As Chrome Web Store apps and extensions have become more popular, users have been generating a large amount of reviews and feedback for developers. Until now, there was no way to separate a user’s review of an app’s features and quality from developer-focused feedback, such as the reporting of bugs, feature requests, and general questions.

To improve the feedback loop between developers and users, we’ve added a new way to get feedback directly from your users:

This feature provides a clean separation between reporting bugs and compatibility issues to developers and the rating / comments users can leave in the store relating to the functionality and usefulness of a given app. The contents of the feedback forum are publicly visible to everyone, which helps to cut down on duplicate issue reporting.

Turning the Feedback Feature On

In order to enable this feature for your store items, go to your developer dashboard and click on the “Edit your User Feedback preferences” option (highlighted below):

Engaging With Your Users

You should encourage your app’s users to engage with you via the new feedback feature by placing links to your app’s feedback page directly on your site after you’ve activated it. To do so, use the url format “https://chrome.google.com/webstore/support/yourappid”. Doing so will increase the likelihood that users will discover the feature and reinforce the idea that you actively support it.

We hope that this new feature will give users a better experience in reporting issues, requesting new features, and asking questions. Similarly, developers will now have a much easier forum to use to have an ongoing social conversation about their products.

When trying to upgrade to the latest LastPass update from the LastPass web site, I ran into an error claiming "Extensions, apps, and user scripts cannot be installed from this web site." If you ever run into a similar error, here's how to work around it. More »

The Beta channel has been updated to 20.0.1132.37 (Platform version: 2248.85.0) for Chromebooks (Acer AC700, Samsung Series 5, Samsung Chromebook Series 5 550, and Samsung Chromebox Series 3, and Cr-48).  This release contains stability improvements.

• Firmware update for Chromebook Series 5 550. Note: A screen with Chrome Logo and a critical update notification will show after update restarts. It will reboot by itself after firmware update completes.
• 131401 - Fixed Chrome crashes on opening Microsoft Office formatted files (such as .doc, .xls, etc) when those files are stored and opened locally on the Chrome OS machine.
• Crash fixes

The Dev channel has been updated to 21.0.1180.0 for Windows, Mac, Linux, and ChromeFrame platforms

All

• Updated V8 - 3.11.10.6
• Content settings for Cookies now also show protected storage granted to hosted apps
• Chromoting client plugin correctly up-scales on when page-zoom is >100%.

Windows

• Windows 8: User-level Chrome no longer requires admin privileges to be made default.

Mac

• Implement HiDPI drawing for composited pages
• Handle dynamic changes to backing scale factor
• Improve tabstrip appearance on HiDPI displays

Cross-posted from the Google Developers Blog

Would you like to use your coding skills to significantly improve the world, and have the chance to win tickets to Google I/O 2013 for your efforts? Google.org has joined forces with the I/O Extended team to bring you the "Develop for Good" Hackathon. We’re looking for hackers to tackle issues around repressive regimes, engaging citizens in politics and enabling us all to be greener!

Almost anyone can participate in the hackathon from just about anywhere in the world. Many of the Extended events are already hosting hackathons, so we encourage you to find an event near you or start your own. If you’re in the San Francisco Bay Area, Google.org will be hosting a ‘Develop for Good’ hackathon at the San Francisco I/O Extended event.

Here are the three challenges developed by the Google teams:

1. Google Ideas: Conflict reporting for blackout situations in repressive regimes.
2. Google Politics & Elections: Citizen Engagement for Politics & Elections.
3. Google Green: Help us all be a little bit greener!

Developers can start preparing, and even coding, right away and then bring their ideas to the Extended event Hackathons during I/O (though we welcome you to participate even if you’re unable to attend an event). Pencils down on Friday night—hacks must be submitted by 11:59 p.m. (PDT) on June 29, 2012 via this form.

After June 29th a team of Googlers will judge the submissions for each challenge. We will announce the winning hacks for each challenge by about August 1st, 2012. There will be one winning hack selected from each challenge area, and each will receive up to 5 tickets to I/O 2013, along with the honorary title of "Google Developer for Good, 2012". In addition, we’ll award one of the latest Chromebooks to each member of the team producing the best web app across all three challenges.

If you are interested in getting involved, we recommend signing up for an I/O Extended event near you and then checking with the organizer to see whether a hackathon is part of the agenda -- or hosting your own Extended event and hackathon!

Find further details of the challenges, prizes, submission guidelines and hackathon rules on the I/O Extended organizers' website.

• Crash fixes
• Updated Pepper Flash version
• 128592 - Fixed problems around first time sync

Known issues:

131401 - Chrome crashes on opening Microsoft Office formatted files (such as .doc, .xls, etc) when those files are stored and opened locally on the Chrome OS machine. Workaround: If the file was sent via email as an attachment, opening the file attachment directly from the email still works properly.

• Firmware update for Chromebook Series 5 550. Note: A screen with Chrome Logo and a critical update notification will show after update restarts. It will reboot by itself after firmware update completes.
• Update Kernel version 3.4
• Update Adobe Flash Player to version 11.3.31.109
• Fix for flashing screen issue seen in previous build
• Stability and security updates

Known issues:

• 131713: User is logged out after a chrome crash
• 130679: Pressing ctrl+t from incognito window opens the new tab in normal window
• 131630: User name not displayed at login screen
• 131710: Tab content area is blank grey after minimize/restore
• 132445: Audio player doesn't play audio files

You always want Chrome to look great, no matter what device you’re using. Apple recently announced a new laptop with a Retina high-resolution screen, and we’re committed to polishing Chrome until it shines on that machine.

The Chrome Canary channel already shows the early results of this work, bringing basic high-resolution support to Chrome. We have further to go over the next few weeks, but we’re off to the races to make Chrome as beautiful as it can be.

Cross-posted from the Google Developers Blog.

A year ago, we released a preview of the PageSpeed Insights Chrome Developer Tools extension, which analyzes the performance of web pages and provides suggestions to make them faster. Today, we’re releasing version 2.0 of the PageSpeed Insights extension, available in the Chrome Web Store.

PageSpeed Insights analyzes all aspects of a web page load and points out the specific things you can do to make your page faster. For instance, PageSpeed Insights can inform you about an expensive JavaScript call that blocks the renderer for too long, remind you about that new photo on the front page of your web site that you might have forgotten to resize or optimize, or recommend changing the way you load third-party content so it no longer blocks the page load.

PageSpeed Insights for Chrome is a Chrome Developer Tools extension that analyzes all aspects of the page load, including resources, network, DOM, and the timeline. If you're already familiar with Chrome Developer Tools, you'll find that PageSpeed Insights integrates with a toolset you're already using.

Using technologies like Native Client, PageSpeed Insights is able to run the open-source PageSpeed Insights SDK securely and with the performance of native code. Leveraging the Insights SDK enables the Chrome extension to automatically optimize the images, CSS, JavaScript and HTML resources on your web page and provide versions of those resources that you can easily deploy on your website.

We hope you’ll give PageSpeed Insights for Chrome a try and start optimizing your web pages today. We’d love to hear from you, as always. Please try PageSpeed Insights for Chrome, and give us feedback on our mailing list with questions, comments, and new features you’d like to see.

During these last few weeks, the Chrome Web Store team has been focused on launching the store in more countries and building some new features for developers that can help them reach and engage with more users.

New Countries 

We recently launched the Chrome Web Store in six additional countries: Turkey, Ukraine, Egypt, Saudi Arabia, Morocco and the United Arab Emirates. This means that developers can now distribute and sell their apps to millions of additional potential users.

To be successful in these new markets, we highly recommend localizing your apps in as many languages as possible. This will make them more accessible to users around the world, and more likely to be promoted in the 42 countries the store is available in.

New Offline Apps Collection

To recognize developers who have made their apps work offline - and help users find them - we created a special collection just to highlight them in the store.

If you are a developer, getting your app listed in this collection is as simple as adding the offline_enabled flag to your app’s manifest file (note: to avoid negative user feedback, please ensure that your app does indeed work well offline before you do this).

Better Information in the Developer Dashboard 

One of the common requests we’ve received from developers, is that they’d like better insight into how well their apps are doing in the store. Many of you would especially like to know how many times your apps and extensions are being viewed vs. how many installations are occurring.

To help you with your data needs, we’ve created a new graph view to help you understand the performance of your apps. To make this data more accessible, you can easily download it as a CSV file. Currently, we provide 90 days of history information.

In the near future, we plan to further refine this feature - for example, we may increase the historical period for which data is available and add other features to help you understand how your apps are being adopted.

After the recent announcement, guys at the Silicon Valley have released the very first build of the Google Chrome Metro web browser.

As you might guess, it was designed for the upcoming Windows 8 OS, which should shake up the tablet market.

Overall, Google Chrome looks bland, does not follow any Metro design guidelines and borrows its UI from the desktop version rather than the Firefox or IE Metro implementations.

We certainly hope that Google will make its interface more Metro like.

The Dev channel has been updated to 21.0.1171.0 for Windows, Mac, Linux and ChromeFrame platforms


All

• HTML5 audio/video and WebAudio now support 24-bit PCM wave files.

Windows

• Improved support for on-screen keyboard on Windows 8 in Metro mode. Resolved several Windows 8 crashes and performance regressions.

More details about additional changes are available in the svn log of all revisions.

When we wrapped up our recent Pwnium event, we praised the creativity of the submissions and resolved to provide write-ups on how the two exploits worked. We already covered Pinkie Pie’s submission in a recent post, and this post will summarize the other winning Pwnium submission: an amazing multi-step exploit from frequent Chromium Security Reward winner Sergey Glazunov.

From the start, one thing that impressed us about this exploit was that it involved no memory corruption at all. It was based on a so-called “Universal Cross-Site Scripting” (or UXSS) bug. The UXSS bug in question (117226) was complicated and actually involved two distinct bugs: a state corruption and an inappropriate firing of events. Individually there was a possible use-after-free condition, but the exploit -- perhaps because of various memory corruption mitigations present in Chromium -- took the route of combining the two bugs to form a “High” severity UXSS bug. However, a Pwnium prize requires demonstrating something “Critical”: a persistent attack against the local user’s account. A UXSS bug alone cannot achieve that.

So how was this UXSS bug abused more creatively? To understand Sergey’s exploit, it’s important to know that Chromium implements some of its built-in functions using special HTML pages (called WebUI), hosted at origins such as chrome://about. These pages have access to privileged JavaScript APIs. Of course, a normal web page or web renderer process cannot just iframe or open a chrome:// URL due to strict separation between http[s]:// and chrome:// URLs. However, Sergey discovered that iframing an invalid chrome-extension:// resource would internally host an error page in the chrome://chromewebdata origin (117230). Furthermore, this error page was one of the few internal pages that did not have a Content Security Policy (CSP) applied. A CSP would have blocked the UXSS bug in this context.

At this point, multiple distinct issues had been abused, to gain JavaScript execution in the chrome://chromewebdata origin.

The exploit still had a long way to go, though, as there are plenty of additional barriers:

• chrome://chromewebdata does not have any sensitive APIs associated with it. 
• chrome://a is not same-origin with chrome://b. 
• chrome://* origins only have privileges when the backing process is tagged as privileged by the browser process, and this tagging only happens as a result of a top-level navigation to a chrome:// URL. 
• The sensitive chrome://* pages generally have CSPs applied that prevent the UXSS bug in question. 

The exploit became extremely creative at this point. To get around the defenses, the compromised chrome://chromewebdata origin opened a window to chrome://net-internals, which had an iframe in its structure. Another WebKit bug -- the ability to replace a cross-origin iframe (117583) -- was used to run script that navigated the popped-up window, simply “back” to chrome://net-internals (117417). This caused the browser to reassess the chrome://net-internals URL as a top-level navigation -- granting limited WebUI permissions to the backing process as a side-effect (117418).

The exploit was still far from done. It was now running JavaScript inside an iframe inside a process with limited WebUI permissions. It then popped up an about:blank window and abused another bug (118467) -- this time in the JavaScript bindings -- to confuse the top-level chrome://net-internals page into believing that the new blank window was a direct child. The blank window could then navigate its new “parent” without losing privileges (113496). The first navigation was to chrome://downloads, which gained access to additional privileged APIs. You probably get a sense of where the exploit was headed now. It finished off by abusing privileged JavaScript APIs to download an attack DLL. The same APIs were used to cleverly “download” and run wordpad.exe from the local disk (thus avoiding the system-level prompt for executing downloads from the internet zone). A design quirk of the Windows operating system caused the attack DLL to be loaded into the trusted executable.

As you can imagine, it took us some time to dissect all of this. Distilling the details into a blog post was a further challenge; we’ve glossed over the use of the UXSS bug to bypass pop-up window restrictions. The UXSS bug was actually used three separate times in the exploit. We also omitted details of various other lockdowns we applied in response to the exploit chain.

What’s clear is that Sergey certainly earned his $60k Pwnium reward. He chained together a whopping 14[*] bugs, quirks and missed hardening opportunities. Looking beyond the monetary prize, Sergey has helped make Chromium significantly safer. Besides fixing the array of bugs, we’ve landed hardening measures that will make it much tougher to abuse chrome:// WebUI pages in the future.

The Dev channel has been updated to 21.0.1166.0 (Platform versions: 2404.0.0) for Chromebooks (Acer AC700, Samsung Series 5, Samsung Chromebook Series 5 550, and Samsung Chromebox Series 3, and Cr-48). This build contains a number of new features, as well as security & stability improvements.

Highlights of these changes are:

Chrome/Firefox: When friends on Facebook share a link with the social reader apps popular with web sites like the Guardian or Yahoo, it means you need to install the Social Reader app and share that you just read an article if you want to read it. Unsocialize is a Firefox and Chrome extension that adds a right-click menu to read those articles without sharing or installing anything.More »

Hangout on Air: the new Chrome OS user interface