Releases: paragonie/csp-builder
Version 3.0.1
- #77 - prevent duplicate policies
- Updated dependencies
Version 3.0.0
What's Changed
- PHP <7.4 is not supported in this new major version!
- The changes in #70 created a dependency conflict with PHP <7.4.
- Add a CSP header parser (CSPBuilder::fromHeader) by @fritzmg in #74
- Un-deprecate frame-src by @fritzmg in #76
- Generate nonce also when only default-src policy is applied by @fritzmg in #65
- Add PoC of report-to header by @Firesphere in #70
Full Changelog: v2.9.0...v3.0.0
Version 2.9.0
What's Changed
- Add support for psr/http-message v2 by @internalsystemerror in #73
- Fix support for script-src-{elem|attr}, add support for style-src-{elem|attr} by @internalsystemerror in #71
New Contributors
- @internalsystemerror made their first contribution in #73
Full Changelog: v2.8.1...v2.9.0
Version 2.8.1
What's Changed
- Add 'url' type value for report-uri by @danieltott in #61
- Fix plugin-types generation by @fritzmg in #69
- report-uri should not be encoded at all by @Firesphere in #64
- Ignore PHPUnit result cache by @fritzmg in #67
- Allow 'unsafe-hashed-attributes' to be set by @fritzmg in #68
- Remove trailing semicolon by @fritzmg in #66
New Contributors
- @danieltott made their first contribution in #61
- @fritzmg made their first contribution in #69
- @Firesphere made their first contribution in #64
Full Changelog: v2.8.0...v2.8.1
Version 2.8.0
Prevent semicolon or CRLF injection. See 1a1a85f for details.
CSP-Builder is a developer tool. It is not meant to be used with user input.
However, the ability to inject CSP directives or additional headers violates the principle of least astonishment.
This was reported via user demonia on HackerOne.
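To illustrate the class of bug this release closes, here is an added example (not csp-builder's own code; the function names are hypothetical) showing how a source value containing a semicolon or CR/LF could terminate the directive or the header line, and a check that rejects such values before the header is assembled:

```php
<?php
declare(strict_types=1);
// Added illustration, not csp-builder's own code; function names are
// hypothetical. Rejects source values that could end a directive or header.

/**
 * True if $value can be embedded as one CSP source expression: it must not
 * contain ';' (ends the directive), CR/LF (ends the header line) or NUL.
 */
function isSafeCspSource(string $value): bool
{
    return preg_match('/[;\r\n\x00]/', $value) !== 1;
}

/**
 * Assemble a Content-Security-Policy header value from a directive map,
 * refusing any directive name or source value that fails validation.
 *
 * @param array<string, string[]> $policy e.g. ['default-src' => ["'self'"]]
 */
function buildCspHeader(array $policy): string
{
    $directives = [];
    foreach ($policy as $name => $sources) {
        if (preg_match('/^[a-z][a-z-]*$/', $name) !== 1) {
            throw new InvalidArgumentException("Invalid directive name: {$name}");
        }
        foreach ($sources as $src) {
            if (!isSafeCspSource($src)) {
                throw new InvalidArgumentException("Unsafe source in {$name}");
            }
        }
        $directives[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $directives);
}

// Constructed sample: unfiltered, this single value would append a second
// directive and then start a new header line after the CSP header.
$bad = "https://cdn.example; script-src *\r\nX-Injected: 1";

echo buildCspHeader(['default-src' => ["'self'"], 'img-src' => ['https://cdn.example']]), PHP_EOL;

try {
    buildCspHeader(['img-src' => [$bad]]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The first call emits a normal two-directive header; the second throws instead of emitting a header that would carry an extra directive and a forged response header.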
Version 2.7.0
- CI: Build/test on PHP 8.2
- Add support for "unsafe-hashes" directive
Version 2.6.0
Version 2.5.0
- Consistently invalidate the compiled CSP cache.
- Update PHPUnit, etc.
- Dropped support for PHP 7.0. You can continue to install 2.4.0, but we will not be backporting patches into the old version. PHP 7.0 is EOL, please upgrade to 7.4 or newer.
Version 2.4.0
- #42 - In Chrome 76, this library's behavior with report-to does not work. Specifically, you cannot pass a URL as a report-to directive or Chrome will never send CSP reports, even if there is also a report-uri fallback. @iangcarroll provided a pull request that fixes this behavior.
Version 2.3.0
- #21 - Add always clause to nginx header. Thanks @alainwolf
- #17 - Add support for blob:, filesystem:, and data: URIs.
- Added CSPBuilder::fromArray() because its absence seemed confusing if you're not familiar with the constructor.
- Minor documentation improvements. Not nearly enough to close #18, though.