Plik v1.2-RC3 Release Notes
Release Date: 2016-07-18 // almost 8 years ago-
Hi,
๐ Plik 1.2 RC-3 is targeted at security.
๐ Plik allow users to upload and serve any content as-is, but hosting untrusted HTML raises some well known security concern like phishing, xss, xsrf,... Rendering HTML and executing javascript in the context of Plik is not something we consider a feature. We try to avoid it by overriding Content-Type "text/html" to "text-plain", also the Content-Security-Policy HTTP header should disable sensible features of most recent browsers like resource loading, xhr requests, iframes,...
๐ We also strongly advise you to use the new DownloadDomain option with a separate (sub-) domain to enforce that download links do not share the same origin than the Plik web client.
๐ Changelist :
- โ Add security headers to getFileHandler to avoid HTML rendring in web browser
- Enforce download domain option
- โ Add README security section
- ๐ Display Golang version on build info
- โก๏ธ Update go version in travis build
Cheers,
The Plik team.