Chrome 59

Google today released Chrome 59, a new version of the Chrome browser that comes with a complete revamp of the Settings section.

Starting with v59, Chrome uses Material Design, which is Google's internal UI that the company developed three years back as a universal design language for all of its official apps.

Chrome was one of the last Google products not to feature a Material Design-inspired UI; the design language has by now made its way into Android, Gmail, Google Search, AdSense, and most of the company's best-selling products.

Headless Chromium & native notifications on macOS

Besides the revamped Settings section UI, Chrome 59 also includes some hidden gems. The first of these is support for a headless mode in Chrome.

A headless mode for Chrome means software testers can now script Chrome interactions. Testers can load just Chrome's inner workings, its engines, without starting its UI. Automated scripts perform actions in this headless (UI-less) Chrome mode, record those actions and report on the findings. The results are then used to evaluate software or test problematic code.

Google started working on a headless Chromium mode last year, and the company announced the feature last month.

In addition, Google Chrome 59 adds native support for notifications on macOS. Starting with this version, Chrome will show desktop notifications on macOS devices using the operating system's Notifications API, instead of Chrome's Notifications API. The only difference here is at the visual level, where Chrome notifications will look like macOS notifications.

Chrome notifications on macOS [before Chrome 59 - left; in Chrome 59 - right]

Other features in this release

  • Developers can now use MediaError.message to obtain greater detail about a MediaError produced by <audio> or <video>.
  • WritableStreams are now available as part of the Streams API for processing streams of data, while providing a standard abstraction for writing streaming data to a sink with built-in backpressure and queuing.
  • The Streams API has been expanded with the ability to pipe between ReadableStreams and WritableStreams via the pipeTo() and pipeThrough() methods, allowing easier consumption of streaming data.
  • Developers can now use the getInstalledRelatedApps function to smartly consolidate push notifications between related web and native apps by suggesting when and on which platform to offer them.
  • The Image Capture API now allows sites to take higher resolution images than before, providing full control over camera settings such as zoom, ISO, and white balance.
  • To provide enhanced privacy, CSS stylesheets can now specify their own referrer policy via the HTTP header, rather than always inheriting the referrer policy of the document that originally referenced it.
  • To avoid over-prompting users, Chrome will now temporarily stop an origin from requesting a permission following the third dismissal of that permission request.
  • Touch events are now aligned to requestAnimationFrame, ensuring that input is processed as part of the document lifecycle and creating a more efficient and adaptive input response.
  • The new worker-src Content Security Policy directive restricts which URLs may be loaded as a Worker, SharedWorker, or ServiceWorker.
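To illustrate the worker-src directive from the list above, here is an added example (not code from the article or from Chrome) that reports which worker URLs an explicit worker-src source list permits. The function names, the policy and the example.test hosts are constructed, and only a labelled subset of CSP source expressions is handled.

```javascript
// Added example: which worker URLs does an explicit worker-src allow?
// Handles 'none', 'self' (same scheme and host), scheme-sources ("blob:") and
// exact scheme://host[:port] sources; any other expression throws rather than guess.

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first wins
  }
  return directives;
}

function sourceMatches(expr, doc, target) {
  const e = expr.toLowerCase();
  if (e === "'self'") return target.protocol === doc.protocol && target.host === doc.host;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return target.protocol === e;
  let src = null;
  if (!e.includes('*') && !e.startsWith("'")) {
    try { src = new URL(e); } catch (err) { src = null; }
  }
  if (src === null || src.pathname !== '/') throw new Error('unsupported source: ' + expr);
  return target.protocol === src.protocol && target.host === src.host;
}

// true/false when the policy contains worker-src; null when it does not
// (fallback to other directives is not modelled in this example).
function workerSrcAllows(policy, documentUrl, workerUrl) {
  const sources = parseCsp(policy).get('worker-src');
  if (sources === undefined) return null;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  const doc = new URL(documentUrl);
  const target = new URL(workerUrl, doc);
  return sources.some((s) => sourceMatches(s, doc, target));
}

// Constructed policy and URLs (placeholder hosts).
const POLICY = "default-src 'self'; worker-src 'self' https://workers.example.test";
const PAGE = 'https://app.example.test/';
for (const w of ['/sw.js', 'https://workers.example.test/pool.js',
  'https://cdn.example.test/w.js', 'blob:https://app.example.test/1b2c']) {
  console.log(w, workerSrcAllows(POLICY, PAGE, w));
}
```

In the constructed run, the same-origin script and the listed worker host are allowed, while the unlisted CDN host and the blob: URL are not.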

Deprecations and interoperability improvements

  • The <dialog> element has changed from display: inline to block by default to better align with the spec.
  • Following removal from the Media Queries spec, support for hover: on-demand and any-hover: on-demand media queries has been removed.
  • To better align with spec and help avoid race conditions, decodeAudioData now detaches the given ArrayBuffer before decoding, removing all content from the object and making it unable to be reused or examined.
  • To increase security, Chrome no longer supports requesting notification permission over HTTP.
  • The -internal-media-controls-cast-button CSS selector has been removed in favor of the Remote Playback API.
  • The -internal-media-controls-text-track-list* CSS selectors have been removed in favor of custom-built video controls.
  • The SVGTests.requiredFeatures attribute has been deprecated following its removal from the spec.
  • initDeviceMotionEvent() and initDeviceOrientationEvent() were removed in favor of DeviceOrientationEvent() and DeviceMotionEvent(), following a spec trend of moving away from initialization functions and toward constructors.
  • To preserve consistency across browsers, the sample property will now be included in a violation report (and associated SecurityPolicyViolationEvent object) if a report-sample expression is present in the violated directive.
  • To increase security, Chrome will now block requests for subresources that contain embedded credentials, and instead handle them as network errors.
  • To increase security, Chrome will now block requests from HTTP/HTTPS documents to ftp: URLs.
  • To preserve consistency across browsers, injecting JavaScript via AppleScript is no longer supported in Chrome for Mac.
  • The ability to call Notification.requestPermission() from non-main frames has been deprecated to align the requirements for notification permission with requirements for push notifications, and ease friction for developers.
  • Support for Shared Dictionary Compression (SDCH) has been disabled until a stable API has been standardized.
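Two of the security changes in the list above (subresource URLs with embedded credentials, and ftp: requests from HTTP/HTTPS documents) can break existing pages, so site owners may want to find affected references in their own markup. The following is an added example, not code from the article or from Chrome; the function names, the sample HTML and the example.test hosts are constructed, and the rules are applied as the article words them.

```javascript
// Added example: audit a page's subresource references against the two
// Chrome 59 blocking rules as the article states them.

// Strip userinfo before reporting a parsed URL, so findings carry no password.
function redact(url) {
  const copy = new URL(url.href);
  copy.username = '';
  copy.password = '';
  return copy.href;
}

// Classify one reference. documentUrl is the page; ref is a raw src/href value.
function auditSubresource(documentUrl, ref) {
  let doc, target;
  try {
    doc = new URL(documentUrl);
    target = new URL(ref, doc); // resolve relative references against the page
  } catch (e) {
    return { ref: '(unparseable)', verdict: 'unparseable', reasons: [] };
  }
  const reasons = [];
  if (target.username !== '' || target.password !== '') {
    reasons.push('embedded-credentials');
  }
  if (/^https?:$/.test(doc.protocol) && target.protocol === 'ftp:') {
    reasons.push('ftp-from-http-document');
  }
  return { ref: redact(target), verdict: reasons.length ? 'blocked' : 'ok', reasons };
}

// Deliberately simple attribute scan (not an HTML parser) over img/script/link.
function auditHtml(documentUrl, html) {
  const re = /<(?:img|script|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const findings = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    findings.push(auditSubresource(documentUrl, m[1]));
  }
  return findings.filter((f) => f.verdict !== 'ok');
}

// Constructed sample page; hosts and credentials are placeholders.
const SAMPLE_HTML = `
<img src="https://user:secret@cdn.example.test/logo.png">
<script src="/static/app.js"></script>
<link rel="stylesheet" href="ftp://files.example.test/site.css">
<img src="ftp://anon:pw@files.example.test/banner.png">`;
console.log(auditHtml('https://www.example.test/index.html', SAMPLE_HTML));
```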

Security Fixes and Rewards

Last, but definitely not least, this update also includes 30 security updates. The full list of security updates is described below:

[$7500][722756] High CVE-2017-5070: Type confusion in V8. Reported by Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16
[$3000][715582] High CVE-2017-5071: Out of bounds read in V8. Reported by Choongwoo Han on 2017-04-26
[$3000][709417] High CVE-2017-5072: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-04-07
[$2000][716474] High CVE-2017-5073: Use after free in print preview. Reported by Khalil Zhani on 2017-04-28
[$1000][700040] High CVE-2017-5074: Use after free in Apps Bluetooth. Reported by anonymous on 2017-03-09
[$2000][678776] Medium CVE-2017-5075: Information leak in CSP reporting. Reported by Emmanuel Gil Peyrot on 2017-01-05
[$1000][722639] Medium CVE-2017-5086: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-05-16
[$1000][719199] Medium CVE-2017-5076: Address spoofing in Omnibox. Reported by Samuel Erb on 2017-05-06
[$1000][716311] Medium CVE-2017-5077: Heap buffer overflow in Skia. Reported by Sweetchip on 2017-04-28
[$1000][711020] Medium CVE-2017-5078: Possible command injection in mailto handling. Reported by Jose Carlos Exposito Bueno on 2017-04-12
[$500][713686] Medium CVE-2017-5079: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-20
[$500][708819] Medium CVE-2017-5080: Use after free in credit card autofill. Reported by Khalil Zhani on 2017-04-05
[$N/A][672008] Medium CVE-2017-5081: Extension verification bypass. Reported by Andrey Kovalev (@L1kvID) Yandex Security Team on 2016-12-07
[$N/A][721579] Low CVE-2017-5082: Insufficient hardening in credit card editor. Reported by Nightwatch Cybersecurity Research on 2017-05-11
[$N/A][714849] Low CVE-2017-5083: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-24
[$N/A][692378] Low CVE-2017-5085: Inappropriate javascript execution on WebUI pages. Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15

Google's ongoing internal security work was responsible for the following fix:

  • [729639] Various fixes from internal audits, fuzzing and other initiatives
