v0.10.1 — fixes, hardening, and performance
A bug-fix, hardening, and performance release on the 0.10 line. No new features.
Fixes
- Dark-mode contrast on the popup Log Out item now meets WCAG AA (#52).
- Consistent spacing above the first item in the New Content and Developer Tools popup sections (#50).
- The block-comment parser no longer hangs the tab on crafted post content (catastrophic regex backtracking). The pattern was de-ambiguated and the input bounded.
- The popup no longer reports a definitive "Not a WordPress site" when it opens during a first-visit page load. It waits for detection to resolve.
- The Edit action now reflects admin-bar data merged after a background re-fetch (a stale-memoization bug left it out of date).
Security and hardening
- The background worker trusts the browser-reported sender origin, not values from the message body, when writing the detection cache and My Sites.
- Background messages that only the popup should send are rejected from page contexts, and a content script can read only its own origin from the cache.
- My Sites validates stored site and icon URLs, and drops oversized or non-http(s) values.
- URLs taken from site data (View and Preview links, plugin homepage links, REST IDs and bases) are checked before use.
- Site requests time out, and the popup caps how much of a fallback response it reads.
- The Safari native-message handler now defaults closed, replacing the Xcode template's echo stub.
Performance
- The detection cache moved from a single blob to one storage key per origin, so a page load reads and writes only its own site's entry instead of the entire browsing history, and the document_start admin-bar check reads a single key.
- The popup requests live and cached detection in parallel for faster first paint.
- The REST nonce is resolved once per popup open and shared across consumers. Per-page preference reads were consolidated into a single read.
Maintenance
- Duplicated logic consolidated: the nonce scanner, the admin-bar hide CSS, and the edit-URL resolver reused by the keyboard shortcut.
- Dead code removed: an unused host-name script load in the popup, the Safari echo handler, and unreferenced localization strings.
- "Clear all data" on the options page now clears all extension storage rather than a hand-maintained key list.
- The test suite loads the block inspector and covers the block-comment parser, including a regression for the hang above. Smoke scenarios were renumbered.
Upgrade note: this release changes the detection cache format and discards the previous cache on upgrade. It rebuilds automatically as sites are visited. My Sites entries and preferences are unaffected.
Install
- Chrome / Chromium: unzip
wordpress-browser-extension-0.10.1-chrome.zipand load it unpacked atchrome://extensions. - Safari (macOS): unzip
wordpress-browser-extension-0.10.1-safari.zipand move the app to Applications. It is ad-hoc signed, so Gatekeeper shows a warning on first launch. See SAFARI.md.