1.3.0
Security Fixes
If you are using Astro-Shield 1.2.0, you should upgrade to 1.3.0.
This release introduces mitigations for risks that were accidentally introduced in the previous release with the new CSP header generation for SSR content.
- It is now mandatory to explicitly allow-list any cross-origin resource that might be loaded from dynamically generated pages. This is necessary because an SSR page may contain scripts or stylesheets injected by an attacker, and without an allow-list Astro-Shield could compute SRI hashes (and CSP hash sources) for them, effectively "signing" the injected content so that it passes the policy.
- It is now also possible to disable SRI hash generation for inline scripts and stylesheets. They are still allowed by default (the default may change in a future release, but we did not want to introduce too many disruptive changes at once). The reason to disallow inline scripts in SSR content is the same as in the previous point: to protect the site against potential injections.
Other Changes
- We introduced a new way to define the SRI configuration, while keeping the old one for now (it emits warnings about its future deprecation).
Autogenerated Changelog
Full Changelog: 1.2.0...1.3.0