Saturday, December 4, 2010

[Gd] Stable, Beta Channel Updates

Google Chrome Releases: Stable, Beta Channel Updates

The Chrome team is happy to announce our latest Stable release, 8.0.552.215. In addition to the over 800 bug fixes and stability improvements, Chrome 8 now contains a built-in PDF viewer that is secured in Chrome’s sandbox. As always, it also contains our latest security fixes, listed below. This release will also be posted to the Beta Channel.

Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
  • [17655] Low Possible pop-up blocker bypass. Credit to Google Chrome Security Team (SkyLined).
  • [55745] Medium Cross-origin video theft with canvas. Credit to Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
  • [56237] Low Browser crash with HTML5 databases. Credit to Google Chrome Security Team (Inferno).
  • [58319] Low Prevent excessive file dialogs, possibly leading to browser crash. Credit to Cezary Tomczak (
  • [$500] [59554] High Use after free in history handling. Credit to Stefan Troger.
  • [Linux / Mac] [59817] Medium Make sure the “dangerous file types” list is up to date with the Windows platforms. Credit to Billy Rios of the Google Security Team.
  • [61701] Low Browser crash with HTTP proxy authentication. Credit to Mohammed Bouhlel.
  • [61653] Medium Out-of-bounds read regression in WebM video support. Credit to Google Chrome Security Team (Chris Evans), based on earlier testcases from Mozilla and Microsoft (MSVR).
  • [$1000] [62127] High Crash due to bad indexing with malformed video. Credit to miaubiz.
  • [62168] Medium Possible browser memory corruption via malicious privileged extension. Credit to kuzzcc.
  • [$1000] [62401] High Use after free with SVG animations. Credit to Sławomir Błażek.
  • [$500] [63051] Medium Use after free in mouse dragging event handling. Credit to kuzzcc.
  • [$1000] [63444] High Double free in XPath handling. Credit to Yang Dingning from NCNIPC, Graduate University of Chinese Academy of Sciences.
We would like to offer special thanks -- and a number of rewards -- to Aki Helin of OUSPG for his extensive help with the new PDF feature. We’d also like to extend thanks to Sergey Glazunov and Marc Schoenefeld for finding bugs during the development cycle such that they never reached a stable build.

Full details about the changes are available in the SVN revision log. If you find new issues, please let us know by filing a bug. Want to change to another Chrome release channel? Find out how.

Jason Kersey
Google Chrome

[Gd] Dev Channel Update

Google Chrome Releases: Dev Channel Update

The Dev channel has been updated to 9.0.597.0 for Windows, Mac, Linux, and Chrome Frame.

  • Ongoing work on IndexDB and GPU
  • Tweaks/Fixes to Google Chrome Instant
  • Extensions/Apps work
  • Autofill related fixes
Known Issues
  • Page becomes unresponsive when trying to play video - Issue 65772
  • Certain HTML5 sites fail to load due to a compositor issue - Issue 64722
More details about additional changes are available in the svn log of all revisions.

You can find out about getting on the Dev channel here:

If you find new issues, please let us know by filing a bug at

Anthony Laforge
Google Chrome

Friday, December 3, 2010

[Gd] Rolling out a sandbox for Adobe Flash Player

Chromium Blog: Rolling out a sandbox for Adobe Flash Player

Since this past March, we’ve been working closely with Adobe to allow Flash Player to take advantage of new sandboxing technology in Chrome, extending the work we’ve already done with sandboxing for HTML rendering and JavaScript execution. This week, we’re excited to roll out the initial Flash Player sandbox for our dev channel users on Windows XP, Vista and 7.

This initial Flash Player sandbox is an important milestone in making Chrome even safer. In particular, users of Windows XP will see a major security benefit, as Chrome is currently the only browser on the XP platform that runs Flash Player in a sandbox. This first iteration of Chrome’s Flash Player sandbox for all Windows platforms uses a modified version of Chrome’s existing sandbox technology that protects certain sensitive resources from being accessed by malicious code, while allowing applications to use less sensitive ones. This implementation is a significant first step in further reducing the potential attack surface of the browser and protecting users against common malware.

While we’ve laid a tremendous amount of groundwork in this initial sandbox, there’s still more work to be done. We’re working to improve protection against additional attack vectors, and will be using this initial effort to provide fully sandboxed implementations of the Flash Player on all platforms.

We’ll be posting updates as we continue working with Adobe to add new security improvements to the Flash Player sandbox. For those of you on the dev channel for Windows, you’ll be automatically updated soon, and we look forward to your feedback as you test it out. If you prefer to disable this initial sandbox in your Chrome dev experience, add --disable-flash-sandbox to the command line.

Posted by Justin Schuh and Carlos Pizano, Software Engineers

Thursday, December 2, 2010

[Gd] Happy Holidays from the App Engine team - 1.4.0 SDK released

Google App Engine Blog: Happy Holidays from the App Engine team - 1.4.0 SDK released

App Engine version 1.4.0 is here! It’s our most significant release of the year for the App Engine SDK, including a number of very big features that we know developers have been eagerly awaiting:

  • The Channel API - A bi-directional channel for communicating directly with user browsers by pushing notifications directly to the JavaScript running on the client, eliminating the need for polling. This service makes it easy to build real-time applications such as multi-player games, chat rooms, or any collaboration centric app and is built on the same Google infrastructure that powers Google Talk.

  • Always On - For high-priority applications with low or variable traffic, you can now reserve instances via App Engine's Always On feature. Always On is a premium feature costing $9 per month which reserves three instances of your application, never turning them off, even if the application has no traffic. This mitigates the impact of loading requests on applications that have small or variable amounts of traffic.

Screenshot of the Instances page in the App Engine Admin Console with Always On enabled.
  • Warm Up Requests - This feature reduces time to serve requests by anticipating the need for more instances and loading them before user traffic is sent to the new instance. It can be enabled for all applications through app.yaml or appengine-web.xml and is enabled by default for applications that have purchased Always On. Once enabled, warm up requests will be sent whenever possible to load new instances of your application before it begins serving user traffic.

As well, we’ve spent a lot of time this release on reducing or removing the limitations of some of App Engine’s existing APIs:

  • No more 30-second limit for background work - With this release, we’ve significantly raised this limit for offline requests from Task Queue and Cron: you can now run for up to 10 minutes without interruption.

  • Increased API Call Size Limits - A new API architecture has allowed us to start lifting the 1MB size limits on many of the App Engine APIs. To start, the following APIs have been changed:

    • Response size limits for URLFetch have been raised from 1MB to 32MB.

    • Memcache batch get/put can now also do up to 32MB requests.

    • Image API requests and response size limits have been raised from 1MB to 32MB.

    • Mail API outgoing attachments have been increased from 1MB to 10MB.

As you can imagine, some of these changes drastically expand the scope of applications that can be easily built using App Engine so download the SDK while it’s hot!

Keep an eye out for more blog posts on how you can take advantage of the new features to build your apps very soon. And we’ve got a few more big features coming very soon, such as a High Replication Datastore, so keep an eye on the App Engine roadmap and stay tuned.

Posted by The App Engine Team

[Gd] Web fonts go mobile

Google Web Fonts: Web fonts go mobile

Google Fonts now work for the vast majority of mobile devices, including Android 2.2+ devices, iPhone and iPad! And now with the recent release of iOS 4.2, even non-Latin scripts like Greek will render beautifully on the iPad and iPhone.

One of the biggest benefits of using the Google Font API is that the service removes the nuances involved with rendering web fonts correctly across all devices and platforms. As a user, you can simply choose which font you'd like, and Google will take care of the rest.

Want a peek behind the curtain? When a request for a web font comes into our servers, we detect the browser and device, and serve the font file format that works best on that device. For example, for older versions of iOS, which don't support the TrueType font format, we convert the font vectors into SVG format. Obviously, this is not something you'd want to do manually for each device your users are on.

We think that with this increased mobile coverage for web fonts, we'll increase the value of Google Web Fonts while maintaining the incredible simplicity our users love.

Posted by David Wurtz, Product Manager, Google Fonts

Wednesday, December 1, 2010

[Gd] Accelerating YouTube Playback

YouTube API Blog: Accelerating YouTube Playback

The YouTube Players team’s goal is to make sure that watching videos online is as enjoyable an experience as possible. As a viewer, maximizing enjoyment usually involves some tradeoffs: sure, you can watch a 1080p high definition version of the newest movie trailer, but that might mean choppy playback as your computer strains to keep up with the more demanding processing required. We wanted to let you know about some changes we’re making to help minimize those tradeoffs, so that you can watch smoother, higher-quality video from your existing devices.

Adobe’s recently announced Flash Player 10.2 beta release supports a new, more efficient video display mechanism known as the Stage Video API. The full details of how and why Stage Video speeds up video display can be found in Adobe’s technical documentation. The Players Team will be gradually experimenting with Stage Video playbacks on in the coming weeks, but as a developer using the ActionScript 3 Player APIs, you can enable Stage Video playback for your embedded video right away; simply add the wmode=direct parameter to the player URL that you’re using to reference the YouTube video. You’ll need the Flash Player 10.2 beta installed to take advantage of the accelerated playback, but playbacks will work for users with older Flash Player versions as well.

The Players Team knows that Stage Video for Flash playbacks is just one path to take toward improving video playback performance across the web. For example, YouTube playbacks using the new <iframe> embeds will automatically benefit as more and more modern browsers add hardware acceleration for the native HTML5 <video> element.

-Jeff Posnick, on behalf of the YouTube Players team

[Gd] More bang for your testing buck

Google Testing Blog: More bang for your testing buck

By James Whittaker

I am giving a webinar for uTest that may be of interest to some of you. Date: Friday Dec 10 at 8am PST. I tend to be pretty grouchy about that time of the morning and I have some pretty exhausting plans for the evening before so it might be extra fun.

Here's the link to register:

And here's the abstract:

"If you were going to invest more money in testing, where would you place those bets? Testing early in the cycle? Automation? Manual testing? Better requirements and planning? Better documentation? Torture devices for your devs? James Whittaker takes a critical look at such an investment and draws some very counterintuitive conclusions about maximizing such an investment. He then outlines a set of tools and practices that will help maximize the overall investment and make testing a happier place."

[Gd] HTML5 Games, Jammed

Google Code Blog: HTML5 Games, Jammed

Last month, more than 50 developers assembled in Hilversum, Netherlands, and San Francisco, California for an HTML5 game jam.

The idea of HTML5 gaming may seem unusual, but if the results from this event are anything to go by, there will be plenty more HTML5 games in the future. In just over 24 hours of coding, attendees were able to produce the seeds of great games, powered by standard web technologies. The games we saw were novel, visually appealing, and in many cases, already very playable.

HTML5 is making it easy to develop games for standard web browsers, and it also provides a way for developers to reach mobiles and tablets with a single code base. Watch for other initiatives, like Mozilla's current HTML5 gaming competition, to take HTML5 gaming to the next level.

Here’s a look at the winners from both venues. You can see a detailed list of all the entries here.

First Place, San Francisco: Ninja Leap

A novel 8-bit style game where you “leap” over the bad guys. A good demo of the Canvas element and a complete game with levels and scoring. Congratulations David Ganzhorn and Mike Rotondo on winning the HTML5 Game Jam in the USA.

First Place, Hilversum: Monkey Fortress

A puzzle game where you build a fortress to protect the monkey, demonstrating a physics engine in Canvas. Congratulations Tom Hastjarjanto on winning the HTML5 Game Jam in Europe.

Second Place, San Francisco: Shell Shock

A platform shooter involving turtle-like creatures on wheels, using Canvas. By Wolff Dobson, Charles Lee, Nicolas Coderre, Dan Fessler, Sara Asher. (No online demo at present.)

Second Place, Hilversum: Snakes

A refresh on the classic “Snake” game, demonstrating multiplayer powered by NodeJS and WebSocket, and 3D transforms of the canvas element. By David Durman & Ales Sturala. (No online demo at present, but code repository available.)

Third Place, San Francisco: Fruit Link

A casual puzzle game by Bruno Garcia, where you link up adjacent matching fruit.

Third Place, Hilversum: Enterprise

A stunning 3D game inspired by the classic Syndicate series showcasing just how far we’ve come with Canvas-based graphics. Observe the collision detection and be sure to hit the “Flying Carpet” button as well as the space bar to fire! This game was also shown in the “Web or Native for Mobile Development?” session at the recent Google Developer Days conferences in Europe. Created by Kornel Lesinski, Peter van der Zee, and Edwin Martin.

A few other readily playable games you might enjoy are:

We were also honoured to have keynotes by two pioneers of web-based gaming. In Hilversum, the speaker was Tino Zijdel, creator of DHTML Lemmings back in 2004. Tino, coincidentally a Hilversum local, explained the tricks he used to make the game playable on the browsers of the day. He has subsequently written his account of the Game Jam. It’s in Dutch, so here’s an English translation. There were additional presentations from Yu Jianrong, who covered ten tips for HTML5 Game Development, and Paul Irish on HTML5.

The San Francisco keynote, on games and HTML5, was given by Marcin Wichary. Marcin is the creator of the Pac-Man doodle and also the first version of the popular HTML5Rocks slides. Marcin talked about his experiences in recreating Pac-Man and the timeless aspects of videogaming in the modern age, shared some behind-the-scenes trivia, and described the technology used to write the doodle and debug it.

We thank SPIL Games for hosting and co-organising the Netherlands event, and we also thank Samsung for contributing a Galaxy Tab for the Game Jam at that venue. Developers working on touch apps were able to use the Tab for testing, and we later gave the device away as a prize. Congratulations all who took part!

You can find more details about the event, including links to code repositories and further demos, at

By Michael Mahemoff, Chrome Developer Relations

Tuesday, November 30, 2010

[Gd] Google’s sample OpenID relying party site

Google Code Blog: Google’s sample OpenID relying party site

More and more websites are enhancing their login systems to include buttons for identity providers such as Google, Yahoo, Facebook, Twitter, Microsoft, etc. Users generally prefer this approach because it makes it easier for them to sign up for a new site that they visit. However, if a user already has an account at a website and is used to logging in with an email and password, it is hard to get them to switch to using an identity provider.

Google has recently released a sample site that shows how a website can migrate users away from password-based logins, and instead have them leverage an identity provider. This sample site incorporates many of the ideas of the Internet Identity community, as well as feedback from numerous websites that have been on the cutting edge of applying these techniques. The following video provides highlights of some elements of the user experience.

The sample site is at, but we suggest first reading this FAQ which describes the site and has links to additional videos of some of the features. We hope website developers will use these techniques to reduce the need for passwords on their site.

By Eric Sachs, Internet Identity Team