API Deprecations and Removals in Chrome 55
In nearly every version of Chrome, we see a significant number of updates and improvements to the product, its performance, and also capabilities of the Web Platform. This article describes the deprecations and removals in Chrome 55, which is in beta as of October 21. This list is subject to change at any time.
Resources with non-script MIME types can no longer be executed
Previous versions of Chrome allowed content to with several non-script MIME types to be executed as script. In addition to the obvious security vulnerability, this problem also reduces the value of content security policy settings like script-src 'self'
.
For example, a site might lock down same-origin JavaScript, yet still allow users to upload images that are served from that origin. Malicious users might upload JavaScript embedded within a specially-crafted image file, and that JavaScript had the potential to be served from that origin and executed. As of Chrome 55 will no longer execute content loaded with the following MIME types:
audio/*
image/*
video/*
text/csv
Intent to Remove| Chromestatus Tracker | Chromium Bug
Remove SVGSVGElement.viewPort
The implementation of SVGSVGElement.viewPort
has not worked in Chrome since 2012. The attribute is not present at all in other browsers and it has been removed from the specification. For these reasons the property was deprecated in Chrome 54 and has now been removed.