Posted by July 7, 2016
on Today Chrome 52 was released and we immediately deployed it to our browser test cloud. It's now available to all users for cross-browser testing.
Try Chrome 52 in Browserling now!
Key changes in Chrome 52
- Status bar now has darker text when hovering your mouse over the link.
- DirectWrite is now impossible to disable.
- Bug fixes and speedy performance improvements.
- Accelerated Mobile Pages (AMP).
Web developer features and updates in Chrome 52
- Misc: -webkit-appearance:none for METER element - Web authors had no way to completely disable UA rendering of METER element, and were unable to render them with pure CSS. This feature is to implement the standard appearance:none behavior for METER element as -webkit-appearance:none. -webkit-appearance:none removes UA rendring at all, and renders the content of <meter> element.
- CSS: Accept 8 (#RRGGBBAA) and 4 (#RGBA) value hex colors - Update the CSS color parser to support 8/4-digit hex color. Legacy HTML attribute color parsing, per the "rules for parsing a legacy colour value" of the HTML micro syntax, will not be changed, nor will the CSS hashless color quirk.
- Network/Connectivity: Alternative Services - Alternative services allow an origin serving an http:// or https:// resource to nominate additional (protocol, host, port) tuples that the client can choose to request the resource from instead of the origin when making subsequent requests. This can be used, for example, as a protocol upgrade mechanism, for connection pooling, or for load balancing.
- Security: The 'strict-dynamic' source expression (CSP3) - The 'strict-dynamic' source expression allows script loaded via nonce- or hash-based whitelists to load other script, simplifying the requirements for deployment, and (hopefully!) making it more likely that CSP can reach more sites.
- CSS Containment - A primitive for isolating style, layout, and paint. This allows authors to explicitly opt into a set of restrictions that enables user agent optimizations.
- CSS Flexbox: New behavior for absolute-positioned children - A previous version of the Flexbox spec set the static position of abspos children as if they were a 0x0 flex item. However, the latest version of the spec takes them fully out of flow and sets the static position based on align and justify properties. The static position is used when there are no top: or left: or related properties used to position the absolute-positioned element.
- DOM ParentNode + ChildNode method extras: prepend, append (ParentNode) + before, after, and replaceWith (ChildNode) - The DOM standard provides a set of convenience methods for working with DOM Node trees: ParentNode.prepend(), ParentNode.append(), ChildNode.before(), ChildNode.after(), ChildNode.replaceWith(). Removal of the flag is anticipated in Chrome 54.
- DOM: Deprecate and remove WebKit legacy window.postMessage() overload - WebKit/Blink supports three overloads of window.postMessage(): "postMessage(message, targetOrigin)", "postMessage(message, targetOrigin, transferables)" and "postMessage(message, transferables, targetOrigin)" The last one being an accident of history as implementation and spec initially evolved, but an overload that got stuck. As it has little or no actual use (Link1), it will be deprecated and removed. Any remaining uses will have to swap arguments.
- JavaScript: Add exponentiation Operator (`
and
=`) - Provides an arithmetic operator equivalent of Math.pow(), in which the lefthand-side expression serves as the base value, and the righthand-side expression serves as the exponent. - Network/Connectivity: Response construction with ReadableStream (Fetch API) - Developers can now construct their own ReadableStream instances, and use one as a body for constructing a Response object. It enables streaming composed body data from a ServiceWorker to a page controlled by it.
- Network/Connectivity: referrer policy (Fetch API) - This feature enables users to get/set a Request's referrer policy which affect's the "Referer" HTTP header.
- Graphics: Filters in 2D canvas - Add a string attribute called 'filter' to CanvasRenderingContext2D to apply effects to primitives drawn to the canvas. The attributes is parsed the same way as CSS filters.
- Realtime/Communication: H.264 software encoder/decoder in Chrome for WebRTC - Include a H.264 video codec encoder and decoder in Chrome for use with WebRTC. At IETF in late november 2014, a compromise was reached with the main contributors to WebRTC to ship both VP8 and H.264. This launch is to follow up in this public commitment. The plan is to use the OpenH264 (same lib as Firefox uses) for encoding and FFmpeg (which is already used elsewhere in Chrome) for decoding.
- Realtime/Communication: HTMLMediaElement.srcObject attribute - The srcObject attribute allows associating a MediaStream to a media element using a simple assignment. Previously, achieving this required first obtaining a URL associated to the MediaStream, and then associating this URL to the media element.
- Offline/Storage: IDBKeyRange.includes() - Test whether or not a key exists within the bounds of an IDBKeyRange.
- Graphics: ImageBitmapOptions - An ImageBitmapOptions is a dictionary object passed to the createImageBitmap(), such that an ImageBitmap can be created with specific format, for example, premultiplyAlpha = false.
- Performance: Throttle rendering pipeline based on viewport visibility (Intervention) - As an intervention, stop running Blink's rendering pipeline (including requestAnimationFrame callbacks) for content which isn't visible in the viewport. This helps to avoid doing unnecessary work for animations which aren't going to be seen by the user.
- Multimedia: Invalid <track kind> values behave like "metadata", not "subtitles" - Invalid values for <track kind> are currently treated as "subtitles". This means that any new values will be treated as subtitles by old UAs. Instead use "metadata" as the "invalid value default", to avoid UAs showing <track>s with unrecognized values.
- Multimedia: MediaDevices devicechange event - The devicechange event is fired when a media device (e.g., camera, microphone or speaker) is connected to or removed from the system. This feature is useful for applications that wish to react to changes in the set of available media devices; for example, to show a device list that is always up-to-date. This is expected to be on by default in Chrome 57.
- DOM: Node.isConnected - The isConnected attribute's getter returns true, if context object is in a shadow-including document, and false otherwise.
- Misc: Pause event loop during modal dialogs - When using alert(), confirm() or onbeforeunload, Chromium's old behavior was to block JS waiting for the result, but allows all declarative animations to continue. This change is to make all main-thread tasks (such as <marquee> and CSS 2d animations) also pause during this interval.
- Performance Observer - Used to observe the Performance Timeline and be notified of new performance entries as they are recorded by the user agent.
- Realtime/Communication: Push subscription restrictions, Web Push protocol - Supporting server authentication and subscription restrictions from the following IETF draft, that will allow developers to provide a public key when subscribing for push upon which Chrome will return a Web Push protocol-compatible endpoint. This will enable us to move away from our current GCM implementation requirements.
- User input: Stricter user gestures for touch - Don't allow opening popups (and other sensitive operations) on touch events which don't correspond to a tap from inside of cross-origin iframes (Chrome 52).
- CSS: Stylesheets activated after the body is started do not block paint - External stylesheets in the body of the document or that get activated after the body has started to be parsed will no longer block paint. The parser will still block at a script tag until all prior stylesheets have loaded, including those in the body.
- Multimedia: AudioParams include min/max attributes to specify the nominal range (WebAudio) - All AudioParams have a readonly min and max attribute to specify the minimum and maximum value the AudioParam can have. The value is clamped to lie in this range. This allows easy introspection for the developer to determine the valid ranges for a parameter.
- Multimedia: Add Automation Support to PannerNode and AudioListener (WebAudio) - Automation methods for the position and orientation coordinates of PannerNode and the position, up, and forward vectors of the AudioListener are added. This allows smooth changes in the coordinates via AudioParam methods. This effectively undeprecates the PannerNode and AudioListener. The old methods such as setPosition, setOrientation, etc., are retained, but deprecated because they have obvious equivalents with just setting the individual coordinate values.
- Multimedia: DynamicsCompressor.reduction is a float not AudioParam (WebAudio) - Chrome implements the reduction attribute for a DynamicsCompressorNode as an AudioParam. The WebAudio spec says it should be a readonly float. Change Chrome to implement the specification.
- JavaScript: WebRTC API for choosing key pair algorithm (RSA, ECDSA) for certificates used in DTLS handshake - A WebRTC JavaScript API is added to control the key pair algorithm (RSA, ECDSA) to use for the self-signed certificates generated when DTLS is used for peerconnections. Changes to API surface: RTCCertificate class added, RTCPeerConnection.generateCertificate static method added, RTCConfiguration.certificates (sequence<RTCCertificate>) member added. This feature was behind a flag starting in Chrome 48 and Opera 35.
- Realtime/Communication: Storing RTCCertificate in IndexedDB (WebRTC) - RTCCertificates are self-signed certificates used in the DTLS handshake for when setting up a connection with an RTCPeerConnection. This feature allows RTCCertificates to be persisted to storage by an application by implementing the structured clone algorithm. This means RTCCertificates can be saved and loaded from an IndexedDB database, saving the cost of generating new certificates for new sessions.
- DOM: addEventListener AddEventListenerOptions API - The spec was revised to add AddEventListenerOptions which is a dictionary only for addEventListener(...) so that fields could be added that did not make up the matching key. This change is to move the add the AddEventListenerOptions dictionary definition, change the API and move the 'passive' field from EventListenerOptions to AddEventListenerOptions
- CSS: font-variant-caps - Space separated CSS value keywords for activating OpenType features related to small-caps, all-small-caps, etc. Using the CSS keywords for feature selection is at candidate recommendation status in the CSS Fonts Module level 3 and is the spec recommended way to activate common features. Signals from content developers and font foundries indicate that the CSS font-variant-* value keywords are easier to work with and less cryptic than font-feature settings.
- CSS: font-variant-numeric - Space separated CSS value keywords for activating OpenType features related to numeric forms. Using the CSS keywords for feature selection is at candidate recommendation status in the CSS Fonts Module level 3 and is the spec recommended way to activate common features. Signals from content developers and font foundries indicate that the CSS font-variant-* value keywords are easier to work with and less cryptic than font-feature settings.
- Misc: Remove density property from Manifest's icons
- Security: Deprecate 'X-Frame-Options' support inside '<meta>'
Security fixes in Chrome 52
Chrome 52 release includes 48 security fixes. Here are the noteworthy fixes:
- High CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie.
- High CVE-2016-1707: URL spoofing on iOS. Credit to xisigr of Tencent's Xuanwu Lab.
- CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan.
- CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin of Topsec Security Team.
- CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski.
- CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski.
- CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer.
- CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous.
- CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin.
- CVE-2016-5130: URL spoofing. Credit to Wadih Matar.
- CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer.
- CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly.
- CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor.
- CVE-2016-5134: URL leakage via PAC script. Credit to Alex Chapman and Paul Stone.
- CVE-2016-5135: Content-Security-Policy bypass. Credit to ShenYeYinJiu.
- CVE-2016-5136: Use after free in extensions. Credit to Rob Wu.
- CVE-2016-5137: History sniffing with HSTS and CSP. Credit to Xiaoyin Liu.
Happy cross-browser testing in Chrome 52!
Email this blog post to your friends or yourself!
Try Browserling!
Enter a URL to test, choose platform, browser and version, and you'll get a live interactive browser in 5 seconds!