Chrome 57 arrives with CSS Grid Layout and API improvements

Google has launched Chrome 57 for Windows, Mac, and Linux. Among the additions is CSS Grid Layout, API improvements, and other new features for developers. You can update to the latest version now using the browser’s built-in silent updater, or download it directly from google.com/chrome.

Chrome is arguably more than a browser: With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

Update on March 14: Google today revealed that Chrome 57 also limits the timer fire rate for background tabs using excessive power. Chrome, like many browsers, limits timers in the background to only run once per second. The new throttling policy delays timers to limit average CPU load to 1 percent of a core if an application uses too much CPU in background — tabs playing audio or maintaining real-time connections like WebSockets or WebRTC won’t be affected. Background tabs consume a third of Chrome’s power usage on desktop, and this change results in 25 percent fewer busy background tabs.

Chrome 57 implements CSS Grid Layout, a two-dimensional grid-based layout system for responsive user interface design. Elements within the grid can be specified to span multiple columns or rows, plus they can also be named so that layout code is easier to understand. The goal is to give developers more granular control, especially as websites are increasingly accessed on various screen sizes, so they can slowly move away from complex code that is difficult to maintain.

Other developer features in this release include:

• The WebAssembly API has been enabled by default, allowing developers to run near-native code in the browser without a plugin.
• When a video enters fullscreen on an Android device, Chrome now automatically locks the screen orientation according to the aspect ratio of the video.
• Sites using continuous setTimeout() will now be throttled when using loops to drive out-of-view frame animations, improving performance for users.
• The Fetch API Response class now supports the .redirected attribute to help web developers avoid untrustworthy responses and reduce the risk of open redirectors.
• The new padStart and padEnd formatting tools enable text padding, facilitating tasks like aligning console output or printing numbers with a fixed number of digits.
• Service Worker Navigation Preload is now available as an Origin Trial, allowing developers to parallelize the network request for the main resource alongside service worker startup.
• The Payment Request API can be made available inside an iframe by adding the allowpaymentrequest attribute.
• PaymentMethodData now supports basic-card, so developers can refer to all card types with a single method identifier, rather than individual data types.
• To simplify the migration from HTTP to HTTPS, stored credentials for HTTP forms are now transferred to the HTTPS version of the site, and the Credential Management API now supports filling credentials from matching subdomains.
• The caret-color property enables developers to specify the color of the text input cursor.
• To preserve consistency with other on<event> attributes, ongotpointercapture and onlostpointercapture are now part of the GlobalEventHandlers mixin.
• Support is now available for text-decoration-skip: ink to make underlines skip descenders, the portion of letters that extend below the text’s baseline.
• New text-decoration properties are now available, allowing developers to specify visual effects such as line color and style.
• The PresentationRequest constructor has been modified to accept multiple URLs via a sequence<DOMString>, in addition to the existing constructor that takes a single URL.
• The new AudioContext.getOutputTimestamp() method enables developers to synchronize DOMHighResTimeStamp and AudioContext.currentTime values.
• AudioBufferSourceNode, OscillatorNode, and ConstantSourceNode now inherit from AudioScheduledSourceNode, consolidating functionality.
• The new cancelAndHoldAtTime function cancels future AudioParam events with times greater than or equal to cancelTime, allowing developers to preserve the value of the scheduled time in a direct way.
• Developers can now construct WebAudio-specific events such as OfflineAudioCompletionEvent and AudioProcessEvent.
• To increase user security, Chrome’s XSS Auditor now blocks entire suspicious pages by default, rather than selectively filtering out the suspected reflected XSS on the page.

If you prefer a visual rundown, here’s the video version (note that there are also features specific to Chrome 57 for Android, but that isn’t out just yet):

Chrome 57 also implements 36 security fixes. The following were found by external researchers:

• [$7500][682194] High CVE-2017-5030: Memory corruption in V8. Credit to Brendon Tiszka
• [$5000][682020] High CVE-2017-5031: Use after free in ANGLE. Credit to Looben Yang
• [$3000][668724] High CVE-2017-5032: Out of bounds write in PDFium. Credit to Ashfaq Ansari – Project Srishti
• [$3000][676623] High CVE-2017-5029: Integer overflow in libxslt. Credit to Holger Fuhrmannek
• [$3000][678461] High CVE-2017-5034: Use after free in PDFium. Credit to Ke Liu of Tencent’s Xuanwu LAB
• [$3000][688425] High CVE-2017-5035: Incorrect security UI in Omnibox. Credit to Enzo Aguado
• [$3000][691371] High CVE-2017-5036: Use after free in PDFium. Credit to Anonymous
• [$1000][679640] High CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer. Credit to Yongke Wang of Tencent’s Xuanwu Lab (xlab.tencent.com)
• [$500][679649] High CVE-2017-5039: Use after free in PDFium. Credit to jinmo123
• [$2000][691323] Medium CVE-2017-5040: Information disclosure in V8. Credit to Choongwoo Han
• [$1000][642490] Medium CVE-2017-5041: Address spoofing in Omnibox. Credit to Jordi Chancel
• [$1000][669086] Medium CVE-2017-5033: Bypass of Content Security Policy in Blink. Credit to Nicolai Grødum
• [$1000][671932] Medium CVE-2017-5042: Incorrect handling of cookies in Cast. Credit to Mike Ruddy
• [$1000][695476] Medium CVE-2017-5038: Use after free in GuestView. Credit to Anonymous
• [$1000][683523] Medium CVE-2017-5043: Use after free in GuestView. Credit to Anonymous
• [$1000][688987] Medium CVE-2017-5044: Heap overflow in Skia. Credit to Kushal Arvind Shah of Fortinet’s FortiGuard Labs
• [$500][667079] Medium CVE-2017-5045: Information disclosure in XSS Auditor. Credit to Dhaval Kapil (vampire)
• [$500][680409] Medium CVE-2017-5046: Information disclosure in Blink. Credit to Masato Kinugawa
• [699618] Various fixes from internal audits, fuzzing and other initiatives

Google thus spent at least $38,000 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.

Google releases a new version of its browser every six weeks or so. Chrome 58 will arrive in mid April.