Posted on January 1, 2017

Today Google released Chrome 56 on Windows, Mac and Linux platforms. We just deployed Chrome 56 to all servers and it's now available to all our paying customers and free users. You can already cross-browser test your sites in this version!
Try Chrome 56 in Browserling now!
Chrome 56 has several key new features and changes:
- HTML5 is enabled by default for all users.
- Adobe Flash Player is automatically blocked for most sites that require the plugin.
- Unsecured HTTP sites are now labeled.
- The CSS property position: sticky is back. This property makes it easy to create elements that scroll normally until they stick to the top of the viewport.
- Users can now select Bluetooth Low Energy devices to connect to web sites that use the Web Bluetooth API.
Here's a list of all Chrome 56 features and updates:
- CSS: "system-ui" generic font family - This generic font family allows authors to style contents so it fits within the system UI.
- DOM: 2nd arg of document.createElement should be an object - This feature adds a dictionary as a second argument for document.createElement. The dictionary's 'is' member is used to set the custom element attribute.
- Security: CSP 'referrer' directive - The CSP 'referrer' directive allows site owners to set a Referrer Policy (https://w3c.github.io/webappsec-referrer-policy/) for their page from an HTTP header. The 'referrer' directive has been removed from the spec and replaced with the Referrer-Policy header.
- Security: CSP: SecurityPolicyViolationEvent for Workers - When a Worker's CSP is violated, we should fire a 'SecurityPolicyViolation' event at its global object.
- CSS: border-image-repeat: space support - Previously, "space" was implemented the same as "repeat".
- CSS: position: sticky - Sticky is a new way to position elements and is conceptually similar to position: fixed. The difference is that a stickily positioned element behaves like position: relative within its parent, until a given offset threshold is met.
- CSS: New names for motion path properties - Motion paths allow authors to animate any graphical object along an author-specified path. The CSS properties are being named: offset-path offset-distance offset-rotate.
- CSS: CSSConditionRule interface - The CSSConditionRule interface inherits from CSSGroupingRule. CSSMediaRule and CSSSupportsRule both inherit from CSSConditionRule. Before the introduction of CSSConditionRule in Blink, CSSMediaRule inherited from CSSGroupingRule, while CSSSupportsRule inherited from CSSRule and duplicated the members of CSSGroupingRule.
- DOM: Deprecate SVGSVGElement.currentView/useCurrentView and SVGViewSpec interface - SVGSVGElement.currentView/useCurrentView and SVGViewSpec interface are removed from SVG2.0 spec.
- Security: Deprecate reflected-xss CSP directive - Early drafts of CSP2 contained a reflected-xss directive, which is little more than syntactic sugar for the X-XSS-Protection header. It offered no additional functionality beyond that header, just a better syntax.
- Network/Connectivity: Deprecate all fetches for scripts with invalid type/language attributes - Right now, the preload scanner will send fetches for script tags regardless of type/language, but the script will not execute when parsed. Often, sites will use these custom tags combined with XHR, resulting in double downloads. By deprecating the fetch, the preload scanner and the parser will have the same semantics, and we will not be initiating fetches for scripts we will not execute. To work around this issue and maintain the fetch, sites should use link preload.
- DOM: Deprecate and Remove SVGViewElement.viewTarget attribute - As per SVG2.0, SVGViewElement.viewTarget is removed.
- Realtime/Communication: Deprecate and remove MediaStreamTrack.getSources() - Remove support for the MediaStreamTrack.getSources() method. This method was removed from the spec in favor of MediaDevices.enumerateDevices().
- DOM: Dispatch synthetic events (at least until its root) when target and relatedTarget are identical - So far, Blink does not dispatch synthetic events if all of the following conditions are satisfied: 1) the event's target is in a shadow tree, 2) the event has a relatedTarget, 3) the event's target and relatedTarget are identical. The new behavior will dispatch synthetic events even if all of these conditions are satisfied.
- Multimedia: FLAC codec support for - Enables support for the FLAC audio codec within the FLAC and Ogg containers for the HTML5
- Performance: Fire VisibilityChange event on document unloading - Visibilitychange event should fire as part of unload process and document.visibilityState should report 'hidden'.
- User input: Fractional coordinates in MouseEvents - Update the types of all coordinates in MouseEvents from long to double to make the coordinates more precise for PointerEvents on high-DPI devices. Note, however, that the only browser-fired events that will change are PointerEvents. MouseEvents will continue to have integral coordinates for backward compatibility.
- CSS: Inert URL Bar - Hiding and Showing the URL bar will no longer resize the initial containing block or elements sized with vh units. This matches iOS Safari.
- Misc: Intervention - Scroll Anchoring - Scroll anchoring adjusts the scroll position to prevent visible jumps (or "reflows") when content changes above the viewport. Scroll anchoring introduces CSS "overflow-anchor" as an opt-out for developers.
- User input: KeyboardEvent.isComposing - Allows an app to determine if there is an active composition outstanding for keyboard events being generated without monitoring composition events directly.
- Performance: Link header support for the "prefetch" rel value - The proposed change will add support for the "prefetch" rel value in Link headers, enabling easy addition of such resource hints and therefore easier hinting of resources needed for next navigation.
- Multimedia: MediaStream Image Capture - Enable taking pictures from an Image/Video Capture Device.
- Device: Notification image - Allows developers to show a large image as part of the content of a notification (whereas the existing icon and badge properties tend to be icons and are rendered smaller).
- Multimedia: OPUS codec support in WebAudio's decodeAudioData() API - Extends support for OPUS to WebAudio's decodeAudioData() API.
- Misc: PaymentRequest.canMakePayment() - A method in PaymentRequest, canMakePayment(), that returns a boolean indicating whether or not the user has the ability to make a payment at the time PaymentRequest.show() is called.
- Security: RSA-PSS for TLS - In preparation for TLS 1.3, ship RSA-PSS signature algorithms in our TLS implementation. This will improve the options available for signing with RSA keys in TLS 1.2 (aligning with QUIC and TLS 1.3) and, more importantly, pave the road for TLS 1.3 by ensuring the ecosystem can handle new signature algorithms.
- Network/Connectivity: RTCConfiguration iceTransportPolicy member - RTCConfiguration is the type of the optional first argument to the RTCPeerConnection constructor. Previously only 'iceTransports' was supported, but now the standard 'iceTransportPolicy' will also be supported.
- Network/Connectivity: RTCPeerConnection unprefixed interface - This entry tracks exposing the unprefixed RTCPeerConnection. webkitRTCPeerConnection has been exposed for a long time, and removing it is not part of this entry.
- Security: Referrer-Policy header - The Referrer-Policy header allows pages to set a referrer policy by sending an HTTP response header.
- Multimedia: Remote Playback API - This specification defines an API extending the HTMLMediaElement that enables controlling remote playback of media from a web page. In M56, this will work on Android only (desktop will report no devices available) with the desktop backend being added later.
- Security: Remove CBC-mode ECDSA ciphers in TLS - Remove ECDHE_ECDSA_WITH_AES_128_CBC_SHA and ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS cipher suites. TLS's CBC-mode construction is flawed, making it fragile and very difficult to implement securely. Although CBC-mode ciphers are still widely used with RSA, they are virtually nonexistent with ECDSA.
- Security: Remove TLS 1.2 ECDSA with SHA-1 and SHA-512 signature algorithms - In most modes, TLS 1.2 uses a signature in the ServerKeyExchange message to prove ownership of the private key. (Note this is NOT related to SHA-1 certificates.) There is an extension, signature_algorithms, to negotiate which signature algorithms are acceptable. To reduce dependencies on SHA-1 and prepare for TLS 1.3's new ECDSA handling, we intend to remove ECDSA with SHA-1 and ECDSA with SHA-512, leaving only SHA-256 and SHA-384 for ECDSA.
- DOM: Remove case-insensitive matching for radio button group names - "Compatibility caseless" had been applied to radio button group name matching. The specification was updated so that case-sensitive matching is applied.
- Network/Connectivity: Rename RTCIceCandidateEvent to RTCPeerConnectionIceEvent and expose - This entry tracks renaming RTCIceCandidateEvent (implemented and shipped) to RTCPeerConnectionIceEvent and exposing the RTCPeerConnectionIceEvent constructor.
- CSS: Render Unicode control characters - Currently Chrome and other browsers do not render Unicode control characters. This violates the Unicode spec and the handling in other software. With this change, non-whitespace control characters will be rendered.
- Network/Connectivity: Stop Trusting SHA-1 Certificates - Protect Chrome users from attackers who might use the broken SHA-1 hash algorithm to obtain counterfeit website authentication certificates.
- DOM: Stop re-signaling a slotchange event. - Blink no longer re-fires a slotchange event at a slot's assignedSlot (or parent slot).
- Security: Supporting chrome_settings_overrides API on OS X - The API is currently only available on Windows. This change will enable it on OS X as well.
- Security: TLS 1.3 - The latest version of the Transport Layer Security (TLS) protocol. In this initial release, we'll support 1-RTT based on draft-18 for a fraction of users under a field trial.
- Graphics: The ImageBitmap rendering context for canvas elements - The interface ImageBitmapRenderingContext is a low-overhead path for bringing pixel data in the form of an ImageBitmap object to the display. It uses transfer semantics to avoid memory copies and compositing overhead and to reduce memory consumption.
- CSS: Throttle the rendering pipeline during page load when there's pending sheets. - Delay running the rendering pipeline (style, layout, paint) and executing requestAnimationFrame callbacks inside iframes until pending stylesheets have finished loading.
- CSS: Touch-action: pinch-zoom CSS property - Support the touch-action: pinch-zoom CSS property. The user agent MAY consider touches that begin on the element for the purposes of continuous zooming and immediately execute the default action instead of waiting for an event handler to not cancel it.
- DOM: Treat Document Level Touch Event Listeners as Passive - AddEventListenerOptions defaults passive to false. With this change touchstart and touchmove listeners added to the document will default to passive:true (so that calls to preventDefault will be ignored). If the value is explicitly provided in the AddEventListenerOptions it will continue having the value specified by the page.
- User input: User gesture for touch scrolling - No longer allow opening pop-ups (and other sensitive operations) to occur during input events which represent a touch scroll. In particular, touchstart and touchmove listeners now never have a user gesture. touchend listeners do have a user gesture unless the user was scrolling / pinching.
- Device: Web Bluetooth API - Allows web sites to communicate over GATT with nearby user-selected Bluetooth devices in a secure and privacy-preserving way.
- Device: Web MIDI MIDIMessageEvent.receivedTime deprecation - Deprecate receivedTime property from MIDIMessageEvent. This is because the attribute was introduced to represent a high-resolution timestamp for real-time MIDI processing, but DOM Event started using hi-resolution monotonic time instead of epoch time for Event.timeStamp that can cover our use-case too.
- Multimedia: WebAudio: Add ConstantSourceNode - Add a new ConstantSourceNode that produces a constant output mixed with an AudioParam. This node serves as a constant source and also as a "constructible AudioParam".
- Multimedia: WebAudio: ChannelSplitterNode channelCount and channelCountMode are constant - The channelCount and channelCountMode attributes for a ChannelSplitterNode are fixed to the number of outputs and "explicit", respectively. They cannot be changed.
- Multimedia: WebAudio: PannerNode.rolloffFactor clamps to nominal range. - The PannerNode.rolloffFactor clamps to the nominal range which depends on the distance model being used.
- Multimedia: WebAudio: Remove Doppler API - Remove the deprecated Doppler API. This includes removing speedOfSound, dopplerFactor, and setVelocity from the WebAudio API. This was removed from the WebAudio spec quite a while ago. The actual effect was removed a while ago, but the API remained. The API is being removed now.
- Graphics: WebGL 2 - OpenGL ES 3.0 level rendering capabilities via the <canvas> element.
- DOM: document.rootScroller - Allow a non-document (or <body>) element to hide URL bar, generate overscroll glow, etc. on scrolling, effects normally reserved for "viewport scrolling" only.
- JavaScript: window.prompt() will not activate parent page - If a document in a background tab calls window.prompt() then the call to prompt() will return immediately, and no dialog will be shown to the user for that call to prompt(). If the tab is foremost (if it is the active tab in the front window), then the call will show a dialog. Specifically, this removes the ability to use window.prompt() to bring a tab to the front against the user's will.
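Three of the security entries above concern the same migration: the CSP 'referrer' directive and the CSP2 'reflected-xss' directive are deprecated, and the Referrer-Policy (and, for XSS filtering, X-XSS-Protection) response headers take their place. The following is an added example, not code from the Browserling post or from Chrome; it is a small Node.js linter that parses a Content-Security-Policy header, flags those two deprecated directives, and emits the header-based replacements. The sample policy is constructed, and the reflected-xss value mapping (allow/block/filter) follows the CSP2 draft the entry refers to.

```javascript
// Added example (not from the Browserling post): flag the CSP directives
// Chrome 56 deprecates and derive the replacement response headers.

// Deprecated directive -> header that replaces it (per the release notes).
const REPLACEMENTS = new Map([
  ["referrer", "Referrer-Policy"],
  ["reflected-xss", "X-XSS-Protection"],
]);

// reflected-xss values from the CSP2 draft -> equivalent X-XSS-Protection value.
const XSS_MODES = new Map([
  ["allow", "0"],
  ["block", "1; mode=block"],
  ["filter", "1"],
]);

// Parse a CSP header value into a Map of directive name -> value tokens.
// Directives are ';'-separated; the first occurrence of a name wins.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// One finding per deprecated directive present in the header.
function findDeprecatedDirectives(header) {
  const findings = [];
  for (const [name, values] of parseCsp(header)) {
    if (REPLACEMENTS.has(name)) {
      findings.push({ directive: name, value: values.join(" "), replacement: REPLACEMENTS.get(name) });
    }
  }
  return findings;
}

// Produce the migrated header set: CSP without the deprecated directives,
// plus Referrer-Policy / X-XSS-Protection carrying the old values.
function migrateHeaders(header) {
  const policy = parseCsp(header);
  const out = {};
  const referrer = policy.get("referrer");
  if (referrer && referrer.length) out["Referrer-Policy"] = referrer[0];
  const xss = policy.get("reflected-xss");
  if (xss && XSS_MODES.has(xss[0])) out["X-XSS-Protection"] = XSS_MODES.get(xss[0]);
  for (const name of REPLACEMENTS.keys()) policy.delete(name);
  out["Content-Security-Policy"] = [...policy].map(([n, v]) => [n, ...v].join(" ")).join("; ");
  return out;
}

// Constructed sample policy exercising both deprecated directives.
const SAMPLE_CSP = "default-src 'self'; referrer no-referrer-when-downgrade; reflected-xss block; script-src 'self'";
console.log(findDeprecatedDirectives(SAMPLE_CSP));
console.log(migrateHeaders(SAMPLE_CSP));
```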
The new release also includes 51 security fixes. The following fixes were highlighted in the Chrome release notes:
- CVE-2017-5010: Universal XSS in Blink. Credit to Mariusz Mlynski.
- CVE-2017-5015: Address spoofing in Omnibox. Credit to Armin Razmdjou.
- CVE-2017-5016: UI spoofing in Blink. Credit to Haosheng Wang (@gnehsoah).
- CVE-2017-5019: Use after free in Renderer. Credit to Wadih Matar.
- CVE-2017-5025: Heap overflow in FFmpeg. Credit to Paul Mehta.
- CVE-2017-5012: Heap overflow in V8. Credit to Gergely Nagy (Tresorit).
- CVE-2017-5008: Universal XSS in Blink. Credit to Mariusz Mlynski.
- CVE-2017-5018: Universal XSS in chrome://apps. Credit to Rob Wu.
- CVE-2017-5013: Address spoofing in Omnibox. Credit to Haosheng Wang (@gnehsoah).
- CVE-2017-5022: Bypass of Content Security Policy in Blink. Credit to evi1m0#ly.com.
- CVE-2017-5024: Heap overflow in FFmpeg. Credit to Paul Mehta.
- CVE-2017-5011: Unauthorised file access in Devtools. Credit to Khalil Zhani.
- CVE-2017-5014: Heap overflow in Skia. Credit to sweetchip.
- CVE-2017-5017: Uninitialised memory access in webm video. Credit to Dan Berman.
- CVE-2017-5023: Type confusion in metrics. Credit to the UK's National Cyber Security Centre (NCSC).
- CVE-2017-5020: Universal XSS in chrome://downloads. Credit to Rob Wu.
- CVE-2017-5009: Out of bounds memory access in WebRTC. Credit to Sean Stanek and Chip Bradford.
- CVE-2017-5007: Universal XSS in Blink. Credit to Mariusz Mlynski.
- CVE-2017-5027: Bypass of Content Security Policy in Blink.
- CVE-2017-5021: Use after free in Extensions. Credit to Rob Wu.
- CVE-2017-5006: Universal XSS in Blink. Credit to Mariusz Mlynski.
- CVE-2017-5026: UI spoofing. Credit to Ronni Skansing.
Happy cross-browser testing in Chrome 56!