Chrome 52 arrives with new developer features and removes the app launcher

Google today launched Chrome 52 for Windows, Mac, and Linux. This release is mainly focused on developers, but users should benefit from some of the improvements right away. You can update to the latest version now using the browser’s built-in silent updater, or download it directly from google.com/chrome.

Chrome is arguably more than a browser: With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with its regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

As promised, in this release Google has removed the last instances of the Chrome app launcher. The tool, which let users launch Chrome apps even if the browser is not running, will continue to live on in Chrome OS.

Next, the new CSS contain property allows developers to prevent an element’s children from displaying outside of its bounds. When an element updates, Chrome can ignore any element outside the parent node during rendering. The goal is faster rendering times — Chrome uses heuristics to determine which parts of a page have changed and should be updated, but because elements can display outside the bounds of their parents, changes to one element can affect elements anywhere else in the document. CSS Containment lets Chrome consider fewer elements while rendering.

The PerformanceObserver API allows sites to collect real-user measurement (RUM) at runtime by declaring which metrics they’re interested in. Instead of polling for updates, the browser simply notifies the site when new data points for those metrics become available. This is superior to Chrome’s DevTools local site testing as it can be used to determine how a site performs for real users with varied devices.

Service workers have gained streaming support. Sites can now use the Streams API to gain obvious speed benefits:

https://www.youtube.com/watch?v=Byvwbo1YyEU

Lastly, Chrome now supports VAPID, an open standard for authenticating a site’s server with a push service. Sites are given a Firebase Cloud Messaging endpoint that supports the cross-browser web push protocol.

Other developer features in this release include:

• Chrome now pauses animations while showing modal dialog boxes.
• HTTP alternative services allow sites to specify additional origins that can be used to reach a certain resource, enabling easier protocol upgrades and load balancing.
• ImageBitmaps can be created more easily using ImageBitmapOptions to specify configurations on construction.
• Sites can now free the memory consumed by an ImageBitmap using ImageBitmap.close().
• Chrome now supports OpenType small capitals and easier styling of numbers using the font-variant-caps and font-variant-numeric properties.
• Touch gestures inside a cross-origin iframe can no longer trigger popups unless they correspond to a tap gesture, preventing accidental pop-ups during scrolling.
• Now only secure origins can create or delete secure cookies on Chrome for Android.
• The latest version of Chrome supports -webkit-appearance:none, which disables the default rendering of HTML5 meter elements and allows easier custom CSS styling.
• The unsafe-dynamic Content Security Policy expression allows sites to use single-use or hash-based whitelists to verify script sources, making it easier to protect against cross-origin scripting attacks.
• Sites can now use the Fetch API to programmatically set the referrer policy for a request.
• CanvasRenderingContext2D now supports the filter attribute, allowing sites to apply effects to primitives drawn to the canvas.
• Sites can now test whether or not a key exists within the bounds of an IDBKeyRange using IDBKeyRange.includes().
• The HTMLMediaElement.srcObject attribute simplifies associating a MediaStream with a media element.
• AudioParam now supports the read-only min and max attributes to simplify introspection.
• RTCCertificates can now be stored in IndexedDB.
• PannerNode and AudioListener now support automation methods, allowing smooth audio transitions.
• Stylesheets can now specify alpha values for colors using eight- and four-bit hexadecimal values instead of the longer rgba() syntax.
• Sites can now experiment with persistent storage as an origin trial, allowing a site to disable automatic storage clearing when bookmarked.
• Multiple WebVTT tracks will now be presented as user options in the default media controls, enabling language selection for captions and subtitles.
• postMessage overrides of the form postMessage(message,transferables,targetOrigin) have been deprecated.
• The MediaStream ended event and the corresponding onended attribute have been deprecated.
• The web app manifest icons entry no longer supports the density property.
• The DynamicsCompressorNode.reduction attribute is now a readonly float instead of an AudioParam.
• flexbox children with position:absolute will now be positioned using justify and align if the element does not have a left:, right:, top:, or bottom: position specified.
• requestAutocomplete() has been deprecated and removed due to low usage numbers.
• X-Frame-Option will no longer be supported in the meta tag to support a more secure implementation.
• Invalid values for track-kind are now treated as metadata instead of subtitles to improve media behavior in older user agents.

Chrome 52 also includes 48 security fixes, of which Google chose to highlight the following:

• [$15000][610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie
• [$3000][622183] High CVE-2016-1707: URL spoofing on iOS. Credit to xisigr of Tencent’s Xuanwu Lab
• [$TBD][613949] High CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan
• [$TBD][614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin of Topsec Security Team
• [$TBD][616907] High CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski
• [$TBD][617495] High CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski
• [$TBD][618237] High CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer
• [$TBD][619166] High CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous
• [$TBD][620553] High CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin
• [$TBD][623319] High CVE-2016-5130: URL spoofing. Credit to Wadih Matar
• [$TBD][623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer
• [$1000][607543] Medium CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly
• [$1000][613626] Medium CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor
• [$500][593759] Medium CVE-2016-5134: URL leakage via PAC script. Credit to Paul Stone
• [$500][605451] Medium CVE-2016-5135: Content-Security-Policy bypass. Credit to kingxwy
• [$TBD][625393] Medium CVE-2016-5136: Use after free in extensions. Credit to Rob Wu
• [$TBD][625945] Medium CVE-2016-5137: History sniffing with HSTS and CSP. Credit to Xiaoyin Liu
• [629852] CVE-2016-1705: Various fixes from internal audits, fuzzing and other initiatives.

If you add all those up, you’ll see Google spent just $21,000 in bug bounties this time around — but that number is lowballing it given all the rewards that have yet to be decided. As always, the security fixes alone should be enough incentive for you to upgrade.

Chrome 52 for Android and iOS are also on their way, but Google has not shared exactly when they will ship. Chrome 53 will arrive in September.