Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Chrome Bug Upgrades

Google Patches 30 Chrome Bugs, Adds Instant Pages 103

Posted by CmdrTaco
from the not-a-bad-month dept.
JohnBert writes "Google patched 30 vulnerabilities in Chrome, paying out the third-highest bounty total ever for the bugs that outsiders filed with its security team. The company packaged the patches with an update to Chrome 13, adding Instant Pages to the 'stable' channel of the browser. The feature, which Google earlier tucked into Chrome 13 previews, proactively pre-loads some search results to speed up browsing. Google last upgraded Chrome's stable build in early June. Like Mozilla, which this year shifted to a rapid-release schedule, Google produces an update about every six-to-eight weeks. Fourteen of the 30 vulnerabilities patched were rated 'high,' the second-most-serious ranking in Google's four-step scoring system, while nine were pegged 'medium' and the remaining seven were labeled 'low.'"
This discussion has been archived. No new comments can be posted.

Google Patches 30 Chrome Bugs, Adds Instant Pages

Comments Filter:
  • Instant Pages? (Score:4, Insightful)

    by OverlordQ (264228) on Wednesday August 03, 2011 @10:53AM (#36973596) Journal

    I thought this was called link prefetching.

    • Yep, I remember when Firefox removed this feature because it was only really useful to 56k users.

      • Re:Instant Pages? (Score:4, Insightful)

        by Anonymous Coward on Wednesday August 03, 2011 @11:07AM (#36973766)

        I seem to recall an antivirus software (AVG I think) doing something similar (prefetching and scanning for viruses on search results) and it caused havoc for webmasters.

        • by iceT (68610)

          Think of it as free hits to your website, without getting all those pesky customers...

    • by rbrausse (1319883)

      coming to you soon: Google Instant Pages(tm).

      the last trademark owner abandoned [uspto.gov] the poor little expression :)

    • Re:Instant Pages? (Score:4, Interesting)

      by Bloodwine77 (913355) on Wednesday August 03, 2011 @11:02AM (#36973710)

      I added a simple check to my scripts long ago that detected Firefox prefetching and thew a HTTP 403 Forbidden status with a "Prefetching not permitted" message. It was straightforward to detect and block.

      Hopefully Chrome either makes it easy to detect and block, or at least easy to detect.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        I added a simple check to my scripts long ago that detected Firefox prefetching and thew a HTTP 403 Forbidden status with a "Prefetching not permitted" message. It was straightforward to detect and block.

        Hopefully Chrome either makes it easy to detect and block, or at least easy to detect.

        Sites must opt-in by changing their HTML. Users can disable it for their browser by unchecking "Predict network actions to improve page load performance" in Settings.

    • Re: (Score:3, Informative)

      by alendit (1454311)

      As far as i understood, Instant Pages not only prefetch the top-hit in your search, but also renders the page in background. Didn't find any original anouncement from google, but here you can read some more about it http://www.ecreativeim.com/blog/2011/06/google-announces-chrome-only-instant-pages/ [ecreativeim.com] .

    • by tapo (855172)

      The difference is in implementation. Link prefetching was already supported in Chrome (and Firefox), which fetches the page in the background and stores the results in cache. Chrome 13 goes a step farther, actually prerendering the page in the background if requested (including running Javascript).

      Implementation details are here: http://code.google.com/chrome/whitepapers/prerender.html [google.com]

      • Re:Instant Pages? (Score:5, Insightful)

        by HarrySquatter (1698416) on Wednesday August 03, 2011 @11:50AM (#36974232)

        Chrome 13 goes a step farther, actually prerendering the page in the background if requested (including running Javascript).

        Better hope that it's not a malware page or something trying to use an XSS exploit. Be exploited before you even clicked the link! Brilliant!

        • by Smauler (915644)

          I agree - this could be a very serious expoit route. Well meaning sites could easily be spammed with malware site links, and preloading links will completely fubar any sense of trust in that site. Pre-loading is diabolical anyway, for anyone who has a bandwidth cap, and uses it.

      • by cyfer2000 (548592)
        Does this feature draw juice from my notebook batteries?
  • The first issue is this is going to play havoc with traffic analytics and tracking. I'm sure Google Analytics will handle Chrome's Instant Pages just fine, but everybody else will have to figure out how to ignore Chrome pre-loads. I did some searching and they are adding a Visibility API to Chrome to allow authors of other traffic reporting packages to handle the difference. Hopefully the Visibility will be pretty straightforward and not require a lot of extra work.

    The other issue is that this is going to e

    • by Anonymous Coward on Wednesday August 03, 2011 @11:03AM (#36973716)

      The first issue is this is going to play havoc with traffic analytics and tracking.

      Good. If information about my browsing habits starts to become unusable then perhaps they will stop tracking it.

      • by Anonymous Brave Guy (457657) on Wednesday August 03, 2011 @01:10PM (#36975130)

        If information about my browsing habits starts to become unusable then perhaps they will stop tracking it.

        I'm about as pro-privacy as they come on this issue, but even I don't mind a web site doing analytics within its own domain to see which types of content are most popular so they can be prioritised, optimise navigation based on users actual needs, etc. It's the cross-site/cross-visit tracking that is creepy, IMHO, particularly if associated with any other data previously known only to some of those sites.

    • by bberens (965711)
      The prefetching mechanism passes a special header so anyone in the analytics business will know to ignore those requests.
      • Unfortunately, you don't always want to ignore them. The browser will fetch the page and prerender it. It may or may not then display it. You want to ignore the cases where it doesn't display it, but you don't count the cases where it does. Does it send another request to the server saying 'okay, actually displaying the page now'? If not, then this is going to cause problems for Google's accounting for adverts. My cynical guess is that the fix will be to count prefetch pages when charging advertisers,
  • If the browser starts preloading high ranked pages that I'm not interested in, and do not click on, doesn't that falsely inflate usage statistics on those sites?

    • It looks like they are going to try to address that with the upcoming Visibility API:

      http://code.google.com/chrome/whitepapers/pagevisibility.html [google.com]

      However, it seems to be JavaScript based which, at least to me, is not a desirable way to determine whether or not the page is being pre-loaded.

      At least Firefox sent a "X-moz: prefetch" header which I used to ignore the traffic on those requests.

    • by JiveDonut (135491)

      Yes it does. I have a a very low traffic blog so I can see the results easily. Doing a search where my posts come up in the first page of results causes each page to register two pageviews in the blogger stats for each one.

      • Doing a search where my posts come up in the first page of results causes each page to register two pageviews in the blogger stats for each one.

        Why two?

  • its when the page doesnt update every fucking time I type in a letter frantically trying to guess what I mean, often with not even funny anymore horseshit

    let me type and when I am good and GD ready for the query to be executed then I will hit enter

    • by geekoid (135745)

      Then turn it off.

      Sheesh.

      • by Osgeld (1900440)

        then it pops up on the next computer I use, maybe I want to delete cookies then I have to constantly turn of the fucker, what If I am one of those people who clear cookies every time my browser closed

          Sheesh they can handle my documents just fine, I am almost always signed in MAKE IT AN ACCOUNT SETTING, its not that fucking hard, but NO they want to shove it down your throat so its inconvienent to not use it

        • by Osgeld (1900440)

          I am just going to copy paste this since everyone in slashdot just accepts whatever "features" they want to shove down our thoats and I dont feel like typing it out for a dozen sheep

          "then it pops up on the next computer I use, maybe I want to delete cookies then I have to constantly turn of the fucker, what If I am one of those people who clear cookies every time my browser closed

          Sheesh they can handle my documents just fine, I am almost always signed in MAKE IT AN ACCOUNT SETTING, its not th

          • by Calos (2281322)

            You must type really slow or something.

            In my experience, it only manages to fire off one or two DNS queries before I hit enter, much less load a page. When I am stuck - usually when I'm using it to search my history or the name of a site I can't quite remember - it's always seemed very helpful.

            IMHO and YMMV and all that, but for the sake of your health, take a deep breath and calm down :)

    • by bhcompy (1877290)
      You can disable instant searching(for now)
      • by Osgeld (1900440)

        I am just going to copy paste this since everyone in slashdot just accepts whatever "features" they want to shove down our thoats and I dont feel like typing it out for a dozen sheep

        "then it pops up on the next computer I use, maybe I want to delete cookies then I have to constantly turn of the fucker, what If I am one of those people who clear cookies every time my browser closed

        Sheesh they can handle my documents just fine, I am almost always signed in MAKE IT AN ACCOUNT SETTI

        • by Atzanteol (99067)
          You're always signed in, yet clearing cookies and using other people's browsers?
          • by Osgeld (1900440)

            um yea firefox just decides to do it once in a while, and 2 its not other peoples, its my computers at home and at work

      • Only if you allow google to place a tracking cookie on your system. Contrast this with how DuckDuckGo handles preferences: the cookie that you set contains a string with one flag for each preference setting, and can be added to the URL if you don't want a cookie. If two users have the same preferences, then they have the same cookie / preferences string, and so can't be tracked based on the cookie.
    • So, what you're saying is that when you're searching for porn and it is recommending non-porn search terms, it isn't helpful? ;)

      • by Osgeld (1900440)

        no, like when I was going to look for a specific electronics part and it brings up doggies, yes google perfect I have never searched for doggies in my entire life but I am constantly ordering diodes, thank you for your great service, it makes goggling for something with my laptop impossible

        and yet I have to google "something" just to have the option of shutting it off

        • Just tried typing DIode into google. Not a single DOggie reference as I typed. In fact ....

          D ... Dictionary.reference.com (and several other such)
          I. ... Dictionary.reference.com (no change)
          O ... Diocese and a bunch of Catholic sites.
          D ... Diodes .... wikipedia entry on top.

    • by doti (966971)

      I don't see this because I never use the google.com search page, I use quicksearch instead (Firefox feature since 0.x days).

  • proactively pre-loads some search results to speed up browsing

    God help you if you search for 'child pore cleansing products' with google instant search turned on~

  • Caps? (Score:4, Insightful)

    by Anonymous Coward on Wednesday August 03, 2011 @11:08AM (#36973784)

    Won't this help you burn through your usage caps in the background?

    • by Calos (2281322)

      What are caps for most people these days? Usually I see 150-250 GB; once, I've encountered 50 GB, so I sent them a letter letting them know I wouldn't be purchasing their service and told them who I was going with and why.

      Seems like a few extra pageloads would be insignificant. If you query Google 20 times a day, and as a result, incur 5*20=100 extra pageloads... how big is a page? Loading the /. homepage, I use 519 KB. Ars Technica: 868 KB. Facebook: 417 KB. CNN: 889 KB. And this is assuming no content

      • by Calos (2281322)

        Oh, I should add: I use a script blocking extension as well as Privoxy. Because I do use the tested sites somewhat, chances are some of the scripts are enabled, but Privoxy will crunch ads and certain scripts anyway, and I have it set up to block any kind of Facebook Open Graph stuff, as well as Share This On (Digg|Twitter|Facebook|Reddit) things, and other random things. So, the 1 MB/page may not be quite so generous, but probably not far off the mark.

        On the other hand, it very well could be that the peo

  • by bogaboga (793279) on Wednesday August 03, 2011 @11:16AM (#36973870)
    While I appreciate this new print preview functionality, I am not impressed that:
    • first, it took so long and
    • second, that even the delivered functionality pales in comparison with its Firefox counterpart.

    This is what I mean: I would like to adjust margins on the fly as I can do with Firefox.

    • by kripkenstein (913150) on Wednesday August 03, 2011 @09:26PM (#36980828) Homepage

      While I appreciate this new print preview functionality, I am not impressed that:

      • first, it took so long and
      • second, that even the delivered functionality pales in comparison with its Firefox counterpart.

      This is what I mean: I would like to adjust margins on the fly as I can do with Firefox.

      What I find more annoying about the new print preview is that it isn't open source. It is in Chrome but not Chromium.

  • Seriously, this is patchnotes or changelog entries, but not "News".

  • by MadCow42 (243108) on Wednesday August 03, 2011 @11:34AM (#36974080) Homepage

    For most users the intuition of "don't click on that link" is the last layer of security between the wild west of the Internet and your computer. Prefetching breaks that barrier, and potentially exposes you to any malware writer that's capable enough and determined enough to get their infected (or pwnd) website into the top search results.

    Sorry... although Chrome is decent and maybe more secure than other browsers, until they can promise PERFECT security I don't want to take that chance.

    That'll never happen.

    If I can survive this far on my company-mandated, outdated IE browser without getting pwnd myself (yet), I think that last layer of security may be the most important one of all.

    • First time I encountered nastiness from pre-fetching was from using Stumbleupon. It would pre-fetch the next stumble (this can thankfully be disabled, though it should be noted you would have stumbled to it either way), so I would get a Noscript warning on like a Youtube or Wikipedia page, bit bizarre. Only until I stumbled again and actually landed on the page in question would things become clearer.

    • by dn15 (735502)

      That's a good point. But... to be the devil's advocate, all that it's doing is pre-loading stuff into cache, right? If that's true, then it seems like it should only be able to do something if you actually click on that page. Is the end result really any different from a security standpoint?

      • Google Instant Pages sounds like it will be rendering the entire page, including images and other external resources. I wouldn't be surprised if it also executed JavaScript, fetched embedded iframes, and anything else that the page would normally do if you clicked on that link. I wonder if it would even follow redirections?

        What is to stop a malevolent webmaster from performing redirects to nasty trojan or malware-infected pages if it detects the page is being pre-rendered? If that page contains flash object

        • Don't really see the difference. All this can be done today already after someone clicks on the link. And if it is the first Google result, the likelihood is very high that many people will click on it.
    • by smash (1351)

      Not quite. Pre-fetching doesn't need perfect security, but pre-rendering certainly does. Which is what they're implementing....

      I'll be turning it off...

    • You can disable (as I have) the prefetch in Chrome 13. Visit chrome://settings/advanced [chrome] and deselect "Predict network actions to improve page load performance".

      Due to security, tracking, bandwidth usage, etc. concerns, it's just a bad idea for 95+% of the population. If you have metered performance, it wastes your bandwidth and/or costs you money. If you have a high speed link, the time savings are marginal. If the site has malware, you could get infected, possibly without even clicking the link. If it's a

    • by utkonos (2104836)

      I can see how this feature can expose you to security problems. However, it can also provide a measure of performance increase. So, why not let users have their cake and eat it too. Allow users to enable/disable it on a per URL basis in the same way that Javascript, cookies, plug-ins, etc. are. As long as there is fine grained control over the feature, I see no problem.

      I wouldn't mind enabling the pre-fetch feature on sites that I trust and use often, and have it disabled by default. I use chrome's set

  • BlogSpot loves showing me ads for Chrome, saying I can drag one tab to the right, and get a split-screen view.

    Be nice if it actually started working in Chrome for Mac, someday.

    • by Sits (117492)

      There is a rumour that this is a "Chrome on Windows 7" feature (see http://www.youtube.com/watch?v=YAEN_BDR6ao [youtube.com] for a video of the feature). You can apparently get extensions that offer something close but not quite the same. For what it's worth the split view feature seems to be broken if you have your tabs down the left hand side in Chrome...

  • proactively pre-loads some search results to speed up browsing.

    Better hope your skeezy uncle wasn't using your computer when the party van shows up.

  • Another Chrome version, another failure to provide an option for a persistent bookmark sidebar/pane. Sigh.
  • Fired up chrome this morning on my linux box and it happily told me that I was running an obsolete OS and needed to upgrade.

    I run a highly modified version of debian 5.x on that box that I 'm not going to mess with for the sake of running chrome 13.

    Time to turn off the automated update check I guess.

  • Cr-48, dev channel. Or try the Chrome dev channel. Old features guys...
  • by kripkenstein (913150) on Wednesday August 03, 2011 @03:28PM (#36976678) Homepage
    90 comments so far, and none of the top ones are bashing Google for Chrome's new version number. Have we finally moved past bashing Chrome and Firefox for increasing the major version number every 6 weeks? Please let it be so :)
  • I don't care for chrome. I find chrome very unintuitive. I find IE and to a lesser degree FireFox much more intuitive. I use chrome when I want to view videos because it seems faster but otherwise not so much.

* * * * * THIS TERMINAL IS IN USE * * * * *

Working...