As usual, Google patched a lot of security vulnerabilities that have been discovered by various researchers during the entire development cycle of the Google Chrome 51 browser (see below for details), but there are also a couple of new features to get excited for in Chrome 51.

Google today launched Chrome 51 for Windows, Mac and promising that the Linux version will “ship shortly. The latest version of Google’s browser contains the usual bug and security fixes, but also features a new Credential Management API that improves the website login experience.

Chrome is arguably more than a browser: With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with its regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

First up, Google has added the Credential Management API to Chrome. In short, the new API allows developers to add use Chrome’s credential managers more extensively than just for storing a saved password. Custom login flows, remembering federated identity preferences, and general interaction to improve the login experience for users is now possible. Users can sign in with one tap and automatically sign back in when returning to the site.chrome_credential_management_apiNext up, the Intersection Observer API allows sites to detect element intersections as an asynchronous event. Sites can receive a callback whenever any element intersects a watched element or its children. Providing viewability information in this more efficient way eliminates the need for costly document monitoring. In short, sites no longer need to implement this functionality with custom JavaScript, and gain the benefits of improved page load and scroll performance.

Lastly, Google has reduced the overhead of offscreen rendering. Chrome no longer runs the rendering pipeline or requestAnimationFrame() callbacks for cross-origin frames that are offscreen. This eliminates unnecessary work and also reduces power consumption by up to 30 percent, according to Google’s own tests on several popular mobile sites. This essentially means that embedded content like videos, social widgets, and ads no longer create overhead that slow down the page.

Other developer features in this release include:

Chrome 51 also includes 42 security fixes, of which Google chose to highlight the following:

  • [$7500][590118]High CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski.
  • [$7500][597532]High CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
  • [$7500][598165]High CVE-2016-1674: Cross-origin bypass in extensions. Credit to Mariusz Mlynski.
  • [$7500][600182]High CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
  • [$7500][604901]High CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu.
  • [$4000][602970]Medium CVE-2016-1677: Type confusion in V8. Credit to Guang Gong of Qihoo 360.
  • [$3500][595259]High CVE-2016-1678: Heap overflow in V8. Credit to Christoph Diehl.
  • [$3500][606390]High CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu.
  • [$3000][589848]High CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen of OUSPG.
  • [$3000][613160]High CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic of Cisco Talos.
  • [$1000][579801]Medium CVE-2016-1682: CSP bypass for ServiceWorker. Credit to kingstonmailbox.
  • [$1000][583156]Medium CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire.
  • [$1000][583171]Medium CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire.
  • [$1000][601362]Medium CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent’s Xuanwu LAB.
  • [$1000][603518]Medium CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent’s Xuanwu LAB.
  • [$1000][603748]Medium CVE-2016-1687: Information leak in extensions. Credit to Rob Wu.
  • [$1000][604897]Medium CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko.
  • [$1000][606185]Medium CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen of OUSPG.
  • [$1000][608100]Medium CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu.
  • [$500][597926]Low CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen of OUSPG.
  • [$500][598077]Low CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich.
  • [$500][598752]Low CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to jackwillzac.
  • [$500][603682]Low CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester.
  • [614767] CVE-2016-1695: Various fixes from internal audits, fuzzing and other initiatives.

If you add all those up, you’ll see Google spent a massive $65,500 in bug bounties. The security fixes alone should be enough incentive for you to upgrade to Chrome 51.

Chrome 51 for Android and iOS are also on their way, but Google has not shared exactly when they will ship. Chrome 52 will arrive in early July.

LEAVE A REPLY