API Deprecations and Removals in Chrome 56

Joe Medley

In nearly every version of Chrome, we see a significant number of updates and improvements to the product, its performance, and also capabilities of the Web Platform. This article describes the deprecations and removals in Chrome 56, which is in beta as of December 8. This list is subject to change at any time.

Remove support for SHA-1 certificates

The SHA-1 cryptographic hash algorithm first showed signs of weakness over eleven years ago and recent research points to the imminent possibility of attacks that could directly impact the integrity of the web public key infrastructure (PKI).

To protect users from such attacks, Chrome no longer supports SHA-1 certificates starting in Chrome 56, whose stable release is in January 2017. Visiting a site using such a certificate results in an interstitial warning. We provide more details on the Chrome Security Blog.

Intent to Remove | Chromestatus Tracker | Chromium Bug

Remove CBC-mode ECDSA ciphers in TLS

TLS's CBC-mode construction is flawed, making it fragile and very difficult to implement securely. Although CBC-mode ciphers are still widely used with RSA, they are virtually nonexistent with ECDSA. Although other browsers still support these ciphers, we believe the risk is low. Additionally, ECDSA in TLS is used by few organizations and usually with a more complex setup (some older clients only support RSA), so we expect ECDSA sites to be better maintained and more responsive in case of problems.

TLS 1.2 added new ciphers based on AEADs, which avoid these problems, specifically AES_128_GCM, AES_256_GCM, or CHACHA20_POLY1305. Although we are only requiring this for ECDSA-based sites at this time, it is recommended for all administrators. AEAD-based ciphers not only improve security but also performance. AES-GCM has hardware support on recent CPUs and ChaCha20-Poly1305 admits fast software implementations. Meanwhile, CBC ciphers require slow, complex mitigations and PRNG access on each outgoing record. AEAD-based ciphers are also a prerequisite for HTTP/2 and False Start optimizations.
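To check a server configuration against this change, the following added example (not code from Chrome or from the original article) audits a cipher-suite list and reports which ECDSA suites use CBC and whether an AEAD ECDSA suite remains. It assumes IANA-style suite names; `parseSuite`, `auditForChrome56` and both sample lists are constructed for illustration.

```javascript
// Added example: audit a TLS cipher-suite list against the Chrome 56 change.
// Assumes IANA-style suite names; the sample server lists are constructed.
const AEAD_CIPHERS = ['AES_128_GCM', 'AES_256_GCM', 'CHACHA20_POLY1305'];

// Split "TLS_<key exchange>_<auth>_WITH_<cipher>_<hash>" into its parts.
function parseSuite(name) {
  const m = /^TLS_(.+)_WITH_(.+)$/.exec(name);
  if (!m) return null; // e.g. TLS 1.3 names, which carry no _WITH_ part
  const auth = m[1].split('_').pop(); // last token: RSA, ECDSA, ...
  const cbc = m[2].split('_').includes('CBC');
  const aead = AEAD_CIPHERS.find((c) => m[2].startsWith(c)) || null;
  return { name, auth, cbc, aead };
}

function auditForChrome56(serverSuites) {
  const parsed = serverSuites.map(parseSuite).filter(Boolean);
  const ecdsa = parsed.filter((s) => s.auth === 'ECDSA');
  const removed = ecdsa.filter((s) => s.cbc).map((s) => s.name);
  const usable = ecdsa.filter((s) => s.aead).map((s) => s.name);
  return {
    removed, // ECDSA + CBC: the suites this section removes
    usable, // ECDSA + AEAD: the suites the article says to offer
    ecdsaNegotiable: usable.length > 0,
    // RSA + CBC is not removed here, but AEAD is recommended for everyone.
    rsaCbcStillPresent: parsed.some((s) => s.auth === 'RSA' && s.cbc),
  };
}

// Constructed sample: an ECDSA site that only offers CBC suites.
const legacyServer = [
  'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
  'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
];
// Constructed sample: the same site after adding AEAD suites.
const updatedServer = legacyServer.concat([
  'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
  'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256',
]);

console.log(auditForChrome56(legacyServer));
console.log(auditForChrome56(updatedServer));
```

A result with `ecdsaNegotiable: false` and a non-empty `removed` list identifies a site whose ECDSA certificate can no longer be negotiated once CBC-mode ECDSA suites are gone.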

Intent to Remove | Chromestatus Tracker | Chromium Bug

Remove user gestures from touch scroll

We've seen multiple examples of poorly written or malicious ads that trigger navigation for touch scrolls either on touchstart or all touchend events. If a 'wheel' event can't open a pop-up, then touch scrolling shouldn't either. This may break some scenarios, for example, media not playing on touch, or pop-ups not opening on touch. Safari already silently fails to open pop-ups in all of these scenarios.

Intent to Remove | Chromestatus Tracker | Chromium Bug

Disallow all fetches for scripts with invalid type/language attributes

Currently, Chrome's preload scanner fetches items in <script> elements regardless of the value of the type or language attribute, though the script will not be executed when parsed. By deprecating the fetch, the preload scanner and the parser will have the same semantics, and we will not be initiating fetches for scripts we will not use. This is intended to save data for users who navigate to sites with a lot of custom script tags that are post-processed (like type="text/template", for example).

The use case of using invalid scripts to ping servers is adequately covered by the sendBeacon API.

This change aligns Chrome with Safari, though Firefox still requests scripts regardless of type or language.

Intent to Remove | Chromestatus Tracker | Chromium Bug

Remove MediaStreamTrack.getSources()

This method is no longer part of the spec and is not supported by any other major browser. It has been replaced by MediaDevices.enumerateDevices(), which Blink has supported without flags since version 47 and which is also supported by other browsers. An example of this is shown below. This hypothetical getCameras() function first uses feature detection to find and use enumerateDevices(). If the feature detection fails, it looks for getSources() in MediaStreamTrack. Finally, if there is no API support of any kind, it passes the empty cameras array to the callback.

    function getCameras(camerasCallback) {
      var cameras = [];
      // Guard navigator.mediaDevices itself: it is undefined in older browsers
      // and in insecure contexts, and the 'in' operator would throw on it.
      if(navigator.mediaDevices && 'enumerateDevices' in navigator.mediaDevices) {
        navigator.mediaDevices.enumerateDevices()
          .then(function(sources) {
            return sources.filter(function(source) {
              return source.kind === 'videoinput';
            });
          })
          .then(function(sources) {
            sources.forEach(function(source) {
              if(source.label.indexOf('facing back') >= 0) {
                // Move back-facing cameras to the front of the list.
                cameras.unshift(source);
              }
              else {
                cameras.push(source);
              }
            });
            camerasCallback(cameras);
          });
      }
      // MediaStreamTrack may not be defined at all, so test with typeof first.
      else if(typeof MediaStreamTrack !== 'undefined' && 'getSources' in MediaStreamTrack) {
        MediaStreamTrack.getSources(function(sources) {
          for(var i = 0; i < sources.length; i++) {
            var source = sources[i];
            if(source.kind === 'video') {
              if(source.facing === 'environment') {
                // Cameras facing the environment are moved to the front of the list.
                cameras.unshift(source);
              }
              else {
                cameras.push(source);
              }
            }
          }
          camerasCallback(cameras);
        });
      }
      else {
        // We can't pick the correct camera because the API doesn't support it.
        camerasCallback(cameras);
      }
    }

Intent to Remove | Chromestatus Tracker | Chromium Bug

Remove reflected-xss CSP directive

Early drafts of the Content Security Policy Level 2 spec contained a reflected-xss directive that offered nothing beyond the X-XSS-Protection header except a different syntax. This directive was removed from the spec in 2015, but not before it was implemented in Chrome. Support for this directive is now being removed.

Intent to Remove | Chromestatus Tracker | Chromium Bug

Replace CSP 'referrer' directive

The CSP referrer directive allowed site owners to set a referrer policy from an HTTP header. Not only does this feature have very low usage, it is also no longer part of any W3C spec.

Sites that still need this functionality should use <meta name="referrer"> or the new Referrer-Policy header.
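For sites that set these policies from server code, the following added example (not from the original article) rewrites a response header map so the CSP `referrer` directive described here moves to a `Referrer-Policy` header and the `reflected-xss` directive from the previous section is dropped. It assumes lowercase header keys; `migrateCsp` and the sample header values are constructed for illustration.

```javascript
// Added example: move the removed CSP directives out of a response header map.
// Assumes lowercase header names; sample values below are constructed.
const REFERRER_POLICIES = ['no-referrer', 'no-referrer-when-downgrade',
  'origin', 'origin-when-cross-origin', 'unsafe-url'];

function migrateCsp(headers) {
  const out = Object.assign({}, headers);
  const notes = [];
  const csp = headers['content-security-policy'];
  if (!csp) return { headers: out, notes };

  const kept = [];
  for (const raw of csp.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, ...values] = directive.split(/\s+/);
    switch (name.toLowerCase()) {
      case 'referrer':
        if (out['referrer-policy']) {
          notes.push('referrer dropped; Referrer-Policy already set');
        } else if (REFERRER_POLICIES.includes(values[0])) {
          out['referrer-policy'] = values[0];
          notes.push('referrer moved to Referrer-Policy');
        } else {
          // Never guess a policy: an unknown value needs a human decision.
          notes.push('referrer dropped; value needs manual review');
        }
        break;
      case 'reflected-xss':
        notes.push('reflected-xss dropped; no longer in the CSP spec');
        break;
      default:
        kept.push(directive);
    }
  }
  if (kept.length) out['content-security-policy'] = kept.join('; ');
  else delete out['content-security-policy'];
  return { headers: out, notes };
}

// Constructed sample response headers.
const sampleHeaders = {
  'content-security-policy':
    "default-src 'self'; referrer origin; reflected-xss block",
};
console.log(migrateCsp(sampleHeaders));
```

The `notes` array is worth logging during rollout, since a `referrer` value that could not be mapped leaves the response with no explicit referrer policy.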

Intent to Remove | Chromestatus Tracker | Chromium Bug

Remove PaymentAddress.careOf field

The PaymentAddress interface has a careOf field which is non-standard (no well-known address standards support it). The careOf field is also unnecessary, since the recipient and organization fields sufficiently support all necessary use cases. Adding careOf poses significant issues in terms of interoperability with existing postal address schemas and APIs. For a fuller discussion, read the spec removal proposal on GitHub.

Intent to Remove | Chromium Bug

Remove SVGViewElement.viewTarget

The SVGViewElement.viewTarget attribute is not part of the SVG2.0 specification and its usage is small or nonexistent. This attribute was deprecated in Chrome 54 and has now been removed.

Intent to Remove | Chromestatus Tracker | Chromium Bug