Google Chrome 25 Beta for Developers: Content Security Policy, Shadow DOM, Dev Tools Updates

The latest beta comes with plenty of new features under the hood

Google Chrome 25 is now in the beta channel on the desktop as well, after making its debut on Android last week. Unlike most releases, the new Chrome has plenty of new features for regular users, but there's plenty for developers to like as well.

Content Security Policy

On the security side, Chrome 25 adds unprefixed support for Content Security Policy (CSP). This enables websites to define a whitelist of domains from which code can be executed. There are very few websites that only rely on their own code these days.

"Like" buttons, site analytics and YouTube videos all come from external sources but must be treated just like the regular code. This is why XSS attacks are so dangerous: browsers implicitly trust any code, from any source, that is pushed by a page.

With CSP, websites can specify what code can be executed; browsers that support CSP will only run code originating from places in the whitelist.
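The whitelist check described above can be sketched as follows. This is an added example, not Chrome's code: the function names, the policy and the hostnames are hypothetical, and the matching is a simplified model of CSP source lists for external scripts.

```javascript
// Added example: simplified CSP source-list matching for external scripts.
// Simplified: paths, nonces, hashes and inline script are ignored.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url, page) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === page.origin;
  if (s === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false; // keywords such as 'none' or 'unsafe-inline' never match a URL
  const [, scheme, wildcard, host, port] = m;
  const schemeOk = scheme ? url.protocol === scheme + ':'
    : url.protocol === 'https:' || url.protocol === page.protocol;
  const hostOk = wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
  const effectivePort = url.port || (url.protocol === 'https:' ? '443' : '80');
  const portOk = port === undefined ? url.port === '' : port === '*' || port === effectivePort;
  return schemeOk && hostOk && portOk;
}

function isScriptAllowed(header, scriptUrl, pageUrl) {
  const policy = parsePolicy(header);
  const list = policy.get('script-src') ?? policy.get('default-src'); // fallback directive
  if (list === undefined) return true; // no governing directive: scripts are not restricted
  const page = new URL(pageUrl);
  const url = new URL(scriptUrl, page); // resolves relative script URLs against the page
  return list.some((src) => sourceMatches(src, url, page));
}

// Constructed sample policy and URLs (hypothetical hosts).
const POLICY = "default-src 'self'; script-src 'self' https://apis.widgets.example *.cdn.example";
const PAGE = 'https://shop.example/cart';
for (const src of ['/js/app.js', 'https://static.cdn.example/player.js', 'https://evil.example/x.js']) {
  console.log(src, isScriptAllowed(POLICY, src, PAGE) ? 'allowed' : 'blocked');
}
```

Note that a wildcard source such as `*.cdn.example` covers subdomains only, not the bare domain, and that a source listed with `https://` does not cover the same host over plain HTTP.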

Shadow DOM

Also new in Chrome 25, new in all senses of the word, is support for Shadow DOM. The Shadow DOM, while ominous sounding, is just a way of making sure widgets, i.e. third-party snippets of code, can run on any page and not conflict with the existing code.

It's part of the Web Components technology, which is in the early stages. Web Components aims to make it possible for developers to create stand-alone pieces of code that can do much more than what's possible today with CSS and external JavaScript libraries.

The Shadow DOM makes it possible to "run" widget code in a separate DOM from the one used by the document being displayed. There's still plenty to do before Web Components is ready, but Google has submitted a test suite to the W3C for Shadow DOM.

Web Speech API, IndexedDB, dev tools

There's more under the hood of Chrome 25. Support for the JavaScript Web Speech API makes it possible to add speech-to-text and text-to-speech features to web pages.

The IndexedDB implementation now supports concurrent transactions, which should speed things up in some cases but can cause problems for older apps that have been built to rely on strictly sequential transactions.

In the dev tools, there's now a console.clear() command which does exactly what you think it does. The icons in the top toolbar have been removed, for a cleaner look and less wasted space, though they can be re-enabled in the settings if the new toolbar looks strange to you.
