IMPORTANT for existing users: New functionality requires 1 additional API permissions in order to use the new function. You can go to your
Cloudflare API Tokens, edit the token you have and
add the following permission:
At this point, you should have a total of 19 permissions for your API token.
- Added sanity check to make sure attachment data exists when using presigned URLs for R2 attachments (helpful in certain cases when using XFMG).
- Added ability to use Token Authentication system for attachments stored in R2 (needs new permission... see above). This only works for zones that are not on the Free tier (which is why the billion permission is needed to check if the zone is on a paid plan or not).
- Update Chart.js to v4.4.0
- All JavaScript has been rewritten to be "native" (does not use jQuery) in preparation for removal of jQuery in XenForo 2.3.
- When using guest page caching, no longer try to fetch a new CSRF token for the user with a quick synchronous AJAX request (using Sec-Fetch-Site HTTP request header [a more modern replacement for CSRF tokens])
Made a fairly substantial internal change to the guest page caching system... it no longer needs to do a quick AJAX request to fetch a CSRF token for guests. Instead we are using the Sec-Fetch-Site HTTP request header which is
more or less supported by all browsers now (CSRF tokens aren't really needed anymore).
Was going down the path of trying to do a synchronous AJAX request in native JavaScript (rewriting for XF 2.3) and then trying to handle a bunch of one-off situations where XenForo is injecting CSRF tokens into certain GET requests because they are using GET to mutate user state for some reason... just was getting too kludgey and cumbersome. And since CSRF isn't really needed anymroe these days, I decided to take the cleaner/simpler route (which will also make sites faster). Just use Sec-Fetch-Site
instead of CSRF... problem solved.
Maybe it's worthwhile to check out the suggestion that XenForo does away with CSRF in it's core:
https://xenforo.com/community/threa...ion-cloudflare-full-html-page-caching.202315/