Chrome 58 arrives with IndexedDB 2.0 and improvements to iframe navigation
Google has launched Chrome 58 for Windows, Mac, and Linux. Among the additions is support for the IndexedDB 2.0 standard and improvements to iframe navigation. You can update to the latest version now using the browser’s built-in silent updater, or download it directly from google.com/chrome.
Chrome is arguably more than a browser: With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.
Chrome 58 supports the IndexedDB 2.0 standard, which makes it easier to work with large data sets in the browser. Version 2.0 features new schema management, bulk action methods, and more standardized handling of failures. To simplify updates of a site’s database, object stores and indexes can now be renamed in-place after a refactoring; and for better performance, sites can use binary keys, which allow compact representations for custom keys. New methods include getKey() and openKeyCursor() for better performance when only a database key is needed, continuePrimaryKey() to divide large data access across transactions and page loads without worrying about duplicate primary keys, and getAll() and getAllKeys() for bulk recovery of entire datasets without the need for a cursor.
Chrome also now supports the new iframe sandbox keyword allow-top-navigation-by-user-activation. This keyword gives sandboxed iframes the ability to navigate the top-level page when triggered by user interaction, while still blocking auto-redirects. In this way, Chrome can still fight third-party content that automatically redirects the page while allowing developers to put third-party content inside sandboxed iframes.
Other developer features in this release include:
- Workers and SharedWorkers can now be created using data: URLs, making development with Workers more secure by giving them an opaque origin.
- PointerEvents.getCoalescedEvents() allows developers to access all input events since the last time a PointerEvent was delivered, making it easier for drawing apps to create smoother curves using a precise history of points.
- Developers can now customize Chrome’s native media controls such as the download, fullscreen and remoteplayback buttons using the new ControlsList API.
- On Chrome for Android, sites installed using the improved Add to Homescreen flow will be allowed to autoplay audio and video served from origins included in the manifest’s scope without restrictions.
- On Chrome for Android, videos using the autoplay attribute will be paused when offscreen and resumed when back in view to preserve consistency across browsers.
- Sites can now access the approximate range of colors supported by Chrome and output devices using the color-gamut Media Query.
- Instead of manually resetting multiple layout properties like float and clear, sites can now add a new block-formatting context using display: flow-root.
- Using removeRange(), a new Selection API function, developers can now programmatically remove a specified text Range.
- The PointerEvent.tangentialPressure and PointerEvent.twist attributes are now supported on Chrome for Mac to provide more information to stylus devices and painting apps.
- The WebAudio API’s new playback AudioContextLatencyCategory enables the developer to easily make conscious tradeoffs between latency, power, and CPU efficiency.
If you prefer a visual rundown, here’s the video version (note that there are also features specific to Chrome 58 for Android, which isn’t out just yet):
Chrome 58 also implements 29 security fixes. The following ones were found by external researchers:
- [$3000] High CVE-2017-5057: Type confusion in PDFium. Credit to Guang Gong of Alpha Team, Qihoo 360
- [$2000] High CVE-2017-5058: Heap use after free in Print Preview. Credit to Khalil Zhani
- [$N/A] High CVE-2017-5059: Type confusion in Blink. Credit to SkyLined working with Trend Micro’s Zero Day Initiative
- [$2000] Medium CVE-2017-5060: URL spoofing in Omnibox. Credit to Xudong Zheng
- [$2000] Medium CVE-2017-5061: URL spoofing in Omnibox. Credit to Haosheng Wang (@gnehsoah)
- [$1500] Medium CVE-2017-5062: Use after free in Chrome Apps. Credit to anonymous
- [$1000] Medium CVE-2017-5063: Heap overflow in Skia. Credit to Sweetchip
- [$1000] Medium CVE-2017-5064: Use after free in Blink. Credit to Wadih Matar
- [$500] Medium CVE-2017-5065: Incorrect UI in Blink. Credit to Khalil Zhani
- [$500] Medium CVE-2017-5066: Incorrect signature handing in Networking. Credit to chenchu
- [$500] Medium CVE-2017-5067: URL spoofing in Omnibox. Credit to Khalil Zhani
- [$N/A] Low CVE-2017-5069: Cross-origin bypass in Blink. Credit to Michael Reizelman
-  Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $14,000 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
Google releases a new version of its browser every six weeks or so. Chrome 59 will arrive by end of June.