Chrome 42 launches with push notifications that sites can send even after users close the page

Google today launched Chrome 42 for Windows, Mac, and Linux with new developer tools. You can update to the latest version now using the browser’s built-in silent updater or download it directly from google.com/chrome.

Chrome is arguably more than a browser: With hundreds of millions of users, it’s a major platform that web developers have to consider. In fact, with regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

The biggest addition in this release is support for native push notifications:

Chrome 42 offers two new APIs (Push API and Notifications API) that together allow sites to send notifications to their users even after the given page is closed. As we noted in the beta release, while this is a quite intrusive feature for a browser, Google promises the users have to first grant explicit permission before they receive such a message.

Once given the green light, a developer can use Google Cloud Messaging to remotely wake up their service worker, which in turn can run JavaScript for a short period. For now at least, Google requires showing a user-visible notification that includes a “Site Settings” button where users can easily disable notifications.

The next biggest change is part of Google’s plan to remove Netscape Plugin Application Programming Interface (NPAPI) plugins from Chrome in the hope of improving the browser’s security, speed, and stability, as well as reduce complexity in the code base. Google first announced in September 2013 that it was planning to drop NPAPI, though delays (adoption was still relatively high for many months) pushed back its plans until this year.

In Chrome 40, NPAPI plugins were blocked by default, though users could still allow them for specific sites by clicking on the “Plug-in blocked” message in the URL bar and choosing “Always allow plug-ins on [website].” Here is how that looked:

In Chrome 42, the above workaround has been removed, and NPAPI support is disabled by default in Chrome. This is what happens when you try to use a plugin like Java or Silverlight:

Google has also begun unpublishing extensions requiring NPAPI plugins from the Chrome Web Store. That said, Google still provides an override for advanced users (via an “enable-npapi” flag) and enterprises (via Enterprise Policy) to temporarily re-enable NPAPI.

In September 2015, Google will scrap the workarounds and permanently remove NPAPI support from Chrome. NPAPI plugins will simply no longer load, regardless of whether they are needed by websites or extensions. Web developers who use or build these plugins can find out more information in the NPAPI deprecation guide.

Aside from the above, Chrome 42 is supposed to be a “performance-focused build.” A Google Groups posting states many Chrome component teams have made performance improvements a priority for this release, though your mileage will undoubtedly vary depending on your computer and operating system.

Chrome 42 also includes 45 security fixes, of which Google chose to highlight the following:

• [$7500][456518] High CVE-2015-1235: Cross-origin-bypass in HTML parser. Credit to anonymous.
• [$4000][313939] Medium CVE-2015-1236: Cross-origin-bypass in Blink. Credit to Amitay Dobo.
• [$3000][461191] High CVE-2015-1237: Use-after-free in IPC. Credit to Khalil Zhani.
• [$2000][445808] High CVE-2015-1238: Out-of-bounds write in Skia. Credit to cloudfuzzer.
• [$1000][463599] Medium CVE-2015-1240: Out-of-bounds read in WebGL. Credit to w3bd3vil.
• [$1000][418402] Medium CVE-2015-1241: Tap-Jacking. Credit to Phillip Moon and Matt Weston of Sandfield Information Systems.
• [$500][460917] High CVE-2015-1242: Type confusion in V8. Credit to fcole@onshape.com.
• [$500][455215] Medium CVE-2015-1244: HSTS bypass in WebSockets. Credit to Mike Ruddy.
• [$500][444957] Medium CVE-2015-1245: Use-after-free in PDFium. Credit to Khalil Zhani.
• [$500][437399] Medium CVE-2015-1246: Out-of-bounds read in Blink. Credit to Atte Kettunen of OUSPG.
• [$500][429838] Medium CVE-2015-1247: Scheme issues in OpenSearch. Credit to Jann Horn.
• [$500][380663] Medium CVE-2015-1248: SafeBrowsing bypass. Credit to Vittorio Gambaletta (VittGam).
• [476786] CVE-2015-1249: Various fixes from internal audits, fuzzing and other initiatives. Multiple vulnerabilities in V8 fixed at the tip of the 4.2 branch (currently 4.2.77.14).

If you add all those up, you’ll see Google spent $21,500 in bug bounties for this release. The security improvements alone should be enough for you to upgrade to Chrome 42.