New features in 2.4.0.beta9
Feature topic on profile
Users can now select a topic they wish to feature on their profile. The topic will appear on their user card, as well as on their profile page. Users can add a topic from their Preferences, Profile tab.
unsafe-eval from CSP
We’re always looking for ways we can make Discourse even more secure. Late last year we added support for Content Security Policy to Discourse. CSPs help mitigate XSS attacks, one of the most common web vulnerabilities. In order to fully support existing Discourse features and plugins, we included the
unsafe-eval directive. We’ve now removed all usage of
eval() from Discourse in production, as well as our official plugins, so we’ve removed
unsafe-eval from our CSP, making our CSP even stricter.
Hash API keys in the Database
API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak.
Move Internet Explorer support to core plugin
Discourse will be dropping support for Internet Explorer in June 2020. (A formal announcement will be made mid-January). In preparation for this, Internet Explorer specific code has been moved into a plugin, making it easier to remove come June.
Warning when theme component is installed but not added to a theme
When creating or installing a theme component, users may forget that it needs to be added to a theme in order to become active. After the initial creation/installation only, users will be warned should they attempt to navigate away from the theme component without first adding it to a theme.