- Do not require SQLite to support
WITHOUT ROWID.
- Fix deprecation warnings.
- Fix deprecation warnings.
- Prevent duplication of self-closing
<meta charset>tags.
- Set
Content-Type: application/jsonheader on bundler responses. - Remove
X-Robots-Tagheader.
- Set
X-Robots-Tag: noneheader on bundler responses to prevent search engines from indexing them.
- Improve CSP support.
- Use SQLite3 database for caching instead of a file tree.
- Update CA bundle.
- Don't rewrite dynamically inserted
modulescripts.
- Ensure the security token never gets reset when the cache grows too large. This prevents resource URLs from changing suddenly.
- Send 403 and 404 status codes for unauthorized and not found resource URLs respectively, if they cannot be safely redirected to the original resource.
- Prefix
async,deferattributes withdata-phast-to please W3C validator.
- Fix open redirect on
phast.php. This would allow a malicious person to redirect someone to a third-party site viaphast.phpby sending them a link. This can enable phishing attacks if the user is mislead by the hostname of the initial URL. It does not compromise the security of your site itself.
- Don't emulate
document.currentScriptfor scripts that are executed normally. This prevents some scripts from seeing the wrongcurrentScriptaccidentally.
- Do not rewrite
<img>elementsrcwhen it has arev-slidebgclass and points totransparent.png. This is because Revolution Slider's JavaScript depends on the image filename for its logic.
- Add option
optimizeJSONResponsesto optimize JSON objects with ahtmlkey, for Ajax handlers.
- Don't optimize snippets if they look like JSON objects, ie, start with
{".
- Support whitespace in
url()in CSS. Eg,url( 'file.jpg' )is not processed correctly.
- Make message about inability to override
document.readyStatea warning rather than an error, to avoid spurious complaints from PageSpeed Insights.
- Correctly support additional arguments when using setTimeout. This fixes a regression in version 1.83.
- Ensure error pages are always interpreted as UTF-8.
- Simplify
PATH_INFOcalculation if the environment variable is missing. This is now determined by splitting the path component ofREQUEST_URIon.php/. - Improve error messages, hopefully aiding troubleshooting when
phast.phpisn't doing it's job.
- Fix handling of closing parenthesis and string literal separated by newline in JSMin.
- Use
text/plainMIME type for the bundled CSS and JS responses. This helps apply automatic response compression in some server configurations (specifically o2switch).
- Raise maximum page size to 2 MiB.
- Detect WOFF2 support using a feature test, instead of relying on the user agent. This fixes Google Fonts on iOS 9 and earlier.
- Handle setTimeout chains without relying on setTimeout IDs always being offset by one, and without using setTimeout when it isn't needed.
- Make sure setTimeout chains in DOMContentLoaded are completely executed before the load event is triggered. This fixes some uses of jQuery's ready event.
- Use Base64-based path info for server-generated URLs.
- Encode characters that cannot occur in URLs. This fixes canonical URLs for optimized images if those URLs contained special characters.
- Support
document.currentScriptin optimized scripts. - Prevent (suppressed) notice from
ob_end_clean.
- Handle
<!doctype html ...>declarations correctly, and don't insert<meta charset>before them. (This broke pages using old XHTML doctypes.)
- Insert
<meta charset=utf-8>tag right after<head>and remove existing<meta charset>tags. This fixes an issue where the<meta charset>tag appears more than 512 bytes into the document, causing encoding issues.
- Stop proxying external scripts.
- Insert path separators (
/) into bundler URLs in order to avoid Apache's 255 character filename limit.
- Ignore calls to
document.writefromasyncordeferscripts, in line with normal browser behaviour.
- Prevent service loops by adding
CDN-Loopheader. - URL-decode paths to local files to handle filenames with spaces or special characters correctly.
- Support
PHAST_SERVICEenvironment variable for transparent optimization via.htaccess. - Don't defer inling scripts that start with
'phast-no-defer'.
- Don't resize images based on
width/heightattributes onimgtags.
- Only process JPEG, GIF and PNG images. (Fix regression in 1.65.)
- Add Last-Modified header to service response.
- Fix CSS proxy URL generation not to include
__p__filename twice.
- Support URLs generated via Retina.js (when path info is enabled).
- Implement rotating text file logger for use in PhastPress.
- Fix IE 11 stylesheet fallbacks.
- Convert
<link onload="media='all'">to<link media="all">before inlining. - Elide
mediaattribute on generatedstyletags if it isall.
- Use path info URLs for bundler and dynamically inserted scripts.
- Don't whitelist local URLs but check that the referenced files exist.
- Preserve control characters in strings in minified JavaScript.
- Use JSON_INVALID_UTF8_IGNORE on PHP 7.2+ instead of regexp-based invalid UTF-8 character removal.
- Optimize images in AMP documents.
- Add LazyImageLoading filter that adds
loading=lazyattribute to images.
- Add
compressServiceResponseconfiguration option to allow disabling gzip compression of service response.
- Ensure that requestAnimationFrame callbacks run before onload event.
- Don't rewrite anchor URLs (like
#whatever) in CSS.
- Rewrite each URL in a CSS rule, not just the first one.
- Revert: Add mktdplp102cdn.azureedge.net (Dynamics 365 SDK) to scripts whitelist.
- Add mktdplp102cdn.azureedge.net (Dynamics 365 SDK) to scripts whitelist.
- Only rewrite image URLs in arbitrary attributes inside the
<body>tag. - Don't optimize image URLs in attributes of
<meta>tags. - When optimizing images, send the local PHP version to the API, to investigate whether PHP 5.6 support can be phased out.
- Fix writing existing read-only cache files (on Windows).
- Fix writing existing read-only cache files.
- Fix caching on Windows by not setting read-only permissions on cache files.
- Add a checksum to cache files to prevent accidental modifications causing trouble.
- Rewrite image URLs in any attribute, as long as the URL points to a local file and ends with an image extension.
- Ignore
linkelements with emptyhref, or one that consists only of slashes. - Replace
</styleinside inlined stylesheets with</ styleto prevent stylesheet content ending up inside the DOM. - Add
font-swap: blockfor Ionicons. - Remove UTF-8 byte order mark from inlined stylesheets.
- Send uncompressed responses to Cloudflare. Cloudflare will handle compression.
- Stop excessive error messages when IndexedDB is unavailable.
- Process image URLs in
data-src,data-srcset,data-wood-srcanddata-wood-srcsetattributes onimgtags.
- Whitelist
cdnjs.cloudflare.comfor CSS processing.
- Use
font-display: blockfor icon fonts (currently Font Awesome, GeneratePress and Dashicons).
- Support
data-pagespeed-no-deferanddata-cfasync="false"attributes on scripts for disabling script deferral (in addition todata-phast-no-defer). - Leave
data-{phast,pagespeed}-no-deferanddata-cfasyncattributes in place to aid debugging.
- Base64 encode the config JSON passed to the frontend, to stop Gtranslate or other tools from mangling the service URL that is contained in it.
- Speed up script load, and fix a bug with setTimeout functions running before the next script is loaded.
- Support compressed external resources (ie, proxied styles and scripts).
- Add s.pinimg.com, google-analytics.com/gtm/js to script proxy whitelist.
- Remove blob script only after load. This fixes issues with scripts sometimes not running in Safari.
- Fixed a regression causing external scripts to be executed out of order.
- Execute scripts by inserting a
<script>tag with a blob URL, instead of using global eval, so that global variables defined in strict-mode scripts are globally visible.
- Clean any existing output buffer, instead of flushing it, before starting Phast output buffer.
- Use all service parameters for hash-based cache marker.
- Add the option to cancel processing by Phast by calling cancel() on the OutputBufferHandler returned from PhastDocumentFilters::deploy().
- Stop proxying dynamically inserted scripts after onload hits.
- Combine the hash-based cache marker with the original modification time-based cache marker.
- Remove comment tags (
<!-- ... -->) from inline scripts. - Send
Content-Lengthheader for images.
- Use hash-based cache marker (see last release) when local files are addressed with a query string.
- Change CSS cache marker when dependencies (eg, images) change. This prevents showing old images because CSS referencing an old optimized version is cached.
- Trick mod_security into accepting script proxy requests by replacing
src=http://...withsrc=hxxp://....
- Regression fix: Send
Vary: Acceptfor JPEGs that could be WebPs.
- Don't send WebP images via Cloudflare. Cloudflare does not support
Vary: Accept, so sending WebP via Cloudflare can cause browsers that don't support WebP to download the wrong image type. Use Cloudflare Polish instead.
- Keep
idattributes onstyleelements.
- Keep newlines when minifying HTML.
- Send Content-Security-Policy and X-Content-Type-Options headers on resources to speculatively prevent any XSS attacks via MIME sniffing.
- Make CSS filters configurable using switches.
- Remove empty media queries from optimize CSS.
- Use token to refer to bundled resources, to shorten URL length.
- Clean up server-side statistics.
- Add HTML minification (whitespace removal).
- Add inline JavaScript and JSON minification (whitespace removal).
- Add a build system to generate a single PHP file with minified scripts.
- Don't attempt to optimize CSS selectors containing parentheses, avoiding a bug removing applicable :not(.class) selectors.
- Use valid value for script
typeto quiet W3C validator.
- Add *.typekit.net, stackpath.bootstrapcdn.com to CSS whitelist.
- Don't apply rot13 on url-encoded characters.
- Don't rewrite page-relative fragment image URLs like
fill: url(#destination).
- Restore
scriptattributes in sorted order (that is,srcbeforetype) to stop Internet Explorer from running scripts twice when they havesrcandtypeset.
- Encode bundler request query to avoid triggering adblockers.
- Use a promise to delay bundler requests until the end of the event loop, rather than setTimeout.
- Scripts can now be loaded via
document.write. This restores normal browser behaviour.
document.writenow immediately inserts the HTML into the page. This fixes compatibility with Google AdSense.
- Remove query strings from the URLs passed to the JS, CSS bundler.
- Remove query strings from URLs to stylesheets and scripts loaded from the local server. It is redundant, since we add the modification time to the URL ourselves.
- Increase timeouts for API connection.
- Don't use IndexedDB-backed cache on Safari.
- Rewrite
data-lazy-src,data-lazy-srcsetattributes onimg,picture > sourcetags.
- Proxy CSS for maxcdn.bootstrapcdn.com, idangero.us, *.github.io.
- Proxy icon fonts and other resources from fonts.googleapis.com.
- Improve log messages from image filter.
- Do not proxy maps.googleapis.com, to fix NotLoadingAPIFromGoogleMapError.
- Moved image processing filters to API.
- Removed
srcattribute from scripts that are loaded through the bundler, so that old versions of Firefox do not make extraneous downloads.
- Check that the bundler returns the right amount of responses.
- Per-script debugging message when executing scripts.
- Animated GIFs are no longer processed, so that animation is preserved.
<!--comments in inline scripts are removed only at the beginning.
- Empty scripts are cached correctly.
- Async scripts are now not loaded before sync scripts that occur earlier in the document.
- Scripts are now retrieved in a single request.
- Non-existent filter classes are ignored, and an error is logged.
- A 'dummy filename' such as
__p__.jsis appended to service requests to trick Cloudflare into caching those responses.
- The maximum document size for filters to be applied was corrected to be 1 MiB, not 1 GiB
- Bundle URLs are now much shorter, allowing more resources per request.
- Add
font-display: swapto@font-faceelements for immediate text rendering.
- Changed cache size threshold from 100 GiB to 500 MiB.
- Support for
<PICTURE>elements. retrieverMappath prefixes are now regexes.- Bundle the
Requestslibrary and Mozilla CA certificates and use them as default HTTP client engine.
- A configuration variable for toggling HTML document detection before applying filters.
- Unify the filter application logic when doing output buffering and on-demand application.
- Reverted REQUEST_URI parsing to determine PATH_INFO.
- Process HTML where one or more comments occur before the doctype declaration.
Phast will now fallback to using REQUEST_URI if DOCUMENT_URI is not available.Reverted in 1.5.6.Phast will now use full DOCUMENT_URI or REQUEST_URI if PHP_SELF is not part of them.Reverted in 1.5.6.
- An empty response from the image optimization API is now considered an error.
- Phast now sends the
Expiresheader, in addition toCache-Control, so that mod_expires doesn't add its own.
- Phast now correctly locates resources on setups where DOCUMENT_ROOT is wrong, but SCRIPT_NAME and SCRIPT_FILENAME are congruent.
- Inline scripts that begin with
<!--now work on IE.
- The
Content-Encoding: identityheader is no longer sent. - The bundler request is now flushed before it gets larger than 4.5K or so.
- Only optimized versions of images are now inlined.
- We do not rely on
finfofor determining file types anymore. - Non-cached non-local styles won't cause a flicker on first load anymore.
- Support for the Requests library that is bundled by WordPress.
- The bundler service does now not fail entirely when cURL is missing and remote resources are requested.
- Phast is no longer dependent on the ctype extension.
- A regression on IE 11 due to a missing
Promiseimplementation was fixed. - URL parsing no longer fails on malformed URLs. (For PhastPress.)
- Phast now works when Fileinfo extension is not installed.
- Attributes with JSON values are now quoted with single quotes for better readability.
- Phast now works on Windows.
PhastDocumentFilters::apply()method for integration in view rendering.- Removal of
Content-Lengthheader when filters are applied. - Inlined CSS from
maxcdn.bootstrapcdn.com. - Cross-domain requests to the service are allowed. (
Access-Control-Allow-Origin: *) - Cache control and other default headers for CSS bundler service.
- Processing of multiple images in one CSS rule. (
background: url(...), url(...)) - Proxy Google Maps API JS, DoubleClick stats JS
- Path format queries are now serialized the same way as normal queries (via
http_build_query()).urlencode()serializesfalsedifferently, breaking token verification. - An error was thrown during image processing when pngquant or jpegtran were missing. This was fixed.
- Inlining of small images in HTML, CSS.
- CSS request bundling.
- First byte time optimization.
<base>tag support.- X-Accel-Expires header.
- HTML processing using a regex-based tokenizer, rather than DOMDocument.
- Cache garbage collection is improved and sets a hard limit on the cache size.
- IFrame lazy loading compatibility with already existing implementations.