Skip to main content [aditude-amp id="stickyleaderboard" targeting='{"env":"staging","page_type":"article","post_id":1846533,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"bots,dev,security,","session":"D"}']

Chrome 47 brings new developer features, over $100,000 in security fixes, and removes the notification center

Google today launched Chrome 47 for Windows, Mac, and Linux with cooperative multitasking, automatic dismissal of desktop notifications, security improvements, and new developer features. It also removes the desktop notification center. You can update to the latest version now using the browser’s built-in silent updater or download it directly from google.com/chrome.

Chrome is arguably more than a browser: With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with its regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":1846533,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"bots,dev,security,","session":"D"}']

First up, Google has removed the desktop notification center from Chrome. The company announced these plans last month.

The notification center started showing up in 2013, largely with the goal of supporting Google Now for the desktop. It even worked when Chrome was closed, because Google wanted to help users keep track of notifications, especially so they could catch up on information that apps and extensions had sent while they were away. But many Chrome users (myself included) made a point of disabling the notification center immediately. Having the browser bother you outside the browser was simply annoying.

If you’re a developer, you’ll want to read the new notifications documentation, which reflects changes that affect Chrome apps and extensions. In short, notifications sent solely to the notification center will now result in an error, and API events tied to the notification center will no longer work. All other notifications will continue to function, no changes required.

In fact, Chrome now allows developers to configure automatic dismissal of desktop notifications. Sites can set NotificationOptions.requireInteraction to indicate that the notification should remain onscreen until the user dismisses it. Google added push notifications in Chrome 42, and now, for sites that generate a large number of push notifications and take over your screen, it’s cleaning up the experience.

Developers can now also explicitly set work to run during idle time using requestIdleCallback(). Functions registered with requestIdleCallback() are given a deadline and can return before that limit is reached, registering for another requestIdleCallback() to continue work during the next idle period.

In other words, developers no longer have to guess when performance-critical tasks like rendering will finish and use timers to schedule around them. Such estimates, of course, are never guaranteed, given that the time necessary to complete some events (like scrolling) simply cannot be predicted.

As always, Google Developers explains the latest browser features in a nerdy video with code examples:

[aditude-amp id="medium1" targeting='{"env":"staging","page_type":"article","post_id":1846533,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"bots,dev,security,","session":"D"}']

Other developer features in this release include:

Chrome 47 also includes 41 security fixes, of which Google chose to highlight the following:

  • [$10000][558589] Critical CVE-2015-6765: Use-after-free in AppCache. Credit to anonymous.
  • [$11337][551044] High CVE-2015-6766: Use-after-free in AppCache. Credit to anonymous.
  • [$10000][554908] High CVE-2015-6767: Use-after-free in AppCache. Credit to anonymous.
  • [$8000][556724] High CVE-2015-6768: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
  • [$7500][534923] High CVE-2015-6769: Cross-origin bypass in core. Credit to Mariusz Mlynski.
  • [$7500][541206] High CVE-2015-6770: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
  • [$7500][544991] High CVE-2015-6771: Out of bounds access in v8. Credit to anonymous.
  • [$7500][546545] High CVE-2015-6772: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
  • [$7500][554946] High CVE-2015-6764: Out of bounds access in v8. Credit to Guang Gong of Qihoo 360 via pwn2own.
  • [$5000][491660] High CVE-2015-6773: Out of bounds access in Skia. Credit to cloudfuzzer.
  • [$5000][549251] High CVE-2015-6774: Use-after-free in Extensions. Credit to anonymous.
  • [$3500][529012] High CVE-2015-6775: Type confusion in PDFium. Credit to Atte Kettunen of OUSPG.
  • [$3000][457480] High CVE-2015-6776: Out of bounds access in PDFium. Credit to Hanno Böck.
  • [$3000][544020] High CVE-2015-6777: Use-after-free in DOM. Credit to Long Liu of Qihoo 360Vulcan Team.
  • [$2000][514891] Medium CVE-2015-6778: Out of bounds access in PDFium. Credit to Karl Skomski.
  • [$2000][528505] Medium CVE-2015-6779: Scheme bypass in PDFium. Credit to Ullrich Tiljasper.
  • [$1000][490492] Medium CVE-2015-6780: Use-after-free in Infobars. Credit to Khalil Zhani.
  • [$1000][497302] Medium CVE-2015-6781: Integer overflow in Sfntly. Credit to miaubiz.
  • [$1000][536652] Medium CVE-2015-6782: Content spoofing in Omnibox. Credit to Luan Herrera.
  • [$1000][537205] Medium CVE-2015-6783: Signature validation issue in Android Crazy Linker. Credit to Michal Bednarski.
  • [$500][503217] Low CVE-2015-6784: Escaping issue in saved pages. Credit to Inti De Ceukelaire.
  • [$500][534542] Low CVE-2015-6785: Wildcard matching issue in CSP. Credit to mficarra@shapesecurity.com.
  • [$500][534570] Low CVE-2015-6786: Scheme bypass in CSP. Credit to mficarra@shapesecurity.com.
  • [563930] CVE-2015-6787: Various fixes from internal audits, fuzzing and other initiatives.
  • Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch (currently 4.7.80.23).

If you add all those up, you’ll see Google spent a massive $105,837 in bug bounties for this release (and there are additional bounties that still don’t have a reward amount set). The security improvements alone should be enough incentive for you to upgrade to Chrome 47.

[aditude-amp id="medium2" targeting='{"env":"staging","page_type":"article","post_id":1846533,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"bots,dev,security,","session":"D"}']

Chrome 47 for Android is also coming soon, featuring splash screens, and we’ll update you when it’s live.

Update on December 2: Google has launched Chrome 47 for Android. You can download the new version now directly from Google Play.

The biggest change is the addition of splash screens. When not abused, they can allow apps to show something meaningful to users as the app loads, which in turn improves perceived performance.

[aditude-amp id="medium3" targeting='{"env":"staging","page_type":"article","post_id":1846533,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"bots,dev,security,","session":"D"}']

Chrome for Android brings splash screens to web apps when a site is launched from the Android home screen. The splash screen is shown immediately, even while Chrome itself is loading, and developers can customize it by setting a name, icon, background color, and notification bar color in the web app manifest. Once the web app begins to draw to the screen, the splash screen disappears.