Google has released version 46 of its Chrome web browser. Google Chrome is available for Windows, Linux and OS X. There are also versions for Android and iOS, but those follow a slightly different release schedule. Version 46 brings, among other things, new CSS animation features, improved performance controls and a large number of API tweaks. In addition, another 24 security issues have been resolved and various bug fixes have been made. The release notes for this version are as follows:
Animating objects along author specified paths
Previously, animating objects along an author-specified path required complex JavaScript code that could block important events like rendering and input. Developers can now animate any graphical object along an arbitrary path declaratively as a CSS property, allowing simpler code that doesn’t block rendering or input.
Optimized image loading and service worker instrumentation
Tools like srcset allow developers to serve an optimized image variant in a responsive way, but it can be cumbersome and inefficient to use in practice. Developers can now negotiate with the server to download the best image variant for a device using straightforward HTTP request headers. These headers communicate DPR, Viewport-Width, and the intended display width of the resource being fetched to the server.
In addition to improving image loading, developers can now instrument service workers to gather detailed fetch and script timing. Developers can also measure the startup time of service workers more accurately.
Other updates in this release
- As part of Chrome’s ongoing efforts to ship features from the ES2015 specification, Chrome now supports the spread operator and new.target.
- To prevent user annoyance and conserve power, Chrome will now defer playback of autoplay videos in background tabs until the first time the tab is foregrounded.
- Developers can now disable Chrome’s default scroll restoration behavior on history navigation when it interferes with the app’s user experience.
- Sites can specify origins that Chrome should preconnect to in order to improve performance.
- Sites launched from the home screen can now modify the default color of Chrome’s UI by specifying a theme color in their web manifest instead of a meta tag.
- Sites that have been added to the homescreen can now set a background color to show while resources load.
- Developers can now specify a URI for Chrome to report HTTP Public Key Pinning violations to, making man-in-the-middle attacks easier to find.
- Events generated by user action can be differentiated from events generated by script using Event.isTrusted(), allowing developers to protect against fake clicks.
- Developers can now use CSS.escape(), eliminating the need for complicated string escape code while handling user generated identifiers.
- Modal dialogs are now blocked by default in sandboxed iframes, preventing embedded content from abusing APIs like alert.
- Sites can now set an iframe attribute that allows sandboxed content to launch unrestricted windows.
- As part of our continuing policy to remove powerful APIs on insecure origins, the Cache API is now restricted to HTTPS.
- Cache.addAll() is now supported, removing the need for polyfills enabling bulk interactions with the cache.
- The Fetch API now supports Request.redirect, allowing more control over redirects.
- DOMExceptions can now be constructed from scripts, making polyfills easier to build for specs that require exceptions.
- Timer-based polling is no longer necessary to use WebRTC DataChannels, making them more efficient and convenient.
- DevTools now has better tool tips and custom network profiles.
- Resource Timing extensions to the Performance interface are now available without prefixes.
- The CSS intrinsic sizing values, which allow boxes to fit their contents, are no longer prefixed.
- Request.context has been removed until the spec has stabilized.
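The CSS.escape() item in the list above, as an added example that is not part of the release notes or Chrome's own code: it builds an ID selector from a user-generated identifier so that selector syntax inside the identifier stays inert. The names `escapeIdent` and `idSelector` are hypothetical, and the fallback branch follows the CSSOM "serialize an identifier" rules so the file also runs outside a browser.

```javascript
// Added example, not from the release notes. Uses the browser's CSS.escape()
// when present; otherwise applies the CSSOM "serialize an identifier" rules.
function escapeIdent(value) {
  const s = String(value);
  if (typeof CSS !== 'undefined' && typeof CSS.escape === 'function') {
    return CSS.escape(s);
  }
  const asCodePoint = (c) => '\\' + c.toString(16) + ' ';
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const isDigit = c >= 0x30 && c <= 0x39;
    if (c === 0x0000) {
      out += '\uFFFD';                       // NUL becomes U+FFFD
    } else if ((c >= 0x01 && c <= 0x1f) || c === 0x7f) {
      out += asCodePoint(c);                 // control characters
    } else if (isDigit && (i === 0 || (i === 1 && s.charCodeAt(0) === 0x2d))) {
      out += asCodePoint(c);                 // leading digit, or digit after a leading "-"
    } else if (c === 0x2d && i === 0 && s.length === 1) {
      out += '\\-';                          // a lone "-"
    } else if (c >= 0x80 || c === 0x2d || c === 0x5f || isDigit ||
               (c >= 0x41 && c <= 0x5a) || (c >= 0x61 && c <= 0x7a)) {
      out += s.charAt(i);                    // safe identifier characters
    } else {
      out += '\\' + s.charAt(i);             // everything else gets a backslash
    }
  }
  return out;
}

// Hypothetical helper: build an ID selector from a user-generated identifier.
function idSelector(userId) {
  return '#' + escapeIdent(userId);
}

// Constructed sample inputs: benign ids and ids carrying selector syntax.
const samples = ['comment-42', '42-first', 'x, body *', 'a.b#c'];
for (const id of samples) {
  console.log(JSON.stringify(id), '->', idSelector(id));
}
```

In a page, the result would be passed to `document.querySelector(idSelector(userId))`; the escaped comma, space and `*` in the third sample can no longer widen the match to other elements.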
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 24 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. The total value of additional rewards and their recipients will be updated here when all reports have gone through the reward panel. As usual, our ongoing internal security work was responsible for a wide range of fixes:
- [519558] High CVE-2015-6755: Cross-origin bypass in Blink.
- [507316] High CVE-2015-6756: Use-after-free in PDFium.
- [529520] High CVE-2015-6757: Use-after-free in ServiceWorker.
- [522131] High CVE-2015-6758: Bad-cast in PDFium.
- [514076] Medium CVE-2015-6759: Information leakage in LocalStorage.
- [519642] Medium CVE-2015-6760: Improper error handling in libANGLE.
- [447860 & 532967] Medium CVE-2015-6761: Memory corruption in FFMpeg.
- [512678] Low CVE-2015-6762: CORS bypass via CSS fonts.
- [542517] CVE-2015-6763: Various fixes from internal audits, fuzzing and other initiatives.
- Multiple vulnerabilities in V8 fixed at the tip of the 4.6 branch (currently 4.6.85.23).