Software Update: Google Chrome 46.0.2490.71

Google has released version 46 of its Chrome web browser. Google Chrome is available for Windows, Linux, and OS X. There are also versions for Android and iOS, but they follow a slightly different release schedule. Version 46 includes new new CSS animation features, improved performance controls and a large number of API tweaks. In addition, 24 security vulnerabilities have been fixed and various bug fixes have been implemented. The release notes for this release are as follows:

Animating objects along author specified paths
Previously, animating objects along an author-specified path required complex javascript code that could block important events like rendering and input. Developers can now animate any graphical object along an arbitrary path declaratively as a CSS propertyallowing simpler code that doesn’t block rendering or input.

Optimized image loading and service worker instrumentation
Tools like srcset allow developers to serve an optimized image variant in a responsive way, but it can be cumbersome and inefficient to use in practice. Developers can now negotiate with the server to download the best image variant for a device using straightforward HTTP request headers. These headers communicate DPR, Viewport-Widthand the intended display width of the resource being fetched to the server.

In addition to improving image loading, developers can now instrument service workers to gather detailed fetch and script timing. Developers can also measure the startup time of service workers more accurately.

Other updates in this release

• As part of Chrome’s ongoing efforts to ship features from the ES2015 specificationChrome now supports the spread operator and new.target.
• To prevent user annoyance and conserve power, Chrome will now defer playback or autoplay videos in background tabs until the first time the tab is foregrounded.
• Developers can now disable Chrome’s default scroll restoration behavior on history navigation when it interferes with the app’s user experience.
• Sites can specify origins that Chrome should preconnect to in order to improve performance.
• Sites launched from the home screen can now modify the default color of Chrome’s UI by specifying a theme color in their web manifest instead of a meta tag.
• Sites that have been added to the homescreen can now set a background color to show while resources load.
• Developers can now specify a URI for Chrome to report HTTP Public Key Pinning violations to, making man-in-the-middle attacks easier to find.
• Events generated by user action can be differentiated from events generated by script using Event.isTrusted()allowing developers to protect against fake clicks.
• Developers can now use css.escape()eliminating the need for complicated string escape code while handling user generated identifiers.
• Modal dialogs are now blocked by default in sandboxed iframespreventing embedded content from abusing APIs like alert.
• Sites can now set an iframe attribute that allows sandboxed content to launch unrestricted windows.
• As part of our continuing policy to remove powerful APIs on secure originsthe Cache API is now restricted to HTTPS.
• Cache.addAll() is now supported, removing the need for polyfills enabling bulk interactions with the cache.
• The Fetch API now supports Request.redirectallowing more control over redirects.
• DOMExceptions can now be constructed from scriptsmaking polyfills easier to build for specs that require exceptions.
• Timer-based polling is no longer necessary to use WebRTC DataChannels, making them more efficient and convenient.
• DevTools now has better tool tips and custom network profiles.
• Resource Timing extensions to the Performance interface are now available without prefixes.
• the CSS intrinsic sizing valueswhich allow boxes to fit their contents, are no longer prefixed.
• Request.context has been removed until the the spec has stabilized.

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 24 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.

• [519558] High CVE-2015-6755: Cross-origin bypass in Blink.
• [507316] High CVE-2015-6756: Use after free in PDFium.
• [529520] High CVE-2015-6757: Use after free in ServiceWorker.
• [522131] High CVE-2015-6758: Bad cast in PDFium.
• [514076] Medium CVE-2015-6759: Information leakage in LocalStorage.
• [519642] Medium CVE-2015-6760: Improper error handling in libANGLE.
• [447860 & 532967] Medium CVE-2015-6761: Memory corruption in FFMpeg.
• [512678] Low CVE-2015-6762: CORS bypass via CSS fonts.

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. The total value of additional rewards and their recipients will updated here when all reports have gone through the reward panel. As usual, our ongoing internal security work was responsible for a wide range of fixes:

• [542517] CVE-2015-6763: Various fixes from internal audits, fuzzing and other initiatives.
• Multiple vulnerabilities in V8 fixed at the tip of the 4.6 branch (currently 4.6.85.23).