Chore/1.0.0 #317
fix(csrf): replace CSRF option `false` with `boolean`
feat(doc): extend FAQ with Prismic
Do you have any objections regarding releasing 1.0.0 tomorrow? If you give a 🟢 I think we could proceed with releasing and giving users a stable 1.0.0 to work with :)
@Baroshem We have 2 reported regressions, let me fix these first as they were introduced by me on rc5
fix(chore): hidePoweredBy error
Let me know if there is a 🟢 light from you :)
fix: csp false in rc5 removes custom csp header
I have tested all steps. Everything is fine from my side. Do you think we should release a version today or should we wait until the next week? :)
Hi @Baroshem Suppose someone has defined headers using traditional Nuxt route rules syntax:

```ts
routeRules: {
  'some-route': {
    headers: {
      'Strict-Transport-Security': 'max-age=123456'
    }
  }
}
```

Presumably the user wants STS applied to all assets. But the fix I implemented in PR #322 was deleting this rule from the nitro config object. This worked well for HTML pages but not for other assets. I did not like the idea of modifying the route rules directly in the nitro config, so instead here I'm not deleting the rules anymore. I think it is cleaner, and it covers the edge case above. To give you some background on why I am making this change:
However as evidenced in #321, the removal was too intrusive.
It's a bit of an unlikely case, because it means that somebody has simultaneously defined the same header in 3 different places, with 3 different settings: in the native With #323 I'm reverting to the simpler logic of rc.5 which I think is cleaner because it is based on not touching the native I think we can release now, let me know
Thanks for this additional research from your side and solving the edge case! Let's merge this PR and test it next week. I think we can postpone the release to next week (for example Wednesday) to see if there will be more bugfixes reported over the weekend.
improve implementation and add tests
Documentation typo change from route roules to route rules
I have tested all my paths and this seems to be working well. There is one small bug that I will open that we can fix for the 1.0.1 version, which is that frame-ancestors in SSG is ignored, so we could programmatically remove it from the meta tag. So it is some sort of a feature/bugfix. Let me know if we have a 🟢 light from you and if so I will proceed with the release :)
Yes, let’s release !!!
Huge kudos to you @vejja 🚀 You are doing amazing work making this module more secure than ever! So happy to have you as a maintainer and core part of the module 💚
Types of changes
Description
Checklist: