Google Patches 30 Chrome Bugs, Adds Instant Pages

JohnBert writes "Google patched 30 vulnerabilities in Chrome, paying out the third-highest bounty total ever for the bugs that outsiders filed with its security team. The company packaged the patches with an update to Chrome 13, adding Instant Pages to the 'stable' channel of the browser. The feature, which Google earlier tucked into Chrome 13 previews, proactively pre-loads some search results to speed up browsing. Google last upgraded Chrome's stable build in early June. Like Mozilla, which this year shifted to a rapid-release schedule, Google produces an update about every six-to-eight weeks. Fourteen of the 30 vulnerabilities patched were rated 'high,' the second-most-serious ranking in Google's four-step scoring system, while nine were pegged 'medium' and the remaining seven were labeled 'low.'"

Instant Pages?

[OverlordQ]

I thought this was called link prefetching.

Re:Instant Pages?

[i+kan+reed]

Yep, I remember when Firefox removed this feature because it was only really useful to 56k users.

Re:Instant Pages?

[rbrausse]

coming to you soon: Google Instant Pages(tm).

the last trademark owner abandoned the poor little expression :)

Re:Instant Pages?

[Bloodwine77]

I added a simple check to my scripts long ago that detected Firefox prefetching and thew a HTTP 403 Forbidden status with a "Prefetching not permitted" message. It was straightforward to detect and block.

Hopefully Chrome either makes it easy to detect and block, or at least easy to detect.

Re:Instant Pages?

I seem to recall an antivirus software (AVG I think) doing something similar (prefetching and scanning for viruses on search results) and it caused havoc for webmasters.

Re:Instant Pages?

[alendit]

As far as i understood, Instant Pages not only prefetch the top-hit in your search, but also renders the page in background. Didn't find any original anouncement from google, but here you can read some more about it http://www.ecreativeim.com/blog/2011/06/google-announces-chrome-only-instant-pages/ .

Re:Instant Pages?

[tapo]

The difference is in implementation. Link prefetching was already supported in Chrome (and Firefox), which fetches the page in the background and stores the results in cache. Chrome 13 goes a step farther, actually prerendering the page in the background if requested (including running Javascript).

Implementation details are here: http://code.google.com/chrome/whitepapers/prerender.html

Re:Instant Pages?

I added a simple check to my scripts long ago that detected Firefox prefetching and thew a HTTP 403 Forbidden status with a "Prefetching not permitted" message. It was straightforward to detect and block.

Hopefully Chrome either makes it easy to detect and block, or at least easy to detect.

Sites must opt-in by changing their HTML. Users can disable it for their browser by unchecking "Predict network actions to improve page load performance" in Settings.

Re:Instant Pages?

[Bloodwine77]

I did some Googling and apparently Chrome will send the following header when prefetching:

X-Purpose: instant

http://www.google.com/chrome/intl/en/webmasters-faq.html#instant

So it looks like it will be easy for me to block just as I have blocked Firefox prefetches.

Re:Instant Pages?

[HarrySquatter]

Chrome 13 goes a step farther, actually prerendering the page in the background if requested (including running Javascript).

Better hope that it's not a malware page or something trying to use an XSS exploit. Be exploited before you even clicked the link! Brilliant!

Re:Instant Pages?

[obergfellja]

shouldn't the Google analytics and other website analytics force this idea to be a "bot" read since there wasn't an official delivery rendered by end user but done by prefetching?

Re:Instant Pages?

[cyfer2000]

Does this feature draw juice from my notebook batteries?

Re:Instant Pages?

[TheRaven64]

Think of a site like the New York Times, which allows you to read n stories for free, and then bounces you to the paywall. If they allow prefetching, then people who use Chrome either always get the stories for free, or they get stories that show up in their search results - but which they don't actually read - counting towards the total. Other sites that change some global state when real humans look at them may do the same thing.

Re:Instant Pages?

[Anonymous+Brave+Guy]

Because bandwidth costs money, in a nutshell. There's no point spending that money to provide a page the user may never see.

The same argument applies in reverse. We don't all have effectively unlimited broadband caps, and I will not thank Google if it starts randomly downloading pages with accompanying multimedia content to use up mine.

(My sites show up plenty fast enough on demand for my visitors, and the only sites I use where speed is a real problem would be unlikely to benefit much from this feature since I'd have to log in first to see the real content anyway.)

Re:Instant Pages?

[Phaeilo]

I don't think your browser runs prefetched javascript. So Google Analytics won't be triggered.

Re:Instant Pages?

[Smauler]

I agree - this could be a very serious expoit route. Well meaning sites could easily be spammed with malware site links, and preloading links will completely fubar any sense of trust in that site. Pre-loading is diabolical anyway, for anyone who has a bandwidth cap, and uses it.

Re:Instant Pages?

[iceT]

Think of it as free hits to your website, without getting all those pesky customers...

I can see a couple issues

[Bloodwine77]

The first issue is this is going to play havoc with traffic analytics and tracking. I'm sure Google Analytics will handle Chrome's Instant Pages just fine, but everybody else will have to figure out how to ignore Chrome pre-loads. I did some searching and they are adding a Visibility API to Chrome to allow authors of other traffic reporting packages to handle the difference. Hopefully the Visibility will be pretty straightforward and not require a lot of extra work.

The other issue is that this is going to eat up more hosting bandwidth. Popular websites that appear near the top are going to incur bandwidth usage that may never actually be actively used by the potential visitor.

Re:I can see a couple issues

The first issue is this is going to play havoc with traffic analytics and tracking.

Good. If information about my browsing habits starts to become unusable then perhaps they will stop tracking it.

Re:I can see a couple issues

[bberens]

The prefetching mechanism passes a special header so anyone in the analytics business will know to ignore those requests.

Re:I can see a couple issues

[TheRaven64]

Unfortunately, you don't always want to ignore them. The browser will fetch the page and prerender it. It may or may not then display it. You want to ignore the cases where it doesn't display it, but you don't count the cases where it does. Does it send another request to the server saying 'okay, actually displaying the page now'? If not, then this is going to cause problems for Google's accounting for adverts. My cynical guess is that the fix will be to count prefetch pages when charging advertisers, but not count them when paying pages that show advertising.

Re:I can see a couple issues

[Anonymous+Brave+Guy]

If information about my browsing habits starts to become unusable then perhaps they will stop tracking it.

I'm about as pro-privacy as they come on this issue, but even I don't mind a web site doing analytics within its own domain to see which types of content are most popular so they can be prioritised, optimise navigation based on users actual needs, etc. It's the cross-site/cross-visit tracking that is creepy, IMHO, particularly if associated with any other data previously known only to some of those sites.

Does instant pages pump up the hit count?

[bareman]

If the browser starts preloading high ranked pages that I'm not interested in, and do not click on, doesn't that falsely inflate usage statistics on those sites?

Re:Does instant pages pump up the hit count?

[Bloodwine77]

It looks like they are going to try to address that with the upcoming Visibility API:

http://code.google.com/chrome/whitepapers/pagevisibility.html

However, it seems to be JavaScript based which, at least to me, is not a desirable way to determine whether or not the page is being pre-loaded.

At least Firefox sent a "X-moz: prefetch" header which I used to ignore the traffic on those requests.

Re:Does instant pages pump up the hit count?

[bhcompy]

So because I only enable javascript when I want to they'll never know I was viewing the page?

Re:Does instant pages pump up the hit count?

[JiveDonut]

Yes it does. I have a a very low traffic blog so I can see the results easily. Doing a search where my posts come up in the first page of results causes each page to register two pageviews in the blogger stats for each one.

Re:Does instant pages pump up the hit count?

[bberens]

Chrome has a similar header

Re:Does instant pages pump up the hit count?

[SmilingBoy]

Doing a search where my posts come up in the first page of results causes each page to register two pageviews in the blogger stats for each one.

Why two?

search, go to jail

[box4831]

proactively pre-loads some search results to speed up browsing

God help you if you search for 'child pore cleansing products' with google instant search turned on~

Re:search, go to jail

[IAmGarethAdams]

Well, after you type the 'r' in 'pore', Google will stop showing you any Instant search results

Re:search, go to jail

[MrHanky]

But that's only because they forward your search to the FBI, who doesn't have a public search engine.

Re:search, go to jail

[bberens]

Adult material does not show up in the instant search results.

Re:you know what speeds up my browsing

[geekoid]

Then turn it off.

Sheesh.

Caps?

Won't this help you burn through your usage caps in the background?

Re:Caps?

[Calos]

What are caps for most people these days? Usually I see 150-250 GB; once, I've encountered 50 GB, so I sent them a letter letting them know I wouldn't be purchasing their service and told them who I was going with and why.

Seems like a few extra pageloads would be insignificant. If you query Google 20 times a day, and as a result, incur 5*20=100 extra pageloads... how big is a page? Loading the /. homepage, I use 519 KB. Ars Technica: 868 KB. Facebook: 417 KB. CNN: 889 KB. And this is assuming no content is cached; if I don't force a refresh of everything on the page, I use 1/4 or less of these amounts.

So if we're generous, we'll call it 1 MB/page * 100 pages/day * 31 days/month = and additional ~3 GB. So, and extra couple percent, for what I've seen from most ISPs in the States, and maybe as high as 6% - of course dependent on the number of searches one makes.

But this isn't anything new. Prefetching has been around for some time. This new feature just takes the additional step of rendering the prefetched pages, instead of waiting to render if the user decides to go there. The "damage" of prefetching could very well be already factored in to your current usage.

Re:Caps?

[Calos]

Oh, I should add: I use a script blocking extension as well as Privoxy. Because I do use the tested sites somewhat, chances are some of the scripts are enabled, but Privoxy will crunch ads and certain scripts anyway, and I have it set up to block any kind of Facebook Open Graph stuff, as well as Share This On (Digg|Twitter|Facebook|Reddit) things, and other random things. So, the 1 MB/page may not be quite so generous, but probably not far off the mark.

On the other hand, it very well could be that the people most likely to run into cap limitations are the types who know their way around the computer well enough to install, say, Adblock Plus.

Re:you know what speeds up my browsing

[bhcompy]

You can disable instant searching(for now)

Re:you know what speeds up my browsing

[Osgeld]

then it pops up on the next computer I use, maybe I want to delete cookies then I have to constantly turn of the fucker, what If I am one of those people who clear cookies every time my browser closed

  Sheesh they can handle my documents just fine, I am almost always signed in MAKE IT AN ACCOUNT SETTING, its not that fucking hard, but NO they want to shove it down your throat so its inconvienent to not use it

Print Preview - Finally!

[bogaboga]

While I appreciate this new print preview functionality, I am not impressed that:

• first, it took so long and
• second, that even the delivered functionality pales in comparison with its Firefox counterpart.

This is what I mean: I would like to adjust margins on the fly as I can do with Firefox.

Re:Print Preview - Finally!

[kripkenstein]

While I appreciate this new print preview functionality, I am not impressed that:

• first, it took so long and
• second, that even the delivered functionality pales in comparison with its Firefox counterpart.

This is what I mean: I would like to adjust margins on the fly as I can do with Firefox.

What I find more annoying about the new print preview is that it isn't open source. It is in Chrome but not Chromium.

Re:you know what speeds up my browsing

[Osgeld]

I am just going to copy paste this since everyone in slashdot just accepts whatever "features" they want to shove down our thoats and I dont feel like typing it out for a dozen sheep

"then it pops up on the next computer I use, maybe I want to delete cookies then I have to constantly turn of the fucker, what If I am one of those people who clear cookies every time my browser closed

    Sheesh they can handle my documents just fine, I am almost always signed in MAKE IT AN ACCOUNT SETTING, its not that fucking hard, but NO they want to shove it down your throat so its inconvenient to not use it"

Re:you know what speeds up my browsing

[Osgeld]

I am just going to copy paste this since everyone in slashdot just accepts whatever "features" they want to shove down our thoats and I dont feel like typing it out for a dozen sheep

"then it pops up on the next computer I use, maybe I want to delete cookies then I have to constantly turn of the fucker, what If I am one of those people who clear cookies every time my browser closed

        Sheesh they can handle my documents just fine, I am almost always signed in MAKE IT AN ACCOUNT SETTING, its not that fucking hard, but NO they want to shove it down your throat so its inconvenient to not use it"

Re:you know what speeds up my browsing

[Archangel+Michael]

So, what you're saying is that when you're searching for porn and it is recommending non-porn search terms, it isn't helpful? ;)

Re:THIRTY vulnerabilities?

[NevarMore]

Good Lord! Did Google hire away the IE guys from Microsoft or something?

No. If they did the vulns wouldn't be getting patched.

Who cares?

[gweihir]

Seriously, this is patchnotes or changelog entries, but not "News".

Re:Who cares?

[Atzanteol]

You're at the wrong site. You want http://www.cnn.com./ I can completely understand how you mis-typed that and ended up here by accident.

Pre-fetching requires PERFECT security...

[MadCow42]

For most users the intuition of "don't click on that link" is the last layer of security between the wild west of the Internet and your computer. Prefetching breaks that barrier, and potentially exposes you to any malware writer that's capable enough and determined enough to get their infected (or pwnd) website into the top search results.

Sorry... although Chrome is decent and maybe more secure than other browsers, until they can promise PERFECT security I don't want to take that chance.

That'll never happen.

If I can survive this far on my company-mandated, outdated IE browser without getting pwnd myself (yet), I think that last layer of security may be the most important one of all.

Re:Pre-fetching requires PERFECT security...

[hansamurai]

First time I encountered nastiness from pre-fetching was from using Stumbleupon. It would pre-fetch the next stumble (this can thankfully be disabled, though it should be noted you would have stumbled to it either way), so I would get a Noscript warning on like a Youtube or Wikipedia page, bit bizarre. Only until I stumbled again and actually landed on the page in question would things become clearer.

Re:Pre-fetching requires PERFECT security...

[dn15]

That's a good point. But... to be the devil's advocate, all that it's doing is pre-loading stuff into cache, right? If that's true, then it seems like it should only be able to do something if you actually click on that page. Is the end result really any different from a security standpoint?

Re:Pre-fetching requires PERFECT security...

[smash]

Not quite. Pre-fetching doesn't need perfect security, but pre-rendering certainly does. Which is what they're implementing....

I'll be turning it off...

Re:Pre-fetching requires PERFECT security...

[Bloodwine77]

Google Instant Pages sounds like it will be rendering the entire page, including images and other external resources. I wouldn't be surprised if it also executed JavaScript, fetched embedded iframes, and anything else that the page would normally do if you clicked on that link. I wonder if it would even follow redirections?

What is to stop a malevolent webmaster from performing redirects to nasty trojan or malware-infected pages if it detects the page is being pre-rendered? If that page contains flash objects, java apps, or other attack vectors on it, I'd think you'd be just as at risk as if you actually visited the site directly.

I could be wrong, though. I haven't thoroughly researched Google Instant Pages, but from what little I've found it seems it will be performing a full page render in anticipation of you clicking on the link to the page.

Re:Pre-fetching requires PERFECT security...

[SmilingBoy]

Don't really see the difference. All this can be done today already after someone clicks on the link. And if it is the first Google result, the likelihood is very high that many people will click on it.

Re:Pre-fetching requires PERFECT security...

[gstrickler]

You can disable (as I have) the prefetch in Chrome 13. Visit chrome://settings/advanced and deselect "Predict network actions to improve page load performance".

Due to security, tracking, bandwidth usage, etc. concerns, it's just a bad idea for 95+% of the population. If you have metered performance, it wastes your bandwidth and/or costs you money. If you have a high speed link, the time savings are marginal. If the site has malware, you could get infected, possibly without even clicking the link. If it's a porn site, the URL, pics, and text might appear in your cache or history, which could cause you some marital or legal problems. The site may create cookies on your machine, possibly even an ever-cookie. If the site uses Flash or Flash based ads, it may use additional CPU and reduce your battery life on mobile devices. Does it even help if you're in the habit of opening links in a new tab/window (probably, but I don't know)? What if the site pops up other windows (popup or popunder), will those execute (I suspect not, but again I don't know)? I'm sure I've missed a number of other concerns.

Re:Pre-fetching requires PERFECT security...

[MadCow42]

Hmmm... that's hardly re-assuring.

>> "We've thought hard about this issue, and we don't believe there is any additional risk to users," a Google spokesman explained.

"Sites marked as potentially harmful by our Safe Browsing technology will not be pre-rendered, nor will sites that Chrome detects as suspicious. We also exclude sites with SSL certificate issues and those that try to download files or display popup alerts."

Google added that search engine poisoning to promote scareware sites and the like is an industry-wide problem. ®

So... the way I read this is that if an infected site is pre-fetched (pre loaded, pre-rendered, or whatnot), then YES it could harm your computer. But, we're supposed to trust that their browser is smart enough to know a trustworthy site from an untrusty one, and only prefetch "safe" sites.

That's all well and good until a "safe" site (that I would never actually visit anyway) is hacked. But that's NEVER happened before, right? Not.

Re:Pre-fetching requires PERFECT security...

[utkonos]

I can see how this feature can expose you to security problems. However, it can also provide a measure of performance increase. So, why not let users have their cake and eat it too. Allow users to enable/disable it on a per URL basis in the same way that Javascript, cookies, plug-ins, etc. are. As long as there is fine grained control over the feature, I see no problem.

I wouldn't mind enabling the pre-fetch feature on sites that I trust and use often, and have it disabled by default. I use chrome's settings to whitelist Javascript etc just this very way.

Re:Still No MRU Tabs

[BlueMikey]

Why do you care if this is built in to Chrome? There are extensions that add this behavior.

Re:you know what speeds up my browsing

[Atzanteol]

You're always signed in, yet clearing cookies and using other people's browsers?

Still waiting for split view on Mac Chrome.

[Shag]

BlogSpot loves showing me ads for Chrome, saying I can drag one tab to the right, and get a split-screen view.

Be nice if it actually started working in Chrome for Mac, someday.

Re:Still waiting for split view on Mac Chrome.

[Sits]

There is a rumour that this is a "Chrome on Windows 7" feature (see http://www.youtube.com/watch?v=YAEN_BDR6ao for a video of the feature). You can apparently get extensions that offer something close but not quite the same. For what it's worth the split view feature seems to be broken if you have your tabs down the left hand side in Chrome...

Re:you know what speeds up my browsing

[doti]

I don't see this because I never use the google.com search page, I use quicksearch instead (Firefox feature since 0.x days).

Re:Still No MRU Tabs

[HarrySquatter]

Because one shouldn't need to install an extension for such a basic feature?

Re:you know what speeds up my browsing

[Calos]

You must type really slow or something.

In my experience, it only manages to fire off one or two DNS queries before I hit enter, much less load a page. When I am stuck - usually when I'm using it to search my history or the name of a site I can't quite remember - it's always seemed very helpful.

IMHO and YMMV and all that, but for the sake of your health, take a deep breath and calm down :)

Re:Still No MRU Tabs

[BlueMikey]

That's not a reason to not use the browser though. If Chrome is superior except for one feature that can be fixed by an extension that takes 30 seconds to install once at the same time you install the browser, that's a really stupid reason to avoid the browser. Trying to add every single feature that every single person wants (and I don't consider this to be a necessary feature, especially considering there are better ways to switch tabs) just leads to a bloated browser, which Google wanted to avoid.

If you could buy a really great, affordable car, and the car's only downside was crummy factory tires, you buy the car and you put on some tires of your own choosing. You don't go buy a crappy car just because it has nice tires.

Terrifying

[ThatsNotPudding]

proactively pre-loads some search results to speed up browsing.

Better hope your skeezy uncle wasn't using your computer when the party van shows up.

Bookmark Pane

[emgarf]

Another Chrome version, another failure to provide an option for a persistent bookmark sidebar/pane. Sigh.

Re:you know what speeds up my browsing

[Osgeld]

um yea firefox just decides to do it once in a while, and 2 its not other peoples, its my computers at home and at work

Re:you know what speeds up my browsing

[Osgeld]

no, like when I was going to look for a specific electronics part and it brings up doggies, yes google perfect I have never searched for doggies in my entire life but I am constantly ordering diodes, thank you for your great service, it makes goggling for something with my laptop impossible

and yet I have to google "something" just to have the option of shutting it off

Re:you know what speeds up my browsing

[TheRaven64]

Only if you allow google to place a tracking cookie on your system. Contrast this with how DuckDuckGo handles preferences: the cookie that you set contains a string with one flag for each preference setting, and can be added to the URL if you don't want a cookie. If two users have the same preferences, then they have the same cookie / preferences string, and so can't be tracked based on the cookie.

WTF? I need to upgrade my OS to run Chrome 13?

[xanthos]

Fired up chrome this morning on my linux box and it happily told me that I was running an obsolete OS and needed to upgrade.

I run a highly modified version of debian 5.x on that box that I 'm not going to mess with for the sake of running chrome 13.

Time to turn off the automated update check I guess.

Re:"Instant"

[gstrickler]

You can disable it.

Old news...

[TheBrutalTruth]

Cr-48, dev channel. Or try the Chrome dev channel. Old features guys...

How much are you saving?

[Crag]

Do you log details of blocked pre-fetches? Do you have data on what portion of blocked pre-fetches were then followed by real visitors? You say "My sites show up plenty fast enough on demand for my visitors, ..." but does that apply well to heavily bandwidth-constrained users? Modems may be old-fashioned, but mobile and wireless users still frequently get poor network performance. Do you have data on how fast all of your visitors download your pages?

You may well have done all the analysis and come up with the best cost-vs-benefit balanced solution, but I would worry about premature optimization in a situation like this. Pre-fetching doesn't exist at random. It solves a real problem and your defeating of the mechanism has real costs which are less obvious to you than they are to some of your visitors.

If you have done this analysis, it would make an interesting read and you should submit it as a /. story.

Re:How much are you saving?

[Anonymous+Brave+Guy]

I'm a contractor, so I've worked on quite a few projects within a relatively short space of time. Few of them block prefetching techniques in practice as far as I know, but several of them keep quite careful metrics about user download performance, particularly those serving multimedia content of one kind or another, and they are certainly healthy enough for their intended user bases without prefetching.

I'm not arguing that prefetching should always be disabled, BTW, just pointing out a possible reason why some content providers might choose to do so. This is an industry where big players literally remove all of the unnecessary spaces from their HTML files or serve "broken" content with missing closing tags, because a small reduction in file sizes multiplied by a large number of visitors can still equal a significant amount of extra hardware and/or bandwidth you don't have to pay for.

Obviously that sort of argument doesn't apply to most smaller sites, but then I guess most smaller sites wouldn't know or care about blocking prefetching either.

Re:WTF? I need to upgrade my OS to run Chrome 13?

[Zan+Lynx]

It's Debian. It's obsolete when it's released.

Version number sanity?

[kripkenstein]

90 comments so far, and none of the top ones are bashing Google for Chrome's new version number. Have we finally moved past bashing Chrome and Firefox for increasing the major version number every 6 weeks? Please let it be so :)

Re:Version number sanity?

[njahnke]

all things are relative.

IE is more intuitive

[jweller13]

I don't care for chrome. I find chrome very unintuitive. I find IE and to a lesser degree FireFox much more intuitive. I use chrome when I want to view videos because it seems faster but otherwise not so much.

Re:you know what speeds up my browsing

[Archangel+Michael]

Just tried typing DIode into google. Not a single DOggie reference as I typed. In fact ....

D ... Dictionary.reference.com (and several other such)
I. ... Dictionary.reference.com (no change)
O ... Diocese and a bunch of Catholic sites.
D ... Diodes .... wikipedia entry on top.