Chrome 59 Released

Chrome 59 was released today and we at Browserling rushed to install it on our cross-browser testing platform so that all of you could try the new features in this release and could test your apps in this browser already.

Try it yourself on the go!

What's new?

Chrome 59 can especially brag about the following:

• Headless mode in Linux and macOS.
• Image capture API.
• Support for Animated PNG.
• Faster page load time.
• Redesigned Settings and "About Google Chrome" page.
• A number of fixes and stability/security improvements.

For iOS:

• Fixed the issue that resulted in hangs and significant slowdowns when switching tabs.
• Fixed a crash involving dialogs presented while switching tabs.

For Android:

• Manage in-progress downloads from the "Downloads" page functionality.
• View and clear your browsing data more easily on the redesigned History page.
• Long-press a link to open it in a new Chrome tab (from Chrome Custom Tabs).
• Bug fixes and performance improvements.

  ---

Headless Chrome?

The headless functionality offers you a way to run Chrome minus the UI. This can substantially help you in variety of different automated tests and/or server environments. For instance, it can be used to create a PDF of a Wikipedia page. It brings all modern web platform features provided by Chrome to the command line, which evidently is an important factor for every web developer. For more details, read: Getting Started with Headless Chrome.

Notifications on macOS

Chrome 59 will now comply with the native macOS notification system, which means it will respect your notification privacy settings as well.

Image Capture API

The older camera interaction API prior to Chrome 59 did not offer as much as we wanted. Therefore, Chrome 59 features the new and improved image capturing API. Capturing hi-res photos from developer's prospective is now better than ever! It can access a number of features of the camera including brightness, ISO, white balance, zoom, focus and much more. See this post if you want to start tinkering with this wonderful and powerful API.

Redesigning

Chrome 59 utilizes Material Design not only for the "about" page, but for the settings page as well, grouping all the settings and placing them into a single column.

Faster page load time

Due to the update of the JavaScript engine, Chrome 59 loads pages faster and all while using less memory. According to Google's metric, the new JavaScript engine allows Chrome 59 to load pages 10 to 20% faster than previous versions of Chrome.

Developer features and updates in Chrome 59

• Animated PNG - Support for animated PNG images
• CSP hash expressions can match external scripts - CSP3 allows hash expressions to match external scripts, by relying on SRI as underlying infrastructure. That is, given Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba', <script integrity="sha256-abc123" ...></script> will be allowed.
• CSP3: The 'worker-src' directive - The 'worker-src' directive restricts the URLs which may be loaded as a Worker, SharedWorker, or ServiceWorker. It falls back to 'child-src' (which, in turn, falls back to 'default-src').
• CSP: report-sample property in violation reports - The report-sample property attempts to reach consensus on an opt-in variant Firefox's behavior. In short, we'll collect a 40-character sample for inline script and style violations, and include it in the violation report (and associated SecurityPolicyViolationEvent object) iff a 'report-sample' expression is present in the violated directive.
• CSS Box Alignment shorthands - Shorthand properties to control the alignment behavior along block and inline axes in a single declaration.
• DIALOG element has display:block style by default - The default display style of a DIALOG element is changed from inline to block.
• Deprecate SVGTests.requiredFeatures attribute - In SVG2, hasFeature always return true. So requiredFeatures attribute not doing anything useful. It has been removed from the spec and was deprecated in Chrome 54/Opera 41. Read more.
• Deprecate and Disable SDCH - SDCH is a shared dictionary compression mechanism developed by Google but not standardized. It's use in chrome is being discontinued. Intent to deprecate thread is here.
• Deprecate and remove -internal-media-controls-cast-button - internal-media-controls-cast-button selector exposes Blink internal shadow DOM to the web content. Authors that want to have a custom cast button should use custom controls and implement a cast button with the Remote Playback API.
• Deprecate and remove -internal-media-controls-text-track-list - internal-media-controls-text-track-list* selectors expose Blink internal shadow DOM to the web content. Authors that want to have a custom text track picking interface should use custom controls.
• DeviceOrientationEvent and DeviceMotionEvent constructors - The DeviceOrientationEvent and DeviceMotionEvent constructors are defined by the DeviceOrientation Event Specification but were not were not implemented in Chrome. Firefox has already shipped these constructors as specified.
• Drop support for embedded credentials in subresource requests - We should block requests for subresources that contain embedded credentials (e.g. http://ima_user:hunter2@example.com/yay.tiff). Such resources would be handled as network errors.
• Drop support for subresources with legacy protocols - We should block requests from HTTP/HTTPS documents that target "legacy" schemes (e.g. ftp://my-awesome-ftp-server.com/yay.tiff). That is, the ftp:// image referenced in example jsbin would not load, as the document itself is not served from ftp://.
• Headless mode - Headless mode allows running Chromium in a headless/server environment. Expected use cases include loading web pages, extracting metadata (e.g., the DOM) and generating bitmaps from page contents - using all the modern web platform features provided by Chromium and Blink. To use headless, start Chrome with a command line flag: $ chrome --headless --remote-debugging-port=9222 URL.
• MediaError.message - The MediaError.message DOMString field provides, if available, any additional vendor-specific error message detail to assist web authors debugging media player errors. The format and content of the string is left to vendors, though it's commonly in the form of a vendor-specific error code followed optionally by a ":" and further detail about the error. It is populated at the time of MediaError creation.
• MediaStream Image Capture - Enable taking pictures from an Image/Video Capture Device.
• Navigation preload for service workers - An API that enables the browser to send "preload" network requests for navigations before executing the fetch event handler in the service worker that intercepts the target URL. The worker has access to the preload response inside the fetch event handler. Common use cases would be to respond with the preload response directly, or use it to populate the response.
• Partial RTCRtpReceiver and RTCRtpContributingSource support - The parts of the RTC Media API that allow keeping track of contributing sources for receiving tracks. RTCPeerConnection extension: getReceivers(). RTCRtpSender support: track, getContributingSources(). RTCRtpContributingSource support: timestamp, source. Read feature document for the rest of the API.
• Presentation API: Receiver API - This is implementing the receiving side of the API in order to allow a web page to be presented and interact with the presenting web page. This is also called 1-UA mode because that mode would allow the browser to render both presenting and receiving pages locally.
• RTCConfiguration.iceCandidatePoolSize - Normally, ICE candidates are only gathered after RTCPeerConnection.setLocalDescription is called, because this is the point at which the PeerConnection knows how many ports it needs. The iceCandidatePoolSize member of RTCConfiguration instructs the PeerConnection to gather ICE candidates before this occurs, as a performance optimization. Thus, if setting the local description is delayed (by signaling, for example), interactions with STUN/TURN servers can occur in parallel.
• Referrer Policy Header for CSS - Add the ability for CSS stylesheets to specify their own referrer policy via the HTTP header.
• Remove "on-demand" value for hover/any-hover media queries - Remove the support for "hover: on-demand" and "any-hover: on-demand" media queries. The "on-demand" value used to satisfy for the pointing devices that, for example, "can't normally hover, but will activate hover on a long press". The "on-demand" value for hover/any-hover media queries has been removed from the spec in early 2016.
• Remove FileReaderSync from service workers - The Service Worker spec has always had the (non-normative) note that "any type of synchronous requests must not be initiated inside of a service worker", to avoid blocking the service worker (as blocking the service worker would block all network requests from controlled pages). However synchronous APIs such as FileReaderSync were still available in service workers. So we'd like to fix that by removing this API from service workers. This was deprecated in Chrome 57.
• Response.redirected and a new security restriction - Add .redirected attribute to Response class of Fetch API. Web developers can check it to avoid untrustworthy responses. - To avoid the risk of open redirectors introduce a new security restriction which disallows service workers to respond to requests with a redirect mode different from "follow".
• Screen.colorDepth and Screen.pixelDepth can return other value than 24 - The Screen object is no longer required to return 24 for colorDepth and pixelDepth. It enables websites to have a better idea of the number of bits being used to display a color on the screen.
• Streams API: Piping - ReadableStream's pipeTo() is the standard way to compose readable and writable streams. It reads data from the ReadableStream and writes it to a WritableStream while respecting backpressure. pipeThrough() is a simple wrapper around pipeTo() that provides elegant syntax for chaining multiple streams.
• Streams API: WritableStream - WritableStream is part of the Streams API for creating, composing, and consuming streams of data. It is the writable counterpart to ReadableStream, which is already shipping in Chrome. It provides a standard abstraction for writing streaming data to a sink, with built-in backpressure and queuing. This is expected to be on by default in Chrome 59.
• Temporarily stop permission requests after 3 dismissals - Temporarily stop an origin from requesting a permission following the third dismissal of a permission prompt. The stop will be lifted after some amount of time has passed (initially 1 week), after which the origin may request the permission again. A further dismissal will apply the temporary stop again. For web developers who are testing features, the block can also be removed by changing the permission's setting in the lock icon's page info dialog, or by clearing your browsing data.
• WebAudio: decodeAudioData detaches ArrayBuffer - According to the spec, decodeAudioData detaches the given ArrayBuffer before decoding. This means that the ArrayBuffer no longer has any contents and can't be reused or examined. If it's important to keep the data, user ArrayBuffer.slice(0) to make a copy for decodeAudioData.
• rAF Aligned Touch Input - Align touchmove events so that they occur close to requestAnimationFrame() as possible.
• self.origin - self.origin returns the Unicode serialization of the origin of the settings object of the global represented by "self" (a Window or WorkerGlobalScope). This gives scripts a consistent way of getting their origin in both situations. Note that unlike location.origin this represents the actual origin of the global, not the origin of the URL it's loaded from. The difference can be substantial in the case of sandboxing, for example.

Security Improvements

There are three major improvements regarding security:

1. Google has finally blocked pages that are embedded using iframes from sending notifications.
2. Chrome will no longer allow pages to embed content from FTP.
3. Chrome will block requests for sub-resources that contain embedded credentials.

Bug fixes

High-threat bug fixes:

• CVE-2017-5070: Type confusion in V8. Reported by Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16.
• CVE-2017-5071: Out of bounds read in V8. Reported by Choongwoo Han on 2017-04-26.
• CVE-2017-5072: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-04-07.
• CVE-2017-5073: Use after free in print preview. Reported by Khalil Zhani on 2017-04-28.
• CVE-2017-5074: Use after free in Apps Bluetooth. Reported by anonymous on 2017-03-09.

Medium-threat bug fixes:

• CVE-2017-5075: Information leak in CSP reporting. Reported by Emmanuel Gil Peyrot on 2017-01-05.
• CVE-2017-5086: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-05-16.
• CVE-2017-5076: Address spoofing in Omnibox. Reported by Samuel Erb on 2017-05-06.
• CVE-2017-5077: Heap buffer overflow in Skia. Reported by Sweetchip on 2017-04-28.
• CVE-2017-5078: Possible command injection in mailto handling. Reported by Jose Carlos Exposito Bueno on - 2017-04-12.
• CVE-2017-5079: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-20.
• CVE-2017-5080: Use after free in credit card autofill. Reported by Khalil Zhani on 2017-04-05.
• CVE-2017-5081: Extension verification bypass. Reported by Andrey Kovalev (@L1kvID) Yandex Security Team on 2016-12-07.

Low-threat bug fixes:

• CVE-2017-5082: Insufficient hardening in credit card editor. Reported by Nightwatch Cybersecurity Research on 2017-05-11.
• CVE-2017-5083: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-24.
• CVE-2017-5085: Inappropriate javascript execution on WebUI pages. Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15.

[source]

Now that you know what Chrome version 59 is all about, you can go ahead and start cross-browser testing in it. Have fun!