Google released Chrome 55 today. We just deployed it to our browser cloud, and it's available for website testing.

Cross-browser testing in Chrome 55

Try Chrome 55 in Browserling now!

Chrome 55 has several key new features and changes:

  • The History page has changed and is no longer in "Settings".
  • Flash Player is now off by default for most sites.
  • It's impossible to disable Material Design.
  • Bug fixes and speedy performance improvements (Android).
  • Easily download music, videos, and even full web pages for viewing offline (Android).
  • View and share your downloads within Chrome (Android).
  • See misspelled words highlighted in text fields (Android).
  • Improvements to contextual search UI (Android).

Here's a list of all Chrome 55 features and updates:

  • JavaScript: Async/await functions - Async functions make it easy to write code which needs to "block" on certain asynchronous events in JavaScript. Async/await does this by providing a simpler and more ergonomic way to use Promises. To block on a value, use the 'await' keyword. Async/await can be implemented based on a desugaring to generators.
  • Device: Removed blocking navigator.vibrate in cross-origin iframes - Calls to navigator.vibrate will immediately return 'false' inside cross-origin iframes. The Vibrate API is being abused by unsafe third-party content (e.g., malicious ads). As of Chrome 57 this is relaxed to allow vibration after the user has tapped on the frame.
  • Security: Block script execution for non-script MIME types - Script should not execute if it is delivered with a MIME type of 'audio/*', 'image/*', 'video/*', or 'text/csv'.
  • Realtime/Communication: Budget API - This specification describes an API that can be used to retrieve the amount of budget an origin has available for resource consuming background operations, as well as the cost associated with doing such an operation.
  • CSS: CSS hyphens property - This CSS property controls automatic hyphenation. Automatic hyphenation is in strong demand, as seen in crbug.com/47083, and is already supported by all other major browsers. Blink enables the following values on all platforms: "manual" (the initial value) and "none" (disables soft hyphens). It enables the following value on Android and Mac: "auto" (enables automatic hyphenation for languages where the underlying operating system has dictionaries).
  • Multimedia: onwaitingforkey, onkeystatuseschange, & onmessage event handler attributes (EME) - Add the following EventHandler attributes for existing EME events: HTMLMediaElement: onwaitingforkey, onencrypted. MediaKeySession: onkeystatuseschange, onmessage.
  • JavaScript: Intl.DateTimeFormat.prototype.formatToParts() (Ecma 402) - Intl.DateTimeFormat.prototype.formatToParts() is scheduled to be added to the ECMAScript Internationalization API specification (Ecma 402). It adds a method to format date and time to a list of tokens and their type (e.g. literal, day, year, month, hour, minute, era, etc). It's implemented and shipped by Firefox. V8 implemented it behind a flag.
  • Security: GREASE for TLS - TLS clients offer lists of 16-bit code points (e.g. cipher suites) that servers select from. To remain extensible, servers must ignore unknown values. However, servers may have bugs and reject unknown values. These servers will interoperate with existing clients, so the mistake may spread unnoticed, breaking extensibility for the whole ecosystem. We will reserve some values to advertise at random, to prevent such mistakes before broken servers are widespread.
  • Network/Connectivity: Removed HTTP/0.9 over non-default ports. - HTTP/0.9 is the predecessor to HTTP/1.x. One big difference between HTTP/0.9 and HTTP/1.x is that HTTP/0.9 lacks any response headers. So when we send an HTTP/1.x request, if the server responds with a message that doesn't look like HTTP/1.x, we just assume it's an HTTP/0.9 response and treat the entire response as the response body, with no headers. We're removing this behavior except on default ports, and plan to further reduce support in the future.
  • Performance: Intervention: Blocking the load of cross-origin, parser-blocking scripts inserted via document.write for users on 2G - For users on slow connections such as 2G, the performance penalty from third-party scripts loaded via document.write is often so severe as to delay display of main page content for tens of seconds. This feature will block the load of cross-origin, parser-blocking scripts inserted via document.write in case of an HTTP cache miss for users on a 2G connection. The feature will only be applicable to such scripts in the main frame.
  • Multimedia: Intervention: Web Audio user gesture requirement on cross origin iframes on Android - This will require a user gesture in order to start playback using Web Audio in a cross origin iframe, the same way a user gesture is required to play an audio or video element.
  • JavaScript: Long Task API - A performance API to enable applications to detect presence of "long tasks" that monopolize the UI thread for extended periods of time and block other critical tasks from being executed - e.g. reacting to user input.
  • DOM: Make Event.composedPath() behavior on window match that on document - Before: event.composedPath() on window object returns [window] in Blink, which does not include nodes in a document. After: event.composedPath() on window behaves the same way as that on document. It would include a node in a document tree.
  • Multimedia: MediaStream constructor - A prefixed constructor webkitMediaStream has been available since 2012. It will now be available without the prefix as MediaStream.
  • Multimedia: MediaStreamTrackEvent constructor - This is a standard event constructor. Previously, the event interface was hidden, so that scripts could not create instances.
  • User input: New "auxclick" event for non-primary button click behavior - The new input event type "auxclick" introduced here provides web developers a way to listen to the click behavior of non-primary buttons, and potentially cancel their effect (e.g. opening a new tab when middle clicking on a link).
  • Offline/Storage: Persistent Storage Permission (Durable Storage) - Allow sites to request that web storage be treated as "persistent", preventing Chrome's automatic storage eviction from clearing storage for that site. The permission is automatically granted when the site is bookmarked (if the user has fewer than 6 bookmarks), is added to homescreen, has push notification permissions, or has high site engagement (launched as Origin Trial in M52).
  • Offline/Storage: Persistent storage - Allow origins to opt out of the browser's storage-eviction logic that is run when the user's storage space is running low.
  • User input: Pointer Events - Unified pointer input API subsuming MouseEvent and TouchEvents which addresses several existing problems (especially on touchscreen laptops) and provides future extensibility.
  • JavaScript: RTCPeerConnection.getStats - This is a spec-compliant version of RTCPeerConnection.getStats returning a promise resolved with RTCStatsReport, a maplike containing RTCStats dictionaries. Stats are being implemented according to the spec in a continuous effort for coverage to become good enough that the old getStats method can be deprecated. The old getStats (taking a callback as argument) is very different from the spec and riddled with goog-prefixed things. It's anticipated to be out from behind the flag in Chrome 58.
  • DOM: Support "once" event listener option - Support adding event listeners with the "once" option set to true. When set to true, options's once member indicates that the callback will only be invoked once after which the event listener will be removed.
  • DOM: Support dataset property on SVGElement - Dataset is supported on HTMLElement. The spec was recently modified to support SVGElement as well.
  • Graphics: The ImageBitmap rendering context for <canvas> - A new rendering context that streamlines the display of ImageBitmap objects. This new rendering context uses transfer semantics to take ownership of the pixels of an ImageBitmap object, thus avoiding memory duplication and rasterization overhead.
  • CSS: Touch-action: pan-up pan-down pan-left pan-right CSS properties - The touch-action CSS property determines whether touch input may trigger default behavior supplied by the user agent. This includes, but is not limited to, behaviors such as panning or zooming. The additional keywords pan-up, pan-down, pan-left, and pan-right have been added to the specification.
  • CSS: Unprefixed CSS Clipping Paths - The CSS Clipping Path (CSS Masking specification) property without the "webkit" prefix.
  • DOM: Update <textarea maxlength/minlength> behavior for linebreaks - Before the change, maxlength/minlength limited the value length, not the API value length. In <textarea>, a single linebreak is represented as CR LF in the value and as LF in the API value. Firefox and Edge incorrectly applied the limit to the API value, and WebKit and Blink correctly applied it to the value. But the specification followed Firefox and Edge.
  • Device: Web Share - Web Share is a proposed API for sharing data (text, URLs, images) from the web to an app of the user's choosing.
  • Multimedia: Add BaseAudioContext to WebAudio. - Implement BaseAudioContext according to the spec. This introduces a trivial but user-visible change: querying AudioContext.prototype.hasOwnProperty(functionName) will fail.
  • Multimedia: Add AudioNode constructors to WebAudio. - Add constructor for WebAudio AudioNodes. Instead of saying "context.createFoo()", you can now say "new FooNode(context, optionalOptions)", roughly.
  • Multimedia: Webaudio close() method removed from OfflineAudioContext - The close() method is no longer defined for an OfflineAudioContext. It only threw an error anyway, so it wasn't useful. It's now only defined for an AudioContext.
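
The MIME-type rule from the "Security: Block script execution for non-script MIME types" item above, written out as an added example (not Chrome's code and not part of the original post). It parses a Content-Type header and audits a constructed list of script responses; the function names and URLs are assumptions.

```javascript
// Added example: models the rule from the list item above. Script must not
// execute when it is served as audio/*, image/*, video/* or text/csv.

// Reduce a Content-Type header value to its lowercase "type/subtype" part,
// dropping parameters such as "; charset=utf-8".
function mimeEssence(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// True when a script response with this Content-Type falls under the rule.
function isBlockedForScript(contentType) {
  const essence = mimeEssence(contentType);
  if (essence === 'text/csv') return true;
  return ['audio/', 'image/', 'video/'].some((prefix) => essence.startsWith(prefix));
}

// Audit {url, contentType} records for resources a page loads as script
// (for example from a crawl or a HAR export) and return the offenders.
function auditScriptResponses(responses) {
  return responses
    .filter((r) => isBlockedForScript(r.contentType))
    .map((r) => ({ url: r.url, essence: mimeEssence(r.contentType) }));
}

// Constructed sample data: every URL below is hypothetical.
const sampleResponses = [
  { url: 'https://app.example/static/app.js', contentType: 'application/javascript; charset=utf-8' },
  { url: 'https://app.example/uploads/avatar.png', contentType: 'image/png' },
  { url: 'https://app.example/export/report', contentType: 'Text/CSV; charset=utf-8' },
  { url: 'https://app.example/media/intro', contentType: ' video/mp4 ' },
  // text/plain is not one of the types named by this rule, so it is not flagged.
  { url: 'https://app.example/legacy/lib.js', contentType: 'text/plain' },
];

console.log(auditScriptResponses(sampleResponses));
```

Entries this audit flags are the ones to fix on the server side: either the script is being served with the wrong type, or user-controlled media and CSV responses are reachable as script sources.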
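
The server-side mistake that the "Security: GREASE for TLS" item above is meant to surface, as an added example (not Chrome's code and not part of the original post). It compares a tolerant and a buggy cipher suite selection and checks each against all reserved values; the server configuration, client offer and function names are assumptions.

```javascript
// Added example: cipher suite selection with and without tolerance for
// unknown code points, plus a check that exposes the difference.

// The reserved GREASE values are 0x0A0A, 0x1A1A, ... 0xFAFA (RFC 8701).
function isGrease(v) {
  return (v & 0x0f0f) === 0x0a0a && (v >> 8) === (v & 0xff);
}
const GREASE_VALUES = Array.from({ length: 16 }, (_, n) => ((n << 4) | 0x0a) * 0x0101);

// Constructed server configuration (assumption): supported suites in preference order.
const SERVER_SUITES = [0xc02f, 0xc02b, 0x009c];
// Every code point the hypothetical buggy server recognises.
const KNOWN_SUITES = new Set([...SERVER_SUITES, 0xc030, 0x002f, 0x0035]);

// Correct: unknown values are ignored; the first mutually supported suite wins.
function selectSuiteTolerant(offered) {
  const suite = SERVER_SUITES.find((s) => offered.includes(s));
  return suite === undefined ? { ok: false, alert: 'handshake_failure' } : { ok: true, suite };
}

// Buggy: any unrecognised value fails the whole handshake.
function selectSuiteStrict(offered) {
  const unknown = offered.find((s) => !KNOWN_SUITES.has(s));
  if (unknown !== undefined) {
    return { ok: false, alert: 'illegal_parameter', unknown, grease: isGrease(unknown) };
  }
  return selectSuiteTolerant(offered);
}

// Offer the same real suites once per reserved value and list the values that
// break a handshake which succeeds without them.
function greaseFailures(selectFn, realSuites) {
  if (!selectFn(realSuites).ok) throw new Error('baseline handshake must succeed');
  return GREASE_VALUES.filter((g) => !selectFn([g, ...realSuites]).ok);
}

// Constructed client offer: two real suites, one of which the server supports.
const CLIENT_SUITES = [0xc030, 0xc02f];
console.log('tolerant server failures:', greaseFailures(selectSuiteTolerant, CLIENT_SUITES).length);
console.log('strict server failures:', greaseFailures(selectSuiteStrict, CLIENT_SUITES).length);
```

The strict server passes every test with the client's real suite list, which is why the bug goes unnoticed until a client advertises a value the server has never seen.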

Chrome 55 includes 36 security fixes. Here's a list of security bug fixes in this release:

  • Universal XSS in Blink. Credit to Anonymous.
  • Use after free in Webaudio. Credit to Looben Yang.
  • Integer overflow in PDFium. Credit to Hwiwon Lee.
  • Use after free in V8. Credit to Khalil Zhani.
  • Use after free in PDFium. Credit to Anonymous.
  • Local file disclosure in DevTools. Credit to Khalil Zhani.
  • Local file access in PDFium. Credit to Rob Wu (robwu.nl).
  • Use of unvalidated data in PDFium. Credit to Rob Wu (robwu.nl).
  • Integer overflow in ANGLE. Credit to Tim Becker of ForAllSecure.
  • Out of bounds write in Blink. Credit to Giwan Go of STEALIEN.
  • Universal XSS in Blink. Credit to Mariusz Mlynski.
  • File download protection bypass. Credit to Jonathan Birch and MSVR.
  • CSP bypass in Blink. Credit to Scott Helme (@Scott_Helme, scotthelme.co.uk).
  • Use after free in PDFium. Credit to Anonymous.
  • CVE-2016-5224: Same-origin bypass in SVG. Credit to Roeland Krak.
  • Universal XSS in Blink. Credit to Mariusz Mlynski.
  • CSP Referrer disclosure. Credit to Jakub Żoczek.
  • Same-origin bypass in PDFium. Credit to Rob Wu (robwu.nl).
  • Private property access in V8. Credit to Guang Gong of Alpha Team Of Qihoo 360 reported through Pwnfest.
  • Universal XSS in Blink. Credit to Mariusz Mlynski.
  • Out of bounds write in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.
  • Use after free in PDFium. Credit to Anonymous.
  • Address spoofing in Omnibox. Credit to Abdulrahman Alqabandi (@qab).
  • Limited XSS in Blink. Credit to Jun Kokatsu (@shhnjk).
  • Address spoofing in Omnibox. Credit to xisigr of Tencent's Xuanwu Lab.
  • Use after free in V8. Credit to Rob Wu (robwu.nl).

Happy cross-browser testing in Chrome 55!