Releases: facebookincubator/meta-code-verify
v4.0.0
v3.7.0
What's Changed
- Capture dubious CSS by @ezzak in #332
- X-Content-Type-Options header detection is now case insensitive #334 by @AadarshSree in #335
Full Changelog: v3.6.0...v3.7.0
v3.6.0
What's Changed
- Remove codepaths supporting old Whatsapp site by @ezzak in #323
- Improve manifest data attribute check to ensure both version/type are set by @ezzak in #324
- Delete old manifest checks by @ezzak in #325
- Fix an error that was being caused by a bad icon reference by @ezzak in #326
- Enable validation of service workers by @aselbie in #328
Full Changelog: v3.5.0...v3.6.0
v3.5.0
- Added Safari support!
- Improved WhatsApp checks
- Addressed a vulnerability with scripts claiming to belong to a manifest that hasn't been loaded yet
- Fixed popup flickering on Chrome, fixed visuals of close buttons, cleaned up unused assets and unified icons
- Cleared a warning in builds
v3.4.0
- Fixed UI bug in download JS popup
- Added a link to download full release JS
- Added support for `webRequest` implementations that return multiple comma-separated CSPs within one CSP header
- Fixed a bug in Chrome surrounding frameID attribution when prerendering pages by the browser
- Improved security around worker CSP checks
- Added support for modern WA
v3.3.0
Features
- The extension now enforces that the page's content security policy does not allow execution of inline code.
- Improved parsing of content security policies to better match browser implementations: mixed-case values, partially invalid CSPs, and duplicate directives are all now handled correctly.
- The extension is now using TypeScript's strict mode.
Bug Fixes
- Fixed an issue where a bug in Chromium was causing an incorrect invalidation on the first load of the page.
- Fixed an issue where a script with no content at the time of parsing could incorrectly invalidate the page.
- Updated the list of known extensions to remove an incorrect entry.
v3.2.1
- Added in checks to tighten security and coverage in WebWorker contexts
- Fixed a bug where extension files were being mistaken for Worker scripts
- Ensured extension can go from a "Warning" to "Invalid" state when violating code is detected while in a "Warning" state
- Fixed a bug where certain background scripts would not be attributed to the correct manifest type
- [FB/MSGR/IG] Added in stricter checks to ensure every executable `script` tag has a valid `data-btmanifest` data attribute