From ae4dab65e48e1681290d98c295b015610e9798e3 Mon Sep 17 00:00:00 2001 From: Nick Steel Date: Sun, 15 Apr 2018 17:46:46 +0100 Subject: [PATCH] docs: added changelog entry --- docs/changelog.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/changelog.rst b/docs/changelog.rst index eddbeed6..f858fe16 100644 --- a/docs/changelog.rst +++ b/docs/changelog.rst @@ -27,6 +27,12 @@ Feature release. - File: Fix extraneous encoding of path. (PR: :issue:`1611`) +- HTTP: Protect RPC and Websocket interfaces against CSRF by blocking requests + that originiate from servers other than those specified in the new config + value :confval:`http/allowed_origins`. An artifact of this is that all + JSON-RPC requests must now always set the header + ``Content-Type: application/json``. (PR:1668 :issue:`1659`) + - MPD: Added ``idle`` to the list of available commands. (Fixes: :issue:`1593`, PR: :issue:`1597`)
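Review bot: in the added HTTP entry, "originiate" is misspelled (should be "originate"), and the trailing reference "(PR:1668 :issue:`1659`)" does not follow the form of the neighbouring entries, which write "(PR: :issue:`1611`)" and "(Fixes: :issue:`1593`, PR: :issue:`1597`)". Put 1668 through the :issue: role as well so it renders as a link, and label what 1659 is. The last sentence of the entry describes a compatibility break for existing JSON-RPC clients (they must now send ``Content-Type: application/json``), so it would help to say what a client sees when the header is missing or the origin is not listed in :confval:`http/allowed_origins`, and to phrase it as a requirement rather than "an artifact" so that readers scanning the changelog for upgrade impact do not miss it.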