35 lines
1.4 KiB
Markdown
35 lines
1.4 KiB
Markdown
# AOC v1.7.13 Release Notes
|
||
|
||
**Release Date:** 2026-04-27
|
||
|
||
## Security Hardening: Alpine.js CSP Build
|
||
|
||
This release removes `unsafe-eval` from the Content-Security-Policy by switching the frontend to Alpine.js's CSP-compatible build.
|
||
|
||
### Changes
|
||
|
||
- **Frontend:** Switched from `alpinejs@3.x.x/dist/cdn.min.js` to `alpinejs@3.x.x/dist/csp.min.js`
|
||
- **Frontend:** Added explicit `Alpine.start()` call on `DOMContentLoaded` (required by CSP build)
|
||
- **Backend CSP:** Removed `'unsafe-eval'` from `script-src` directive
|
||
|
||
### Why this matters
|
||
|
||
The previous v1.7.11–1.7.12 releases included `'unsafe-eval'` in the CSP because the standard Alpine.js CDN build uses `new Function()` internally for reactive expression evaluation. The CSP build eliminates this requirement, further hardening the application against XSS and injection attacks.
|
||
|
||
### Compatibility
|
||
|
||
All existing Alpine.js directives (`x-data`, `x-init`, `x-show`, `x-text`, `x-for`, `x-if`, `x-model`, event handlers) continue to work unchanged. The CSP build uses a safe expression evaluator that produces identical behavior without `eval`/`new Function`.
|
||
|
||
## Files Changed
|
||
|
||
| File | Change |
|
||
|------|--------|
|
||
| `backend/frontend/index.html` | Alpine.js src → `csp.min.js`; added `Alpine.start()` |
|
||
| `backend/main.py` | Removed `'unsafe-eval'` from `script-src` CSP |
|
||
| `VERSION` | Bumped to 1.7.13 |
|
||
|
||
## Test Results
|
||
|
||
- **80/80 pytest tests passing**
|
||
- Ruff lint/format clean
|