Releases: wikimedia/wikimedia-wordpress-security-plugin

v1.1.1

29 May 16:50
f457a92

What's Changed

  • Fix issue where "self" was removed from connect-src CSP directive in 1.1.0 by @kadamwhite in #18

v1.1.0

09 May 14:05
0b7c9ca

What's Changed

  • 1.1.0 updates by @kadamwhite in #17
    • Fix a typo in the README sample code which prevented it from working out of the box
    • Fix a bug where a colon would be stripped out of URLs containing ports (fixes WIKI-965)
    • Allow injection of valid keyword source strings like 'strict-dynamic' using this plugin
    • Allow configuration of worker-src directives using this plugin
    • Permit blob: URLs for use in worker-src directive (supports Report plugin)
    • Remove web-project-specific environment URLs (fixes #13)
    • Alter how 'self' directive is added to the directive array to permit it to be filtered later if needed
    • Only allow insecure http: and ws: schemes in local environments
    • Set object-src 'none' as recommended by MDN
    • Allow *.wikimedia.org in connect-src by default to permit first-party instrumentation

Full Changelog: v1.0.0...v1.1.0

v1.0: Initial release

09 May 14:02
f7c046c

What's Changed

  • Port initial security logic from Foundation site and Shiro theme
  • Improve CSP generation logic to streamline exceptions by @kadamwhite in #7
  • Enable CSP module and fix logical errors in CSP generation by @kadamwhite in #8
  • Implement REST API access control within security plugin by @kadamwhite in #9
  • Bundle disable emojis plugin by @kadamwhite in #10
  • Permit opting a site in to unsafe-eval when necessary by @kadamwhite in #11
  • Document public_endpoint REST filter by @kadamwhite in #12

Full Changelog: https://github.com/wikimedia/wikimedia-wordpress-security-plugin/commits/v1.0.0