Today Google released Chrome browser version 49. We just deployed to our cloud. You can start cross browser testing your webapps in this new browser.

Cross browser test in Chrome 49

Try Chrome 49 in Browserling now!

Short Summary of Chrome 49 Updates

  • Chrome 49 is the last version available for Windows XP and Vista, and Mac OS 10.6-10.8.
  • Extension icons now appear near search tab.
  • Changes in bookmark bar appearances.
  • Changes in incognito mode window.
  • Changes in scrollbar movement.
  • Changes in downloads page appearance/design.

All Chrome 49 Developer Updates

  • Security: 'noopener' link relation - The 'noreferrer' link relation currently governs both referrer policy for a navigation, as well as the 'opener' attribute of any newly created browsing context. The 'noopener' link relation gives devlopers the ability to control the latter without opting into the former.
  • Multimedia: Audio Output Devices API - This feature will incorporate a set of JavaScript APIs that let a Web application direct the audio output of a media element to authorized devices other than the system or user agent default.
  • Misc: Background Sync API - An API that extends Service Workers with an onsync event.
  • Security: CHACHA20_POLY1305 cipher suites for TLS - Chrome 31 deployed a new TLS cipher suite based on Prof. Dan Bernstein's ChaCha20 and Poly1305 algorithms. They run three times faster than AES-GCM on devices that don't have AES hardware acceleration, including most Android phones. These have now made their way through the standardization process. We'll be deploying the standardized variant in Chrome 49.
  • CSP: Insecure source expressions match secure URLs - In the wake of Sniffly, it seems pretty reasonable to prevent folks from locking themselves into insecurity. To that end, Insecure schemes in source expressions now match their secure variants. That is, http: is equivalent to http: https:, and to
  • CSS Custom Properties (CSS Variables) - Introduces cascading variables as a new primitive value type that is accepted by all CSS properties, and custom properties for defining them.
  • CSS Case-insensitive Attribute Selector Matching - An additional modifier ('i') for attribute selectors, that allows an author to match an attribute (ASCII) case-insensitively.
  • Security: Cookie Prefixes - This feature adds a set of restrictions upon the names which may be used for cookies with specific properties. These restrictions enable user agents to smuggle cookie state to the server within the confines of the existing "Cookie" request header syntax, and limits the ways in which cookies may be abused. In a nutshell: __Secure-* cookies have to have the Secure flag, and __Host-* cookies have to have Path=/, can't have Domain, and might require Secure (depending on the setter).
  • JavaScript: Default parameters (ES6) - Allows formal parameters to be initialized with default values if no value (or 'undefined') is passed.
  • User input: Deprecate and Remove webkitMovementX/Y - Remove prefixed version of MouseEvent.webkitMovementX/Y leaving Pointer Lock specification version: MouseEvent.movementX/Y.
  • JavaScript: Destructuring (ES6) - Destructuring assignment allows extracting data from arrays or objects using a syntax that mirrors array and object literals.
  • Network/Connectivity: Fetch API: New value "navigate" for Request.mode - Introduce a new value "navigate" for Request.mode of the Fetch API. "navigate" mode is intended to be used only for navigation.
  • Network/Connectivity: FetchEvent.clientId attribute - A read-only attribute that indicates the id of the Client object that initiated this fetch request. For a navigation request and worker (dedicated worker and shared worker) script fetch, this attribute returns null.
  • Multimedia: HTMLMediaElement.disableRemotePlayback - This attribute allows websites to tell the UA that they do not wish for a media element to be played remotely. The UA will prevent the element from being played remotely and will not show any UI advertising remote playback.
  • Network/Connectivity: HTTP Client Hints: Save-Data - The "Save-Data" header field is a boolean that, in requests, indicates client's explicit opt-in for reduced data usage, due to high transfer costs, slow connection speeds, or other reasons. When communicated to origins, it allows them to deliver alternate content honoring such preference - e.g. smaller image and video resources, alternate "light mode" markup, etc.
  • DOM: High Resolution Time Stamp for Events - Change Event.timeStamp to be a DOMHighResTimeStamp which is a high resolution monotonic time with microseconds resolution instead DOMTimeStamp which is an epoch time with millisecond resolution. For input events, the timestamp value will represent the underlying OS timestamp for the event. High resolution monotonic timestamp for input events enables new functionality such as accurate measurement of pointer velocity, simple input latency measurements, and etc.
  • Network/Connectivity: Intervention: WebFonts use adaptive timeouts to take fallback fonts - Originally, Blink use fallback fonts if the font loading isn't finished in 3 seconds. But this timeout value wasn't defined in any spec. Blink changes this timeout adaptively to improve performance on slow connections. If font-display feature is enabled, this change happens only if 'auto' is specified to follow the font-display spec. Otherwise, it happens always. The definition of slow connection would be changed in the field trial.
  • Multimedia: MediaRecorder - Encode audio and video streams in the browser.
  • DOM: Remove Navigator.getStorageUpdates() - The getStorageUpdates() method for Navigator is no longer in the spec, and is a no-op.
  • DOM: Promise rejection tracking events - Introduces a pair of events on the global objects, unhandledrejection and rejectionhandled, for tracking promise rejections.
  • JavaScript: Proxies (ES6) - Proxies are objects for which the programmer has to define the semantics in JavaScript.
  • JavaScript: Reflect (ES6) - Improved imperative methods for invoking, examining or modifying values at runtime.
  • CSS: Deprecate and remove non-standard getComputedStyle(e).css behaviour - getComputedStyle(e).css (except for .cssFloat) is non-standard behaviour that only Blink and WebKit support. In all cases it is aliased by getComputedStyle(e).*. Chrome team is proposing to deprecate and remove this functionality in an upcoming release.
  • JavaScript: Sloppy mode block bindings (let, class, const, function) (ES6) - Enable ES6-style block-scoped bindings including let and class in sloppy mode, and modify semantics of const and function to operate according to ES6 in sloppy mode.
  • JavaScript: Symbol.toStringTag (ES6) - Using Symbol.toStringTag, user-defined types can return customized output when passed to Object.prototype.toString (either directly or as a result of string coercion) by storing a descriptive string in a Symbol.toStringTag-keyed property.
  • DOM: URLSearchParams - The URLSearchParams interface allows developers to (shock!) manipulate the search params of a URL. It also provides a mechanism to POST data via fetch() with a urlencoded body vs. the multipart body that FormData produces.
  • Multimedia: WebAudio: Add IIRFilterNode - Add a new node, IIRFilterNode, that implements a general IIR filter. The coefficients are fixed at creation and not changeable with no automation functions allowed.
  • Multimedia: WebAudio: OfflineAudioContext.suspend() and resume() - Adds suspend() and resume() feature in OfflineAudioContext to support the synchronous graph manipulation with the render block precision (k-rate) in the non-realtime audio rendering.
  • Multimedia: WebAudio: decodeAudioData returns a Promise - AudioContext.decodeAudioData returns a Promise that is resolved when decoding the audio data is finished. This is in addition to the existing callbacks, which are now optional.
  • Offline/Storage: WindowClient.navigate() for Service Worker - The method can instruct a controlled window client to navigate to a different url.
  • DOM: addEventListener/removeEventListener EventListenerOptions API - Add an additional API to addEventListener/removeEventListener which takes EventListenerOptions dictionary. void [add|remove]EventListener(DOMString type, EventListener listener, EventListenerOptions options); Currently other platforms (Gecko) add additional booleans to the argument list to modify the behavior of the added event listeners. We'd like to turn this into a dictionary (EventListenerOptions) so that is a more flexible API for future work.
  • DOM: addEventListener/removeEventListener non-optional arguments - For a very long time, the first two arguments (type and listener) of addEventListener and removeEventListener have been optional, where they are non-optional in the spec and other browsers. This will change, so that calling these methods with zero or one argument will start to throw exceptions.

Chrome 49 Security Fixes

There were twenty six security updates in Chrome 49 release. Here are the most important browser security fixes:

  • CVE-2016-1630: Same-origin bypass in Blink. Credit to Mariusz Mlynski.
  • CVE-2016-1631: Same-origin bypass in Pepper Plugin. Credit to Mariusz Mlynski.
  • CVE-2016-1632: Bad cast in Extensions. Credit to anonymous.
  • CVE-2016-1633: Use-after-free in Blink. Credit to cloudfuzzer.
  • CVE-2016-1634: Use-after-free in Blink. Credit to cloudfuzzer.
  • CVE-2016-1635: Use-after-free in Blink. Credit to Rob Wu.
  • CVE-2016-1636: SRI Validation Bypass. Credit to Ryan Lester and Bryant Zadegan.
  • CVE-2015-8126: Out-of-bounds access in libpng. Credit to joerg.bornemann.
  • CVE-2016-1637: Information Leak in Skia. Credit to Keve Nagy.
  • CVE-2016-1638: WebAPI Bypass. Credit to Rob Wu.
  • CVE-2016-1639: Use-after-free in WebRTC. Credit to Khalil Zhani.
  • CVE-2016-1640: Origin confusion in Extensions UI. Credit to Luan Herrera.
  • CVE-2016-1641: Use-after-free in Favicon. Credit to Atte Kettunen of OUSPG.

Happy cross browser testing in Chrome 49!