Chrome 47 brings new developer features, over $100,000 in security fixes, and removes the notification center

Google today launched Chrome 47 for Windows, Mac, and Linux with cooperative multitasking, automatic dismissal of desktop notifications, security improvements, and new developer features. It also removes the desktop notification center. You can update to the latest version now using the browser’s built-in silent updater or download it directly from google.com/chrome.

Chrome is arguably more than a browser: With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with its regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

First up, Google has removed the desktop notification center from Chrome. The company announced these plans last month.

The notification center started showing up in 2013, largely with the goal of supporting Google Now for the desktop. It even worked when Chrome was closed, because Google wanted to help users keep track of notifications, especially so they could catch up on information that apps and extensions had sent while they were away. But many Chrome users (myself included) made a point of disabling the notification center immediately. Having the browser bother you outside the browser was simply annoying.

If you’re a developer, you’ll want to read the new notifications documentation, which reflects changes that affect Chrome apps and extensions. In short, notifications sent solely to the notification center will now result in an error, and API events tied to the notification center will no longer work. All other notifications will continue to function, no changes required.

In fact, Chrome now allows developers to configure automatic dismissal of desktop notifications. Sites can set NotificationOptions.requireInteraction to indicate that the notification should remain onscreen until the user dismisses it. Google added push notifications in Chrome 42, and now, for sites that generate a large number of push notifications and take over your screen, it’s cleaning up the experience.

Developers can now also explicitly set work to run during idle time using requestIdleCallback(). Functions registered with requestIdleCallback() are given a deadline and can return before that limit is reached, registering for another requestIdleCallback() to continue work during the next idle period.

In other words, developers no longer have to guess when performance-critical tasks like rendering will finish and use timers to schedule around them. Such estimates, of course, are never guaranteed, given that the time necessary to complete some events (like scrolling) simply cannot be predicted.

As always, Google Developers explains the latest browser features in a nerdy video with code examples:

Other developer features in this release include:

• Array.prototype.includes() simplifies the syntax for checking array membership.
• The rest parameters syntax allows functions with an indefinite number of arguments to be called using arrays.
• Cache.matchAll() simplifies bulk searching of the cache and removes the need for polyfills.
• RequestInit.referrer allows requests captured by service workers to match the original referrer.
• The new Navigator.MediaDevices interface allows developers to enumerate connected media devices such as audio output.
• Updated values for request properties in navigation FetchEvents offer improved spec compliance.
• MouseEvent.getModifierState() makes input processing more powerful and consistent across MouseEvent and KeyboardEvent.
• Developers can now more accurately detect input device capabilities using UIEvent.sourceCapabilities and InputDeviceCapabilities.firesTouchEvents.
• Several SVG methods have been removed, including pixel conversions and hasExtension() methods on several elements.
• Prefixed encrypted media extensions are now disabled in favor of unprefixed EMEs, which have more capabilities and conform to the spec.
• Chrome no longer highlights the gaps between content when painting selections.

Chrome 47 also includes 41 security fixes, of which Google chose to highlight the following:

• [$10000][558589] Critical CVE-2015-6765: Use-after-free in AppCache. Credit to anonymous.
• [$11337][551044] High CVE-2015-6766: Use-after-free in AppCache. Credit to anonymous.
• [$10000][554908] High CVE-2015-6767: Use-after-free in AppCache. Credit to anonymous.
• [$8000][556724] High CVE-2015-6768: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
• [$7500][534923] High CVE-2015-6769: Cross-origin bypass in core. Credit to Mariusz Mlynski.
• [$7500][541206] High CVE-2015-6770: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
• [$7500][544991] High CVE-2015-6771: Out of bounds access in v8. Credit to anonymous.
• [$7500][546545] High CVE-2015-6772: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
• [$7500][554946] High CVE-2015-6764: Out of bounds access in v8. Credit to Guang Gong of Qihoo 360 via pwn2own.
• [$5000][491660] High CVE-2015-6773: Out of bounds access in Skia. Credit to cloudfuzzer.
• [$5000][549251] High CVE-2015-6774: Use-after-free in Extensions. Credit to anonymous.
• [$3500][529012] High CVE-2015-6775: Type confusion in PDFium. Credit to Atte Kettunen of OUSPG.
• [$3000][457480] High CVE-2015-6776: Out of bounds access in PDFium. Credit to Hanno Böck.
• [$3000][544020] High CVE-2015-6777: Use-after-free in DOM. Credit to Long Liu of Qihoo 360Vulcan Team.
• [$2000][514891] Medium CVE-2015-6778: Out of bounds access in PDFium. Credit to Karl Skomski.
• [$2000][528505] Medium CVE-2015-6779: Scheme bypass in PDFium. Credit to Ullrich Tiljasper.
• [$1000][490492] Medium CVE-2015-6780: Use-after-free in Infobars. Credit to Khalil Zhani.
• [$1000][497302] Medium CVE-2015-6781: Integer overflow in Sfntly. Credit to miaubiz.
• [$1000][536652] Medium CVE-2015-6782: Content spoofing in Omnibox. Credit to Luan Herrera.
• [$1000][537205] Medium CVE-2015-6783: Signature validation issue in Android Crazy Linker. Credit to Michal Bednarski.
• [$500][503217] Low CVE-2015-6784: Escaping issue in saved pages. Credit to Inti De Ceukelaire.
• [$500][534542] Low CVE-2015-6785: Wildcard matching issue in CSP. Credit to mficarra@shapesecurity.com.
• [$500][534570] Low CVE-2015-6786: Scheme bypass in CSP. Credit to mficarra@shapesecurity.com.
• [563930] CVE-2015-6787: Various fixes from internal audits, fuzzing and other initiatives.
• Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch (currently 4.7.80.23).

If you add all those up, you’ll see Google spent a massive $105,837 in bug bounties for this release (and there are additional bounties that still don’t have a reward amount set). The security improvements alone should be enough incentive for you to upgrade to Chrome 47.

Chrome 47 for Android is also coming soon, featuring splash screens, and we’ll update you when it’s live.

Update on December 2: Google has launched Chrome 47 for Android. You can download the new version now directly from Google Play.

The biggest change is the addition of splash screens. When not abused, they can allow apps to show something meaningful to users as the app loads, which in turn improves perceived performance.

Chrome for Android brings splash screens to web apps when a site is launched from the Android home screen. The splash screen is shown immediately, even while Chrome itself is loading, and developers can customize it by setting a name, icon, background color, and notification bar color in the web app manifest. Once the web app begins to draw to the screen, the splash screen disappears.