As usual, Google patched a lot of security vulnerabilities that have been discovered by various researchers during the entire development cycle of the Google Chrome 51 browser (see below for details), but there are also a couple of new features to get excited for in Chrome 51.
Google today launched Chrome 51 for Windows and Mac, promising that the Linux version will “ship shortly.” The latest version of Google’s browser contains the usual bug and security fixes, but also features a new Credential Management API that improves the website login experience.
Chrome is arguably more than a browser: With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with its regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.
Lastly, Google has reduced the overhead of offscreen rendering. Chrome no longer runs the rendering pipeline or requestAnimationFrame() callbacks for cross-origin frames that are offscreen. This eliminates unnecessary work and also reduces power consumption by up to 30 percent, according to Google’s own tests on several popular mobile sites. This essentially means that embedded content like videos, social widgets, and ads no longer creates overhead that slows down the page.
Other developer features in this release include:
- Blobs are now constructed and transferred to the browser asynchronously, allowing large data files to be moved without janking the page.
- The SameSite cookie attribute allows sites to restrict cookies to requests from the same domain.
- Support for the AES_256_GCM cipher on TLS improves security on servers that choose cipher by key size, where legacy 256-bit ciphers were used over more secure, but smaller, ciphers.
- Array.prototype.values() makes it easier to iterate over the elements of an array.
- The function name property now infers useful names for properties and methods with computed property names, making debugging easier with clearer labels and error messages.
- Iterators that are part of a for-of loop that terminates early now call a developer-provided close() method, making it easier to respond to the end of an iteration.
- Symbol.species makes subclassing built-in classes such as Array and RegExp more powerful by allowing custom constructors to be called for derived objects.
- RegExp subclasses can overwrite the exec() method to change the matching algorithm, making it easier to write custom subclasses.
- Sites can now implement their own Symbol.hasInstance() method to customize the behavior of the instanceof operator.
- Sites can now retrieve a service worker’s Client object using Clients.get(id).
- ServiceWorker.postMessage() now fires an ExtendableMessageEvent on ServiceWorkerGlobalScope, allowing the message to extend the service worker lifetime and provide more accurate message sources.
- The HTML referrerpolicy attribute allows sites to control what information is sent in the referrer headers of <a>, <area>, <img>, and <iframe> elements.
- The UIEvents KeyboardEvent |key| attribute allows sites to reliably determine the meaning of the key being pressed.
- Sites can now detect the duration of batched offline audio contexts using the OfflineAudioContext.length attribute.
- SPDY and ALPN support has been removed in favor of the standards-based HTTP/2 protocol.
- The ability to customize the message shown in the onbeforeunload dialog has been removed to protect users from malicious websites and align with other browsers.
- Chrome on Android now uses the same media pipeline as desktop Chrome, improving WebAudio support and allowing sites to interact with the playback rate on <audio> and <video> tags.
- The latest version of Chrome improves web animations interoperability by supporting lists of values and removing dashed-names in keyframes.
- Chrome now requires a border style to paint border images, improving spec compliance and interoperability.
- Percentages can now be used for the sizes of flex item children.
- DHE-based ciphers have been deprecated and will be removed in Chrome 52 in favor of ECDHE ciphers to improve TLS security.
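To make the SameSite item above concrete from a CSRF-mitigation angle, here is an added example (not Chrome's or Google's code) that builds a Set-Cookie header with the attribute and models the rules Chrome 51 applied when deciding whether to attach a cookie: Strict never on cross-site requests, Lax only on top-level navigations with safe methods, and no attribute meaning the cookie is always sent, which was still the default at the time. It assumes a simplified two-label registrable domain (e.g. example.com) in place of the Public Suffix List a real browser consults.

```javascript
// Added example, not Chrome's own code. Models Chrome 51's SameSite cookie rules.
// Assumption: "site" is approximated as the last two host labels (eTLD+1 such as
// example.com); real browsers use the Public Suffix List instead.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Build a Set-Cookie header value carrying the SameSite attribute.
function buildSetCookie({ name, value, sameSite, secure = true, httpOnly = true }) {
  if (sameSite && !["Strict", "Lax"].includes(sameSite)) {
    throw new Error(`unsupported SameSite value: ${sameSite}`);
  }
  const parts = [`${name}=${value}`, "Path=/"];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Parse the SameSite attribute out of a Set-Cookie header (attribute names are
// case-insensitive). Returns null when absent: in Chrome 51 that meant "always send".
function parseSameSite(setCookie) {
  for (const attr of setCookie.split(";").slice(1)) {
    const [k, v] = attr.trim().split("=");
    if (k.toLowerCase() === "samesite") return v ? v.toLowerCase() : null;
  }
  return null;
}

// Registrable domain of a host (simplified eTLD+1 assumption, see above).
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// Decide whether a cookie with the given SameSite mode is attached to a request.
//   initiatorHost: host of the page that triggered the request
//   targetHost:    host the request is sent to
//   method:        HTTP method of the request
//   topLevel:      true for a navigation that changes the address bar (link, form submit)
function cookieIsSent({ sameSite, initiatorHost, targetHost, method, topLevel }) {
  const crossSite = site(initiatorHost) !== site(targetHost);
  if (!crossSite) return true;               // same-site: always attached
  if (sameSite === "strict") return false;   // Strict: never on cross-site requests
  if (sameSite === "lax") {                  // Lax: only top-level safe-method navigations
    return topLevel && SAFE_METHODS.has(method.toUpperCase());
  }
  return true;                               // no attribute: classic behaviour, CSRF-exposed
}
```

The cross-site POST case is the one that matters for CSRF: with either Strict or Lax the session cookie stays home, while a cookie without the attribute still rides along.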
Chrome 51 also includes 42 security fixes, of which Google chose to highlight the following:
- [$7500] High CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski.
- [$7500] High CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
- [$7500] High CVE-2016-1674: Cross-origin bypass in extensions. Credit to Mariusz Mlynski.
- [$7500] High CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
- [$7500] High CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu.
- [$4000] Medium CVE-2016-1677: Type confusion in V8. Credit to Guang Gong of Qihoo 360.
- [$3500] High CVE-2016-1678: Heap overflow in V8. Credit to Christoph Diehl.
- [$3500] High CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu.
- [$3000] High CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen of OUSPG.
- [$3000] High CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic of Cisco Talos.
- [$1000] Medium CVE-2016-1682: CSP bypass for ServiceWorker. Credit to kingstonmailbox.
- [$1000] Medium CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire.
- [$1000] Medium CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire.
- [$1000] Medium CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent’s Xuanwu LAB.
- [$1000] Medium CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent’s Xuanwu LAB.
- [$1000] Medium CVE-2016-1687: Information leak in extensions. Credit to Rob Wu.
- [$1000] Medium CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko.
- [$1000] Medium CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen of OUSPG.
- [$1000] Medium CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu.
- [$500] Low CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen of OUSPG.
- [$500] Low CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich.
- [$500] Low CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to jackwillzac.
- [$500] Low CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester.
- CVE-2016-1695: Various fixes from internal audits, fuzzing and other initiatives.
If you add all those up, you’ll see Google spent a massive $65,500 in bug bounties. The security fixes alone should be enough incentive for you to upgrade to Chrome 51.
Chrome 51 for Android and iOS are also on their way, but Google has not shared exactly when they will ship. Chrome 52 will arrive in early July.