Releases: shapesecurity/salvation
Version 3.0.0
NOTE: This release is a breaking change and is therefore under a new package name, com.shapesecurity.salvation2.
Version 2.7.1
Version 2.7.0
- Introduce
-- script-src-elem, script-src-attr
-- style-src-elem, style-src-attr
- Adopt renaming 'unsafe-hashed-attributes' to 'unsafe-hashes'
- Improvements around policy optimisation
- Bug fix around union merging
Version 2.6.0
- Incorrect behavior when union merging policies that don't contain fetch directives (#210)
- Add linting
Version 2.5.0
Version 2.4.0
Version 2.3.0
- Allow "*" to match scheme of protected resource (#157)
- Support for 'strict-dynamic' (#162)
- Allow secure variant of scheme when only insecure is given (#91)
- Refactor path-part matching algorithm to strictly follow latest specification (#166)
- Refactor host-part matching algorithm to strictly follow latest specification (#168)
- Rephrase messages about side-effects of unsafe-dynamic and unsafe-inline, change level from Warn to Info (#170)
- Warn about deprecation of referrer directive (#173)
- Support worker-src directive, reflect specification changes around worker-src and frame-src (#147)
- Support for 'unsafe-hashed-attributes' (#150)
Salvation 2.2.0
Salvation 2.1.0
- The source expression matching has been changed to require explicit whitelisting of any non-network scheme, rather than local scheme, as described here - #129
- Remove "'unsafe-inline'" if source-list contains both "'unsafe-inline'" and hash-source or nonce-source - #130
- Warn about disabled "'unsafe-inline'" in a source list containing hash-source or nonce-source - #130
- Do not assume that empty policy is equivalent to default-src * - #135
- Better base64-value validation errors - #139
- postprocessOptimisation() - #138