NW.js v0.28.0 Released with Chromium 64 Upgrade, Node.js 9.4.0 and Mitigations for Spectre Attacks
We're excited to announce NW.js 0.28.0 with Chromium 64 stable upgrade, security updates within it and Node.js 9.4.0. This new major version has new features and important changes regarding Spectre attacks. You need to read it through if you load any 3rd party contents in your application, or care about the performance implications from it.
Mitigations for Spectre Attacks
Spectre attacks impact browsers too. After Chromium upstream announced actions required to mitigate Speculative Side-Channel Attack techniques, we took all the changes from upstream into NW.js to protect applications of our developers and end users. However, the upstream fix has a performance impact that can lead to 15% degradation on extreme computational workloads. Since NW.js application code is trusted in many cases, we've made changes so your applications are not impacted in such cases:
- If your application load untrusted content or code, you need to put them in webview, or use the global flag
--js-flags=--untrusted_code_mitigationsin Chromium arguments. There is no performance degradation for code outside the webview by default.
- If all your application's content and code is trusted, no action is required and no performance degradation is expected.
New Features and Important Fixes
- A new API
webview.inspectElementAt()is added for inspecting located element from embedded devtools.
- Support for ES6 module binary is added.
- A new
nwdirectorydescattribute is added to set the description for nwdirectory in "Browse for Folder" dialog.
Thanks to Jefry Tedjokusumo, transparency clickthrough feature is fixed on macOS 10.13.
What's New in Chromium 64
Chromium 64 contains usual under-the-hood performance and stability tweaks, but there are also some cool new features to explore. It supports Resize Observer, import meta and many more. Please check upstream information for details, as well as the Chrome status page.
We've made the 0.28 branch ready soon after Chromium beta bumps to 64. Thanks to the testers for their valuable feedback and bug reports. We've been working on 3 branches simultaneously: a released branch on current Chromium stable, a beta branch on Chromium beta and a 0.14 branch for legacy OS support.
For more information on the new milestone 0.13 and later versions, please see our blog "What's New in 0.13" for a better introduction.
- Update Chromium to 64.0.3282.119
- Update Node.js to v9.4.0
untrusted-code-mitigationsonly in guest process
- ES6 module binary support (#6303)
nwdirectorydescattribute to set the description for nwdirectory in "Browse for Folder" dialog (#5265)
- Fix: Simply accessing chrome.action crashes nw28-rc1 (#6372)
- Fix: OSX - Transparency clickthrough broken on High Sierra (#6307) (Thanks to Jefry Tedjokusumo)
- Fix: [WIN] fix titlebar issue if the window has custom icon / when window is first moved (#6337, #6345) (Thanks to Jefry Tedjokusumo)
- Fix: XMLHttpRequest from background page fails after an iframe is removed from window (#6410)
- [docs] using devtool extensions and add webview.inspectElementAt()
- [docs] module binary support
- [docs] nwdirectorydesc
Full ChangeLog: https://github.com/nwjs/nw.js/blob/nw28/CHANGELOG.md
Binary for other platforms: https://dl.nwjs.io/v0.28.0/
There are 2 builds for each platform - normal build, and SDK build. Normal build doesn't have devtools, only SDK build does. lt can be opened by pressing F12 (Cmd-Alt-I on OSX). SDK packages also have more development tools to be exposed in the following releases, as well as the NaCl support.
Our build infrastructure enables live binary build from git tip so you can access to the latest binary from https://dl.nwjs.io/live-build/
See our mailing list to discuss on this release: https://groups.google.com/d/msg/nwjs-general/y9ZyE8jMRX4/xbwHAjxAAgAJ