Posted on October 10, 2016
Chrome 54 was released today. We just installed it in our browser cloud and it's available for cross-browser testing your websites, JavaScript code and designs.
Try Chrome 54 in Browserling now!
What are the key new features and changes in Chrome 54?
- "Other bookmarks" tab has changed appearance.
- The message "Right-click to play Adobe Flash Player" now appears while pages with Adobe Flash Player are loading.
- Bug fixes and speedy performance improvements (Android).
- View article suggestions for you on the new tab page (Android).
- Play media in the background for sites that support it (Android).
- Update saved passwords when you change or reset your password (Android).
- No internet connection? Smile and tap the dinosaur (iOS).
- Fixed bookmark icons not displaying correctly (iOS).
- Fixed phone number detection issues in web pages (iOS).
- Stability improvements and bug fixes (iOS).
What are the new web features in Chrome 54?
- DOM: Align behavior of window.external.IsSearchProviderInstalled and window.external.AddSearchProvider with the spec - window.external.IsSearchProviderInstalled and window.external.AddSearchProvider will both be defined as methods that are no-ops. This was never implemented in Safari. In IE10, these methods are (mostly) no-ops: IsSearchProviderInstalled always returns 2, and AddSearchProvider always returns S_OK. Firefox still implements this, but notes that it may be removed at any time.
- Misc: Blocking sync XHR during microtask execution (removed) - Certain blocking APIs spin up nested message loops. Invoking those APIs during microtask execution has undesirable effects, e.g., it is possible that events are dispatched during microtasks. Those APIs currently are alert, prompt, confirm, print, and send() on synchronous XHRs.
- Realtime / Communication: BroadcastChannel - BroadcastChannel allows scripts from the same origin but other browsing contexts to send each other messages. Channels are scoped to an origin and have a name; messages posted to a channel will be delivered to all listeners of that channel in all documents.
- Network / Connectivity: CECPQ1 in TLS - CECPQ1 is a post-quantum cipher suite: one that is designed to provide confidentiality even against an attacker who possesses a large quantum computer. It is a key-agreement algorithm plugged into TLS that combines X25519 and NewHope, a ring-learning-with-errors primitive. Even if NewHope turns out to be breakable, the X25519 key-agreement will ensure that it provides at least the security of our existing connections. This is only an experiment and will only be used on a small fraction of HTT.
- CSS: CSS text-size-adjust - The text-size-adjust property lets authors control and disable the text autosizing feature which increases font sizes on mobile.
- Offline / Storage: CacheStorage CacheQueryOptions support - CacheQueryOptions (ignoreMethod, ignoreVary, ignoreQuery, and cacheName) have been exposed but worked inconsistently across the various CacheStorage methods. As of M54 they are all supported as specified.
- Web Components: Custom Elements v1 - Custom Elements let web authors define their own tags. Chrome shipped an implementation based on the working draft of the spec in M33. The current editor's draft of the spec has significant updates based on web developer and implementer feedback.
- DOM: Deprecate SVGSVGElement.viewport attribute (deprecated) - The implementation is trivial but entirely useless and has been since 2012. The attribute is not present at all in Gecko.
- DOM: Deprecate SVGTests.requiredFeatures attribute (deprecated) - In SVG2, hasFeature always returns true, so the requiredFeatures attribute does nothing useful.
- DOM: Deprecate and Remove SVGZoomEvent (removed) - SVGZoomEvent has been removed from the SVG 2.0 specification and has a non-functional implementation in Chromium. Since it doesn't work but is still feature detectable, it's in a confusing state right now and should be removed.
- User input: Deprecate and remove initTouchEvent (removed) - Chrome's initTouchEvent is not interoperable with Safari's or Firefox's version of initTouchEvent.
- Misc: Disable navigations in the unload handler. - When a navigation is initiated in the unload handler, it should be blocked and the previous navigation should continue.
- Network / Connectivity: Enterprise flag to allow continued use of SHA-1 certificates by private PKIs - Private PKIs are not bound by the CA/Browser Forum's Baseline Requirements, and many may not have completed the process to deprecate SHA-1 by Jan 2017, after which we'll start showing interstitials. Provide an enterprise flag that would cause SHA-1 certificates that chain to a locally installed trust anchor to display the standard HTTP page icon after Jan 2017.
- Network / Connectivity: Foreign Fetch - Foreign Fetch is a proposal to enable third party Service Workers.
- Misc: Link rel=serviceworker - Add support for LINK rel=serviceworker as an element and header to allow the installation of a Service Worker declaratively in a document or via a header.
- Multimedia: MediaStream ended event and onended attribute (removed) - The ended event and the corresponding onended attribute have been removed from the MediaStream spec.
- DOM: Node.getRootNode(options) - The getRootNode(options) attribute's getter must return context object's shadow-including root if options's composed is true, and context object's root otherwise.
- JavaScript: Object.entries() and Object.values() - These methods are siblings to the Object.keys() function, and aim to provide Objects with the same set of iteration methods that exist for other ES2015 types (Array, Map, and Set).
- Realtime / Communication: PushSubscription.options - An "options" attribute is added to PushSubscription objects that the PushManager.subscribe(...) and getSubscription() promises resolve to. It reflects the options passed in when subscribing. This allows web developers to see what applicationServerKey each PushSubscription is associated with, and hence what key their server will need to present when sending messages. Previously web developers with more than one applicationServerKey had to keep track of this separately (e.g. in IndexedDB).
- User input: Remove KeyEvent.keyIdentifier (removed) - Remove the WebKit specific KeyEvent.keyIdentifier field. It is not specified in a current specification and has a number of interoperability concerns. The KeyboardEvent.key field is a suitable specified replacement for this field.
- Misc: Request fullscreen on orientation change - Allow web pages to request fullscreen while an orientation change event handler is running. This will allow pages to go fullscreen when the user turns their device.
- Performance: Resize Observer - The Resize Observer API can be used to observe changes to Element's content rect.
- Security: SRI: The require-sri-for CSP directive - The require-sri-for directive gives developers the ability to assert to the browser that every resource of a given type ought to be integrity checked. If a resource of that type is loaded without integrity metadata, it will be rejected without triggering a network request.
- Performance: Size related attributes to Resource Timing API - Add size related attributes transfer, encoded, decoded to Resource Timing API. Changes to API surface.
- CSS: Unprefixed CSS user-select - The user-select property enables authors to specify which elements in the document can be selected by the user and how. Chrome has supported only prefixed version: -webkit-user-select.
- Device: WebUSB API - The web platform API to support programming USB devices.
- Graphics: imageSmoothingQuality attribute for CanvasRenderingContext2D - It allows a web developer to choose the quality/performance tradeoff when scaling images. There are 3 options in total: low, medium and high.
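To illustrate the require-sri-for item above, here is an added example (not code from Chrome or from this post) that approximates the check over static markup: given a CSP header and an HTML document, it lists the external scripts and stylesheets that would be rejected for lacking integrity metadata. The function names, the sample policy, the cdn.example URLs and the integrity value are constructed for illustration; the browser enforces the directive on actual fetches, including elements inserted by script, which a static scan does not see.

```javascript
// Constructed sample policy and page; hostnames and hash are placeholders.
const SAMPLE_CSP = "default-src 'self'; require-sri-for script style";
const SAMPLE_HTML = `
<script src="https://cdn.example/app.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
<link rel="icon" href="/favicon.ico">
<script>inlineCode();</script>
`;

// Return the resource types ("script", "style") named by require-sri-for.
function requiredSriTypes(csp) {
  for (const directive of csp.split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "require-sri-for") {
      return new Set(values.map((v) => v.toLowerCase()));
    }
  }
  return new Set();
}

// Read one quoted attribute value from a start tag, or null if absent.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
}

// List external scripts/stylesheets the policy would refuse to load.
function findSriViolations(csp, html) {
  const types = requiredSriTypes(csp);
  const violations = [];
  for (const [tag] of html.matchAll(/<(script|link)\b[^>]*>/gi)) {
    const isScript = /^<script/i.test(tag);
    const url = isScript ? attr(tag, "src") : attr(tag, "href");
    if (!url) continue; // no URL to fetch (e.g. inline script)
    const rel = (attr(tag, "rel") || "").toLowerCase().split(/\s+/);
    const type = isScript ? "script" : rel.includes("stylesheet") ? "style" : null;
    // A missing or empty integrity attribute counts as no integrity metadata.
    if (type && types.has(type) && !attr(tag, "integrity")) {
      violations.push({ type, url });
    }
  }
  return violations;
}

console.log(findSriViolations(SAMPLE_CSP, SAMPLE_HTML));
```

Running this against built pages before deploying a require-sri-for policy shows which tags need an integrity attribute first.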
What security flaws were fixed in Chrome 54?
- CVE-2016-5192: Cross-origin bypass in Blink. Credit to haojunhou.
- CVE-2016-5193: Scheme bypass. Credit to Yuyang ZHOU (martinzhou96).
- CVE-2016-5186: Out of bounds read in DevTools. Credit to Abdulrahman Alqabandi (@qab).
- CVE-2016-5188: UI spoofing. Credit to Luan Herrera.
- CVE-2016-5184: Use after free in PDFium. Credit to Anonymous.
- CVE-2016-5190: Use after free in Internals. Credit to Atte Kettunen of OUSPG.
- CVE-2016-5187: URL spoofing. Credit to Luan Herrera.
- CVE-2016-5189: URL spoofing. Credit to xisigr of Tencent's Xuanwu Lab.
- CVE-2016-5183: Use after free in PDFium. Credit to Anonymous.
- CVE-2016-5182: Heap overflow in Blink. Credit to Giwan Go of STEALIEN.
- CVE-2016-5185: Use after free in Blink. Credit to cloudfuzzer.
- CVE-2016-5181: Universal XSS in Blink. Credit to Anonymous.
- CVE-2016-5191: Universal XSS in Bookmarks. Credit to Gareth Hughes.
Happy cross-browser testing in Chrome 54!