We just setup Chrome 48 in our cross-browser testing cloud. This browser version was released today by Google for Windows, OSX and Linux platforms. You can now start testing your websites in Chrome 48!

Web testing in Chrome 48

Try Chrome 48 in Browserling now!

Updates in Chrome 48

  • Tab discardin was enabled by default in chrome://flags.
  • Window change in right-clicking an embedded web link.
  • The key icon in Save your password turns black.
  • Clear browsing history has been improved.
  • Bug fixes and speed performance improvements.
  • Use WKWebView, the latest rendering engine from Apple (iOS).
  • The crash rate was reduced by 70% and JavaScript execution is now faster (iOS).
  • Redesigned icons on the New Tab page: easier access to more of your frequently-visited sites (iOS).
  • Spotlight integration: Drag down or right from the Home screen and search for your Chrome bookmarks (iOS).

Developer Changes in Chrome 48

  • CSS Font Loading API - FontFaceSet interface - Update FontFaceSet to confirm the latest spec. Now, FontFaceSet behaves as setlike<FontFace> with entries(), keys(), values(), and iterator. Also add() and remove() are changed not to throw InvalidModificationError on handling CSS-connected FontFaces.
  • CSS font-feature-settings - This property provides low-level control over OpenType font features. It is intended as a way of providing access to font features that are not widely used but are needed for a particular use case. Currently available with the -webkit prefix. This is about shipping the unprefixed version AND deprecating the prefix version.
  • Remove SVGGraphicsElement.getTransformToElement - Remove the support of SVGGraphicsElement.getTransformToElement.
  • Deprecate/remove support for CSS intrinsic and min-intrinsic - Intrinsic and min-intrinsic are webkit/blink-specific keywords for the standard fit-content and min-content keywords, recently unprefixed. intrinsic and min-intrinsic were deprecated in Chrome 47 and removed in Chrome 48.
  • Fetch API: data and blob schemes support - Fetch to data or blob schemes: fetch('data:...') fetch('blob:...').
  • Remove HTMLFrameElement.prototype.getSVGDocument() - Per spec the getSVGDocument() method should be only on HTMLEmbedElement, HTMLIFrameElement and HTMLObjectElement.
  • Offline/Storage: Indexed DB: Replace DOMError with DOMException - DOMError has been removed from the DOM standard in favor of DOMException, and the Indexed DB draft spec has been updated to use DOMException for error attributes. The error attribute on IDBRequest and IDBTransaction will now return DOMException instances instead of DOMError instances. Both types have 'name' and 'message' properties, so code that tests properties (e.g. request.error.name) or does logging (e.g. transaction.error.message) will be unaffected.
  • Offline/Storage: IndexedDB getAll() methods - Indexed DB "batched get" APIs and two other methods that have been implemented in FF for some time: IDBObjectStore.getAll(), IDBObjectStore.getAllKeys(), IDBIndex.getAll(), IDBIndex.getAllKeys(), IDBObjectStore.openKeyCursor(), and IDBTransaction.objectStoreNames().
  • Realtime/Communication: MediaStreamTrack.remote attribute - This allows Javascript to know whether a WebRTC MediaStreamTrack is from a remote source or a local one.
  • More correct CSS min-width/height: auto implementation for flex items - The implied minimum size of a flex item (min-width: auto / min-height: auto) will now also work correctly when flex-basis is not auto.
  • Notification action buttons - Support for the NotificationOptions.actions, Notification.actions and Notification.maxActions attributes, which allow authors to show action buttons alongside a notification. These allow users to quickly handle the most common tasks for a particular notification, without having to open the originating website. As of Chrome 53, the Notification.actions property is exposed as well.
  • Security: Remove RC4 - RC4 is a 28 year old cipher that has done remarkably well, but it is now the subject of several, significant attacks. The IETF has decided that RC4 is sufficiently bad to warrant a statement that it must no longer be used (RFC 7465). When Chrome makes an HTTPS connection it has an implicit duty to do what it can to ensure that the connection is secure. At this point, the use of RC4 in an HTTPS connection is falling below that bar.
  • Graphics: Remove SVG glyph-orientation-horizontal and glyph-orientation-vertical - CSS writing modes evolved since SVG has forked its old specification and add these properties. It now includes better alternatives for these properties, and recommend to deprecate. Since the usage of these properties are low enough that simply removing them should simplify the work for both browser developers and web developers. Web developers can now use CSS text-orientation property for SVG text.
  • Graphics: Remove darker composite operator - deprecate darker composite operator because Compositing spec doesn't contain "darker" composite operator.
  • Graphics: Remove SVGPathSeg interfaces - The SVGPathSeg interfaces were part of SVG 1.1, but have been removed. Use a polyfill if you still need it.
  • Network/Connectivity: ServiceWorkerRegistration.update() does not bypass the browser HTTP cache - Before this feature, update() always bypassed the browser cache. Now, it only does so if the previous update check occurred over 24 hours ago.
  • DOM: Remove TextTrackList and TextTrackCueList item methods - Per spec the TextTrackList and TextTrackCueList have anonymous indexed getters, but no item method.
  • User input: Touch and TouchEvent constructors - The constructor creates a Touch/TouchEvent object from an init dictionary like other event types, also able to initialize UIEvent fields. More favorable than the old "document.create... + e.init..." way.
  • DOM: UI Events KeyboardEvent code attribute - The KeyboardEvent code attribute contains information about the key event that can use used identify the physical key being pressed by the user.
  • Unprefixed CSS Writing Modes with syntax updates - CSS Writing Modes Level 3 without "webkit" prefix, along with syntax updates to the most recent CR. As part of the work, a non-standard value "horizontal-bt" is removed from -webkit-writing-mode.
  • Realtime/Communication: VP9 software encoder/decoder in Chrome for WebRTC - Include a VP9 video codec encoder and decoder in Chrome for use with WebRTC.
  • WebAudio: Support chaining on AudioNode.connect() and AudioParam automation methods - This is to support method chaining on AudioNode.connect() and the automation methods of AudioParam object. The current implementation does not return anything when these methods get executed. It improves the control flow and the readability of Web Audio JS code.
  • Network/Connectivity: navigator.connection.downlinkMax, wimax, and onchange - Add support for the downlinkMax attribute which provides the maximum theoretical bandwidth that the current connection can support. Also add "wimax" as a connection type. Also adds support for the connection.onchange event. The ontypechange event will be deprecated later.

Security fixes in Chrome 48

Chrome 48 includes thirty seven security fixes. These fixes were highlighted by Google:

  • CVE-2016-1612: Bad cast in V8. Credit to cloudfuzzer.
  • CVE-2016-1613: Use-after-free in PDFium. Credit to anonymous.
  • CVE-2016-1614: Information leak in Blink. Credit to Christoph Diehl.
  • CVE-2016-1615: Origin confusion in Omnibox. Credit to Ron Masas.
  • CVE-2016-1616: URL Spoofing. Credit to Luan Herrera.
  • CVE-2016-1617: History sniffing with HSTS and CSP. Credit to Yan Zhu.
  • CVE-2016-1618: Weak random number generator in Blink. Credit to Aaron Toponce.
  • CVE-2016-1619: Out-of-bounds read in PDFium. Credit to Keve Nagy.

Happy cross browser testing in Chrome 48!