Google also removes the Chrome App launcher

Jul 21, 2016 00:12 GMT  ·  By

Google has released Chrome 52.0.2743.82 today, promoting the 52.x branch to the Stable Channel and making it Chrome's official version.

This new release is a little bit light on visible UI features but brings a lot for developers who like to tinker on websites and are, generally, more interested in what's under the browser's hood.

Back in early June, Google engineers drew out a plan of what features users should expect in Chrome 52.

New CSS contain property

The team didn't stray much from their plan, and now Chrome features support for CSS containment, via the CSS contain property, which prevents child elements from showing up outside the boundaries of their parent element.

A good reason for developers to implement CSS containment on their websites is to speed up page load times. Google engineers played around and detailed the advantages of using the contain property in a blog post in June.

CSS contain support is only available in Chrome 52 and Opera 40 (alpha stage). Firefox devs have shown public interest in integrating the property into their browser, but no code to support it has landed in the browser until now.

Simpler and more efficient process for gathering performance metrics

The second big feature Google engineers added is the PerformanceObserver API, which allows Web developers to fine-tune the performance metrics gathering process.

Until now, developers wanting to collect performance metrics have had to rely on Chrome's DevTools, which is not a tool specifically designed for such a process.

With the integration of this new API, developers can specify which performance metrics they want Chrome to collect, and avoid situations when the browser gathers information that is never used and wasting memory space. Google devs explained how this feature works this past June.

VAPID Support and the Streams API

Chrome 52 also supports the VAPID specification (Voluntary Application Server Identification for Web Push).

VAPID allows a site that uses push notifications to authenticate much more easily with Web Push services that interact with your desktops or mobile devices.

Additionally, the Streams API also introduced with Chrome 52 will allow the browser to start rendering page content even if the entire HTTP request has finished downloading. This basically means that CSS code is already used on the page, even before the entire stylesheet has been downloaded.

As seen in the video above, this improves page loading times, something Google engineers will never stop trying to improve.

Deprecations and removals

The first thing you will notice missing from Chrome 52 is the company's Chrome App Launcher that allowed the user to launch Chrome apps even if the browser was closed.

Google announced the deprecation of this feature at the start of the year, but people who love it can still use it inside Chrome OS.

Other things that were removed or deprecated include support for the MediaStream ended event and attribute, the MediaStream onended attribute, overload of postMessage(), X-Frame-Options intags, non-primary button click event, requestAutocomplete(), and the ability to block cross-origin iframes during touch events except during a tap gesture.

Security bugs and other smaller updates

Google's security team didn't slack either, and based on their own audits and reported bugs, the engineers fixed 48 security issues, handing out $21,000 to contributors along the way.

Below is the full list of security bugs, followed by a selection of smaller changes also included in Chrome 52's full changelog.

[$15000][610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie
[$3000][622183] High CVE-2016-1707: URL spoofing on iOS. Credit to xisigr of Tencent's Xuanwu Lab
[$TBD][613949] High CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan
[$TBD][614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin of Topsec Security Team
[$TBD][616907] High CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][617495] High CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski
[$TBD][618237] High CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer
[$TBD][619166] High CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous
[$TBD][620553] High CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin
[$TBD][623319] High CVE-2016-5130: URL spoofing. Credit to Wadih Matar
[$TBD][623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer
[$1000][607543] Medium CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly
[$1000][613626] Medium CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor
[$500][593759] Medium CVE-2016-5134: URL leakage via PAC script. Credit to Paul Stone
[$500][605451] Medium CVE-2016-5135: Content-Security-Policy bypass. Credit to kingxwy
[$TBD][625393] Medium CVE-2016-5136: Use after free in extensions. Credit to Rob Wu
[$TBD][625945] Medium CVE-2016-5137: History sniffing with HSTS and CSP. Credit to Xiaoyin Liu
Other Changed Features