v2.8.0

• Fixed deprecated/invalid method usage on logger interface
• Drop tests for PHP 5.4

2.7.0

• Use base64 for encoding nonces
• Support more CSP level 3 keywords
• Allow configuring a report URI for XSS

2.6.0

• Support random_compat v9.99.99
• Don't ship unneeded files for composer installs
• Change controller action reference
• Add worker-src directive
• Fix deprecation for symfony/config 4.2+

2.5.1

• Abort CSP compiler pass when CSP is not enabled

2.5.0

• Allows matching the query parameter for clickjacking protection
• Cleanup content type restrictable listener
• Added Symfony 4 support
• Added support for 'worker-src' CSP directive
• Removed PHP 5.3 support guarantees
  F- ix CSP noise filter compiler pass registration

2.4.0

• Deprecate calling ContentSecurityPolicyListener::getNonce without usage ('script' or 'style')
• Added forced_ssl > redirect_status_code option to allow switching to permanent redirect (301) responses
• Fixed HSTS header being sent even in non-secure responses unnecessarily
• Fixed URLs with whitespace prefix not being seen as external redirects

2.3.1

• Fix arguments for Twig extension

2.3.0

• Add support for script-src 'strict-dynamic' (see https://w3c.github.io/webappsec-csp/#strict-dynamic-usage)
• Improve CSP filtering
• Remove Twig extension compiler pass in favor of tag
• Use symfony/phpunit-bridge for testing on IC

2.2.4

• Fix exceptions thrown by Report::fromRequest

2.2.3

• Improve CSP filtering