Auth0 headless browser SDK
Fixed
Security
Note: This release is functionally identical to the previous release, but has been released to ensure tooling no longer detects a vulnerable version of jsonwebtoken being used (we only include it as a dev dependency and use it in some tests).
Added
Changed
Fixed
This release includes some clarification updates to the README, as well as a collection of security patches from Dependabot.
Changed
Security
This release by default now stores additional cookies for backward compatibility when using the SameSite attribute, for those older browsers that do not understand SameSite=None. As well as creating the normal transaction cookies with Secure=true and SameSite=none, it also stores a _x_compat cookie (where x is the name of the original cookie) which only sets Secure=true.
If the generation of these extra cookies is undesirable or unnecessary for your use case, you can turn them back off by setting legacySameSiteCookie: false in the SDK configuration.
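The dual-cookie scheme described above, sketched as an added example (this is not the SDK's own code). The function names, the sample cookie name txn and the read-side fallback to the _x_compat copy are assumptions made for illustration; only the cookie attributes, the _x_compat naming and the legacySameSiteCookie option come from the release note.

```javascript
// Added illustration: helper names are hypothetical, not auth0.js internals.

// Build the cookie strings written for one transaction cookie.
function buildTransactionCookies(name, value, { legacySameSiteCookie = true } = {}) {
  const encoded = encodeURIComponent(value);
  // Primary cookie: Secure plus SameSite=None, for browsers that understand it.
  const cookies = [`${name}=${encoded}; Secure; SameSite=None`];
  if (legacySameSiteCookie) {
    // Compat copy: Secure only, no SameSite attribute, for older browsers
    // that do not understand SameSite=None.
    cookies.push(`_${name}_compat=${encoded}; Secure`);
  }
  return cookies;
}

// Decode a cookie value without throwing on malformed percent-encoding.
function safeDecode(raw) {
  try { return decodeURIComponent(raw); } catch (e) { return raw; }
}

// Parse a document.cookie / Cookie header string into a Map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const key = part.slice(0, idx).trim();
    if (key) jar.set(key, safeDecode(part.slice(idx + 1).trim()));
  }
  return jar;
}

// Assumed read path: prefer the primary cookie, fall back to the compat copy.
function readTransactionCookie(header, name) {
  const jar = parseCookieHeader(header);
  if (jar.has(name)) return jar.get(name);
  const legacyName = `_${name}_compat`;
  return jar.has(legacyName) ? jar.get(legacyName) : null;
}

// Constructed samples: what each kind of browser would hold after the write.
const modernBrowserJar = 'txn=state-abc123; _txn_compat=state-abc123';
const legacyBrowserJar = '_txn_compat=state-abc123'; // SameSite=None cookie was not kept
```

Because the compat copy carries no SameSite attribute, browsers that default unmarked cookies to Lax will not send it on cross-site subrequests, so it only helps the older browsers it is meant for.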
Added
Fixed
Added
xRequestLanguage, which sends X-Request-Language header to /passwordless/start #1210 (stevehobbsdev)
Fixed
Security
Fixed