Chrome 51 is now available for cloud testing in Browserling! This new Chrome version was released today by Google and you can already start testing your websites in this browser.

Cloud testing in Chrome 51

Try Chrome 51 in Browserling now!

Chrome 51 New Features

  • Security: 'SameSite' cookie attribute - Same-site cookies ("First-Party-Only") allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.
  • Security: AES_256_GCM for TLS - Historically, TLS used AES ciphers based on a flawed CBC-mode-based construction. These ciphers are fragile and very difficult to implement securely. TLS 1.2 added better ciphers based on AES-GCM. Chrome currently supports AES_128_GCM, but many servers order by key size above all else, placing the legacy AES_256_CBC above our preferred AES_128_GCM. To simplify server configuration and negotiate modern ciphers with more existing servers, the Chrome team will be adding AES_256_GCM as well.
  • JavaScript: Array subclassing and Symbol.species support - ES2015 changes the semantics of Arrays and certain other classes to create subclass instances from certain methods, and allow a new interception point, Symbol.species, to control whether it's actually the subclass or another class which is instantiated. For example, constructs instances of the subclass as its output, with the option to customize this by changing Symbol.species.
  • File APIs: Asynchronous Blob Construction - Large blobs previously blocked the renderer while transferring data to the browser. This is now asynchronous, which speeds up blob construction. This is the first part of the plan to allow blob data to be saved on disk, which removes the 500MB limit on blob storage.
  • CSS @apply Rule - The CSS @apply rule allows authors to define custom properties which contain declaration lists and then apply them inside style rules. This allows custom properties to be used for theming in a more extensible way than var() references.
  • CSS border-image: respect border style - Blink will begin to require a border style in order to paint border images. This has always been required by the spec, but has not been enforced. In order to not be affected by this change, add e.g. 'border-style:solid' where border-image is used.
  • CSS font-display - A new @font-face descriptor and a corresponding property for controlling how a downloadable font renders before it is fully loaded.
  • Network/Connectivity: Clients.get(id) - A method that gets a service worker's Client object matching a given id and returns a promise that resolves with it.
  • CSS: Correct handling of percentages in children of flex items - Certain flex items should be considered to have definite sizes, and therefore if a child element of a flex item uses percentage sizes, they should work.
  • Misc: Credential Management API - The API provides a programmatic interface to the browser's credential manager. In short, an origin can request a user's credentials to sign them in, or can ask the browser to save credentials on the user's behalf. Both of these requests are user-mediated.
  • JavaScript: Remove custom messages in onbeforeunload dialogs - A window's onbeforeunload property may be set to a function that returns a string. If the function returns a string, then before unloading the page, a dialog is shown to have the user confirm that they indeed want to navigate away. The string provided by the function will no longer be shown in the dialog. Rather, a generic string not under the control of the webpage will be shown.
  • Security: Deprecate DHE-based ciphers - Last year, Chrome raised the minimum TLS Diffie-Hellman group size from 512-bit to 1024-bit. As mentioned then, 1024-bit is insufficient for the long term. However, metrics report that around 95% of DHE connections seen by Chrome use 1024-bit DHE. This, compounded with how DHE is negotiated in TLS, makes it difficult to move past 1024-bit. Servers should upgrade to ECDHE if available. Otherwise, ensure a plain-RSA cipher suite is enabled.
  • Network/Connectivity: Remove SPDY/3.1 - SPDY/3.1 is the experimental application layer protocol that provides performance improvements over HTTP/1.1 by, for example, connection multiplexing and server push. SPDY/3.1 is superseded by HTTP/2, which was published as an RFC last May.
  • Network/Connectivity: Remove TLS Next Protocol Negotiation - NPN was the TLS extension used to negotiate SPDY (and, in transition, HTTP/2). During the standardization process, NPN was replaced with ALPN, published as RFC 7301 in July 2014. Chromium team intends to remove NPN at the same time as the SPDY removal.
  • DOM: Deprecate 'results' attribute for <input type=search> - In Blink, 'results' attribute just adds a magnifier icon to an INPUT field. It's a cosmetic feature. In desktop Safari, it controls how many submitted queries are shown in a popup opened by clicking the magnifier icon. This is a WebKit-extension, and it seems no one tried to standardize it.
  • JavaScript: ES2015 RegExp subclassing semantics - This feature allows RegExp subclasses to override RegExp.prototype.exec and flags to change the semantics of higher-level functionality, such as String.prototype.replace. Previous JavaScript versions always used the original value of exec from replace. This feature makes it easier to implement new RegExp subclasses by changing a single core piece, without duplicating the higher level integration logic.
  • Realtime/Communication: ExtendableMessageEvent on ServiceWorkerGlobalScope - ServiceWorker.postMessage() now results in an ExtendableMessageEvent fired on ServiceWorkerGlobalScope as a 'message' event. ExtendableMessageEvent.waitUntil() extends its lifetime until a passed Promise is settled. Before this change, postMessage() resulted in a MessageEvent fired on the global scope.
  • JavaScript: Function "name" property (ES6) - In ECMAScript 2015, the "name" property on anonymous Function objects is sometimes set based on the syntactic position of the function (or class) expression. For example: var x = function() { }; x.name === 'x'
  • Performance: Intersection Observer - The Intersection Observer API can be used to asynchronously observe changes in the intersection of a target Element with an ancestor element (for infinite scrolling lists) or the top-level document's viewport (for 'viewability' tracking).
  • JavaScript: Iterable Array-like DOM interfaces - Adds Symbol.iterator to any DOM interface containing an indexed property getter, and a "length" property, such as HTMLAllCollection, FileList or MediaList. This enables their use in ECMAScript 6 for-of loops.
  • Realtime/Communication: Media Capture from Canvas - "Media Capture from DOM Elements" document by W3C defines captureStream() method that allows the capture of the <canvas> element in the form of a MediaStream. We want to implement the necessary Blink and Chromium sections that would create this stream by accessing the canvas output according to the given frame rate constraints.
  • DOM: Non-standard contenteditable=plaintext-only limits white-space CSS property - Blink supports plaintext-only editing mode by contenteditable=plaintext-only and -webkit-user-modify:read-write-plaintext-only. This is a non-standard feature inherited from WebKit. An element with plaintext-only editing silently changes white-space CSS property: normal to pre-wrap, nowrap to pre, pre-line to pre-wrap, in order to insert \n by typing Enter key instead of <br>, and insert a space character by typing a space key instead of nbsp.
  • JavaScript: Object.getOwnPropertyDescriptors() - Retrieve all own PropertyDescriptors from an object, which could be used by Object.create() or Object.defineProperties().
  • Misc: Origin Trials Framework - Implement a framework for exposing experimental features in the browser, but only to specific/registered origins, for limited duration and subject to global usage caps.
  • User input: Passive event listeners - Expose a "passive" boolean in the EventListenerOptions dictionary. When a listener is registered as passive, calling preventDefault inside its callback only generates a warning in the console. This can be used to dramatically improve scrolling performance.
  • Device: Presentation API - Gives ability to access external presentation-type displays and use them for presenting web content.
  • Realtime/Communication: RTCPeerConnection promise-based methods - Add promise-based versions of RTCPeerConnection methods: setLocalDescription, setRemoteDescription, addIceCandidate, createOffer and createAnswer. To be done in 2 steps. First, setLocalDescription, setRemoteDescription and addIceCandidate (anticipated in M50). The new versions of these don't have any overloading issues that can cause problems for existing code. For createOffer and createAnswer the overloading issues will be solved before adding the promise-based versions (anticipated in M51).
  • Security: Referrer Policy - HTML referrerpolicy attribute - Support for the HTML referrerpolicy attribute on elements: <a>, <area>, <img>, <iframe> (and possibly others) allowing authors to set a Referrer-Policy for a single request associated with the HTML element referencing a sub-resource. More details are disclosed in the spec.
  • Security: Referrer Policy: HTMLLinkElement referrerpolicy attribute - Support for the HTML referrerpolicy attribute on <link> elements allowing authors to set a Referrer-Policy for a single request associated with the HTML element referencing a sub-resource. More details are disclosed in the spec.
  • User input: Remove propagation of mouse wheel events to parent iframe - When an iframe does not handle a mouse wheel event, it is currently dispatched to the parent iframe. Mouse wheel events are unique in this dispatching aspect, and the other vendors, Firefox and Microsoft, don't dispatch the event to the parent iframe. This request is to make Chrome match Firefox and Edge. Some public discussion has happened on Firefox's bug where a web developer asked Mozilla to implement similar behavior to Chrome.
  • DOM: Remove: OSX-specific appearances of <meter> - Remove the following -webkit-appearance values: continuous-capacity-level-indicator, discrete-capacity-level-indicator, relevancy-level-indicator, rating-level-indicator.
  • JavaScript: Tail calls elimination (ES6) - Guarantee "no stack consumption" for function invocations in tail call positions.
  • DOM: UIEvents KeyboardEvent key attribute - The KeyboardEvent key attribute contains information about the character being generated by the key event.
  • Offline/Storage: URL.createObjectURL and URL.revokeObjectURL should not be exposed in Service Workers (deprecated) - URL.createObjectURL and URL.revokeObjectURL should not be exposed in Service Workers.
  • DOM: URL.searchParams readonly attribute - Access the query portion of a URL by way of a URLSearchParams object.
  • Graphics: Web Animations JavaScript API - A unified model for supporting animation and synchronization on the Web platform. This feature covers bug and interop fixes to bring Chrome in line with the spec: lists of values in keyframes; remove dashed-names as keys in keyframes.
  • Multimedia: WebAudio: OfflineAudioContext.length attribute - Add a length attribute to an OfflineAudioContext that indicates the length (in frames) that the offline context will render.
  • Misc: visualViewport API - Exposes information about the visual viewport to the page.
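
To make the 'SameSite' cookie attribute item above concrete, here is an added example (not code from Chrome or Browserling) that models the browser's decision to attach a cookie to a request. It goes beyond the bullet by also modelling the Lax mode; the hosts bank.example and evil.example, the function names, and the two-label registrable-domain shortcut are assumptions made for illustration.

```javascript
// Constructed sample: a session cookie set by a hypothetical bank.example server.
const SAMPLE_SET_COOKIE = 'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict';

// Parse name, value and SameSite mode out of a Set-Cookie header value.
// Only explicit Strict/Lax values are modelled; anything else means
// "no same-site restriction" in this sketch.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null };
  for (const attr of attrs) {
    const m = /^samesite=(strict|lax)$/i.exec(attr);
    if (m) cookie.sameSite = m[1].toLowerCase();
  }
  return cookie;
}

// Assumption: the registrable domain is the last two labels of the host.
// Browsers consult the Public Suffix List instead (think of example.co.uk).
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Decide whether the cookie travels with a request.
// req = { initiatorHost, targetHost, method, topLevelNavigation }
function shouldSendCookie(cookie, req) {
  if (cookie.sameSite === null) return true; // no restriction requested
  const sameSite =
    registrableDomain(req.initiatorHost) === registrableDomain(req.targetHost);
  if (sameSite) return true;
  if (cookie.sameSite === 'strict') return false; // never sent cross-site
  // Lax: cross-site only for top-level navigations using a safe method.
  const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(req.method.toUpperCase());
  return Boolean(req.topLevelNavigation) && safe;
}

// A form on evil.example auto-submitting a POST to the bank: cookie withheld.
const forged = {
  initiatorHost: 'evil.example',
  targetHost: 'www.bank.example',
  method: 'POST',
  topLevelNavigation: true,
};
console.log(shouldSendCookie(parseSetCookie(SAMPLE_SET_COOKIE), forged)); // false
```

The forged cross-site POST is exactly the CSRF shape the attribute is meant to defuse: the request still reaches the server, but without the session cookie.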
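
The AES_256_GCM and DHE items above both turn on how a server's cipher-suite ordering decides what gets negotiated. The following added example (not code from Chrome or from this page) simulates server-preference selection and audits a server order for the two problems described; the suite lists are constructed and shortened, and the function names are assumptions.

```javascript
// Constructed, shortened suite lists using IANA cipher suite names.
// Hypothetical server that ranks purely by key size:
const SERVER_BY_KEY_SIZE = [
  'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
  'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
  'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
];
// Client offer without AES_256_GCM, then with it added.
const CLIENT_BEFORE = [
  'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
  'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
];
const CLIENT_AFTER = ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', ...CLIENT_BEFORE];

// Server-preference negotiation: the first server suite the client also offers.
function negotiate(serverOrder, clientOffer) {
  const offered = new Set(clientOffer);
  return serverOrder.find((suite) => offered.has(suite)) || null;
}

// Split a suite name into key exchange, AES key size and mode (null if unknown).
function classify(suite) {
  const m = /^TLS_(ECDHE|DHE|RSA)(?:_[A-Z]+)?_WITH_AES_(128|256)_(GCM|CBC)_/.exec(suite);
  return m ? { kex: m[1], keyBits: Number(m[2]), mode: m[3] } : null;
}

// Flag DHE suites and any CBC suite ranked above a GCM suite.
function audit(serverOrder) {
  const parsed = serverOrder.map(classify);
  const findings = [];
  parsed.forEach((p, i) => {
    if (!p) return;
    if (p.kex === 'DHE') findings.push({ suite: serverOrder[i], issue: 'dhe-deprecated' });
    const gcmBelow = parsed.slice(i + 1).some((q) => q && q.mode === 'GCM');
    if (p.mode === 'CBC' && gcmBelow) {
      findings.push({ suite: serverOrder[i], issue: 'cbc-above-gcm' });
    }
  });
  return findings;
}

console.log(negotiate(SERVER_BY_KEY_SIZE, CLIENT_BEFORE)); // the legacy CBC suite wins
console.log(negotiate(SERVER_BY_KEY_SIZE, CLIENT_AFTER));  // a GCM suite wins
console.log(audit(SERVER_BY_KEY_SIZE));
```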

Chrome 51 Security Fixes

Chrome 51 brings forty-two security fixes. Here are some that were listed by the Chrome team:

  • CVE-2016-1682: CSP bypass for ServiceWorker. Credit to KingstonTime.
  • CVE-2016-1678: Heap overflow in V8. Credit to Christian Holler.
  • CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko.
  • CVE-2016-1687: Information leak in extensions. Credit to Rob Wu.
  • CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu.
  • CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen of OUSPG.
  • CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.
  • CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski.
  • CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire.
  • CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.
  • CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
  • CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic of Cisco Talos.
  • CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu.
  • CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich.
  • CVE-2016-1677: Type confusion in V8. Credit to Guang Gong of Qihoo 360.
  • CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to Khalil Zhani.
  • CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
  • CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester and Bryant Zadegan.
  • CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen of OUSPG.
  • CVE-2016-1674: Cross-origin bypass in extensions. Credit to Mariusz Mlynski.
  • CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu.
  • CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen of OUSPG.
  • CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire.

Happy cross-browser testing in Chrome 51!