common

| Commit | Description |
|---|---|
| add upper bounds for digitsInfo | |
| sanitize placeholder | |

compiler

| Commit | Description |
|---|---|
| normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925) | |
| prevent namespaced SVG `<style>` elements from being stripped | |
| sanitize dynamic href and xlink:href bindings on SVG a elements (#68925) | |
| strip namespaced SVG script elements during template compilation (#68925) | |

core

| Commit | Description |
|---|---|
| normalize tag names in runtime i18n attribute security context lookup (#68925) | |
| sanitize meta selectors | |
| support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925) | |
| synchronize core sanitization schema with compiler (#68925) | |

http

| Commit | Description |
|---|---|
| exclude withCredentials requests from transfer cache | |
| skip TransferCache for cookie-bearing requests by default | |

platform-server

| Commit | Description |
|---|---|
| prevent SSRF bypasses via backslash URLs in HttpClient | |
| secure location and document initialization against SSRF and path hijack | |

service-worker

| Commit | Description |
|---|---|
| Preserves explicit 'credentials: omit' in asset requests | |
| Preserves HTTP cache mode in asset group requests | |