Posted on March 3, 2017
Over the weekend Google released Chrome 57 on Windows, OSX and Linux platforms. We just installed Chrome 57 to our cross-browser testing cloud. You can already try the new browser and start testing your websites and code!
Try Chrome 57 in Browserling now!
Key changes in Chrome 57
- WebAssembly has now been enabled (two days after Firefox enabled it in Firefox 52).
- CSS grid layouts.
- Improved "Add to Home" screen.
- Media Session API (Application Programming Interface).
Developer features and updates in Chrome 57
- Multimedia: Add sequence<DOMString> constructor to PresentationRequest and PresentationConnection.url - This change adds a new constructor to PresentationRequest taking multiple URLs (sequence<DOMString>), in addition to the existing constructor that takes a single URL. It also adds the url attribute to PresentationConnection to tell the site what URL was presented.
- Security: CSP3: The 'worker-src' directive - The 'worker-src' directive restricts the URLs which may be loaded as a Worker, SharedWorker, or ServiceWorker. It falls back to 'child-src' (which, in turn, falls back to 'default-src').
- CSS ::placeholder pseudo element - Unprefixed version of ::-webkit-input-placeholder.
- CSS Grid Layout - A two-dimensional grid-based layout system, optimized for user interface design.
- CSS UI: caret-color property - This property allows coloring the insertion caret.
- CSS3 Text Decorations - The CSS3 Text Decoration specification provides new properties that implement new text decoration styling features such as lines, color and style.
- CSS: Child-indexed pseudo-classes matching elements without a parent - Change how the child-indexed pseudo-class selectors are matched so they also match elements without a parent. This is a change in the spec from selectors-3 to selectors-4. The reasoning for this is explained in the spec.
- Misc: Remove webkitCancelRequestAnimationFrame - webkitCancelRequestAnimationFrame is an obsolete, vendor-specific API. Authors should use cancelAnimationFrame instead.
- CSS: Deprecate internal-media-controls-cast-button - -internal-media-controls-cast-button selector exposes Blink internal shadow DOM to the web content. Authors that want to have a custom cast button should use custom controls and implement a cast button with the Remote Playback API.
- CSS: Deprecate internal-media-controls-overlay-cast-button - -internal-media-controls-overlay-cast-button selector exposes Blink internal shadow DOM to the web content. Authors that want to have a custom cast button should use custom controls and implement a cast button with the Remote Playback API. Authors that have custom controls and want to hide the overlay can use the disableRemotePlayback attribute.
- CSS: Deprecate internal-media-controls-text-track-list - -internal-media-controls-text-track-list* selectors expose Blink internal shadow DOM to the web content. Authors that want to have a custom text track picking interface should use custom controls.
- Network/Connectivity: Drop support for embedded credentials in subresource requests - We should block requests for subresources that contain embedded credentials. Such resources would be handled as network errors.
- CSS: FontFaceSetLoadEvent Constructor - This entry tracks exposing FontFaceSetLoadEvent constructor.
- Multimedia: Fullscreen Media Orientation - Automatically lock the screen orientation when a video with default controls goes fullscreen in order to maximize the screen usage. The orientation of the screen will match the aspect ratio of the video.
- DOM: HTMLIFrameElement.allowpaymentrequest - IFrame support for web payments.
- Multimedia: Intervention: Block audible cross-origin autoplay - This is an intervention that intends to block cross-origin iframes from autoplaying audible media. In other words, cross-origin iframes on desktop will behave like mobile currently behaves: only muted/inaudible autoplay will be allowed.
- User input: Intervention: Passive Touch Event Listeners During Fling - Passive Event Listeners is a way to improve the scroll performance by unblocking scrolling on touch and wheel event listeners, so that scrolling happens immediately while the events are processed by javascript.
- Performance: Intervention: Throttle expensive background timers - As an intervention we want to limit how much CPU a background page is allowed to use and to throttle timer queues when this limit is violated. Current target is that background page CPU load level should be under 1%.
- Performance: Intervention: Throttle timers in out-of-view frames - As an intervention we want to limit the rate at which timers in out-of-view, cross-origin frames are able to fire. Until very recently it wasn't possible for script authors to easily determine whether their content was visible to the user or not. A common pattern therefore is to use a continuous setTimeout() loop for driving animations without considering visibility, which can be very costly for performance.
- DOM: Remove legacy constants on Event. - There are 16 numeric constants on Event, Event.MOUSEDOWN and others. These constants no longer serve any purpose.
- Multimedia: Media Session - Enable websites to customize media metadata so they can control the notification and lock screen UI. Also, allow them to control media in the page from outside the page, such as platform UIs and media keys.
- Multimedia: MediaStreamTrack Content Hints - This feature extends MediaStreamTrack to provide a media-content hint attribute. This optional hint permits MediaStreamTrack consumers such as PeerConnection or MediaRecorder to encode or process track media with methods more appropriate to the type of content that is being consumed.
- Network/Connectivity: Navigation preload for service workers - An API that enables the browser to send "preload" network requests for navigations before executing the fetch event handler in the service worker that intercepts the target URL. The worker has access to the preload response inside the fetch event handler. Common use cases would be to respond with the preload response directly, or use it to populate the response.
- Misc: PaymentDetails.error - When the payment request is updated using updateWith, the PaymentDetails can contain a message in the error field that will be displayed to the user. For example, this might commonly be used to explain why goods cannot be shipped to the chosen shipping address. The error field cannot be passed to the PaymentRequest constructor. Doing so will cause a TypeError to be thrown.
- Performance: Remove prefixed resource timing buffer-management API - Support for webkitClearResourceTimings(), webkitSetResourceTimingBufferSize(), and onwebkitresourcetimingbufferfull is removed from the Performance interface, in favor of clearResourceTimings(), setResourceTimingBufferSize(), and onresourcetimingbufferfull. Currently warnings are produced, but upon removal, the prefixed versions will no longer exist.
- Network/Connectivity: RTCDataChannelEvent constructor - This entry tracks exposing the RTCDataChannelEvent constructor. RTCDataChannel and RTCDataChannelEvent were implemented and shipped before the current process.
- Offline/Storage: Deprecate FileReaderSync in service workers - The Service Worker spec has always had the (non-normative) note that "any type of synchronous requests must not be initiated inside of a service worker", to avoid blocking the service worker (as blocking the service worker would block all network requests from controlled pages). However synchronous APIs such as FileReaderSync were still available in service workers. So we'd like to fix that by removing this API from service workers. Removal is anticipated in Chrome 59.
- DOM: Remove Key Generation Element - Since Chrome 49, <keygen>'s default behaviour has been to return the empty string, unless a permission was granted to this page. Removal is anticipated in Chrome 57.
- Misc: Remove ServiceWorkerMessageEvent in favor of using MessageEvent - As HTML spec extended MessageEvent to allow ServiceWorker as a type of the source attribute, client.postMessage(message, transfer) and creation of custom message events are changed to use MessageEvent instead of ServiceWorkerMessageEvent. It is expected that MessageEvent will ship in Chrome 57 and ServiceWorkerMessageEvent will be removed in Chrome 58.
- Offline/Storage: Remove webkit-prefixed IndexedDB global aliases - The IndexedDB entry point and global constructors were exposed with webkit prefixes, as was the custom at the time, circa Chrome M11: webkitIndexedDB (main entry point); webkitIDBKeyRange (non-callable global constructor, but has useful static methods); webkitIDBCursor, webkitIDBDatabase, webkitIDBFactory, webkitIDBIndex, webkitIDBObjectStore, webkitIDBRequest and webkitIDBTransaction (non-callable global constructors). The non-prefixed API shipped in M24 and the prefixed versions were deprecated in M38.
- Network/Connectivity: Response.redirected and a new security restriction - Add a .redirected attribute to the Response class of the Fetch API. Web developers can check it to avoid untrustworthy responses. To avoid the risk of open redirectors, a new security restriction disallows service workers from responding to requests with a redirect mode different from "follow".
- Graphics: Remove SVGCursorElement - The <cursor> element. Can be referenced from the 'cursor' property to provide a user-defined cursor image.
- CSS: Shape Detection API - Photos and images constitute the largest chunk of the Web, and many include recognisable features, such as human faces or QR codes. Detecting these features is computationally expensive, but, particularly on mobile devices, hardware manufacturers have long been supporting these features. This API allows accessing hardware-accelerated detectors where available. This is expected to be in origin trials in Chrome 58.
- Performance: Ship Navigation Timing 2 - Navigation Timing 2 (NT2) enables obtaining accurate timing data related to the navigation of the document.
- JavaScript: String.prototype.padStart() / String.prototype.padEnd() - String formatting tools which return a target/receiver string prepended or appended with a repeating pattern of characters: "foo".padStart(10, "0"); -> "0000000foo"; "foo".padEnd(10, "0"); -> "foo0000000";
- JavaScript: WebAssembly - WebAssembly, or wasm, is an experimental efficient low-level programming language for in-browser client-side scripting, which is currently in development. Its initial aim is to support C/C++, though other languages are also intended to be supported. WebAssembly is a portable abstract syntax tree which is designed to be faster to parse than JavaScript, as well as faster to execute.
- Multimedia: WebAudio: Add AudioContext.getOutputTimestamp() method - The AudioContext.getOutputTimestamp() method helps to synchronize DOM time and AudioContext time values. It is used to estimate DOMHighResTimeStamp value of the audio output stream position for the given AudioContext.currentTime value, or do the opposite: estimate AudioContext.currentTime value of the audio output stream position for the given DOMHighResTimeStamp value.
- Multimedia: WebAudio: Add AudioScheduledSourceNode base class for source nodes - Add AudioScheduledSourceNode as a base class of AudioBufferSourceNode, OscillatorNode, and ConstantSourceNode. This is a small change to capture the common features of the source nodes into a base class.
- Multimedia: WebAudio: AudioParam cancelAndHoldAtTime - cancelAndHoldAtTime cancels future AudioParam events and holds the value of the AudioParam at the value at the scheduled time.
- Multimedia: WebAudio: Event Constructors - Allow WebAudio-specific events to be constructed. Specifically, OfflineAudioCompletionEvent and AudioProcessEvent can be constructed.
- Multimedia: WebAudio: Remove prefixed AudioContext and OfflineAudioContext - Support for webkitAudioContext and webkitOfflineAudioContext is removed in favor of AudioContext and OfflineAudioContext. Currently warnings are produced, but upon removal, the prefixed versions will no longer exist.
- Security: XSS Auditor blocks by default - Chrome's XSS Auditor should block pages by default, rather than filtering out suspected reflected XSS. Moreover, we should remove the filtering option, as breaking specific pieces of a page's script has been an XSS vector itself in the past.
- Misc: basic-card support in PaymentRequest - Support the "basic-card" method for web payments.
- DOM: fieldset.elements returns an HTMLCollection, not an HTMLFormControlsCollection - The specification was changed so that fieldset.elements returns an HTMLCollection instead of an HTMLFormControlsCollection.
- User input: ongot/lostpointercaptures in GlobalEventHandlers - Previously in PointerEvents spec v1 we had ongotpointercapture and onlostpointercapture attributes as part of the Element. Now we are moving them to GlobalEventHandlers to make them consistent with the other on'event' attributes, as the capture events will also bubble similar to other events. Note that this way of listening to the events through on'event' attributes is legacy and should mostly not be used. But this change makes sure they are all consistent.
- User input: rAF Aligned Touch Input - Align uncancelable touchmove events so that they occur as close to the rAF as possible.
- CSS: text-decoration-skip - Implement partial support for text-decoration-skip. Currently, this property is not parsed or functional. Without any changes, the current default behavior matches the "objects" property value. This is a proposal to add support for: "objects" and "ink" values for this property.
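The 'worker-src' fallback chain from the Security entry in the list above, worked through as an added example (it is not code from the original post or from Chrome). The function names and the `.example` hosts are hypothetical, and source matching is simplified as noted in the comments.

```javascript
// Added example (not Chrome's code): which directive governs a worker load,
// using the fallback order stated above: worker-src -> child-src -> default-src.
// Source matching is simplified (assumption): 'none', 'self', '*', scheme
// sources and host sources without port or path; anything else fails closed.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'default-src'];

// Parse a Content-Security-Policy header value into Map<directive, sources[]>.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  const isWeb = url.protocol === 'http:' || url.protocol === 'https:';
  if (s === "'none'") return false;
  if (s === "'self'") return isWeb && url.origin === pageOrigin;
  if (s === '*') return isWeb; // the wildcard does not cover blob: or data:
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (url.port !== '') return false; // no port in the source: default port only
  const schemeOk = scheme ? url.protocol === scheme + ':' : isWeb;
  const hostOk = wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
  return schemeOk && hostOk;
}

// Decide whether a Worker/SharedWorker/ServiceWorker script URL may load.
function checkWorkerLoad(header, workerUrl, pageUrl) {
  const page = new URL(pageUrl);
  const url = new URL(workerUrl, page);
  const directives = parsePolicy(header);
  const directive = WORKER_FALLBACK.find((name) => directives.has(name)) || null;
  if (!directive) return { allowed: true, directive }; // no directive applies
  const sources = directives.get(directive);
  return { allowed: sources.some((s) => sourceMatches(s, url, page.origin)), directive };
}
```

A policy that sets only 'child-src' for frames also restricts workers through the fallback, so a same-origin worker is blocked until 'worker-src' is added explicitly.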
Security fixes in Chrome 57
The new release also includes 36 security fixes. The following fixes were highlighted in Chrome release notes:
- CVE-2017-5044: Heap overflow in Skia. Credit to Kushal Arvind Shah of Fortinet's FortiGuard Labs.
- CVE-2017-5036: Use after free in PDFium. Credit to Anonymous.
- CVE-2017-5034: Use after free in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.
- CVE-2017-5039: Use after free in PDFium. Credit to jinmo123.
- CVE-2017-5040: Information disclosure in V8. Credit to Choongwoo Han.
- CVE-2017-5031: Use after free in ANGLE. Credit to Looben Yang.
- CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer. Credit to Yongke Wang.
- CVE-2017-5041: Address spoofing in Omnibox. Credit to Jordi Chancel.
- CVE-2017-5032: Out of bounds write in PDFium. Credit to Ashfaq Ansari - Project Srishti.
- CVE-2017-5035: Incorrect security UI in Omnibox. Credit to Enzo Aguado.
- CVE-2017-5043: Use after free in GuestView. Credit to Anonymous.
- CVE-2017-5033: Bypass of Content Security Policy in Blink. Credit to Nicolai Grodum.
- CVE-2017-5029: Integer overflow in libxslt. Credit to Holger Fuhrmannek.
- CVE-2017-5030: Memory corruption in V8. Credit to Brendon Tiszka.
- CVE-2017-5042: Incorrect handling of cookies in Cast. Credit to Mike Ruddy.
- CVE-2017-5038: Use after free in GuestView. Credit to Anonymous.
- CVE-2017-5045: Information disclosure in XSS Auditor. Credit to Dhaval Kapil (vampire).
- CVE-2017-5046: Information disclosure in Blink. Credit to Masato Kinugawa.
Happy cross-browser testing in Chrome 57!