Releases: facebookincubator/meta-code-verify
Releases · facebookincubator/meta-code-verify
v4.1.0
What's Changed
- When checking CSP ensure other whitespace characters are accounted for by @ezzak in #348
- bump form-data to 4.0.4 by @m-lyons in #349
- Update getCFRootHash.ts to new hostname by @ThePlexus in #350
- Add history tracking storage functionality for violation by @ezzak in #351
- Remove manifest timeout by @ezzak in #352
- Rewrite UI with Web Components by @ezzak in #353
- More effectively handle sourceURL comments by @ezzak in #354
- Create a new Violation panel listing out details of past/current violations by @ezzak in #355
- Fix menu UI by @ezzak in #356
- Add link from Violations state to Violations page by @ezzak in #357
- Fix multiple issues relating to async/await by @ezzak in #358
- Enable downloads on all browser by @ezzak in #359
Full Changelog: v4.0.0...v4.1.0
Contributors
m-lyons, ezzak, and ThePlexus
Assets 2
v4.0.0
v3.7.0
What's Changed
- Capture dubious CSS by @ezzak in #332
- X-Content-Type-Options header detection is now case insensitive #334 by @AadarshSree in #335
Full Changelog: v3.6.0...v3.7.0
Contributors
AadarshSree and ezzak
Assets 2
v3.6.0
What's Changed
- Remove codepaths supporting old Whatsapp site by @ezzak in #323
- Improve manifest data attribute check to ensure both version/type are set by @ezzak in #324
- Delete old manifest checks by @ezzak in #325
- Fix an error that was being caused by a bad icon reference by @ezzak in #326
- Enable validation of service workers by @aselbie in #328
Full Changelog: v3.5.0...v3.6.0
Contributors
aselbie and ezzak
Assets 2
v3.5.0
- Added Safari support!
- Improved Whatsapp checks
- Addressed a vulnerability with scripts claiming to belong to a manifest that hasn't been loaded yet
- Fixed popup flickering on chrome, fixed visuals of close buttons, cleaned up unused assets and unified icons
- Cleared a warning in builds
v3.4.0
- Fixed UI bug in download JS popup
- Added a link to download full release JS
- Added support for
webRequestimplementations that return multiple comma separated CSPs within one CSP header - Fixed a bug in chrome surrounding frameID attribution when prerendering pages by the browser
- Improved security around worker CSP checks
- Added support for modern WA
v3.3.0
Features
- The extension now enforces that the page's content security policy does not allow execution of inline code.
- Improved parsing of content security policies to better match browser implementations: mixed-case values, partially invalid CSPs, and duplicate directives are all now handled correctly.
- The extension is now using TypeScript's strict mode.
Bug Fixes
- Fixed an issue where a bug in Chromium was causing an incorrect invalidation on the first load of the page.
- Fixed an issue where a script with no content at the time of parsing could incorrectly invalidate the page.
- Updated the list of known extensions to remove an incorrect entry.
v3.2.1
- Added in checks to tighten security and coverage in WebWorker contexts
- Fixed a bug where extensions files were being mistaken for Worker scripts
- Ensured extension can go from a "Warning" to "Invalid" state when violating code is detected while in a "Warning" state
- Fixed a bug where certain background scripts would not be correctly attributed to the correct manifest type
- [FB/MSGR/IG] Added in stricter checks to ensure every executable
scripttag has a validdata-btmanifestdata attribute