Dear ALL,
Google released today Chrome 52.0.2743.82, promoting the 52.x branch to the Stable Channel, making it Chrome's official version.
This new release is a little bit light on visible UI features but brings a lot for developers that like to tinker on websites and are, generally, more interested in what's under the browser's hood.
Back in early June, Google engineers had drawn out a plan of what features users should expect in Chrome 52.
New CSS contain property
The team didn't stray much from their plan, and now Chrome features support for CSS containment, via the CSS contain property, which prevents child elements from displaying outside the boundaries of their parent element.
A good reason for developers to implement CSS containment on their websites is to speed up page load times. Google engineers have played around and detailed the advantages of using the contain property in a blog post in June.
CSS contain support is only available in Chrome 52 and Opera 40 (alpha stage). Firefox devs have shown public interest in integrating the property into their browser, but no code to support it has landed in the browser until now.
Simpler and more efficient process for gathering performance metrics
The second big feature Google engineers added is the PerformanceObserver API, a feature that allows Web developers to fine tune the performance metrics gathering process.
Until now, developers that wanted to collect performance metrics had to rely on Chrome's DevTools, which is not a tool specifically designed for such a process.
With the integration of this new API, developers can specify which performance metrics they want Chrome to collect, and avoid situations when the browser gathers information which is never used and wasting memory space. Google devs have explained how this feature works this past June.
VAPID Support and the Streams API
Chrome 52 also supports the VAPID specification (Voluntary Application Server Identification for Web Push).
VAPID allows a site that uses push notifications to authenticate much easier with Web Push services that interact with your desktops or mobile devices.
Play Video
Additionally, the Streams API also introduced with Chrome 52 will allow the browser to start rendering page content even if the entire HTTP request has finished downloading. This basically means that CSS code is already used on the page, even before the entire stylesheet has been downloaded.
As seen in the video above, this improves page loading times, something that which Google engineers will never stop trying to improve.
Deprecations and removals
The first thing you will notice missing from Chrome 52 is the company's Chrome App Launcher that allowed the user to launch Chrome apps even if the browser was closed.
Google announced the deprecation of this feature at the start of the year, but people that love it can still use it inside Chrome OS.
Other things that were removed or deprecated include support for the MediaStream ended event and attribute, the MediaStream onended attribute, overload of postMessage(), X-Frame-Options intags, non-primary button click event, requestAutocomplete(), and the ability to block cross-origin iframes during touch events except during a tap gesture.
Security bugs and other smaller updates
Google's security team didn't slack either, and based on their own audits and reported bugs, the engineers fixed 48 security issues, handing out $21,000 to contributors along the way.
Below is the full list of security bugs, followed by a selection of smaller changes also included in Chrome 52's full changelog.
[$15000][610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie
[$3000][622183] High CVE-2016-1707: URL spoofing on iOS. Credit to xisigr of Tencent's Xuanwu Lab
[$TBD][613949] High CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan
[$TBD][614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin of Topsec Security Team
[$TBD][616907] High CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][617495] High CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][618237] High CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer
[$TBD][619166] High CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous
[$TBD][620553] High CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin
[$TBD][623319] High CVE-2016-5130: URL spoofing. Credit to Wadih Matar
[$TBD][623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer
[$1000][607543] Medium CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly
[$1000][613626] Medium CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor
[$500][593759] Medium CVE-2016-5134: URL leakage via PAC script. Credit to Paul Stone
[$500][605451] Medium CVE-2016-5135: Content-Security-Policy bypass. Credit to kingxwy
[$TBD][625393] Medium CVE-2016-5136: Use after free in extensions. Credit to Rob Wu
[$TBD][625945] Medium CVE-2016-5137: History sniffing with HSTS and CSP. Credit to Xiaoyin Liu
Other features in this release
Chrome now pauses animations while showing modal dialog boxes.
HTTP alternative services allow sites to specify additional origins that can be used to reach a certain resource, enabling easier protocol upgrades and load balancing.
ImageBitmaps can be created more easily using ImageBitmapOptions to specify configurations on construction.
Sites can now free the memory consumed by an ImageBitmap using ImageBitmap.close().
Chrome now supports OpenType small capitals and easier styling of numbers using the font-variant-caps and font-variant-numeric properties.
Touch gestures inside a cross-origin iframe can no longer trigger popups unless they correspond to a tap gesture, preventing accidental pop-ups during scrolling.
Now only secure origins can create or delete secure cookies on Chrome for Android.
The latest version of Chrome supports -webkit-appearance:none which disables the default rendering of HTML5 meter elements and allows easier custom CSS styling.
The unsafe-dynamic Content Security Policy expression allows sites to use single-use or hash-based whitelists to verify script sources, making it easier to protect against cross-origin scripting attacks.
Sites can now use the Fetch API to programmatically set the referrer policy for a request.
CanvasRenderingContext2D now supports the filter attribute, allowing sites to apply effects to primitives drawn to the canvas.
Sites can now test whether or not a key exists within the bounds of an IDBKeyRange using IDBKeyRange.includes().
The HTMLMediaElement.srcObject attribute simplifies associating a MediaStream with a media element.
AudioParam now supports the read-only min and max attributes to simplify introspection.
RTCCertificates can now be stored in IndexedDB.
PannerNode and AudioListener now support automation methods, allowing smooth audio transitions.
Stylesheets can now specify alpha values for colors using eight- and four-bit hexadecimal values instead of the longer rgba() syntax.
Sites can now experiment with persistent storage as an origin trial, allowing a site to disable automatic storage clearing when bookmarked.
Multiple WebVTT tracks will now be presented as user options in the default media controls, enabling language selection for captions and subtitles.
postMessage overrides of the form postMessage(message,transferables,targetOrigin) have been deprecated.
The MediaStream ended event and the corresponding onended attribute have been deprecated.
The web app manifest icons entry no longer supports the density property.
The DynamicsCompressorNode.reduction attribute is now a readonly float instead of an AudioParam.
flexbox children with position:absolute will now be positioned using justify and align if the element does not have a left:, right:, top:, or bottom: position specified.
requestAutocomplete() has been deprecated and removed due to low usage numbers.
X-Frame-Option will no longer be supported in the meta tag to support a more secure implementation.
Invalid values for track-kind are now treated as metadata instead of subtitles to improve media behavior in older user agents.
Article source
Google released today Chrome 52.0.2743.82, promoting the 52.x branch to the Stable Channel, making it Chrome's official version.
This new release is a little bit light on visible UI features but brings a lot for developers that like to tinker on websites and are, generally, more interested in what's under the browser's hood.
Back in early June, Google engineers had drawn out a plan of what features users should expect in Chrome 52.
New CSS contain property
The team didn't stray much from their plan, and now Chrome features support for CSS containment, via the CSS contain property, which prevents child elements from displaying outside the boundaries of their parent element.
A good reason for developers to implement CSS containment on their websites is to speed up page load times. Google engineers have played around and detailed the advantages of using the contain property in a blog post in June.
CSS contain support is only available in Chrome 52 and Opera 40 (alpha stage). Firefox devs have shown public interest in integrating the property into their browser, but no code to support it has landed in the browser until now.
Simpler and more efficient process for gathering performance metrics
The second big feature Google engineers added is the PerformanceObserver API, a feature that allows Web developers to fine tune the performance metrics gathering process.
Until now, developers that wanted to collect performance metrics had to rely on Chrome's DevTools, which is not a tool specifically designed for such a process.
With the integration of this new API, developers can specify which performance metrics they want Chrome to collect, and avoid situations when the browser gathers information which is never used and wasting memory space. Google devs have explained how this feature works this past June.
VAPID Support and the Streams API
Chrome 52 also supports the VAPID specification (Voluntary Application Server Identification for Web Push).
VAPID allows a site that uses push notifications to authenticate much easier with Web Push services that interact with your desktops or mobile devices.
Play Video
Additionally, the Streams API also introduced with Chrome 52 will allow the browser to start rendering page content even if the entire HTTP request has finished downloading. This basically means that CSS code is already used on the page, even before the entire stylesheet has been downloaded.
As seen in the video above, this improves page loading times, something that which Google engineers will never stop trying to improve.
Deprecations and removals
The first thing you will notice missing from Chrome 52 is the company's Chrome App Launcher that allowed the user to launch Chrome apps even if the browser was closed.
Google announced the deprecation of this feature at the start of the year, but people that love it can still use it inside Chrome OS.
Other things that were removed or deprecated include support for the MediaStream ended event and attribute, the MediaStream onended attribute, overload of postMessage(), X-Frame-Options intags, non-primary button click event, requestAutocomplete(), and the ability to block cross-origin iframes during touch events except during a tap gesture.
Security bugs and other smaller updates
Google's security team didn't slack either, and based on their own audits and reported bugs, the engineers fixed 48 security issues, handing out $21,000 to contributors along the way.
Below is the full list of security bugs, followed by a selection of smaller changes also included in Chrome 52's full changelog.
[$15000][610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie
[$3000][622183] High CVE-2016-1707: URL spoofing on iOS. Credit to xisigr of Tencent's Xuanwu Lab
[$TBD][613949] High CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan
[$TBD][614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin of Topsec Security Team
[$TBD][616907] High CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][617495] High CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][618237] High CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer
[$TBD][619166] High CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous
[$TBD][620553] High CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin
[$TBD][623319] High CVE-2016-5130: URL spoofing. Credit to Wadih Matar
[$TBD][623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer
[$1000][607543] Medium CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly
[$1000][613626] Medium CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor
[$500][593759] Medium CVE-2016-5134: URL leakage via PAC script. Credit to Paul Stone
[$500][605451] Medium CVE-2016-5135: Content-Security-Policy bypass. Credit to kingxwy
[$TBD][625393] Medium CVE-2016-5136: Use after free in extensions. Credit to Rob Wu
[$TBD][625945] Medium CVE-2016-5137: History sniffing with HSTS and CSP. Credit to Xiaoyin Liu
Other features in this release
Chrome now pauses animations while showing modal dialog boxes.
HTTP alternative services allow sites to specify additional origins that can be used to reach a certain resource, enabling easier protocol upgrades and load balancing.
ImageBitmaps can be created more easily using ImageBitmapOptions to specify configurations on construction.
Sites can now free the memory consumed by an ImageBitmap using ImageBitmap.close().
Chrome now supports OpenType small capitals and easier styling of numbers using the font-variant-caps and font-variant-numeric properties.
Touch gestures inside a cross-origin iframe can no longer trigger popups unless they correspond to a tap gesture, preventing accidental pop-ups during scrolling.
Now only secure origins can create or delete secure cookies on Chrome for Android.
The latest version of Chrome supports -webkit-appearance:none which disables the default rendering of HTML5 meter elements and allows easier custom CSS styling.
The unsafe-dynamic Content Security Policy expression allows sites to use single-use or hash-based whitelists to verify script sources, making it easier to protect against cross-origin scripting attacks.
Sites can now use the Fetch API to programmatically set the referrer policy for a request.
CanvasRenderingContext2D now supports the filter attribute, allowing sites to apply effects to primitives drawn to the canvas.
Sites can now test whether or not a key exists within the bounds of an IDBKeyRange using IDBKeyRange.includes().
The HTMLMediaElement.srcObject attribute simplifies associating a MediaStream with a media element.
AudioParam now supports the read-only min and max attributes to simplify introspection.
RTCCertificates can now be stored in IndexedDB.
PannerNode and AudioListener now support automation methods, allowing smooth audio transitions.
Stylesheets can now specify alpha values for colors using eight- and four-bit hexadecimal values instead of the longer rgba() syntax.
Sites can now experiment with persistent storage as an origin trial, allowing a site to disable automatic storage clearing when bookmarked.
Multiple WebVTT tracks will now be presented as user options in the default media controls, enabling language selection for captions and subtitles.
postMessage overrides of the form postMessage(message,transferables,targetOrigin) have been deprecated.
The MediaStream ended event and the corresponding onended attribute have been deprecated.
The web app manifest icons entry no longer supports the density property.
The DynamicsCompressorNode.reduction attribute is now a readonly float instead of an AudioParam.
flexbox children with position:absolute will now be positioned using justify and align if the element does not have a left:, right:, top:, or bottom: position specified.
requestAutocomplete() has been deprecated and removed due to low usage numbers.
X-Frame-Option will no longer be supported in the meta tag to support a more secure implementation.
Invalid values for track-kind are now treated as metadata instead of subtitles to improve media behavior in older user agents.
Article source
