even before the entire HTTP response has finished downloading. This basically means that CSS code is already applied to the page before the entire stylesheet has been downloaded.

As seen in the video above, this improves page loading times, something Google engineers will never stop trying to improve.

Deprecations and removals
The first thing you will notice missing from Chrome 52 is the company's Chrome App Launcher that allowed the user to launch Chrome apps even if the browser was closed.

Google announced the deprecation of this feature at the start of the year, but people that love it can still use it inside Chrome OS.

Other things that were removed or deprecated include support for the MediaStream ended event and its onended attribute, an overload of postMessage(), X-Frame-Options in meta tags, the non-primary button click event, requestAutocomplete(), and the ability to block cross-origin iframes during touch events except during a tap gesture.

Security bugs and other smaller updates
Google's security team didn't slack either, and based on their own audits and reported bugs, the engineers fixed 48 security issues, handing out $21,000 to contributors along the way.

Below is the full list of security bugs, followed by a selection of smaller changes also included in Chrome 52's full changelog.

[$15000][610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie
[$3000][622183] High CVE-2016-1707: URL spoofing on iOS. Credit to xisigr of Tencent's Xuanwu Lab
[$TBD][613949] High CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan
[$TBD][614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin of Topsec Security Team
[$TBD][616907] High CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][617495] High CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][618237] High CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer
[$TBD][619166] High CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous
[$TBD][620553] High CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin
[$TBD][623319] High CVE-2016-5130: URL spoofing. Credit to Wadih Matar
[$TBD][623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer
[$1000][607543] Medium CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly
[$1000][613626] Medium CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor
[$500][593759] Medium CVE-2016-5134: URL leakage via PAC script. Credit to Paul Stone
[$500][605451] Medium CVE-2016-5135: Content-Security-Policy bypass. Credit to kingxwy
[$TBD][625393] Medium CVE-2016-5136: Use after free in extensions. Credit to Rob Wu
[$TBD][625945] Medium CVE-2016-5137: History sniffing with HSTS and CSP. Credit to Xiaoyin Liu

Other features in this release
Chrome now pauses animations while showing modal dialog boxes.
HTTP alternative services allow sites to specify additional origins that can be used to reach a certain resource, enabling easier protocol upgrades and load balancing.
ImageBitmaps can be created more easily using ImageBitmapOptions to specify configurations on construction.
Sites can now free the memory consumed by an ImageBitmap using ImageBitmap.close().
Chrome now supports OpenType small capitals and easier styling of numbers using the font-variant-caps and font-variant-numeric properties.
Touch gestures inside a cross-origin iframe can no longer trigger popups unless they correspond to a tap gesture, preventing accidental pop-ups during scrolling.
Now only secure origins can create or delete secure cookies on Chrome for Android.
The latest version of Chrome supports -webkit-appearance:none which disables the default rendering of HTML5 meter elements and allows easier custom CSS styling.
The unsafe-dynamic Content Security Policy expression allows sites to use single-use or hash-based whitelists to verify script sources, making it easier to protect against cross-origin scripting attacks.
Sites can now use the Fetch API to programmatically set the referrer policy for a request.
CanvasRenderingContext2D now supports the filter attribute, allowing sites to apply effects to primitives drawn to the canvas.
Sites can now test whether or not a key exists within the bounds of an IDBKeyRange using IDBKeyRange.includes().
The HTMLMediaElement.srcObject attribute simplifies associating a MediaStream with a media element.
AudioParam now supports the read-only min and max attributes to simplify introspection.
RTCCertificates can now be stored in IndexedDB.
PannerNode and AudioListener now support automation methods, allowing smooth audio transitions.
Stylesheets can now specify alpha values for colors using eight- and four-bit hexadecimal values instead of the longer rgba() syntax.
Sites can now experiment with persistent storage as an origin trial, allowing a site to disable automatic storage clearing when bookmarked.
Multiple WebVTT tracks will now be presented as user options in the default media controls, enabling language selection for captions and subtitles.
postMessage overloads of the form postMessage(message, transferables, targetOrigin) have been deprecated.
The MediaStream ended event and the corresponding onended attribute have been deprecated.
The web app manifest icons entry no longer supports the density property.
The DynamicsCompressorNode.reduction attribute is now a read-only float instead of an AudioParam.
flexbox children with position:absolute will now be positioned using justify and align if the element does not have a left:, right:, top:, or bottom: position specified.
requestAutocomplete() has been deprecated and removed due to low usage numbers.
X-Frame-Options will no longer be supported in the meta tag, in favour of a more secure implementation.
Invalid values for track-kind are now treated as metadata instead of subtitles to improve media behavior in older user agents.

Article source

Tuesday 19 July 2016

Microsoft steps up legal pressure against Windows 10 pirates

Dear All,
Microsoft files fifth lawsuit since February to stop alleged pirates from illegally activating Windows and Office

Microsoft last week continued its campaign to quash software pirates when it filed the fifth lawsuit in as many months accusing unidentified individuals of illegally activating more than 1,000 copies of Windows, including the newest Windows 10, and Office.

The suit was filed in a Seattle court last Thursday. It was almost identical to others submitted since February, when Microsoft started a string of cases targeting numerous "John Does."

"Microsoft’s cyberforensics have identified over one thousand activations of Microsoft software originating from IP address 69.92.99.109 ('the IP Address'), which is presently assigned to Cable One, Inc.," Microsoft's complaint read.

Microsoft did not identify the culprits, but tagged them as "John Doe" 1 through 10.

"Defendants have activated and attempted to active [sic] copies of Microsoft Windows 10, Windows 8.1, Windows 8, Windows Vista, Windows 7, Office 2013, Office 2010, and Windows Server 2008," Microsoft charged.
As with the previous four John Doe cases of 2016, Microsoft asserted that it tracked the allegedly illegal activations to the IP address, and that the number and pattern of those activations "make it more likely than not" that they were using stolen product keys or abusing legitimate keys.

The 25-character alphanumeric key codes are a core component of Microsoft's anti-piracy technology. Although the software can be copied an unlimited number of times, the keys individually lock a license to a device. Without a legitimate key, and thus without activation, Microsoft's software retreats to a hobbled or even crippled mode.

In a related filing for the same case, Microsoft requested that the latest be assigned to the same federal judge who is overseeing the four others initiated this year because they "are substantially related." Altogether, Microsoft has filed 13 anti-piracy lawsuits since November 2014 with the Seattle court.

Microsoft has been given permission in two of the 2016 cases -- both filed in early June -- to serve subpoenas on internet service providers (ISPs) Comcast and EarthLink. Those subpoenas demand that the ISPs identify the alleged software pirates who were assigned the IP addresses Microsoft had fingered.

source

Satya Nadella says Microsoft is revising its goals for Windows 10

Dear All,
We all know that Microsoft had high stakes riding on Windows 10.

Microsoft was recently forced to delay its ambitious goal of getting 1 billion devices onto Windows 10 within the next two years, after its collapsing phone business made that an unrealistic milestone.
Instead, CEO Satya Nadella announced Tuesday during the company's quarterly earnings call that Microsoft will change the way it reports the number of Windows 10 installations (currently at over 350 million), reflecting a shift in how it thinks about the operating system.
 
"We changed how we will assess progress," Nadella says. 
 
Now, instead of the irregular updates on Windows 10 growth we've been getting for the last year, mainly at Microsoft conferences and events, Nadella says Microsoft will share monthly active users on the operating system "regularly."
 
Notably, instead of installations, Microsoft is now tracking monthly active users of Windows 10 — the same kind of metric used to track services like Google's Gmail, which has a billion monthly active users.
And what does "regularly" mean? Who knows? With Windows 10 rapidly approaching its first birthday, maybe it'll become just another line item on the quarterly earnings report. 
 
Furthermore, Nadella says that Microsoft is measuring the success of Windows 10 on some key benchmarks, which will also be reported on that same "regularly" scale:
 
"Deliver more value and innovation" — on August 2nd, Microsoft is delivering the Windows 10 Anniversary Update, a free upgrade that brings new stylus and security features. Nadella says new features bring new people into the Windows 10 fold.
"More services" — Nadella has long held that Windows 10 is an excellent sales funnel towards Microsoft's key subscription services, including Office 365 and Xbox Live. Nadella says that Microsoft is focusing on how Windows 10 can push more of that kind of service revenue.
"New device categories" — In the same way that the Surface Pro tablet and Surface Book laptop are incentivizing manufacturers like Dell, HP, and Lenovo to up their games in the hardware market, Nadella says that new-era devices like the HoloLens holographic headset and Surface Hub mega-tablet can inspire new kinds of Windows-powered computers to hit the market, increasing Windows' footprint.
 
None of this is especially new: the reason Microsoft was angling for a billion devices in the first place was that with Windows 10 everywhere, the crucial software development industry has a reason to stick with Windows rather than leave for the iPhone or Android.
 
But by reporting the monthly number, and explicitly making these three points Microsoft's goals, it's demystifying its intentions around Windows 10, while making it more explicit that it plans to keep growing in these areas. 
 
The Windows 10 free upgrade offer will end on July 30th, meaning people are going to have to pay $130 for the operating system. It'll be really interesting to see, on a more regular basis, how many people are willing to pony up for Nadella's vision of an always-improving Windows.