New features in 2.4.0.beta10
Bigger emoji
When 1-3 emoji exist on their own line, they’re now automatically made larger! Now you can communicate in emoji without needing to squint as much.
Award a badge to a set of users
Badges now support “bulk award”, allowing admins to upload a list of user emails which will all be granted a badge. For full details, see
MaxMind DB downloads now require a license key
Discourse uses the free MaxMind GeoLite2 IP database to provide location information for users and admins. This powers features like Recently Used Devices in user preferences, and IP lookup on user admin pages. Due to changes required by the CCPA, MaxMind has changed the download process. To download the database, admins must now register for an account and receive a (free) license key. More details in Upgrade / Rebuilds Fail due to MaxMind DB EOL - #23 by sam.
Internet Explorer 11 Deprecation
Discourse will be ending support for IE11 on June 1, 2020. Users are strongly encouraged to move to a supported browser to continue using Discourse without interruption. Discourse will start showing a warning to users that IE11 support is ending at the top of the site. For full details, see Discourse is ending support for Internet Explorer 11 (IE11) on June 1, 2020.
CSP enabled by default
At the start of 2019 Discourse first supported a Content Security Policy (CSP), an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. CSP has been enabled for new sites over the last year, but older sites did not have CSP enabled without explicit admin action. With beta10 CSP will be enabled for all sites, unless explicitly disabled by an admin (strongly discouraged). Sites with external scripts running, for example Google Analytics, Ads, tracking, etc. may need configuration updates to continue working. See Mitigate XSS Attacks with Content Security Policy for full details on CSP, and how to configure scripts to work.
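An admin can check ahead of the upgrade which external scripts an enforced policy would stop loading. The following is an added example, not Discourse code or part of the original release notes: it matches script URLs against a policy's `script-src` (falling back to `default-src`) using simplified CSP source matching. The origin, policy and script list are constructed samples, and the function names are hypothetical.

```javascript
// Added example (not Discourse code): list the scripts a CSP would block.
// Simplified source matching: nonces, hashes, 'strict-dynamic' and
// script-src-elem are ignored, and paths are not percent-decoded.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources; // first wins
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  if (source.startsWith("'")) return false; // 'none', nonces, hashes, keywords
  if (source === "*") return ["http:", "https:"].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // A source without a scheme is matched against the protected site's scheme.
  const want = scheme ? scheme.toLowerCase() + ":" : new URL(selfOrigin).protocol;
  const schemeOk = url.protocol === want || (want === "http:" && url.protocol === "https:");
  const h = host.toLowerCase();
  // "*.example.com" matches subdomains only, never example.com itself.
  const hostOk = h.startsWith("*.") ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  const defaultPort = url.protocol === "https:" ? "443" : "80";
  const portOk = port === undefined ? url.port === "" : port === "*" || (url.port || defaultPort) === port;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  const pathOk = !path || (path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path);
  return schemeOk && hostOk && portOk && pathOk;
}

function blockedScripts(cspHeader, scriptUrls, selfOrigin) {
  const d = parseCsp(cspHeader);
  const sources = d["script-src"] || d["default-src"];
  if (!sources) return []; // no applicable directive, nothing is restricted
  return scriptUrls.filter((s) => !sources.some((src) => sourceMatches(src, new URL(s, selfOrigin), selfOrigin)));
}

// Constructed sample policy and script list for a hypothetical forum.
const SAMPLE_ORIGIN = "https://forum.example";
const SAMPLE_CSP = "script-src 'self' https://www.google-analytics.com/analytics.js *.cdn.example; default-src 'none'";
const SAMPLE_SCRIPTS = ["/assets/application.js", "https://www.google-analytics.com/analytics.js",
  "https://www.googletagmanager.com/gtag/js?id=PLACEHOLDER", "https://static.cdn.example/widget.js",
  "https://cdn.example/ads.js"];
console.log(blockedScripts(SAMPLE_CSP, SAMPLE_SCRIPTS, SAMPLE_ORIGIN));
```

Each URL it reports is a script source that would need to be added to the site's CSP configuration, or removed from the site, before the policy is enforced.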
Security Updates
This beta includes 4 security fixes for issues reported by our community and HackerOne. It is highly recommended that sites update to receive these patches.
- 2FA with U2F / TOTP
- Use strict JSON parsing when parsing backup metadata
- Improve second factor auth logic
- Privacy leak with staged user and closed category