v3.7.0

What's Changed

• Capture dubious CSS by @ezzak in #332
• X-Content-Type-Options header detection is now case insensitive #334 by @AadarshSree in #335

Full Changelog: v3.6.0...v3.7.0

v3.6.0

What's Changed

• Remove codepaths supporting old Whatsapp site by @ezzak in #323
• Improve manifest data attribute check to ensure both version/type are set by @ezzak in #324
• Delete old manifest checks by @ezzak in #325
• Fix an error that was being caused by a bad icon reference by @ezzak in #326
• Enable validation of service workers by @aselbie in #328

Full Changelog: v3.5.0...v3.6.0

v3.5.0

• Added Safari support!
• Improved Whatsapp checks
• Addressed a vulnerability with scripts claiming to belong to a manifest that hasn't been loaded yet
• Fixed popup flickering on chrome, fixed visuals of close buttons, cleaned up unused assets and unified icons
• Cleared a warning in builds

v3.4.0

• Fixed UI bug in download JS popup
• Added a link to download full release JS
• Added support for webRequest implementations that return multiple comma separated CSPs within one CSP header
• Fixed a bug in chrome surrounding frameID attribution when prerendering pages by the browser
• Improved security around worker CSP checks
• Added support for modern WA

v3.3.0

Features

• The extension now enforces that the page's content security policy does not allow execution of inline code.
• Improved parsing of content security policies to better match browser implementations: mixed-case values, partially invalid CSPs, and duplicate directives are all now handled correctly.
• The extension is now using TypeScript's strict mode.

Bug Fixes

• Fixed an issue where a bug in Chromium was causing an incorrect invalidation on the first load of the page.
• Fixed an issue where a script with no content at the time of parsing could incorrectly invalidate the page.
• Updated the list of known extensions to remove an incorrect entry.

v3.2.1

• Added in checks to tighten security and coverage in WebWorker contexts
• Fixed a bug where extensions files were being mistaken for Worker scripts
• Ensured extension can go from a "Warning" to "Invalid" state when violating code is detected while in a "Warning" state
• Fixed a bug where certain background scripts would not be correctly attributed to the correct manifest type
• [FB/MSGR/IG] Added in stricter checks to ensure every executable script tag has a valid data-btmanifest data attribute

v3.1.2

• Upgrades to misc third party dependencies to fix potential vulnerabilities
• Fix bug in cloudflare dependency
• Fix bug in logged out frames nested in logged in documents across origins

v3.1.0

• Code coverage improvements

v3.0.0

• Instagram.com support
• Security fixes
• Improvements to CSP and caching checks
• Misc. fixes/improvements

v2.1.1

Improved CSP coverage