Skip to content

v0.10.1 — fixes, hardening, and performance

Choose a tag to compare

@jakemgold jakemgold released this 05 Jul 22:51

A bug-fix, hardening, and performance release on the 0.10 line. No new features.

Fixes

  • Dark-mode contrast on the popup Log Out item now meets WCAG AA (#52).
  • Consistent spacing above the first item in the New Content and Developer Tools popup sections (#50).
  • The block-comment parser no longer hangs the tab on crafted post content (catastrophic regex backtracking). The pattern was de-ambiguated and the input bounded.
  • The popup no longer reports a definitive "Not a WordPress site" when it opens during a first-visit page load. It waits for detection to resolve.
  • The Edit action now reflects admin-bar data merged after a background re-fetch (a stale-memoization bug left it out of date).

Security and hardening

  • The background worker trusts the browser-reported sender origin, not values from the message body, when writing the detection cache and My Sites.
  • Background messages that only the popup should send are rejected from page contexts, and a content script can read only its own origin from the cache.
  • My Sites validates stored site and icon URLs, and drops oversized or non-http(s) values.
  • URLs taken from site data (View and Preview links, plugin homepage links, REST IDs and bases) are checked before use.
  • Site requests time out, and the popup caps how much of a fallback response it reads.
  • The Safari native-message handler now defaults closed, replacing the Xcode template's echo stub.

Performance

  • The detection cache moved from a single blob to one storage key per origin, so a page load reads and writes only its own site's entry instead of the entire browsing history, and the document_start admin-bar check reads a single key.
  • The popup requests live and cached detection in parallel for faster first paint.
  • The REST nonce is resolved once per popup open and shared across consumers. Per-page preference reads were consolidated into a single read.

Maintenance

  • Duplicated logic consolidated: the nonce scanner, the admin-bar hide CSS, and the edit-URL resolver reused by the keyboard shortcut.
  • Dead code removed: an unused host-name script load in the popup, the Safari echo handler, and unreferenced localization strings.
  • "Clear all data" on the options page now clears all extension storage rather than a hand-maintained key list.
  • The test suite loads the block inspector and covers the block-comment parser, including a regression for the hang above. Smoke scenarios were renumbered.

Upgrade note: this release changes the detection cache format and discards the previous cache on upgrade. It rebuilds automatically as sites are visited. My Sites entries and preferences are unaffected.

Install

  • Chrome / Chromium: unzip wordpress-browser-extension-0.10.1-chrome.zip and load it unpacked at chrome://extensions.
  • Safari (macOS): unzip wordpress-browser-extension-0.10.1-safari.zip and move the app to Applications. It is ad-hoc signed, so Gatekeeper shows a warning on first launch. See SAFARI.md.