Chrome 44 launches with Android home screen banner improvements, tweaks to push messaging and notifications

Google today launched Chrome 44 for Windows, Mac, and Linux with new developer tools. You can now update to the latest version using the browser’s built-in silent updater or download it directly from google.com/chrome.

Chrome is arguably more than a browser: With hundreds of millions of users, it’s a major platform that web developers have to consider. In fact, with regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

First and foremost, let’s talk about home screen banner improvements on Android. While Chrome 44 for Android isn’t out yet, developers can start leveraging the improvements now.

Chrome 32 introduced the ability for Android users to add home screen shortcuts to their favorite websites via a menu item. Chrome 42 took the functionality a step further by showing a banner — users who frequently visit a high-quality web app can be asked if they want to add the site to their home screen with one tap:

In Chrome 44, developers can now track to see if users added their app (Chrome now fires a cancellable beforeinstallprompt event before the banner is shown) and disable the banner completely. More details are available on GitHub: check the banner and prevent the banner.

Next up, push messaging is changing slightly with this release and the next. Here is what developers need to know:

When push was first implemented in Chrome 42, the spec also defined a subscriptionId, which Chrome used to pass a GCM ID to the web app. The spec has since changed and removed subscriptionId, so in Chrome 44 the subscriptionId is appended to the endpoint object with a ‘/’ inbetween, but is still accessible in Chrome 44 legacy reasons. In Chrome 45, the subscriptionId will be completely removed.

Lastly, Notfication.data and ServiceWorkerRegistration.getNotifications() have been added. These should give developers more control: Sites can now use getNotifications to observe which of their notifications are still being displayed and Notification.data to store a payload with a notification so they can determine which notification was clicked.

All of the above is explained with code examples in this nerdy Google Developers video (if you’re wondering, this is the best part):

Other developer features in this release include:

• Chrome’s implementation of the Push API has undergone several minor breaking changes in order to keep up to date with the evolving specification.
• ES6 extended Unicode escape sequences allow developers to use the extended set of Unicode characters in JavaScript string literals, where previously characters whose escape sequences contain more than four hexadecimal values were unable to be denoted.
• This release includes a new implementation of multi-column layout by Opera engineer Morten Stenshorne, solving historic issues with incorrect column balancing.
• Developers should now use the scroll attributes of 1155cc; font-family: ‘Courier New’; font-size: 13.333333333333332px; font-style: nodocument.scrollingElement instead of document.body as the latter has several well known issues.

Chrome 44 also includes 43 security fixes, of which Google chose to highlight the following:

• [$3000][446032] High CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer.
• [$3000][459215] High CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft.
• [$TBD][461858] High CVE-2015-1274: Settings allowed executable files to run immediately after download. Credit to andrewm.bpi.
• [$7500][462843] High CVE-2015-1275: UXSS in Chrome for Android. Credit to WangTao(neobyte) of Baidu X-Team.
• [$TBD][472614] High CVE-2015-1276: Use-after-free in IndexedDB. Credit to Collin Payne.
• [$5500][483981] High CVE-2015-1279: Heap-buffer-overflow in pdfium. Credit to mlafon.
• [$5000][486947] High CVE-2015-1280: Memory corruption in skia. Credit to cloudfuzzer.
• [$1000][487155] High CVE-2015-1281: CSP bypass. Credit to Masato Kinugawa.
• [$TBD][487928] High CVE-2015-1282: Use-after-free in pdfium. Credit to Chamal de Silva.
• [$TBD][492052] High CVE-2015-1283: Heap-buffer-overflow in expat. Credit to sidhpurwala.huzaifa.
• [$2000][493243] High CVE-2015-1284: Use-after-free in blink. Credit to Atte Kettunen of OUSPG.
• [$7500][504011] High CVE-2015-1286: UXSS in blink. Credit to anonymous.
• [$1337][419383] Medium CVE-2015-1287: SOP bypass with CSS. Credit to filedescriptor.
• [$1000][444573] Medium CVE-2015-1270: Uninitialized memory read in ICU. Credit to Atte Kettunen of OUSPG.
• [$500][451456] Medium CVE-2015-1272: Use-after-free related to unexpected GPU process termination. Credit to Chamal de Silva.
• [479743] Medium CVE-2015-1277: Use-after-free in accessibility. Credit to SkyLined.
• [$500][482380] Medium CVE-2015-1278: URL spoofing using pdf files. Credit to Chamal de Silva.
• [$1337][498982] Medium CVE-2015-1285: Information leak in XSS auditor. Credit to gazheyes.
• [$500][479162] Low CVE-2015-1288: Spell checking dictionaries fetched over HTTP. Credit to mike@michaelruddy.com.
• [512110] CVE-2015-1289: Various fixes from internal audits, fuzzing and other initiatives.

If you add all those up, you’ll see Google spent at least $39,674 in bug bounties for this release (there are three bounties that still don’t have a price set). The security improvements alone should be enough incentive for you to upgrade to Chrome 44.