Posted on August 8, 2016
Chrome 53 is now available for cross-browser testing. Chromium 53 was just released by Google for Windows, OSX and Linux platforms. We just installed it to our browser testing cloud and it's available to all users.
Try Chrome 53 in Browserling now!
Key changes in Chrome 53:
- New browser inside look, including new bookmarks.
- Shadow DOM v1 implemented.
- Simplify page option removed from Save as PDF.
- Bug fixes and speedy performance improvements.
- Muted autoplay for video (Android).
- Chrome's history has a new look and it's now easier to review, find, and delete your browsing history (iOS).
- Voice Search has been updated with a fresh look to show that Google is working for you (iOS).
All Chrome 53 features, fixes and updates:
- Multimedia: 'allow-presentation' sandboxing flag - This is a new flag for <iframe sandbox="..."> which will allow embedders to have control over whether an iframe can start a presentation session.
- Multimedia: API for customizing HTMLMediaElement.seekable for Media Source live streams - This API lets MediaSource apps more effectively customize the HTMLMediaElement.seekable range logic by providing (or removing) a single seekable range that is union'ed with the current buffered ranges to result in a single seekable range which fits both, when media duration is infinite.
- Misc: Apply Unicode flag to 'pattern' content attribute of INPUT element - The unicode flag is applied to 'pattern' attribute values. Syntax checking will be stricter, '.' matches a surrogate pair, and there are some other benefits.
- Multimedia: Autoplay muted videos (Android) - Relax autoplay restrictions to allow muted videos to autoplay. They will only be able to play while muted and unmuting will pause if not coming from a user gesture.
- CSS: -webkit-user-select:all - The user-select property enables authors to specify which elements in the document can be selected by the user and how. Chrome has supported only the prefixed version: -webkit-user-select. With the -webkit-user-select:all value, the content of the element must be selected atomically: if a selection would contain part of the element, then the selection must contain the entire element including all its descendants.
- Misc: Deprecate PaymentAddress.careOf (removed) - The PaymentAddress interface has a careOf field which is non-standard (no well-known address standards support it, see below). The careOf field is unnecessary, the recipient and organization fields sufficiently support all necessary use cases. Adding careOf poses significant issues in terms of interoperability with existing postal address schemas and APIs.
- DOM: Do not perform default action on un-trusted events - According to the UI Events specification un-trusted events (i.e. those created by JavaScript) should not invoke the default action. 'click' is the only event that is a legacy permitted case.
- Misc: Drop LABEL element from form-associated elements (removed) - The HTML specification was changed so that LABEL element isn't a form-associated element. Remove 'form' content attribute support from LABEL element. Change the behavior of 'form' IDL attribute of LABEL element so that it returns the form owner of the associated control.
- Performance: Force flattening for elements with opacity < 1 - 3D-positioned descendants will be flattened by an ancestor that has opacity. Previously it did not, if that ancestor also specified transform-style: preserve-3d.
- Multimedia: Media Capture from HTML Media Element (<video>/<audio>) - The "Media Capture from DOM Elements" document by W3C defines a captureStream() method that allows the capture of a <video>/<audio> element in the form of a MediaStream. We want to implement the necessary Blink and Chromium sections that would create this stream by accessing the <video>/<audio> output according to the given playback constraints.
- Multimedia: MediaStreamTrack constraints API - Support for the new format of MediaStreamTrack constraints. Support for the API calls for getting, setting and querying constraints on a MediaStreamTrack.
- Realtime/Communication: Notification badges - A badge image may be used to represent a notification when there is not enough space to display the notification itself. It may also be displayed inside the notification, but then it should have less visual priority than the notification icon.
- Misc: PaymentRequest - An API that allows browsers to act as an intermediary between the three key parties in a financial transaction: the merchant (e.g. an online web store), the buyer (e.g. the user buying from the online web store), and the Payment Method (e.g. credit card). Information necessary to process and confirm a transaction is passed between the Payment Method and the merchant via the browser with the buyer confirming and authorizing as necessary across the flow.
- Multimedia: Promise-based getUserMedia - Adds the API navigator.mediaDevices.getUserMedia(), which returns a promise. As part of this feature, also release the unprefixed version of navigator.getUserMedia(), which uses callbacks.
- Graphics: Raster on composited layer scale change, except if will-change: transform or an accelerated animation is present - All content will be re-rastered when its transform scale changes, iff it does not have the will-change: transform CSS property. In other words, will-change: transform means "please animate it fast". This only applies to transform scales that happen via script manipulation, and does not apply to CSS animations. This means your site will likely get better-looking content, but it may also be slower without some simple changes outlined below.
- Security: Remove DHE-based ciphers (removed) - Last year, we raised the minimum TLS Diffie-Hellman group size from 512-bit to 1024-bit. As mentioned then, 1024-bit is insufficient for the long-term. However, metrics report that around 95% of DHE connections seen by Chrome use 1024-bit DHE. This, compounded with how DHE is negotiated in TLS, makes it difficult to move past 1024-bit. Servers should upgrade to ECDHE if available. Otherwise, ensure a plain-RSA cipher suite is enabled.
- File APIs: Remove FileError interface (deprecated) - FileError was removed from File API after Chrome shipped the feature. This surfaces on: FileReader.error, FileWriter.error, and in the FileSystem API passed to the ErrorCallback (async) and thrown (sync). Other browsers do not use this, returning DOMError instead, which is itself being deprecated in favor of DOMException. The interface has been deprecated since 2013. In Chrome 53 we're adding a console warning. Removal is anticipated in Chrome 54.
- Web Components: Shadow DOM v1 - The new Shadow DOM APIs, called v1, including: Element.attachShadow. New HTML Element: HTMLSlotElement. Slotable.assignedSlot. Event.composed and Event.composedPath().
- Misc: TextEncoder API: drop support for legacy encodings (removed) - The TextEncoder API never supported legacy encodings (such as 'shift_jis', 'windows-1252', etc) except for two UTF-16 variants ('utf-16', 'utf-16be'). Usage was minimal and support was removed from the spec. The TextEncoder constructor will no longer take an argument (if one is passed it is ignored, as is the standard for DOM APIs), and will always encode to "the encoding" (utf-8).
- CSS: Unprefixed CSS Filters - CSS Filters without the webkit prefix.
- Multimedia: WebAudio: New lowpass and highpass BiquadFilter implementation - The existing lowpass and highpass BiquadFilter implementation has a defect where valid filters cannot be represented. To fix this, the filter formulas were updated. However, the new formulas will cause a change in the output of the filters.
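For the "Remove DHE-based ciphers" item above, a server operator can check what a client that no longer offers DHE would negotiate against a given cipher list. This is an added example, not code from Browserling or the Chrome team; the sample lines are constructed in `openssl ciphers -v` output format, and the configuration names and the functions `parseCipherLine`, `assessWithoutDhe` and `auditAll` are hypothetical.

```javascript
// Added example. Sample lines are constructed in `openssl ciphers -v` format,
// listed in the server's preference order; config names are hypothetical.
const SAMPLE_CONFIGS = {
  dheOnly: [
    'DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD',
    'DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1',
  ],
  dheThenRsa: [
    'DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD',
    'AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD',
  ],
  ecdheFirst: [
    'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD',
    'DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD',
    'AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1',
  ],
};

// Parse one line into { name, family }. Kx=DH is ephemeral DH (DHE),
// Kx=ECDH is ECDHE, Kx=RSA is plain RSA key transport.
function parseCipherLine(line) {
  const fields = line.trim().split(/\s+/);
  const kx = fields.find((f) => f.startsWith('Kx='));
  if (fields.length < 2 || !kx) throw new Error(`unparseable line: ${line}`);
  const families = { DH: 'DHE', ECDH: 'ECDHE', RSA: 'RSA' };
  return { name: fields[0], family: families[kx.slice(3)] || 'other' };
}

// Simulate a client that offers no DHE suites: the server takes its first
// preferred suite the client still offers. Assumption: the client supports
// every non-DHE suite in the list.
function assessWithoutDhe(lines) {
  const suites = lines.map(parseCipherLine);
  const dropped = suites.filter((s) => s.family === 'DHE').map((s) => s.name);
  const chosen = suites.find((s) => s.family !== 'DHE') || null;
  let verdict = 'handshake-fails';
  if (chosen) {
    // Plain RSA connects but gives up forward secrecy; ECDHE keeps it.
    verdict = chosen.family === 'ECDHE' ? 'ok-ecdhe' : 'fallback-' + chosen.family.toLowerCase();
  }
  return { verdict, negotiated: chosen && chosen.name, dropped };
}

function auditAll(configs = SAMPLE_CONFIGS) {
  return Object.fromEntries(
    Object.entries(configs).map(([name, lines]) => [name, assessWithoutDhe(lines)])
  );
}

console.log(auditAll());
```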
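For the "Apply Unicode flag to 'pattern' content attribute" item above, this added example (not from the original post or the Chrome project) compares how the same pattern validates input when compiled with and without the "u" flag, including the case where a pattern stops compiling and the browser ignores it. The patterns, inputs and function names are constructed for illustration.

```javascript
// Added example. Models how an <input pattern> value is compiled: anchored as
// ^(?:pattern)$, without flags before the change and with the "u" flag after.
function compilePattern(pattern, flags) {
  try {
    return new RegExp('^(?:' + pattern + ')$', flags);
  } catch (err) {
    return null; // a pattern that fails to compile is ignored by the browser
  }
}

// Reports whether `value` passes the constraint under each compilation.
// `enforced` is false when the pattern no longer compiles with "u", meaning
// the field silently loses its client-side check.
function comparePattern(pattern, value) {
  const legacy = compilePattern(pattern, '');
  const unicode = compilePattern(pattern, 'u');
  return {
    legacyAccepts: legacy ? legacy.test(value) : true,
    unicodeAccepts: unicode ? unicode.test(value) : true,
    enforced: unicode !== null,
  };
}

// Constructed form patterns and inputs (U+1F600 is one code point, two UTF-16 units).
const CASES = [
  { pattern: '.', value: '\u{1F600}' },                    // single "character"
  { pattern: '.{1,4}', value: '\u{1F600}'.repeat(3) },     // length limit
  { pattern: '\\d{3}\\-\\d{4}', value: 'not-a-number' },   // \- is invalid under "u"
  { pattern: '[A-Z]{2}\\d+', value: 'AB123' },             // unaffected
];

// Return only the cases whose outcome differs, or whose check is lost.
function auditPatterns(cases = CASES) {
  return cases
    .map((c) => ({ ...c, ...comparePattern(c.pattern, c.value) }))
    .filter((c) => c.legacyAccepts !== c.unicodeAccepts || !c.enforced);
}

console.log(auditPatterns());
```

Patterns flagged with `enforced: false` accept any input in the browser, so the same rule still has to be checked on the server.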
The new release also includes 33 security fixes. The following fixes were featured by the Chrome team:
- CVE-2016-5159: Heap overflow in PDFium. Credit to GiWan Go of Stealien.
- CVE-2016-5161: Type confusion in Blink. Credit to 62600BCA031B9EB5CB4A74ADDDD6771E.
- CVE-2016-5162: Extensions web accessible resources bypass. Credit to Nicolas Golubovic.
- CVE-2016-5155: Address bar spoofing. Credit to anonymous.
- CVE-2016-5151: Use after free in PDFium. Credit to anonymous.
- CVE-2016-5163: Address bar spoofing. Credit to Rafay Baloch PTCL Etisalat.
- CVE-2016-5165: Script injection in DevTools. Credit to Gregory Panakkal.
- CVE-2016-5166: SMB Relay Attack via Save Page As. Credit to Gregory Panakkal.
- CVE-2016-5147: Universal XSS in Blink. Credit to anonymous.
- CVE-2016-5153: Use after destruction in Blink. Credit to Atte Kettunen of OUSPG.
- CVE-2016-5158: Heap overflow in PDFium. Credit to GiWan Go of Stealien.
- CVE-2016-5152: Heap overflow in PDFium. Credit to GiWan Go of Stealien.
- CVE-2016-5157: Heap overflow in PDFium. Credit to anonymous.
- CVE-2016-5148: Universal XSS in Blink. Credit to anonymous.
- CVE-2016-5164: Universal XSS using DevTools. Credit to anonymous.
- CVE-2016-5149: Script injection in extensions. Credit to Max Justicz.
- CVE-2016-5160: Extensions web accessible resources bypass. Credit to @l33terally.
- CVE-2016-5154: Heap overflow in PDFium. Credit to anonymous.
- CVE-2016-5150: Use after free in Blink. Credit to anonymous.
- CVE-2016-5156: Use after free in event bindings. Credit to jinmo123.
Happy cross-browser testing in Chrome 53!