govCMS / GovCMS7

Current stable release of the main Drupal 7 GovCMS distribution, with releases mirrored at https://www.drupal.org/project/govcms
https://www.govcms.gov.au/
GNU General Public License v2.0

[GOVCMSD7-138] Update seckit 7.x-1.10 (from 7.x-1.9) #833

Closed suhyeonh closed 5 years ago

suhyeonh commented 5 years ago

https://www.drupal.org/project/seckit/releases/7.x-1.10

Release notes

7.x-1.10 full release. This is identical to 7.x-1.10-rc1.

2480527: Migrate to a better CSP report URL changes the (default) destination URL advertised for CSP reports -- from /admin/config/system/seckit/csp-report to /report-csp-violation

This setting will be updated for all sites using the old default URL. Sites which have configured a different/custom URL will not be affected.

Anyone who previously needed to make special server-side provisions for allowing incoming CSP reports to the deprecated URL may therefore need to update them accordingly.

The deprecated URL will continue to work as an alternative, so reports generated from cached pages will still be processed. It will be removed in some future release, but will remain in place for the medium term (a minimum of 1 year and 2 releases).

Other changes since 7.x-1.9:

2959208 by mcdruid, jweowu: Rework seckit_update_7107 variable cleanup

3000696 by keithdoyle9, mcdruid: X-FRAME-OPTIONS header syntax should be all caps (D7)

2959208 by mcdruid: Remove X-Content-Type-Options as core now emits that header

2656292 by progga, mcdruid, svenryen: Absolute URL for report-uri

2613426 by mcdruid, milodesc, jweowu: Trim whitelisted CSRF origins before checking against origin

2675922 by jweowu, mcdruid: tweak to de-uglify a variable name

2925376 by wrd, mcdruid, lamp5, adammalone: Add support for Referrer-Policy header

2675922 by joekers, mkhamash, benjaminbradley, ronaldmulero: frame-ancestors in Content Security Policy

2962380 by jochemh, mcdruid, nironan: Add support for the Expect-CT header (D7 backport)

2845923 by AndyF, bonus, mcdruid: Origin header is incorrectly verified for sites in subdirectories.

Don't process violation reports if the CSP feature is disabled

Don't read more than max_len bytes of a CSP report when enforcing limits

2779169 by billdacat10, jweowu: Allow-From headers are incorrect

2661644 by David_Rothstein: Integrate with upcoming Drupal core clickjacking defense

Provide limits and flood control for CSP violation reports

2689277 by milodesc, jweowu: Add ability to configure the child-src CSP directive

2687955 by milodesc, lanetterm: Field for Cross Site Forgery origin whitelist is too small

2668376 by milodesc, jweowu: Differentiate X-XSS-Protection header values "1" and "1; mode=block"

2676706 by akashjain132: Missing string translations

2281315 by stefan.r, jweowu, vinmassaro: Option to disable autocompletion on user login/registration forms

2480527 by jweowu, khaldoon_masud: Migrate to a better CSP report URL

2626230 by rooby: Invalid origin watchdog log doesn't happen if access denied callback exits

2657346 by leymannx, milodesc: Remove h1 heading from noscript message

2668642 by milodesc, jweowu: Link to sirdarckcat on admin screen is broken

2658954 by Novitsh, milodesc: Typo issue in description

2305275 by dbcollies: SimpleTest tests fail for CSP and JS-CSS tests

2406075: Document why multi-value Origins are ignored

2534660 by coltrane, jweowu: Support the HSTS Preload directive

Tidy-ups for HSTS code. Collapse settings form fieldsets by default when those options are disabled. Reformatting form field descriptions. Better declaration and merging of default options.
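Several of the items above concern the CSP violation-report endpoint: the default report URL moves to /report-csp-violation while the old /admin/config/system/seckit/csp-report path keeps working, reports are dropped when the CSP feature is off, no more than max_len bytes of a report are read, and there is flood control. The following Python model is an added illustration of those behaviours, not seckit's code and not part of the release notes. The status codes, the limits, the per-client flood policy, and the sample report are constructed assumptions chosen for the demonstration.

```python
import io
import json
from collections import defaultdict, deque

# Paths named in the release notes: the new default, plus the deprecated one,
# which must keep working because cached pages may still advertise it.
NEW_REPORT_PATH = "/report-csp-violation"
DEPRECATED_REPORT_PATH = "/admin/config/system/seckit/csp-report"
ACCEPTED_PATHS = (NEW_REPORT_PATH, DEPRECATED_REPORT_PATH)


class CspReportReceiver:
    """Hypothetical receiver. Status codes, limits and the flood policy are
    assumptions for illustration, not seckit's actual values."""

    def __init__(self, csp_enabled=True, max_len=4096,
                 flood_limit=10, flood_window=60):
        self.csp_enabled = csp_enabled
        self.max_len = max_len            # bytes of report body we will read
        self.flood_limit = flood_limit    # POSTs per client per window
        self.flood_window = flood_window  # window length in seconds
        self._hits = defaultdict(deque)   # client -> timestamps of counted POSTs
        self.stored = []                  # parsed reports we kept

    def _flooded(self, client, now):
        """Sliding-window counter per client; counts the request if allowed."""
        q = self._hits[client]
        while q and now - q[0] >= self.flood_window:
            q.popleft()
        if len(q) >= self.flood_limit:
            return True
        q.append(now)
        return False

    def handle(self, path, body, client, now):
        """body is the request stream (binary file-like). Returns (status, reason)."""
        if path not in ACCEPTED_PATHS:
            return 404, "unknown path"
        if not self.csp_enabled:
            # Release notes: don't process reports if the CSP feature is disabled.
            return 404, "csp feature disabled"
        if self._flooded(client, now):
            return 429, "flood control"
        # Read at most max_len + 1 bytes: enough to detect an oversized body
        # without pulling an arbitrarily large POST into memory.
        chunk = body.read(self.max_len + 1)
        if len(chunk) > self.max_len:
            return 413, "report exceeds max_len"
        try:
            report = json.loads(chunk.decode("utf-8"))["csp-report"]
        except (ValueError, KeyError, UnicodeDecodeError):
            return 400, "malformed report"
        self.stored.append(report)
        return 200, "stored"


# Constructed sample report in the shape browsers POST for report-uri.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.gov.au/some/page",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "https://evil.example/x.js",
    }
}).encode()


def demo():
    """Exercise the endpoint; returns (status per scenario, reports stored)."""
    r = CspReportReceiver(max_len=512, flood_limit=3, flood_window=60)
    ip = "203.0.113.5"
    out = {}
    out["new"] = r.handle(NEW_REPORT_PATH, io.BytesIO(SAMPLE_REPORT), ip, 1000.0)[0]
    out["old"] = r.handle(DEPRECATED_REPORT_PATH, io.BytesIO(SAMPLE_REPORT), ip, 1001.0)[0]
    out["wrong_path"] = r.handle("/csp", io.BytesIO(SAMPLE_REPORT), ip, 1002.0)[0]
    out["third"] = r.handle(NEW_REPORT_PATH, io.BytesIO(SAMPLE_REPORT), ip, 1002.0)[0]
    out["flooded"] = r.handle(NEW_REPORT_PATH, io.BytesIO(SAMPLE_REPORT), ip, 1003.0)[0]
    out["after_window"] = r.handle(NEW_REPORT_PATH, io.BytesIO(SAMPLE_REPORT), ip, 1070.0)[0]
    oversized = io.BytesIO(b"{" + b" " * 600 + b"}")  # 602 bytes > max_len
    out["oversized"] = r.handle(NEW_REPORT_PATH, oversized, "198.51.100.7", 1000.0)[0]
    off = CspReportReceiver(csp_enabled=False)
    out["disabled"] = off.handle(NEW_REPORT_PATH, io.BytesIO(SAMPLE_REPORT), ip, 1000.0)[0]
    return out, len(r.stored)


if __name__ == "__main__":
    print(demo())
```

The two-path acceptance is what lets a site switch its advertised report-uri without losing reports from pages that were cached with the old URL; any web-server rule that only permits POSTs to the old path needs the new one added as well.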
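Two other items, "Trim whitelisted CSRF origins before checking against origin" and "Origin header is incorrectly verified for sites in subdirectories", both describe the same class of bug: comparing the browser's Origin header against strings that are not origins. The Python below is an added illustration of that comparison done naively and done correctly; it is not seckit's code. The base URL, the whitelist text, and the sample Origin values are constructed, and the choices to accept requests with no Origin header and to reject a "null" or multi-valued Origin are this model's assumptions.

```python
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, lower-cased.
    The path is dropped on purpose: a site installed at
    https://example.gov.au/intranet has origin https://example.gov.au, which
    is what the browser actually sends in the Origin header."""
    p = urlsplit(url.strip())
    if not p.scheme or not p.hostname:
        return None
    scheme = p.scheme.lower()
    origin = f"{scheme}://{p.hostname.lower()}"
    if p.port and p.port != _DEFAULT_PORTS.get(scheme):
        origin += f":{p.port}"
    return origin


def parse_whitelist(raw):
    """Whitelist textarea: comma- or newline-separated full origins.
    Entries are trimmed and blanks dropped before any comparison."""
    entries = set()
    for chunk in raw.replace("\n", ",").split(","):
        o = origin_of(chunk)
        if o:
            entries.add(o)
    return entries


def naive_origin_allowed(origin_header, base_url, whitelist_raw):
    """The broken form: raw string equality against the base URL (which may
    carry a subdirectory) and against untrimmed whitelist entries."""
    return origin_header in [base_url] + whitelist_raw.split(",")


def origin_allowed(origin_header, base_url, whitelist_raw, method="POST"):
    """Return (allowed, reason) for a state-changing request."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method, not checked"
    if origin_header is None:
        return True, "no Origin header (assumption: accepted)"
    presented = origin_header.strip()
    # "null" is an opaque origin; a space means several origins were sent.
    if presented.lower() == "null" or " " in presented:
        return False, "opaque or multi-valued Origin"
    presented_origin = origin_of(presented)
    if presented_origin is None:
        return False, "unparsable Origin"
    allowed = parse_whitelist(whitelist_raw)
    allowed.add(origin_of(base_url))
    if presented_origin in allowed:
        return True, "origin matches site or whitelist"
    return False, f"{presented_origin} not in {sorted(allowed)}"


# Constructed site in a subdirectory, and a whitelist with stray whitespace,
# mixed case, and an explicit default port.
BASE_URL = "https://example.gov.au/intranet"
WHITELIST = "https://cms.example.gov.au , https://Editor.Example.gov.au:443\n"


def demo():
    """Map each scenario to (naive result, corrected result)."""
    cases = {
        "same_site": "https://example.gov.au",
        "whitelisted_spaces": "https://cms.example.gov.au",
        "whitelisted_case_port": "https://editor.example.gov.au",
        "attacker": "https://evil.example",
        "null": "null",
    }
    return {name: (naive_origin_allowed(o, BASE_URL, WHITELIST),
                   origin_allowed(o, BASE_URL, WHITELIST)[0])
            for name, o in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} naive={result[0]!s:5s} fixed={result[1]}")
```

The naive check rejects every legitimate request from a subdirectory install or an untidily entered whitelist, which is exactly the kind of failure that tempts an administrator to switch the CSRF origin check off altogether; normalising both sides to an origin keeps the check usable without widening what it accepts.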