Chrome 51 arrives with new APIs and more efficient page rendering

Google today launched Chrome 51 for Windows and Mac, promising that the Linux version will “ship shortly.” This release includes the usual slew of developer features, but users should benefit from some of the improvements right away. You can update to the latest version now using the browser’s built-in silent updater, or download it directly from google.com/chrome.

Chrome is arguably more than a browser: With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with its regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

First up, Google has added the Credential Management API to Chrome. In short, the new API allows developers to use Chrome’s credential managers more extensively than just for storing a saved password. Custom login flows, remembering federated identity preferences, and general interaction to improve the login experience for users is now possible. Users can sign in with one tap and automatically sign back in when returning to the site.

Next up, the Intersection Observer API allows sites to detect element intersections as an asynchronous event. Sites can receive a callback whenever any element intersects a watched element or its children. Providing viewability information in this more efficient way eliminates the need for costly document monitoring. In short, sites no longer need to implement this functionality with custom JavaScript, and they gain the benefits of improved page load and scroll performance.

Google has also reduced the overhead of offscreen rendering. Chrome no longer runs the rendering pipeline or requestAnimationFrame() callbacks for cross-origin frames that are offscreen. This eliminates unnecessary work and also reduces power consumption by up to 30 percent, according to Google’s own tests on several popular mobile sites. This essentially means that embedded content like videos, social widgets, and ads no longer create overhead that slow down the page.

Lastly, SPDY and NPN support have been removed (a little later than promised) in favor of the standards-based HTTP/2 protocol and ALPN. SPDY, which is not an acronym but just a short version of the word “speedy,” is a protocol — developed primarily at Google — to improve browsing by forcing SSL encryption for all sites and speeding up page loads. The TLS extension NPN allows servers to negotiate SPDY and HTTP/2 connections with clients, but ALPN is more secure.

Other developer features in this release include:

• Passive event listeners, which allow sites to run JavaScript in response to touch and wheel input without blocking scrolling.
• Blobs are now constructed and transferred to the browser asynchronously, allowing large data files to be moved without janking the page.
• The SameSite cookie attribute allows sites to restrict cookies to requests from the same domain.
• Support for the AES_256_GCM cipher on TLS improves security on servers that choose cipher by key size, where legacy 256-bit ciphers were used over more secure, but smaller, ciphers.
• Array.prototype.values() makes it easier to iterate over the elements of an array.
• The function name property now infers useful names for properties and methods with computed property names, making debugging easier with clearer labels and error messages.
• Iterators that are part of a for-of loop that terminates early now call a developer-provided close() method, making it easier to respond to the end of an iteration.
• Symbol.species makes subclassing built-in classes such as Array and RegExp more powerful by allowing custom constructors to be called for derived objects.
• RegExp subclasses can overwrite the exec() method to change the matching algorithm, making it easier to write custom subclasses.
• Sites can now implement their own Symbol.hasInstance() method to customize behavior of the instanceof operator.
• Sites can now retrieve a service worker’s Client object using Clients.get(id).
• ServiceWorker.postMessage() now fires an ExtendableMessageEvent on ServiceWorkerGlobalScope, allowing the message to extend the service worker lifetime and provide more accurate message sources.
• The HTML referrerpolicy attribute allows sites to control what information is sent in the referrer headers of <a>, <area>, <img>, and <iframe> elements.
• The UIEvents KeyboardEvent |key| attribute allows sites to reliably determine the meaning of the key being pressed.
• Sites can now detect the duration of batched offline audio contexts using the OfflineAudioContext.length attribute.
• The ability to customize the message shown in the onbeforeunload dialog has been removed to protect users from malicious websites and align with other browsers.
• Chrome on Android now uses the same media pipeline as desktop Chrome, improving WebAudio support and allowing sites to interact with the playback rate on <audio> and <video> tags.
• The latest version of Chrome improves web animations interoperability by supporting lists of values and removing dashed-names in keyframes.
• Chrome now requires a border style to paint border images, improving spec compliance and interoperability.
• Percentages can now be used for the sizes of flex item children.
• DHE-based ciphers have been deprecated and will be removed in Chrome 52 in favor of ECDHE ciphers to improve TLS security.

Chrome 51 also includes 42 security fixes, of which Google chose to highlight the following:

• [$7500][590118]High CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski.
• [$7500][597532]High CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
• [$7500][598165]High CVE-2016-1674: Cross-origin bypass in extensions. Credit to Mariusz Mlynski.
• [$7500][600182]High CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
• [$7500][604901]High CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu.
• [$4000][602970]Medium CVE-2016-1677: Type confusion in V8. Credit to Guang Gong of Qihoo 360.
• [$3500][595259]High CVE-2016-1678: Heap overflow in V8. Credit to Christoph Diehl.
• [$3500][606390]High CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu.
• [$3000][589848]High CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen of OUSPG.
• [$3000][613160]High CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic of Cisco Talos.
• [$1000][579801]Medium CVE-2016-1682: CSP bypass for ServiceWorker. Credit to kingstonmailbox.
• [$1000][583156]Medium CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire.
• [$1000][583171]Medium CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire.
• [$1000][601362]Medium CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent’s Xuanwu LAB.
• [$1000][603518]Medium CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent’s Xuanwu LAB.
• [$1000][603748]Medium CVE-2016-1687: Information leak in extensions. Credit to Rob Wu.
• [$1000][604897]Medium CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko.
• [$1000][606185]Medium CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen of OUSPG.
• [$1000][608100]Medium CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu.
• [$500][597926]Low CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen of OUSPG.
• [$500][598077]Low CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich.
• [$500][598752]Low CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to jackwillzac.
• [$500][603682]Low CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester.
• [614767] CVE-2016-1695: Various fixes from internal audits, fuzzing and other initiatives.

If you add all those up, you’ll see Google spent a massive $65,500 in bug bounties. The security fixes alone should be enough incentive for you to upgrade to Chrome 51.

Chrome 51 for Android and iOS are also on their way, but Google has not shared exactly when they will ship. Chrome 52 will arrive in early July.