Google today launched Chrome 75 for Windows, Mac, Linux, Android, and iOS. The release includes a hint for low-latency canvas contexts, file support in the Web Share API, numeric separators, and more developer features. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.

With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often have to stay on top of everything available — as well as what has been deprecated or removed.

Android and iOS

Chrome 75 for Android is rolling out slowly on Google Play. The changelog is all about passwords:

  • Generate strong and unique passwords with Chrome’s built-in password manager.
  • Quickly look up your passwords by tapping any password field and using the new keyboard option.

Chrome 75 for iOS is also slowly rolling out on Apple’s App Store. It includes two improvements:

  • To protect your privacy, links that are clicked in Incognito mode will no longer open native applications.
  • Custom search engine settings now show the search engine’s icon.

Chrome 75 is not a major mobile release.

Security fixes

Chrome 75 implements 42 security fixes. The following were found by external researchers:

  • [$5000][956597] High CVE-2019-5828: Use after free in ServiceWorker. Reported by leecraso of Beihang University and Guang Gong of Alpha Team, Qihoo 360 on 2019-04-25
  • [$500][958533] High CVE-2019-5829: Use after free in Download Manager. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2019-05-01
  • [$TBD][665766] Medium CVE-2019-5830: Incorrectly credentialed requests in CORS. Reported by Andrew Krasichkov, Yandex Security Team on 2016-11-16
  • [$TBD][950328] Medium CVE-2019-5831: Incorrect map processing in V8. Reported by yngwei(JiaWei, Yin) of IIE Varas and sakura of Tencent Xuanwu Lab on 2019-04-07
  • [$TBD][959390] Medium CVE-2019-5832: Incorrect CORS handling in XHR. Reported by Sergey Shekyan (Shape Security) on 2019-05-03
  • [$N/A][945067] Medium CVE-2019-5833: Inconsistent security UI placement. Reported by Khalil Zhani on 2019-03-23
  • [$N/A][962368] Medium CVE-2019-5834: URL spoof in Omnibox on iOS. Reported by Khalil Zhani on 2019-05-13
  • [$1000][939239] Medium CVE-2019-5835: Out of bounds read in Swiftshader. Reported by Wenxiang Qian of Tencent Blade Team on 2019-03-07
  • [$1000][947342] Medium CVE-2019-5836: Heap buffer overflow in Angle. Reported by Omair on 2019-03-29
  • [$500][918293] Medium CVE-2019-5837: Cross-origin resources size disclosure in Appcache. Reported by Adam Iwaniuk on 2018-12-30
  • [$500][893087] Low CVE-2019-5838: Overly permissive tab access in Extensions. Reported by David Erceg on 2018-10-08
  • [$500][925614] Low CVE-2019-5839: Incorrect handling of certain code points in Blink. Reported by Masato Kinugawa on 2019-01-26
  • [$N/A][951782] Low CVE-2019-5840: Popup blocker bypass. Reported by Eliya Stein, Jerome Dangu on 2019-04-11
  • [970244] Various fixes from internal audits, fuzzing and other initiatives

Google thus spent at least $9,000 in bug bounties for this release, which is easily the lowest amount in years. As always, the security fixes alone should be enough incentive for you to upgrade.

Developer features

The canvas.getContext() method now supports a desynchronized hint, which provides a low-latency alternative to the now-deprecated NaCl/PPAPI solution. To use the new solution, which requires either 2D or WebGL context types, pass desynchronized: true in the options parameter of canvas.getContext() and specify a CanvasRenderingContext2D, a WebGL2RenderingContext, or a WebGL2ComputeRenderingContext as the context type.

Next, files are now supported by the Web Share API. For years, Google has been working to bring native sharing capabilities to the web. The Web Share API allows web apps to invoke the same share dialog box as a native app. The implementation brings a new method and a new shareData property.

Numeric literals now allow underscores (_, U+005F) as separators to make them more readable. Underscores can only appear between digits, and consecutive underscores are not allowed.

Chrome 75 also updates the V8 JavaScript engine to version 7.5. It includes implicit caching of WebAssembly compilation artifacts, bulk memory operations in WebAssembly, numeric separators in JavaScript, and better performance. Check out the full changelog for more information.

Other developer features in this release include:

  • Allow PaymentRequest.show() to take optional detailsPromise: The detailsPromise argument is a way to signal that the browser should show a spinner or equivalent and wait on allowing user interaction until an update. Some users may not know the total or the number of line items at the time of attempting to open the payment sheet with show().
  • Animation improvements: The new Animation() constructor gives developers more control over the created animation by using the exact KeyframeEffect object. AnimationEffect and KeyframeEffect allow a developer interactive control over the target (the element being animated) and the timing properties (duration, delay, etc.).
  • AppCache: Cross-origin resource size padding: For quota accounting purposes, the size of cross-origin AppCache resources is now padded. Cross-origin resources are resources whose origin differs from the manifest’s origin. The padding size will be a random number between 0 and about 14MB. Quota accounting purposes include the size reported by the Quota API and quota enforcement. An origin’s storage API calls are blocked when the origin exceeds its quota.
  • CSP: `script-src-attr`, `script-src-elem`, `style-src-attr`, `style-src-elem` provide the functionality of the script/style directive but with more granularity, applying to elements or attributes.
  • HTMLVideoElement.playsInline: This is a hint a website may provide to a user agent to display video content within the element’s playback area.
  • MediaStreamTrack.getCapabilities() support for audio device-related constrainable properties: MediaStreamTrack.getCapabilities() now returns the device-related capabilities of the source associated with a MediaStreamTrack, specifically sample size, sample rate, latency, and channel count. There is also a variant InputDeviceInfo.getCapabilities(), available in the results of MediaDevices.enumerateDevices(). These devices are used as sources for MediaStreamTrack, and getCapabilities() in this case returns the same values as MediaStreamTrack.getCapabilities() for sampleSize, channelCount, and latency.
  • noreferrer attribute for window.open(): Allows a web page to use window.open() without leaking referrer information by leaving the referrer header out of page navigations.
  • WebRTC improvements: RTCDtlsTransport provides information about active transports. RTCIceTransport provides information about the state of the ICE transports used by RTCPeerConnection to send and receive media to another endpoint.
  • Service workers now appear in Chrome’s Task Manager.
  • The new stale-while-revalidate response directive is used by the Cache-Control header to define an extra window of time during which a user agent can use a stale asset during asynchronous revalidation. The revalidation of such assets bypasses the service worker. This change improves subsequent page load latencies by keeping stale assets out of the critical path.
  • FIDO CTAP2 PIN support: This feature extends Chrome’s implementation of the Web Authentication API to support local user authorization of security key operations via a user-defined PIN for keys that implement the FIDO CTAP2 protocol. Web sites using web authentication can request or require such authorization via the API’s user verification mechanisms.
  • To conform to the specification, ExtendableEvent.waitUntil() and FetchEvent.respondWith() can now be called during the microtask checkpoint at the end of event dispatch. Previously, this would throw an InvalidStateError.
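
How the granular CSP directives in the list above fall back to script-src/style-src and default-src, as an added example (not code from the article or from Chrome). Both policy strings and all function names are constructed for illustration; the fallback order follows CSP Level 3, and 'strict-dynamic' and 'unsafe-hashes' are not modelled.

```javascript
// Added example. Policies below are constructed for illustration.
const LEGACY = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const GRANULAR = "default-src 'self'; script-src 'self' 'unsafe-inline'; " +
  "script-src-elem 'self' https://cdn.example; script-src-attr 'none'";
// Fallback order for each granular directive (CSP Level 3).
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'style-src-attr': ['style-src-attr', 'style-src', 'default-src'],
};

// Parse a policy into Map(directive -> sources); a repeated directive is ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Directive that governs a kind of load, or null if nothing restricts it.
function effectiveDirective(policy, kind) {
  const name = FALLBACK[kind].find(d => policy.has(d));
  return name ? { name, sources: policy.get(name) } : null;
}

// True when inline code of this kind runs without a nonce or hash.
// 'unsafe-inline' is ignored once a nonce or hash source is present.
function allowsInline(policy, kind) {
  const eff = effectiveDirective(policy, kind);
  if (eff === null) return true;
  const src = eff.sources.map(s => s.toLowerCase());
  const overrides = src.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return src.includes("'unsafe-inline'") && !overrides;
}

// Summarise which directive governs each kind and whether inline is allowed.
function audit(header) {
  const policy = parsePolicy(header);
  return Object.fromEntries(Object.keys(FALLBACK).map(kind => {
    const eff = effectiveDirective(policy, kind);
    return [kind, { governedBy: eff ? eff.name : null, inline: allowsInline(policy, kind) }];
  }));
}

console.log(audit(LEGACY), audit(GRANULAR));
```

With the legacy policy, inline event-handler attributes inherit 'unsafe-inline' from script-src; adding script-src-attr 'none' closes that path while script-src-elem still admits the listed script hosts.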

For a full rundown of what’s new, check out the Chrome 75 milestone hotlist.

Google releases a new version of its browser every six weeks or so. Chrome 76 will arrive by the end of July.