common
| Commit | Description |
|---|---|
| add upper bounds for digitsInfo | |
| sanitize placeholder | |

compiler
| Commit | Description |
|---|---|
| normalize tag names with custom namespaces in DomElementSchemaRegistry (#68926) | |
| sanitize dynamic href and xlink:href bindings on SVG a elements (#68926) | |
| strip namespaced SVG script elements during template compilation (#68926) | |

core
| Commit | Description |
|---|---|
| normalize tag names in runtime i18n attribute security context lookup (#68926) | |
| reject script element as a dynamic component host (#68926) | |
| sanitize meta selectors | |
| support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68926) | |
| synchronize core sanitization schema with compiler (#68926) | |

http
| Commit | Description |
|---|---|
| exclude withCredentials requests from transfer cache | |
| skip TransferCache for cookie-bearing requests by default | |

platform-server
| Commit | Description |
|---|---|
| secure location and document initialization against SSRF and path hijack | |

service-worker
| Commit | Description |
|---|---|
| preserve redirect policy on reconstructed asset requests | |
| Preserves explicit 'credentials: omit' in asset requests | |
| Preserves HTTP cache mode in asset group requests | |