Saturday, June 16, 2012

[Gd] Fridaygram: Humanitarian hacking, Shenzhou 9, robot seeks Martians

Google Developers Blog: Fridaygram: Humanitarian hacking, Shenzhou 9, robot seeks Martians

By Ashleigh Rentz, Google Developers Blog Editor Emerita

The Googleplex is really buzzing this week with people furiously preparing for Google I/O!  As with any conference, there are physical limits on how many people can participate, so we’re striving to make the Google I/O Extended events around the world more interactive than just simple viewing parties.  Yesterday, we got to share the details of the Develop For Good hackathon contest sponsored by Google.org in conjunction with Google I/O Extended.

But this certainly isn’t the first time Google.org has engaged with developers to help make our planet a better place.  In fact, many Googlers recently participated in Random Hacks of Kindness Global, a twice-annual event where developers in 21+ cities around the world spark new ideas for making the world a better place through innovation and technology.  Among the many projects, one team in San Francisco worked on an algorithm for scanning textbooks and processing mathematical formulae in an accessible way for users with vision impairment.  Take some time this weekend to read the recaps and get inspired!

The Chinese space program may also make this an inspiring weekend when they attempt the country’s first manned docking mission, designated Shenzhou 9, and take off for the Tiangong 1 space laboratory on Saturday.  The attempt becomes even more inspiring since the three-person crew will include the first female Chinese astronaut.  We wish them godspeed.


Meanwhile, scientists at NASA in the United States are awaiting the arrival of a new Mars rover which will search for signs of life in a new way.  The rover, named Curiosity, is scheduled to land on the red planet in August, well ahead of any humans who might one day be en route.  Who can imagine what it might find there?



Even when Scott takes a well-deserved break, we bring you Fridaygram: a few items of Google and non-Google geekery to enjoy during the weekend. Ashleigh was our previous blog editor and now works behind the scenes on the Google Developers website. I write about space now; space is cool.
URL: http://googledevelopers.blogspot.com/2012/06/fridaygram-humanitarian-hacking.html

[Gd] Ads background colors in Custom Search

Google Custom Search: Ads background colors in Custom Search

As we continue to improve the look and feel of Google Custom Search Engine (CSE), today we’re announcing a change in how ads are displayed on CSE search results pages.

Currently ads in CSE results are shown in a separate section from organic search results labeled “Ads by Google”. With this latest change, the ads section will also have a distinct background color, in keeping with the visual style of ads on the google.com search results page.

Because CSE allows you to choose from one of several built-in styles, the ads background color is different for each style to contrast in a visually appealing way with the default background color. (Note that if you customize the main background color, the ads background color will automatically match it to avoid clashing.)

The following screenshots illustrate what a user performing a custom search on a website might see, for two of the built-in CSE styles.



This change in design provides users another way to distinguish ads in CSE search result pages.

CSE publishers will see these changes effective immediately. As always, please let us know any questions or feedback in our discussion forum.

Posted by MyLinh Yang, Product Manager
URL: http://googlecustomsearch.blogspot.com/2012/06/ads-background-colors-in-custom-search.html

Friday, June 15, 2012

[Gd] More Power to Google Apps Domain Administrators with Apps Script

Google Apps Developer Blog: More Power to Google Apps Domain Administrators with Apps Script

At the end of last year we launched the UserManager Apps Script service, allowing Google Apps domain administrators to write scripts to programmatically create, delete and edit their user accounts.

We are now extending the family of Domain services with two new additions: NicknameManager and GroupsManager.

The NicknameManager service allows domain administrators to define alternate email addresses (i.e. “nicknames”) with a single line of code, as in the following example:


var nickname = NicknameManager.createNickname("user", "nick");

With the GroupsManager service, Google Apps domain administrators can create and delete groups, and manage their members and owners. The following example shows how to list all members of a group given its unique groupId:


function listMembers(groupId) {
  var members = GroupsManager.getGroup(groupId).getAllMembers();
  for (var i in members) {
    var member = members[i];
    Logger.log(i + ": " + member);
  }
}

With the same service, one line of code is enough to add a member to a group:


GroupsManager.getGroup(groupId).addMember(memberId);

If you want to know more about the new NicknameManager and GroupsManager services, please check our documentation, and don’t hesitate to get in touch with us if you have questions or suggestions.


Claudio Cherubino

Claudio is an engineer in the Google Drive Developer Relations team. Prior to Google, he worked as software developer, technology evangelist, community manager, consultant, technical translator and has contributed to many open-source projects. His current interests include Google APIs, new technologies and coffee.

URL: http://googleappsdeveloper.blogspot.com/2012/06/more-power-to-google-apps-domain.html

[Gd] Beta Channel Update for Chromebooks

Chrome Releases: Beta Channel Update for Chromebooks


The Beta channel has been updated to 20.0.1132.34 (Platform version: 2248.70.0) for Chromebooks (Acer AC700, Samsung Series 5, Samsung Chromebook Series 5 550, Samsung Chromebox Series 3, and Cr-48).  This release contains functional, security and stability improvements.

Highlights of these changes are:
  • Crash fixes
  • Updated Pepper Flash version
  • 128592 - Fixed problems around first time sync


Known issues:
  • 131401 - Chrome crashes on opening Microsoft Office formatted files (such as .doc, .xls, etc) when those files are stored and opened locally on the Chrome OS machine. Workaround: If the file was sent via email as an attachment, opening the file attachment directly from the email still works properly.

If you find new issues, please let us know by visiting our help site or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue’ under the wrench menu.

Danielle Drew

Google Chrome
URL: http://googlechromereleases.blogspot.com/2012/06/beta-channel-update-for-chromebooks_14.html

[Gd] Develop for Good and have a chance to win tickets to I/O 2013!

Chromium Blog: Develop for Good and have a chance to win tickets to I/O 2013!

Cross-posted from the Google Developers Blog

Would you like to use your coding skills to significantly improve the world, and have the chance to win tickets to Google I/O 2013 for your efforts? Google.org has joined forces with the I/O Extended team to bring you the "Develop for Good" Hackathon. We’re looking for hackers to tackle issues around repressive regimes, engaging citizens in politics and enabling us all to be greener!

Almost anyone can participate in the hackathon from just about anywhere in the world. Many of the Extended events are already hosting hackathons, so we encourage you to find an event near you or start your own. If you’re in the San Francisco Bay Area, Google.org will be hosting a ‘Develop for Good’ hackathon at the San Francisco I/O Extended event.

Here are the three challenges developed by the Google teams:
  1. Google Ideas: Conflict reporting for blackout situations in repressive regimes.
  2. Google Politics & Elections: Citizen Engagement for Politics & Elections.
  3. Google Green: Help us all be a little bit greener!

Developers can start preparing, and even coding, right away and then bring their ideas to the Extended event Hackathons during I/O (though we welcome you to participate even if you’re unable to attend an event). Pencils down on Friday night—hacks must be submitted by 11:59 p.m. (PDT) on June 29, 2012 via this form.

After June 29th a team of Googlers will judge the submissions for each challenge. We will announce the winning hacks for each challenge by about August 1st, 2012. There will be one winning hack selected from each challenge area, and each will receive up to 5 tickets to I/O 2013, along with the honorary title of "Google Developer for Good, 2012". In addition, we’ll award one of the latest Chromebooks to each member of the team producing the best web app across all three challenges.

If you are interested in getting involved, we recommend signing up for an I/O Extended event near you and then checking with the organizer to see whether a hackathon is part of the agenda -- or hosting your own Extended event and hackathon!

Find further details of the challenges, prizes, submission guidelines and hackathon rules on the I/O Extended organizers' website.


Posted by Anna de Paula Hanika, Product Marketing Manager
URL: http://blog.chromium.org/2012/06/develop-for-good-and-have-chance-to-win.html

[Gd] Develop for Good and have a chance to win tickets to I/O 2013!

Google Developers Blog: Develop for Good and have a chance to win tickets to I/O 2013!

By Anna de Paula Hanika, Google.org

Would you like to use your coding skills to significantly improve the world, and have the chance to win tickets to Google I/O 2013 for your efforts? Google.org has joined forces with the I/O Extended team to bring you the "Develop for Good" Hackathon. We’re looking for hackers to tackle issues around repressive regimes, engaging citizens in politics and enabling us all to be greener!

Almost anyone can participate in the hackathon from just about anywhere in the world. Many of the Extended events are already hosting hackathons, so we encourage you to find an event near you or start your own. If you’re in the San Francisco Bay Area, Google.org will be hosting a ‘Develop for Good’ hackathon at the San Francisco I/O Extended event.

Here are the three challenges developed by the Google teams:

  1. Google Ideas: Conflict reporting for blackout situations in repressive regimes.
  2. Google Politics & Elections: Citizen Engagement for Politics & Elections.
  3. Google Green: Help us all be a little bit greener!

Developers can start preparing, and even coding, right away and then bring their ideas to the Extended event Hackathons during I/O (though we welcome you to participate even if you’re unable to attend an event). Pencils down on Friday night—hacks must be submitted by 11:59 p.m. (PDT) on June 29, 2012 via this form.

After June 29th a team of Googlers will judge the submissions for each challenge. We will announce the winning hacks for each challenge by about August 1st, 2012. There will be one winning hack selected from each challenge area, and each will receive up to 5 tickets to I/O 2013, along with the honorary title of "Google Developer for Good, 2012". In addition, we’ll award one of the latest Chromebooks to each member of the team producing the best web app across all three challenges.

If you are interested in getting involved, we recommend signing up for an I/O Extended event near you and then checking with the organizer to see whether a hackathon is part of the agenda  -- or hosting your own Extended event and hackathon!

Find further details of the challenges, prizes, submission guidelines and hackathon rules on the I/O Extended organizers' website.


Anna de Paula Hanika is a Product Marketing Manager on the Google.org team, currently focused on Google's Green and Giving efforts, and all things related to using technology to make the world a better place!

Posted by Ashleigh Rentz, Editor Emerita
URL: http://googledevelopers.blogspot.com/2012/06/develop-for-good-and-have-chance-to-win.html

[Gd] Better Web Templating with AngularJS 1.0

Google Developers Blog: Better Web Templating with AngularJS 1.0

By Miško Hevery, Google AngularJS team

AngularJS lets you write web applications as if you had a smarter browser.  It lets you extend HTML's syntax to express your application's components clearly and succinctly and lets you use standard HTML as your template language.  And it automatically synchronizes data from your UI (view) with your JavaScript objects (model) through 2-way data binding.

Today we are announcing the 1.0 release of AngularJS.  We’d like to thank our early adopters, and we’re excited to share it with you who haven’t yet experienced it.

Our goal with AngularJS is to eliminate the guesswork in creating web app structure and take the pain and the boilerplate out of web client apps.  We think we’re there and we’d love for you to take a look.

AngularJS’s core features are:

  • Unobtrusive data binding. AngularJS automatically moves data from the UI to your model and back whenever either of them changes.  There are no classes to inherit from, and no wrapper or getter/setter methods to call. Your model can be as simple as a primitive, native array or as complex as you make it via your custom JavaScript type.

  • HTML as the template. You, your browser, your editors and your other tools already know all about working with HTML.  Why introduce something else?  AngularJS lets you expand HTML’s vocabulary with your own app-specific elements, attributes, and class-types that are fully compatible with the HTML specification.

  • Reusable components -- in HTML! AngularJS gives you the power to extend HTML’s syntax with your own elements and attributes that add behavior or transform the DOM.  Want to write <tab>, <calendar>, or <colorpicker> instead of <div><div><div>...?  Want to attach keyboard shortcuts to any element by adding an attribute like key=’ctrl-s’?  You miss the <blink> tag?  All these things and more are possible.

  • Views and Routes. AngularJS lets you switch sub-views in your app with a simple route configuration.  And you get URL deep-linking for free.

  • Tests and Testability. Shipping apps means testing them.  We provide common mocks, we take full advantage of dependency injection, and we encourage MVC structure making it easy to test behavior separate from view. It also comes with an end-to-end scenario runner which eliminates test flakiness by having the runner truly understand application state.

Come and check out our many examples, tutorials, videos and our API docs at angularjs.org.  And we’d love to hear your thoughts and questions on Google+ or on our mailing list.


Miško Hevery is a software engineer on the AngularJS team in Mountain View, CA.  Miško focuses on imagining a future where web development is actually simple.

Posted by Ashleigh Rentz, Editor Emerita
URL: http://googledevelopers.blogspot.com/2012/06/better-web-templating-with-angularjs-10.html

Wednesday, June 13, 2012

[Gd] Beta Channel Update

Chrome Releases: Beta Channel Update


The Beta channel has been updated to 20.0.1132.34 for Windows, Mac, Linux, and Chrome Frame. This build contains updates to v8 (3.10.8.16) and fixes for bugs and stability.

Full details about what changes are in this build are available in the SVN revision log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Dharani Govindan
Google Chrome
URL: http://googlechromereleases.blogspot.com/2012/06/beta-channel-update_13.html

[Gd] Dev Channel Updates for Chromebooks

Chrome Releases: Dev Channel Updates for Chromebooks

The Dev channel has been updated to 21.0.1172.0 (Platform versions: 2430.0.0) for Chromebooks (Acer AC700, Samsung Series 5, Samsung Chromebook Series 5 550, Samsung Chromebox Series 3, and Cr-48). This build contains a number of new features, as well as UI, stability & security improvements.

Highlights of these changes are:
  • Firmware update for Chromebook Series 5 550. Note: A screen with Chrome Logo and a critical update notification will show after update restarts. It will reboot by itself after firmware update completes.
  • Update Kernel version 3.4
  • Update Adobe Flash Player to version 11.3.31.109
  • Fix for flashing screen issue seen in previous build
  • Stability and security updates

Known issues:

  • 131713: User is logged out after a chrome crash
  • 130679: Pressing ctrl+t from incognito window opens the new tab in normal window
  • 131630: User name not displayed at login screen
  • 131710: Tab content area is blank grey after minimize/restore
  • 132445: Audio player doesn't play audio files

If you find new issues, please let us know by visiting our help site or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue’ under the wrench menu.

Josafat Garcia
Google Chrome
URL: http://googlechromereleases.blogspot.com/2012/06/dev-channel-updates-for-chromebooks.html

[Gd] Stable Channel Update for Chromebooks

Chrome Releases: Stable Channel Update for Chromebooks

The Stable channel has been updated to 19.0.1084.57 (Platform versions: 2046.137.0) for Chromebooks (Acer AC700, Samsung Series 5, Samsung Chromebook Series 5 550, and Samsung Chromebox Series 3). This build contains a new version of Flash Player (11.3), in addition to some other security and stability fixes.

If you find new issues, please let us know by visiting our help site or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue’ under the wrench menu.

Josafat Garcia
Google Chrome
URL: http://googlechromereleases.blogspot.com/2012/06/stable-channel-update-for-chromebooks.html

[Gd] Make your website faster with PageSpeed Insights

Google Developers Blog: Make your website faster with PageSpeed Insights

By Libo Song and Bryan McQuade, PageSpeed Insights Team


A year ago, we released a preview of the PageSpeed Insights Chrome Developer Tools extension, which analyzes the performance of web pages and provides suggestions to make them faster. Today, we’re releasing version 2.0 of the PageSpeed Insights extension, available in the Chrome Web Store. PageSpeed Insights analyzes all aspects of a web page load and points out the specific things you can do to make your page faster. For instance, PageSpeed Insights can inform you about an expensive JavaScript call that blocks the renderer for too long, remind you about that new photo on the front page of your web site that you might have forgotten to resize or optimize, or recommend changing the way you load third-party content so it no longer blocks the page load.

PageSpeed Insights for Chrome is a Developer Tools extension that analyzes all aspects of the page load, including resources, network, DOM, and the timeline. If you're already familiar with the Developer Tools, you'll find that PageSpeed Insights integrates with a toolset you're already using.


Using technologies like Native Client, PageSpeed Insights is able to run the open-source PageSpeed Insights SDK securely and with the performance of native code. Leveraging the Insights SDK enables the Chrome extension to automatically optimize the images, CSS, JavaScript and HTML resources on your web page and provide versions of those resources that you can easily deploy on your website.

We hope you’ll give PageSpeed Insights for Chrome a try and start optimizing your web pages today. We’d love to hear from you, as always. Please try PageSpeed Insights for Chrome, and give us feedback on our mailing list with questions, comments, and new features you’d like to see.


Libo Song and Bryan McQuade are Software Engineers on the Google PageSpeed Insights Team in Cambridge, MA. They focus on developing tools to help site owners understand how to speed up their sites.

Posted by Ashleigh Rentz, Editor Emerita
URL: http://googledevelopers.blogspot.com/2012/06/make-your-website-faster-with-pagespeed.html

Tuesday, June 12, 2012

[Gd] Make your website faster with PageSpeed Insights

Chromium Blog: Make your website faster with PageSpeed Insights

Cross-posted from the Google Developers Blog.

A year ago, we released a preview of the PageSpeed Insights Chrome Developer Tools extension, which analyzes the performance of web pages and provides suggestions to make them faster. Today, we’re releasing version 2.0 of the PageSpeed Insights extension, available in the Chrome Web Store.

PageSpeed Insights analyzes all aspects of a web page load and points out the specific things you can do to make your page faster. For instance, PageSpeed Insights can inform you about an expensive JavaScript call that blocks the renderer for too long, remind you about that new photo on the front page of your web site that you might have forgotten to resize or optimize, or recommend changing the way you load third-party content so it no longer blocks the page load.

PageSpeed Insights for Chrome is a Chrome Developer Tools extension that analyzes all aspects of the page load, including resources, network, DOM, and the timeline. If you're already familiar with Chrome Developer Tools, you'll find that PageSpeed Insights integrates with a toolset you're already using.



Using technologies like Native Client, PageSpeed Insights is able to run the open-source PageSpeed Insights SDK securely and with the performance of native code. Leveraging the Insights SDK enables the Chrome extension to automatically optimize the images, CSS, JavaScript and HTML resources on your web page and provide versions of those resources that you can easily deploy on your website.

We hope you’ll give PageSpeed Insights for Chrome a try and start optimizing your web pages today. We’d love to hear from you, as always. Please try PageSpeed Insights for Chrome, and give us feedback on our mailing list with questions, comments, and new features you’d like to see.


Posted by Libo Song and Bryan McQuade, Software Engineers
URL: http://blog.chromium.org/2012/06/make-your-website-faster-with-pagespeed.html

[Gd] New Developer Features in the Chrome Web Store

Chromium Blog: New Developer Features in the Chrome Web Store

During these last few weeks, the Chrome Web Store team has been focused on launching the store in more countries and building some new features for developers that can help them reach and engage with more users.

New Countries 

We recently launched the Chrome Web Store in six additional countries: Turkey, Ukraine, Egypt, Saudi Arabia, Morocco and the United Arab Emirates. This means that developers can now distribute and sell their apps to millions of additional potential users.

To be successful in these new markets, we highly recommend localizing your apps in as many languages as possible. This will make them more accessible to users around the world, and more likely to be promoted in the 42 countries the store is available in.

New Offline Apps Collection

To recognize developers who have made their apps work offline - and help users find them - we created a special collection just to highlight them in the store.



If you are a developer, getting your app listed in this collection is as simple as adding the offline_enabled flag to your app’s manifest file (note: to avoid negative user feedback, please ensure that your app does indeed work well offline before you do this).

Better Information in the Developer Dashboard 

One of the common requests we’ve received from developers is that they’d like better insight into how well their apps are doing in the store. Many of you would especially like to know how many times your apps and extensions are being viewed vs. how many installations are occurring.

To help you with your data needs, we’ve created a new graph view to help you understand the performance of your apps. To make this data more accessible, you can easily download it as a CSV file. Currently, we provide 90 days of history information.



In the near future, we plan to further refine this feature - for example, we may increase the historical period for which data is available and add other features to help you understand how your apps are being adopted.

If you have any questions about these new features, you can reach us on our developer forum.

Posted by Joe Marini, Developer Advocate
URL: http://blog.chromium.org/2012/06/new-developer-features-in-chrome-web.html

[Gd] For webmasters: Google+ and the +1 button 101

Official Google Webmaster Central Blog: For webmasters: Google+ and the +1 button 101

Webmaster Level: Beginner to Intermediate

Here’s a video that covers the basics of Google+, the +1 button, getting started on Google+, and how social information can make products, like Search, more relevant. This video is for a range of webmasters (from personal bloggers to SEOs of corporations). So, if you’re interested in learning about Google+, we hope that with 20 minutes and this video on YouTube (we have our own Webmaster Support Channel!), you can feel more up to speed with Google’s social opportunities.


Video about the basics of Google+ and how to get started if you're an interested webmaster.


Speaking of Google+, if you join, please say hello! We're often posting and hosting Hangouts.


Written by Maile Ohye, Developer Programs Tech Lead
URL: http://googlewebmastercentral.blogspot.com/2012/06/for-webmasters-google-and-1-button-101.html

[Gd] Dev Channel Update

Chrome Releases: Dev Channel Update


The Dev channel has been updated to 21.0.1171.0 for Windows, Mac, Linux and ChromeFrame platforms.

All
  • HTML5 audio/video and WebAudio now support 24-bit PCM wave files.

Windows
  • Improved support for on-screen keyboard on Windows 8 in Metro mode. Resolved several Windows 8 crashes and performance regressions.
More details about additional changes are available in the svn log of all revisions.

You can find out about getting on the Dev channel here: http://dev.chromium.org/getting-involved/dev-channel.
If you find new issues, please let us know by filing a bug at http://code.google.com/p/chromium/issues/entry


Karen Grunberg
Google Chrome
URL: http://googlechromereleases.blogspot.com/2012/06/dev-channel-update_11.html

[Gd] Stable Channel Update

Chrome Releases: Stable Channel Update

The Stable channel has been updated to 19.0.1084.56 for Mac. This build contains a new version of Flash Player (11.3), in addition to more patches to support transitioning to OSX Mountain Lion.

Full details about what changes are in this build are available in the SVN revision log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Anthony Laforge
Google Chrome
URL: http://googlechromereleases.blogspot.com/2012/06/stable-channel-update_11.html

Monday, June 11, 2012

[Gd] Using the Google Picker to upload files to Drive

Google Apps Developer Blog: Using the Google Picker to upload files to Drive

The Google Picker API provides developers with an easy-to-use file dialog that can be used to open Google Drive files directly from their web app independently of the Drive UI. The Drive SDK documentation includes an example showing how to incorporate the Google Picker with just a few lines of JavaScript.

Another powerful use case for the Picker API is to allow users to upload files to Drive with the same consistent UI. A single Picker dialog can incorporate multiple views and users can switch from one to another by clicking on a tab on the left:

The following code sample opens the Picker dialog and registers a simple callback function to handle the completed upload event:


<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8"/>
    <title>Google Picker Example</title>

    <!-- The standard Google Loader script, loaded over HTTPS so it
         cannot be modified in transit. -->
    <script src="https://www.google.com/jsapi"></script>
    <script type="text/javascript">

      // Use the Google Loader script to load the google.picker script.
      google.setOnLoadCallback(createPicker);
      google.load('picker', '1');

      // Create and render a Picker object for searching images
      // and uploading files.
      function createPicker() {
        // Create a view to search images.
        var view = new google.picker.View(google.picker.ViewId.DOCS);
        view.setMimeTypes('image/png,image/jpeg');

        // Use DocsUploadView to upload documents to Google Drive.
        var uploadView = new google.picker.DocsUploadView();

        // YOUR_APP_ID is a placeholder for your own application ID.
        var picker = new google.picker.PickerBuilder().
            addView(view).
            addView(uploadView).
            setAppId(YOUR_APP_ID).
            setCallback(pickerCallback).
            build();
        picker.setVisible(true);
      }

      // A simple callback implementation.
      function pickerCallback(data) {
        if (data.action == google.picker.Action.PICKED) {
          var fileId = data.docs[0].id;
          alert('The user selected: ' + fileId);
        }
      }
    </script>
  </head>
  <body>
  </body>
</html>

There is an important difference between this upload example and the code used to open files: in addition to the standard view, an instance of DocsUploadView is added to the Picker object, thus providing upload capability.

For more information about this component and all other available views, please refer to the Google Picker Reference Guide.

Claudio Cherubino

Claudio is an engineer in the Google Drive Developer Relations team. Prior to Google, he worked as software developer, technology evangelist, community manager, consultant, technical translator and has contributed to many open-source projects. His current interests include Google APIs, new technologies and coffee.

URL: http://googleappsdeveloper.blogspot.com/2012/06/using-google-picker-to-upload-files-to.html

[Gd] A Tale Of Two Pwnies (Part 2)

Chromium Blog: A Tale Of Two Pwnies (Part 2)

When we wrapped up our recent Pwnium event, we praised the creativity of the submissions and resolved to provide write-ups on how the two exploits worked. We already covered Pinkie Pie’s submission in a recent post, and this post will summarize the other winning Pwnium submission: an amazing multi-step exploit from frequent Chromium Security Reward winner Sergey Glazunov.

From the start, one thing that impressed us about this exploit was that it involved no memory corruption at all. It was based on a so-called “Universal Cross-Site Scripting” (or UXSS) bug. The UXSS bug in question (117226) was complicated and actually involved two distinct bugs: a state corruption and an inappropriate firing of events. Individually there was a possible use-after-free condition, but the exploit -- perhaps because of various memory corruption mitigations present in Chromium -- took the route of combining the two bugs to form a “High” severity UXSS bug. However, a Pwnium prize requires demonstrating something “Critical”: a persistent attack against the local user’s account. A UXSS bug alone cannot achieve that.

So how was this UXSS bug abused more creatively? To understand Sergey’s exploit, it’s important to know that Chromium implements some of its built-in functions using special HTML pages (called WebUI), hosted at origins such as chrome://about. These pages have access to privileged JavaScript APIs. Of course, a normal web page or web renderer process cannot just iframe or open a chrome:// URL due to strict separation between http[s]:// and chrome:// URLs. However, Sergey discovered that iframing an invalid chrome-extension:// resource would internally host an error page in the chrome://chromewebdata origin (117230). Furthermore, this error page was one of the few internal pages that did not have a Content Security Policy (CSP) applied. A CSP would have blocked the UXSS bug in this context.

At this point, multiple distinct issues had been abused, to gain JavaScript execution in the chrome://chromewebdata origin.

The exploit still had a long way to go, though, as there are plenty of additional barriers:

  • chrome://chromewebdata does not have any sensitive APIs associated with it. 
  • chrome://a is not same-origin with chrome://b
  • chrome://* origins only have privileges when the backing process is tagged as privileged by the browser process, and this tagging only happens as a result of a top-level navigation to a chrome:// URL. 
  • The sensitive chrome://* pages generally have CSPs applied that prevent the UXSS bug in question. 
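The missing CSP on the chrome://chromewebdata error page, set against the CSPs on the sensitive pages, suggests an inventory check a defender can run over any set of privileged internal pages. The following is an added example, not Chromium code: the policy strings are constructed samples, the chrome://example-* names are hypothetical, and it assumes the control of interest is a `script-src` (or fallback `default-src`) that disallows inline script.

```javascript
// Added example: flag internal pages whose CSP is missing or still permits inline script.
// Policy strings below are constructed samples, not Chromium's real policies.

// Parse a Content-Security-Policy header value into Map<directive, sources[]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of (header || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec a repeated directive is ignored: the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return a finding string, or null when the policy blocks inline script.
function inlineScriptFinding(header) {
  if (!header || !header.trim()) return 'no CSP';
  const policy = parseCsp(header);
  // script-src governs script; default-src is the fallback when it is absent.
  const sources = policy.get('script-src') || policy.get('default-src');
  if (!sources) return 'CSP does not restrict script';
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+).
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) return "'unsafe-inline' allowed";
  return null;
}

// Audit an inventory of { url, csp } records and return only the findings.
function auditPages(pages) {
  return pages
    .map((p) => ({ url: p.url, finding: inlineScriptFinding(p.csp) }))
    .filter((r) => r.finding !== null);
}

// Constructed inventory: only the absence of a CSP on chromewebdata comes from the post.
const samplePages = [
  { url: 'chrome://chromewebdata/', csp: null },
  { url: 'chrome://downloads/', csp: "default-src 'self'; object-src 'none'" },
  { url: 'chrome://example-a/', csp: "script-src 'self' 'unsafe-inline'" },
  { url: 'chrome://example-b/', csp: "img-src 'self'" },
  { url: 'chrome://example-c/', csp: "script-src 'nonce-abc123' 'unsafe-inline'" },
];
console.log(auditPages(samplePages));
```

Error and fallback pages belong in the inventory alongside the feature pages, since the page in the post that lacked a policy was an error page.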

The exploit became extremely creative at this point. To get around the defenses, the compromised chrome://chromewebdata origin opened a window to chrome://net-internals, which had an iframe in its structure. Another WebKit bug -- the ability to replace a cross-origin iframe (117583) -- was used to run script that navigated the popped-up window, simply “back” to chrome://net-internals (117417). This caused the browser to reassess the chrome://net-internals URL as a top-level navigation -- granting limited WebUI permissions to the backing process as a side-effect (117418).

The exploit was still far from done. It was now running JavaScript inside an iframe inside a process with limited WebUI permissions. It then popped up an about:blank window and abused another bug (118467) -- this time in the JavaScript bindings -- to confuse the top-level chrome://net-internals page into believing that the new blank window was a direct child. The blank window could then navigate its new “parent” without losing privileges (113496). The first navigation was to chrome://downloads, which gained access to additional privileged APIs. You probably get a sense of where the exploit was headed now. It finished off by abusing privileged JavaScript APIs to download an attack DLL. The same APIs were used to cleverly “download” and run wordpad.exe from the local disk (thus avoiding the system-level prompt for executing downloads from the internet zone). A design quirk of the Windows operating system caused the attack DLL to be loaded into the trusted executable.

As you can imagine, it took us some time to dissect all of this. Distilling the details into a blog post was a further challenge; we’ve glossed over the use of the UXSS bug to bypass pop-up window restrictions. The UXSS bug was actually used three separate times in the exploit. We also omitted details of various other lockdowns we applied in response to the exploit chain.

What’s clear is that Sergey certainly earned his $60k Pwnium reward. He chained together a whopping 14[*] bugs, quirks and missed hardening opportunities. Looking beyond the monetary prize, Sergey has helped make Chromium significantly safer. Besides fixing the array of bugs, we’ve landed hardening measures that will make it much tougher to abuse chrome:// WebUI pages in the future.

Posted by Ken Buchanan, Chris Evans, Charlie Reis and Tom Sepez, Software Engineers 


[*] 14, or thereabouts. It’s easy to lose count.
URL: http://blog.chromium.org/2012/06/tale-of-two-pwnies-part-2.html

[Gd] Dev Update for Chromebooks


Chrome Releases: Dev Update for Chromebooks

The Dev channel has been updated to 21.0.1166.0 (Platform versions: 2404.0.0) for Chromebooks (Acer AC700, Samsung Series 5, Samsung Chromebook Series 5 550, Samsung Chromebox Series 3, and Cr-48). This build contains a number of new features, as well as security & stability improvements.

Highlights of these changes are:

  • Firmware update for Chromebook Series 5 550. Note: A screen with the Chrome logo and a critical update notification will show after the update restarts. It will reboot by itself after the firmware update completes.
  • Update Kernel version 3.4
  • Update Adobe Flash Player to version 11.3.31.109
  • UI Improvements
  • Stability and security updates

Known issues:
  • 31546: Flash fails to use webcam in youtube.com/my_webcam
  • 130679: Pressing ctrl+t from incognito window opens the new tab in normal window
  • 131630: User name not displayed at login screen
  • 131710: Tab content area is blank grey after minimize/restore



If you find new issues, please let us know by visiting our help site or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue’ under the wrench menu.

Josafat Garcia
Google Chrome
URL: http://googlechromereleases.blogspot.com/2012/06/dev-update-for-chromebooks.html