- This release fixes an issue with address spoofing in pop-ups. A site could convince a user to click a link to open a pop-up window. The window’s address bar could be manipulated to show a different address than the actual origin of the content.
Security rating: Medium. This flaw could be used to mislead people about the origin of a web site in order to get them to divulge sensitive information.
Disclosed by: Liu Die Yu of the TopsecTianRongXin research lab.
Top Issues Fixed
- Scrolling with laptop touchpads now works.
- Improved performance and reliability for plugins (like Flash, Silverlight, QuickTime, and Windows Media). We fixed issues with video not loading, stopping after a second, and slowing down or freezing Google Chrome (100% CPU usage).
- Fixed the ‘chrome has crashed’ message when you close a tab that was showing a PDF using Adobe Reader 9.
- We no longer store data from secure sites (sites that use https: and show a lock in the address bar) in your history. You can still search your history for the site’s address, but not for the contents of the page.
- Improved performance and reliability for people who use web proxies (thanks to griffinz for the fixes).
Changes to how things look and work
- The New tab, New window, and New incognito window options moved from the ‘Control the current page’ menu to the ‘Customize and control Google Chrome’ (wrench) menu. Thanks to Szymon Piechowicz for the patch.
- ‘New incognito window’ always opens a new window. ‘New window’ always opens a new normal window. Both options are always visible on the wrench menu.
- The spell checker works on text input fields and underlines misspelled words. You can now add words to the spell check dictionary so they are not shown as misspelled (right click on a misspelled word and choose ‘Add to dictionary…’).
- The download behavior for files that could run programs (exe, dll, bat, etc.) has changed. These files are now downloaded to unconfirmed_*.download files. Google Chrome asks you if you want to accept the download. Only after you click Save is the unconfirmed_*.download file converted to the real file name. Downloads that you never confirm are deleted when Google Chrome exits.
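
A minimal sketch of the staged-download pattern described in the last item above, added here as an illustration; it is not Google Chrome's code. The class name, the extension set and the random suffix in the staged file name are assumptions.

```python
import atexit
import os
import uuid

# The page names exe, dll, bat "etc."; this set is an illustrative assumption,
# not Chrome's actual list of file types.
RISKY_EXTENSIONS = {".exe", ".dll", ".bat"}


class StagedDownloads:
    """Hold risky downloads under a non-executable name until the user confirms."""

    def __init__(self, directory):
        self.directory = directory
        self.pending = {}  # staged path -> file name the site asked for
        atexit.register(self.purge_unconfirmed)

    def is_risky(self, name):
        return os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS

    def receive(self, name, data):
        """Write the payload; risky files get an unconfirmed_*.download name."""
        name = os.path.basename(name)  # drop any directory part sent by the server
        if self.is_risky(name):
            staged = f"unconfirmed_{uuid.uuid4().hex}.download"
            path = os.path.join(self.directory, staged)
            self.pending[path] = name
        else:
            path = os.path.join(self.directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        return path

    def confirm(self, staged_path):
        """User clicked Save: only now does the real file name appear on disk."""
        final = os.path.join(self.directory, self.pending.pop(staged_path))
        os.replace(staged_path, final)  # note: replaces an existing file of that name
        return final

    def purge_unconfirmed(self):
        """On exit, delete every download that was never confirmed."""
        removed = []
        for path in list(self.pending):
            if os.path.exists(path):
                os.remove(path)
            removed.append(path)
            del self.pending[path]
        return removed
```

Until `confirm` runs, nothing in the download directory carries a name the shell would execute on a double-click, which is the point of the staging step.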