Google today launched Chrome 50 for Windows, Mac, and Linux, adding the usual slew of developer features. You can update to the latest version now using the browser’s built-in silent updater, or download it directly from google.com/chrome.
Chrome is arguably more than a browser: With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with its regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.
Before we get into what has been added, it’s worth pointing out what has been removed. As announced in November 2015, Chrome now no longer supports Windows XP, Windows Vista, OS X 10.6 Snow Leopard, OS X 10.7 Lion, nor OS X 10.8 Mountain Lion.
Google has been toying with notifications in Chrome for years. Chrome apps and extensions have supported push notifications on desktop since May 2010 (first added in Chrome 5). More recently, webpages gained the ability to send push notifications to users with the release of Chrome 42, the desktop notification center was removed in Chrome 47, and custom notification buttons were added in Chrome 48.
Now, Chrome 50 allows sites to include notification data payloads with their push messages. This eliminates the final server check — the initial version relied on service workers to proactively fetch the information for a notification from the server, leading to problems when there were multiple messages in flight or when the device was on a poor network connection. Push notification payloads, which are part of the Push API spec and already supported in Firefox, must be encrypted.
Sites can now also detect when a notification is closed by the user, resulting in better analytics and allowing for cross-device notification dismissal. Sites can also whether notifications alert the user with nothing, a vibration, or a sound. The look of notifications can also now be customized with timestamps and icons:
Earlier this year, Google shared that Chrome now delivers more than 350 million push notifications every day. The company didn’t update this figure today.
Next up, Chrome 50 brings support for declarative preload. When there are resources needed to fully display a page, but Chrome doesn’t know about them until other resources load, developers can now use the “link rel=’preload'” attribute to specify resources that should be downloaded preemptively. This should reduce the time it takes to display content.
Other developer features in this release include:
- HTMLMediaElement.play() now returns a promise, allowing sites to react more easily if automatic playback fails.
- Sites can process the image stored in a canvas element as a blob file using HTMLCanvasElement.toBlob().
- Chrome supports the creation of ImageBitmap objects, which can be quickly and asynchronously written to a canvas element.
- Absolute device orientation can be accessed via AbsoluteDeviceOrientation, while DeviceOrientation now returns relative values that don’t use the magnetometer, preventing drift caused by nearby metallic objects when tracking head motion in VR.
- The DOMTokenList supported tokens feature now enables developers to detect sandbox options or link relations on elements.
- The FormData object, which allows programmatic creation of web form data, now allows sites to inspect and modify data in addition to writing values.
- Developers can now use the ES2015 Unicode regex flag u, as well as the regex well-known symbols @@match, @@replace, @@search, and @@split, for better control over regular expression matching.
- Sites can now buffer audio and video streams without gaps using the SourceBuffer.mode attribute and the “sequence” option.
- Presentation connections can be managed more robustly with PresentationConnectionCloseEvent and PresentationConnectionCloseReason instead of the deprecated PresentationConnection.onStateChange.
- Sites can now control the first focus target when the user presses tab or shift-tab while nothing is focused.
- To improve Web Animation spec compliance, Cancel events and Animation.id are now supported, pause() uses a pause state instead of idle, and dashed-names as keys in keyframes have been deprecated.
- Parameter automation of Web Audio BiquadFilter nodes is now evaluated every sample frame, rather than once every 128 frames, making resonant filter sweeps smoother.
- Chrome no longer supports TLS version fallbacks, which allowed attackers to force all sites to use an older version of TLS.
- Chrome no longer supports geolocation services over non-secure connections.
Chrome 50 also includes 20 security fixes, of which Google chose to highlight the following:
- [$7500] High CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous.
- [$5000] High CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han.
-  Medium CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding. Credit to kdot working with HP’s Zero Day Initiative.
- [$1500] Medium CVE-2016-1654: Uninitialized memory read in media. Credit to Atte Kettunen of OUSPG.
- [$1500] Medium CVE-2016-1655: Use-after-free related to extensions. Credit to Rob Wu.
- [$500] Medium CVE-2016-1656: Android downloaded file path restriction bypass. Credit to Dzmitry Lukyanenko.
- [$1000] Medium CVE-2016-1657: Address bar spoofing. Credit to Luan Herrera.
- [$500] Low CVE-2016-1658: Potential leak of sensitive information to malicious extensions. Credit to Antonio Sanso (@asanso) of Adobe.
-  CVE-2015-1659: Various fixes from internal audits, fuzzing and other initiatives.
If you add all those up, you’ll see Google spent just $17,500 in bug bounties. The security fixes alone should be enough incentive for you to upgrade to Chrome 50.
Chrome 50 for Android and iOS are also on their way, but Google has not shared exactly when they will ship.
You can't solo security COVID-19 game security report: Learn the latest attack trends in gaming. Access here