What’s Changed
Improvements
- Set security headers by @InfiniteStash in Pull Request #961 (stashapp/stash-box)
Full Changelog: v0.6.12...v0.6.13 (stashapp/stash-box)
This breaks
as well as the CSS embedded on the site. Various other userscripts can bypass this since CSS/JS is injected inline.
Full disclosure, the security issue raised was on the back of my observation that images could be loaded remotely that would leak users’ IP addresses.