Apache PageSpeed (incubating) Release Notes
Please read the WIP-DISCLAIMER before using the Apache PageSpeed (incubating) releases below.
Release 1.14.36.1
This release published July 2020.
Changes
- Updated Chromium url parser
- pagespeed_libraries.conf: add jquery 3.4.1 (#1938)
- Upgrade our re2 dependency to release 2019-07-01 (#1915)
- Support data-srcset in img and amp-img (#1899)
- Add support for specifying a TTL for redis keys (#1854)
- Fix mismatch between decompression and headers (#1785)
- Handle Apache >2.4 mod_authz_host (#1703)
- Redis: Use Redis DB-Index when computing the SystemCache lookup key (#1776)
- libwebp: update from v0.5.1 to v0.6.1 (#1759)
- third party gprc library upgraded to version 1.6.0 (#1747)
- upgrade libpng1.2 to 1.6
Any releases offered below are pre-apache releases.
Release 1.13.35.2-stable
This release made February 5, 2018. It is a clone of the 1.13.35.2-beta release.
Release 1.13.35.2-beta
This release was made January 10, 2018.
Issues Resolved
Issues Affecting both Nginx and Apache
- #1514 Reliability fix for handling srcset attributes.
Issues Affecting only Nginx
- #1503 CentOS 6: error: 'F_SETPIPE_SZ' was not declared in this scope .
Release 1.13.35.1-beta
This release was made November 8, 2017.
New Features
- Content Security Policy Support
- Opt-in feature enabling optimizations to adapt to Content Security Policies.
- Support specifying a Redis Database
- It is now possible to specify which database will be used when configuring Redis as a cache.
- Sync with WebP change in Chromium
-
The webp decoder is being updated to correct an issue where it can't play an animation exactly once, and requires an encoder update.
Background: - Log errors if serf error rate seems too high.
- When over 50% of http fetch attempts inside a 30-minute period fail, pagespeed will now emit an error entry to the logs.
- Off has been replaced by Standby
- In standby mode PageSpeed is off, except it serves .pagespeed. resources and PageSpeed query parameters are interpreted. This is equivalent to "off" in mod_pagespeed. Previously, ngx_pagespeed had no equivalent. With this change, "off" in mod_pagespeed is deprecated, and "standby" should be used instead.
- Allow UrlValuedAttribute:image on elements with children
- Tags that have children are now considered acceptable targets for image optimization.
Deprecations
- Standby has replaced Off
- Pagespeed off has been deprecated and replaced with pagespeed standby.
- Ubuntu 12.04 end of life
- The platform used to build .deb files has moved to Ubuntu 14.04. This introduced a dependency on a glibc version which is not compatible with Ubuntu 12.04. Building from source is still possible.
Issues Resolved
Issues Affecting both Nginx and Apache
- #1207 Don't emit type=text/javascript on script tags.
- #1609 Specify which Redis DB to use when confiuring Redis as a caching backend.
- #1153 Pedantic filter should prevent inlining CSS into the body.
- #1538 CSS Minification - 0 followed by a unit is rewritten to 0 without a unit .
- #1572 CSS minifier breaks unicode-range values.
- #1585 Don't special-case sending webp to PSI.
- #1553 Debug builds may abort() when revalidating expired output resources.
- #1418 LoadFromFileCacheTtlMs is not honored after first request.
- #1382 In amp pages inline_google_font_css must be disabled.
- #1496 Attempting to extend cache for SVGs returns bad headers/content.
- #1405 ERROR: Invalid inlined_image_type in cached_result.
Issues Affecting only Nginx
- #1380 Nginx worker 100% cpu usage (spinning on write returning EAGAIN).
- #1375 Don't respond with an entity body to HEAD requests for html.
- #1465 Fix ignored return code in ps_simple_handler().
Release 1.12.34.3-stable
This nginx-only release made September 28, 2017. As of nginx 1.13.4 building the module would fail. This release resolves the problem.
Issues Affecting Nginx
- Issue 1451 nginx 1.13.4 "ngx_http_core_try_files_phase" was not declared in this scope
Release 1.12.34.2-stable
This release was made June 19, 2017. It is a clone of the 1.12.34.2-beta release.
Release 1.12.34.2-beta
This nginx-only bug-fix release was made December 15, 2016. It allows the
precompiled PSOL library to be used with nginx's --with-debug
.
Issues Resolved
Issues Affecting Nginx
-
Issue 1333
Release 1.12.34.1 not compatible with
--with-debug
(80c4b7e9
)
Release 1.12.34.1-beta
This release was made December 7, 2016.
New Features
- Redis Support
- Support for Redis Cache and Redis Cluster as external caches.
- Add preload hints
- This is a new filter, off by default, that looks for declaratively included stylesheets and javascript to figure out the page's dependencies, and inserts preload headers so the browser can start loading them immediately.
- Optimize Srcsets
-
PageSpeed now optimizes images referenced in
srcset
attributes. - Set
s-maxage
-
To prevent CDNs and other shared caches from caching the unoptimized
version of resources for a long time, PageSpeed now
adds
s-maxage=10
to the cache-control headers for unoptimized resources that we intend to optimize in-place. - Allow combining stylesheets with IDs
-
PageSpeed would previously refuse to combine stylesheets with IDs, which
interacted poorly with WordPress and other content management systems
putting IDs on all their CSS files. Setting
PermitIdsForCssCombining
wildcards allows you to indicate to PageSpeed which IDs on CSS files are ok to ignore. -
FinderPropertiesCacheExpirationTimeMs
- Configures the length of time the prioritize_critical_css beacons are valid.
-
AddResourceHeader
- Allows setting headers on optimized resources for CORS support.
- Shared Memory Cache Checkpointing
- The shared memory metadata cache now checkpoints to disk every few minutes instead of writing all changes through as they happen. In our testing this improved performance on workloads that require many metadata writes by 21%.
Deprecations
- Support for disabling
InheritVHostConfig
-
For historical reasons, mod_pagespeed on Apache doesn't respect the global
PageSpeed configuration when interpreting VHost configuration. Since
1.1 in 2012, however, it has shipped with a default configuration file
that fixed this by setting
InheritVHostConfig
to "on". For the minority of installations that don't use the default configuration file, or explicitly setInheritVHostConfig
to "off", PageSpeed will now log an error on startup warning that the setting will soon change. With the next major version releaseInheritVHostConfig
will be forced to "on". - Centos 5 Support
- CentOS 5, released in 2007, goes end-of-life at the end of March 2017. The 1.12 rpm packages are for CentOS 6 and later, and will fail to install on CentOS 5. The stable release track, 1.11, continues to support CentOS 5.
Issues Resolved
Issues Affecting both Nginx and Apache
- Issue 1127 Don't accumulate waveforms that won't be displayed
- Issue 1263 Minimal AMP support: don't invalidate AMP
- Issue 1321 IPRO can change the content types of JavaScript resources
- Issue 1337 Multiple instances of the cache cleaner can run simultaneously on large caches
- Issue 1350 rewrite_domains doesn't apply to static assets
- Issue 1373 RespectVary ignored when cache-extending
- Issue 1386 LoadFromFile crashes on resources too big for memory
- Issue 1405 Unexpected tag <head/> inside pages
- Issue 1409 IPRO Records Resources of Unoptimizable Content Types
Release 1.11.33.5-stable
This bug-fix release was made November 14, 2016. It is a clone
of the 1.11.33.5-beta release and
rebuilds the .deb
packages to fix auto-updating for Ubuntu
16.10.
This release is only applicable to Debian and Ubuntu; release 1.11.33.4 is still the most up-to-date stable release for RedHat, CentOS, PSOL, and ngx_pagespeed.
Release 1.11.33.5-beta
This bug-fix release was made November 14, 2016. It rebuilds
the .deb
packages to fix auto-updating for Ubuntu 16.10.
This release is only applicable to Debian and Ubuntu; release 1.11.33.4 is still the most up-to-date beta release for RedHat, CentOS, PSOL, and ngx_pagespeed.
Issues Resolved
-
Issue 1428
Auto-updating broken with new
.deb
systems (36d4a38
)
Release 1.11.33.4-stable
This release was made October 3, 2016. It is a clone of the 1.11.33.4-beta release.
In addition to being the latest stable release for Apache, this is the first stable release for Nginx.
Release 1.11.33.4-beta
This bug-fix release was made September 15, 2016.
Issues Resolved
-
Issue 1392
and
Issue 1393
All existing preload hints are stripped
(
95ef580
) -
Issue 1396
Can't build from source because Chromium svn is gone
(
3f47828
,269ed10
) -
Issue 1397
ImageMaxRewritesAtOnce of -1 should allow unlimited image rewrites
(
18d5549
)
Release 1.11.33.3-beta
This bug-fix release was made August 16, 2016.
Issues Resolved
-
Issue 1149
PageSpeed output resources cannot be cached in Google Cloud
(
f56391
) (9711b5
) -
Issue 1192
Cache-purging does not work for in-place resource optimization
(
d1972f
) (07a664
) -
Issue 674
Serf spin causes 100% CPU usage
(
921fd7
) -
Issue 1022
image-inline: don't inline shortcut images
(
203865
) -
Issue 1324
Support UrlValuedAttribute with CSS
(
59a1982
) (787239
) -
Issue 1054
defer_js loads javascript twice
(
e2aa6f
) -
Issue 1327
Remove rel=preload hints which wastefully download unused resources when using PageSpeed
(
dbde98
) -
Issue 1305
ImageMaxRewritesAtOnce ignored (but displays correct configured value in admin interface)
(
19cf3b
) (e0a3bf
) -
Issue 1311
ngx_pagespeed crashes on start if there is no http block in config
(
ff8969
) -
Issue 1338
Recognize dc.js as a synonym for ga.js
(
1ff43e
) -
Issue 1307
Don't mangle files that start with the gzip magic bytes
(
6dfe52
) -
Issue 1294
PageSpeed URL control wildcards don't work properly
(
065474
) -
Issue 1348
Insert dns-prefetch for safari
(
d05a8b
) -
Issue 1222
Pagespeed eats CSS font-face declarations when defined in imported files
(
8fca3b
) -
Issue 1343
allow people to turn off cache cleaning
(
ccea83
) -
Issue 1371
PageSpeed can serve gzipped content without Content-Encoding header via IPRO
(
0bd84a
) -
Issue 1190
Adding ?PageSpeedFilters=+debug to URL enables other filters
(
2a3b12
) (2af203
) -
Issue 1369
dedup_inline_images filter is broken for images that don't already have an id
(
c1827b
)
Release 1.11.33.2-stable
This release was made May 12, 2016. It is a clone of the 1.11.33.2-beta release.
Release 1.11.33.2-beta
This security update release was made May 12, 2016.
Issues Resolved
Release 1.11.33.1-stable
This bug-fix release was made May 2nd, 2016. It is a clone of the 1.11.33.1-beta release.
This release depends on glibc >= 2.14 and will no longer run on Debian Wheezy, (7.0) which is also no longer officially supported by the Debian security team.
Release 1.11.33.1-beta
This bug-fix release was made May 2nd, 2016.
Issues Resolved
-
Issue 1288
Experiment reporting broken with ga.js
(
650675
) -
Issue 1298
Experiment injection for GA tracker always sets variation 1
(
a2b10e4
)
Release 1.11.33.0-beta
This release was made March 30, 2016.
This release targets users on mobile devices and low-bandwidth networks by adding Save-Data support. Save-Data is a new Client Hint that allows site visitors to indicate that they would prefer lower-quality resources in order to save data. Sites are most likely to see requests to save data today from visitors who have turned on Data Saver mode in Chrome or the equivalents in Opera and Yandex Browser, often because they're on slow or expensive connections. Now, with 1.11, when such a user comes to your site asking it to save data, mod_pagespeed will compress images to a lower quality level than it would typically, decreasing their size further at the cost of slightly more image distortion.
New Features
- Save-Data Support
- Serve more thoroughly compressed images to browsers that request lowered data usage via client hints.
Issues Resolved
Issues Affecting both Nginx and Apache
-
Issue 973
Strip subresource hints
(
d0bae68
,08e284f
) -
Issue 1214
PageSpeed console blank
(
2bd239d
) -
Issue 1276
CSS Parser has off-by-one heap read
(
0bc4ce7
) -
Issue 1277
Google Fonts CSS inlining broken
(
e3aa7b7
)
Issues Affecting Nginx
-
Issue 1064
Multiple Vary headers emitted (partial fix,
b081bb7
) -
Issue 1151
Unclear message on ParseUrl failure
(
6634754
)
Release 1.10.33.7-beta
This security update release was made March 28, 2016. It resolves the same issues as the 1.9.32.14 stable release, and has the same patch.
Release 1.9.32.14-stable
This security update release was made March 28, 2016.
All previously released versions of PageSpeed are vulnerable to CVE-2016-3626. This permits a hostile third party to trick PageSpeed into making arbitrary HTTP requests on arbitrary ports and re-hosting the response, allowing cross site scripting. If the machine running PageSpeed has access to services that are not otherwise available, this can reveal those resources.
Users are strongly encouraged to update immediately. If this isn't possible, a workaround is available.
Issues Resolved
Issues Affecting both Nginx and Apache
-
announce-sec-update-201603
Fetching and XSS vulnerability. (
52e184b
)
Release 1.10.33.6-beta
This bug-fix release was made March 3, 2016, and is Nginx-only
Several nginx-specific bug-fixes were accidentally ommitted from the 1.10.33.5 ngx_pagespeed release. This release contains those fixes, plus an additional nginx-specific memory safety fix.
Issues Resolved
Issues Affecting Nginx
-
Issue 1081
Crashes on custom 404s for .pagespeed. resources
(
1964ef
) -
Issue 1096
IPRO check-fails on some connection errors
(
b88e06
,60c1f4
) -
Issue 1120
Fix shutdown when ngx_pagespeed is completely disabled.
(
f60c754
) -
Issue 1138
IPRO responses sometimes forward a bad cache control value
(
85d0db2
)
Release 1.10.33.5-beta
This bug-fix release was made February 16, 2016
This bug-fix release fixes several bugs in both ngx_pagespeed and mod_pagespeed. The release allows ngx_pagespeed to be built as a dynamic module, for compatibility with nginx version 1.9.11.
Update 2016-03-02: This release accidentally ommited fixes for ngx_pagespeed issues 1081, 1096, and 1099. Release 1.10.33.6 includes these fixes.
Issues Resolved
Issues Affecting both Nginx and Apache
-
Issue 1080
inline_google_font_css uses .ttf instead of .woff for IE11
(
f3639e
,1964ef
) -
Issue 1252
Images may be rewritten multiple times when requested simultaneously via
IPRO
(
62d24f
) -
Issue 1253
Tests can flake because of best effort locking
(
c368ef
) -
Issue 1254
Fallback value not decompressed when necessary
(
bcf63ac
,d3851dd
) -
Issue 1261
CSS minification incorrectly transforms 0% to 0
(
7c30b7
)
Issues Affecting Apache
-
Issue 1229
pagespeed default config fails to load on 2.4 unless mod_access_compat
is loaded
(
02e8f7
)
Issues Affecting Nginx
Issue 1081 Crashes on custom 404s for .pagespeed. resources(1964ef
)Issue 1096 IPRO check-fails on some connection errors(b88e06
,60c1f4
)-
Issue 1099
Duplicate Location headers after 302 redirects
(
059dd2
) -
Issue 1110
Can't build with nginx 1.9.11+
(
daa603
) -
Issue 1115
Can't build as a dynamic module.
(
fbde0a
)
Release 1.10.33.4-beta
This security update release was made February 3rd, 2016. It resolves the same issues as the 1.9.32.13 stable release, and has the same patches.
Release 1.9.32.13-stable
This security update release was made February 3rd, 2016.
All previously released versions of PageSpeed are vulnerable to HTTPS-fetching vulnerability CVE-2016-2092. This permits a hostile third party who can man-in-the-middle the connection between PageSpeed and an HTTPS server to substitute arbitrary content in responses. PageSpeed is not vulnerable in its default configuration, but several filters and options can enable this vulnerability. See our CVE-2016-2092 announcement for more details and workarounds.
LibPNG has been updated to 1.2.56. Previous versions had an out-of-bounds read (CVE-2015-8540) which a hostile third party could trigger if they were in a position to supply images for PageSpeed to optimize.
The latest version of Chrome for iOS (M48) switched to the WKWebView for rendering, dropping support for WebP images. Prior versions of PageSpeed will send WebP to Chrome on iOS, giving broken images to these users. While this isn't a security vulnerability, this is a serious enough breakage that we're including it in this security release.
Issues Resolved
Issues Affecting both Nginx and Apache
-
announce-sec-update-201601
HTTPS fetching vulnerability. (
4af5e65
) -
CVE-2015-8540
LibPNG out-of-bounds read in
png_check_keyword()
. (79aaa94
) -
Issue 1139
Link SSL library correctly.
(
5b8253
) -
Issue 1256
Don't send WebP to Chrome on iOS
(
23947d
)
Issues Affecting Apache
-
Issue 1248
Crash on very long urls
(
befa494
)
Release 1.10.33.2-beta
This bug-fix release was made December 21st, 2015.
Issues Resolved
Issues Affecting both Nginx and Apache
-
Issue 1083
Newline in Content-Type meta tag breaks the page
(
08cbf9
) -
Issue 1215
Missing CSS files with OptimizeForBandwith + combine_css
(
55e0962
) -
Issue 1222
rel=canonical links added for resources optimized with
InPlaceResourceOptimization
(
61f4e96
) -
Issue 1226
Nested rewrites get inconsistent request properties
(
024eb91
) -
Issue 1227
Can't build PSOL
(
4b6a08
)
Issues Affecting Apache
-
Issue 1224
Serf depends on APR 1.3
(
f3edc3b
)
Issues Affecting Nginx
Release 1.10.33.1-beta
This bug-fix release was made December 16th, 2015.
Issues Resolved
-
Issue 1218
WebP served to UAs that don't support it
(
e39879
) -
Issue 1219
Crash in gzip header handling
(
0f7726
)
Release 1.10.33.0-beta
This release was made December 14th, 2015.
With the 1.10 release we have several high-impact features to share. We're
most excited about Responsive Image
Support, which delivers high resolution images to high pixel-density
screens by automatically generating html5 srcset
attributes for images. Other big changes
include Caching Gzip Output, which lets us
run gzip at the most aggressive encoding
level, Remote Config,
which lets you load additional configuration over the network, and
converting Animated GIF to WebP, which reduces
the size of animated GIFs by 65%.
New Automatically Enabled Features
- Cache Gzip Output
- Compress rewritten resources at the highest compression setting and store them compressed in cache.
- Insert Universal Analytics
- If enabled, the Insert Google Analytics filter will now insert Universal
Analytics (
analytics.js
) instead of the legacyga.js
. This should have no impact on reporting, and gives you access to the benefits of Universal Analytics. - Fetch resources over HTTPS
- HTTPS fetching is now enabled in the default configuration.
- Switch to new JS Minifier
- The JavaScript minifier introduced in 1.8 is now the default.
- Add PageSpeedNoop Query Parameter
- Add query parameter for cache busting.
- HTML5-compliant attribute names
- HTML5 requires all custom attributes to be prefixed
with
data-
, and with this release PageSpeed generatesdata-pagespeed-foo
attributes. Old-stylepagespeed_foo
attributes are still accepted.
New Opt-In Features
- Remote Configuration
- Fetch additional configuration directives over HTTPS.
- Responsive Image Support
- Make images responsive by adding
srcset
attributes for different pixel densities. - Animated WebP
- Convert animated GIF to animated WebP for browsers that can render it.
-
Make
showads.js
Asynchronous - Convert the blocking
showads.js
snippet into the asynchronousadsbygoogle.js
snippet. - HTTP/2-specific configuration in ngx_pagespeed
- Allow configuring filters and sharding differently depending on whether the browser connection is HTTP/2.
- Request-specific downstream caching configuration
- Allow script variables in the downstream caching configuration. (Nginx only)
- Content Experiments
- Allow PageSpeed experiments to log data to a Google Analytics Content Experiment.
Issues Resolved
Issues Affecting both Nginx and Apache
- Issue 931 Do not serve source map on hash mismatch.
-
Issue 979
Allow spaces between filter names in
PageSpeedFilters
header. -
Issue 1085
Don't update
Last-Modified
when cache-extending. - Issue 1092 Parsing complex CSS can fail, leaving cache in an inconsistent state.
-
Issue 1109
Can't set
MessageBufferSize
to 0. - Issue 1116 Support gcc 4.6.3 when building from source.
- Issue 1131 When building from source, respect the CXX variable.
- Issue 1149 WebP transcoding doesn't work with MapProxyDomain+IPRO.
- Issue 1150 BoringSSL won't compile under gcc5.
- Issue 1154 Spin in serf.
- Issue 1160 Don't serve WebP to Firefox on Android
- Issue 1164 Do not abbreviate 0s in CSS files as 0.
-
Issue 1173
Disallow
should apply to defer_javascript. - Issue 1182 Don't try to resize images with invalid desired dimensions.
- Issue 1183 Race condition in the shared memory cache between delete and write.
- Issue 1184 Include canonical links for images and pdfs we rewrite.
- Issue 1185 Improve CSS parser's handling of new constructs.
-
Issue 1186
Remove
/wp-admin
from our url blacklist. - Issue 1187 Prioritize Critical CSS writes a mixture of optimized and unoptimized content.
- Issue 1188 Location headers not rewritten when proxying redirects.
- Issue 1189 Race in FileCache.
- Issue 1193 File reading tracks line numbers.
- Issue 1202 Improve resource usage for on-the-fly optimizations.
- Issue 1203 File cache entries are read in 10k chunks.
Apache-specific Issues
- Issue 1077 Purging fails if the top-level configuration has PageSpeed as off.
-
Issue 1088
Allow server owners to block access to
handlers such that they can't be re-enabled
in
.htaccess
. - Issue 1179 Compilation issue in ApacheFetch under 32-bit.
- Issue 1191 IPRO recorder crashes on corrupt brigades with multiple EOS buckets.
Nginx-specific Issues
- Issue 957 Fix handling of header-only requests.
-
Issue 1015
MapProxyDomain
does not work withInPlaceResourceOptimization
. - Issue 1021 Fix interaction with ngx_brotli.
Release 1.9.32.11-stable
This release was made December 9, 2015. It is a clone of the 1.9.32.11-beta release.
Release 1.9.32.11-beta
This security update release was made December 9, 2015.
Issues Resolved
- https://www.openssl.org/news/secadv/20151203.txt Update BoringSSL to pull in OpenSSL changes.
Release 1.9.32.10-stable
This bug-fix release was made October 27th, 2015. It is a clone of the 1.9.32.10-beta release.
Issues Resolved
Issues Affecting both Nginx and Apache
-
Issue 972
LoadFromFile
logs errors on 404s (3d44cc
) -
Issue 992
Segfault in https fetching
(
b4f4ae9
) -
Issue 1039
Noisy
leaked_rewrite_drivers
on destruction message (58aaa4
) -
Issue 1040
inline_google_font_css
no longer works in Chrome (01045a
) -
Issue 1043
Source maps set
?PageSpeed=off
for.pagespeed.
sources (9d6d08
) -
Issue 1050
X-Sendfile
messages should not be cached (a49af6
) -
Issue 1060
Spurious
DownstreamCacheRebeaconingKey
Warning (0f2a6f
) -
Issue 1068
Empty resources should not be cached.
(
741a86
,3ac019
) -
Issue 1070
Opera Mini should not be sent
lazyload_images
JS (0a90bb
) -
Issue 1078
Image rewriting dcheck-fails on images with invalid dimensions
(
166151
) -
Issue 1087
Critical images js doesn't play well with
display
(f01252
) -
Issue 1106
If-Modified-Since
not working with IPRO (9ba250
) -
Issue 1109
Can't set
MessageBufferSize
to 0 (16e9f4
) -
Issue 1116
Won't compile with
gcc
4.6.3 (3f9176
) -
Issue 1152
boringssl build fails on suse tumbleweed/archlinux
(
4cbc93
)
Apache-specific Issues
-
Issue 1048
Apache stuck indefinitely waiting for PSOL
(
84a9de
) -
Issue 1081
Invalid cache entries on aborted requests
(
7a3fab
)
Nginx-specific Issues
-
Issue 864
Server
header dropped (a9c292
) -
Issue 888
Check-fails on invalid urls instead of declining them.
(
9da85b
) -
Issue 913
Incorrect
Date
header on 32-bit (7355f2
) -
Issue 948
Fails to build with nginx 1.7.11 and
--with-threads
(a81cc9
) -
Issue 956
DCheck failure if pagespeed is off and no file cache path is
configured
(
c925b4
) -
Issue 965
PageSpeed returning partial web pages
(
b9ca5d
)
Release 1.9.32.10-beta
This bug-fix release was made October 8th, 2015.
Issues Resolved
-
Issue 1048
Apache stuck indefinitely waiting for PSOL
(
84a9de
) -
Issue 1152
boringssl build fails on suse tumbleweed/archlinux
(
4cbc93
)
Release 1.9.32.6-beta
This bug-fix release was made July 29, 2015.
Issues Resolved
Issues Affecting both Nginx and Apache
-
Issue 972
LoadFromFile
logs errors on 404s (3d44cc
) -
Issue 992
Segfault in https fetching
(
b4f4ae9
) -
Issue 1039
Noisy
leaked_rewrite_drivers
on destruction message (58aaa4
) -
Issue 1040
inline_google_font_css
no longer works in Chrome (01045a
) -
Issue 1043
Source maps set
?PageSpeed=off
for.pagespeed.
sources (9d6d08
) -
Issue 1050
X-Sendfile
messages should not be cached (a49af6
) -
Issue 1060
Spurious
DownstreamCacheRebeaconingKey
Warning (0f2a6f
) -
Issue 1068
Empty resources should not be cached.
(
741a86
,3ac019
) -
Issue 1070
Opera Mini should not be sent
lazyload_images
JS (0a90bb
) -
Issue 1078
Image rewriting dcheck-fails on images with invalid dimensions
(
166151
) -
Issue 1087
Critical images js doesn't play well with
display
(f01252
) -
Issue 1106
If-Modified-Since
not working with IPRO (9ba250
) -
Issue 1109
Can't set
MessageBufferSize
to 0 (16e9f4
) -
Issue 1116
Won't compile with
gcc
4.6.3 (3f9176
)
Apache-specific Issues
-
Issue 1048
Apache stuck indefinitely waiting for PSOL
(
e59644
,c001a8
) -
Issue 1081
Invalid cache entries on aborted requests
(
7a3fab
)
Nginx-specific Issues
-
Issue 864
Server
header dropped (a9c292
) -
Issue 888
Check-fails on invalid urls instead of declining them.
(
9da85b
) -
Issue 913
Incorrect
Date
header on 32-bit (7355f2
) -
Issue 948
Fails to build with nginx 1.7.11 and
--with-threads
(a81cc9
) -
Issue 956
DCheck failure if pagespeed is off and no file cache path is
configured
(
c925b4
) -
Issue 965
PageSpeed returning partial web pages
(
b9ca5d
)
Release 1.9.32.4-stable
This release was made Jun 17, 2015. It is a clone of the 1.9.32.4-beta release.
Release 1.9.32.4-beta
This security update release was made June 17, 2015.
In versions between 1.7 and 1.9.32.3, PageSpeed was built with a version of OpenSSL that was vulnerable to the issues detailed in the June 11, 2015 security advisory. We have updated our crypto library to fix these issues. PageSpeed now builds with Google's BoringSSL, an OpenSSL fork which includes this fix, and is expected to be more stable in future.
In versions between 1.8.31.2 and 1.9.32.3 it was possible to cause a crash by requesting JavaScript source maps when source mapping had been turned off.
We recommend that all users upgrade. If this is not possible, however, the following workarounds are available:
- The OpenSSL vulnerability only applies if you have
FetchHttps
enabled and have configured PageSpeed to fetch HTTPS content over the open internet. DisablingFetchHttps
will prevent these crashes, but will also disable PageSpeed's optimizations for any content that must be fetched over HTTPS. - Set a
Request Option Override
token, and explicitly enableinclude_js_source_maps
. This makes it impossible for attackers to disable source maps and cause these crashes.
Issues Resolved
- Issue 1094 Source map can be requested with option disabled.
- OpenSSL Security Advisory [11 Jun 2015] Replace OpenSSL with BoringSSL.
Release 1.9.32.3-stable
This release was made January 14, 2015. It is a clone of the 1.9.32.3-beta release.
Release 1.9.32.3-beta
This bug-fix release was made January 5th, 2015.
Issues Resolved
- Issue 1025 Purge cache UI has problems in admin console.
- Issue 1028 Malformed CSS file can cause a hang in CSS parser.
- ngx_pagespeed Issue 832 Don't log to stderr/stdout: gzip enabling code.
- ngx_pagespeed Issue 839 ngx_pagespeed 1.9.32.2 doesn't compile with Tengine.
Release 1.8.31.6-stable
This bug-fix release was made January 5th, 2015.
Issues Resolved
- Issue 1028 Malformed CSS file can cause a hang in CSS parser.
Release 1.9.32.2-beta
This security update release was made October 27, 2014.
Issues Resolved
- Issue 978 Blacklist Windows Browser for transcoding to webp.
- Issue 982 Defer javascript not working in IE9 or IE11.
-
Issue 989
IPRO with LoadFromFile on a resource that is already fully optimized
serves
cc:max-age=300
. - Issue 992 Malformed CSS can lead to unbounded stack depth.
- Issue 1004 Disable SSLv3 and SSLv2 support in serf fetcher.
- Issue 1012 JS error in rendered_image_dimensions filter when the same image appears multiple times on a page.
-
ngx_pagespeed Issue 808
ngx_pagespeed prints
Log: [info] No threading detected. Own threads: 1 Rewrite, 1 Expensive Rewrite.
on startup. - ngx_pagespeed Issue 813 Segmentation fault when ngx_pagespeed is built with gcc 4.1.2
Release 1.8.31.5-stable
This security update release was made October 20, 2014.
Issues Resolved
- Issue 992 Malformed CSS can lead to unbounded stack depth.
- Issue 1004 Disable SSLv3 and SSLv2 support in serf fetcher.
Release 1.9.32.1-beta
This release was made September 16, 2014.
New Features
-
Support nginx script variables in
LoadFromFile
- Allows configuration like
LoadFromFile "http://$host/" "$document_root"
- Support HTTP Persistent Connections
- When using the native fetcher for Nginx, advertise
Connection: Keep-Alive
and keep active connections around for reuse. -
Improved
debug
filter support - Many more filters now support debug logging, emitting explanatory
comments inline when the
debug
filter is enabled. -
Enabled
InPlaceResourceOptimization
by default - In Place Resource Optimization is now enabled by default.
- Purge individual URLs from cache
- Allows cache entries to be purged by PageSpeed administrators.
- Improved PageSpeed admin site
- Admin page improved to show more information, provide graphs, and perform cache-purging operations.
- "Sticky" Query Parameters
- Set query parameters in cookies for persisting options across queries.
- Signing resource URLs
- Optionally cryptographically sign and verify resource URLs.
- Restrict query params
- Optionally restrict interpretation of query parameters.
Issues Resolved
- Issue 786 serf_url_async_fetcher.cc error messages using IP instead of domain name.
- Issue 794 Colorize warnings and errors in message_history page.
- Issue 813 Disable beaconing for bots.
- Issue 850 dedup_inlined_images breaks site combined with lazyload_images and defer_javascript.
- Issue 853 Provide separate filters rewrite_javascript_external and rewrite_javascript_inline.
- Issue 909 Strict mode detection is too conservative.
- Issue 965 Don't relocate scoped style tags.
- Issue 967 Don't relocate scoped style tags in prioritize_critical_css.
- Issue 969 Don't send inline WebP to Chrome/36 on iOS. See issue for workaround fix for both nginx and Apache.
- Issue 984 Fix handling of experiment spec, so that options are applied when using the default filters.
- Issue 985 Re-add query params when we get a redirection response.
- Issue 986 Default flattening limit is too low.
- ngx_pagespeed Issue 238 Automatically enable gzip compression in Nginx.
-
ngx_pagespeed Issue 712
.pagespeed
resources served with chunked encoding on Nginx. - ngx_pagespeed Issue 719 IPRO with LoadFromFile gives null responses for unknown file extensions.
-
ngx_pagespeed Issue 725
Duplicate
Location
headers when proxying with Nginx. - ngx_pagespeed Issue 731 Support setting NumRewriteThreads and NumExpensiveRewriteThreads in Nginx.
- ngx_pagespeed Issue 739 Nginx compilation error with GCC 4.9.
- ngx_pagespeed Issue 757 Support POST responses for HTML.
Release 1.8.31.4-stable
This release was made August 5, 2014. It is a clone of the 1.8.31.4-beta release.
Release 1.8.31.4-beta
This security update release was made June 17th, 2014.
Issues Resolved
- Update OpenSSL version to include fixes for a man-in-the-middle attack.
Release 1.7.30.5-stable
This security update release was made June 17th, 2014.
Issues Resolved
- Update OpenSSL version to include fixes for a man-in-the-middle attack.
Release 1.8.31.3-beta
This bug-fix release was made May 30th, 2014.
Issues Resolved
- Issue 941 Pagespeed optimized resource sending incorrect Content-Length header.
- Issue 945 mod_pagespeed cache directory is unwritable by default.
- Issue 947 Do not serve source JavaScript when a rewritten source map is requested.
- ngx_pagespeed Pull 701 Allow admin paths to be set at server scope.
- ngx_pagespeed Issue 705 StaticAssetPrefix not working.
Release 1.8.31.2-beta
This release was made on May 6th, 2014.
New Features
-
New rewrite level
OptimizeForBandwidth
- Safe rewrite level in which HTML is not altered, but CSS, JS, and images are rewritten in place to conserve bandwidth.
- New admin pages
- Admin consoles at
pagespeed_admin
andpagespeed_global_admin
simplify system configuration. - JavaScript source map support
- New filter
include_js_source_maps
allows debugging of PageSpeed-minified code. - Image classification
- PageSpeed now uses a classification algorithm to decide when to convert a lossless image (png or gif) to a lossy format (jpeg or lossy WebP).
- WebP conversion on by default
- The
convert_jpeg_to_webp
filter is now on by default as a core rewriter and as part ofrewrite_images
. - Serve WebP URLs to any browser
- Enable users with older browsers to view
.webp
URLs, making it easier for visitors to share image links. - Inline resources without explicit authorization
- Permits inlining of CSS and JavaScript from domains that are not directly authorized for rewriting (for example because they belong to a third party).
- Downstream cache rebeaconing support
- Allows filters that depend on beaconing (such as lazy loading and inlining of images) to interact correctly with downstream caches such as Varnish.
- Browser-dependent in-place optimization
- Enabling
in_place_optimize_for_browser
permits browser-dependent CSS and image optimizations such as WebP conversion. - Configurable location for static assets
- New option
StaticAssetPrefix
specifies the path to PageSpeed-specific static assets. - Cache sharing among domains
- New option
CacheFragment
allows multiple domains to share a portion of the cache, enabling them to share common resources. - Ability to set options in experiment specs
- Experiment specifications can now include a comma-separated list of option settings similar to those in query parameters.
-
Optional
Host:
header inMapOriginDomain
- The
MapOriginDomain
directive can now include aHost:
header to be used by PageSpeed when fetching resources. - Fetch HTTPS resources in ngx_pagespeed
- Support secure resource fetching using HTTPS in the nginx web server (supported in mod_pagespeed since version 1.7).
-
LazyloadImagesAfterOnload
on by default - After onload, load all images even if some are not yet visible.
Issues Resolved
-
Issue 106
Inline js files even if they contain
</script>
. - Issue 452 Can't run experiments except on filters and some thresholds.
-
Issue 570
Document
RewriteDeadlineMs
. -
Issue 586
Track image rewriting time
in
mod_pagespeed_variables
. - Issue 692 Fixed-case paths broken in domain-mapping directives.
- Issue 752 Issue downstream cache purges only for GET requests.
- Issue 812 SerfThreadFn might compile with the wrong calling convention and crash on shutdown.
- Issue 813 Disable beaconing for bots.
-
Issue 817
WebP transcoding should trigger off
Accept:
headers and issueVary: Accept.
- Issue 831 Spriting replaces transparent color with arbitrary color.
-
Issue 832
DCHECK failure on
static_rewriter
test. - Issue 840 Deadlock when rewriting resources.
- Issue 845 etag should not be issued for mismatching content.
-
Issue 846
PageSpeed's cache lookup needs to become
Vary: Accept
aware, at least for WebP. - Issue 855 Deadlock when using apache threads with in-place rewriting, a threaded mpm, and memcached.
- Issue 856 Improve error message reporting when shared memory segment creation fails.
- Issue 858 Remove insignificant message: “Default shared memory cache: Cache named pagespeed_default_shm already exists”.
- Issue 863 Cache-Control: no-transform has no effect if combined with other values.
- Issue 865 ImplicitCacheTtlMs directive doesn't work in IPRO mode.
-
Issue 871
Apply in-place optimization on first request
if
InPlaceRewriteDeadlineMs
is -1 andLoadFromFile
is enabled. - Issue 881 Changing JS files can make combining/minification produce reference errors.
-
Issue 882
Run
combine_javascript
beforerewrite_javascript
, and have it do the minification inline. - Issue 883 Employ image classification to make better decisions about lossy conversion.
- Issue 885 Enabling memcached causes “Waiting for property cache” messages and server spinning.
- Issue 907 Sharedmem “Unable to insert object of size” message needs to be demoted and indicate the cache key.
- Issue 915 Link error on “html_minifier_main” using GCC 4.9.0 + [Gold] Linker.
- Issue 918 <style scoped> is translated to <link rel="stylesheet" scoped> however there is no browser support for the latter.
- Issue 921 Downstream Caches - PURGE request has a double slash.
- Issue 927 defer_javascript errors in Safari 4.x and 5.0, user scripts fail.
- Issue 928 Allow user defined attributes to override spec-defined ones.
- Issue 937 Increase beacon frequency until there's enough data, then decrease it.
- Issue 938 Check for image criticality at image onload to fix carousel display.
- ngx_pagespeed Issue 537 Client times out on 304 requests.
- ngx_pagespeed Pull 560 Unbreak /ngx_pagespeed_messages.
- ngx_pagespeed Issue 577 Wrong date HTTP header after HTML rewrite.
- ngx_pagespeed Pull 590 Add proxy support to native fetcher.
- ngx_pagespeed Pull 621 Don't call chown() unless necessary.
- ngx_pagespeed Issue 625 CHECK failure on DNS timeout.
-
ngx_pagespeed Issue 652
DownstreamCachePurgeLocationPrefix removes cache headers for
.pagespeed.
resources. - ngx_pagespeed Issue 686 DCHECK failed: !src.IsKeySaved().
Release 1.7.30.4-stable
This release was made March 24, 2014. It is a clone of the 1.7.30.4-beta release.
Release 1.7.30.4-beta
This bug-fix release was made March 13, 2014.
Issues Resolved
- Issue 441 Filter "make_google_analytics_async" turns benign call to deprecated method into a functional error.
- Issue 781 Images are inlined into CSS styles in IE7 if Firefox renders them first.
- Issue 874 Warning messages in log for "ModPagespeed:noscript?".
- Issue 880 Combining minified JS files can produce invalid results when deadline exceeded.
- Issue 885 Enabling memcached causes "Waiting for property cache" messages and server spinning.
- Issue 896 IPRO on reverse proxy can capture gzipped content and serve it to users without content-encoding:gzip.
- Issue 898 IPRO does not correctly handle resources which failed to fetch.
Release 1.7.30.3-beta
This bug-fix release was made January 16, 2014.
Issues Resolved
- Issue 867 Data URLs in CSS become blank after rewriting.
- ngx_pagespeed Issue 596 Data URLs in CSS and JavaScript are broken after upgrading ngx_pagespeed from 1.6 to 1.7.30.2.
Release 1.7.30.2-beta
This bug-fix release was made January 7, 2014.
Issues Resolved
- Issue 627 Quoting of ModPagespeed:noscript insertion broken in some browsers.
- Issue 831 Spriting replaces transparent color with arbitrary color.
- Issue 840 Deadlock when rewriting resources.
- Issue 856 Improve error message reporting when shared memory segment creation fails.
- Issue 857 Avoid insertions (e.g., beacon) at midpoint of the document which ought to be at the end of it.
- Issue 858 Remove insignificant message: Default shared memory cache: Cache named pagespeed_default_shm already exists.
- Issue 860 GoogleFontCssInlineFilter doesn't handle protocol-relative URLs correctly.
- Issue 861 PSOL sample application has dcheck-failure in the demo program.
- Issue 862 mod_pagespeed may have deadlock in property cache fetch in IPRO non-proxy mode if memcached is used.
- ngx_pagespeed Issue 578 Nginx Resolver API changes break the ngx_pagespeed build.
Release 1.6.29.7-stable
This release was made November 13th, 2013. It is a clone of the 1.6.29.7-beta release.
Release 1.7.30.1-beta
This release was made on November 7th, 2013.
New Features
- Default shared memory metadata cache
- Create an on-by-default memory cache shared by all server processes.
- Fetch HTTPS resources for Apache server
- Support secure resource fetching using HTTPS for Apache server.
- Fetch HTTPS resources using mod_spdy for Apache server
- Support faster HTTPS resource fetching, if you also use mod_spdy version 0.9.4.1 or higher.
- Inline Google Fonts API CSS
- Reduce the number of blocking round trips required to start rendering a web page using the Google Fonts API.
- Preserve URL relativity
- Specify whether to preserve the relative URLs or convert them to absolute URLs.
- Optimize multiple URL-valued attributes
- Support optimizing more than one URL-valued attribute per element.
- Implicit cache-lifetime for resources
- Specify the cache lifetime for resources that do not have "Expires" or "Cache-Control" headers.
- Maximum time for inplace resource rewriting
- Specify the maximum time to wait for a resource to be rewritten. If the rewriting completes within this time, the rewritten resource will be served, otherwise the original resource will be served and rewriting will continue in the background.
- Maximum size of the combined CSS
- Specify the maximum size that CSS files may be combined to.
- Maximum size of images that will be optimized
- Specify the maximum size of decompressed images that PageSpeed will try to optimize.
- Minimum size of JPEG images that will be compressed in progressive format
- Specify the size threshold that determines when to use progressive format for compressing images to JPEG. Progressive JPEG is more effective for compressing large images, while non-progressive JPEG works better for smaller ones.
- Resize images to rendered dimensions
- Resize images to, or close to, the actual dimensions that they will be displayed. The rendered dimension may be smaller than that specified by the width and height attributes.
- Better image compression and resizing
- Use more optimized image resizing technique and remove OpenCV. Replace libjpeg with the more efficient libjpeg-turbo.
- Configuration defaults updated
- Starting in this release, we combine JavaScript and convert PNG images
to JPEG by default.
- Default combine_javascript to on (was off).
- Default convert_png_to_jpeg to on (was off).
- In-Place Resource Optimization for Nginx
- ngx_pagespeed can now optimize resources accessed directly from their original URLs, not just those rewritten with the PageSpeed URL format. This can be useful for optimizing resources referenced from other sites and from JavaScript.
Issues Resolved
- Issue 198 Optimize handling of multiple references to the same image on a page at different sizes.
- Issue 376 Image resizing should utilize width/height information in CSS classes.
- Issue 423 Support fetching resources over HTTPS.
- Issue 466 Provide a way to optimize all resource attributes in a tag.
- Issue 503 Preserve URL relativeness.
- Issue 664 Strip Connection and other hop-by-hop headers when saving input resource.
- Issue 755 Memory leak with 'graceful' restart relating to shared memory starting in 1.4.
- Issue 756 ModifyCachingHeaders should not touch Cache-Control headers if downstream-caching is enabled.
- Issue 757 Make maximum image size configurable.
- Issue 758 Add configurability for DisableRewriteOnNoTransform and system test.
- Issue 759 Cleanup race in SchedulerBlockingFunction::Block() and ::Cancel().
- Issue 773 Repeat image inlined at low resolution when local_storage_cache is enabled.
- Issue 799 Console slow when logfile is large.
- Issue 803 Metadata cache will reminder not-optimizable for 5 minutes after rate-limiting drops a fetch.
- Issue 809 mod_pagespeed disables mod_headers/mod_expires when proxying content with cache-control set.
- ngx_pagespeed Issue 42 Added in-place resource optimization.
- ngx_pagespeed Issue 356 Support setting options in response headers.
- ngx_pagespeed Issue 367 Fix intermittent crash on reload.
- ngx_pagespeed Issue 433 Unable to compile with gcc 4.8.
- ngx_pagespeed Issue 447 Log message to the correct vhost-specific log file.
- ngx_pagespeed Issue 463 Native fetcher crashes when running out of file descriptors.
- ngx_pagespeed Issue 522 Fix use-after-free in logging.
- ngx_pagespeed Issue 532 Added script to turn apache-format pagespeed_libraries.conf into nginx-format.
- ngx_pagespeed Issue 539 File cache and logdir are created and given appropriate permissions.
mod_pagespeed October 2013 Security Update
mod_pagespeed releases 1.6.29.7-beta, 1.5.27.4-beta, 1.4.26.5-stable, 1.3.25.5-stable, 1.2.24.2-stable, 1.0.22.8-stable fix critical cross-site scripting (XSS) vulnerability.
ngx_pagespeed Release 1.6.29.7-beta
ngx_pagespeed release 1.6.29.7-beta fixes critical cross-site scripting (XSS) vulnerability.
Release 1.4.26.4-stable
This release was made August 7th, 2013. It contains one additional bug fix compared to version 1.4.26.3-stable, but is otherwise identical.
Issues Resolved
- Issue 683 Pagespeed strips cache-control:no-store, etc. headers.
Release 1.6.29.5-beta
This bug-fix release was made July 25, 2013.
Issues Resolved
- Issue 748 RewriteRandomDropPercentage cause duplicate image srcs to be blank.
- Issue 751 Leaked ASM symbol names cause segmentation faults on Apache.
Release 1.6.29.4-beta
This bug-fix release was made July 11, 2013.
Issues Resolved
- Issue 742 Broken default pagespeed.conf in 1.6.29.3.
Release 1.6.29.3-beta
This release was made July 10, 2013.
New Features
- PageSpeed Console
- The PageSpeed Console monitors your installation's performance and links to general information on how to improve the performance.
- Supporting downstream caches
- Experimental feature for supporting caching proxy servers to allow HTML to be cached in these servers.
- dedup_inlined_images
- Filter that removes redundant inlined images and replaces them with JavaScript that loads all subsequent uses from the first.
- Randomly drop expensive rewrites
- To reduce processing load, PageSpeed can be configured to optimize the most frequently fetched resources, leaving infrequently fetched resources alone. This is accomplished by randomly dropping expensive (CSS and image) rewrites. Frequently fetched resources will have a higher probability of being rewritten than infrequently fetched resources. Over time, frequently accessed resources will be optimized and cached so a page will be fully optimized. Infrequently accessed pages will be left unoptimized or partially optimized, saving CPU time and cache space.
- DisableRewriteOnNoTransform
- Default on, but may be turned off to allow PageSpeed to rewrite
resources even if they have a
Cache-Control: no-transform
header. - Configuration defaults updated
- Starting in this release, we enable lossy image compression by default
and update several other default configurations values. Updates:
- Default AvoidRenamingIntrospectiveJavascript to on (was off).
- Default ImageInlineMaxBytes to 3072 (was 2048).
- Default CssImageInlineMaxBytes to 0 (was 2048).
- Default MaxInlinedPreviewImagesIndex to -1 = unlimited (was 5).
- Default MinImageSizeLowResolutionBytes to 3072 (was 1024).
- Default ImageRecompressionQuality to 85 (was -1 = lossless).
- Default JpegRecompressionQualityForSmallScreens to 70 (was -1 = lossless).
- Default WebpRecompressionQuality to 80 (was -1 = lossless).
- Default WebpRecompressionQualityForSmallScreens to 70 (was -1 = lossless).
Issues Resolved
- Issue 199 Multiple references to the same small images all get inlined.
- Issue 644 Improve lazyload behavior.
- Issue 675 rewrite_javascript breaks Wordpress /wp-admin/ pages with certain common WP plugins.
- Issue 683 Don't strip Cache-Control:no-store, etc. headers.
- Issue 684 elide_attributes should not remove type=text as wordpress uses it in CSS.
- Issue 690 Add originating page URL query-param to beacon URL.
- Issue 700 Image height tag removed when image is embedded.