github emdash-cms/emdash @emdash-cms/cloudflare@0.7.0
on GitHub

latest releases: @emdash-cms/blocks@0.7.0, @emdash-cms/plugin-embeds@0.1.7, create-emdash@0.7.0...
10 hours ago

Patch Changes

  • #740 63509e1 Thanks @ascorbic! - Sandboxed plugin HTTP requests now follow redirects manually and re-validate the destination at every hop. The allowedHosts list is checked on each redirect target (not just the initial URL), so an allowed host that 302s to a disallowed one no longer bypasses the scope. Credential headers (Authorization, Cookie, Proxy-Authorization) are stripped on cross-origin redirects. network:fetch:any and allowedHosts: ["*"] now still reject literal private IPs, cloud-metadata addresses, and known internal hostnames — the allowlist scopes which public hosts a plugin may reach, not whether SSRF protection applies. Non-http(s) URL schemes are rejected. Caps redirect chains at 5 hops.

  • Updated dependencies [8ebdf1a, 7186961, e9ecec2, e3e18aa, fae63bd, 30d8fe0, d4a95bf, a31db7d, adb118c, 080a4f1, 81fe93b, c26442b]:

    • emdash@0.7.0
Check out latest releases or
releases around emdash-cms/emdash @emdash-cms/cloudflare@0.7.0

Don't miss a new emdash release

NewReleases is sending notifications on new releases.

Get notifications