Google today launched Chrome 43 for Windows, Mac, and Linux with new developer tools. You can update to the latest version now using the browser’s built-in silent updater or download it directly from google.com/chrome.
Chrome is arguably more than a browser: With hundreds of millions of users, it’s a major platform that web developers have to consider. In fact, with regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.
Chrome 43 adds support for MIDI hardware. This means you can create music without installing any specialized software, as the new Web MIDI API allows websites to communicate with connected MIDI devices (such as a USB-MIDI instrument plugged into your computer, tablet, or phone).
MIDI stands for Musical Instrument Digital Interface, a technical standard that describes a protocol, digital interface, and connectors. It lets various electronic musical instruments and related devices connect to, and communicate with, computers.
Next up is the new Permissions API, which lets developers query and observe changes to their permission status for Geolocation, Push, Notifications, and Web MIDI. Asking for permission in context means fewer unnecessary and untimely prompts for the user.
Before the Permissions API, websites could not determine the permission state of APIs. Sites would thus attempt to use APIs immediately after page load without pre-existing permission, causing users to see confusing permission prompts without an explanation.
A new CSP directive, “upgrade-insecure-resources,” causes Chrome to upgrade insecure resource requests to HTTPS before fetching them. Transitioning large collections of unmodifiable legacy content to HTTPS connections can trigger mixed content warnings because of links to insecure resources. This change should help with this as developers can serve their hard-to-update legacy content via HTTPS more easily.
Chrome 43 also includes 37 security fixes, of which Google chose to highlight the following:
- [$16337] High CVE-2015-1252: Sandbox escape in Chrome. Credit to anonymous.
- [$7500] High CVE-2015-1253: Cross-origin bypass in DOM. Credit to anonymous.
- [$3000] High CVE-2015-1254: Cross-origin bypass in Editing. Credit to email@example.com.
- [$3000] High CVE-2015-1255: Use-after-free in WebAudio. Credit to Khalil Zhani.
- [$2000] High CVE-2015-1256: Use-after-free in SVG. Credit to Atte Kettunen of OUSPG.
- High CVE-2015-1251: Use-after-free in Speech. Credit to SkyLined working with HP’s Zero Day Initiative.
- [$1500] Medium CVE-2015-1257: Container-overflow in SVG. Credit to miaubiz.
- [$1000] Medium CVE-2015-1258: Negative-size parameter in Libvpx. Credit to cloudfuzzer.
- [$1000] Medium CVE-2015-1259: Uninitialized value in PDFium. Credit to Atte Kettunen of OUSPG.
- [$1000] Medium CVE-2015-1260: Use-after-free in WebRTC. Credit to Khalil Zhani.
- [$500] Medium CVE-2015-1261: URL bar spoofing. Credit to Juho Nurminen.
- [$500] Medium CVE-2015-1262: Uninitialized value in Blink. Credit to miaubiz.
- [$500] Low CVE-2015-1263: Insecure download of spellcheck dictionary. Credit to Mike Ruddy.
- [$500] Low CVE-2015-1264: Cross-site scripting in bookmarks. Credit to K0r3Ph1L.
- CVE-2015-1265: Various fixes from internal audits, fuzzing and other initiatives.
- Multiple vulnerabilities in V8 fixed at the tip of the 4.3 branch (currently 126.96.36.199).
If you add all those up, you’ll see Google spent $38,337 in bug bounties for this release. The security improvements alone should be enough for you to upgrade to Chrome 43.