Chrome 54 arrives with new developer features and YouTube Flash embed rewriting to HTML5

Google today launched Chrome 54 for Windows, Mac, and Linux. This release is mainly focused on developers, but the improvements to how the browser handles YouTube embeds are also noteworthy. You can update to the latest version now using the browser’s built-in silent updater, or download it directly from google.com/chrome.

Chrome is arguably more than a browser: With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

Chrome 54 rewrites YouTube Flash players to use the YouTube HTML5 embed style. YouTube ditched Flash for HTML5 by default in January 2015, but the old embeds still exist all over the web. Google says the change improves both performance and security for its desktop browser.

Chrome also now provides support for the custom elements V1 spec. Custom elements allow developers to create custom HTML tags, as well as defining their API and behavior in JavaScript. The V0 API will be supported until enough developers have moved to V1, though Google didn’t provide details.

Lastly, the BroadcastChannel API has been implemented to allow one-to-many messaging between windows, tabs, iframes, web workers, and service workers. In other words, this API allows scripts to establish named channels to send messages between browsing contexts of the same origin. This is mainly aimed at sites that leverage multiple browser windows or tabs that let users perform more complex tasks.

Other developer features in this release include:

• Navigations initiated in an unload handler will be blocked, and any prior navigation will continue.
• The imageSmoothingQuality attribute for CanvasRenderingContext2D allows developers to balance performance and image quality by adjusting resolution when scaling.
• Sites can use Node.getRootNode(options) to obtain the root for a given node.
• Using PushSubscription.options, sites can track applicationServerKeys without having to store them offline.
• The Resource Timing API now supports transfer, encoded, and decoded size attributes, allowing developers to measure cache hit rates and byte usage.
• The user-select property enables developers to specify which elements can be selected by the user and how.
• Foreign Fetch and WebUSB are available for experimentation as origin trials.
• The text-size-adjust property allows sites to control whether font size automatically scales on mobile devices.
• CacheQueryOptions now conforms to spec across all CacheStorage methods.
• initTouchEvent has been removed in favor of the new TouchEvent() constructor.
• SVGZoomEvent has been removed, as it is no longer part of the SVG 2.0 spec.
• SVGSVGElement.currentView, SVGSVGElement.useCurrentView, SVGViewSpec interface, and SVGSVGElement.viewport have been removed, as they are no longer part of the SVG 2.0 spec.
• SVGTests.requiredFeatures attribute has been deprecated, since it no longer provides useful functionality in the SVG 2.0 spec.
• SVGElement now supports the dataset property.
• The KeyEvent.keyIdentifier field has been removed in favor of the KeyboardEvent.key field.
• window.external.IsSearchProviderInstalled() and AddSearchProvider() are now no-ops, since they are unsupported in most other browsers.

Chrome 54 also implements 21 security fixes, of which Google chose to highlight the following:

• [$7500][645211] High CVE-2016-5181: Universal XSS in Blink. Credit to Anonymous
• [$5500][638615] High CVE-2016-5182: Heap overflow in Blink. Credit to Giwan Go of STEALIEN
• [$3000][645122] High CVE-2016-5183: Use after free in PDFium. Credit to Anonymous
• [$3000][630654] High CVE-2016-5184: Use after free in PDFium. Credit to Anonymous
• [$3000][621360] High CVE-2016-5185: Use after free in Blink. Credit to cloudfuzzer
• [$1000][639702] High CVE-2016-5187: URL spoofing. Credit to Luan Herrera
• [$3133.7][565760] Medium CVE-2016-5188: UI spoofing. Credit to Luan Herrera
• [$1000][633885] Medium CVE-2016-5192: Cross-origin bypass in Blink. Credit to haojunhou@gmail.com
• [$500][646278] Medium CVE-2016-5189: URL spoofing. Credit to xisigr of Tencent’s Xuanwu Lab
• [$500][644963] Medium CVE-2016-5186: Out of bounds read in DevTools. Credit to Abdulrahman Alqabandi (@qab)
• [$500][639126] Medium CVE-2016-5191: Universal XSS in Bookmarks. Credit to Gareth Hughes
• [$N/A][642067] Medium CVE-2016-5190: Use after free in Internals. Credit to Atte Kettunen of OUSPG
• [$500][639658] Low CVE-2016-5193: Scheme bypass. Credit to Yuyang ZHOU (martinzhou96)
• [654782] CVE-2016-5194: Various fixes from internal audits, fuzzing and other initiatives

If you add all those up, you’ll see Google spent $28,633.70 in bug bounties this time around — and that number is lowballed, given all the rewards that have yet to be decided. As always, the security fixes alone should be enough incentive for you to upgrade.

Chrome 54 for Android and iOS are also on their way, but Google has not shared exactly when they will ship. Chrome 55 will arrive in late November.