Add release notes for CSP changes

Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:07:00 +02:00 · 2021-06-07 20:07:00 +02:00 · 0c6482abc5
commit 0c6482abc5
parent 52231f688d
1 changed files with 8 additions and 0 deletions
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@ -1,4 +1,12 @@
 # Release Notes
+## <i class="fa fa-tag"></i> 1.9.0 <i class="fa fa-calendar-o"></i> UNRELEASED
+### Security Fixes
+- This release removes Google Analytics and Disqus domains from our default Content Security Policy, because
+  they were repeatedly used to exploit security vulnerabilities.  
+  If you want to continue using Google Analytics or Disqus, you can re-enable them in the config.
+  See [the docs](https://docs.hedgedoc.org/configuration/#web-security-aspects) for details.
+  
+
 ## <i class="fa fa-tag"></i> 1.8.2 <i class="fa fa-calendar-o"></i> 2021-05-11

 This release fixes two security issues. We recommend upgrading as soon as possible.