Today Google Chrome team released the stable version of Chrome 46 on Windows, Mac and Linux. We just deployed Chrome 46 to all our OS platforms and it's now available to all our paying customers and free users.
Try Chrome 46 in Browserling now!
Chrome 46 implements the following new features and updates:
- New flag:
allow-popups-to-escape-sandboxsandboxing flag - This is a new flag for
<iframe sandbox="...">which will allow a sandboxed document to spawn new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon a landing page.
- API to disable scroll restoration on history navigation - The API allows web applications to explicitly disable user agents default scroll restoration behavior on history navigation through
history.scrollRestoration = 'manual'.
- Access relative orientation sensors from Chrome for Android for Virtual Reality - Relative orientation is currently unavailable in Chrome for Android. The main problem with using absolute device orientation for head tracking is drift: even when your head is stationary, your field of view will slowly rotate in some random direction. This is caused by the fact that DeviceOrientationEvents in Chrome fire based on the magnetometer, which is adversely affected by ever-present nearby metallic objects.
- Block modal dialogs inside a sandboxed iframe - Folks in Google's anti-malvertising team would like to be able to prevent sandboxed frames from popping up confusing, modal messages to users. This includes things like
print(), and maybe authentication dialogs).
- CSS Intrinsic Sizing - Extends the CSS sizing properties with keywords that represent content-based "intrinsic" sizes and context-based "extrinsic" sizes, allowing CSS to more easily describe boxes that fit their content or fit into a particular layout context. (Note that the "fill" keyword is only shipping prefixed so far, pending CSSWG agreement to unprefix).
- CSS.escape() -
CSS.escape()serializes a string as a CSS identifier. This enables developers to easily and securely do things like escaping a string for use as part of a selector.
- Cache API is restricted to secure origins - Cache API exposed to window and worker contexts (not just service worker) shipped in Chrome 43. As of Chrome 46, the API is restricted to secure origins (HTTPS only), per https://github.com/slightlyoff/ServiceWorker/issues/709.
- Cache.addAll() - addAll() takes an array of RequestInfo objects, fetches them and adds the response objects into this Cache object.
- DOMException constructor - Allow DOMExceptions to be created from script.
- Deprecate and remove Request.context - Request.context was implemented in Chrome 44, but is removed from the spec.
- Event.isTrusted attribute - Event.isTrusted is an attribute that is true when the event was generated by a user action, and false when the event was created or modified by script, or dispatched via dispatchEvent.
- Fetch API: Request.redirect - Request.redirect could be "follow", "error" or "manual". If it is "follow", fetch() API follows the redirect response (HTTP status code = 301,302,303,307,308). If it is "error", fetch() API treats the redirect response as an error. If it is "manual", fetch() API doesn't follow the redirect and returns an opaque-redirect filtered response which wraps the redirect response.
- HTTP Client Hints: DPR, Width, Viewport-Width - DPR, Width, and Viewport-Width hints enable proactive content negotiation between client and server, enabling automated delivery of optimized assets - e.g. auto-negotiating image DPR resolution, image size, and other optimized assets based on signals such as client's viewport width.
- HTTP Public Key Pinning violating reporting - HTTP Public Key Pinning (HPKP) allows websites to send an HTTP header that pins one or more of the public keys present in the sites certificate chain. This feature tracks the implementation of HPKP reporting, which allows website owners to receive reports when the browser detects HPKP violations.
- Parsing background_color from Web Application Manifest - The background_color attribute in the JSON Web Application Manifest allows web developers to provide a hint to Chrome indicating the background color of their web application. This color is used as the background of the application while its resources are fetched.
- Parsing theme_color from Web Application Manifest - The theme_color attribute in the JSON Web Application Manifest allows web developers to provide a global theme color which can be used throughout their entire website. This color is used for the header in the recents menu of Android.
- Performance Timeline APIs for Workers - Performance Timeline APIs (User Timing and Resource Timing) are now available to Web Workers.
- PerformanceResourceTiming.workerStart - PerformanceResourceTiming.workerStart attribute allows developers to instrument and measure ServiceWorker startup time.
- Referrer Policy - HTML referrerpolicy attribute - Support for the HTML referrerpolicy attribute on elements: <a>, <area>, <img>, <iframe> (and possibly others) allowing authors to set a Referrer-Policy for a single request associated with the HTML element referencing a sub-resource. More details are disclosed in the spec.
- Resource Hints - preconnect - Adds support for <link rel="preconnect" href="..."> (and the equivalent HTTP link header) as a hint that the browser should predictively open a connection to the supplied server/protocol for resources that will be needed later in the loading process.
- Service workers: Clients.matchAll() returns clients in MRU order - Clients.matchAll sorts the clients in most-recently-focused order.
- ServiceWorkerRegistration.update() returns a promise - update() pings the server for an updated version of this Service Worker registration. This feature was shipped in milestone 45. In milestone 46, update() returns a promise that resolves with 'undefined' if the operation completed successfully or there was no update, and rejects if update failed. If the new worker ran but installation failed, the promise still resolves (same with register()).
- Spread (call and array) (ES6) - Spread calls allow an iterable expression to be spread into function arguments, similar to using Function.prototype.apply. Spread array allows an array literal to contain spread expressions which spreads the values of the iterator into the array.
- Unprefixed Resource Timing API - Resource Timing extensions to the Performance interface without the "webkit" prefix.
- WebRTC Data Channel buffer monitoring with the "bufferedamountlow" event - This event allows pages to use WebRTC DataChannels for high-throughput applications more efficiently and conveniently, by removing the need to use timer-based polling for output buffer management.
- new.target (ES6) - new.target is a "meta-property" available in all functions. It refers to the constructor invoked by 'new' (if a construct call is underway) or undefined otherwise.
The new release also includes 24 security fixes. Chrome team highlighted the following fixes that were contributed by external researchers:
- CVE-2015-6755: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
- CVE-2015-6756: Use-after-free in PDFium. Credit to anonymous.
- CVE-2015-6757: Use-after-free in ServiceWorker. Credit to Collin Payne.
- CVE-2015-6758: Bad-cast in PDFium. Credit to Atte Kettunen of OUSPG.
- CVE-2015-6759: Information leakage in LocalStorage. Credit to Muneaki Nishimura (nishimunea).
- CVE-2015-6760: Improper error handling in libANGLE. Credit to Ronald Crane, an independent security researcher.
- CVE-2015-6761: Memory corruption in FFMpeg. Credit to Aki Helin of OUSPG and Khalil Zhani.
- CVE-2015-6762: CORS bypass via CSS fonts. Credit to Muneaki Nishimura (nishimunea).
- CVE-2015-6763: Various fixes from internal audits, fuzzing and other initiatives.
- CVE-2015-7181, CVE-2015-7182, CVE-2015-7183: NSS and NSPR memory corruption issues.
- Multiple vulnerabilities in V8 fixed at the tip of the 4.6 branch (currently 220.127.116.11).
Happy cross-browser testing in Chrome 46!
Email this blog post to your friends or yourself!
Enter a URL to test, choose platform, browser and version, and you'll get a live interactive browser in 5 seconds!