Posted on April 13, 2016
Chrome 50 is available for browser testing! It was just released 30 mins ago by Google and we already have it installed on our servers. Start testing your apps now!
Try Chrome 50 in Browserling now!
Key Changes in Chrome 50
- Chrome 50 no longer supports Windows XP and Vista.
- Auto-fill form letters are now highlighted in bold.
- Bug fixes, stability fixes and speed performance improvements (Android, iOS).
Chrome 50 Developer News
- Network/Connectivity: Accept-encoding: br on HTTPS connection - Brotli (shortname "br") is used in WOFF 2.0 web fonts with great success. This is about making it available as an HTTP content-encoding method (e.g. Accept-Encoding: br). Advantages of Brotli over gzip:
  - significantly better compression density
  - comparable decompression speed
- Device: Access relative and absolute orientation sensors from Chrome for Android for Virtual and Augmented Reality - In summary, this feature includes the following changes/additions:
  - make 'deviceorientation' relative by default
    - now compatible with Safari on iOS,
    - better usability (no drift) for VR applications,
    - not reliant on the magnetometer, hence no interference in the presence of magnetic fields.
  - add a dedicated 'deviceorientationabsolute' event for AR applications.
- CSS column-fill property - column-fill is the one missing CSS property from the multicol spec (not counting break-after, break-before or break-inside, which really belong in a more generic spec for fragmentation). This property is used to tell the engine whether columns should be balanced or not. If they are balanced, each column gets similar amounts of content inside. If they are not balanced, each column will be filled to the height of the multicol container, until we run out of content.
- DOMTokenList validation - DOM's DOMTokenList has a "supported tokens" concept which will enable feature detection of things like sandbox flags and link relations.
- Remove CSS's -webkit-background-composite - Removing -webkit-background-composite as the property is non-standard and supported only by WebKit and Blink.
- Realtime/Communication: Remove some nonstandard uses of RTCPeerConnection legacy methods - The latest version of the WebRTC spec introduces new promise-based methods for the RTCPeerConnection interface while keeping support for legacy callback-based methods. Some nonstandard uses of the legacy methods prevent the implementation of the new promise-based methods due to overloading conflicts and they are now deprecated. More specifically, calling createOffer() and createAnswer() without providing a failure callback (mandatory in the spec, but optional in Chromium) is now deprecated.
- Performance: Remove <link rel=subresource> - Remove support for the "subresource" rel of HTMLLinkElement, as it is not useful, proprietary, and buggy.
- Remove Document.defaultCharset - DOM's defaultCharset attribute on the Document interface is non-standard and will be removed.
- Misc: FormData methods for inspection and modification - The FormData object allows pages to programmatically construct a list of key/value entries that can be submitted via XHR just like an HTML form. Previously, the object was write-only via a single append() method. The spec was fleshed out to add has(), get(), getAll(), delete(), set(), entries(), keys(), values(), forEach() and Symbol.iterator() methods to allow inspection, iteration and modification.
- Graphics: HTMLCanvasElement toBlob - Creates a Blob object representing a file containing the image in the canvas, and invokes a callback with a handle to that object.
- Multimedia: HTMLMediaElement.play() returns a promise - This allows a simpler flow for knowing whether playback started or failed. It also allows the UA to reject the promise if playback is not allowed in the current context, solving the problem websites have detecting whether autoplay restrictions blocked the playback.
- Graphics: ImageBitmap - An ImageBitmap object represents a bitmap image that can be painted to a canvas without undue latency. An ImageBitmap object can be obtained from a variety of different objects, using the createImageBitmap() method. ImageBitmap provides an asynchronous and resource efficient pathway to prepare textures for rendering in WebGL.
- User input: Remove KeyboardEvent.prototype.keyLocation - The keyLocation attribute allows disambiguating between keys that are on multiple places on a keyboard, like numbers and Enter. It is an alias of the location attribute, which is the more widely supported and standardized form. The keyLocation attribute will be removed.
- Multimedia: Media Source Extensions - SourceBuffer.mode attribute and 'sequence' AppendMode support - Add 'mode' attribute to SourceBuffer, and support the ability to use and switch among 'sequence' and 'segments' appendMode. 'segments' is the default (and current) behavior. 'sequence' enables web developers to simplify some types of media streaming apps that use Media Source Extensions (MSE). 'sequence' appendMode allows more flexibility to maintain a gap-free buffered media timeline for web apps.
- Realtime/Communication: Notification action icons - On some platforms the button rendered for a NotificationAction can display an icon. This change adds an optional icon url for notification actions.
- Realtime/Communication: Notification custom timestamps - By default, Web Notifications on Android display the time at which they were created in their top-right corner. However, this is not always appropriate. For example, when the device was offline the event could have happened in the past, or the notification could be shown for an upcoming meeting. The timestamp property enables developers to provide the time. Note that we don't visually surface the timestamp on desktop right now, but do use it to affect notification ordering.
- Realtime/Communication: Notification notificationclose event - Fire a notificationclose event when a notification has been closed by the user in the registered Service Worker.
- Realtime/Communication: Notification renotify preference flag - Allows a developer to specify whether a notification should play sound, light, and vibrate alerts again when the notification replaces another notification which is currently displayed.
- Performance: Preload - Defines the "preload" keyword that may be used with link elements. This keyword provides a declarative fetch primitive that initiates an early fetch and separates fetching from resource execution.
- Presentation API: implement PresentationConnection onconnect, onclose, onterminate and deprecate onstatechange - Deprecate PresentationConnection.onstatechange and implement explicit state transition events onclose. This allows us to expose a PresentationConnectionCloseReason for clients listening for
- Network/Connectivity: Push API: Payloads - The ability to include payloads with messages sent using the Push API. Message payloads must be encrypted.
- Security: Remove geolocation from Insecure Contexts - Chrome is deprecating and then removing geolocation from insecure contexts. Geolocation is a powerful feature that allows access to the user's precise location, which is a powerful privilege escalation for HTTP content injection. This will remove that attack vector by only allowing it over HTTPS.
- Security: Remove insecure TLS version fallback - TLS has a version negotiation mechanism to securely introduce new versions without breaking compatibility. Yet buggy servers implemented this wrong in the past, so browsers were forced to add (non-standard) insecure fallbacks to work around this. Unlike TLS's actual version negotiation, the fallback is insecure. Network attackers can downgrade to weaker versions, despite both client and server supporting newer, more secure versions. Note that this does not remove TLS 1.0 and TLS 1.1.
- DOM: Remove SVGElement.offset(Parent|Top|Left|Width|Height) - These attributes should only be supported on HTMLElement, but have been supported on all Elements in WebKit and Blink. getBoundingClientRect() can typically be used as a replacement.
- DOM: Sequential focus navigation starting point - The feature 'sequential focus navigation starting point' defines where we start to search for focusable area for sequential focus navigation (TAB or Shift-TAB) when there is no focused area.
- Multimedia: WebAudio: Biquad filters run at a-rate - Automations for the BiquadFilter node will run at a-rate (updated every frame) instead of the current k-rate (updated every rendering quantum of 128 frames).
- Security: X25519 for TLS - Curve25519, designed by Prof. Dan Bernstein, is one of the two curves selected by the CFRG for recommendation. When compared to P-256, the most commonly used curve in TLS today, it admits simpler, faster implementations that are more naturally resistant to side-channels. In Chrome 50, we will be adding support for X25519, the Diffie-Hellman primitive over curve25519, to TLS.
- Network/Connectivity: Remove XMLHttpRequestProgressEvent (position and totalSize) - The XMLHttpRequestProgressEvent interface will be removed, together with the attributes position and totalSize. Instead the ProgressEvent interface will be used, and the attributes loaded and total should be used instead.
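To make the "Remove insecure TLS version fallback" item above concrete, here is a toy model of version selection, added as an illustration and not taken from Chrome's code. The names (`connect`, `serverHello`, `pathAllows`, the `intolerant` flag) are hypothetical, and the servers and network path are constructed sample inputs; it shows why the fallback existed (version-intolerant servers) and why a client that keeps it can be pushed to TLS 1.0 even when both ends support TLS 1.2.

```javascript
// Toy model only: versions are indexed from weakest (0) to strongest (2).
const VERSIONS = ['TLS 1.0', 'TLS 1.1', 'TLS 1.2'];
const TLS12 = 2;

// Standard negotiation: the server answers with the highest version both
// sides support. A version-intolerant ("buggy") server instead aborts when
// it is offered a version newer than its own maximum.
function serverHello(offered, server) {
  if (server.intolerant && offered > server.max) return null;
  return Math.min(offered, server.max);
}

// Client logic. `pathAllows(offer)` is a hypothetical hook that models the
// network: returning false means that handshake attempt never completes.
// With `fallback` on, the client retries with a lower maximum version after
// any failure, which is the non-standard behaviour Chrome 50 removes.
function connect(client, server, pathAllows = () => true) {
  const offers = [];
  for (let offer = client.max; offer >= 0; offer--) {
    offers.push(VERSIONS[offer]);
    const agreed = pathAllows(offer) ? serverHello(offer, server) : null;
    if (agreed !== null) return { version: VERSIONS[agreed], offers };
    if (!client.fallback) break; // fail closed instead of downgrading
  }
  return { version: null, offers };
}

function scenarios() {
  // Constructed sample peers and network conditions.
  const modern = { max: TLS12, intolerant: false };
  const buggy = { max: 0, intolerant: true };
  const onlyOldHellosPass = (offer) => offer === 0; // interference on the path
  const withFallback = { max: TLS12, fallback: true };
  const noFallback = { max: TLS12, fallback: false };
  return {
    cleanPath: connect(noFallback, modern).version,
    buggyServerWithFallback: connect(withFallback, buggy).version,
    buggyServerNoFallback: connect(noFallback, buggy).version,
    interferedWithFallback: connect(withFallback, modern, onlyOldHellosPass).version,
    interferedNoFallback: connect(noFallback, modern, onlyOldHellosPass).version,
  };
}

console.log(scenarios());
```

The last two scenarios are the security-relevant pair: with the fallback the connection silently lands on TLS 1.0, and without it the handshake fails visibly.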
Chrome 50 Security Updates
This Chrome version includes 20 security fixes. Here are some that were contributed by external researchers:
- CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous.
- CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han.
- CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding. Credit to kdot.
- CVE-2016-1654: Uninitialized memory read in media. Credit to Atte Kettunen of OUSPG.
- CVE-2016-1655: Use-after-free related to extensions. Credit to Rob Wu.
- CVE-2016-1656: Android downloaded file path restriction bypass. Credit to Dzmitry Lukyanenko.
- CVE-2016-1657: Address bar spoofing. Credit to Luan Herrera.
- CVE-2016-1658: Potential leak of sensitive information to malicious extensions. Credit to Antonio Sanso.
Happy cross browser testing in Chrome 50!