v1.10.2

@sokra sokra released this 22 Apr 10:01
· 1255 commits to master since this release

Security fix:

This version contains a security fix, which is also a breaking change if you have an insecure configuration.
We are releasing this breaking change as a patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.

We removed setting Access-Control-Allow-Origin to * by default. This default allowed evil websites to access your assets.
Instead we ask you to set Access-Control-Allow-Origin manually to your host if required in your setup.
Use the headers option to do so.

middleware(compiler, {
    headers: {
        "Access-Control-Allow-Origin": "your-host"
    }
})

Read more about CORS here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
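
When more than one origin needs the assets, a single static header value cannot cover them. The following is an added example, not code from this project: it echoes the request's Origin only on an exact allowlist match and flags a `headers` option that brings the wildcard back. `ALLOWED_ORIGINS`, `corsHeadersFor`, `devCors` and `hasWildcardOrigin` are hypothetical names, and it assumes a Connect/Express-style stack with `devCors` mounted ahead of the dev middleware.

```javascript
// Constructed allowlist: the exact origins (scheme://host:port) that may
// read assets from the dev server.
const ALLOWED_ORIGINS = new Set([
  "http://localhost:3000",
  "http://app.test:8080",
]);

// Decide the CORS headers for one request. Exact string match only, so "*",
// "null" and look-alikes such as "http://localhost:3000.evil.test" never pass.
function corsHeadersFor(requestOrigin, allowed) {
  const headers = { Vary: "Origin" }; // caches must key on the Origin header
  if (typeof requestOrigin === "string" && allowed.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Connect/Express-style middleware (hypothetical helper). Assumption: it is
// mounted before the dev middleware and the `headers` option does not set
// Access-Control-Allow-Origin itself.
function devCors(allowed) {
  return function (req, res, next) {
    const headers = corsHeadersFor(req.headers.origin, allowed);
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    next();
  };
}

// Flag a `headers` option that re-introduces the removed wildcard default.
// Header names are case-insensitive, so compare them in lower case.
function hasWildcardOrigin(headersOption) {
  return Object.entries(headersOption || {}).some(
    ([name, value]) =>
      name.toLowerCase() === "access-control-allow-origin" &&
      String(value).trim() === "*"
  );
}
```
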

Bugfixes:

  • Remove Access-Control-Allow-Origin = * default