Deprecations and removals in Chrome 72
Removals
Don't allow popups during page unload
Pages may no longer use window.open() to open a new page during unload. The
Chrome popup blocker already prohibited this, but now it is prohibited whether
or not the popup blocker is enabled.
Intent to Remove | Chromestatus Tracker | Chromium Bug
Remove HTTP-Based Public Key Pinning
HTTP-Based Public Key Pinning (HPKP) was intended to allow websites to send an HTTP header that pins one or more of the public keys present in the site's certificate chain. Unfortunately, it has very low adoption, and although it provides security against certificate misissuance, it also creates risks of denial of service and hostile pinning. For these reasons, this feature is being removed.
Intent to Remove | Chromestatus Tracker | Chromium Bug
Remove rendering FTP resources.
FTP is a non-securable legacy protocol. When even the Linux kernel is migrating off of it, it's time to move on. One step toward deprecation and removal is to deprecate rendering resources from FTP servers and instead download them. Chrome will still generate directory listings, but any non-directory listing will be downloaded rather than rendered in the browser.
Intent to Remove | Chromestatus Tracker | Chromium Bug
Deprecations
Deprecate TLS 1.0 and TLS 1.1
TLS (Transport Layer Security) is the protocol which secures HTTPS. It has a long history stretching back to the nearly twenty-year-old TLS 1.0 and its even older predecessor, SSL. Both TLS 1.0 and 1.1 have a number of weaknesses.
- TLS 1.0 and 1.1 use MD5 and SHA-1, both weak hashes, in the transcript hash for the Finished message.
- TLS 1.0 and 1.1 use MD5 and SHA-1 in the server signature. (Note: this is not the signature in the certificate.)
- TLS 1.0 and 1.1 only support RC4 and CBC ciphers. RC4 is broken and has since been removed. TLS’s CBC mode construction is flawed and was vulnerable to attacks.
- TLS 1.0’s CBC ciphers additionally construct their initialization vectors incorrectly.
- TLS 1.0 is no longer PCI-DSS compliant.
Supporting TLS 1.2 is a prerequisite to avoiding the above problems. The TLS working group has deprecated TLS 1.0 and 1.1. Chrome has now also deprecated these protocols. Removal is expected in Chrome 81 (early 2020).
Intent to Remove | Chromestatus Tracker | Chromium Bug
Deprecate PaymentAddress.languageCode
PaymentAddress.languageCode is the browser's best guess for the language of
the text in the shipping, billing, delivery, or pickup address in the Payment
Request API. The languageCode is marked at risk in the specification and has
already been removed from Firefox and Safari. Usage in Chrome is small enough
for safe deprecation and removal. Removal is expected in Chrome 74.
Intent to Remove | Chromestatus Tracker | Chromium Bug