Google Patches 30 Chrome Bugs, Adds Instant Pages

JohnBert writes "Google patched 30 vulnerabilities in Chrome, paying out the third-highest bounty total ever for the bugs that outsiders filed with its security team. The company packaged the patches with an update to Chrome 13, adding Instant Pages to the 'stable' channel of the browser. The feature, which Google earlier tucked into Chrome 13 previews, proactively pre-loads some search results to speed up browsing. Google last upgraded Chrome's stable build in early June. Like Mozilla, which this year shifted to a rapid-release schedule, Google produces an update about every six-to-eight weeks. Fourteen of the 30 vulnerabilities patched were rated 'high,' the second-most-serious ranking in Google's four-step scoring system, while nine were pegged 'medium' and the remaining seven were labeled 'low.'"

Instant Pages?

[OverlordQ]

I thought this was called link prefetching.

Re:

[i kan reed]

Yep, I remember when Firefox removed this feature because it was only really useful to 56k users.

Re:Instant Pages?

[Anonymous Coward]

I seem to recall an antivirus software (AVG I think) doing something similar (prefetching and scanning for viruses on search results) and it caused havoc for webmasters.

Re:

[obergfellja]

shouldn't the Google analytics and other website analytics force this idea to be a "bot" read since there wasn't an official delivery rendered by end user but done by prefetching?

Re:

[Phaeilo]

I don't think your browser runs prefetched javascript. So Google Analytics won't be triggered.

Re:

[iceT]

Think of it as free hits to your website, without getting all those pesky customers...

Re:

[rbrausse]

coming to you soon: Google Instant Pages(tm).

the last trademark owner abandoned [uspto.gov] the poor little expression :)

Re:Instant Pages?

[Bloodwine77]

I added a simple check to my scripts long ago that detected Firefox prefetching and thew a HTTP 403 Forbidden status with a "Prefetching not permitted" message. It was straightforward to detect and block.

Hopefully Chrome either makes it easy to detect and block, or at least easy to detect.

Re:

[Anonymous Coward]

I added a simple check to my scripts long ago that detected Firefox prefetching and thew a HTTP 403 Forbidden status with a "Prefetching not permitted" message. It was straightforward to detect and block.

Hopefully Chrome either makes it easy to detect and block, or at least easy to detect.

Sites must opt-in by changing their HTML. Users can disable it for their browser by unchecking "Predict network actions to improve page load performance" in Settings.

Re:Instant Pages?

[Bloodwine77]

I did some Googling and apparently Chrome will send the following header when prefetching:

X-Purpose: instant

http://www.google.com/chrome/intl/en/webmasters-faq.html#instant [google.com]

So it looks like it will be easy for me to block just as I have blocked Firefox prefetches.

Re:

[TheRaven64]

Think of a site like the New York Times, which allows you to read n stories for free, and then bounces you to the paywall. If they allow prefetching, then people who use Chrome either always get the stories for free, or they get stories that show up in their search results - but which they don't actually read - counting towards the total. Other sites that change some global state when real humans look at them may do the same thing.

Re:

[Anonymous Brave Guy]

Because bandwidth costs money, in a nutshell. There's no point spending that money to provide a page the user may never see.

The same argument applies in reverse. We don't all have effectively unlimited broadband caps, and I will not thank Google if it starts randomly downloading pages with accompanying multimedia content to use up mine.

(My sites show up plenty fast enough on demand for my visitors, and the only sites I use where speed is a real problem would be unlikely to benefit much from this feature sin

How much are you saving?

[Crag]

Do you log details of blocked pre-fetches? Do you have data on what portion of blocked pre-fetches were then followed by real visitors? You say "My sites show up plenty fast enough on demand for my visitors, ..." but does that apply well to heavily bandwidth-constrained users? Modems may be old-fashioned, but mobile and wireless users still frequently get poor network performance. Do you have data on how fast all of your visitors download your pages?

You may well have done all the analysis and come up wi

Re:

[Anonymous Brave Guy]

I'm a contractor, so I've worked on quite a few projects within a relatively short space of time. Few of them block prefetching techniques in practice as far as I know, but several of them keep quite careful metrics about user download performance, particularly those serving multimedia content of one kind or another, and they are certainly healthy enough for their intended user bases without prefetching.

I'm not arguing that prefetching should always be disabled, BTW, just pointing out a possible reason why

Re:

[alendit]

As far as i understood, Instant Pages not only prefetch the top-hit in your search, but also renders the page in background. Didn't find any original anouncement from google, but here you can read some more about it http://www.ecreativeim.com/blog/2011/06/google-announces-chrome-only-instant-pages/ [ecreativeim.com] .

Re:

[tapo]

The difference is in implementation. Link prefetching was already supported in Chrome (and Firefox), which fetches the page in the background and stores the results in cache. Chrome 13 goes a step farther, actually prerendering the page in the background if requested (including running Javascript).

Implementation details are here: http://code.google.com/chrome/whitepapers/prerender.html [google.com]

Re:Instant Pages?

[HarrySquatter]

Chrome 13 goes a step farther, actually prerendering the page in the background if requested (including running Javascript).

Better hope that it's not a malware page or something trying to use an XSS exploit. Be exploited before you even clicked the link! Brilliant!

Re:

[Smauler]

I agree - this could be a very serious expoit route. Well meaning sites could easily be spammed with malware site links, and preloading links will completely fubar any sense of trust in that site. Pre-loading is diabolical anyway, for anyone who has a bandwidth cap, and uses it.

Re:

[cyfer2000]

Does this feature draw juice from my notebook batteries?

I can see a couple issues

[Bloodwine77]

The first issue is this is going to play havoc with traffic analytics and tracking. I'm sure Google Analytics will handle Chrome's Instant Pages just fine, but everybody else will have to figure out how to ignore Chrome pre-loads. I did some searching and they are adding a Visibility API to Chrome to allow authors of other traffic reporting packages to handle the difference. Hopefully the Visibility will be pretty straightforward and not require a lot of extra work.

The other issue is that this is going to e

Re:I can see a couple issues

[Anonymous Coward]

The first issue is this is going to play havoc with traffic analytics and tracking.

Good. If information about my browsing habits starts to become unusable then perhaps they will stop tracking it.

Re:I can see a couple issues

[Anonymous Brave Guy]

If information about my browsing habits starts to become unusable then perhaps they will stop tracking it.

I'm about as pro-privacy as they come on this issue, but even I don't mind a web site doing analytics within its own domain to see which types of content are most popular so they can be prioritised, optimise navigation based on users actual needs, etc. It's the cross-site/cross-visit tracking that is creepy, IMHO, particularly if associated with any other data previously known only to some of those sites.

Re:

[bberens]

The prefetching mechanism passes a special header so anyone in the analytics business will know to ignore those requests.

Re:

[TheRaven64]

Unfortunately, you don't always want to ignore them. The browser will fetch the page and prerender it. It may or may not then display it. You want to ignore the cases where it doesn't display it, but you don't count the cases where it does. Does it send another request to the server saying 'okay, actually displaying the page now'? If not, then this is going to cause problems for Google's accounting for adverts. My cynical guess is that the fix will be to count prefetch pages when charging advertisers,

Does instant pages pump up the hit count?

[bareman]

If the browser starts preloading high ranked pages that I'm not interested in, and do not click on, doesn't that falsely inflate usage statistics on those sites?

Re:

[Bloodwine77]

It looks like they are going to try to address that with the upcoming Visibility API:

http://code.google.com/chrome/whitepapers/pagevisibility.html [google.com]

However, it seems to be JavaScript based which, at least to me, is not a desirable way to determine whether or not the page is being pre-loaded.

At least Firefox sent a "X-moz: prefetch" header which I used to ignore the traffic on those requests.

Re:

[bhcompy]

So because I only enable javascript when I want to they'll never know I was viewing the page?

Re:

[bberens]

Chrome has a similar header

Re:

[JiveDonut]

Yes it does. I have a a very low traffic blog so I can see the results easily. Doing a search where my posts come up in the first page of results causes each page to register two pageviews in the blogger stats for each one.

Re:

[SmilingBoy]

Doing a search where my posts come up in the first page of results causes each page to register two pageviews in the blogger stats for each one.

Why two?

Re:

[BlueMikey]

Why do you care if this is built in to Chrome? There are extensions that add this behavior.

Re:

[HarrySquatter]

Because one shouldn't need to install an extension for such a basic feature?

Re:

[BlueMikey]

That's not a reason to not use the browser though. If Chrome is superior except for one feature that can be fixed by an extension that takes 30 seconds to install once at the same time you install the browser, that's a really stupid reason to avoid the browser. Trying to add every single feature that every single person wants (and I don't consider this to be a necessary feature, especially considering there are better ways to switch tabs) just leads to a bloated browser, which Google wanted to avoid.

If y

you know what speeds up my browsing

[Osgeld]

its when the page doesnt update every fucking time I type in a letter frantically trying to guess what I mean, often with not even funny anymore horseshit

let me type and when I am good and GD ready for the query to be executed then I will hit enter

Re:

[geekoid]

Then turn it off.

Sheesh.

Re:

[Osgeld]

then it pops up on the next computer I use, maybe I want to delete cookies then I have to constantly turn of the fucker, what If I am one of those people who clear cookies every time my browser closed

  Sheesh they can handle my documents just fine, I am almost always signed in MAKE IT AN ACCOUNT SETTING, its not that fucking hard, but NO they want to shove it down your throat so its inconvienent to not use it

Re:

[Osgeld]

I am just going to copy paste this since everyone in slashdot just accepts whatever "features" they want to shove down our thoats and I dont feel like typing it out for a dozen sheep

"then it pops up on the next computer I use, maybe I want to delete cookies then I have to constantly turn of the fucker, what If I am one of those people who clear cookies every time my browser closed

Sheesh they can handle my documents just fine, I am almost always signed in MAKE IT AN ACCOUNT SETTING, its not th

Re:

[Calos]

You must type really slow or something.

In my experience, it only manages to fire off one or two DNS queries before I hit enter, much less load a page. When I am stuck - usually when I'm using it to search my history or the name of a site I can't quite remember - it's always seemed very helpful.

IMHO and YMMV and all that, but for the sake of your health, take a deep breath and calm down :)

Re:

[bhcompy]

You can disable instant searching(for now)

Re:

[Osgeld]

I am just going to copy paste this since everyone in slashdot just accepts whatever "features" they want to shove down our thoats and I dont feel like typing it out for a dozen sheep

"then it pops up on the next computer I use, maybe I want to delete cookies then I have to constantly turn of the fucker, what If I am one of those people who clear cookies every time my browser closed

Sheesh they can handle my documents just fine, I am almost always signed in MAKE IT AN ACCOUNT SETTI

Re:

[Atzanteol]

You're always signed in, yet clearing cookies and using other people's browsers?

Re:

[Osgeld]

um yea firefox just decides to do it once in a while, and 2 its not other peoples, its my computers at home and at work

Re:

[TheRaven64]

Only if you allow google to place a tracking cookie on your system. Contrast this with how DuckDuckGo handles preferences: the cookie that you set contains a string with one flag for each preference setting, and can be added to the URL if you don't want a cookie. If two users have the same preferences, then they have the same cookie / preferences string, and so can't be tracked based on the cookie.

Re:

[Archangel Michael]

So, what you're saying is that when you're searching for porn and it is recommending non-porn search terms, it isn't helpful? ;)

Re:

[Osgeld]

no, like when I was going to look for a specific electronics part and it brings up doggies, yes google perfect I have never searched for doggies in my entire life but I am constantly ordering diodes, thank you for your great service, it makes goggling for something with my laptop impossible

and yet I have to google "something" just to have the option of shutting it off

Re:

[Archangel Michael]

Just tried typing DIode into google. Not a single DOggie reference as I typed. In fact ....

D ... Dictionary.reference.com (and several other such)
I. ... Dictionary.reference.com (no change)
O ... Diocese and a bunch of Catholic sites.
D ... Diodes .... wikipedia entry on top.

Re:

[doti]

I don't see this because I never use the google.com search page, I use quicksearch instead (Firefox feature since 0.x days).

search, go to jail

[box4831]

proactively pre-loads some search results to speed up browsing

God help you if you search for 'child pore cleansing products' with google instant search turned on~

Re:

[IAmGarethAdams]

Well, after you type the 'r' in 'pore', Google will stop showing you any Instant search results

Re:

[MrHanky]

But that's only because they forward your search to the FBI, who doesn't have a public search engine.

Re:

[bberens]

Adult material does not show up in the instant search results.

Re:

[NevarMore]

Good Lord! Did Google hire away the IE guys from Microsoft or something?

No. If they did the vulns wouldn't be getting patched.

Caps?

[Anonymous Coward]

Won't this help you burn through your usage caps in the background?

Re:

[Calos]

What are caps for most people these days? Usually I see 150-250 GB; once, I've encountered 50 GB, so I sent them a letter letting them know I wouldn't be purchasing their service and told them who I was going with and why.

Seems like a few extra pageloads would be insignificant. If you query Google 20 times a day, and as a result, incur 5*20=100 extra pageloads... how big is a page? Loading the /. homepage, I use 519 KB. Ars Technica: 868 KB. Facebook: 417 KB. CNN: 889 KB. And this is assuming no content

Re:

[Calos]

Oh, I should add: I use a script blocking extension as well as Privoxy. Because I do use the tested sites somewhat, chances are some of the scripts are enabled, but Privoxy will crunch ads and certain scripts anyway, and I have it set up to block any kind of Facebook Open Graph stuff, as well as Share This On (Digg|Twitter|Facebook|Reddit) things, and other random things. So, the 1 MB/page may not be quite so generous, but probably not far off the mark.

On the other hand, it very well could be that the peo

Print Preview - Finally!

[bogaboga]

While I appreciate this new print preview functionality, I am not impressed that:

• first, it took so long and
• second, that even the delivered functionality pales in comparison with its Firefox counterpart.

This is what I mean: I would like to adjust margins on the fly as I can do with Firefox.

Re:Print Preview - Finally!

[kripkenstein]

While I appreciate this new print preview functionality, I am not impressed that:

• first, it took so long and
• second, that even the delivered functionality pales in comparison with its Firefox counterpart.

This is what I mean: I would like to adjust margins on the fly as I can do with Firefox.

What I find more annoying about the new print preview is that it isn't open source. It is in Chrome but not Chromium.

Who cares?

[gweihir]

Seriously, this is patchnotes or changelog entries, but not "News".

Re:

[Atzanteol]

You're at the wrong site. You want http://www.cnn.com./ [www.cnn.com] I can completely understand how you mis-typed that and ended up here by accident.

Pre-fetching requires PERFECT security...

[MadCow42]

For most users the intuition of "don't click on that link" is the last layer of security between the wild west of the Internet and your computer. Prefetching breaks that barrier, and potentially exposes you to any malware writer that's capable enough and determined enough to get their infected (or pwnd) website into the top search results.

Sorry... although Chrome is decent and maybe more secure than other browsers, until they can promise PERFECT security I don't want to take that chance.

That'll never happen.

If I can survive this far on my company-mandated, outdated IE browser without getting pwnd myself (yet), I think that last layer of security may be the most important one of all.

Re:

[hansamurai]

First time I encountered nastiness from pre-fetching was from using Stumbleupon. It would pre-fetch the next stumble (this can thankfully be disabled, though it should be noted you would have stumbled to it either way), so I would get a Noscript warning on like a Youtube or Wikipedia page, bit bizarre. Only until I stumbled again and actually landed on the page in question would things become clearer.

Re:

[dn15]

That's a good point. But... to be the devil's advocate, all that it's doing is pre-loading stuff into cache, right? If that's true, then it seems like it should only be able to do something if you actually click on that page. Is the end result really any different from a security standpoint?

Re:

[Bloodwine77]

Google Instant Pages sounds like it will be rendering the entire page, including images and other external resources. I wouldn't be surprised if it also executed JavaScript, fetched embedded iframes, and anything else that the page would normally do if you clicked on that link. I wonder if it would even follow redirections?

What is to stop a malevolent webmaster from performing redirects to nasty trojan or malware-infected pages if it detects the page is being pre-rendered? If that page contains flash object

Re:

[SmilingBoy]

Don't really see the difference. All this can be done today already after someone clicks on the link. And if it is the first Google result, the likelihood is very high that many people will click on it.

Re:

[smash]

Not quite. Pre-fetching doesn't need perfect security, but pre-rendering certainly does. Which is what they're implementing....

I'll be turning it off...

Re:

[gstrickler]

You can disable (as I have) the prefetch in Chrome 13. Visit chrome://settings/advanced [chrome] and deselect "Predict network actions to improve page load performance".

Due to security, tracking, bandwidth usage, etc. concerns, it's just a bad idea for 95+% of the population. If you have metered performance, it wastes your bandwidth and/or costs you money. If you have a high speed link, the time savings are marginal. If the site has malware, you could get infected, possibly without even clicking the link. If it's a

Re:

[MadCow42]

Hmmm... that's hardly re-assuring.

>> "We've thought hard about this issue, and we don't believe there is any additional risk to users," a Google spokesman explained.

"Sites marked as potentially harmful by our Safe Browsing technology will not be pre-rendered, nor will sites that Chrome detects as suspicious. We also exclude sites with SSL certificate issues and those that try to download files or display popup alerts."

Google added that search engine poisoning to promote scareware sites and the like is

Re:

[utkonos]

I can see how this feature can expose you to security problems. However, it can also provide a measure of performance increase. So, why not let users have their cake and eat it too. Allow users to enable/disable it on a per URL basis in the same way that Javascript, cookies, plug-ins, etc. are. As long as there is fine grained control over the feature, I see no problem.

I wouldn't mind enabling the pre-fetch feature on sites that I trust and use often, and have it disabled by default. I use chrome's set

Re:

[gstrickler]

You can disable it.

Still waiting for split view on Mac Chrome.

[Shag]

BlogSpot loves showing me ads for Chrome, saying I can drag one tab to the right, and get a split-screen view.

Be nice if it actually started working in Chrome for Mac, someday.

Re:

[Sits]

There is a rumour that this is a "Chrome on Windows 7" feature (see http://www.youtube.com/watch?v=YAEN_BDR6ao [youtube.com] for a video of the feature). You can apparently get extensions that offer something close but not quite the same. For what it's worth the split view feature seems to be broken if you have your tabs down the left hand side in Chrome...

Terrifying

[ThatsNotPudding]

proactively pre-loads some search results to speed up browsing.

Better hope your skeezy uncle wasn't using your computer when the party van shows up.

Bookmark Pane

[emgarf]

Another Chrome version, another failure to provide an option for a persistent bookmark sidebar/pane. Sigh.

WTF? I need to upgrade my OS to run Chrome 13?

[xanthos]

Fired up chrome this morning on my linux box and it happily told me that I was running an obsolete OS and needed to upgrade.

I run a highly modified version of debian 5.x on that box that I 'm not going to mess with for the sake of running chrome 13.

Time to turn off the automated update check I guess.

Re:

[Zan Lynx]

It's Debian. It's obsolete when it's released.

Old news...

[TheBrutalTruth]

Cr-48, dev channel. Or try the Chrome dev channel. Old features guys...

Version number sanity?

[kripkenstein]

90 comments so far, and none of the top ones are bashing Google for Chrome's new version number. Have we finally moved past bashing Chrome and Firefox for increasing the major version number every 6 weeks? Please let it be so :)

Re:

[njahnke]

all things are relative.

IE is more intuitive

[jweller13]

I don't care for chrome. I find chrome very unintuitive. I find IE and to a lesser degree FireFox much more intuitive. I use chrome when I want to view videos because it seems faster but otherwise not so much.