Discourse 2.4.0.beta9 Release Notes

New features in 2.4.0.beta9

Feature topic on profile

Users can now select a topic they wish to feature on their profile. The topic will appear on their user card, as well as on their profile page. Users can add a topic from their Preferences, Profile tab.


Remove unsafe-eval from CSP

We’re always looking for ways we can make Discourse even more secure. Late last year we added support for Content Security Policy to Discourse. CSPs help mitigate XSS attacks, one of the most common web vulnerabilities. In order to fully support existing Discourse features and plugins, we included the unsafe-eval directive. We’ve now removed all usage of eval() from Discourse in production, as well as our official plugins, so we’ve removed unsafe-eval from our CSP, making our CSP even stricter.

Hash API keys in the Database

API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with a SHA-256 hash of the full key. This makes key usage easier to audit, and ensures that attackers who obtain a copy of the database cannot use the stored values to access the live site.

Move Internet Explorer support to core plugin

Discourse will be dropping support for Internet Explorer in June 2020. (A formal announcement will be made mid-January). In preparation for this, Internet Explorer specific code has been moved into a plugin, making it easier to remove come June.

Warning when theme component is installed but not added to a theme

When creating or installing a theme component, users may forget that it needs to be added to a theme in order to become active. Only after the initial creation or installation, users will be warned if they attempt to navigate away from the theme component without first adding it to a theme.

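The CSP change above is easy to verify on a deployed site: fetch the Content-Security-Policy response header and check whether the effective script sources still contain 'unsafe-eval'. The Ruby below is an added example, not code from Discourse or from this post; both header values are constructed for illustration and are not Discourse's real policy. It parses the header into directives and applies the script-src / default-src fallback that browsers use when deciding whether eval() may run.

```ruby
# Added example (not Discourse's own code): parse a Content-Security-Policy
# header value and report whether it still permits eval(). Both header values
# below are constructed for this example, not Discourse's real policy.
BEFORE_CSP = "default-src 'none'; script-src 'self' 'unsafe-eval' https://cdn.example.invalid; " \
             "style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'"
AFTER_CSP  = "default-src 'none'; script-src 'self' https://cdn.example.invalid; " \
             "style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'"

# Split "name src src; name src" into { "name" => ["src", "src"], ... }.
# Directive names are case-insensitive; a repeated directive keeps its first
# occurrence, which is what browsers do.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, policy|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty?
    name = tokens.shift.downcase
    policy[name] = tokens unless policy.key?(name)
  end
end

# eval() is governed by script-src; when script-src is absent, browsers fall
# back to default-src. No directive at all means no restriction (nil).
def effective_script_sources(policy)
  return policy["script-src"] if policy.key?("script-src")
  return policy["default-src"] if policy.key?("default-src")
  nil
end

# true when the policy would let eval() / new Function() run.
def allows_unsafe_eval?(header)
  sources = effective_script_sources(parse_csp(header))
  return true if sources.nil? # unrestricted: eval is allowed
  sources.any? { |s| s.casecmp?("'unsafe-eval'") }
end

# One-line audit verdict for a header taken from a response you control.
def csp_eval_report(header)
  allows_unsafe_eval?(header) ? "script-src still permits 'unsafe-eval'" : "eval() is blocked by CSP"
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{csp_eval_report(BEFORE_CSP)}"
  puts "after:  #{csp_eval_report(AFTER_CSP)}"
end
```

Note that an empty `script-src` source list is equivalent to `'none'` and is reported as blocking eval, while a header with neither `script-src` nor `default-src` places no restriction on scripts at all, which the check reports as allowing eval.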
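The hashed API key scheme in the "Hash API keys in the Database" note is worth seeing end to end: the plaintext key is shown once, the database keeps only a short prefix for identification plus a SHA-256 hash, and authentication recomputes the hash of whatever is presented. The Ruby below is an added example written for this post, not Discourse's implementation; the record field names (truncated_key, key_hash), the prefix length and the helper names are assumed for illustration.

```ruby
require "securerandom"
require "digest"

# Added example (not Discourse's own code). Field names and PREFIX_LENGTH are
# assumptions made for this illustration.
PREFIX_LENGTH = 4

# Create a key. The plaintext is returned once so it can be shown to the user;
# only `record` would be written to the database.
def generate_api_key(description)
  key = SecureRandom.hex(32) # 64 hex characters of CSPRNG output
  record = {
    description: description,
    truncated_key: key[0, PREFIX_LENGTH],    # for audit / identification only
    key_hash: Digest::SHA256.hexdigest(key), # what authentication compares
  }
  [key, record]
end

# Constant-time string comparison so a match does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Authenticate a presented key against stored records. The prefix narrows the
# candidates; only the hash decides. Returns the matching record or nil.
def authenticate(presented, records)
  return nil unless presented.is_a?(String) && presented.length > PREFIX_LENGTH
  digest = Digest::SHA256.hexdigest(presented)
  records.find do |rec|
    rec[:truncated_key] == presented[0, PREFIX_LENGTH] && secure_equal?(rec[:key_hash], digest)
  end
end

# What a leaked database row gives an attacker: the prefix and the hash.
# Neither value is accepted by authenticate, so the row alone is not a credential.
def usable_from_leak?(record, records)
  !authenticate(record[:truncated_key], records).nil? ||
    !authenticate(record[:key_hash], records).nil?
end

if __FILE__ == $PROGRAM_NAME
  key, record = generate_api_key("constructed example key")
  puts "show once:   #{key}"
  puts "stored row:  #{record.inspect}"
  puts "auth ok?     #{!authenticate(key, [record]).nil?}"
  puts "leak usable? #{usable_from_leak?(record, [record])}"
end
```

The prefix is an index, never a credential: a presented key that shares the first four characters but differs elsewhere hashes to a different value and is rejected, and the stored hash itself is rejected because authentication hashes it again.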

is this any part of a trend or anything? or are they the vanguard?

Funny you should ask, it has caused some passionate discussion.

Discourse team members point out, among other observations, that they aren’t prohibiting IE from working; they just aren’t going to dedicate engineering resources to bug fixes. Which I’d say is a pretty generous accommodation. Discourse is a modern JavaScript web app; it has requirements. Makes sense to me.
