v1.10.2
Security fix:
This version contains a security fix, which is also breaking change if you have an insecure configuration.
We are releasing this breaking change as patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.
We removed setting Access-Control-Allow-Origin
to *
be default. This allowed evil websites to access your assets.
Instead we ask you to set Access-Control-Allow-Origin
manually to your host if required in your setup.
Use the headers
option to do so.
middleware(compiler, {
headers: {
"Access-Control-Allow-Origin": "your-host"
}
})
Read more about CORS here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
Bugfixes:
- Remove
Access-Control-Allow-Origin
=*
default